Changes:

Firewall Filters

Create the firewall filter:

    ! allow good traffic in:
    set firewall family inet filter tty-access term good from address 10.120.34.0/24
    set firewall family inet filter tty-access term good from address 10.50.32.0/24
    set firewall family inet filter tty-access term good from protocol tcp
    set firewall family inet filter tty-access term good from port ssh
    set firewall family inet filter tty-access term good then accept
    ! block everyone else from connecting:
    set firewall family inet filter tty-access term bad from protocol tcp
    set firewall family inet filter tty-access term bad from port ssh
    set firewall family inet filter tty-access term bad from port telnet
    set firewall family inet filter tty-access term bad from port http
    set firewall family inet filter tty-access term bad from port https
    set firewall family inet filter tty-access term bad then log
    set firewall family inet filter tty-access term bad then reject
    ! allow other protocols like snmp, etc.
    set firewall family inet filter tty-access term other then accept

In the example above, the "allow good traffic in" term uses the "address" command. You can also do the above with prefix lists, but not together (either lists OR addresses, not both):

    ! define list:
    set policy-options prefix-list vzn-locl-asn701 70.0.0.0/9
    set policy-options prefix-list vzn-locl-asn701 71.96.0.0/11
    set policy-options prefix-list vzn-locl-asn701 71.128.0.0/9
    set policy-options prefix-list vzn-locl-asn701 72.32.0.0/11
    ! allow good traffic in:
    set firewall family inet filter tty-access term good from source-prefix-list vzn-locl-asn701
    set firewall family inet filter tty-access term good from protocol tcp
    set firewall family inet filter tty-access term good from port ssh
    set firewall family inet filter tty-access term good then accept

Bind filter to interfaces

Create a "loopback" interface, and bind the filter to it:

    set interfaces lo0 unit 0 family inet filter input tty-access

Allow SSH on interface

Make sure that your firewall interfaces allow ssh to them:

    ! allow ping and ssh to the outside interface
    set security zones security-zone untrust interfaces fe-0/0/2.0 host-inbound-traffic system-services ssh
    set security zones security-zone untrust interfaces fe-0/0/2.0 host-inbound-traffic system-services ping
    ! allow ping and ssh to the inside interface
    set security zones security-zone trust interfaces fe-0/0/0.0 host-inbound-traffic system-services ping
    set security zones security-zone trust interfaces fe-0/0/0.0 host-inbound-traffic system-services ssh

Debugging:

To see connections being blocked by the filter, check the firewall logs:

    user@host> show firewall log
Why:

This looks confusing, because you are sshing to the IPs on the interfaces, not to the "loopback" IP, yet the loopback interface is the only one with the ACL on it. It works because traffic addressed to any of the device's own interface IPs is handed up to the control plane, and the lo0 input filter applies to everything that arrives there, whichever interface it came in on.
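To see how Junos walks the terms of the tty-access filter above, here is a small evaluator (an added example, not from the original page): it parses the page's set-style lines and reports which term, and therefore which action, a given connection attempt hits. The packet dictionary layout (src, dst, proto, sport, dport) and the PORTS name table are the example's own conventions; any packets you feed it are constructed test input.

```python
import ipaddress
# The tty-access filter from this page, in Junos set syntax (used here as sample input).
CONFIG = """
set firewall family inet filter tty-access term good from address 10.120.34.0/24
set firewall family inet filter tty-access term good from address 10.50.32.0/24
set firewall family inet filter tty-access term good from protocol tcp
set firewall family inet filter tty-access term good from port ssh
set firewall family inet filter tty-access term good then accept
set firewall family inet filter tty-access term bad from protocol tcp
set firewall family inet filter tty-access term bad from port ssh
set firewall family inet filter tty-access term bad from port telnet
set firewall family inet filter tty-access term bad from port http
set firewall family inet filter tty-access term bad from port https
set firewall family inet filter tty-access term bad then log
set firewall family inet filter tty-access term bad then reject
set firewall family inet filter tty-access term other then accept
"""
PORTS = {"ssh": 22, "telnet": 23, "http": 80, "https": 443}

def parse_filter(text):
    """Return [(term, {condition: [values]}, [actions])] in configuration order."""
    terms = {}  # dict keeps insertion order, which is the order Junos evaluates terms
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 10 or tok[:5] != ["set", "firewall", "family", "inet", "filter"]:
            continue
        match, actions = terms.setdefault(tok[7], ({}, []))
        if tok[8] == "from":
            match.setdefault(tok[9], []).append(tok[10])
        else:
            actions.append(tok[9])
    return [(name, m, a) for name, (m, a) in terms.items()]

def term_matches(match, pkt):
    # Every 'from' condition must hold (AND); any listed value within one condition suffices (OR).
    # Note: Junos 'address' and 'port' match either direction of the packet.
    checks = {
        "address": lambda v: any(ipaddress.ip_address(pkt[f]) in ipaddress.ip_network(v)
                                 for f in ("src", "dst")),
        "protocol": lambda v: pkt["proto"] == v,
        "port": lambda v: int(PORTS.get(v, v)) in (pkt["sport"], pkt["dport"]),
    }
    return all(any(checks[key](v) for v in vals) for key, vals in match.items())

def evaluate(terms, pkt):
    """First matching term wins; no match means an implicit discard, hence 'term other'."""
    for name, match, actions in terms:
        if term_matches(match, pkt):
            return name, actions
    return None, ["discard"]
```

Because the "good" term is listed first, an ssh attempt from one of its subnets is accepted before the "bad" term is ever consulted, while an ssh attempt from anywhere else falls through to "bad" and is logged and rejected.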