Access (Olive)

All you need to access the device, an Olive on VirtualBox in this case, is this config.

system {
    services {
        ssh;
        telnet;
    }
}


This config would allow ssh and telnet access to all interfaces.
Note: Root will not authenticate with telnet.

Now suppose you would like to block access on one or more interfaces.
You need a firewall filter.

Let's say we wish to stop telnet on interface em0.

First define the filter. Note the action "discard", which drops the traffic we want to stop.

firewall {
    filter ACCESS-CNTRL {
        term TELNET-BLOCK {
            from {
                destination-port telnet;
            }
            then {
                discard;
            }
        }
        term PERMIT-ALL {
            from {
                source-address {
                    0.0.0.0/0;
                }
            }
            then accept;
        }
    }
}


Then apply it to the interface.

interfaces {
    em0 {
        unit 0 {
            family inet {
                filter {
                    input ACCESS-CNTRL;
                }
                address 192.168.0.100/24;
            }
        }
    }
}


If you want to temporarily deactivate the filter on the interface without deleting the filter itself (maybe the filter needs to keep working on another interface, or you want to test with the filter off, for example), you can use the deactivate command.

user@olive-core# deactivate interfaces em0.0 family inet filter       
[edit]
user@olive-core# show | compare
[edit interfaces em0 unit 0 family inet]
!        inactive: filter { ... }

[edit]
user@olive-core# commit
commit complete


To set the filter active on the interface again:

[edit]
user@olive-core# activate interfaces em0.0 family inet filter
[edit]
user@olive-core# commit
commit complete

[edit]
user@olive-core#

Now suppose you want to see whether your filter gets hits. You need to apply the action "count" to each filter term you want to see the byte and packet counts for. Each counter has its own name.

user@olive-core> show configuration firewall
filter ACCESS-CNTRL {
    term TELNET-BLOCK {
        from {
            destination-port telnet;
        }
        then {
            count COUNTER-TELNET-BLOCK;
            discard;
        }
    }
    term PERMIT-ALL {
        from {
            source-address {
                0.0.0.0/0;
            }
        }
        then {
            count COUNTER-PERMIT-ALL;
            accept;
        }
    }
}


To see the actual count:

user@olive-core> show firewall
Filter: ACCESS-CNTRL                                          
Counters:
Name                  Bytes              Packets
COUNTER-PERMIT-ALL     2758                   24
COUNTER-TELNET-BLOCK    312                    6


That shows all counters. To see a specific one:

user@olive-core> show firewall counter COUNTER-TELNET-BLOCK filter ACCESS-CNTRL
Filter: ACCESS-CNTRL                                          
Counters:
Name                    Bytes              Packets
COUNTER-TELNET-BLOCK      312                    6


To clear the counter:

user@olive-core> clear firewall counter COUNTER-PERMIT-ALL filter ACCESS-CNTRL   
user@olive-core> show firewall counter COUNTER-PERMIT-ALL filter ACCESS-CNTRL    
Filter: ACCESS-CNTRL                                          
Counters:
Name                                                Bytes              Packets
COUNTER-PERMIT-ALL                                      0                    0

user@olive-core>
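To turn these counters into an automated check rather than an eyeball of "show firewall", here is an added Python example (not from the post) that parses two polls of the output above, works out how many packets each counter gained, allows for a counter having been cleared in between, and reports the discard-term counters that grew. The second poll and the mapping of counter name to discard term are assumptions for the example.

```python
import re
# Sample 'show firewall' output, constructed from the values in the post.
BEFORE = """\
Filter: ACCESS-CNTRL
Counters:
Name                  Bytes              Packets
COUNTER-PERMIT-ALL     2758                   24
COUNTER-TELNET-BLOCK    312                    6
"""
# A later poll (constructed): PERMIT-ALL was cleared in between, TELNET-BLOCK grew.
AFTER = """\
Filter: ACCESS-CNTRL
Counters:
Name                  Bytes              Packets
COUNTER-PERMIT-ALL      115                    1
COUNTER-TELNET-BLOCK    468                    9
"""
# Assumed: counters attached to discard terms (from the filter above).
DISCARD_COUNTERS = {"COUNTER-TELNET-BLOCK"}
_FILTER_RE = re.compile(r"^Filter:\s+(\S+)")
_ROW_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s*$")


def parse_show_firewall(text):
    """Return {filter: {counter: (bytes, packets)}} from the CLI output."""
    result, current = {}, None
    for line in text.splitlines():
        m = _FILTER_RE.match(line)
        if m:
            current = m.group(1)
            result[current] = {}
            continue
        m = _ROW_RE.match(line)
        if m and current is not None:
            result[current][m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return result


def packet_delta(before, after):
    """Packets gained per (filter, counter) between two polls."""
    delta = {}
    for flt, counters in after.items():
        for name, (_, pkts) in counters.items():
            prev = before.get(flt, {}).get(name, (0, 0))[1]
            # A drop means 'clear firewall counter' ran; count from zero.
            delta[(flt, name)] = pkts if pkts < prev else pkts - prev
    return delta


def discard_hits(delta, discard_counters=DISCARD_COUNTERS):
    """Discard-term counters that grew: each packet is a dropped attempt."""
    return {k: v for k, v in delta.items() if k[1] in discard_counters and v > 0}
```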

Model: olive
JUNOS Base OS Software Suite [10.1R1.8]
