Seeing a lot of SSH attempts from China on my external inet on the 2200.
Have root login denied but don't even want to see them trying...
Trying to set up a firewall filter and not having much luck. What am I doing wrong?
Removed some of the config of course... thanks
Using this doc....
Here is my config - removed private items of course... IPs are not really relevant - won't let me commit this filter to lo0
-------------------------------------------------------------------------------------------------------
root@iswitch# run show configuration | display set
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members INTERNET
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members INTERNET
set interfaces ge-0/1/0 description "to Internet"
set interfaces ge-0/1/0 ether-options no-auto-negotiation
set interfaces ge-0/1/0 ether-options link-mode full-duplex
set interfaces ge-0/1/0 ether-options speed 1g
set interfaces ge-0/1/0 unit 0 family inet address x.x.x.x/x - ISP assigned IP
set interfaces vlan unit 71 family inet address x.x.x.x/x - our external IP
set routing-options static route 0.0.0.0/0 next-hop x.x.x.x - external ISP IP
set routing-options static route x.x.x.x next-hop x.x.x.x (internal routing)
(added this per doc linked above)
set firewall family inet filter local_acl term terminal_access from source-address x.x.x.x/x (internal range)
set firewall family inet filter local_acl term terminal_access from protocol tcp
set firewall family inet filter local_acl term terminal_access from port ssh
set firewall family inet filter local_acl term terminal_access from port telnet
set firewall family inet filter local_acl term terminal_access then accept
set firewall family inet filter local_acl term terminal_access_denied from protocol tcp
set firewall family inet filter local_acl term terminal_access_denied from port ssh
set firewall family inet filter local_acl term terminal_access_denied from port telnet
set firewall family inet filter local_acl term terminal_access_denied then log
set firewall family inet filter local_acl term terminal_access_denied then reject
set firewall family inet filter local_acl term default-term then accept
set interfaces lo0 unit 0 family inet filter input local_acl
set interfaces lo0 unit 0 family inet address 127.0.0.1/32
(end added per doc above)
set ethernet-switching-options storm-control interface all
set vlans INTERNET vlan-id 71
set vlans INTERNET l3-interface vlan.71
-------------------------------------------------------------------------------------------------------
Commit and I get this... remove log and it fails as well and doesn't like reject.... tried discard and doesn't like that either...
root@iswitch# commit check
[edit interfaces lo0 unit 0 family inet]
'filter'
Referenced filter 'local_acl' can not be used as log not supported on ingress loopback interface
error: configuration check-out failed
Thanks
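For comparison, here is an added example of the same loopback filter written with only the actions that loopback ingress filters on EX-series switches are expected to take (accept, discard and count; neither log nor reject). This is not the original poster's config and not from the linked doc. It assumes the switch rejects `log`, `syslog` and `reject` on lo0, that `count` is accepted (if your platform refuses that line too, drop it), and it uses the documentation prefix 192.0.2.0/24 as a constructed placeholder for the trusted management range. It also matches on destination-port rather than port, because `from port ssh` matches either end of the connection and would also drop the replies to an SSH session the switch itself opens.

```junos
# Added example, not the original post's configuration. Assumes an EX-series
# switch whose lo0 ingress filters support only accept/discard/count actions.
# 192.0.2.0/24 is a constructed placeholder for the trusted management range.
set firewall family inet filter local_acl term terminal_access from source-address 192.0.2.0/24
set firewall family inet filter local_acl term terminal_access from protocol tcp
set firewall family inet filter local_acl term terminal_access from destination-port ssh
set firewall family inet filter local_acl term terminal_access from destination-port telnet
set firewall family inet filter local_acl term terminal_access then accept
# Any other SSH/telnet aimed at the switch itself: count it, then drop it silently.
set firewall family inet filter local_acl term terminal_access_denied from protocol tcp
set firewall family inet filter local_acl term terminal_access_denied from destination-port ssh
set firewall family inet filter local_acl term terminal_access_denied from destination-port telnet
set firewall family inet filter local_acl term terminal_access_denied then count ssh_telnet_denied
set firewall family inet filter local_acl term terminal_access_denied then discard
# Leave every other packet to the routing engine (routing, NTP, DNS replies...) alone.
set firewall family inet filter local_acl term default-term then accept
set interfaces lo0 unit 0 family inet filter input local_acl
set interfaces lo0 unit 0 family inet address 127.0.0.1/32
```

Run `commit check` first, then commit with `commit confirmed 5` so the change rolls back automatically if your own management session is not inside the accepted source range and you lock yourself out. The counter replaces the unsupported `log` action: `show firewall filter local_acl` shows how many scan packets the denied term has dropped, which is usually all the visibility you need for background SSH noise.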