Hi folks, just my 2 cents on this.

1. Block the content you don't want exclusively, like source-address + protocol tcp + port telnet/ssh:

```
[edit]
labroot# show firewall family inet filter cust | display set
set firewall family inet filter cust term 1 from source-address 192.168.1.0/25
set firewall family inet filter cust term 1 from protocol tcp
set firewall family inet filter cust term 1 from destination-port telnet
set firewall family inet filter cust term 1 from destination-port ssh
set firewall family inet filter cust term 1 then log
set firewall family inet filter cust term 1 then discard
```

2. Allow what you want with the range command (destination-port range):

```
[edit]
labroot# set firewall family inet filter cust term 2 from protocol tcp

[edit]
labroot# set firewall family inet filter cust term 2 from destination-?
Possible completions:
> destination-address        Match IP destination address
+ destination-class          Match destination class
+ destination-class-except   Do not match destination class
+ destination-port           Match TCP/UDP destination port
+ destination-port-except    Do not match TCP/UDP destination port
> destination-prefix-list    Match IP destination prefixes in named list

[edit]
labroot# set firewall family inet filter cust term 2 from destination-port?
Possible completions:
+ destination-port           Match TCP/UDP destination port
+ destination-port-except    Do not match TCP/UDP destination port

[edit]
labroot# set firewall family inet filter cust term 2 from destination-port ?
Possible completions:
  <range>                    Range of values
```

Example (working one):

```
term UDP_trace {
    from {
        protocol udp;
        destination-port 33434-33534;
    }
    then {
        policer udppolicer;
        count trace;
        accept;
    }
}
```

Followed by the desired drop/allow terms, with a default drop action.
Re: Firewall filter to accept traffic from tcp, udp except destined for ssh/telnet
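The two steps above put together into one complete filter, as an added example that is not part of the original post: a first term that discards TCP to ssh/telnet from the post's 192.168.1.0/25 range, a second term that accepts the remaining TCP and UDP, and a final term that discards everything else. The filter name `cust`, the counter names, the interface `ge-0/0/0` and the `1024-65535` port range are assumptions for illustration; remove the `destination-port` line if every TCP/UDP port should be accepted.

```junos
firewall {
    family inet {
        filter cust {
            /* Terms are evaluated top to bottom and the first match wins,
               so the ssh/telnet discard must come before the broad accept. */
            term deny-mgmt {
                from {
                    /* source range taken from the post; adjust as needed */
                    source-address {
                        192.168.1.0/25;
                    }
                    protocol tcp;
                    destination-port [ ssh telnet ];
                }
                then {
                    /* log writes to the PFE buffer viewable with "show firewall log" */
                    log;
                    discard;
                }
            }
            term allow-tcp-udp {
                from {
                    protocol [ tcp udp ];
                    /* assumed range for illustration; delete to accept all ports */
                    destination-port 1024-65535;
                }
                then {
                    count allow-tcp-udp;
                    accept;
                }
            }
            /* default drop: anything not matched above is discarded and counted */
            term default-drop {
                then {
                    count default-drop;
                    discard;
                }
            }
        }
    }
}
interfaces {
    /* assumed interface; apply the filter inbound where the traffic arrives */
    ge-0/0/0 {
        unit 0 {
            family inet {
                filter {
                    input cust;
                }
            }
        }
    }
}
```

Two things to check before committing: the final `discard` term also drops non-TCP/UDP traffic such as ICMP and any routing-protocol packets arriving on that interface, so add explicit accept terms for those if the interface needs them, and the counters on the accept and default-drop terms (`show firewall filter cust`) are the quickest way to confirm the terms are matching in the order you expect.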