Juniper firewall: restricting which sources may reach the management interfaces

When remote management is enabled on a Juniper firewall (Telnet, SSH, HTTP, HTTPS), be aware that without a dedicated firewall filter the management services may be reachable from the Internet, where they will be probed by brute-force login attempts from everywhere. A Junos firewall filter applied to the loopback interface drops that traffic before it reaches the routing engine; the configuration below is offered for reference.

.First create the filter "MgnACL"
rule1. Allow the trusted source address to reach SSH, HTTP and HTTPS. (Note that `from port` matches either the source or the destination port of a packet; `destination-port` is the tighter match if you only want to match the service port.)
set firewall family inet filter MgnACL term access from source-address 218.99.87.88/32
set firewall family inet filter MgnACL term access from protocol tcp
set firewall family inet filter MgnACL term access from port ssh
set firewall family inet filter MgnACL term access from port http
set firewall family inet filter MgnACL term access from port https
set firewall family inet filter MgnACL term access then accept

rule2. Reject management connections from every other source. Telnet appears here but not in rule1, so it is blocked from everyone, including the trusted source. `reject` answers with an ICMP unreachable message, which tells a scanner that a device is there; `discard` drops the packet silently if you prefer that. Matches are logged and can be reviewed with `show firewall log`.
set firewall family inet filter MgnACL term access_denied from protocol tcp
set firewall family inet filter MgnACL term access_denied from port ssh
set firewall family inet filter MgnACL term access_denied from port telnet
set firewall family inet filter MgnACL term access_denied from port http
set firewall family inet filter MgnACL term access_denied from port https
set firewall family inet filter MgnACL term access_denied then log
set firewall family inet filter MgnACL term access_denied then reject

rule3. Accept everything that did not match the terms above. Every Junos filter ends with an implicit discard, so without this term the lo0 filter would also drop routing-protocol sessions, DNS replies and any other traffic destined to the routing engine.
set firewall family inet filter MgnACL term default-term then accept

.Apply filter "MgnACL" as an input filter on the lo0 interface; this covers traffic to the routing engine no matter which physical interface it arrives on (J-Web may not display lo0 if it has never been used). A mistake in the filter can lock you out of the device, so it is safer to use `commit confirmed`, which rolls the change back automatically unless you confirm it afterwards.
set interfaces lo0 unit 0 family inet filter input MgnACL
commit

(To remove it) → delete interfaces lo0 unit 0 family inet filter input
commit
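Before committing a loopback filter on a real box it helps to check what each kind of packet would hit. The script below is an added example, not code from the original post or from Juniper: it parses the post's own `set firewall ...` lines and walks the terms with Junos first-match semantics (every `from` keyword must match, values under one keyword are OR'ed, `port` matches either direction, a term without a terminating action accepts, and a packet that matches no term hits the implicit discard). The filter text and 218.99.87.88 are the post's; the sample packets, the 203.0.113.9 stranger address and all function names are constructed for this example.

```python
"""Offline walk-through of the MgnACL lo0 filter with Junos first-match semantics."""
import ipaddress
import re

# The post's own filter, copied as set-style configuration lines.
MGN_ACL_CONFIG = """
set firewall family inet filter MgnACL term access from source-address 218.99.87.88/32
set firewall family inet filter MgnACL term access from protocol tcp
set firewall family inet filter MgnACL term access from port ssh
set firewall family inet filter MgnACL term access from port http
set firewall family inet filter MgnACL term access from port https
set firewall family inet filter MgnACL term access then accept
set firewall family inet filter MgnACL term access_denied from protocol tcp
set firewall family inet filter MgnACL term access_denied from port ssh
set firewall family inet filter MgnACL term access_denied from port telnet
set firewall family inet filter MgnACL term access_denied from port http
set firewall family inet filter MgnACL term access_denied from port https
set firewall family inet filter MgnACL term access_denied then log
set firewall family inet filter MgnACL term access_denied then reject
set firewall family inet filter MgnACL term default-term then accept
"""

# Junos resolves these well-known service names to port numbers.
SERVICE_PORTS = {"ssh": 22, "telnet": 23, "http": 80, "https": 443}
TERMINATING = ("accept", "reject", "discard")

LINE_RE = re.compile(
    r"set firewall family inet filter (\S+) term (\S+) (from|then) (\S+)(?: (\S+))?$"
)


def parse_filter(config, name):
    """Return the terms of filter `name` in configuration order."""
    terms = {}  # dict preserves insertion order, which is the term order
    for line in config.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group(1) != name:
            continue
        _, term, clause, key, value = m.groups()
        t = terms.setdefault(term, {"name": term, "from": {}, "then": []})
        if clause == "from":
            t["from"].setdefault(key, []).append(value)
        else:
            t["then"].append(key)
    return list(terms.values())


def _ports_to_check(pkt, key):
    """`port` matches either direction; destination-port/source-port only one."""
    if key == "port":
        return {pkt["sport"], pkt["dport"]}
    return {pkt["dport"]} if key == "destination-port" else {pkt["sport"]}


def term_matches(term, pkt):
    """All `from` keywords must match; several values under one keyword are OR'ed."""
    cond = term["from"]
    if "source-address" in cond:
        src = ipaddress.ip_address(pkt["src"])
        if not any(src in ipaddress.ip_network(p) for p in cond["source-address"]):
            return False
    if "protocol" in cond and pkt["proto"] not in cond["protocol"]:
        return False
    for key in ("port", "destination-port", "source-port"):
        if key in cond:
            wanted = {int(SERVICE_PORTS.get(v, v)) for v in cond[key]}
            if not wanted & _ports_to_check(pkt, key):
                return False
    return True


def evaluate(terms, pkt):
    """First matching term decides; returns (term name, action, logged).

    A term with no terminating action accepts. A packet that matches no term
    at all hits the implicit discard at the end of every Junos filter.
    """
    for t in terms:
        if term_matches(t, pkt):
            action = next((a for a in t["then"] if a in TERMINATING), "accept")
            return t["name"], action, "log" in t["then"]
    return "<implicit>", "discard", False


def packet(src, proto, dport, sport=40000):
    return {"src": src, "proto": proto, "sport": sport, "dport": dport}


# Constructed sample traffic towards the routing engine (203.0.113.9 is a TEST-NET address).
SAMPLE_PACKETS = {
    "admin ssh": packet("218.99.87.88", "tcp", 22),
    "admin telnet": packet("218.99.87.88", "tcp", 23),
    "stranger https": packet("203.0.113.9", "tcp", 443),
    "bgp peer": packet("203.0.113.9", "tcp", 179),
    "dns reply": packet("203.0.113.9", "udp", 53, sport=53),
    "bgp from sport 22": packet("203.0.113.9", "tcp", 179, sport=22),
}


def run_all(config=MGN_ACL_CONFIG, packets=SAMPLE_PACKETS, name="MgnACL"):
    terms = parse_filter(config, name)
    return {label: evaluate(terms, pkt) for label, pkt in packets.items()}


if __name__ == "__main__":
    for label, (term, action, logged) in run_all().items():
        print(f"{label:18} -> {term:14} {action}{'  (logged)' if logged else ''}")
```

Two results are worth noticing. The "bgp from sport 22" packet is rejected by `access_denied` even though it is not management traffic at all, because `port` also matches the source port; that is the case for `destination-port`. And if you remove the `default-term` line from MGN_ACL_CONFIG and run again, the BGP and DNS packets fall through to the implicit discard, which is exactly the lockout rule3 prevents.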

Reference: "Juniper SRX JUNOS: using a Firewall Filter so that only specific IPs can manage the device" (taiwankid-computer.blogspot.com)