Restricting access to management on Juniper MX

In this article, I will give an example of restricting access to the management of a Juniper MX204 with a firewall filter.

Suppose the SSH and Telnet services are enabled, a user has been created, and IP addresses are assigned to the interfaces (the fxp0 management port, the lo0 loopback and a unit on et-0/0/2):

configure
set system services ssh
set system services telnet
show system services

set system login user ixnfo authentication plain-text-password
set system login user ixnfo class super-user

set interfaces fxp0 unit 0 family inet address 192.168.24.200/24
set routing-options static route 0.0.0.0/0 next-hop 192.168.24.1 no-readvertise
show routing-options

set interfaces lo0 unit 0 family inet address 172.17.0.1/21

set interfaces et-0/0/2 unit 500 family inet address 192.168.90.8/28

Now let’s create a list of the IP addresses that will be allowed to connect to the device via SSH or Telnet; for example, let’s call it “manager-ip”:

set policy-options prefix-list manager-ip 192.168.24.0/24
set policy-options prefix-list manager-ip 10.0.5.1/32
show policy-options

To remove an address from the list later:

edit policy-options
delete prefix-list manager-ip 10.0.5.1/32
show
exit

Now let’s create a firewall filter, for example called “limit-mgmt-access”. Its first term matches TCP connections to the ssh and telnet ports (and any other ports we list) from every source except the addresses in the manager-ip list, logs them and discards them; the last term accepts everything else:

set firewall filter limit-mgmt-access term block_non_manager from source-address 0.0.0.0/0
set firewall filter limit-mgmt-access term block_non_manager from source-prefix-list manager-ip except
set firewall filter limit-mgmt-access term block_non_manager from protocol tcp
set firewall filter limit-mgmt-access term block_non_manager from destination-port ssh
set firewall filter limit-mgmt-access term block_non_manager from destination-port 2222
set firewall filter limit-mgmt-access term block_non_manager from destination-port telnet
set firewall filter limit-mgmt-access term block_non_manager from destination-port snmp
set firewall filter limit-mgmt-access term block_non_manager from destination-port dhcp
set firewall filter limit-mgmt-access term block_non_manager from destination-port bgp
set firewall filter limit-mgmt-access term block_non_manager then log
set firewall filter limit-mgmt-access term block_non_manager then discard
set firewall filter limit-mgmt-access term accept_everything_else then accept

The “then log” action records matching packets in the firewall log for debugging and can be omitted or removed later.
The last term is mandatory: it accepts all other incoming traffic, because a packet that matches no term is dropped by the implicit discard at the end of every filter.
If ssh runs on a non-standard port, or you need to restrict access to other services, list those ports as well, for example “from destination-port 2222”. Keep in mind that every port listed in block_non_manager becomes reachable only from manager-ip, so with bgp in the list the BGP peers must be in manager-ip too, and because the term also matches “protocol tcp”, the snmp and dhcp entries only cover TCP, not the UDP those services normally use.

Let’s look at the created filter in the candidate configuration (after commit, “run show firewall” shows the committed filters with their counters):

show firewall

Let’s apply the created filter to the interfaces that have IP addresses and commit. Note that an input filter on lo0 is evaluated for all traffic addressed to the Routing Engine, not only packets sent to the lo0 address, so it also affects traffic arriving on the other interfaces:

set interfaces lo0 unit 0 family inet filter input limit-mgmt-access
set interfaces fxp0 unit 0 family inet filter input limit-mgmt-access
set interfaces et-0/0/2 unit 500 family inet filter input limit-mgmt-access
show interfaces
commit

Let’s leave configuration mode and look at the firewall log, where the “then log” action records the discarded connections:

exit
show firewall log
show firewall log detail
clear firewall log

You can also SSH to other devices from the CLI:

ssh user@10.0.5.254
exit

Here is another example: a filter that allows SSH (on port 2222) and BGP from the specified networks and discards everything else. Note that any other service the router uses must be listed too: if DHCP or RADIUS are configured on the Juniper, their traffic must be allowed as well, otherwise users will not be given IP addresses, RADIUS replies will be dropped, etc. The same goes for replies to sessions the router itself opens (DNS, NTP, the outbound SSH shown above), since they also reach the Routing Engine through this filter:

set firewall family inet filter protect-RE term ssh-term from source-address 172.15.0.5/28
set firewall family inet filter protect-RE term ssh-term from source-address 10.0.0.0/24
set firewall family inet filter protect-RE term ssh-term from protocol tcp
set firewall family inet filter protect-RE term ssh-term from destination-port 2222
set firewall family inet filter protect-RE term ssh-term then accept
set firewall family inet filter protect-RE term bgp-term from source-address 10.2.1.0/24
set firewall family inet filter protect-RE term bgp-term from protocol tcp
set firewall family inet filter protect-RE term bgp-term from destination-port bgp
set firewall family inet filter protect-RE term bgp-term then accept
set firewall family inet filter protect-RE term discard-rest-term then log
set firewall family inet filter protect-RE term discard-rest-term then syslog
set firewall family inet filter protect-RE term discard-rest-term then discard
set interfaces lo0 unit 0 family inet filter input protect-RE

Another example: we allow connections to all ports on the Juniper from the specified networks and discard everything else. Since the intention is to accept every protocol and port from those networks, the allow-all term needs only the source addresses; a “from protocol tcp” qualifier would leave UDP and ICMP from the same networks to be dropped by the last term:

set firewall family inet filter protect-RE term allow-all from source-address 172.15.0.5/32
set firewall family inet filter protect-RE term allow-all from source-address 10.0.10.0/24
set firewall family inet filter protect-RE term allow-all then accept
set firewall family inet filter protect-RE term discard-rest-term then log
set firewall family inet filter protect-RE term discard-rest-term then syslog
set firewall family inet filter protect-RE term discard-rest-term then discard
set interfaces lo0 unit 0 family inet filter input protect-RE
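As an added example that is not part of this article, here is a small Python evaluator for set-format filters like the ones above. It reproduces the term-by-term first-match logic, the “except” prefix-list, and the implicit discard at the end of a filter, so a filter can be sanity-checked against sample packets before it is committed to lo0. The CONFIG string is a constructed sample assembled from the article’s commands (named or numeric single ports only; the PORTS table lists the names Junos accepts that this article uses).

```python
import ipaddress

PORTS = {"ssh": 22, "telnet": 23, "snmp": 161, "dhcp": 67, "bgp": 179}   # names Junos accepts
CONV = {"source-address": ipaddress.ip_network, "destination-port": lambda p: PORTS.get(p) or int(p)}

def parse(config):
    plists, filters = {}, {}   # prefix-list name -> networks; filter -> term -> from/then
    for tok in (line.split() for line in config.strip().splitlines()):
        if tok[1] == "policy-options":              # prefix-list entries
            plists.setdefault(tok[3], []).append(ipaddress.ip_network(tok[4]))
            continue
        term = filters.setdefault(tok[3], {}).setdefault(tok[5], {"from": {}, "then": []})
        if tok[6] == "then":
            term["then"].append(tok[7])
        elif tok[7] == "source-prefix-list":        # a trailing "except" inverts the list
            key = "except" if tok[-1] == "except" else "source-address"
            term["from"].setdefault(key, []).extend(plists[tok[8]])
        else:                                       # source-address, protocol, destination-port
            term["from"].setdefault(tok[7], []).append(CONV.get(tok[7], str)(tok[8]))
    return filters

def evaluate(filters, name, src, proto, dport):
    """Terms are tried in order and the first match decides."""
    src = ipaddress.ip_address(src)
    for tname, term in filters[name].items():
        f = term["from"]
        mismatch = [
            "protocol" in f and proto not in f["protocol"],
            "destination-port" in f and dport not in f["destination-port"],
            "source-address" in f and not any(src in n for n in f["source-address"]),
            any(src in n for n in f.get("except", [])),  # source is in an "except" prefix
        ]
        if not any(mismatch):
            return tname, "discard" if "discard" in term["then"] else "accept"
    return None, "discard"   # implicit discard at the end of every Junos filter

CONFIG = """\
set policy-options prefix-list manager-ip 192.168.24.0/24
set firewall filter limit-mgmt-access term block_non_manager from source-address 0.0.0.0/0
set firewall filter limit-mgmt-access term block_non_manager from source-prefix-list manager-ip except
set firewall filter limit-mgmt-access term block_non_manager from protocol tcp
set firewall filter limit-mgmt-access term block_non_manager from destination-port ssh
set firewall filter limit-mgmt-access term block_non_manager from destination-port snmp
set firewall filter limit-mgmt-access term block_non_manager then discard
set firewall filter limit-mgmt-access term accept_everything_else then accept
set firewall filter protect-RE term allow-all from source-address 10.0.10.0/24
set firewall filter protect-RE term allow-all then accept
set firewall filter protect-RE term discard-rest-term then discard
"""
FILTERS = parse(CONFIG)   # CONFIG is a constructed sample assembled from the article's commands
```

Evaluating a non-manager UDP packet to port 161 against limit-mgmt-access shows the caveat from above: the “protocol tcp” qualifier lets it through to the accept term.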

To confirm which ports remain reachable once the filter is committed, run a port scan against the device from a Linux host outside the allowed networks, for example (this scans TCP; add “-sU” to also check UDP services such as SNMP):

nmap -p1-65535 192.168.55.55

Several filters can be created and then applied together with “filter input-list”.
I do not recommend using reject instead of discard: reject makes the Routing Engine send an ICMP unreachable (or a TCP reset, if so configured) for every rejected packet, which is expensive for its CPU, whereas discard drops the packet silently.

See also my articles:
Juniper MX204 setup
IPTables rules for DHCP
