How should you apply the firewall filter?

You need to control SSH, HTTP, and Telnet access to an MX240 router through any interface.
You have decided to use a firewall filter. How should you apply the firewall filter?

A.
as an outbound filter on interface fxp0

B.
as an outbound filter on interface lo0

C.
as an inbound filter on interface fxp0

D.
as an inbound filter on interface lo0

Explanation:

humberto
How to Protect the Junos Routing Engine
By Walter J. Goralski, Cathy Gadecki, and Michael Bushong from JUNOS OS For Dummies, 2nd Edition

Although all interfaces are important, the loopback (lo0) interface is perhaps the most important because it is the link to the Routing Engine, which runs and monitors all the routing protocols. This article provides the skeleton of a firewall filter that protects the Routing Engine. You can use this example as a blueprint to design the appropriate filter for your router. The filter is applied to the router’s lo0 interface.

This filter is for a router configured for a common IPv4 setup:

IPv4

BGP and IS-IS routing protocols

RADIUS, SSH, and Telnet access

SNMP NMS access

NTP

Because firewall filters are evaluated in order, place the most time-critical items — the routing protocols — first. Accept traffic from your known BGP peers and from the known IS-IS neighbors with the AS using the following set commands:

[edit firewall filter routing-engine]
set term bgp-filter from source-address peer-address1
set term bgp-filter from source-address peer-address2
set term bgp-filter from protocol tcp
set term bgp-filter from port bgp
set term bgp-filter then accept

Then accept DNS traffic (for hostname resolution):

[edit firewall filter routing-engine]
set term dns-filter from source-address network-address
set term dns-filter from protocol [ tcp udp ]
set term dns-filter from port domain
set term dns-filter then accept

Next, accept RADIUS, SSH, Telnet, and SNMP NMS traffic:

[edit firewall filter routing-engine]
set term radius-filter from source-address radius-server-address1
set term radius-filter from source-address radius-server-address2
set term radius-filter from source-port radius
set term radius-filter then accept
set term ssh-telnet-filter from source-address network-address1
set term ssh-telnet-filter from source-address network-address2
set term ssh-telnet-filter from protocol tcp
set term ssh-telnet-filter from destination-port [ ssh telnet ]
set term ssh-telnet-filter then accept
set term snmp-filter from source-address network-address1
set term snmp-filter from source-address network-address2
set term snmp-filter from protocol udp
set term snmp-filter from destination-port snmp
set term snmp-filter then accept

The last traffic to accept is from the NTP time servers and the ICMP protocol (which sends IPv4 error messages):

[edit firewall filter routing-engine]
set term ntp-filter from source-address server-address1
set term ntp-filter from source-address server-address2
set term ntp-filter from source-address 127.0.0.1
set term ntp-filter from protocol udp
set term ntp-filter from port ntp
set term ntp-filter then accept
set term icmp-filter from protocol icmp
set term icmp-filter from icmp-type [ echo-request echo-reply unreachable time-exceeded source-quench ]
set term icmp-filter then accept

The final part of the filter explicitly discards all other traffic:

[edit firewall filter routing-engine]
set term discard-the-rest then count counter-filename
set term discard-the-rest then log
set term discard-the-rest then syslog
set term discard-the-rest then reject

You need to create the file in which to place the syslog messages:

[edit system]
fred@router# set syslog file filename firewall any

And lastly, apply the firewall filter to the router’s loopback interface:

[edit interfaces]
fred@router# set lo0 unit 0 family inet filter input routing-engine
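
The quoted article shows the terms but not how Junos evaluates them. The following is an added example (not code from the original post, from the For Dummies article, or from Juniper): a small first-match evaluator that models a Routing Engine protection filter with the same kinds of terms, and a renderer that emits the corresponding set commands. The peer, management and NTP addresses, the packets and the numeric ports are constructed sample values; the count, log and syslog actions of the final term are not modelled.

```python
"""Added example, not code from the original post or the article it quotes:
a first-match evaluator for a Routing Engine protection filter modelled on
the terms above, plus a renderer that emits the equivalent Junos 'set'
lines.  All prefixes, addresses and packets are constructed sample values."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Packet:
    src: str
    proto: str                 # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    icmp_type: str = ""


@dataclass
class Term:
    """One filter term.  Every configured 'from' criterion must hold;
    a criterion left empty matches anything, as in Junos."""
    name: str
    action: str                                      # "accept" or "reject"
    sources: list = field(default_factory=list)      # source-address prefixes
    protocols: list = field(default_factory=list)    # protocol
    ports: list = field(default_factory=list)        # port (either direction)
    sports: list = field(default_factory=list)       # source-port
    dports: list = field(default_factory=list)       # destination-port
    icmp_types: list = field(default_factory=list)   # icmp-type

    def matches(self, p: Packet) -> bool:
        checks = [
            (self.sources, lambda: any(ip_address(p.src) in ip_network(n) for n in self.sources)),
            (self.protocols, lambda: p.proto in self.protocols),
            (self.ports, lambda: p.sport in self.ports or p.dport in self.ports),
            (self.sports, lambda: p.sport in self.sports),
            (self.dports, lambda: p.dport in self.dports),
            (self.icmp_types, lambda: p.icmp_type in self.icmp_types),
        ]
        # all() over no configured criteria is True: a bare term matches everything
        return all(test() for configured, test in checks if configured)


# Constructed sample policy (hypothetical documentation-range addresses).
BGP_PEERS = ["192.0.2.1/32", "192.0.2.2/32"]
MGMT_NET = ["198.51.100.0/24"]
NTP_SERVERS = ["203.0.113.10/32", "203.0.113.11/32", "127.0.0.1/32"]

FILTER = [
    # most time-critical traffic first, then management, then the catch-all
    Term("bgp-filter", "accept", sources=BGP_PEERS, protocols=["tcp"], ports=[179]),
    Term("ssh-telnet-filter", "accept", sources=MGMT_NET, protocols=["tcp"], dports=[22, 23]),
    Term("snmp-filter", "accept", sources=MGMT_NET, protocols=["udp"], dports=[161]),
    Term("ntp-filter", "accept", sources=NTP_SERVERS, protocols=["udp"], ports=[123]),
    Term("icmp-filter", "accept", protocols=["icmp"],
         icmp_types=["echo-request", "echo-reply", "unreachable", "time-exceeded"]),
    Term("discard-the-rest", "reject"),   # explicit final term; no 'from' clause
]


def evaluate(packet: Packet, terms=FILTER):
    """Junos semantics: terms are tried in order and the first match decides.
    If no term matches, the filter's implicit default discards the packet."""
    for t in terms:
        if t.matches(packet):
            return t.name, t.action
    return "implicit-discard", "discard"


def _junos_list(values):
    text = " ".join(str(v) for v in values)
    return text if len(values) == 1 else f"[ {text} ]"


def render_set_commands(terms=FILTER, filter_name="routing-engine"):
    """Emit the 'set' lines for the modelled terms, using numeric ports
    (Junos also accepts names such as bgp, ssh, telnet, snmp and ntp)."""
    lines = [f"[edit firewall filter {filter_name}]"]
    for t in terms:
        frm = f"set term {t.name} from"
        lines += [f"{frm} source-address {n}" for n in t.sources]
        for keyword, values in (("protocol", t.protocols), ("port", t.ports),
                                ("source-port", t.sports),
                                ("destination-port", t.dports),
                                ("icmp-type", t.icmp_types)):
            if values:
                lines.append(f"{frm} {keyword} {_junos_list(values)}")
        lines.append(f"set term {t.name} then {t.action}")
    return lines


if __name__ == "__main__":
    for pkt in (Packet("198.51.100.7", "tcp", dport=22),      # SSH from management net
                Packet("203.0.113.99", "tcp", dport=22),      # SSH from elsewhere
                Packet("192.0.2.1", "tcp", sport=179, dport=54000),  # BGP reply from a peer
                Packet("192.0.2.1", "tcp", dport=22)):        # BGP peer trying SSH
        print(pkt, "->", evaluate(pkt))
    print("\n".join(render_set_commands()))
```

Because the filter is attached as an input filter on lo0, every packet addressed to the Routing Engine is checked this way no matter which physical interface it arrived on; the same SSH packet is accepted from the management prefix and rejected by the final term from anywhere else, and a term with no from clause (discard-the-rest) matches whatever the earlier terms let through.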

humberto

Understanding Management Ethernet Interfaces (fxp0 is incorrect because it is a management interface for OOB)

The management Ethernet interface provides an out-of-band method for connecting to the router using utilities such as ssh and telnet to monitor or configure the router, or the Simple Network Management Protocol (SNMP) to gather statistics from the router. The Junos OS automatically configures the router’s management Ethernet interface, as either em0 or fxp0, and the internal Ethernet interface, em1 or fxp1, which connects the Routing Engine with the router’s packet-forwarding components.

You can use the show chassis hardware command to display hardware information about the router, including its Routing Engine model. The specific Routing Engine model installed in the routers determines which of the two management Ethernet interface types is supported, em0 or fxp0. To determine which management interface type is supported on a router, locate the router and Routing Engine combination in Supported Routing Engines by Chassis and note its management Ethernet interface type, either em0 or fxp0.

To use a type em0 management Ethernet interface as a management port, you must configure its logical port, em0.0, with a valid IP address.

To use a type fxp0 management Ethernet interface as a management port, you must configure its logical port, fxp0.0, with a valid IP address.

For the J Series Services Routers, you can use any of the built-in Ethernet ports as a management interface. To use a built-in interface as a management Ethernet interface, configure it with a valid IP address. The factory configuration for the J4350 and J6350 Services Routers automatically enables the J-Web user interface on the ge-0/0/0, ge-0/0/1, ge-0/0/2, and ge-0/0/3 interfaces. To manually configure J-Web access, include the interface interface-name statement at the [edit system services web-management http] hierarchy level.