Networker's Security Tistory

Juniper Firewall, ACL

 

Firewall filter (Access-list)

 

1. Defining a firewall filter

 

set firewall family inet filter <acl name> term <term name> from <match>

set firewall family inet filter <acl name> term <term name> then <action>

<ACL NAME> : the name of the ACL that will be applied to an interface

<Term name> : the description (label) of an ACL line

<Match> : the conditions used for ACL matching on MAC address, IP address, protocol, or Layer 4 port

<Action> : the action that decides whether the packet is denied or permitted

* Action types

discard : denies the packet.

accept : permits the packet.

 

2. Applying the filter to an interface in the input/output direction

 

set interfaces vlan unit 10 family inet filter input <ACL NAME>

(Only packets going from 1.1.1.1/32 to 1.1.1.2/32 are discarded; all other packets are forwarded.)

 

 

------------------------------------------------------------

 

1. Creating the firewall filter (ACL)

 

juniper@EX2# set firewall family inet filter blockhost term 1 from source-address 1.1.1.1/32

juniper@EX2# set firewall family inet filter blockhost term 1 from destination-address 1.1.1.2/32

juniper@EX2# set firewall family inet filter blockhost term 1 then discard

juniper@EX2# set firewall family inet filter blockhost term 2 then accept

juniper@EX2# set firewall family inet filter blockhost term 2 then count blockcount   (counter option)

 

2. Applying the filter to the interfaces

 

juniper@EX2# set interfaces vlan unit 10 family inet filter input blockhost

juniper@EX2# set interfaces vlan unit 20 family inet filter input blockhost

 

3. Checking the counter

 

juniper@EX2# run show firewall filter blockhost

Filter: blockhost

Counters:

Name                 Bytes     Packets
blockcount               0           0
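The following Python model is added here and is not part of the original post or of Junos itself. It shows two things a practitioner should check before trusting this filter: first, why term 2's bare accept is required (a Junos firewall filter ends with an implicit discard, so with only term 1 every other packet would be dropped as well); second, that count blockcount sits on term 2, so it counts the packets that fall through to the accept term, not the packets term 1 discards. If the goal is to count what is being blocked, the count action belongs on term 1. The class and function names (Term, Filter, build_blockhost, show_counters) and the sample flows are constructed for this example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple
import ipaddress


@dataclass
class Term:
    """One term of a 'family inet' firewall filter (a model, not Junos code)."""
    name: str
    source_address: Optional[str] = None       # 'from source-address <prefix>'
    destination_address: Optional[str] = None  # 'from destination-address <prefix>'
    action: str = "accept"                     # 'then accept' or 'then discard'
    counter: Optional[str] = None              # 'then count <name>'

    def matches(self, src: str, dst: str) -> bool:
        # A term without any 'from' clause matches every packet.
        if self.source_address:
            if ipaddress.ip_address(src) not in ipaddress.ip_network(self.source_address):
                return False
        if self.destination_address:
            if ipaddress.ip_address(dst) not in ipaddress.ip_network(self.destination_address):
                return False
        return True


@dataclass
class Filter:
    name: str
    terms: List[Term] = field(default_factory=list)
    # counter name -> (bytes, packets), the two columns 'show firewall filter' prints
    counters: Dict[str, Tuple[int, int]] = field(default_factory=dict)

    def evaluate(self, src: str, dst: str, size: int = 64) -> str:
        """Return the action for one packet: terms are tried top-down, first match wins."""
        for term in self.terms:
            if term.matches(src, dst):
                if term.counter:  # only the matching term's counter is incremented
                    b, p = self.counters.get(term.counter, (0, 0))
                    self.counters[term.counter] = (b + size, p + 1)
                return term.action
        # Junos behaviour: a packet that matches no term hits the implicit discard.
        return "discard"

    def set_commands(self) -> List[str]:
        """Render the filter as the 'set' statements pasted into configure mode."""
        prefix = f"set firewall family inet filter {self.name} term"
        out: List[str] = []
        for t in self.terms:
            if t.source_address:
                out.append(f"{prefix} {t.name} from source-address {t.source_address}")
            if t.destination_address:
                out.append(f"{prefix} {t.name} from destination-address {t.destination_address}")
            out.append(f"{prefix} {t.name} then {t.action}")
            if t.counter:
                out.append(f"{prefix} {t.name} then count {t.counter}")
        return out


def build_blockhost(with_catch_all: bool = True) -> Filter:
    """The post's 'blockhost' filter; with_catch_all=False leaves out term 2."""
    f = Filter("blockhost")
    f.terms.append(Term("1", source_address="1.1.1.1/32",
                        destination_address="1.1.1.2/32", action="discard"))
    if with_catch_all:
        f.terms.append(Term("2", action="accept", counter="blockcount"))
    return f


def show_counters(f: Filter) -> str:
    """Mimic the 'Counters:' table of 'show firewall filter <name>'."""
    lines = [f"Filter: {f.name}", "Counters:", f"{'Name':<12}{'Bytes':>10}{'Packets':>10}"]
    for name, (b, p) in f.counters.items():
        lines.append(f"{name:<12}{b:>10}{p:>10}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample flows: the blocked pair plus two unrelated flows.
    flows = [("1.1.1.1", "1.1.1.2"), ("1.1.1.1", "1.1.1.3"), ("10.0.0.5", "1.1.1.2")]
    with_term2 = build_blockhost(True)
    without_term2 = build_blockhost(False)
    for src, dst in flows:
        print(f"{src} -> {dst}: with term 2 = {with_term2.evaluate(src, dst)}, "
              f"without term 2 = {without_term2.evaluate(src, dst)}")
    print("\n".join(with_term2.set_commands()))
    print(show_counters(with_term2))  # blockcount shows 2 packets: the accepted ones
```

Running the script prints that 1.1.1.1 -> 1.1.1.2 is discarded in both variants, while the other two flows are accepted only when term 2 exists; the counter table then shows blockcount at 2 packets even though only one packet was blocked.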


 

A filter that governs SSH access to the device itself must be attached to the lo0 interface.