
Juniper | Firewall Filter

1. BLOCK PING 
Here is the firewall filter configuration.
We want to block ping from R-03 to the loopback IP of R-01.
 
[edit]
root@R-1# edit firewall filter FIREWAL term TERM1

[edit firewall filter FIREWAL term TERM1]
root@R-1# set from source-address 13.13.13.0/30

[edit firewall filter FIREWAL term TERM1]
root@R-1# set from destination-address 1.1.1.1

[edit firewall filter FIREWAL term TERM1]
root@R-1# set from protocol icmp

[edit firewall filter FIREWAL term TERM1]
root@R-1# set then reject

VERIFICATION:
root@R-1# show
Then apply this firewall filter as an input filter on interface ge-0/0/0 of R-01.

root@R-1# top
root@R-1# set interfaces ge-0/0/0 unit 0 family inet filter input FIREWAL

VERIFICATION
[edit]
root@R-1# show | compare
root@R-1# commit 
root@R-1# run show configuration firewall filter FIREWAL | display set
set firewall filter FIREWAL term TERM1 from source-address 13.13.13.0/30
set firewall filter FIREWAL term TERM1 from destination-address 1.1.1.1/32
set firewall filter FIREWAL term TERM1 from protocol icmp
set firewall filter FIREWAL term TERM1 then reject
set firewall filter FIREWAL term term_default then accept


NOTE: pings from R2 to 1.1.1.1 are also rejected, because they hit the default term; the default term is covered in the next post. Because R-02 can no longer ping the loopback IP of R-01, term_default must be configured with the accept action.
 
Here is the configuration on R-01.
root@R-1# edit firewall filter FIREWAL term term_default
[edit firewall filter FIREWAL term term_default]
root@R-1# set then accept

root@R-1# top
VERIFICATION
Make sure that R-02 can now ping the R-01 loopback, and that pings from R-03 to the R-01 loopback are blocked.

Note:
If you want to remove the firewall filter on R-01 so that R3 can ping 1.1.1.1 again, use the deactivate command.
root@R-1# deactivate interfaces ge-0/0/0 unit 0 family inet filter
root@R-1# commit
 
VERIFICATION:
root@R-1# show interfaces
ge-0/0/0 {
    unit 0 {
        family inet {
            inactive: filter {
                input FIREWAL;
            }
            address 12.12.12.1/30;
        }
    }
}
# LAB test successful! Ping from R3 works again.
 
2. BLOCK SSH
Make sure that SSH from R3 to R1 works before blocking SSH from R3 to R1.
root@R-03# run ssh root@1.1.1.1
Password:


Now let's configure it.
root@R-02# edit firewall filter FILTER term term1_SSH

[edit firewall filter FILTER term term1_SSH]
root@R-02# set from source-address 13.13.13.2

[edit firewall filter FILTER term term1_SSH]
root@R-02# set from destination-address 1.1.1.1

[edit firewall filter FILTER term term1_SSH]
root@R-02# set from protocol tcp

[edit firewall filter FILTER term term1_SSH]
root@R-02# set from destination-port 22

[edit firewall filter FILTER term term1_SSH]
root@R-02# set then reject
 
Then apply it as an output filter on interface ge-0/0/0, which is the egress interface towards R-01.

root@R-02# set interfaces ge-0/0/0 unit 0 family inet filter output FILTER

Then commit. Test: SSH from R3 to R1 no longer works. Success.
-----   
Note:
The only problem is that SSH from R2 to R1 no longer works either, so the default term must be configured on R2.
 
Here are the commands:
root@R-02# edit firewall filter FILTER

[edit firewall filter FILTER]
root@R-02# edit term term_default

[edit firewall filter FILTER term term_default]
root@R-02# set then accept
 
 
VERIFICATION: R-03 can no longer SSH to R-01.

3. FILTER PING AND RE-ORDER TERMS

root@R-02# edit firewall filter FILTER term term_block_ping

[edit firewall filter FILTER term term_block_ping]
root@R-02# set from source-address 13.13.13.2

[edit firewall filter FILTER term term_block_ping]
root@R-02# set from destination-address 1.1.1.1

[edit firewall filter FILTER term term_block_ping]
root@R-02# set from protocol icmp

[edit firewall filter FILTER term term_block_ping]
root@R-02# set then reject

[edit firewall filter FILTER term term_block_ping]
root@R-02# commit

VERIFICATION:
root@R-02# show firewall filter FILTER
term term_SSH {
    from {
        source-address {
            13.13.13.2/32;
        }
        destination-address {
            1.1.1.1/32;
        }
        protocol tcp;
        destination-port 22;
    }
    then {
        reject;
    }
}
term term_default {
    then accept;
}
term term_block_ping {
    from {
        source-address {
            13.13.13.2/32;
        }
        destination-address {
            1.1.1.1/32;
        }
        protocol icmp;
    }
    then {
        reject;
    }
}

[edit]
root@R-02#
---
Then re-order the terms so that term_block_ping sits above term_default; as shown above, term_block_ping was appended after term_default, and since term_default accepts everything, the ping term is never reached.
Here are the commands:
root@R-02# edit firewall filter FILTER

[edit firewall filter FILTER]
root@R-02# insert term term_block_ping before term term_default

[edit firewall filter FILTER]
root@R-02# commit 
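Why the re-order matters, as an added simulation that is not part of the original post and is not Junos code: terms are evaluated top to bottom, the first match wins, and a packet matching no term hits the filter's implicit discard. The term contents are taken from the `show firewall filter FILTER` output above; the R-02 source address 12.12.12.2 is an assumption based on R-01's ge-0/0/0 address.

```python
import ipaddress

# Simulate Junos firewall-filter evaluation: top-to-bottom, first match wins,
# implicit discard when no term matches. Added example, not from the post.

def _in_prefix(addr, prefix):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(prefix, strict=False)

def term_matches(match, pkt):
    """match: dict of 'from' conditions; pkt: dict with src, dst, protocol, dport."""
    if "source-address" in match and not _in_prefix(pkt["src"], match["source-address"]):
        return False
    if "destination-address" in match and not _in_prefix(pkt["dst"], match["destination-address"]):
        return False
    if "protocol" in match and pkt["protocol"] != match["protocol"]:
        return False
    if "destination-port" in match and pkt.get("dport") != match["destination-port"]:
        return False
    return True

def evaluate(terms, pkt):
    """Return (term_name, action) of the first matching term, else the implicit discard."""
    for name, match, action in terms:
        if term_matches(match, pkt):
            return name, action
    return None, "discard"  # implicit final action of every Junos firewall filter

def insert_before(terms, name, before):
    """Mimic 'insert term <name> before term <before>' without changing term contents."""
    moving = next(t for t in terms if t[0] == name)
    rest = [t for t in terms if t[0] != name]
    idx = next(i for i, t in enumerate(rest) if t[0] == before)
    return rest[:idx] + [moving] + rest[idx:]

# Filter FILTER as 'show firewall filter FILTER' printed it before the re-order
TERM_SSH = ("term_SSH", {"source-address": "13.13.13.2/32", "destination-address": "1.1.1.1/32",
                         "protocol": "tcp", "destination-port": 22}, "reject")
TERM_DEFAULT = ("term_default", {}, "accept")
TERM_PING = ("term_block_ping", {"source-address": "13.13.13.2/32",
                                 "destination-address": "1.1.1.1/32", "protocol": "icmp"}, "reject")
BEFORE = [TERM_SSH, TERM_DEFAULT, TERM_PING]
AFTER = insert_before(BEFORE, "term_block_ping", "term_default")

# Constructed sample packets: R-03 (13.13.13.2) and R-02 (12.12.12.2, assumed) to the R-01 loopback
PING_R3 = {"src": "13.13.13.2", "dst": "1.1.1.1", "protocol": "icmp"}
SSH_R3 = {"src": "13.13.13.2", "dst": "1.1.1.1", "protocol": "tcp", "dport": 22}
PING_R2 = {"src": "12.12.12.2", "dst": "1.1.1.1", "protocol": "icmp"}

if __name__ == "__main__":
    for label, terms in (("before re-order", BEFORE), ("after re-order", AFTER)):
        print(label, evaluate(terms, PING_R3), evaluate(terms, SSH_R3), evaluate(terms, PING_R2))
    print("no default term", evaluate([TERM_SSH, TERM_PING], PING_R2))
```

The last line shows the earlier lesson too: without term_default, R-02's ping matches nothing and is silently discarded.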
