Problem
The default router interface behavior is to allow connections from anywhere on the network, but you want to restrict access so that connections can be made from all subnetworks except for a particular one.
Solution
Allow Telnet and SSH connections from all subnetworks except 10.0.0.0/8:
[edit firewall filter incoming-to-me]
aviva@router1# set term restrict-telnet-ssh from source-address 10.0.0.0/8 except
aviva@router1# set term restrict-telnet-ssh then accept
Then apply the filter to the router's interface:
[edit interfaces]
aviva@router1# set fe-0/0/0 unit 0 family inet filter input incoming-to-me
Discussion
When you want to be less restrictive with a filter's conditions, instead of defining the address, port, or protocol to match, you can do the inverse and define what not to match. This recipe, which is a variation of Recipe 9.8, adds the except keyword to the from term to allow Telnet and SSH connections from all subnetworks except 10.0.0.0/8.
You can use the except keyword to negate all firewall match terms. Sometimes, you use a separate keyword, as shown in this recipe. Other times, the keyword is built into the match condition, as in the following example, which matches packets from all protocols except TCP, counts them so you can determine the rate of this type of traffic, and then accepts the packets:
[edit firewall filter incoming-to-me term not-TCP]
aviva@RouterF# set from protocol-except tcp
aviva@RouterF# set then count packets-not-tcp
aviva@RouterF# set then accept
The filter looks like this:
[edit firewall filter incoming-to-me term not-TCP]
aviva@RouterF# show
from {
    protocol-except tcp;
}
then {
    count packets-not-tcp;
    accept;
}
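To make the negation semantics concrete, the following is an added Python model of how the two terms on this page (the restrict-telnet-ssh term with its except address, and the not-TCP term with protocol-except) evaluate packets. It is illustration code, not from the book and not Junos itself. It assumes longest-prefix semantics for address lists, that a list consisting only of except entries matches every address it does not cover (the recipe's intent), and it adds protocol and destination-port conditions to the first term to make the "Telnet and SSH" intent explicit, although the page shows only the source-address condition for that term. The sample packets are constructed.

```python
import ipaddress
from collections import Counter

# Constructed sample packets (not from the page): source IP, IP protocol, destination port.
SAMPLE_PACKETS = [
    {"src": "10.1.2.3",    "proto": "tcp", "dport": 22},   # SSH from the excluded 10.0.0.0/8
    {"src": "192.168.7.9", "proto": "tcp", "dport": 23},   # Telnet from any other subnet
    {"src": "172.16.0.5",  "proto": "udp", "dport": 161},  # not TCP, so the second term applies
]

# Filter modelled on the page's two terms. Address entries are (prefix, is_except).
# The protocol and destination-port conditions on the first term are assumptions
# added to make the "Telnet and SSH" intent explicit; the page shows only the
# source-address condition for that term.
INCOMING_TO_ME = [
    ("restrict-telnet-ssh", {
        "from": {
            "source-address": [("10.0.0.0/8", True)],
            "protocol": {"tcp"},
            "destination-port": {22, 23},
        },
        "then": ["accept"],
    }),
    ("not-TCP", {
        "from": {"protocol-except": {"tcp"}},
        "then": ["count packets-not-tcp", "accept"],
    }),
]


def address_matches(addr, entries):
    """Longest-prefix semantics: the most specific entry containing addr decides,
    and it matches only if that entry is not an 'except' entry. Assumption
    (the recipe's intent): a list made only of except entries matches every
    address that none of them covers."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, is_except in entries:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, is_except)
    if best is None:
        return all(is_except for _, is_except in entries)
    return not best[1]


def term_matches(term, pkt):
    """All conditions in a term's from clause must hold (logical AND)."""
    cond = term.get("from", {})
    if "source-address" in cond and not address_matches(pkt["src"], cond["source-address"]):
        return False
    if "protocol" in cond and pkt["proto"] not in cond["protocol"]:
        return False
    if "protocol-except" in cond and pkt["proto"] in cond["protocol-except"]:
        return False
    if "destination-port" in cond and pkt["dport"] not in cond["destination-port"]:
        return False
    return True


def run_filter(terms, pkt, counters):
    """First matching term wins; an unmatched packet hits the implicit final discard.
    Returns (term name or None, terminating action)."""
    for name, term in terms:
        if term_matches(term, pkt):
            action = "accept"  # a matched term with no terminating action accepts
            for act in term["then"]:
                if act.startswith("count "):
                    counters[act.split(" ", 1)[1]] += 1  # non-terminating: keep going
                else:
                    action = act
            return name, action
    return None, "discard"


def evaluate(packets=SAMPLE_PACKETS, terms=INCOMING_TO_ME):
    """Run every packet through the filter; return per-packet verdicts and counters."""
    counters = Counter()
    verdicts = [run_filter(terms, pkt, counters) for pkt in packets]
    return verdicts, dict(counters)


if __name__ == "__main__":
    verdicts, counters = evaluate()
    for pkt, (term, action) in zip(SAMPLE_PACKETS, verdicts):
        print(f"{pkt['src']:>13} {pkt['proto']}/{pkt['dport']:<4} -> {action:<8} (term {term})")
    print("counters:", counters)
```

Running the model shows the three outcomes the text describes: the SSH packet from 10.1.2.3 matches neither term and falls to the implicit discard, the Telnet packet from 192.168.7.9 is accepted by restrict-telnet-ssh, and the UDP packet is counted and accepted by not-TCP. The second address_matches check in the test illustrates why longest-prefix order matters when except entries are mixed with ordinary ones.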
The best way to determine when to use a separate except keyword or whether there is a built-in keyword is to use the CLI online help:
[edit firewall filter incoming-filter term 1]
aviva@router1# set from ?
Possible completions:
> address                  Match IP source or destination address
+ ah-spi                   Match IPSec AH SPI value
+ ah-spi-except            Do not match IPSec AH SPI value
+ apply-groups             Groups from which to inherit configuration data
+ apply-groups-except      Don't inherit configuration data from these groups
> destination-address      Match IP destination address
+ destination-class        Match destination class
+ destination-class-except Do not match destination class
+ destination-port         Match TCP/UDP destination port
+ destination-port-except  Do not match TCP/UDP destination port
> destination-prefix-list  Match IP destination prefixes in named list
+ dscp                     Match Differentiated Services (DiffServ) code point
+ dscp-except              Do not match Differentiated Services (DiffServ) code point
+ esp-spi                  Match IPSec ESP SPI value
+ esp-spi-except           Do not match IPSec ESP SPI value
  first-fragment           Match if packet is the first fragment
+ forwarding-class         Match forwarding class
+ forwarding-class-except  Do not match forwarding class
  fragment-flags           Match fragment flags
+ fragment-offset          Match fragment offset
+ fragment-offset-except   Do not match fragment offset
+ icmp-code                Match ICMP message code
+ icmp-code-except         Do not match ICMP message code
+ icmp-type                Match ICMP message type
+ icmp-type-except         Do not match ICMP message type
> interface                Match interface name
+ interface-group          Match interface group
+ interface-group-except   Do not match interface group
> interface-set            Match interface in set
+ ip-options               Match IP options
+ ip-options-except        Do not match IP options
  is-fragment              Match if packet is a fragment
+ packet-length            Match packet length
+ packet-length-except     Do not match packet length
+ port                     Match TCP/UDP source or destination port
+ port-except              Do not match TCP/UDP source or destination port
+ precedence               Match IP precedence value
+ precedence-except        Do not match IP precedence value
> prefix-list              Match IP source or destination prefixes in named list
+ protocol                 Match IP protocol type
+ protocol-except          Do not match IP protocol type
> source-address           Match IP source address
+ source-class             Match source class
+ source-class-except      Do not match source class
+ source-port              Match TCP/UDP source port
+ source-port-except       Do not match TCP/UDP source port
> source-prefix-list       Match IP source prefixes in named list
  tcp-established          Match packet of an established TCP connection
  tcp-flags                Match TCP flags
  tcp-initial              Match initial packet of a TCP connection
You use the separate except keyword with the match conditions that have no -except version of their own.