Control SSH, HTTP, and Telnet Access to an MX240 Router: Firewall Filter Application

Control Access to MX240 Router through Any Interface using Firewall Filter

Prev Question Next Question

Question

You need to control SSH, HTTP, and Telnet access to an MX240 router through any interface. You have decided to use a firewall filter.

How should you apply the firewall filter?

Answers

A. as an outbound filter on interface fxp0

B. as an outbound filter on interface lo0

C. as an inbound filter on interface fxp0

D. as an inbound filter on interface lo0

Show Answer

Explanations

Click on the arrows to vote for the correct answer

A. B. C. D.

To control SSH, HTTP, and Telnet access to an MX240 router through any interface, a firewall filter can be used to filter the traffic based on its source and destination address, protocol, and port numbers.

The correct way to apply the firewall filter in this case would be as an inbound filter on interface fxp0, option C. This is because inbound filters are applied to traffic before it enters the router, while outbound filters are applied after the routing decision has been made and just before the traffic leaves the router. In other words, an outbound filter would only affect traffic that is generated by the router itself, while an inbound filter would affect all traffic that is received by the router.

Furthermore, applying the firewall filter on interface fxp0 is the correct option because it is a physical interface that connects the router to the network, while lo0 is a logical interface that is used for local management and is not intended for routing traffic.

To create the firewall filter, the following steps can be taken:

Define the firewall filter and specify the protocols and port numbers to be allowed/denied. For example, to allow SSH and deny Telnet and HTTP, the filter may look like this:

python
set firewall family inet filter allow-ssh term allow-ssh from source-address any set firewall family inet filter allow-ssh term allow-ssh from port ssh set firewall family inet filter allow-ssh term allow-ssh then accept  set firewall family inet filter allow-ssh term deny-telnet-http from source-address any set firewall family inet filter allow-ssh term deny-telnet-http from port telnet set firewall family inet filter allow-ssh term deny-telnet-http from port http set firewall family inet filter allow-ssh term deny-telnet-http then discard

Apply the firewall filter to the inbound traffic on the fxp0 interface:

python
set interfaces fxp0 unit 0 family inet filter input allow-ssh

This will apply the filter named "allow-ssh" to the inbound traffic on interface fxp0.

In summary, the correct way to apply a firewall filter to control SSH, HTTP, and Telnet access to an MX240 router through any interface would be to create an inbound firewall filter that allows SSH and denies Telnet and HTTP, and apply it to the inbound traffic on the fxp0 interface.

Prev Question Next Question