After some searching on Google I found a post where someone laid out the steps in detail; following that configuration solved the problem.
First, log in over SSH.
% cli  # enter the CLI (operational mode)
> configure  # or edit; enter configuration mode
Now we can start configuring. For security reasons we disable HTTP and Telnet and leave only SSH and HTTPS:
delete system services web-management http
delete system services telnet
set system services ssh
set system services web-management https interface ae0.0
Next, configure the services that interfaces in the zone are allowed to accept inbound (host-inbound-traffic; that's roughly how to translate it, XD):
set security zones security-zone untrust host-inbound-traffic system-services ssh
set security zones security-zone untrust host-inbound-traffic system-services https
Next, add the IPs that are allowed access:
set policy-options prefix-list management-hosts 123.123.123.123/32
Then add the firewall filter that lets only those IPs reach SSH and HTTPS, for both IPv4 and IPv6:
set firewall family inet filter filter-management term block_unauthorised from source-address 0.0.0.0/0
set firewall family inet filter filter-management term block_unauthorised from source-prefix-list management-hosts except
set firewall family inet filter filter-management term block_unauthorised from protocol tcp destination-port [ssh https]
set firewall family inet filter filter-management term block_unauthorised then discard
set firewall family inet filter filter-management term accept_default then accept
set firewall family inet6 filter filter-management6 term block_unauthorised from source-address ::/0
set firewall family inet6 filter filter-management6 term block_unauthorised from source-prefix-list management-hosts except
set firewall family inet6 filter filter-management6 term block_unauthorised from next-header tcp destination-port [ssh https]
set firewall family inet6 filter filter-management6 term block_unauthorised then discard
set firewall family inet6 filter filter-management6 term accept_default then accept
Then attach the filters to the loopback interface:
set interfaces lo0 unit 0 family inet filter input filter-management
set interfaces lo0 unit 0 family inet6 filter input filter-management6
Finally, don't forget to apply it: commit, and we're done.
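To see what the lo0 filter above actually does before committing it, here is a small Python model of its term logic. This is an added example, not code from the original post or from Juniper: it evaluates a packet the way a stateless firewall filter does (terms in order, first match decides), using the prefix list, ports and term order from the post. The sample source addresses 198.51.100.7 and 2001:db8::1, and the 2001:db8::/32 prefix, are constructed documentation-range values. It also makes one caveat visible: the inet6 filter only sees IPv6 entries of management-hosts, so with the IPv4-only list from the post every IPv6 SSH/HTTPS attempt is discarded, including your own.

```python
import ipaddress

# Values taken from the post: the management prefix list and the two services kept.
MANAGEMENT_HOSTS = ["123.123.123.123/32"]    # policy-options prefix-list management-hosts
MANAGEMENT_PORTS = {"ssh": 22, "https": 443}  # destination-port [ssh https]


def in_prefix_list(src, prefixes):
    """True if src is covered by a prefix-list entry of the same address family.
    A Junos inet filter only uses the IPv4 entries of a prefix list and an inet6
    filter only the IPv6 entries, so an IPv6 source never matches an IPv4-only list."""
    ip = ipaddress.ip_address(src)
    return any(
        ip in net
        for net in (ipaddress.ip_network(p, strict=False) for p in prefixes)
        if net.version == ip.version
    )


def evaluate(src, proto, dport, prefixes=MANAGEMENT_HOSTS):
    """Action of filter-management / filter-management6 for one packet arriving on lo0.
    Terms are tried in order and the first match decides:
      block_unauthorised: source NOT in management-hosts, tcp, port ssh|https -> discard
      accept_default:     anything else                                      -> accept"""
    if (
        not in_prefix_list(src, prefixes)        # source-address 0.0.0.0/0 (or ::/0) plus
        and proto == "tcp"                       #   source-prefix-list management-hosts except
        and dport in MANAGEMENT_PORTS.values()   # protocol tcp / next-header tcp
    ):                                           #   destination-port [ssh https]
        return "discard"
    return "accept"


def families_without_entry(prefixes):
    """Address families (4, 6) the prefix list has no entry for. For such a family the
    matching filter discards every SSH/HTTPS attempt, i.e. a lock-out for IPv6
    management if the operator expected the IPv4 entry to cover it."""
    present = {ipaddress.ip_network(p, strict=False).version for p in prefixes}
    return {4, 6} - present


def prefix_list_commands(prefixes, name="management-hosts"):
    """Render the set commands for the prefix list, one normalised entry per line."""
    return [
        f"set policy-options prefix-list {name} {ipaddress.ip_network(p, strict=False)}"
        for p in prefixes
    ]


if __name__ == "__main__":
    # Constructed sample packets (198.51.100.0/24 and 2001:db8::/32 are documentation ranges).
    samples = [
        ("123.123.123.123", "tcp", 22),   # management host, ssh   -> accept
        ("198.51.100.7", "tcp", 22),      # stranger, ssh          -> discard
        ("198.51.100.7", "tcp", 443),     # stranger, https        -> discard
        ("198.51.100.7", "tcp", 179),     # stranger, bgp          -> accept (not covered by the filter)
        ("2001:db8::1", "tcp", 22),       # IPv6 with IPv4-only list -> discard
    ]
    for src, proto, dport in samples:
        print(f"{src:>16} {proto}/{dport:<4} -> {evaluate(src, proto, dport)}")
    print("families without a prefix-list entry:", families_without_entry(MANAGEMENT_HOSTS))
    # Adding a constructed IPv6 entry is what restores IPv6 management access.
    for line in prefix_list_commands(MANAGEMENT_HOSTS + ["2001:db8::/32"]):
        print(line)
```

Two things the model makes obvious: the filter only touches TCP 22 and 443 (everything else, such as routing protocols, still hits accept_default, which is why the post can delete the http and telnet services rather than filter them), and a prefix list with no IPv6 entry turns filter-management6 into a blanket discard for IPv6 management. Because a lo0 filter applies to your own session too, `commit confirmed` is the usual safety net when committing it on a real box: if you lock yourself out, the configuration rolls back automatically.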
Reference: