Configuring a Custom Service from the CLI on a NetScreen Firewall

If you need to configure a custom service from the command line interface (CLI) that you reach over a Secure Shell (SSH) connection to a Juniper NetScreen firewall running ScreenOS, you can use the set service command. E.g., suppose I want to allow any system on the external, untrusted side of the firewall to establish an SSH connection to an internal SSH server with the IP address 192.168.0.5 on the trusted side of the firewall, where that server listens for SSH connections on the non-standard port 2005.

If I haven't yet created an address book entry for the SSH server, I can use the set address command to create it. E.g., to create an entry named Auburn for a system with the IP address 192.168.0.1 in the trust zone, I could use the command below:

ns5xp-> set address trust "Auburn" 192.168.0.1 255.255.255.255

The IP address is followed by the subnet mask. Since I am assigning just one IP address to the name, not a range of addresses, the subnet mask is 255.255.255.255.

If I made a mistake entering the IP address (as I did above: the server is actually at 192.168.0.5, not 192.168.0.1), or if the address later changes, I can't just issue the set address command again with the new IP address. If I try that, the firewall rejects the command with "Duplicate entry":

ns5xp-> set address trust "Auburn" 192.168.0.5 255.255.255.255
Address: Duplicate entry

Failed command - set address trust "Auburn" 192.168.0.5 255.255.255.255
ns5xp->

Instead, I must first unset the existing entry, then add the corrected entry to the address book. (If the entry is already referenced by a policy, the firewall will refuse to unset it until that policy is changed or removed.)

ns5xp-> unset address trust "Auburn"
ns5xp-> set address trust "Auburn" 192.168.0.5 255.255.255.255
ns5xp->

After I've set the address book entry, I can create a new custom service, which I'll call "Auburn SSH". I specify that the protocol is TCP. The source port on any system connecting to the SSH server can be any port from 1,024 up to the maximum port number of 65,535. I started at 1,024 because ports 0 to 1,023 are the "well-known", aka "system", ports, and an SSH client normally uses an ephemeral source port above that range. Be aware that this is a restriction as well as a description: a client that did connect from a port below 1,024 would not match the service, so src-port 0-65535 is the less strict alternative. For the destination port, the server listens only on port 2005, so the range is a single port and is written as 2005-2005.

ns5xp-> set service "Auburn SSH" protocol tcp src-port 1024-65535 dst-port 2005-2005

Now that I've created the address book entry and the custom service, I can configure a firewall policy to allow connections through the firewall from any system on the untrust side to the SSH server on the trust side.

ns5xp-> set policy from untrust to trust Any Auburn "Auburn SSH" permit log 
policy id = 17
ns5xp->

The policy is for connectivity from the untrust zone to the trust zone, with any IP address allowed as the source address on the untrust side. The destination is the system named Auburn in the address book, and the next parameter is the service name, "Auburn SSH". Since the connectivity is allowed, I specify "permit" rather than "deny", and I appended log so that matching connections are logged. The firewall assigned the policy ID 17; that number is what later get policy id 17 or unset policy id 17 commands refer to. Note that Any as the source opens port 2005 on the server to every host on the untrusted side; if only a few known hosts need SSH access, create address book entries for them in the untrust zone and use those in place of Any.
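The whole procedure as a single CLI session, with the verification and save steps I would add before walking away from the console. This is an added example, not a transcript from the original page: the firewall's actual output (other than the policy id line shown earlier) is omitted because it varies by ScreenOS version, and lines beginning with ## are annotations, not commands you type or text the firewall prints.

```screenos
## Check the trust zone address book before adding an entry; if an "Auburn"
## entry already exists with the wrong address, unset it first.
ns5xp-> get address trust
ns5xp-> unset address trust "Auburn"
ns5xp-> set address trust "Auburn" 192.168.0.5 255.255.255.255

## Custom TCP service: ephemeral source ports, single destination port 2005.
ns5xp-> set service "Auburn SSH" protocol tcp src-port 1024-65535 dst-port 2005-2005
## Verify the service definition: protocol tcp, src 1024-65535, dst 2005-2005.
ns5xp-> get service "Auburn SSH"

## Policy: untrust -> trust, any source, destination Auburn, our service, permit, log.
ns5xp-> set policy from untrust to trust Any Auburn "Auburn SSH" permit log
policy id = 17
## Verify zones, source, destination, service, action and logging on the new policy.
ns5xp-> get policy id 17

## Commit the running configuration to flash; without this the changes are
## lost when the firewall reboots.
ns5xp-> save
```

To restrict the rule to a known administrative host instead of Any, add an untrust zone entry such as set address untrust "AdminHost" 203.0.113.10 255.255.255.255 (203.0.113.10 is a placeholder documentation address, not an address from the original page) and use "AdminHost" in place of Any in the set policy command.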


Created: Sunday July 19, 2015