Can’t you restrict to the /32 range, which is just a single host? As for the rest, I haven’t a clue or any 9.12 hosts, so I can’t really help.

The real answer might be a router to block access to the management subnet/VLAN and have a jump host you need to log in to, to do your SSH access.


Sent from my iPhone

On Jan 3, 2023, at 1:36 PM, Heino Walther <hw@beardmann.dk> wrote:



Hi there

I am trying to restrict which IP addresses can reach the SSH port on the default cluster management interface…

I first cloned the default-management service-policy to a new policy… I then restrict the service “management-ssh” to a specific range, say 10.0.2.0/24

I then modify the cluster lif and the two node management interfaces, so that they use my new service-policy.

But… I am still able to ssh into the system from 10.10.10.0/24… which makes no sense at all…

If I do the same to the management-https it _does_ work as expected…

The “old” firewall is enabled, and all policies are set to 0.0.0.0/0 (I think this old firewall is deprecated…)

So is there something specific about ssh?

(ONTAP 9.12.1)

Personally I think the “firewall” features are a mess on ONTAP at the moment… also the fact that you can only open up for IP ranges, and not specific IP addresses… so the “best” you can do is /30 I guess? Why not just allow specific IPs or even ranges… like 10.10.10.5, 10.10.10.5-10, and 10.10.20.0/24

Any help or input is appreciated 😊

/H

_______________________________________________
Toasters mailing list
Toasters@teaparty.net
https://www.teaparty.net/mailman/listinfo/toasters
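To illustrate the /32 point in the reply and the three address notations Heino wished for, here is an added Python example (not from either poster, and not ONTAP code) that normalises those notations into the subnet list a service-policy can take and checks whether a given source address would be allowed to reach management-ssh. The range form `10.10.10.5-10` is assumed to mean "last octet 5 through 10".

```python
import ipaddress

def parse_allowed(spec: str) -> list[ipaddress.IPv4Network]:
    """Turn one allowed-address entry into CIDR networks.

    Accepts a single host (10.10.10.5), a last-octet range (10.10.10.5-10,
    assumed notation) and a CIDR (10.10.20.0/24). Service-policies only
    take subnets, so a single host is expressed as a /32 and a range is
    summarised into the fewest CIDRs that cover exactly those hosts.
    """
    spec = spec.strip()
    if "/" in spec:
        return [ipaddress.IPv4Network(spec, strict=False)]
    if "-" in spec:
        start, end = spec.split("-", 1)
        if "." not in end:  # only the last octet was given after '-'
            end = ".".join(start.split(".")[:3] + [end])
        first, last = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
        return list(ipaddress.summarize_address_range(first, last))
    return [ipaddress.IPv4Network(f"{spec}/32")]

def build_policy(entries: list[str]) -> list[ipaddress.IPv4Network]:
    """Flatten a list of human-written entries into a sorted CIDR list."""
    nets: set[ipaddress.IPv4Network] = set()
    for entry in entries:
        nets.update(parse_allowed(entry))
    return sorted(nets)

def ssh_allowed(policy: list[ipaddress.IPv4Network], source: str) -> bool:
    """True if the source address falls inside any allowed subnet."""
    src = ipaddress.IPv4Address(source)
    return any(src in net for net in policy)

if __name__ == "__main__":
    # Constructed inputs: the policy from the thread plus the wished-for forms.
    policy = build_policy(["10.0.2.0/24", "10.10.10.5", "10.10.10.5-10"])
    for net in policy:
        print(net)
    # A client in 10.10.10.0/24 outside the range should be refused.
    print(ssh_allowed(policy, "10.10.10.200"))
```

With only `10.0.2.0/24` in the policy, a client at 10.10.10.x should not be permitted, which is why the behaviour in the thread is worth checking against the interfaces that actually carry the new policy.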