Hi there
I am trying to restrict which IP addresses can reach the SSH port on the default cluster management interface… I first cloned the default-management service-policy to a new policy… I then restricted the service “management-ssh” to a specific range, say 10.0.2.0/24. I then modified the cluster LIF and the two node management interfaces so that they use my new service-policy. But… I am still able to SSH into the system from 10.10.10.0/24… which makes no sense at all… If I do the same to management-https it _does_ work as expected…
The “old” firewall is enabled, and all policies are set to 0.0.0.0/0 (I think this old firewall is deprecated… )
So is there something specific about SSH? (ONTAP 9.12.1)
Personally I think the “firewall” features are a mess on ONTAP at the moment… also the fact that you can only open up for IP ranges, and not specific IP addresses… so the “best” you can do is /30 I guess? Why not just allow specific IPs or even ranges… like 10.10.10.5, 10.10.10.5-10, and 10.10.20.0/24
Any help or input is appreciated 😊
/H
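The procedure from the post written out as an ONTAP 9.12.1 clustershell session, as an added example that is not from the thread. It uses /32 entries for single hosts (a /32 is exactly one address, so no /30 workaround is needed) and ends with the show commands a practitioner would use to confirm the policy is really attached to every management LIF. The SVM name "cluster1", the LIF names and the addresses are placeholders.

```console
# Clone the built-in policy rather than editing it in place
cluster1::> network interface service-policy clone -vserver cluster1 -policy default-management -target-policy mgmt-restricted

# Restrict SSH: one /24 plus two single hosts as /32 entries (placeholder addresses)
cluster1::> network interface service-policy modify-service -vserver cluster1 -policy mgmt-restricted -service management-ssh -allowed-addresses 10.0.2.0/24,10.10.10.5/32,10.10.10.6/32

# Do the same for HTTPS so the two services are governed the same way
cluster1::> network interface service-policy modify-service -vserver cluster1 -policy mgmt-restricted -service management-https -allowed-addresses 10.0.2.0/24,10.10.10.5/32,10.10.10.6/32

# Attach the policy to the cluster LIF and both node-management LIFs (placeholder LIF names)
cluster1::> network interface modify -vserver cluster1 -lif cluster_mgmt -service-policy mgmt-restricted
cluster1::> network interface modify -vserver cluster1 -lif node1_mgmt1 -service-policy mgmt-restricted
cluster1::> network interface modify -vserver cluster1 -lif node2_mgmt1 -service-policy mgmt-restricted

# Verify 1: the per-service allowed-addresses actually stored in the new policy
cluster1::> network interface service-policy show -vserver cluster1 -policy mgmt-restricted

# Verify 2: no management LIF is still on default-management
cluster1::> network interface show -vserver cluster1 -fields lif,address,service-policy

# Verify 3: state of the legacy firewall, which the post says is still enabled with 0.0.0.0/0 policies
cluster1::> system services firewall show
cluster1::> system services firewall policy show
```

If Verify 2 still lists a LIF on default-management, that LIF is the one answering SSH from the unexpected subnet; the service-policy restriction only applies to LIFs that carry the cloned policy.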
Can’t you restrict the /32 range, which is just a single host? As for the rest, I haven’t a clue or any 9.12 hosts so I can’t really help.
The real answer might be a router to block access to the management subnet/VLAN and have a jump host you need to log in to, to do your SSH access.
Sent from my iPhone
On Jan 3, 2023, at 1:36 PM, Heino Walther hw@beardmann.dk wrote:
Toasters mailing list Toasters@teaparty.net https://www.teaparty.net/mailman/listinfo/toasters