Restrict NETCONF operations
This basic example shows how to restrict access so that specific NETCONF clients cannot query NETCONF in Vyatta NOS.
NETCONF operates over an SSH session that uses TCP port 830, so you can restrict its use by configuring the firewall to filter that port.
In this example, we restrict access so that NETCONF clients on subnet 10.100.100.0/24 cannot perform NETCONF queries.
- Configure a firewall rule set that drops NETCONF packets from the subnet.

    set security firewall name block-netconf default-action accept
    set security firewall name block-netconf rule 100 action drop
    set security firewall name block-netconf rule 100 destination port 830
    set security firewall name block-netconf rule 100 protocol tcp
    set security firewall name block-netconf rule 100 source address 10.100.100.0/24
- Apply the firewall rule set inbound on the interface to which the NETCONF clients are connected (here, VIF 100 on dataplane interface dp0p6).

    set interfaces dataplane dp0p6 vif 100 firewall in block-netconf
- Enable the NETCONF service, and the SSH server on both port 22 (the default SSH port) and port 830 (the SSH port used by the NETCONF protocol).

    set service netconf
    set service ssh port 22
    set service ssh port 830

Note: By default, SSH validates the host name, provided you have configured a name server (DNS) with the set system name-server command. If the name server is unreachable, each response is delayed by 30 seconds. To avoid this delay, you can also configure set service ssh disable-host-validation.
With this configuration, NETCONF clients on the 10.100.100.0/24 subnet will not be able to perform a NETCONF query to Vyatta NOS on port 830, while SSH on port 22 and NETCONF from other subnets remain unaffected.
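To check that the rule set above does only what is intended (drop TCP/830 from the subnet, leave SSH on port 22 and other subnets alone), here is an added example, not Vyatta's own code, that parses the set commands from this page into a rule table and evaluates sample connections with first-match semantics and a default action. The rule semantics modelled here (ascending rule number, first full match wins, otherwise default-action) are an assumption about the platform.

```python
import ipaddress

# The firewall commands from this page, embedded so the example runs offline.
FIREWALL_CONFIG = """
set security firewall name block-netconf default-action accept
set security firewall name block-netconf rule 100 action drop
set security firewall name block-netconf rule 100 destination port 830
set security firewall name block-netconf rule 100 protocol tcp
set security firewall name block-netconf rule 100 source address 10.100.100.0/24
"""


def parse_firewall(config):
    """Turn 'set security firewall name ...' lines into {name: {default, rules}}."""
    fw = {}
    for line in config.strip().splitlines():
        tok = line.split()
        if tok[:4] != ["set", "security", "firewall", "name"]:
            continue  # ignore anything that is not a firewall statement
        entry = fw.setdefault(tok[4], {"default": "accept", "rules": {}})
        rest = tok[5:]
        if rest[:1] == ["default-action"]:
            entry["default"] = rest[1]
        elif rest[:1] == ["rule"]:
            # e.g. rule 100 destination port 830 -> {"destination port": "830"}
            rule = entry["rules"].setdefault(int(rest[1]), {})
            rule[" ".join(rest[2:-1])] = rest[-1]
    return fw


def evaluate(fw, name, proto, src, dport):
    """Return the action for a packet: first matching rule, else default-action."""
    policy = fw[name]
    src_ip = ipaddress.ip_address(src)
    for num in sorted(policy["rules"]):
        r = policy["rules"][num]
        if "protocol" in r and r["protocol"] != proto:
            continue
        if "destination port" in r and int(r["destination port"]) != dport:
            continue
        if "source address" in r and src_ip not in ipaddress.ip_network(r["source address"]):
            continue
        return r.get("action", policy["default"])
    return policy["default"]


if __name__ == "__main__":
    fw = parse_firewall(FIREWALL_CONFIG)
    # Constructed sample connections: (protocol, source, destination port)
    for proto, src, dport in [("tcp", "10.100.100.7", 830), ("tcp", "10.100.100.7", 22),
                              ("tcp", "10.100.200.7", 830), ("udp", "10.100.100.7", 830)]:
        print(proto, src, dport, "->", evaluate(fw, "block-netconf", proto, src, dport))
```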