Nokia recommends a strict CPM filter policy that permits traffic from trusted IP subnets only for the protocols and ports actually in use on the router, and that explicitly drops all other traffic.
The configuration below is an example that follows the recommendations for SSH and BGP:
allow SSH from trusted subnet only
allow BGP from trusted subnet only
explicitly deny all other traffic and operationally log unexpected packets
A:Dut-A>config>sys>security>cpm-filter# info
----------------------------------------------
            default-action drop
            ip-filter
                entry 100 create
                    action accept
                    description "SSH: server terminated TCP sessions from trusted subnets"
                    match protocol tcp
                        dst-port 22 65535
                        src-ip ip-prefix-list "trusted-mgmt-subnet"
                    exit
                exit
                entry 200 create
                    action accept
                    description "BGP: server terminated TCP Sessions"
                    match protocol tcp
                        dst-port 179 65535
                        src-ip ip-prefix-list "trusted-bgp-subnet"
                    exit
                exit
                entry 300 create
                    action accept
                    description "BGP: client responses for initiated TCP sessions"
                    match protocol tcp
                        src-ip ip-prefix-list "trusted-bgp-subnet"
                        src-port 179 65535
                    exit
                exit
                entry 6000 create
                    action drop
                    description "Drop all other UDP"
                    log 102
                    match protocol udp
                    exit
                exit
                entry 6010 create
                    action drop
                    description "drop all other TCP"
                    log 103
                    match protocol tcp
                    exit
                exit
                no shutdown
            exit
----------------------------------------------
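The following is an added simulation of the policy above, not Nokia code: it walks the entries in ascending id order with first-match-wins semantics and shows which entry (and which log id) a given packet hits. The contents of the two prefix lists are assumed, since the page does not list them, and the "65535" after each port is treated as an exact-match mask. Note that anything other than TCP or UDP (ICMP, for example) falls through to default-action drop, which carries no log id.

```python
import ipaddress

# Constructed contents for the two prefix lists named in the policy; the
# page does not list them, so these subnets are an assumption.
PREFIX_LISTS = {
    "trusted-mgmt-subnet": [ipaddress.ip_network("192.0.2.0/24")],
    "trusted-bgp-subnet": [ipaddress.ip_network("198.51.100.0/24")],
}

# One tuple per entry, in entry-id order, mirroring the policy above:
# (entry id, action, log id, protocol, src prefix list, src-port, dst-port).
# None means the field is not matched on. "22 65535" / "179 65535" in the
# config is port plus mask 0xFFFF, i.e. an exact port match.
ENTRIES = [
    (100, "accept", None, "tcp", "trusted-mgmt-subnet", None, 22),
    (200, "accept", None, "tcp", "trusted-bgp-subnet", None, 179),
    (300, "accept", None, "tcp", "trusted-bgp-subnet", 179, None),
    (6000, "drop", 102, "udp", None, None, None),
    (6010, "drop", 103, "tcp", None, None, None),
]
DEFAULT_ACTION = "drop"  # default-action drop; no log id attached


def in_prefix_list(name, src_ip):
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in PREFIX_LISTS[name])


def evaluate(proto, src_ip, src_port=None, dst_port=None):
    """Return (matching entry id or None, action, log id) for one packet.

    Entries are tried in ascending id order; the first match wins.
    """
    for eid, action, log, p, plist, sp, dp in ENTRIES:
        if p != proto:
            continue
        if plist is not None and not in_prefix_list(plist, src_ip):
            continue
        if sp is not None and src_port != sp:
            continue
        if dp is not None and dst_port != dp:
            continue
        return eid, action, log
    return None, DEFAULT_ACTION, None
```

For example, `evaluate("tcp", "203.0.113.9", 51000, 22)` (SSH from outside the management subnet) lands on entry 6010 with log 103, while `evaluate("icmp", "203.0.113.9")` is dropped by the default action without any log id.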