01-17-2010 03:23 PM
For security reasons, I need to disable telnet on a Brocade 300, but for the life of me can not find the CLI reference guides to do so. Any help would be greatly appreciated.
01-17-2010 11:12 PM
1. Connect to the switch and log in as admin.
Connect through some means other than Telnet: for example, through SSH.
2. Create a policy by typing the following command:
ipfilter --create <policyname> -type <ipv4 | ipv6>
where <policyname> is the name of the new policy and -type specifies an IPv4 or IPv6
Example of creating a policy
ipfilter --create block_telnet_v4 -type ipv4
3. Add a rule to the policy, by typing the following command:
ipfilter --addrule <policyname> -rule <rule_number> -sip <source_IP> -dp <dest_port> -proto <protocol> -act <deny>
where the -sip option can be given as any, -dp is the port number for telnet (23), and -proto is tcp.
Example of adding a rule
ipfilter --addrule block_telnet_v4 -rule 2 -sip any -dp 23 -proto tcp -act deny
4. Save the new ipfilter policy by typing the following command:
ipfilter --save <policyname>
where <policyname> is the name of the policy and is optional.
Example of saving a policy
ipfilter --save block_telnet_v4
5. Activate the new ipfilter policy by typing the following command:
ipfilter --activate <policyname>
where <policyname> is the name of the policy you created in step
Example of activating a policy
ipfilter --activate block_telnet_v4
06-30-2010 01:33 AM
If you are using an older FOS (5.3.x) then there is a way to disable the service
and in response to the telnetd prompt type off
For newer (6.x) ones the only way is to use ipfilter. Download the admin guide for the FOS version you are running and you will find detailed notes on disabling telnet.
Hope this helps.
07-01-2010 05:05 PM
I've disabled telnet, using the above commands exactly.
ipfilter --create block_telnetv4 -type ipv4
ipfilter --addrule block_telnetv4 -rule 1 -sip any -dp 23 -proto tcp -act deny
ipfilter --save block_telnetv4
ipfilter --activate block_telnetv4
However, I've also now lost all access via HTTP and SSH, and my monitoring tool has also lost access.
Now need to visit the datacenter.
07-02-2010 11:47 PM
My mistake as well, apologies. The post I had was citing examples only to add ipfilter rules. In my previous post I did mention that you need to download the Admin Guide for your FOS version and follow the instructions there. What has happened is that the rule now denies access to all the ports; you will have to visit the Data Center, connect using the serial port, delete the new policy block_telnetv4 and activate the old policy.
ipfilter --delete block_telnetv4 -type ipv4
ipfilter --activate default_ipv4
Once done, follow the Admin Guide for the FOS version installed on your switch for the appropriate method to disable telnet.
From the admin guide: ** Once again, I request that you download the Admin Guide and read all instructions. I'm posting excerpts here to help you narrow down to the right section in the guide. This is from the FOS 6.4 guide. You will find a section in your FOS guide with the title Blocking Telnet or Telnet protocol.
Before blocking Telnet, make sure you have an alternate method of establishing a connection with
If you create a new policy using commands with just one rule, all the missing rules have an implicit
deny and you lose all IP access to the switch, including Telnet, SSH, and management ports.
1. Connect to the switch and log in as admin.
2. Clone the default policy by typing the ipFilter --clone command.
switch:admin> ipfilter --clone BlockTelnet -from default_ipv4
3. Save the new policy by typing the ipFilter --save command.
switch:admin> ipfilter --save BlockTelnet
4. Verify the new policy exists by typing the ipFilter --show command.
switch:admin> ipfilter --show
5. Add a rule to the policy, by typing the ipFilter --addrule command.
switch:admin> ipfilter --addrule BlockTelnet -rule 1 -sip any -dp 23 -proto tcp -act deny
The rule number assigned has to precede the default rule number for this protocol. For
example, in the defined policy, the Telnet rule number is 2, therefore to effectively block Telnet,
the rule number to assign must be 1.
If you choose not to use 1, you will need to delete the telnet rule number 2 after adding this
rule. Refer to “Deleting a rule to an IP Filter policy” on page 157 for more information on
deleting IP filter rules.
6. Save the new ipfilter policy by typing the ipfilter --save command.
7. Verify the new policy is correct by typing the ipFilter --show command.
8. Activate the new ipfilter policy by typing the ipfilter --activate command.
switch:admin> ipfilter --activate BlockTelnet
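The lockout in this thread comes from two properties of the IP filter: rules are matched first-match in rule-number order, and anything not matched by an explicit rule is implicitly denied. The following Python model (added here as an illustration; it is not Brocade code and does not run on the switch) reproduces both the single-rule policy from the earlier post and the admin guide's clone-then-insert procedure, and adds a pre-activation check that refuses any policy which would cut off SSH or HTTPS. The default_ipv4 rule list is a constructed approximation (only the fact that Telnet is rule 2 comes from the guide), and the assumption that --addrule inserts at the given number and shifts later rules down is taken from the guide's remark that a rule added as 1 blocks Telnet while a later number does not.

```python
"""First-match IP filter model, constructed to show why a one-rule policy
locks you out while a cloned default policy with a deny inserted at rule 1
blocks only Telnet. Not Brocade code; rule numbers and ports other than
Telnet=2 are assumptions for the example."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    number: int
    sip: str      # "any" or a source address; the example only uses "any"
    dp: range     # destination port range
    proto: str    # "tcp" or "udp"
    act: str      # "permit" or "deny"


def rule(number, dp, proto, act="permit", sip="any"):
    """Build a Rule from a port ("23") or a port range ("600-1023")."""
    lo, _, hi = str(dp).partition("-")
    return Rule(number, sip, range(int(lo), int(hi or lo) + 1), proto, act)


# Constructed approximation of default_ipv4 (assumption): Telnet is rule 2,
# as the FOS 6.4 guide states; the other entries are illustrative.
DEFAULT_IPV4 = [
    rule(1, 22, "tcp"),          # ssh
    rule(2, 23, "tcp"),          # telnet
    rule(3, 80, "tcp"),          # http
    rule(4, 443, "tcp"),         # https
    rule(5, 161, "udp"),         # snmp
    rule(6, "600-1023", "tcp"),
    rule(7, "600-1023", "udp"),
]


def evaluate(policy, dport, proto):
    """First matching rule wins; no match means implicit deny."""
    for r in sorted(policy, key=lambda r: r.number):
        if r.proto == proto and dport in r.dp:
            return r.act
    return "deny"


def addrule(policy, number, dp, proto, act):
    """Model of 'ipfilter --addrule': insert at `number`, shifting later rules
    down by one (assumed semantics, inferred from the guide's rule-1 remark)."""
    shifted = [
        Rule(r.number + 1 if r.number >= number else r.number,
             r.sip, r.dp, r.proto, r.act)
        for r in policy
    ]
    return sorted(shifted + [rule(number, dp, proto, act)], key=lambda r: r.number)


SERVICES = {
    "ssh": (22, "tcp"),
    "telnet": (23, "tcp"),
    "http": (80, "tcp"),
    "https": (443, "tcp"),
    "snmp": (161, "udp"),
}


def reachable_services(policy):
    """Which management services the policy still permits."""
    return {name: evaluate(policy, port, proto) == "permit"
            for name, (port, proto) in SERVICES.items()}


def safe_to_activate(policy, required=("ssh", "https")):
    """Pre-activation check: reject a policy that would drop required access.
    This is the step the thread's first attempt skipped."""
    reach = reachable_services(policy)
    return all(reach[s] for s in required)


# The thread's first attempt: a brand-new policy with a single deny rule.
one_rule_policy = addrule([], 1, 23, "tcp", "deny")

# The admin-guide approach: clone the default, then insert the deny at rule 1.
cloned_policy = addrule(list(DEFAULT_IPV4), 1, 23, "tcp", "deny")

if __name__ == "__main__":
    for name, pol in (("one-rule policy", one_rule_policy),
                      ("cloned policy", cloned_policy)):
        print(name, reachable_services(pol), "safe:", safe_to_activate(pol))
```

Run as a script, the one-rule policy reports every service as unreachable and fails the safety check, which is exactly the outcome described two posts above; the cloned policy reports only Telnet as blocked. Adding the deny at a number after the Telnet rule (for example 3) leaves Telnet permitted, which is the guide's reason for insisting on rule 1.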