
JUNOS: статическая маршрутизация

Приветствую всех.

 

Не получается статическая маршрутизация на SRX210. Не понимаю. Прошу помочь.

 

Задача в урезанном варианте ниже.

 

Есть внутренняя сеть:

10.10.1.1/24 на ge-0/0/0.0

10.10.10.1/24 на ge-0/0/1.0

Есть внешняя сеть

111.222.42.139/26 на fe-0/0/6.0

 

Из 10.10.1.1/24 в 10.10.10.1/24 - нормально.

Из 10.10.1.1/24 в 0.0.0.0/0 - нефига.

 

Конфиг:

 

## Last changed: 2010-10-18 23:01:05 MSD
version 10.3R1.9;
system {
    /* Base system settings for this SRX210 ("gate"). */
    host-name gate;
    /* Same address as the static default next-hop under routing-options;
       backup-router only matters before the routing process is up (e.g. during boot). */
    backup-router 111.222.42.129;
    time-zone Europe/Moscow;
    authentication-order password;
    root-authentication {
        /* NOTE(review): this hash has been pasted into a public forum post; rotate the root
           password and redact hashes before sharing configs. */
        encrypted-password "$1$I1FHDYu9$xSdwes4iXRouyF674zjv/";
    }
    /* Three resolvers, all inside the internal 10.10.1.0/24 (ge-0/0/0.0) network. */
    name-server {
        10.10.1.13;
        10.10.1.12;
        10.10.1.11;
    }
    login {
        user admin {
            uid 2000;
            class superuser;
            authentication {
                /* NOTE(review): published hash, same concern as root-authentication above. */
                encrypted-password "$1$Rus5cIhSdfgrxzCCu7pCdTMLw40kQ.";
            }
        }
    }
    services {
        /* SSH enabled; no further restriction (rate-limit, source filter) is visible in this stanza. */
        ssh;
        web-management {
            /* NOTE(review): cleartext HTTP management, limited to the two internal interfaces.
               https would be preferable even on the inside. */
            http {
                interface [ ge-0/0/0.0 ge-0/0/1.0 ];
            }
        }
    }
    syslog {
        /* Logged-in users: emergency only. messages file: critical + all authorization events.
           Separate file for failed/erroneous interactive commands. */
        user * {
            any emergency;
        }
        file messages {
            any critical;
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
    /* External NTP servers; these are not in any directly-connected subnet below, so they
       presumably depend on the default route that is reported as not working. */
    ntp {
        server 62.117.76.142;
        server 62.117.76.141;
        server 62.117.76.138;
    }
}
interfaces {
    /* Internal LAN #1: 10.10.1.0/24 (hosts the three name-servers). */
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 10.10.1.1/24;
            }
        }
    }
    /* Internal LAN #2: 10.10.10.0/24. */
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 10.10.10.1/24;
            }
        }
    }
    /* family inet enabled but no address configured. */
    fe-0/0/5 {
        unit 0 {
            family inet;
        }
    }
    /* External (upstream) interface. The /26 is 111.222.42.128/26, so the default
       next-hop 111.222.42.129 under routing-options is on this directly-connected subnet. */
    fe-0/0/6 {
        description "Physical: 111.222.42.139/26";
        unit 0 {
            description "Logical: 111.222.42.139/26";
            family inet {
                address 111.222.42.139/26;
            }
        }
    }
    /* family inet enabled but no address configured. */
    fe-0/0/7 {
        unit 0 {
            family inet;
        }
    }
    /* Loopback with only the local 127.0.0.1/32. */
    lo0 {
        unit 0 {
            family inet {
                address 127.0.0.1/32;
            }
        }
    }
}
routing-options {
    static {
        /* Default route via the upstream gateway; 111.222.42.129 is in the fe-0/0/6.0
           subnet (111.222.42.128/26), so the next-hop itself is reachable.
           NOTE(review): on an SRX the route alone does not let 10.10.1.0/24 or
           10.10.10.0/24 reach the outside: the security section below (zones, security
           policies, source NAT) must also place the interfaces in zones, permit the
           traffic, and — since 10.x is private address space — presumably translate it
           to the public address. That part of the config is truncated here; check it
           before assuming the routing is at fault. */
        route 0.0.0.0/0 next-hop 111.222.42.129;
    }
}
security {
    idp {
        idp-policy Web_Server {
            /* This template policy is designed to protect commonly used HTTP servers from remote attacks. */
            rulebase-ips {
                rule 1 {
                    /* This rule drops all packets that should not occur on a clean network, and can be used by attackers to evade IDSs. This rule is necessary to harden the IDP against evasion attempts. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "IP - Major" "IP - Critical" "TCP - Critical" "TCP - Major" ];
                        }
                    }
                    then {
                        action {
                            drop-packet;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule 2 {
                    /* This rule drops all DNS  and DHCP packets that contain critical severity attacks and logs them as alarms. Enable this rule if you are running your IDP in "in-line" mode, and wish to protect your network against critical DNS and DHCP attacks. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "DNS - Critical" "DNS - Major" ];
                        }
                    }
                    then {
                        action {
                            drop-packet;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule 3 {
                    /* This rule drops critical and high severity attacks against common web and IIS services and logs them as alarms. Enable this rule if you are running your IDP in "in-line" mode, and wish to protect your network against critical and high severity attacks. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "FINGER - Critical" "FINGER - Major" "GOPHER - Critical" "GOPHER - Major" "FTP - Critical" "FTP - Major" "HTTP - Critical" "HTTP - Major" "SHELLCODE - Major" "SHELLCODE - Critical" "NNTP - Critical" "NNTP - Major" ];
                        }
                    }
                    then {
                        action {
                            drop-packet;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule 4 {
                    /* This rule logs medium severity attacks.  Enable this rule if you are running your IDP in "in-line" mode, and wish to monitor your network for attacks and IDS evasion attempts. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "DNS - Minor" "FINGER - Minor" "FTP - Minor" "GOPHER - Minor" "HTTP - Minor" "NNTP - Minor" "SHELLCODE - Minor" ];
                        }
                    }
                    then {
                        action {
                            no-action;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                inactive: rule 5 {
                    /* This rule logs low severity attacks.  The rule is disabled by default, as some networks contain many low severity events, which results in many logs. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "Anomaly - Warning" "Signature - Warning" ];
                        }
                    }
                    then {
                        action {
                            no-action;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                inactive: rule 6 {
                    /* This rule logs informational events.  This rule is disabled by default as it generates many logs.  Informational signatures are included not to necessarily detect attacks, but to provide additional understanding of your network's traffic. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "Anomaly - Info" "Signature - Info" ];
                        }
                    }
                    then {
                        action {
                            no-action;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
            }
        }
        idp-policy DMZ_Services {
            /* This template policy is designed to be used to protect a typical DMZ environment. */
            rulebase-ips {
                rule 1 {
                    /* This rule drops all packets that should not occur on a clean network, and can be used by attackers to evade IDSs.  This rule is necessary to harden the IDP against evasion attempts. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "IP - Major" "IP - Critical" "TCP - Critical" "TCP - Major" ];
                        }
                    }
                    then {
                        action {
                            drop-packet;
                        }
                        notification {
                            log-attacks {
                                alert;
                            }
                        }
                    }
                }
                rule 2 {
                    /* This rule drops all DNS  and DHCP packets that contain critical severity attacks and logs them as alarms.  Enable this rule if you are running your IDP in "in-line" mode, and wish to protect your network against critical DNS and DHCP attacks. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "DNS - Critical" "DNS - Major" ];
                        }
                    }
                    then {
                        action {
                            drop-packet;
                        }
                        notification {
                            log-attacks {
                                alert;
                            }
                        }
                    }
                }
                rule 3 {
                    /* This rule drops critical and high severity attacks against common DMZ services and logs them as alarms. Enable this rule if you are running your IDP in "in-line" mode, and wish to protect your network against critical and high severity attacks. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "FINGER - Critical" "FINGER - Major" "GOPHER - Critical" "GOPHER - Major" "FTP - Critical" "FTP - Major" "HTTP - Critical" "HTTP - Major" "SHELLCODE - Major" "SHELLCODE - Critical" "NNTP - Critical" "NNTP - Major" "IMAP - Critical" "IMAP - Major" "POP3 - Critical" "POP3 - Major" "SMTP - Critical" "SMTP - Major" "SSH - Critical" "SSH - Major" ];
                        }
                    }
                    then {
                        action {
                            drop-packet;
                        }
                        notification {
                            log-attacks {
                                alert;
                            }
                        }
                    }
                }
                rule 4 {
                    /* This rule logs medium severity attacks.  Enable this rule if you are running your IDP in "in-line" mode, and wish to monitor your network for attacks and IDS evasion attempts. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "FINGER - Minor" "FTP - Minor" "GOPHER - Minor" "HTTP - Minor" "IMAP - Minor" "NNTP - Minor" "POP3 - Minor" "SHELLCODE - Minor" "SMTP - Minor" "SSH - Minor" ];
                        }
                    }
                    then {
                        action {
                            no-action;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                inactive: rule 5 {
                    /* This rule logs low severity attacks.  The rule is disabled by default, as some networks contain many low severity events, which results in many logs. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "Anomaly - Warning" "Signature - Warning" ];
                        }
                    }
                    then {
                        action {
                            no-action;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                inactive: rule 6 {
                    /* This rule logs informational events.  This rule is disabled by default as it generates many logs.  Informational signatures are included not to necessarily detect attacks, but to provide additional understanding of your network's traffic. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "Anomaly - Info" "Signature - Info" ];
                        }
                    }
                    then {
                        action {
                            no-action;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
            }
        }
        idp-policy DNS_Service {
            /* This template policy is designed to protect DNS services. Use this template as a starting point to customize your desired level of protection. */
            rulebase-ips {
                rule 1 {
                    /* This rule drops all packets that should not occur on a clean network, and can be used by attackers to evade IDSs.  This rule is necessary to harden the IDP against evasion attempts. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "IP - Major" "IP - Critical" "TCP - Critical" "TCP - Major" ];
                        }
                    }
                    then {
                        action {
                            drop-packet;
                        }
                        notification {
                            log-attacks {
                                alert;
                            }
                        }
                    }
                }
                rule 2 {
                    /* This rule drops all DNS  and DHCP packets that contain critical severity attacks and logs them as alarms.  Enable this rule if you are running your IDP in "in-line" mode, and wish to protect your network against critical DNS and DHCP attacks. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "DNS - Critical" "DNS - Major" ];
                        }
                    }
                    then {
                        action {
                            drop-packet;
                        }
                        notification {
                            log-attacks {
                                alert;
                            }
                        }
                    }
                }
                rule 3 {
                    /* This rule logs medium severity DNS attacks. Enable this rule to investigate possible threats against Domain Name Services. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups "DNS - Minor";
                        }
                    }
                    then {
                        action {
                            no-action;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                inactive: rule 4 {
                    /* This rule logs low severity attacks.  The rule is disabled by default, as some networks contain many low severity events, which results in many logs. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "Anomaly - Warning" "Signature - Warning" ];
                        }
                    }
                    then {
                        action {
                            no-action;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                inactive: rule 5 {
                    /* This rule logs informational events.  This rule is disabled by default as it generates many logs.  Informational signatures are included not to necessarily detect attacks, but to provide additional understanding of your network's traffic. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "Anomaly - Info" "Signature - Info" ];
                        }
                    }
                    then {
                        action {
                            no-action;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
            }
        }
        idp-policy File_Server {
            /* This template policy is designed to provide protection to various file sharing services such as AMB, NFS, FTP, and others. */
            rulebase-ips {
                rule 1 {
                    /* This rule drops all packets that should not occur on a clean network, and can be used by attackers to evade IDSs.  This rule is necessary to harden the IDP against evasion attempts. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "IP - Major" "IP - Critical" "TCP - Critical" "TCP - Major" ];
                        }
                    }
                    then {
                        action {
                            drop-packet;
                        }
                        notification {
                            log-attacks {
                                alert;
                            }
                        }
                    }
                }
                rule 2 {
                    /* This rule drops all DNS  and DHCP packets that contain critical severity attacks and logs them as alarms.  Enable this rule if you are running your IDP in "in-line" mode, and wish to protect your network against critical DNS and DHCP attacks. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "DNS - Critical" "DNS - Major" "DHCP - Critical" "DHCP - Major" "SHELLCODE - Critical" "SHELLCODE - Major" ];
                        }
                    }
                    then {
                        action {
                            drop-packet;
                        }
                        notification {
                            log-attacks {
                                alert;
                            }
                        }
                    }
                }
                rule 3 {
                    /* This rule drops critical and high severity attacks against common DMZ services and logs them as alarms. Enable this rule if you are running your IDP in "in-line" mode, and wish to protect your network against critical and high severity attacks. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "FTP - Critical" "FTP - Major" "SSH - Critical" "SSH - Major" "NFS - Critical" "NFS - Major" "PORTMAPPER - Critical" "PORTMAPPER - Major" "RPC - Critical" "RPC - Major" "SMB - Critical" "SMB - Major" "MS-RPC - Critical" "MS-RPC - Major" "NETBIOS - Critical" "NETBIOS - Major" "TFTP - Critical" "TFTP - Major" ];
                        }
                    }
                    then {
                        action {
                            drop-packet;
                        }
                        notification {
                            log-attacks {
                                alert;
                            }
                        }
                    }
                }
                rule 4 {
                    /* This rule logs medium severity file service attacks. Enable this rule to investigate possible threats against file sharing services. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "FTP - Minor" "SSH - Minor" "MS-RPC - Minor" "NETBIOS - Minor" "NFS - Minor" "PORTMAPPER - Minor" "RPC - Minor" "SMB - Minor" "TFTP - Minor" ];
                        }
                    }
                    then {
                        action {
                            no-action;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                inactive: rule 5 {
                    /* This rule logs low severity attacks.  The rule is disabled by default, as some networks contain many low severity events, which results in many logs. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "Anomaly - Warning" "Signature - Warning" ];
                        }
                    }
                    then {
                        action {
                            no-action;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                inactive: rule 6 {
                    /* This rule logs informational events.  This rule is disabled by default as it generates many logs.  Informational signatures are included not to necessarily detect attacks, but to provide additional understanding of your network's traffic. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "Anomaly - Info" "Signature - Info" ];
                        }
                    }
                    then {
                        action {
                            no-action;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
            }
        }
        idp-policy Getting_Started {
            /* This template is a good starting point for learning how to create IDP policies. */
            rulebase-ips {
                rule 1 {
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "IP - Major" "IP - Critical" "IP - Minor" "TCP - Critical" "TCP - Major" "TCP - Minor" ];
                        }
                    }
                    then {
                        action {
                            no-action;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule 2 {
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "ICMP - Critical" "ICMP - Major" "ICMP - Minor" ];
                        }
                    }
                    then {
                        action {
                            no-action;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule 3 {
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "HTTP - Critical" "HTTP - Major" "HTTP - Minor" ];
                        }
                    }
                    then {
                        action {
                            no-action;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule 4 {
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "SMTP - Critical" "SMTP - Major" "SMTP - Minor" ];
                        }
                    }
                    then {
                        action {
                            no-action;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule 5 {
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "DNS - Critical" "DNS - Major" "DNS - Minor" ];
                        }
                    }
                    then {
                        action {
                            no-action;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule 6 {
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "FTP - Critical" "FTP - Major" "FTP - Minor" ];
                        }
                    }
                    then {
                        action {
                            no-action;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule 7 {
                    /* POP3 attack groups, all severities. Detection only: no-action, matches are logged but not blocked. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "POP3 - Critical" "POP3 - Major" "POP3 - Minor" ];
                        }
                    }
                    then {
                        action {
                            no-action;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule 8 {
                    /* IMAP attack groups, all severities. Detection only: no-action, matches are logged but not blocked. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "IMAP - Critical" "IMAP - Major" "IMAP - Minor" ];
                        }
                    }
                    then {
                        action {
                            no-action;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule 9 {
                    /* Malware-family groups (trojan, virus, worm), all severities. Detection only: no-action, matches are logged but not blocked. Like rules 5-8 this rule never drops anything; change the action to drop-packet or recommended if IDP is meant to enforce. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "TROJAN - Critical" "TROJAN - Major" "TROJAN - Minor" "VIRUS - Critical" "VIRUS - Major" "VIRUS - Minor" "WORM - Critical" "WORM - Major" "WORM - Minor" ];
                        }
                    }
                    then {
                        action {
                            no-action;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
            }
        }
        idp-policy IDP_Default {
            /* This template policy represents a good blend of security and performance. Use this template for "in-line" mode. NOTE(review): it is not the policy in force -- 'active-policy Getting_Started' is set at the end of the idp stanza, so the drop-packet rules below are not enforced until the active policy is changed. */
            rulebase-ips {
                rule 1 {
                    /* This rule drops all packets that should not occur on a clean network, and can be used by attackers to evade IDSs.  This rule is necessary to harden the IDP against evasion attempts. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "IP - Major" "IP - Critical" "TCP - Critical" "TCP - Major" ];
                        }
                    }
                    then {
                        action {
                            drop-packet;
                        }
                        notification {
                            log-attacks {
                                alert;
                            }
                        }
                    }
                }
                rule 2 {
                    /* This rule drops high severity attacks and logs them as alarms. Enable this rule if you are running your IDP in "in-line" mode, and wish to protect your network against critical attacks and IDS evasion attempts. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "DB - Critical" "DB - Major" "DDOS - Critical" "DDOS - Major" "DHCP - Critical" "DHCP - Major" "DNS - Critical" "DNS - Major" "DOS - Critical" "DOS - Major" "FTP - Critical" "FTP - Major" "HTTP - Critical" "HTTP - Major" "ICMP - Critical" "ICMP - Major" "IMAP - Critical" "IMAP - Major" "NETBIOS - Critical" "NETBIOS - Major" "MS-RPC - Critical" "MS-RPC - Major" "NFS - Critical" "NFS - Major" "POP3 - Critical" "POP3 - Major" "PORTMAPPER - Critical" "PORTMAPPER - Major" "RPC - Critical" 
                            "RPC - Major" "SCAN - Critical" "SCAN - Major" "SHELLCODE - Critical" "SHELLCODE - Major" "SMB - Critical" "SMB - Major" "SMTP - Critical" "SMTP - Major" "SSH - Critical" "SSH - Major" "TELNET - Critical" "TELNET - Major" "TROJAN - Critical" "TROJAN - Major" "WORM - Critical" "WORM - Major" "APP - Critical" "APP - Major" ];
                        }
                    }
                    then {
                        action {
                            drop-packet;
                        }
                        notification {
                            log-attacks {
                                alert;
                            }
                        }
                    }
                }
                rule 3 {
                    /* This rule logs medium severity attacks.  Enable this rule if you are running your IDP in "in-line" mode, and wish to monitor your network for attacks and IDS evasion attempts. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "DB - Minor" "DDOS - Minor" "DHCP - Minor" "DNS - Minor" "DOS - Minor" "FTP - Minor" "HTTP - Minor" "ICMP - Minor" "IMAP - Minor" "NETBIOS - Minor" "MS-RPC - Minor" "NFS - Minor" "POP3 - Minor" "PORTMAPPER - Minor" "RPC - Minor" "SCAN - Minor" "SHELLCODE - Minor" "SMB - Minor" "SMTP - Minor" "SSH - Minor" "TELNET - Minor" "TROJAN - Minor" "WORM - Minor" "APP - Minor" ];
                        }
                    }
                    then {
                        action {
                            no-action;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                inactive: rule 4 {
                    /* This rule logs low severity attacks.  The rule is disabled by default, as some networks contain many low severity events, which results in many logs. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "Anomaly - Warning" "Signature - Warning" ];
                        }
                    }
                    then {
                        action {
                            no-action;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                inactive: rule 5 {
                    /* This rule logs informational events.  This rule is disabled by default as it generates many logs.  Informational signatures are included not to necessarily detect attacks, but to provide additional understanding of your network's traffic. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "Anomaly - Info" "Signature - Info" ];
                        }
                    }
                    then {
                        action {
                            no-action;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
            }
        }
        idp-policy Recommended {
            /* This template policy covers the most important vulnerabilities. Use this template as a base line. NOTE(review): not the policy in force either ('active-policy Getting_Started' is set below). Its rules use action 'recommended', i.e. the per-attack action shipped with the signature database, rather than a fixed drop or no-action. */
            rulebase-ips {
                rule 1 {
                    /* This rule is designed to protect your networks against important TCP/IP attacks. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]IP - Critical" "[Recommended]IP - Minor" "[Recommended]IP - Major" "[Recommended]TCP - Critical" "[Recommended]TCP - Minor" "[Recommended]TCP - Major" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule 2 {
                    /* This rule is designed to protect your network against important ICMP attacks. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]ICMP - Major" "[Recommended]ICMP - Minor" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule 3 {
                    /* This rule is designed to protect your network against important HTTP attacks. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]HTTP - Critical" "[Recommended]HTTP - Major" "[Recommended]HTTP - Minor" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule 4 {
                    /* This rule is designed to protect your network against important SMTP attacks. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]SMTP - Critical" "[Recommended]SMTP - Major" "[Recommended]SMTP - Minor" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule 5 {
                    /* This rule is designed to protect your network against important DNS attacks. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]DNS - Critical" "[Recommended]DNS - Minor" "[Recommended]DNS - Major" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule 6 {
                    /* This rule is designed to protect your network against important FTP attacks. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]FTP - Critical" "[Recommended]FTP - Minor" "[Recommended]FTP - Major" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule 7 {
                    /* This rule is designed to protect your network against important POP3 attacks. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]POP3 - Critical" "[Recommended]POP3 - Minor" "[Recommended]POP3 - Major" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule 8 {
                    /* This rule is designed to protect your network against important IMAP attacks. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]IMAP - Critical" "[Recommended]IMAP - Major" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule 9 {
                    /* This rule is designed to protect your network against common internet malware. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]TROJAN - Critical" "[Recommended]TROJAN - Major" "[Recommended]TROJAN - Minor" "[Recommended]VIRUS - Critical" "[Recommended]VIRUS - Major" "[Recommended]VIRUS - Minor" "[Recommended]WORM - Critical" "[Recommended]WORM - Major" "[Recommended]WORM - Minor" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
            }
        }
        /* Only this policy is enforced; IDP_Default and Recommended above are defined but idle. NOTE(review): rules 5-9 at the top of this excerpt appear to belong to Getting_Started (its header is outside the excerpt -- confirm); they all use no-action, so for those attack groups IDP is detection-only. */
        active-policy Getting_Started;
    }
    nat {
        source {
            address-persistent;
            pool-utilization-alarm raise-threshold 50 clear-threshold 40;
        }
    }
    screen {
        /* IDS screen profile. NOTE(review): it is defined here but never applied -- neither security-zone in the zones stanza below carries 'screen untrust-screen', so none of these checks are enforced on any interface. */
        ids-option untrust-screen {
            ip {
                bad-option;
                source-route-option;
                tear-drop;
            }
            tcp {
                /* SYN flood limits; the proxying mode itself is selected under 'security flow'. NOTE(review): the units differ per keyword (SYN rates vs. proxied-session counts) -- check the Junos screen reference before tuning. */
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    queue-size 2000;
                    timeout 20;
                }
                land;
                winnuke;
            }
        }
    }
    zones {
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                        protocols {
                            all;
                        }
                    }
                }
                ge-0/0/1.0 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                        protocols {
                            all;
                        }
                    }
                }
                fe-0/0/5.0 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                        protocols {
                            all;
                        }
                    }
                }
                fe-0/0/6.0 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                        protocols {
                            all;
                        }
                    }
                }
                fe-0/0/7.0 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                        protocols {
                            all;
                        }
                    }
                }
            }
        }
        security-zone untrust {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
        }
    }
    policies {
        from-zone trust to-zone trust {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone trust to-zone untrust {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application [ junos-tcp-any junos-udp-any junos-icmp-ping junos-ping ];
                }
                then {
                    permit;
                }
            }
        }
        from-zone untrust to-zone trust {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application [ junos-ping junos-tcp-any junos-udp-any junos-icmp-ping ];
                }
                then {
                    permit;
                }
            }
            policy default-deny {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    deny;
                }
            }
        }
        default-policy {
            permit-all;
        }
    }
    flow {
        /* NOTE(review): allow-dns-reply accepts DNS replies that match no existing session, which weakens stateful inspection for UDP/53; it is normally a workaround for asymmetric paths -- confirm it is still required here. */
        allow-dns-reply;
        route-change-timeout 100;
        /* SYN flood handling by proxying the handshake on the SRX (used together with the syn-flood thresholds of a screen profile, once one is applied to a zone). */
        syn-flood-protection-mode syn-proxy;
    }
    utm {
        /* Anti-virus feature profile using the Kaspersky engine with Juniper's default MIME bypass list. NOTE(review): a feature profile on its own scans nothing -- it must be referenced from a utm-policy, which in turn is attached to a security policy via application-services; neither is visible in this excerpt. */
        feature-profile {
            anti-virus {
                mime-whitelist {
                    list junos-default-bypass-mime;
                    exception junos-default-bypass-mime;
                }
                type kaspersky-lab-engine;
            }
        }
    }
}
firewall {
    family inet {
        /* Stateless filter that matches every IPv4 packet, logs it and accepts it, i.e. it filters nothing. NOTE(review): 'log' writes each matching packet to the router's small in-memory filter log buffer -- useful while troubleshooting, not as a permanent setting. Whether it is applied to any interface cannot be seen from this excerpt. */
        filter "resolve all" {
            term "resolve all" {
                from {
                    source-address {
                        0.0.0.0/0;
                    }
                    destination-address {
                        0.0.0.0/0;
                    }
                }
                then {
                    log;
                    accept;
                }
            }
        }
    }
}

Edited by kappoly


А вам там случаем NAT настраивать не надо?

Кого-нибудь в 111.222.42.128/26 кроме IP-адреса интерфейса fe-0/0/6.0 попинговать можно?

А вам там случаем NAT настраивать не надо?

Кого-нибудь в 111.222.42.128/26 кроме IP-адреса интерфейса fe-0/0/6.0 попинговать можно?

NAT надо. Но я всё лишнее, резво написанное сначала, уже удалил.

С устройства через fe-0/0/6.0 мир пингуется. NS-серверы провайдера в сети 10.254.1.0/? пингуются.

 

Хорошая ссылка. Спасибо.

Я уже не первый день долблюсь, читая жаниперовский сайт и прочее, что найду.

Наверняка какой-то пустяк, но не въезжаю.

Апну.

 

Для начала напишите нормальные правила для фильтров и назначьте зоны на интерфейсы

 

security {
   
    }
    zones {
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            /* NOTE(review): this list still places fe-0/0/6.0, the provider-facing interface from the original post, in trust and leaves untrust with no interfaces, so the screen below protects nothing and no trust-to-untrust policy or NAT can ever match. */
            interfaces {
                ge-0/0/0.0;
                ge-0/0/1.0;
                fe-0/0/5.0;
                fe-0/0/6.0;
                fe-0/0/7.0;
            }
        }
        security-zone untrust {
            screen untrust-screen;
        }
    }
    policies {
        /* Intra-zone policy only; with every interface in trust this single rule covers all forwarded traffic, and no inter-zone policy exists. */
        from-zone trust to-zone trust {
            policy PERMIT-ALL {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
}

 

И пишите конфиг в форуме в тегах Code


Обновил версию. Конфиг в code. Что в нём не так?

