Zrobiłem to co chciałem, i wszystko działa, jednak tak na wszelki wypadek publikuje i proszę o sprawdzenie. Chodzi mi bardziej o to czy nie popełniłem gdzieś jakiejś "dziury" w security.
Z góry bardzo dziękuję:
Kod: Zaznacz cały
root@NODE-1# show
## Last changed: 2015-10-26 13:13:16 UTC
version 12.1X46-D35.1;
groups {
node0 {
interfaces {
fxp0 {
unit 0 {
family inet {
address 1.1.1.1/24;
}
}
}
}
}
node1 {
interfaces {
fxp0 {
unit 0 {
family inet {
address 1.1.1.2/24;
}
}
}
}
}
}
apply-groups "${node}";
system {
host-name NODE-1;
root-authentication {
encrypted-password "$1$OBrtJGCy$XXim9woawjQd8VXaCTup2/"; ## SECRET-DATA
}
name-server {
208.67.222.222;
208.67.220.220;
}
services {
ssh;
telnet;
xnm-clear-text;
web-management {
http {
interface vlan.0;
}
https {
system-generated-certificate;
interface vlan.0;
}
}
}
syslog {
archive size 100k files 3;
user * {
any emergency;
}
file messages {
any critical;
authorization info;
}
file interactive-commands {
interactive-commands error;
}
}
max-configurations-on-flash 5;
max-configuration-rollbacks 5;
license {
autoupdate {
url https://ae1.juniper.net/junos/key_retrieval;
}
}
}
chassis {
cluster {
control-link-recovery;
reth-count 3;
heartbeat-interval 1000;
heartbeat-threshold 3;
redundancy-group 0 {
node 0 priority 100;
node 1 priority 1;
}
redundancy-group 1 {
node 0 priority 100;
node 1 priority 1;
preempt;
gratuitous-arp-count 4;
hold-down-interval 6;
interface-monitor {
ge-0/0/1 weight 255;
ge-2/0/1 weight 255;
}
}
}
}
interfaces {
ge-0/0/0 {
gigether-options {
redundant-parent reth0;
}
}
ge-0/0/1 {
gigether-options {
redundant-parent reth1;
}
}
fe-0/0/2 {
fastether-options {
redundant-parent reth2;
}
}
fe-0/0/3 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
fe-0/0/4 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-2/0/0 {
gigether-options {
redundant-parent reth0;
}
}
ge-2/0/1 {
gigether-options {
redundant-parent reth1;
}
}
fe-2/0/2 {
fastether-options {
redundant-parent reth2;
}
}
fab0 {
fabric-options {
member-interfaces {
fe-0/0/5;
}
}
}
fab1 {
fabric-options {
member-interfaces {
fe-2/0/5;
}
}
}
reth0 {
redundant-ether-options {
redundancy-group 1;
}
unit 0 {
family inet {
address 2.2.2.1/24;
}
}
}
reth1 {
vlan-tagging;
redundant-ether-options {
redundancy-group 1;
}
unit 10 {
vlan-id 10;
family inet {
address 10.40.10.254/24;
}
}
unit 20 {
vlan-id 20;
family inet {
address 10.40.20.254/24;
}
}
unit 30 {
vlan-id 30;
family inet {
address 10.40.30.254/24;
}
}
}
reth2 {
redundant-ether-options {
redundancy-group 1;
}
unit 0 {
family inet {
address 10.20.0.1/24;
}
}
}
vlan {
unit 0 {
family inet {
address 192.168.1.1/24;
}
}
}
}
routing-options {
static {
route 192.168.90.0/24 next-hop 2.2.2.2;
}
}
protocols {
stp;
}
security {
screen {
ids-option untrust-screen {
icmp {
ping-death;
}
ip {
source-route-option;
tear-drop;
}
tcp {
syn-flood {
alarm-threshold 1024;
attack-threshold 200;
source-threshold 1024;
destination-threshold 2048;
timeout 20;
}
land;
}
}
}
nat {
source {
rule-set trust-to-untrust {
from zone trust;
to zone untrust;
rule source-nat-rule {
match {
source-address 0.0.0.0/0;
}
then {
source-nat {
interface;
}
}
}
}
}
destination {
pool DEST-NAT-POOL-01 {
address 10.20.0.10/32 port 80;
}
pool DEST-NAT-POOL-02 {
address 10.20.0.10/32 port 1194;
}
rule-set RULE-NAT-D-SET-01 {
from zone untrust;
rule RULE-D-01 {
match {
destination-address 2.2.2.200/32;
destination-port 80;
}
then {
destination-nat {
pool {
DEST-NAT-POOL-01;
}
}
}
}
rule RULE-D-02 {
match {
destination-address 2.2.2.200/32;
destination-port 1194;
}
then {
destination-nat {
pool {
DEST-NAT-POOL-02;
}
}
}
}
}
}
proxy-arp {
interface reth0.0 {
address {
2.2.2.200/32;
}
}
}
}
policies {
from-zone trust to-zone untrust {
policy trust-to-untrust {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone trust to-zone trust {
policy fromVLAN_10_toVLAN_20 {
match {
source-address any;
destination-address VLAN_20;
application any;
}
then {
permit;
}
}
}
from-zone trust to-zone dmz {
policy to_WWW_SRV {
match {
source-address any;
destination-address SRV_WWW;
application [ junos-http junos-icmp-ping ];
}
then {
permit;
}
}
}
from-zone untrust to-zone dmz {
policy Server-Access {
match {
source-address any;
destination-address SRV_WWW;
application junos-http;
}
then {
permit;
}
}
}
}
zones {
security-zone trust {
address-book {
address VLAN_10 10.40.10.0/24;
address VLAN_20 10.40.20.0/24;
address VLAN_30 10.40.30.0/24;
}
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
reth1.10;
reth1.20;
reth1.30;
}
}
security-zone untrust {
screen untrust-screen;
host-inbound-traffic {
system-services {
ping;
}
}
interfaces {
reth0.0;
}
}
security-zone dmz {
address-book {
address SRV_WWW 10.20.0.10/32;
}
host-inbound-traffic {
system-services {
all;
}
}
interfaces {
reth2.0;
}
}
}
}
vlans {
vlan-trust {
vlan-id 3;
l3-interface vlan.0;
}
}
{primary:node0}[edit]
root@NODE-1#