## Last changed: 2013-12-21 14:11:02 CET
version 11.4R9.4;
# THIS SOFTWARE IS PROVIDED TO YOU 'AS IS' AND IS NOT WARRANTED OR SUPPORTED
# BY JUNIPER NETWORKS. JUNIPER NETWORKS DISCLAIMS ANY AND ALL WARRANTIES IN
# AND TO THE SOFTWARE (WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE),
# INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
# PURPOSE, OR NONINFRINGEMENT. IN NO EVENT DOES JUNIPER NETWORKS WARRANT THAT
# THE SOFTWARE, OR ANY EQUIPMENT OR NETWORK RUNNING THE SOFTWARE, WILL OPERATE
# WITHOUT ERROR OR INTERRUPTION, OR WILL BE FREE OF VULNERABILITY TO INTRUSION
# OR ATTACK. ADDITIONALLY USE OF THE SOFTWARE IS SUBJECT TO JUNIPER NETWORKS'
# AUTHORIZATION AND SOFTWARE MAY NOT BE DISTRIBUTED WITHOUT JUNIPER NETWORKS'
# PRIOR WRITTEN CONSENT. IN NO EVENT SHALL JUNIPER NETWORKS HAVE ANY LIABILITY
# FOR ANY LOST PROFITS, LOSS OF DATA OR COSTS OF PROCUREMENT OF SUBSTITUTE GOODS
# OR SERVICES, OR FOR ANY DIRECT, SPECIAL, INDIRECT, OR CONSEQUENTIAL DAMAGES
# ARISING OUT OF CUSTOMER'S USE OF THE SOFTWARE, UNDER ANY THEORY OF LIABILITY,
# INCLUDING, WITHOUT LIMITATION, THOSE RESULTING FROM THE USE OF SOFTWARE
# PROVIDED HEREUNDER, OR THE FAILURE OF SOFTWARE TO PERFORM, OR FOR ANY OTHER
# REASON. THESE LIMITATIONS SHALL APPLY NOTWITHSTANDING THE FAILURE OF THE
# ESSENTIAL PURPOSE OF ANY LIMITED REMEDY.
#
#
# Junos SRX configuration: a small Internet gateway with a public WAN side
# (ge-0/0/0, zone untrust), a private LAN (ge-0/0/1, zone trust) and a
# loopback-only DMZ zone. Review notes are marked NOTE(review).
system {
    host-name gw.example.com;
    domain-name example.com;
    time-zone Europe/Warsaw;
    # Only local password authentication is configured in this excerpt
    # (no RADIUS/TACACS+ servers visible).
    authentication-order password;
    root-authentication {
        # Redacted/placeholder value in this sample - a real password hash
        # must be set before the configuration is used.
        encrypted-password "blah,blah,blah"; ## SECRET-DATA
    }
    name-server {
        8.8.8.8;
        8.8.4.4;
    }
    services {
        ssh {
            # NOTE(review): direct root login over SSH is allowed. The usual
            # hardening is 'root-login deny' (or deny-password) and per-user
            # accounts; no login user definitions are visible in this excerpt.
            root-login allow;
            protocol-version v2;
        }
        # NOTE(review): telnet and xnm-clear-text are cleartext management
        # services (credentials and XML-RPC sessions travel unencrypted).
        # Prefer removing both and using ssh / xnm-ssl only.
        telnet;
        xnm-clear-text;
        # Local DNS proxy for the LAN, forwarding to 8.8.8.8.
        dns {
            max-cache-ttl 600;
            forwarders {
                8.8.8.8;
            }
        }
        web-management {
            # NOTE(review): unencrypted HTTP J-Web on the LAN interface while
            # HTTPS is already bound to the same interface below; the http
            # stanza is redundant and can be dropped.
            http {
                interface ge-0/0/1.0;
            }
            https {
                # Self-signed certificate: clients cannot verify the device
                # identity, so the login page is open to interception on path.
                system-generated-certificate;
                # NOTE(review): HTTPS management is also bound to the WAN
                # interface ge-0/0/0.0; together with the untrust zone
                # host-inbound 'https' below this exposes J-Web to the
                # Internet. Remove ge-0/0/0.0 here unless that is intended.
                interface [ ge-0/0/1.0 ge-0/0/0.0 ];
            }
        }
        # DHCP server for the LAN: hands out 192.168.1.100-199 with this
        # device (192.168.1.1) as default router.
        dhcp {
            domain-name example.com;
            name-server {
                8.8.8.8;
                8.8.4.4;
            }
            domain-search {
                example.com;
                example.lan;
            }
            router {
                192.168.1.1;
            }
            pool 192.168.1.0/24 {
                address-range low 192.168.1.100 high 192.168.1.199;
            }
            # NOTE(review): propagate-settings names the interface whose
            # DHCP-client-learned settings are passed on to clients; ge-0/0/1.0
            # has a static address in this config - confirm this is intended.
            propagate-settings ge-0/0/1.0;
        }
    }
}
interfaces {
    # WAN side: public /30, the default route below points at the .162 peer.
    ge-0/0/0 {
        gigether-options {
            no-loopback;
            auto-negotiation;
        }
        unit 0 {
            family inet {
                address 79.110.203.161/30;
            }
        }
    }
    # LAN side: gateway address of the DHCP pool above.
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 192.168.1.1/24;
            }
        }
    }
    # Loopback carrying a public /29; it is the only member of dmz-zone.
    lo0 {
        description local-loopback;
        unit 0 {
            family inet {
                address 79.110.203.153/29;
            }
        }
    }
}
routing-options {
    # Only routing in this excerpt: a static default route toward the WAN peer.
    static {
        route 0.0.0.0/0 next-hop 79.110.203.162;
    }
}
security {
    # The numbered "# 000N / FROM / TO / SERVICE" comments below look like
    # markers left by a policy migration tool; they do not affect the config.
    # 0001
    # FROM "Any"
    # TO "Any"
    # SERVICE "any"
    # permit
    policies {
        # 0002
        # FROM "Any"
        # TO "Any"
        # SERVICE "any"
        # permit
        # LAN -> Internet: everything permitted, no logging configured.
        from-zone trust to-zone untrust {
            policy defaultPermitPolicy {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        # 0003
        # FROM "Any"
        # TO "Any"
        # SERVICE "any"
        # deny
        # Internet -> LAN. Junos evaluates policies top-down, first match wins.
        from-zone untrust to-zone trust {
            # Permits every ICMP type from the Internet into the LAN.
            policy test {
                match {
                    source-address any;
                    destination-address any;
                    application junos-icmp-all;
                }
                then {
                    permit;
                }
            }
            # Catch-all deny; nothing placed after it in this context can match.
            policy defaultPolicy {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    deny;
                }
            }
            # NOTE(review): unreachable - defaultPolicy above matches
            # any/any/any, so this permit never applies. Either delete it, or
            # move it above defaultPolicy if exposing kairos-host is intended.
            # No destination NAT is visible in this excerpt, so even if
            # reordered it would only match traffic addressed directly to
            # 192.168.1.254 - confirm against the full configuration.
            policy kairos {
                match {
                    source-address any;
                    destination-address kairos-host;
                    application [ junos-https junos-http junos-ssh ];
                }
                then {
                    permit;
                }
            }
        }
        # Internet -> device self traffic: ICMP only at policy level (the
        # management services actually reachable are governed by the
        # host-inbound-traffic settings in the untrust zone below).
        from-zone untrust to-zone junos-host {
            policy icmp-from-wan {
                match {
                    source-address any;
                    destination-address any;
                    application junos-icmp-all;
                }
                then {
                    permit;
                }
            }
        }
        # Internet -> DMZ (loopback only): ICMP permitted, everything else
        # falls to the implicit default deny.
        from-zone untrust to-zone dmz-zone {
            policy icmp {
                match {
                    source-address any;
                    destination-address any;
                    application junos-icmp-all;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone trust {
            address-book {
                address kairos-host 192.168.1.254/32;
            }
            host-inbound-traffic {
                system-services {
                    ping;
                    traceroute;
                }
            }
            interfaces {
                ge-0/0/1.0 {
                    host-inbound-traffic {
                        # Management and the LAN services (DHCP, DNS proxy)
                        # offered to the inside network.
                        system-services {
                            ssh;
                            ping;
                            http;
                            https;
                            dhcp;
                            dns;
                        }
                        # NOTE(review): no routing protocol is configured
                        # anywhere in this excerpt (only a static default
                        # route), so these inbound allowances only add attack
                        # surface on the routing engine and could be removed.
                        protocols {
                            bgp;
                            pim;
                            ospf;
                            rip;
                            igmp;
                        }
                    }
                }
            }
        }
        security-zone untrust {
            # NOTE(review): SSH is reachable from the Internet on the public
            # address with no source restriction visible here (no lo0 firewall
            # filter, no ssh connection/rate limits in this excerpt). Restrict
            # sources or remove it, and monitor authentication logs for
            # repeated failures.
            host-inbound-traffic {
                system-services {
                    ping;
                    ssh;
                }
            }
            interfaces {
                ge-0/0/0.0 {
                    # Interface-level host-inbound-traffic is, as I recall,
                    # applied in place of the zone-level list for this
                    # interface - confirm; either way https and ssh are
                    # open to the Internet here.
                    host-inbound-traffic {
                        system-services {
                            https;
                            ssh;
                            ping;
                            traceroute;
                        }
                    }
                }
            }
        }
        # NOTE(review): 'junos-host' is the zone name Junos uses for the
        # device's own (self) traffic; this stanza only adds an address-book
        # entry and binds no interfaces - confirm the entry is actually
        # referenced, as no policy in this excerpt uses dmz-153.
        security-zone junos-host {
            address-book {
                address dmz-153 79.110.203.153/32;
            }
        }
        security-zone dmz-zone {
            host-inbound-traffic {
                system-services {
                    ping;
                    traceroute;
                }
            }
            # The loopback (public /29) is the sole member of this zone.
            interfaces {
                lo0.0;
            }
        }
    }
}