Use deny-last Script to Move Terms to Last Term
For SLAX version 1.0 and higher, you can use the deny-last script to move an "any/any" reject or deny term to the last term.
Many security policy lists have a blanket reject/deny term as their last term, so that if nothing matches the previous terms, it's not allowed. But if a user adds a new term, the new term is inserted by default at the end of the list of terms, preventing the 'any/any' from doing its job. The deny-last script moves 'any/any' to the proper position as the last term.
NOTE: This script will not work with config groups because they are always the last terms.
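The same rule, applied offline to a Junos XML configuration export, as an added Python example that is not the deny-last.slax script itself. The XML fragment is constructed from the page's example, the element paths follow the ones the SLAX script walks (security/policies/policy, match/source-address, then/deny), and the audit reports which later terms a misplaced blanket deny shadows and the order the commit script would produce.

```python
import xml.etree.ElementTree as ET

# Constructed sample in Junos XML form: the page's example, where deny-any sits
# between allow-ftp and allow-smtp, so allow-smtp can never be reached.
SAMPLE_CONFIG = """<configuration><security><policies><policy>
 <from-zone-name>untrust</from-zone-name><to-zone-name>trust</to-zone-name>
 <policy><name>allow-ftp</name><match><source-address>any</source-address>
  <destination-address>any</destination-address><application>junos-ftp</application>
  </match><then><permit/></then></policy>
 <policy><name>deny-any</name><match><source-address>any</source-address>
  <destination-address>any</destination-address><application>any</application>
  </match><then><deny/><log><session-init/></log></then></policy>
 <policy><name>allow-smtp</name><match><source-address>any</source-address>
  <destination-address>any</destination-address><application>junos-smtp</application>
  </match><then><permit/></then></policy>
</policy></policies></security></configuration>"""

ANY_FIELDS = ("source-address", "destination-address", "application")


def is_blanket_deny(policy):
    """The script's test: match any/any/any and then deny or reject."""
    match, then = policy.find("match"), policy.find("then")
    if match is None or then is None:
        return False
    # Like the XPath '=="any"' test, true if any value of the field is 'any'.
    all_any = all("any" in [e.text for e in match.findall(f)] for f in ANY_FIELDS)
    return all_any and (then.find("deny") is not None or then.find("reject") is not None)


def audit(config_xml):
    """Return {(from_zone, to_zone): (shadowed_names, corrected_order)} for
    each zone pair whose blanket deny is not the last term."""
    findings = {}
    for ctx in ET.fromstring(config_xml).findall("./security/policies/policy"):
        zones = (ctx.findtext("from-zone-name"), ctx.findtext("to-zone-name"))
        names = [p.findtext("name") for p in ctx.findall("policy")]
        for idx, pol in enumerate(ctx.findall("policy")):
            if is_blanket_deny(pol) and idx != len(names) - 1:
                # Every term after the blanket deny is unreachable; moving the
                # deny to the end (what deny-last.slax does) restores them.
                findings[zones] = (names[idx + 1:], names[:idx] + names[idx + 1:] + [names[idx]])
                break
    return findings
```

Running audit(SAMPLE_CONFIG) flags the untrust-to-trust pair with allow-smtp shadowed and the corrected order allow-ftp, allow-smtp, deny-any, which is the order the commit in the example output below produces.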
Source Code and GitHub Links
The source code below is also available from the following GitHub locations:
Example Configuration
system {
    scripts {
        commit {
            file deny-last.slax {
                description "Move an "any/any" reject or deny term to the last term";
            }
        }
    }
}
Example Output
[edit]
lab@host1-a# show security policies
from-zone untrust to-zone trust {
    policy allow-ftp {
        match {
            source-address any;
            destination-address any;
            application junos-ftp;
        }
        then {
            permit;
        }
    }
    policy deny-any {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            deny;
            log {
                session-init;
            }
        }
    }
    policy allow-smtp {
        match {
            source-address any;
            destination-address any;
            application junos-smtp;
        }
        then {
            permit;
        }
    }
}
default-policy {
    permit-all;
}

[edit]
lab@host1-a# commit
[edit security policies policy policy deny-any]
  warning: Moved deny/reject any term 'deny-any' to the end of the policy chain.
commit complete

[edit]
lab@host1-a# show security policies
from-zone untrust to-zone trust {
    policy allow-ftp {
        match {
            source-address any;
            destination-address any;
            application junos-ftp;
        }
        then {
            permit;
        }
    }
    policy allow-smtp {
        match {
            source-address any;
            destination-address any;
            application junos-smtp;
        }
        then {
            permit;
        }
    }
    policy deny-any {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            deny;
            log {
                session-init;
            }
        }
    }
}
default-policy {
    permit-all;
}
SLAX Script Contents
version 1.0;
ns junos = "http://xml.juniper.net/junos/*/junos";
ns xnm = "http://xml.juniper.net/xnm/1.1/xnm";
ns jcs = "http://xml.juniper.net/junos/commit-scripts/1.0";

import "../import/junos.xsl";

match configuration {
    for-each (security/policies/policy) {
        /* Count the number of policies. */
        var $policy-count = count(policy);

        /* Find all "match any" "then reject/deny" policies
           that are not at the end. */
        for-each (policy[match/source-address=="any" &&
                         match/destination-address=="any" &&
                         match/application=="any" &&
                         (then/deny || then/reject) &&
                         position() != $policy-count]) {
            /* Move the policy to the end. */
            call jcs:emit-change() {
                with $dot = ..;
                with $content = {
                    <from-zone-name> ../from-zone-name;
                    <to-zone-name> ../to-zone-name;
                    <policy insert="after" name=../policy[position() == $policy-count]/name> {
                        <name> name;
                    }
                }
                with $message = "Moved deny/reject any term '" _ name _ "' to the end of the policy chain.";
            }
        }
    }
}
XML Script Contents
<?xml version="1.0"?>
<script>
  <title>deny-last.slax</title>
  <author>phil.shafer</author>
  <synopsis>
    Move an "any/any" reject or deny term to the last term
  </synopsis>
  <coe>commit</coe>
  <type>security</type>

  <description>
    Many security policy lists have a blanket reject/deny term as their
    last term, so that if nothing matches the previous terms, it's not
    allowed. But if a user adds a new term, the new term is inserted
    by default at the end of the list of terms, preventing it from
    doing its job.

    This script moves such a term to the proper position as the last term.

    Note that this script will not work with config groups, since they
    are always the last terms.

  </description>

  <keyword>security</keyword>
  <keyword>policies</keyword>
  <keyword>last</keyword>
  <keyword>term</keyword>
  <example>
    <title>basic config</title>
    <config>example-1.conf</config>
    <output>example-1.output</output>
  </example>

  <xhtml:script xmlns:xhtml="http://www.w3.org/1999/xhtml"
                src="../../../../../web/leaf.js"
                type="text/javascript"/>
</script>