
南京呼叫中心防火墙配置(备份)


set clock timezone 0
set vrouter trust-vr sharable
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset auto-route-export
exit
set service "RDP-8888" protocol tcp src-port 1-65535 dst-port 8888-8888
set service "P4788" protocol tcp src-port 1-65535 dst-port 4788-4788
set service "P4789" protocol tcp src-port 1-65535 dst-port 4789-4789
set service "P9991" protocol tcp src-port 1-65535 dst-port 9991-9991
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set auth radius accounting port 1646
set admin name "admin"
set admin password "nH/vDirbE5GBcjdGoslAEBBtHFA6En"
set admin auth timeout 10
set admin auth server "Local"
set admin format dos
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "DMZ" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Untrust-Tun" vrouter "trust-vr"
set zone "Trust" tcp-rst
set zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "MGT" block
set zone "DMZ" tcp-rst
set zone "VLAN" block
unset zone "VLAN" tcp-rst
set zone "Trust" screen alarm-without-drop
set zone "Trust" screen icmp-flood
set zone "Trust" screen udp-flood
set zone "Trust" screen winnuke
set zone "Trust" screen port-scan
set zone "Trust" screen ip-sweep
set zone "Trust" screen tear-drop
set zone "Trust" screen syn-flood
set zone "Trust" screen ip-spoofing
set zone "Trust" screen ping-death
set zone "Trust" screen ip-filter-src
set zone "Trust" screen land
set zone "Trust" screen syn-frag
set zone "Trust" screen tcp-no-flag
set zone "Trust" screen ip-bad-option
set zone "Trust" screen ip-record-route
set zone "Trust" screen ip-timestamp-opt
set zone "Trust" screen ip-security-opt
set zone "Trust" screen ip-loose-src-route
set zone "Trust" screen ip-strict-src-route
set zone "Trust" screen ip-stream-opt
set zone "Trust" screen icmp-fragment
set zone "Trust" screen icmp-large
set zone "Trust" screen syn-fin
set zone "Trust" screen fin-no-ack
set zone "Trust" screen syn-ack-ack-proxy
set zone "Trust" screen block-frag
set zone "Trust" screen component-block zip
set zone "Trust" screen component-block exe
set zone "Trust" screen component-block activex
set zone "Trust" screen icmp-id
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set zone "Trust" screen icmp-flood threshold 100
set zone "Trust" screen udp-flood dst-ip x.x.x.x
set interface "ethernet1" zone "Trust"
set interface "ethernet2" zone "V1-Trust"
set interface "ethernet3" zone "Null"
set interface "ethernet4" zone "V1-Untrust"
set interface vlan1 ip 10.2.80.3/20
set interface vlan1 nat
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface vlan1 ip manageable
unset flow no-tcp-seq-check
set flow tcp-syn-check
set hostname juniper-network
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set address "V1-Trust" "10.2.0.0/16" 10.2.0.0 255.255.0.0
set address "V1-Trust" "10.2.0.0/20" 10.2.0.0 255.255.240.0
set address "V1-Trust" "x.x.x.x/28" x.x.x.x 255.255.255.240
set address "V1-Trust" "x.x.x.x/28" x.x.x.x 255.255.255.240
set address "V1-Untrust" "10.2.0.0/16" 10.2.0.0 255.255.0.0
set address "V1-Untrust" "10.3.0.0/8" 10.3.0.0 255.0.0.0
set ike respond-bad-spi 1
unset ike ikeid-enumeration
unset ike dos-protection
unset ipsec access-session enable
set ipsec access-session maximum 5000
set ipsec access-session upper-threshold 0
set ipsec access-session lower-threshold 0
set ipsec access-session dead-p2-sa-timeout 0
unset ipsec access-session log-error
unset ipsec access-session info-exch-connected
unset ipsec access-session use-error-log
set url protocol websense
exit
set policy id 1 name "lan-to-wan" from "V1-Trust" to "V1-Untrust" "Any" "Any" "ECHO" permit
set policy id 1
exit
set policy id 2 from "V1-Trust" to "V1-Untrust" "Any" "Any" "DNS" permit
set policy id 2
exit
set policy id 3 from "V1-Trust" to "V1-Untrust" "Any" "Any" "HTTP" permit
set policy id 3
exit
set policy id 4 from "V1-Trust" to "V1-Untrust" "Any" "Any" "GRE" permit
set policy id 4
exit
set policy id 5 from "V1-Trust" to "V1-Untrust" "Any" "Any" "HTTPS" permit
set policy id 5
exit
set policy id 6 from "V1-Untrust" to "V1-Trust" "Any" "Any" "ICMP-ANY" permit
set policy id 6
exit
set policy id 7 name "vpn-to-lan-admin" from "V1-Untrust" to "V1-Trust" "10.2.0.0/16" "10.2.0.0/16" "ANY" permit
set policy id 7
exit
set policy id 9 name "pptp" from "V1-Untrust" to "V1-Trust" "Any" "106.3.78.160/28" "HTTP" permit
set policy id 9
exit
set policy id 10 name "pptp-gre" from "V1-Untrust" to "V1-Trust" "Any" "x.x.x.x/28" "GRE" permit
set policy id 10
exit
set policy id 11 name "pptp" from "V1-Untrust" to "V1-Trust" "Any" "x.x.x.x/28" "PPTP" permit
set policy id 11
exit
set policy id 12 name "RDP8888" from "V1-Untrust" to "V1-Trust" "Any" "x.x.x.x/28" "RDP-8888" permit
set policy id 12
exit
set policy id 13 name "P4788" from "V1-Untrust" to "V1-Trust" "Any" "x.x.x.x/28" "P4788" permit
set policy id 13
exit
set policy id 14 name "P4789" from "V1-Untrust" to "V1-Trust" "Any" "106.3.78.160/28" "P4789" permit
set policy id 14
exit
set policy id 15 name "P9991" from "V1-Untrust" to "V1-Trust" "Any" "106.3.78.160/28" "P9991" permit
set policy id 15
exit
set policy id 16 name "lan-to-wan" from "V1-Trust" to "V1-Untrust" "Any" "Any" "SMTP" permit
set policy id 16
exit
set policy id 17 name "-lan-to-wan" from "V1-Trust" to "V1-Untrust" "Any" "Any" "NTP" permit
set policy id 17
exit
set policy id 18 name "lan-to-wan" from "V1-Trust" to "V1-Untrust" "Any" "Any" "POP3" permit
set policy id 18
exit
set policy id 19 name "lan-to-wan" from "V1-Trust" to "V1-Untrust" "Any" "Any" "L2TP" permit
set policy id 19
exit
set policy id 20 name "lan-to-wan" from "V1-Trust" to "V1-Untrust" "Any" "Any" "PPTP" permit
set policy id 20
exit
set nsmgmt bulkcli reboot-timeout 60
set ssh version v2
set config lock timeout 5
set snmp port listen 161
set snmp port trap 162
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset add-default-route
set route 0.0.0.0/0 gateway x.x.x.x
exit
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit


原文地址:http://www.cnblogs.com/networking/p/4111874.html
