[Nocrancid] autopop-onenet.net router config diffs
rancid at rancid.noc.onenet.net
rancid at rancid.noc.onenet.net
Fri Feb 12 12:02:31 CST 2016
Index: configs/hub.cla.onenet.net
===================================================================
--- configs/hub.cla.onenet.net (revision 139757)
+++ configs/hub.cla.onenet.net (working copy)
@@ -310,8 +310,8 @@
#t1-2/0/0:10 down down
#t1-2/0/0:11 down down
#t1-2/0/0:12 down down
-#t1-2/0/0:13 up up
-#t1-2/0/0:13.0 up up
+#t1-2/0/0:13 up down
+#t1-2/0/0:13.0 up down
#t1-2/0/0:14 down down
#t1-2/0/0:15 up up
#t1-2/0/0:15.0 up up
Index: configs/maysville-es.client.onenet.net
===================================================================
--- configs/maysville-es.client.onenet.net (revision 139757)
+++ configs/maysville-es.client.onenet.net (working copy)
@@ -1,7 +1,6 @@
# RANCID-CONTENT-TYPE: juniper
#
# grnoc-mon at MAYSVILLE-ES-LEASED-ASSET-TAG-004945> show system commit
-# show chassis environment
# 2015-10-26 13:12:04 CDT by admin via cli
# 2015-10-26 13:08:26 CDT by admin via cli
# 2015-10-26 12:58:03 CDT by admin via cli
Index: configs/rpswi2.rp1f3.onenet.net
===================================================================
--- configs/rpswi2.rp1f3.onenet.net (revision 139757)
+++ configs/rpswi2.rp1f3.onenet.net (working copy)
@@ -430,8 +430,8 @@
#ge-0/0/12.0 up up
#ge-0/0/13 up up
#ge-0/0/13.0 up up
-#ge-0/0/14 up down
-#ge-0/0/14.0 up down
+#ge-0/0/14 up up
+#ge-0/0/14.0 up up
#ge-0/0/15 up down
#ge-0/0/15.0 up down
#ge-0/0/16 up up
@@ -552,8 +552,8 @@
#ge-1/0/24.0 up down
#ge-1/0/25 up up
#ge-1/0/25.0 up up
-#ge-1/0/26 up down
-#ge-1/0/26.0 up down
+#ge-1/0/26 up up
+#ge-1/0/26.0 up up
#ge-1/0/27 up down
#ge-1/0/27.0 up down
#ge-1/0/28 up up
@@ -600,8 +600,8 @@
#ge-2/0/0.0 up down
#ge-2/0/1 up down
#ge-2/0/1.0 up down
-#ge-2/0/2 up up
-#ge-2/0/2.0 up up
+#ge-2/0/2 up down
+#ge-2/0/2.0 up down
#ge-2/0/3 up down
#ge-2/0/3.0 up down
#ge-2/0/4 up down
Index: configs/stringtown-high-school.client.onenet.net
===================================================================
--- configs/stringtown-high-school.client.onenet.net (revision 139755)
+++ configs/stringtown-high-school.client.onenet.net (working copy)
@@ -1,6 +1,7 @@
# RANCID-CONTENT-TYPE: juniper
#
# grnoc-mon at STRINGTOWN-HIGH-SCHOOL-TAG-004909> show system commit
+# show chassis environment
# 2016-01-19 09:16:22 CST by joel via cli
# 2016-01-11 10:33:48 CST by joel via cli
# 2016-01-07 22:36:29 CST by root via cli
Index: configs/hub.chi.onenet.net
===================================================================
--- configs/hub.chi.onenet.net (revision 139755)
+++ configs/hub.chi.onenet.net (working copy)
@@ -294,7 +294,7 @@
#t1-2/0/2:1 up up
#t1-2/0/2:1.16 up up
#t1-2/0/2:1.17 up up
-#t1-2/0/2:2 down down
+#t1-2/0/2:2 down up
#t1-2/0/2:3 down down
#t1-2/0/2:4 down down
#t1-2/0/2:5 down down
Index: configs/ada-hs-srx240.client.onenet.net
===================================================================
--- configs/ada-hs-srx240.client.onenet.net (revision 139705)
+++ configs/ada-hs-srx240.client.onenet.net (working copy)
@@ -1,12 +1,12 @@
# RANCID-CONTENT-TYPE: juniper
#
# grnoc-mon at ADA-HS-LR-004894> show system commit
+# 2016-02-12 11:37:10 CST by andrew via cli commit confirmed, rollback in 10mins
# 2016-02-10 21:51:13 CST by andrew via cli commit confirmed, rollback in 3mins
# 2015-10-02 22:13:30 CDT by andrew via cli
# 2015-09-01 13:44:12 CDT by sean via cli
# 2015-08-06 15:04:49 CDT by joel via cli
# 2015-08-04 16:46:41 CDT by admin via cli
-# 2015-08-03 23:21:44 CDT by root via cli
# grnoc-mon at ADA-HS-LR-004894> show chassis environment
# Class Item Status Measurement
# Temp Routing Engine OK
@@ -115,7 +115,7 @@
# grnoc-mon at ADA-HS-LR-004894> show system uptime
# System booted: 2016-02-10 21:58 CST
# Protocols started: 2016-02-10 22:00 CST
-# Last configured: 2016-02-10 21:51 CST by andrew
+# Last configured: 2016-02-12 11:37 CST by andrew
#
# grnoc-mon at ADA-HS-LR-004894> show interface terse
#Interface Admin Link
@@ -143,7 +143,8 @@
#ge-0/0/11 down down
#ge-0/0/12 down down
#ge-0/0/13 down down
-#ge-0/0/14 down down
+#ge-0/0/14 up up
+#ge-0/0/14.0 up up
#ge-0/0/15 up up
#ge-0/0/15.0 up up
#fxp2 up up
@@ -166,9 +167,11 @@
#st0 up up
#tap up up
#vlan up up
+#vlan.3 up up
+#vlan.4 up up
#vlan.999 up down
# grnoc-mon at ADA-HS-LR-004894> show configuration
-## Last commit: 2016-02-10 21:51:13 CST by andrew
+## Last commit: 2016-02-12 11:37:10 CST by andrew
version 12.1X44-D35.5;
system {
host-name ADA-HS-LR-004894;
@@ -364,13 +367,24 @@
disable;
}
ge-0/0/14 {
- disable;
+ description "L2 - DMZ INTERACE";
+ unit 0 {
+ family ethernet-switching {
+ port-mode access;
+ vlan {
+ members 4;
+ }
+ }
+ }
}
ge-0/0/15 {
- description "UNTRUST LAN Interface - 164.58.28.65/28";
+ description "L2 - LAN INTERFACE";
unit 0 {
- family inet {
- address 164.58.28.65/28;
+ family ethernet-switching {
+ port-mode access;
+ vlan {
+ members 3;
+ }
}
}
}
@@ -384,6 +398,18 @@
}
}
vlan {
+ unit 3 {
+ description "LAN INTERFACE - 172.16.20.1/22";
+ family inet {
+ address 172.16.20.1/22;
+ }
+ }
+ unit 4 {
+ description "DMZ INTERFACE - 192.168.254.253/30";
+ family inet {
+ address 192.168.254.253/30;
+ }
+ }
unit 999 {
description "L3 INTERFACE - TEST-VLAN - 10.1.0.1/24";
family inet {
@@ -408,6 +434,9 @@
routing-options {
static {
route 0.0.0.0/0 next-hop 156.110.34.93;
+ route 10.0.0.0/8 next-hop 192.168.254.254;
+ route 172.16.0.0/12 next-hop 192.168.254.254;
+ route 192.168.0.0/16 next-hop 192.168.254.254;
}
}
protocols {
@@ -427,6 +456,21 @@
}
}
security {
+ address-book {
+ global {
+ address HOST-172.16.8.1 172.16.8.1/32;
+ address HOST-172.16.8.10 172.16.8.10/32;
+ address HOST-172.16.8.38 172.16.8.38/32;
+ address HOST-172.16.8.52 172.16.8.52/32;
+ address HOST-172.16.8.58 172.16.8.58/32;
+ address HOST-172.16.8.65 172.16.8.65/32;
+ address HOST-172.16.8.101 172.16.8.101/32;
+ address HOST-172.16.8.125 172.16.8.125/32;
+ address HOST-172.16.8.170 172.16.8.170/32;
+ address HOST-172.16.9.8 172.16.9.8/32;
+ address HOST-204.87.227.111 204.87.227.111/32;
+ }
+ }
screen {
ids-option UNTRUST-SCREEN {
icmp {
@@ -450,6 +494,11 @@
}
nat {
source {
+ pool 164_058_028_074 {
+ address {
+ 164.58.28.74/32;
+ }
+ }
rule-set TEST-TO-UNTRUST-NAT {
from zone TEST;
to zone UNTRUST;
@@ -464,11 +513,221 @@
}
}
}
+ rule-set TRUST-TO-UNTRUST {
+ from zone TRUST;
+ to zone UNTRUST;
+ rule SNAT-TRUST-UNTRUST {
+ match {
+ source-address 0.0.0.0/0;
+ }
+ then {
+ source-nat {
+ pool {
+ 164_058_028_074;
+ }
+ }
+ }
+ }
+ }
+ rule-set DMZ-TO-UNTRUST {
+ from zone DMZ;
+ to zone UNTRUST;
+ rule SNAT-DMZ-UNTRUST {
+ match {
+ source-address 0.0.0.0/0;
+ }
+ then {
+ source-nat {
+ pool {
+ 164_058_028_074;
+ }
+ }
+ }
+ }
+ }
}
+ destination {
+ pool 172_016_008_101_25 {
+ address 172.16.8.101/32 port 25;
+ }
+ pool 172_016_008_101_22 {
+ address 172.16.8.101/32 port 22;
+ }
+ pool 172_016_008_101_443 {
+ address 172.16.8.101/32 port 443;
+ }
+ pool 172_016_008_065_80 {
+ address 172.16.8.65/32 port 80;
+ }
+ pool 192_168_254_254_23 {
+ address 192.168.254.254/32 port 23;
+ }
+ pool 172_016_008_038_80 {
+ address 172.16.8.38/32 port 80;
+ }
+ pool 172_016_008_038_443 {
+ address 172.16.8.38/32 port 443;
+ }
+ rule-set DEST-NAT-UNTRUST {
+ from zone UNTRUST;
+ rule 164_058_028_066_80 {
+ match {
+ destination-address 164.58.28.66/32;
+ destination-port 80;
+ }
+ then {
+ destination-nat pool 172_016_008_038_80;
+ }
+ }
+ rule 164_058_028_066_443 {
+ match {
+ destination-address 164.58.28.66/32;
+ destination-port 443;
+ }
+ then {
+ destination-nat pool 172_016_008_038_443;
+ }
+ }
+ rule 164_058_028_067_25 {
+ match {
+ destination-address 164.58.28.67/32;
+ destination-port 25;
+ }
+ then {
+ destination-nat pool 172_016_008_101_25;
+ }
+ }
+ rule 164_058_028_067_22 {
+ match {
+ destination-address 164.58.28.67/32;
+ destination-port 22;
+ }
+ then {
+ destination-nat pool 172_016_008_101_22;
+ }
+ }
+ rule 164_058_028_067_443 {
+ match {
+ destination-address 164.58.28.67/32;
+ destination-port 443;
+ }
+ then {
+ destination-nat pool 172_016_008_101_443;
+ }
+ }
+ rule 164_058_028_067_80 {
+ match {
+ destination-address 164.58.28.67/32;
+ destination-port 80;
+ }
+ then {
+ destination-nat pool 172_016_008_065_80;
+ }
+ }
+ rule 164_058_028_067_23 {
+ match {
+ destination-address 164.58.28.67/32;
+ destination-port 23;
+ }
+ then {
+ destination-nat pool 192_168_254_254_23;
+ }
+ }
+ }
+ }
+ static {
+ rule-set STATIC-NAT-UNTRUST {
+ from zone UNTRUST;
+ rule 164_058_028_068 {
+ match {
+ destination-address 164.58.28.68/32;
+ }
+ then {
+ static-nat {
+ prefix {
+ 172.16.8.125/32;
+ }
+ }
+ }
+ }
+ rule 164_058_028_069 {
+ match {
+ destination-address 164.58.28.69/32;
+ }
+ then {
+ static-nat {
+ prefix {
+ 172.16.8.170/32;
+ }
+ }
+ }
+ }
+ rule 164_058_028_071 {
+ match {
+ destination-address 164.58.28.71/32;
+ }
+ then {
+ static-nat {
+ prefix {
+ 172.20.8.21/32;
+ }
+ }
+ }
+ }
+ rule 164_058_028_072 {
+ match {
+ destination-address 164.58.28.72/32;
+ }
+ then {
+ static-nat {
+ prefix {
+ 172.16.4.101/32;
+ }
+ }
+ }
+ }
+ rule 164_058_028_076 {
+ match {
+ destination-address 164.58.28.76/32;
+ }
+ then {
+ static-nat {
+ prefix {
+ 172.16.8.52/32;
+ }
+ }
+ }
+ }
+ rule 164_058_028_077 {
+ match {
+ destination-address 164.58.28.77/32;
+ }
+ then {
+ static-nat {
+ prefix {
+ 172.16.9.8/32;
+ }
+ }
+ }
+ }
+ rule 164_058_028_078 {
+ match {
+ destination-address 164.58.28.78/32;
+ }
+ then {
+ static-nat {
+ prefix {
+ 172.16.8.1/32;
+ }
+ }
+ }
+ }
+ }
+ }
}
policies {
- from-zone UNTRUST to-zone UNTRUST {
- policy UNTRUST-TO-UNTRUST {
+ from-zone TEST to-zone UNTRUST {
+ policy ALLOW-ALL-OUT {
match {
source-address any;
destination-address any;
@@ -479,8 +738,8 @@
}
}
}
- from-zone TEST to-zone UNTRUST {
- policy ALLOW-ALL-OUT {
+ from-zone TRUST to-zone UNTRUST {
+ policy 201602121006 {
match {
source-address any;
destination-address any;
@@ -491,6 +750,144 @@
}
}
}
+ from-zone TRUST to-zone DMZ {
+ policy 201602121007 {
+ match {
+ source-address any;
+ destination-address any;
+ application any;
+ }
+ then {
+ permit;
+ }
+ }
+ }
+ from-zone DMZ to-zone TRUST {
+ policy 201602121008 {
+ match {
+ source-address any;
+ destination-address any;
+ application any;
+ }
+ then {
+ permit;
+ }
+ }
+ }
+ from-zone DMZ to-zone UNTRUST {
+ policy 201602121009 {
+ match {
+ source-address [ HOST-172.16.8.10 HOST-172.16.8.58 HOST-172.16.8.65 HOST-172.16.8.101 ];
+ destination-address any;
+ application junos-smtp;
+ }
+ then {
+ permit;
+ }
+ }
+ policy 201602121010 {
+ match {
+ source-address any;
+ destination-address any;
+ application junos-smtp;
+ }
+ then {
+ deny;
+ }
+ }
+ policy 201602121011 {
+ match {
+ source-address any;
+ destination-address any;
+ application any;
+ }
+ then {
+ permit;
+ }
+ }
+ }
+ from-zone UNTRUST to-zone DMZ {
+ policy 201602121032 {
+ match {
+ source-address any;
+ destination-address HOST-172.16.8.38;
+ application junos-https;
+ }
+ then {
+ permit;
+ }
+ }
+ policy 201602121033 {
+ match {
+ source-address any;
+ destination-address HOST-172.16.8.101;
+ application [ junos-smtp junos-http ];
+ }
+ then {
+ permit;
+ }
+ }
+ policy 201602121034 {
+ match {
+ source-address any;
+ destination-address HOST-172.16.8.125;
+ application junos-http;
+ }
+ then {
+ permit;
+ }
+ }
+ policy 201602121035 {
+ match {
+ source-address any;
+ destination-address HOST-172.16.8.125;
+ application CUSTOM-TCP-8080;
+ }
+ then {
+ permit;
+ }
+ }
+ policy 201602121036 {
+ match {
+ source-address any;
+ destination-address HOST-172.16.8.170;
+ application junos-http;
+ }
+ then {
+ permit;
+ }
+ }
+ policy 201602121037 {
+ match {
+ source-address any;
+ destination-address HOST-172.16.8.52;
+ application [ junos-http junos-https CUSTOM-TCP-3389 ];
+ }
+ then {
+ permit;
+ }
+ }
+ policy 201602121038 {
+ match {
+ source-address any;
+ destination-address HOST-172.16.9.8;
+ application CUSTOM-TCP-3389;
+ }
+ then {
+ permit;
+ }
+ }
+ policy 201602121039 {
+ match {
+ source-address HOST-204.87.227.111;
+ destination-address HOST-172.16.8.1;
+ application any;
+ }
+ then {
+ permit;
+ }
+ }
+ }
}
zones {
security-zone TEST {
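Review bot: Policy 201602121008 (`from-zone DMZ to-zone TRUST`) permits any source, destination and application, so the hosts this same commit exposes to the internet — RDP on 172.16.8.52 and 172.16.9.8 from `source-address any` in 201602121037/038, web and SMTP on the others — get unrestricted reach back into the 172.16.20.0/22 LAN, which removes most of the benefit of splitting TRUST from DMZ. Tighten it to the specific hosts and applications the LAN actually needs to accept from the DMZ (or deny with logging), and restrict the two CUSTOM-TCP-3389 permits to a known admin source the way 201602121039 does with HOST-204.87.227.111 rather than leaving RDP open to the whole internet. Separately, the earlier hunk of this file defines destination-NAT pools for ports 22 and 443 to 172.16.8.101, port 80 to 172.16.8.65 and telnet to 192.168.254.254, yet no UNTRUST-to-DMZ policy here covers them — either policies are missing or those NAT rules are dead, and the telnet one should be removed rather than later permitted, since it would expose a clear-text login on what appears to be the downstream router.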
@@ -520,70 +917,36 @@
}
}
}
- ge-0/0/15.0 {
+ }
+ }
+ security-zone TRUST {
+ interfaces {
+ vlan.3 {
host-inbound-traffic {
system-services {
ping;
- snmp;
- ssh;
traceroute;
}
}
}
}
}
+ security-zone DMZ {
+ interfaces {
+ vlan.4 {
+ host-inbound-traffic {
+ system-services {
+ ping;
+ traceroute;
+ }
+ }
+ }
+ }
+ }
}
}
firewall {
family inet {
- filter PACKET-MODE {
- term SSH-ALLOW {
- from {
- source-prefix-list {
- PRE-MGMT-SOURCES;
- PRE-LOCALIPv4-SOURCES;
- }
- protocol tcp;
- destination-port ssh;
- }
- then accept;
- }
- term SNMP-ALLOW {
- from {
- source-prefix-list {
- PRE-MGMT-SOURCES;
- PRE-LOCALIPv4-SOURCES;
- }
- protocol udp;
- destination-port snmp;
- }
- then accept;
- }
- term SSH-DENY {
- from {
- protocol tcp;
- destination-port ssh;
- }
- then {
- discard;
- }
- }
- term SNMP-DENY {
- from {
- protocol tcp;
- destination-port snmp;
- }
- then {
- discard;
- }
- }
- term PACKET-MODE {
- then {
- packet-mode;
- accept;
- }
- }
- }
filter PROTECT-RE {
term SSH-ALLOW {
from {
@@ -631,6 +994,16 @@
}
}
}
+applications {
+ application CUSTOM-TCP-8080 {
+ protocol tcp;
+ destination-port 8080;
+ }
+ application CUSTOM-TCP-3389 {
+ protocol tcp;
+ destination-port 3389;
+ }
+}
ethernet-switching-options {
secure-access-port {
interface ge-0/0/1.0 {
@@ -647,6 +1020,14 @@
vlan-id 999;
l3-interface vlan.999;
}
+ VLAN-3 {
+ vlan-id 3;
+ l3-interface vlan.3;
+ }
+ VLAN-4 {
+ vlan-id 4;
+ l3-interface vlan.4;
+ }
}
# grnoc-mon at ADA-HS-LR-004894> show ospf neighbor
# OSPF instance is not running
Index: configs/acx.cai.hart-acx2100.onenet.net
===================================================================
--- configs/acx.cai.hart-acx2100.onenet.net (revision 139757)
+++ configs/acx.cai.hart-acx2100.onenet.net (working copy)
@@ -8,7 +8,6 @@
# 2015-05-06 14:16:13 CDT by andrew via cli commit confirmed, rollback in 3mins
# 2015-05-06 14:06:19 CDT by andrew via cli
# grnoc-mon at HARTSHORNE-PUBLIC-LIBRARY-ACX2100> show chassis environment
-# show chassis firmware
# Class Item Status Measurement
# PCB Left OK
# SFP+ Xcvr OK
@@ -73,6 +72,7 @@
# grnoc-mon at HARTSHORNE-PUBLIC-LIBRARY-ACX2100> show chassis sfm detail
# grnoc-mon at HARTSHORNE-PUBLIC-LIBRARY-ACX2100> show chassis ssb
# grnoc-mon at HARTSHORNE-PUBLIC-LIBRARY-ACX2100> show system boot-messages
+# show version
# platform_early_bootinit: MX-PPC Series Early Boot Initialization
# mxppc_set_re_type: hw.board.type is ACX-2100
# WDOG initialized
Index: configs/maysville-hs.client.onenet.net
===================================================================
--- configs/maysville-hs.client.onenet.net (revision 139757)
+++ configs/maysville-hs.client.onenet.net (working copy)
@@ -21,7 +21,6 @@
# SRX240 IO fan 2 OK
# Power Power Supply 0 OK
#
-# show chassis firmware
# grnoc-mon at MAYSVILLE-HS-LEASED-ASSET-TAG-004887> show chassis firmware
# Part Type Version
# FPC 0 O/S Version 12.1X44-D35.5 by builder on 2014-05
Index: configs/meeker-ps.client.onenet.net
===================================================================
--- configs/meeker-ps.client.onenet.net (revision 139757)
+++ configs/meeker-ps.client.onenet.net (working copy)
@@ -110,7 +110,7 @@
# WARNING: / was not properly dismounted
#
# grnoc-mon at MEEKER-PS-LEASED-ASSET-TAG-004947> show version
-# Hostname: MEEKER-PS-LEASED-ASSET-TAG-004947 # Model: srx240h2 # JUNOS Software Release [12.1X44-D35.5] # # grnoc-mon at MEEKER-PS-LEASED-ASSET-TAG-004947> file list /var/tmp detail # lrw-r--r-- 1 root wheel 11 May 19 2014 /var/tmp@ -> /cf/var/tmp
+# file list /var/tmp detail # Hostname: MEEKER-PS-LEASED-ASSET-TAG-004947 # Model: srx240h2 # JUNOS Software Release [12.1X44-D35.5] # # grnoc-mon at MEEKER-PS-LEASED-ASSET-TAG-004947> file list /var/tmp detail # lrw-r--r-- 1 root wheel 11 May 19 2014 /var/tmp@ -> /cf/var/tmp
# total files: 1
#
# grnoc-mon at MEEKER-PS-LEASED-ASSET-TAG-004947> show system uptime
Index: configs/adair-ps.client.onenet.net
===================================================================
--- configs/adair-ps.client.onenet.net (revision 136869)
+++ configs/adair-ps.client.onenet.net (working copy)
@@ -1,12 +1,12 @@
# RANCID-CONTENT-TYPE: juniper
#
# grnoc-mon at ADAIR-SRX220-LR-00xxxx> show system commit
+# 2016-02-12 11:30:45 CST by joel via cli commit confirmed, rollback in 3mins
# 2015-11-10 13:48:35 CST by sky via cli
# 2015-11-10 13:41:48 CST by sky via cli
# 2015-11-10 13:36:28 CST by sky via cli
# 2015-10-19 16:52:46 CDT by root via other
# 2015-10-19 16:24:08 CDT by sky via cli
-# 2015-10-19 16:09:15 CDT by onenet via cli commit confirmed, rollback in 3mins
# grnoc-mon at ADAIR-SRX220-LR-00xxxx> show chassis environment
# Class Item Status Measurement
# Temp Routing Engine OK
@@ -98,7 +98,7 @@
# grnoc-mon at ADAIR-SRX220-LR-00xxxx> show system uptime
# System booted: 2015-11-17 05:25 CST
# Protocols started: 2015-11-17 05:27 CST
-# Last configured: 2015-11-10 13:48 CST by sky
+# Last configured: 2016-02-12 11:30 CST by joel
#
# grnoc-mon at ADAIR-SRX220-LR-00xxxx> show interface terse
#Interface Admin Link
@@ -152,7 +152,7 @@
#vlan.192 up up
#vlan.999 up down
# grnoc-mon at ADAIR-SRX220-LR-00xxxx> show configuration
-## Last commit: 2015-11-10 13:48:35 CST by sky
+## Last commit: 2016-02-12 11:30:45 CST by joel
version 12.1X46-D20.5;
system {
host-name ADAIR-SRX220-LR-00xxxx;
@@ -440,6 +440,13 @@
}
}
security {
+ address-book {
+ global {
+ address DVR-SECURITY-156.110.46.226 {
+ wildcard-address 156.110.46.226/32;
+ }
+ }
+ }
screen {
ids-option UNTRUST-SCREEN {
icmp {
@@ -498,9 +505,26 @@
156.110.34.233/32;
}
}
+ pool 156_110_46_226 {
+ address {
+ 156.110.46.226/32;
+ }
+ }
rule-set TRUST-to-UNTRUST {
from zone TRUST;
to zone UNTRUST;
+ rule NAT-DVR-SECURITY-TO-UNTRUST {
+ match {
+ source-address 172.16.14.61/32;
+ }
+ then {
+ source-nat {
+ pool {
+ 156_110_46_226;
+ }
+ }
+ }
+ }
rule PAT-INTERFACE-ELEMENTARY {
match {
source-address 172.16.2.0/23;
@@ -605,8 +629,47 @@
}
}
}
+ static {
+ rule-set UNTRUST-to-TRUST {
+ from zone UNTRUST;
+ rule NAT-TO-DVR-SECURITY-TO-TRUST {
+ match {
+ destination-address 156.110.46.226/32;
+ }
+ then {
+ static-nat {
+ prefix {
+ 172.16.14.61/32;
+ }
+ }
+ }
+ }
+ }
+ }
}
policies {
+ from-zone UNTRUST to-zone TRUST {
+ policy ALLOW-HTTP-TO-DVR-SECURITY {
+ match {
+ source-address any;
+ destination-address DVR-SECURITY-156.110.46.226;
+ application junos-http;
+ }
+ then {
+ permit;
+ }
+ }
+ policy ALLOW-DVR-SECURITY-APP-TO-DVR-SECURITY {
+ match {
+ source-address any;
+ destination-address DVR-SECURITY-156.110.46.226;
+ application DVR-SECURITY-APP;
+ }
+ then {
+ permit;
+ }
+ }
+ }
from-zone TRUST to-zone TRUST {
policy TRUST-to-TRUST {
match {
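Review bot: Both new `from-zone UNTRUST to-zone TRUST` policies match `destination-address DVR-SECURITY-156.110.46.226`, the public address, but on SRX static and destination NAT are applied before policy lookup, so the policy is evaluated against the translated address 172.16.14.61 and, as written, neither permit should ever match inbound DVR traffic. The address-book object (added in an earlier hunk of this file) should carry the private address, e.g. `address DVR-SECURITY-172.16.14.61 172.16.14.61/32;`, and the two policies should reference that; the ADA-HS change in the same run does exactly this with its HOST-172.16.8.x objects. If the default policy is deny the result is a silently dead rule rather than an exposure, but confirm with a session from outside before assuming the DVR is reachable. Minor nit: `wildcard-address` with a /32 is an unusual way to spell a single host; plain `address` is the conventional form and matches the rest of this config.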
@@ -836,6 +899,11 @@
}
}
}
+applications {
+ application DVR-SECURITY-APP {
+ term tcp-8000 protocol tcp destination-port 8000;
+ }
+}
ethernet-switching-options {
secure-access-port {
interface ge-0/0/1.0 {
Index: configs/hub.tsb.onenet.net
===================================================================
--- configs/hub.tsb.onenet.net (revision 139757)
+++ configs/hub.tsb.onenet.net (working copy)
@@ -198,7 +198,7 @@
# -rw-rw---- 1 root field 51994624 Oct 24 2013 ifinfo.core.1
# -rw-rw---- 1 root field 51974144 Oct 24 2013 ifinfo.core.2
# -rw-rw---- 1 root field 52744192 Oct 24 2013 ifinfo.core.3
-# -rw-rw---- 1 root field 52727808 Feb 12 10:57 ifinfo.core.4
+# -rw-rw---- 1 root field 52727808 Feb 12 11:57 ifinfo.core.4
# drwxrwxrwx 2 root wheel 512 Oct 12 2012 install/
# -rw-rw---- 1 root field 33464320 Mar 3 2014 jdiameterd.core.0
# -rw-r--r-- 1 eng field 99542994 Apr 23 2013 jinstall-ppc-11.4R7.5-domestic-signed.tgz