Friday, September 3, 2010

Sample NAT & Security Policy on SRX210

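security {
    nat {
        source {
            /* Hide the inside LAN behind the address of the untrust egress interface. */
            rule-set interface-nat {
                from zone trust;
                to zone untrust;
                rule net_113_90_26_0 {
                    match {
                        /* NOTE(review): 113.90.26.0/24 is not RFC 1918 space. Confirm this
                           really is the inside LAN and not a provider-assigned public prefix;
                           any trust host outside this /24 is forwarded un-NATed. */
                        source-address 113.90.26.0/24;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
    screen {
        /* Screen profile; it only takes effect on zones that reference it (untrust below). */
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    /* 'queue-size' removed: the original commit warning flagged it as deprecated. */
                    timeout 20;
                }
                land;
            }
        }
    }
    zones {
        security-zone trust {
            tcp-rst;
            interfaces {
                ge-0/0/0.0 {
                    /* Device management is reachable from the trust LAN only.
                       telnet and http were removed: both send credentials in cleartext;
                       ssh and https remain for CLI and J-Web. */
                    host-inbound-traffic {
                        system-services {
                            https;
                            ssh;
                            dhcp;
                            ping;
                        }
                    }
                }
            }
        }
        security-zone untrust {
            screen untrust-screen;
            /* No host-inbound-traffic here, so the SRX itself accepts nothing from the internet. */
            interfaces {
                ge-0/0/1.0;
                fe-0/0/2.0;
            }
        }
    }
    policies {
        from-zone trust to-zone trust {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone trust to-zone untrust {
            /* Outbound is any/any. The only control on it is the UTM web-filtering
               profile attached via application-services; in the original listing
               custom-utm-policy was defined but never referenced, so it was inert. */
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit {
                        application-services {
                            utm-policy custom-utm-policy;
                        }
                    }
                }
            }
        }
        from-zone untrust to-zone trust {
            /* Same outcome as the implicit default deny, kept explicit and logged
               so inbound attempts are visible in the security log. */
            policy default-deny {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    deny;
                    log {
                        session-init;
                    }
                }
            }
        }
    }
    utm {
        feature-profile {
            web-filtering {
                type surf-control-integrated;
                surf-control-integrated {
                    profile junos-wf-cpa-default {
                        category {
                            social_Networking {
                                action block;
                            }
                        }
                        /* NOTE(review): 'default block' applies to every category not listed
                           above, and the one listed category is also blocked, so this profile
                           blocks all categorised web traffic. If the intent is to block only
                           social networking, this should read 'default permit'. */
                        default block;
                        /* Fail-closed: any lookup failure denies the request. */
                        fallback-settings {
                            default block;
                            server-connectivity block;
                            timeout block;
                            too-many-requests block;
                        }
                    }
                }
            }
        }
        utm-policy custom-utm-policy {
            web-filtering {
                http-profile junos-wf-cpa-default;
            }
        }
    }
}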
