author | Johan Lundberg <lundberg@nordu.net> | 2015-04-02 10:43:33 +0200 |
---|---|---|
committer | Johan Lundberg <lundberg@nordu.net> | 2015-04-02 10:43:33 +0200 |
commit | bd611ac59f7c4db885a2f8631ef0bcdcd1901ca0 (patch) | |
tree | e60f5333a7699cd021b33c7f5292af55b774001b /filters |
Diffstat (limited to 'filters')
-rw-r--r-- | filters/.save | 0 | ||||
-rw-r--r-- | filters/sample_srx.srx | 73 | ||||
-rw-r--r-- | filters/sample_tug_wlc_fw.acl | 49 | ||||
-rw-r--r-- | filters/sample_tug_wlc_fw.asa | 27 | ||||
-rw-r--r-- | filters/sample_tug_wlc_fw.demo | 55 | ||||
-rw-r--r-- | filters/sample_tug_wlc_fw.html | 55 | ||||
-rw-r--r-- | filters/sample_tug_wlc_fw.ipt | 28 | ||||
-rw-r--r-- | filters/sample_tug_wlc_fw.jcl | 62 | ||||
-rw-r--r-- | filters/sample_tug_wlc_fw.srx | 96 |
9 files changed, 445 insertions, 0 deletions
diff --git a/filters/.save b/filters/.save
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/filters/.save
diff --git a/filters/sample_srx.srx b/filters/sample_srx.srx
new file mode 100644
index 0000000..3c3beaf
--- /dev/null
+++ b/filters/sample_srx.srx
@@ -0,0 +1,73 @@
+security {
+ zones {
+ security-zone DMZ {
+ replace: address-book {
+ address RFC1918_0 10.0.0.0/8;
+ address RFC1918_1 172.16.0.0/12;
+ address RFC1918_2 192.168.0.0/16;
+ address-set RFC1918 {
+ address RFC1918_0;
+ address RFC1918_1;
+ address RFC1918_2;
+ }
+ }
+ }
+ }
+ replace: policies {
+ /*
+ $Id: ./filters/sample_srx.srx $
+ $Date: 2015/03/26 $
+ */
+ from-zone Untrust to-zone DMZ {
+ policy test-tcp {
+ match {
+ source-address any;
+ destination-address [ RFC1918 ];
+ application test-tcp-app;
+ }
+ then {
+ permit;
+ log {
+ session-init;
+ }
+ }
+ }
+ policy test-icmp {
+ match {
+ source-address any;
+ destination-address [ RFC1918 ];
+ application test-icmp-app;
+ }
+ then {
+ permit;
+ }
+ }
+ policy default-deny {
+ match {
+ source-address any;
+ destination-address any;
+ application any;
+ }
+ then {
+ deny;
+ }
+ }
+ }
+ }
+}
+replace: applications {
+ application-set test-tcp-app {
+ application test-tcp-app1;
+ application test-tcp-app2;
+ }
+ application test-tcp-app1 {
+ term t1 protocol tcp;
+ }
+ application test-tcp-app2 {
+ term t2 protocol udp;
+ }
+ application test-icmp-app {
+ term t1 protocol icmp icmp-type 0 inactivity-timeout 60;
+ term t2 protocol icmp icmp-type 8 inactivity-timeout 60;
+ }
+}
\ No newline at end of file
diff --git a/filters/sample_tug_wlc_fw.acl b/filters/sample_tug_wlc_fw.acl
new file mode 100644
index 0000000..a8a8905
--- /dev/null
+++ b/filters/sample_tug_wlc_fw.acl
@@ -0,0 +1,49 @@
+! $Id: ./filters/sample_tug_wlc_fw.acl $
+! $Date: 2015/03/26 $
+no ip access-list extended fw_tug_wlc_protect
+ip access-list extended fw_tug_wlc_protect
+remark $Id: ./filters/sample_tug_wlc_fw.acl $
+remark $Date: 2015/03/26 $
+remark this is a sample output filter that generates
+remark multiplatform for tug wlc protection
+
+
+remark permit-icmp
+ permit 1 any 109.105.104.16 0.0.0.15
+
+
+remark permit-traceroute
+ permit 17 any 109.105.104.16 0.0.0.15 range 33434 33534
+
+
+remark permit-NORDUnet
+ permit ip 109.105.96.0 0.0.31.255 109.105.104.16 0.0.0.15
+ permit ip host 130.242.82.30 109.105.104.16 0.0.0.15
+ permit ip host 130.242.121.137 109.105.104.16 0.0.0.15
+ permit ip 193.10.252.0 0.0.0.255 109.105.104.16 0.0.0.15
+ permit ip 193.10.254.0 0.0.0.255 109.105.104.16 0.0.0.15
+ permit ip 193.11.3.0 0.0.0.255 109.105.104.16 0.0.0.15
+ permit ip 194.68.13.0 0.0.0.255 109.105.104.16 0.0.0.15
+
+
+remark default-deny
+ deny ip any any
+
+
+no ipv6 access-list fw_tug_wlc_protect
+ipv6 access-list fw_tug_wlc_protect
+remark $Id: ./filters/sample_tug_wlc_fw.acl $
+remark $Date: 2015/03/26 $
+remark this is a sample output filter that generates
+remark multiplatform for tug wlc protection
+
+
+remark Term permit-icmp
+remark not rendered due to protocol/AF mismatch.
+
+
+remark default-deny
+ deny ipv6 any any
+
+
+end
diff --git a/filters/sample_tug_wlc_fw.asa b/filters/sample_tug_wlc_fw.asa
new file mode 100644
index 0000000..ece52c0
--- /dev/null
+++ b/filters/sample_tug_wlc_fw.asa
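Review bot: `replace: policies {` sits directly under `security` and `replace: applications {` at the top level, so a `load replace` of this output replaces the device's entire policies and applications hierarchies, not just the Untrust→DMZ pair — on a shared SRX every other zone pair's policies and every other custom application would be wiped silently. If the generator is meant to feed a box that carries other rules, the `replace:` tag should move down to the `from-zone Untrust to-zone DMZ {` block (and to the individual `application`/`application-set` entries), or at minimum the $Id header block should carry a warning such as `/* WARNING: load replace removes all other security policies and applications */`. Separately, `test-tcp-app` bundles `term t1 protocol tcp;` and `term t2 protocol udp;` with no ports, so policy test-tcp permits all TCP and UDP from Untrust into the whole RFC1918 range; acceptable for a sample, but the name suggests something much narrower than what it matches.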
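Review bot: `no ip access-list extended fw_tug_wlc_protect` followed by the line-by-line rebuild deletes the ACL while any `ip access-group` still references it; as far as I recall IOS behaviour, an interface bound to a non-existent or entry-less ACL passes everything, so the interface is unfiltered until `permit 1 any ...` is entered and then drops all non-ICMP traffic (including the management sources under permit-NORDUnet) until the rest of the paste completes. Rendering under a temporary name and swapping the access-group, or at least documenting it, would be safer: `remark NOTE: re-creating an applied ACL is fail-open until the first ACE and fail-closed until the last one lands`. The IPv6 list is also worth a second look: because permit-icmp was "not rendered due to protocol/AF mismatch", `ipv6 access-list fw_tug_wlc_protect` contains only `deny ipv6 any any`, which on a dual-stack interface would also block ICMPv6 neighbor discovery and PMTUD; the source policy presumably needs an `icmpv6` term or an inet-only target.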
@@ -0,0 +1,27 @@
+clear configure access-list asa_in
+access-list asa_in remark $Id: ./filters/sample_tug_wlc_fw.asa $
+access-list asa_in remark $Date: 2015/03/26 $
+access-list asa_in remark this is a sample output filter that generates
+access-list asa_in remark multiplatform for tug wlc protection
+
+
+access-list asa_in remark permit-icmp
+access-list asa_in extended permit icmp any 109.105.104.16 255.255.255.240
+
+
+access-list asa_in remark permit-traceroute
+access-list asa_in extended permit udp any 109.105.104.16 255.255.255.240 range 33434 33534
+
+
+access-list asa_in remark permit-NORDUnet
+access-list asa_in extended permit ip 109.105.96.0 255.255.224.0 109.105.104.16 255.255.255.240
+access-list asa_in extended permit ip host 130.242.82.30 109.105.104.16 255.255.255.240
+access-list asa_in extended permit ip host 130.242.121.137 109.105.104.16 255.255.255.240
+access-list asa_in extended permit ip 193.10.252.0 255.255.255.0 109.105.104.16 255.255.255.240
+access-list asa_in extended permit ip 193.10.254.0 255.255.255.0 109.105.104.16 255.255.255.240
+access-list asa_in extended permit ip 193.11.3.0 255.255.255.0 109.105.104.16 255.255.255.240
+access-list asa_in extended permit ip 194.68.13.0 255.255.255.0 109.105.104.16 255.255.255.240
+
+
+access-list asa_in remark default-deny
+access-list asa_in extended deny ip any any
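Review bot: `clear configure access-list asa_in` removes every ACE before the new ones are added, and on ASA releases I have worked with removing the last ACE also removes any `access-group` that references the list (verify for the version in use), so after this paste the interface may be left with no ACL bound at all; nothing in the output re-applies `access-group asa_in in interface <ifname>`. Either the generator should emit that binding, or the header should say it is the operator's job: `access-list asa_in remark NOTE: re-apply access-group after load; clear configure may drop the binding`. Also, `permit icmp any 109.105.104.16 255.255.255.240` admits every ICMP type (redirect, timestamp, address-mask) from anywhere, whereas sample_srx.srx in this commit limits ICMP to types 0 and 8; if only ping/traceroute replies are intended, the ACE should end with an explicit type such as `echo`.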
\ No newline at end of file
diff --git a/filters/sample_tug_wlc_fw.demo b/filters/sample_tug_wlc_fw.demo
new file mode 100644
index 0000000..c7a2d52
--- /dev/null
+++ b/filters/sample_tug_wlc_fw.demo
@@ -0,0 +1,55 @@
+Header {
+ Name: MUPP {
+ Type: inet
+ Comment: this is a sample output filter that generates
+ Comment: multiplatform for tug wlc protection
+ Family type: none
+ }
+ Term: permit-icmp{
+
+ Destination IP's
+ 109.105.104.16/28
+
+ Protocol
+ icmp
+
+ Action: allow all traffic
+ }
+
+ Term: permit-traceroute{
+
+ Destination IP's
+ 109.105.104.16/28
+
+ Destination Ports
+ 33434-33534
+
+ Protocol
+ udp
+
+ Action: allow all traffic
+ }
+
+ Term: permit-NORDUnet{
+
+ Source IP's
+ 109.105.96.0/19
+ 130.242.82.30/32
+ 130.242.121.137/32
+ 193.10.252.0/24
+ 193.10.254.0/24
+ 193.11.3.0/24
+ 194.68.13.0/24
+
+ Destination IP's
+ 109.105.104.16/28
+
+ Action: allow all traffic
+ }
+
+ Term: default-deny{
+
+ Action: discard all traffic
+ }
+
+}
\ No newline at end of file
diff --git a/filters/sample_tug_wlc_fw.html b/filters/sample_tug_wlc_fw.html
new file mode 100644
index 0000000..c7a2d52
--- /dev/null
+++ b/filters/sample_tug_wlc_fw.html
@@ -0,0 +1,55 @@
+Header {
+ Name: MUPP {
+ Type: inet
+ Comment: this is a sample output filter that generates
+ Comment: multiplatform for tug wlc protection
+ Family type: none
+ }
+ Term: permit-icmp{
+
+ Destination IP's
+ 109.105.104.16/28
+
+ Protocol
+ icmp
+
+ Action: allow all traffic
+ }
+
+ Term: permit-traceroute{
+
+ Destination IP's
+ 109.105.104.16/28
+
+ Destination Ports
+ 33434-33534
+
+ Protocol
+ udp
+
+ Action: allow all traffic
+ }
+
+ Term: permit-NORDUnet{
+
+ Source IP's
+ 109.105.96.0/19
+ 130.242.82.30/32
+ 130.242.121.137/32
+ 193.10.252.0/24
+ 193.10.254.0/24
+ 193.11.3.0/24
+ 194.68.13.0/24
+
+ Destination IP's
+ 109.105.104.16/28
+
+ Action: allow all traffic
+ }
+
+ Term: default-deny{
+
+ Action: discard all traffic
+ }
+
+}
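Review bot: this file is byte-identical to sample_tug_wlc_fw.demo (both hunks carry blob index c7a2d52) and contains no HTML, so either the html target is not wired to its own renderer yet or the demo output was committed under the wrong name. If the html target is intentionally a placeholder, say so in the header so nobody treats this plaintext as a rendered report: `Comment: html renderer not implemented; demo output used`. Note also that the renderer prints `Action: allow all traffic` for permit-icmp and permit-traceroute even though the term lines above restrict protocol and port; a reader skimming only the Action lines gets a more permissive picture than the filter actually has, so the wording would be better as "Action: allow matching traffic".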
\ No newline at end of file
diff --git a/filters/sample_tug_wlc_fw.ipt b/filters/sample_tug_wlc_fw.ipt
new file mode 100644
index 0000000..54bf251
--- /dev/null
+++ b/filters/sample_tug_wlc_fw.ipt
@@ -0,0 +1,28 @@
+*filter
+# Speedway INPUT Policy
+# this is a sample output filter that generates
+# multiplatform for tug wlc protection
+#
+# $Id: ./filters/sample_tug_wlc_fw.ipt $
+# $Date: 2015/03/26 $
+# inet
+:INPUT DROP
+-N I_permit-icmp
+-A I_permit-icmp -p icmp -d 109.105.104.16/28 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
+-A INPUT -j I_permit-icmp
+-N I_permit-traceroute
+-A I_permit-traceroute -p udp --dport 33434:33534 -d 109.105.104.16/28 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
+-A INPUT -j I_permit-traceroute
+-N I_permit-NORDUnet
+-A I_permit-NORDUnet -p all -s 109.105.96.0/19 -d 109.105.104.16/28 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
+-A I_permit-NORDUnet -p all -s 130.242.82.30/32 -d 109.105.104.16/28 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
+-A I_permit-NORDUnet -p all -s 130.242.121.137/32 -d 109.105.104.16/28 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
+-A I_permit-NORDUnet -p all -s 193.10.252.0/24 -d 109.105.104.16/28 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
+-A I_permit-NORDUnet -p all -s 193.10.254.0/24 -d 109.105.104.16/28 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
+-A I_permit-NORDUnet -p all -s 193.11.3.0/24 -d 109.105.104.16/28 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
+-A I_permit-NORDUnet -p all -s 194.68.13.0/24 -d 109.105.104.16/28 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
+-A INPUT -j I_permit-NORDUnet
+-N I_default-deny
+-A I_default-deny -p all -j DROP
+-A INPUT -j I_default-deny
+COMMIT
diff --git a/filters/sample_tug_wlc_fw.jcl b/filters/sample_tug_wlc_fw.jcl
new file mode 100644
index 0000000..0c1e129
--- /dev/null
+++ b/filters/sample_tug_wlc_fw.jcl
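Review bot: `:INPUT DROP` with no `-i lo -j ACCEPT` and no standalone `ESTABLISHED,RELATED` accept means that, if this is loaded as-is with iptables-restore on the controller host, loopback traffic and replies to connections the host itself initiates (DNS, NTP, RADIUS, package updates) are dropped unless the peer happens to fall in one of the permit-NORDUnet source ranges. The per-rule `-m state --state NEW,ESTABLISHED,RELATED` only excludes INVALID packets and does nothing for return traffic of other flows. The usual fix is two rules ahead of the term chains, `-A INPUT -i lo -j ACCEPT` and `-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT`, with `-m conntrack --ctstate` also replacing the deprecated `-m state` elsewhere; if Speedway intentionally emits only the policy terms and a wrapper supplies those rules, a header line such as `# expects loopback and ESTABLISHED,RELATED accepts to be provided by the loader` would prevent lockouts.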
@@ -0,0 +1,62 @@
+firewall {
+ family inet {
+ replace:
+ /*
+ ** $Id: ./filters/sample_tug_wlc_fw.jcl $
+ ** $Date: 2015/03/26 $
+ **
+ ** this is a sample output filter that generates
+ ** multiplatform for tug wlc protection
+ */
+ filter fw_tug_wlc_protect {
+ interface-specific;
+ term permit-icmp {
+ from {
+ destination-address {
+ 109.105.104.16/28; /* Wireless Controller net */
+ }
+ protocol icmp;
+ }
+ then {
+ accept;
+ }
+ }
+ term permit-traceroute {
+ from {
+ destination-address {
+ 109.105.104.16/28; /* Wireless Controller net */
+ }
+ protocol udp;
+ destination-port 33434-33534;
+ }
+ then {
+ accept;
+ }
+ }
+ term permit-NORDUnet {
+ from {
+ source-address {
+ 109.105.96.0/19;
+ 130.242.82.30/32; /* AP FRE POP */
+ 130.242.121.137/32; /* AP LULE POP */
+ 193.10.252.0/24;
+ 193.10.254.0/24;
+ 193.11.3.0/24;
+ 194.68.13.0/24;
+ }
+ destination-address {
+ 109.105.104.16/28; /* Wireless Controller net */
+ }
+ }
+ then {
+ accept;
+ }
+ }
+ term default-deny {
+ then {
+ discard;
+ }
+ }
+ }
+ }
+}
diff --git a/filters/sample_tug_wlc_fw.srx b/filters/sample_tug_wlc_fw.srx
new file mode 100644
index 0000000..f86998c
--- /dev/null
+++ b/filters/sample_tug_wlc_fw.srx
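Review bot: `term default-deny { then { discard; } }` drops silently with no `count`, `log` or `syslog`, so nothing hitting the filter — including scans against the controller net — is ever visible; `then { count default-deny; syslog; discard; }` (and a `count <term>;` on each accept term) is cheap and gives the SOC usable data. The permit-icmp term accepts every ICMP type to 109.105.104.16/28 from anywhere, while sample_srx.srx in the same commit restricts ICMP to types 0 and 8; if only ping and traceroute replies are intended, add `icmp-type [ echo-request echo-reply unreachable time-exceeded ];` under `from`. The filter is `family inet` only, so the IPv6 side of whatever interface this is applied to remains unfiltered unless a matching `family inet6` filter is generated and bound separately.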
@@ -0,0 +1,96 @@
+security {
+ zones {
+ security-zone WLC_net {
+ replace: address-book {
+ address NDN_TUG_WLC_NET_0 109.105.104.16/28;
+ address-set NDN_TUG_WLC_NET {
+ address NDN_TUG_WLC_NET_0;
+ }
+ }
+ }
+ security-zone NORDUnet_nets {
+ replace: address-book {
+ address NORDUNET_AGGREGATE_0 109.105.96.0/19;
+ address NORDUNET_AGGREGATE_1 193.10.252.0/24;
+ address NORDUNET_AGGREGATE_2 193.10.254.0/24;
+ address NORDUNET_AGGREGATE_3 193.11.3.0/24;
+ address NORDUNET_AGGREGATE_4 194.68.13.0/24;
+ address SUNET_AP_STATICS_0 130.242.82.30/32;
+ address SUNET_AP_STATICS_1 130.242.121.137/32;
+ address-set NORDUNET_AGGREGATE {
+ address NORDUNET_AGGREGATE_0;
+ address NORDUNET_AGGREGATE_1;
+ address NORDUNET_AGGREGATE_2;
+ address NORDUNET_AGGREGATE_3;
+ address NORDUNET_AGGREGATE_4;
+ }
+ address-set SUNET_AP_STATICS {
+ address SUNET_AP_STATICS_0;
+ address SUNET_AP_STATICS_1;
+ }
+ }
+ }
+ }
+ replace: policies {
+ /*
+ $Id: ./filters/sample_tug_wlc_fw.srx $
+ $Date: 2015/03/26 $
+ */
+ from-zone NORDUnet_nets to-zone WLC_net {
+ policy permit-icmp {
+ match {
+ source-address any;
+ destination-address [ NDN_TUG_WLC_NET ];
+ application permit-icmp-app;
+ }
+ then {
+ permit;
+ }
+ }
+ policy permit-traceroute {
+ match {
+ source-address any;
+ destination-address [ NDN_TUG_WLC_NET ];
+ application permit-traceroute-app;
+ }
+ then {
+ permit;
+ }
+ }
+ policy permit-NORDUnet {
+ match {
+ source-address [ NORDUNET_AGGREGATE SUNET_AP_STATICS ];
+ destination-address [ NDN_TUG_WLC_NET ];
+ application any;
+ }
+ then {
+ permit;
+ }
+ }
+ policy default-deny {
+ match {
+ source-address any;
+ destination-address any;
+ application any;
+ }
+ then {
+ deny;
+ }
+ }
+ }
+ }
+}
+replace: applications {
+ application-set permit-icmp-app {
+ application permit-icmp-app1;
+ }
+ application permit-icmp-app1 {
+ term t1 protocol icmp;
+ }
+ application-set permit-traceroute-app {
+ application permit-traceroute-app1;
+ }
+ application permit-traceroute-app1 {
+ term 
t1 protocol udp destination-port 33434-33534;
+ }
+}
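Review bot: `policy default-deny` ends in a bare `deny` with no `log { session-init; }`, while sample_srx.srx in the same commit does log session-init on its permit policy, so sessions dropped on the way to the WLC net leave no trace in the security log; `then { deny; log { session-init; } }` on default-deny (and `log { session-close; }` on the permits) is what incident response will want. `permit-icmp-app1` is `term t1 protocol icmp;` with no icmp-type, so every ICMP type — redirects, timestamp and mask requests included — is allowed from the entire NORDUnet_nets zone; `term t1 protocol icmp icmp-type 8 inactivity-timeout 60;` plus a type-0 term, as sample_srx.srx does, would match the stated ping/traceroute intent. `source-address any` in permit-icmp and permit-traceroute is scoped by the from-zone, which is fine, but the policy effectively trusts whatever is placed in NORDUnet_nets rather than the NORDUNET_AGGREGATE set that permit-NORDUnet uses; worth a comment if that asymmetry is deliberate.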
\ No newline at end of file |