-
Notifications
You must be signed in to change notification settings - Fork 14
/
Copy pathprotect-re.txt
229 lines (193 loc) · 15.1 KB
/
protect-re.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
set firewall family inet filter PROTECT_RE term SYNFLOOD_PROTECT from source-prefix-list ENCORE_INTERNAL
set firewall family inet filter PROTECT_RE term SYNFLOOD_PROTECT from protocol tcp
set firewall family inet filter PROTECT_RE term SYNFLOOD_PROTECT from tcp-flags "(syn & !ack) | fin | rst"
set firewall family inet filter PROTECT_RE term SYNFLOOD_PROTECT then policer POLICE_100K
set firewall family inet filter PROTECT_RE term SYNFLOOD_PROTECT then count PROTECT_RE_SYNFLOOD_PROTECT
set firewall family inet filter PROTECT_RE term SYNFLOOD_PROTECT then accept
set firewall family inet filter PROTECT_RE term SYNFLOOD_PROTECT then syslog
set firewall family inet filter PROTECT_RE term DENY_ICMP_FRAGS from is-fragment
set firewall family inet filter PROTECT_RE term DENY_ICMP_FRAGS from protocol icmp
set firewall family inet filter PROTECT_RE term DENY_ICMP_FRAGS then count PROTECT_RE_DENY_ICMP_FRAGS
set firewall family inet filter PROTECT_RE term DENY_ICMP_FRAGS then log
set firewall family inet filter PROTECT_RE term DENY_ICMP_FRAGS then discard
set firewall family inet filter PROTECT_RE term ALLOW_ICMP from protocol icmp
set firewall family inet filter PROTECT_RE term ALLOW_ICMP then policer POLICE_1M
set firewall family inet filter PROTECT_RE term ALLOW_ICMP then count PROTECT_RE_ALLOW_ICMP
set firewall family inet filter PROTECT_RE term ALLOW_ICMP then accept
set firewall family inet filter PROTECT_RE term ALLOW_TRACEROUTE from protocol udp
set firewall family inet filter PROTECT_RE term ALLOW_TRACEROUTE from port 33434-33523
set firewall family inet filter PROTECT_RE term ALLOW_TRACEROUTE then policer POLICE_1M
set firewall family inet filter PROTECT_RE term ALLOW_TRACEROUTE then count PROTECT_RE_ALLOW_TRACEROUTE
set firewall family inet filter PROTECT_RE term ALLOW_TRACEROUTE then accept
set firewall family inet filter PROTECT_RE term ALLOW_OSPF from destination-prefix-list LOCALHOST_DYNAMIC
set firewall family inet filter PROTECT_RE term ALLOW_OSPF from destination-prefix-list OSPF_ROUTERS
set firewall family inet filter PROTECT_RE term ALLOW_OSPF from destination-prefix-list LOCAL_INTERFACES
set firewall family inet filter PROTECT_RE term ALLOW_OSPF from protocol ospf
set firewall family inet filter PROTECT_RE term ALLOW_OSPF then count PROTECT_RE_ALLOW_OSPF
set firewall family inet filter PROTECT_RE term ALLOW_OSPF then accept
set firewall family inet filter PROTECT_RE term ALLOW_BGP from source-prefix-list BGP_PEERS_DYNAMIC
set firewall family inet filter PROTECT_RE term ALLOW_BGP from protocol tcp
set firewall family inet filter PROTECT_RE term ALLOW_BGP from port bgp
set firewall family inet filter PROTECT_RE term ALLOW_BGP then count PROTECT_RE_ALLOW_BGP
set firewall family inet filter PROTECT_RE term ALLOW_BGP then accept
set firewall family inet filter PROTECT_RE term ALLOW_SSH from source-prefix-list ENCORE_INTERNAL
set firewall family inet filter PROTECT_RE term ALLOW_SSH from protocol tcp
set firewall family inet filter PROTECT_RE term ALLOW_SSH from port ssh
set firewall family inet filter PROTECT_RE term ALLOW_SSH then count PROTECT_RE_ALLOW_NETCONF
set firewall family inet filter PROTECT_RE term ALLOW_SSH then accept
set firewall family inet filter PROTECT_RE term ALLOW_SSH then syslog
set firewall family inet filter PROTECT_RE term ALLOW_NETCONF from source-prefix-list ENCORE_INTERNAL
set firewall family inet filter PROTECT_RE term ALLOW_NETCONF from protocol tcp
set firewall family inet filter PROTECT_RE term ALLOW_NETCONF from port 830
set firewall family inet filter PROTECT_RE term ALLOW_NETCONF then accept
set firewall family inet filter PROTECT_RE term ALLOW_NETCONF then syslog
set firewall family inet filter PROTECT_RE term ALLOW_SNMP from source-prefix-list SNMP_SERVERS_DYNAMIC
set firewall family inet filter PROTECT_RE term ALLOW_SNMP from protocol udp
set firewall family inet filter PROTECT_RE term ALLOW_SNMP from port snmp
set firewall family inet filter PROTECT_RE term ALLOW_SNMP then policer POLICE_10M
set firewall family inet filter PROTECT_RE term ALLOW_SNMP then count PROTECT_RE_ALLOW_SNMP
set firewall family inet filter PROTECT_RE term ALLOW_SNMP then accept
set firewall family inet filter PROTECT_RE term ALLOW_NTP from source-prefix-list LOCALHOST_DYNAMIC
set firewall family inet filter PROTECT_RE term ALLOW_NTP from source-prefix-list NTP_SERVERS_DYNAMIC
set firewall family inet filter PROTECT_RE term ALLOW_NTP from source-prefix-list NTP_SOURCE_DYNAMIC
set firewall family inet filter PROTECT_RE term ALLOW_NTP from protocol udp
set firewall family inet filter PROTECT_RE term ALLOW_NTP from port ntp
set firewall family inet filter PROTECT_RE term ALLOW_NTP then policer POLICE_32K
set firewall family inet filter PROTECT_RE term ALLOW_NTP then count PROTECT_RE_ALLOW_NTP
set firewall family inet filter PROTECT_RE term ALLOW_NTP then accept
set firewall family inet filter PROTECT_RE term ALLOW_DNS from source-prefix-list DNS_SERVERS_DYNAMIC
set firewall family inet filter PROTECT_RE term ALLOW_DNS from protocol udp
set firewall family inet filter PROTECT_RE term ALLOW_DNS from protocol tcp
set firewall family inet filter PROTECT_RE term ALLOW_DNS from port domain
set firewall family inet filter PROTECT_RE term ALLOW_DNS then policer POLICE_32K
set firewall family inet filter PROTECT_RE term ALLOW_DNS then count PROTECT_RE_ALLOW_DNS
set firewall family inet filter PROTECT_RE term ALLOW_DNS then accept
set firewall family inet filter PROTECT_RE term ALLOW_DNS then syslog
set firewall family inet filter PROTECT_RE term ALLOW_VRRP from destination-prefix-list VRRP_ROUTERS
set firewall family inet filter PROTECT_RE term ALLOW_VRRP from destination-prefix-list LOCALHOST_DYNAMIC
set firewall family inet filter PROTECT_RE term ALLOW_VRRP from protocol vrrp
set firewall family inet filter PROTECT_RE term ALLOW_VRRP from protocol ah
set firewall family inet filter PROTECT_RE term ALLOW_VRRP then count PROTECT_RE_ALLOW_VRRP
set firewall family inet filter PROTECT_RE term ALLOW_VRRP then accept
set firewall family inet filter PROTECT_RE term ALLOW_BFD from protocol udp
set firewall family inet filter PROTECT_RE term ALLOW_BFD from port 3784
set firewall family inet filter PROTECT_RE term ALLOW_BFD from port 4784
set firewall family inet filter PROTECT_RE term ALLOW_BFD then count PROTECT_RE_ALLOW_BFD
set firewall family inet filter PROTECT_RE term ALLOW_BFD then accept
set firewall family inet filter PROTECT_RE term TCP_ESTABLISHED from protocol tcp
set firewall family inet filter PROTECT_RE term TCP_ESTABLISHED from tcp-established
set firewall family inet filter PROTECT_RE term TCP_ESTABLISHED then policer POLICE_10M
set firewall family inet filter PROTECT_RE term TCP_ESTABLISHED then count PROTECT_RE_TCP_ESTABLISHED
set firewall family inet filter PROTECT_RE term TCP_ESTABLISHED then accept
set firewall family inet filter PROTECT_RE term TCP_ESTABLISHED then syslog
set firewall family inet filter PROTECT_RE term DEFAULT_DENY then count PROTECT_RE_DEFAULT_DENY
set firewall family inet filter PROTECT_RE term DEFAULT_DENY then log
set firewall family inet filter PROTECT_RE term DEFAULT_DENY then discard
set firewall family inet filter PROTECT_RE term DEFAULT_DENY then syslog
####
Testing from a Linux device
snmpwalk -v 2c -c COMMUNITY 10.0.0.1
NTP Monlist Test
ntpdc -n -s 10.0.0.1
Standard NTP test
ntpdc -n -s 10.0.0.1
##SRX with VPN and unknown OSPF neighbors
set firewall family inet filter PROTECT_RE term SYNFLOOD_PROTECT from source-prefix-list MGMT
set firewall family inet filter PROTECT_RE term SYNFLOOD_PROTECT from protocol tcp
set firewall family inet filter PROTECT_RE term SYNFLOOD_PROTECT from tcp-flags "(syn & !ack) | fin | rst"
set firewall family inet filter PROTECT_RE term SYNFLOOD_PROTECT then policer POLICE_100K
set firewall family inet filter PROTECT_RE term SYNFLOOD_PROTECT then count PROTECT_RE_SYNFLOOD_PROTECT
set firewall family inet filter PROTECT_RE term SYNFLOOD_PROTECT then syslog
set firewall family inet filter PROTECT_RE term SYNFLOOD_PROTECT then accept
set firewall family inet filter PROTECT_RE term DENY_ICMP_FRAGS from is-fragment
set firewall family inet filter PROTECT_RE term DENY_ICMP_FRAGS from protocol icmp
set firewall family inet filter PROTECT_RE term DENY_ICMP_FRAGS then count PROTECT_RE_DENY_ICMP_FRAGS
set firewall family inet filter PROTECT_RE term DENY_ICMP_FRAGS then log
set firewall family inet filter PROTECT_RE term DENY_ICMP_FRAGS then discard
set firewall family inet filter PROTECT_RE term ALLOW_ICMP from protocol icmp
set firewall family inet filter PROTECT_RE term ALLOW_ICMP then policer POLICE_1M
set firewall family inet filter PROTECT_RE term ALLOW_ICMP then count PROTECT_RE_ALLOW_ICMP
set firewall family inet filter PROTECT_RE term ALLOW_ICMP then accept
set firewall family inet filter PROTECT_RE term ALLOW_TRACEROUTE from protocol udp
set firewall family inet filter PROTECT_RE term ALLOW_TRACEROUTE from port 33434-33523
set firewall family inet filter PROTECT_RE term ALLOW_TRACEROUTE then policer POLICE_1M
set firewall family inet filter PROTECT_RE term ALLOW_TRACEROUTE then count PROTECT_RE_ALLOW_TRACEROUTE
set firewall family inet filter PROTECT_RE term ALLOW_TRACEROUTE then accept
set firewall family inet filter PROTECT_RE term ALLOW_IKE from protocol udp
set firewall family inet filter PROTECT_RE term ALLOW_IKE from port 500
set firewall family inet filter PROTECT_RE term ALLOW_IKE from port 4500
set firewall family inet filter PROTECT_RE term ALLOW_IKE then count PROTECT_RE_ALLOW_IKE
set firewall family inet filter PROTECT_RE term ALLOW_IKE then log
set firewall family inet filter PROTECT_RE term ALLOW_IKE then accept
set firewall family inet filter PROTECT_RE term ALLOW_VPN from protocol ah
set firewall family inet filter PROTECT_RE term ALLOW_VPN from protocol esp
set firewall family inet filter PROTECT_RE term ALLOW_VPN from protocol gre
set firewall family inet filter PROTECT_RE term ALLOW_VPN then count PROTECT_RE_ALLOW_VPN
set firewall family inet filter PROTECT_RE term ALLOW_VPN then log
set firewall family inet filter PROTECT_RE term ALLOW_VPN then accept
set firewall family inet filter PROTECT_RE term ALLOW_OSPF from protocol ospf
set firewall family inet filter PROTECT_RE term ALLOW_OSPF then count PROTECT_RE_ALLOW_OSPF
set firewall family inet filter PROTECT_RE term ALLOW_OSPF then accept
set firewall family inet filter PROTECT_RE term ALLOW_BGP from source-prefix-list BGP_PEERS_DYNAMIC
set firewall family inet filter PROTECT_RE term ALLOW_BGP from protocol tcp
set firewall family inet filter PROTECT_RE term ALLOW_BGP from port bgp
set firewall family inet filter PROTECT_RE term ALLOW_BGP then count PROTECT_RE_ALLOW_BGP
set firewall family inet filter PROTECT_RE term ALLOW_BGP then accept
set firewall family inet filter PROTECT_RE term ALLOW_SSH from source-prefix-list MGMT
set firewall family inet filter PROTECT_RE term ALLOW_SSH from protocol tcp
set firewall family inet filter PROTECT_RE term ALLOW_SSH from port ssh
set firewall family inet filter PROTECT_RE term ALLOW_SSH then count PROTECT_RE_ALLOW_SSH
set firewall family inet filter PROTECT_RE term ALLOW_SSH then log
set firewall family inet filter PROTECT_RE term ALLOW_SSH then syslog
set firewall family inet filter PROTECT_RE term ALLOW_SSH then accept
set firewall family inet filter PROTECT_RE term ALLOW_NETCONF from source-prefix-list MGMT
set firewall family inet filter PROTECT_RE term ALLOW_NETCONF from protocol tcp
set firewall family inet filter PROTECT_RE term ALLOW_NETCONF from port 830
set firewall family inet filter PROTECT_RE term ALLOW_NETCONF then count PROTECT_RE_ALLOW_NETCONF
set firewall family inet filter PROTECT_RE term ALLOW_NETCONF then log
set firewall family inet filter PROTECT_RE term ALLOW_NETCONF then syslog
set firewall family inet filter PROTECT_RE term ALLOW_NETCONF then accept
set firewall family inet filter PROTECT_RE term ALLOW_HTTPS from source-prefix-list MGMT
set firewall family inet filter PROTECT_RE term ALLOW_HTTPS from protocol tcp
set firewall family inet filter PROTECT_RE term ALLOW_HTTPS from port 443
set firewall family inet filter PROTECT_RE term ALLOW_HTTPS then count PROTECT_RE_ALLOW_HTTPS
set firewall family inet filter PROTECT_RE term ALLOW_HTTPS then log
set firewall family inet filter PROTECT_RE term ALLOW_HTTPS then syslog
set firewall family inet filter PROTECT_RE term ALLOW_HTTPS then accept
set firewall family inet filter PROTECT_RE term ALLOW_SNMP from source-prefix-list SNMP_SERVERS_DYNAMIC
set firewall family inet filter PROTECT_RE term ALLOW_SNMP from protocol udp
set firewall family inet filter PROTECT_RE term ALLOW_SNMP from port snmp
set firewall family inet filter PROTECT_RE term ALLOW_SNMP then policer POLICE_10M
set firewall family inet filter PROTECT_RE term ALLOW_SNMP then count PROTECT_RE_ALLOW_SNMP
set firewall family inet filter PROTECT_RE term ALLOW_SNMP then accept
set firewall family inet filter PROTECT_RE term ALLOW_NTP from source-prefix-list LOCALHOST_DYNAMIC
set firewall family inet filter PROTECT_RE term ALLOW_NTP from source-prefix-list NTP_SERVERS_DYNAMIC
set firewall family inet filter PROTECT_RE term ALLOW_NTP from source-prefix-list NTP_SOURCE_DYNAMIC
set firewall family inet filter PROTECT_RE term ALLOW_NTP from protocol udp
set firewall family inet filter PROTECT_RE term ALLOW_NTP from port ntp
set firewall family inet filter PROTECT_RE term ALLOW_NTP then policer POLICE_32K
set firewall family inet filter PROTECT_RE term ALLOW_NTP then count PROTECT_RE_ALLOW_NTP
set firewall family inet filter PROTECT_RE term ALLOW_NTP then accept
set firewall family inet filter PROTECT_RE term ALLOW_DNS from source-prefix-list DNS_SERVERS_DYNAMIC
set firewall family inet filter PROTECT_RE term ALLOW_DNS from protocol udp
set firewall family inet filter PROTECT_RE term ALLOW_DNS from protocol tcp
set firewall family inet filter PROTECT_RE term ALLOW_DNS from port domain
set firewall family inet filter PROTECT_RE term ALLOW_DNS then policer POLICE_32K
set firewall family inet filter PROTECT_RE term ALLOW_DNS then count PROTECT_RE_ALLOW_DNS
set firewall family inet filter PROTECT_RE term ALLOW_DNS then syslog
set firewall family inet filter PROTECT_RE term ALLOW_DNS then accept
set firewall family inet filter PROTECT_RE term ALLOW_BFD from protocol udp
set firewall family inet filter PROTECT_RE term ALLOW_BFD from port 3784
set firewall family inet filter PROTECT_RE term ALLOW_BFD from port 4784
set firewall family inet filter PROTECT_RE term ALLOW_BFD then count PROTECT_RE_ALLOW_BFD
set firewall family inet filter PROTECT_RE term ALLOW_BFD then accept
set firewall family inet filter PROTECT_RE term TCP_ESTABLISHED from protocol tcp
set firewall family inet filter PROTECT_RE term TCP_ESTABLISHED from tcp-established
set firewall family inet filter PROTECT_RE term TCP_ESTABLISHED then policer POLICE_10M
set firewall family inet filter PROTECT_RE term TCP_ESTABLISHED then count PROTECT_RE_TCP_ESTABLISHED
set firewall family inet filter PROTECT_RE term TCP_ESTABLISHED then syslog
set firewall family inet filter PROTECT_RE term TCP_ESTABLISHED then accept
set firewall family inet filter PROTECT_RE term DEFAULT_DENY then count PROTECT_RE_DEFAULT_DENY
set firewall family inet filter PROTECT_RE term DEFAULT_DENY then log
set firewall family inet filter PROTECT_RE term DEFAULT_DENY then syslog
set firewall family inet filter PROTECT_RE term DEFAULT_DENY then discard