家向けSRXコンフィグ

基本設定

まずは、基本的な設定を行います。

# Required first: root password and host name.
# NOTE(review): two statements appear fused on this line, and "set system root-authentication"
# on its own is incomplete — Junos expects "plain-text-password" (prompts for it) or
# "encrypted-password <hash>" after it; confirm against the original source.
set system root-authentication set system host-name srx-home
# Time zone.
set system time-zone Asia/Tokyo
# Login class for users who want an idle timeout (1800 s); "permissions all" is full access.
set system login class super-user-local idle-timeout 1800
set system login class super-user-local permissions all
# Create the user.
set system login user kanai uid 1000
set system login user kanai class super-user-local
# NOTE(review): "authentication plain" looks truncated — the Junos keyword is
# "plain-text-password" (or "encrypted-password <hash>"); confirm.
set system login user kanai authentication plain
# Management services: enable as you like (especially telnet).
# Telnet carries credentials in cleartext; ssh and netconf-over-ssh cover the same need.
# The telnet-access filter defined later only restricts these services once it is
# attached to lo0 (see the host-filter section).
set system services ssh
set system services telnet
set system services netconf ssh
# Syslog, mostly for local logging.
set system syslog archive size 10m
set system syslog archive files 5
set system syslog user * any emergency
set system syslog user * authorization info
set system syslog file messages any notice
set system syslog file messages authorization info
# interactive-commands keeps an audit trail of every CLI command entered.
set system syslog file interactive-commands interactive-commands any
# NOTE(review): "time-format" normally takes "year" and/or "millisecond"; this line
# looks truncated — confirm.
set system syslog time-format
# Source address used when syslog is sent to an external collector.
# NOTE(review): 192.168.100.253 is not assigned to any interface in this config
# (lo0 is 192.168.255.253, fe-0/0/7 is 192.168.101.252) — verify.
set system syslog source-address 192.168.100.253
# Number of configurations kept for rollback.
set system max-configurations-on-flash 49
set system max-configuration-rollbacks 49
# NTP (reached via the host routes toward 192.168.101.1 in the routing section).
# No NTP authentication is configured here.
set system ntp server 210.173.160.57
set system ntp server 210.173.160.27
set system ntp server 210.173.160.87
set system ntp source-address 192.168.101.252
# For netflow: only the sampling rate is set — no sampling output/collector appears on this page.
set forwarding-options sampling input rate 8192
# SNMP: read-only and limited to clients in 192.168.100.0/24. "public" is the well-known
# default community name; prefer a non-default one. The mgmt interface (fe-0/0/7,
# 192.168.101.0/24) is not in the client list — confirm that is intended.
set snmp community public authorization read-only
set snmp community public clients 192.168.100.0/24
set snmp trap-options source-address lo0

ブロードバンドルータ設定。ここでは、port0 を PPPoE に使い、port7 を mgmt に使います。

# PPPoE uplink: fe-0/0/0 carries the PPPoE session, pp0.0 is the logical PPP interface.
set interfaces fe-0/0/0 description "pppoe uplink"
set interfaces fe-0/0/0 unit 0 encapsulation ppp-over-ether
# User ports fe-0/0/2..6 belong to VLAN v100 (routed via vlan.100).
# Only fe-0/0/2 states port-mode access explicitly; the others rely on the default — confirm.
set interfaces fe-0/0/2 unit 0 family ethernet-switching port-mode access
set interfaces fe-0/0/2 unit 0 family ethernet-switching vlan members v100
set interfaces fe-0/0/3 unit 0 family ethernet-switching vlan members v100
set interfaces fe-0/0/4 unit 0 family ethernet-switching vlan members v100
set interfaces fe-0/0/5 unit 0 family ethernet-switching vlan members v100
set interfaces fe-0/0/6 unit 0 family ethernet-switching vlan members v100
# Dedicated management port.
set interfaces fe-0/0/7 description mgmt
set interfaces fe-0/0/7 unit 0 family inet address 192.168.101.252/24
# Gateway address for the user VLAN (also handed out by DHCP as router and name-server).
set interfaces vlan unit 100 family inet address 192.168.1.1/24
# CHAP credentials for the ISP. Both values are placeholders here: fill in the real
# secret and account name before use. The secret is stored in the configuration, so keep
# "show configuration" output out of shared copies.
set interfaces pp0 unit 0 ppp-options chap default-chap-secret ""
set interfaces pp0 unit 0 ppp-options chap local-name "a@ocn.ne.jp"
set interfaces pp0 unit 0 ppp-options chap passive
set interfaces pp0 unit 0 pppoe-options underlying-interface fe-0/0/0.0
# Retry the PPPoE session every 10 s after it drops.
set interfaces pp0 unit 0 pppoe-options auto-reconnect 10
set interfaces pp0 unit 0 pppoe-options client
# MTU reduced to leave room for the PPPoE/PPP overhead.
set interfaces pp0 unit 0 family inet mtu 1454
# The address is learned from the ISP during IPCP.
set interfaces pp0 unit 0 family inet negotiate-address

次に、ルータとしての基本設定を入れます。

# Loopback: router-local addresses (192.168.255.253/32 doubles as the router-id below).
set interfaces lo0 unit 0 family inet address 127.0.0.1/32
set interfaces lo0 unit 0 family inet address 192.168.255.253/32
# IPv6 loopback address. NOTE(review): the host filters later on are family inet only,
# so nothing restricts control-plane access over this inet6 address.
set interfaces lo0 unit 0 family inet6 address fd00::253/128
# Router settings.
set routing-options router-id 192.168.255.253
set routing-options autonomous-system 65000
# Router-advertisement tracing. "flag all" is very verbose; expect the log to grow.
set protocols router-advertisement traceoptions file ra.log
set protocols router-advertisement traceoptions flag all
# BGP basics.
set protocols bgp traceoptions file bgp.log
set protocols bgp traceoptions flag open
set protocols bgp hold-time 180
set protocols bgp group iBGP type internal
# Tear the session down above 100 inet prefixes; "idle-timeout forever" keeps it down
# until cleared manually. No neighbor statements for this group appear on this page.
set protocols bgp group iBGP family inet unicast prefix-limit maximum 100
set protocols bgp group iBGP family inet unicast prefix-limit teardown idle-timeout forever
 > limitの挙動は適当に変えてください
# Matches the global autonomous-system set above.
set protocols bgp group iBGP local-as 65000
# Minimal OSPFv2 / OSPFv3 / LLDP configuration: lo0 is passive (advertised, no adjacency on it).
set protocols ospf area 0.0.0.0 interface lo0.0 passive
set protocols ospf area 0.0.0.0 interface lo0.0 metric 1
set protocols ospf3 area 0.0.0.0 interface lo0.0 passive
set protocols ospf3 area 0.0.0.0 interface lo0.0 metric 1
# Test routes for route-injection experiments (discard next hop); remove when not needed.
set routing-options rib inet6.0 static route fd00::ffff/128 discard
set routing-options static route 255.0.0.0/32 discard

# LLDP / LLDP-MED on every interface. "interface all" includes the PPPoE uplink
# fe-0/0/0 (zone untrust); LLDP advertises device details to the link neighbor, so
# consider limiting it to the LAN and mgmt ports.
set protocols lldp interface all
set protocols lldp-med interface all

次に、ホストフィルタを書きます。 これは、SRX自身へのアクセスを制限するものです。

# Telnet/SSH to the box is limited by source address.
# NOTE(review): the mgmt interface fe-0/0/7 sits in 192.168.101.0/24, which is not
# among the permitted sources — confirm before attaching this filter.
set firewall family inet filter telnet-access term telnet-permit from source-address 192.168.100.0/24
set firewall family inet filter telnet-access term telnet-permit from source-address 192.168.200.0/24
set firewall family inet filter telnet-access term telnet-permit from protocol tcp
set firewall family inet filter telnet-access term telnet-permit from destination-port telnet
set firewall family inet filter telnet-access term telnet-permit from destination-port ssh
set firewall family inet filter telnet-access term telnet-permit then accept
set firewall family inet filter telnet-access term telnet-deny from protocol tcp
set firewall family inet filter telnet-access term telnet-deny from destination-port telnet
set firewall family inet filter telnet-access term telnet-deny from destination-port ssh
set firewall family inet filter telnet-access term telnet-deny then discard
# BGP: accept only from the neighbors actually defined — the prefix-list is built from
# the neighbor statements via apply-path.
# This keeps unsolicited TCP SYNs to port 179 away from the BGP process.
set policy-options prefix-list bgp-peers apply-path "protocols bgp group <*> neighbor <*>;"
set firewall family inet filter bgp-access term bgp-permit from prefix-list bgp-peers
set firewall family inet filter bgp-access term bgp-permit from protocol tcp
set firewall family inet filter bgp-access term bgp-permit from port 179
set firewall family inet filter bgp-access term bgp-permit then accept
set firewall family inet filter bgp-access term bgp-deny from protocol tcp
set firewall family inet filter bgp-access term bgp-deny from port 179
set firewall family inet filter bgp-access term bgp-deny then discard
# Everything else is passed through for now.
# NOTE(review): none of these filters is attached to an interface anywhere on this page.
# A Junos filter only takes effect once referenced (e.g. "family inet filter input ..."
# on lo0.0 for control-plane traffic), and every filter ends with an implicit discard —
# so the three would need to be chained (input-list) or merged into one filter to get the
# intended permit / deny / pass-the-rest order. They are also family inet only, while lo0
# carries an inet6 address as well.
set firewall family any filter permit-all term permit-all then accept

ルーティングインスタンスを作ります。 このネットワークでは、mgmtとlanのセグメントは完全に分離します。

# Separate virtual router for the LAN; mgmt stays in the default instance (inet.0).
set routing-instances lan instance-type virtual-router
set routing-instances lan interface fe-0/0/0.0
# The PPPoE session is the LAN's exit, so it is placed in the same instance.
set routing-instances lan interface pp0.0
# vlan100 is the user VLAN.
set routing-instances lan interface vlan.100
# Default route points at the PPPoE session.
set routing-instances lan routing-options static route 0.0.0.0/0 next-hop pp0.0

また、ユーザ向けのDHCPを定義します。

# DHCP server for the user VLAN, inside the lan instance.
# NOTE(review): the later "system services dhcp" section configures the legacy DHCP
# server for the same 192.168.1.0/24; the two servers are expected to be mutually
# exclusive at commit — keep one of them.
set routing-instances lan system services dhcp-local-server group pool_vlan_100 interface vlan.100
set routing-instances lan access address-assignment pool pool_vlan_100 family inet network 192.168.1.0/24
# Leases .100–.199, 300 s maximum lease time.
set routing-instances lan access address-assignment pool pool_vlan_100 family inet range dhcp low 192.168.1.100
set routing-instances lan access address-assignment pool pool_vlan_100 family inet range dhcp high 192.168.1.199
set routing-instances lan access address-assignment pool pool_vlan_100 family inet dhcp-attributes maximum-lease-time 300
# Clients are told to use the SRX itself as DNS; no DNS proxy/forwarding appears on this
# page, so verify that name resolution actually works for clients.
set routing-instances lan access address-assignment pool pool_vlan_100 family inet dhcp-attributes name-server 192.168.1.1
set routing-instances lan access address-assignment pool pool_vlan_100 family inet dhcp-attributes router 192.168.1.1

routing

# Host routes for the NTP servers (and 8.8.8.8) via the mgmt gateway, in the default instance.
# NOTE(review): nothing on this page uses 8.8.8.8 (no "system name-server" is set) — confirm.
set routing-options rib inet.0 static route 210.173.160.57/32 next-hop 192.168.101.1
set routing-options rib inet.0 static route 210.173.160.27/32 next-hop 192.168.101.1
set routing-options rib inet.0 static route 210.173.160.87/32 next-hop 192.168.101.1
set routing-options rib inet.0 static route 8.8.8.8/32 next-hop 192.168.101.1

DHCP on VRF

# Legacy DHCP server (system services dhcp) for 192.168.1.0/24.
# NOTE(review): overlaps with the dhcp-local-server pool in the lan instance (see that
# section); the .2–.254 range here also overlaps its .100–.199 range. Keep one server.
set system services dhcp router 192.168.1.1
set system services dhcp pool 192.168.1.0/24 address-range low 192.168.1.2
set system services dhcp pool 192.168.1.0/24 address-range high 192.168.1.254
# propagate-settings copies DHCP-client options (DNS etc.) learned on fe-0/0/0.0, but on
# this page that interface is the PPPoE underlying link, not a DHCP client — verify there
# is anything to propagate.
set system services dhcp propagate-settings fe-0/0/0.0

NAT

# Source NAT: everything leaving trust toward untrust is translated to the egress
# interface address (the PPPoE-negotiated one on pp0.0).
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule source-nat-rule match source-address 0.0.0.0/0
set security nat source rule-set trust-to-untrust rule source-nat-rule then source-nat interface

zone間ポリシ

# trust -> untrust: allow everything. Consider adding "then log session-close" (with a
# syslog destination) for visibility into outbound sessions.
set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
# Anything not matched above is dropped — including untrust -> trust and any transit
# traffic to or from mgmt (no policy is defined for the mgmt zone here).
set security policies default-policy deny-all

zone設定

# At home, accept everything from trust for convenience.
# This lets hosts in vlan.100 reach every service and protocol on the SRX itself; the
# host filters (once attached to lo0) are what narrows telnet/ssh/BGP.
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces vlan.100
# NOTE(review): the screen profile "untrust-screen" is referenced but not defined on
# this page ("set security screen ids-option untrust-screen ..."); commit is expected to
# fail unless it exists.
set security zones security-zone untrust screen untrust-screen
# Inbound to the SRX on untrust is limited to DHCP on the physical ports; nothing is
# accepted on pp0.0, the actual Internet-facing interface.
# NOTE(review): fe-0/0/0.0 is PPPoE-encapsulated with no family inet, and fe-0/0/1 is not
# configured anywhere on this page — confirm these two lines are still needed.
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services dhcp
set security zones security-zone untrust interfaces fe-0/0/1.0 host-inbound-traffic system-services dhcpv6
set security zones security-zone untrust interfaces pp0.0
# mgmt: the dedicated port, everything accepted inbound.
set security zones security-zone mgmt host-inbound-traffic system-services all
set security zones security-zone mgmt host-inbound-traffic protocols all
set security zones security-zone mgmt interfaces fe-0/0/7.0

VLAN

# VLAN 100 (user VLAN), routed through the vlan.100 L3 interface defined above.
set vlans v100 vlan-id 100
set vlans v100 l3-interface vlan.100