家向けSRXコンフィグ

基本設定

まずは、基本的な設定を行います。

# Needed first: root credentials and the host name.
# NOTE(review): this line looks like two statements fused by extraction.
# root-authentication needs a credential (plain-text-password, which prompts,
# or encrypted-password <hash>) and "set system host-name srx-home" is its own line.
set system root-authentication set system host-name srx-home
# Time zone
set system time-zone Asia/Tokyo
# Login class for interactive users: full permissions, logged out after 1800 s idle
set system login class super-user-local idle-timeout 1800
set system login class super-user-local permissions all
# Create the operator account (uid 1000, uses the idle-timeout class above)
set system login user kanai uid 1000
set system login user kanai class super-user-local
# NOTE(review): "plain" looks truncated; Junos expects plain-text-password here
# (prompts for the password at commit) or encrypted-password <hash>.
set system login user kanai authentication plain
# Adjust these as you like (especially telnet).
# telnet carries credentials in cleartext; the telnet-access filter in the
# filter section limits the allowed source prefixes, but only once that filter
# is attached to an interface. ssh alone is the safer choice.
set system services ssh
set system services telnet
# syslog, mainly to local files
set system syslog archive size 10m
set system syslog archive files 5
set system syslog user * any emergency
set system syslog user * authorization info
set system syslog file messages any notice
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands any
# NOTE(review): time-format needs a value (year and/or millisecond); it was
# probably lost when this page was extracted.
set system syslog time-format
# Source address used when syslog is forwarded to an external collector
set system syslog source-address 192.168.100.253
# Number of saved configurations available to "rollback"
set system max-configurations-on-flash 49
set system max-configuration-rollbacks 49
# NTP
set system ntp server 210.173.160.57
# Packet sampling for NetFlow (one packet in 8192)
set forwarding-options sampling input rate 8192
# SNMP. "public" is the well-known default community name; it is read-only
# and limited to clients in 192.168.100.0/24, but a non-default name (or
# SNMPv3 with authentication) is preferable even on a home network.
set snmp community public authorization read-only
set snmp community public clients 192.168.100.0/24
# Traps are sourced from the lo0 address
set snmp trap-options source-address lo0

次に、ルータとしての基本設定を入れます。

# Loopback: localhost, the IPv4 address used as router-id, and an IPv6 ULA
set interfaces lo0 unit 0 family inet address 127.0.0.1/32
set interfaces lo0 unit 0 family inet address 192.168.255.253/32
set interfaces lo0 unit 0 family inet6 address fd00::253/128
# Router identity: router-id equals the lo0 IPv4 address; private AS 65000
set routing-options router-id 192.168.255.253
set routing-options autonomous-system 65000
# Router-advertisement tracing ("flag all" is verbose; drop it once RA is verified)
set protocols router-advertisement traceoptions file ra.log
set protocols router-advertisement traceoptions flag all
# BGP basics: trace OPEN messages only, 180 s hold time
set protocols bgp traceoptions file bgp.log
set protocols bgp traceoptions flag open
set protocols bgp hold-time 180
# iBGP group. A peer that sends more than 100 IPv4 unicast prefixes is torn
# down and, with "idle-timeout forever", stays idle until cleared by hand.
set protocols bgp group iBGP type internal
set protocols bgp group iBGP family inet unicast prefix-limit maximum 100
set protocols bgp group iBGP family inet unicast prefix-limit teardown idle-timeout forever
 > limitの挙動は適当にかえてください
# Local AS for the iBGP group; must match routing-options autonomous-system
set protocols bgp group iBGP local-as 65000
# Minimal OSPFv2 / OSPFv3: lo0 is passive in area 0, so the loopback prefix is
# advertised without forming adjacencies on it
set protocols ospf area 0.0.0.0 interface lo0.0 passive
set protocols ospf area 0.0.0.0 interface lo0.0 metric 1
set protocols ospf3 area 0.0.0.0 interface lo0.0 passive
set protocols ospf3 area 0.0.0.0 interface lo0.0 metric 1
# LLDP / LLDP-MED on every port. This advertises device details to whatever is
# connected; list only the internal ports if any port faces an untrusted link.
set protocols lldp interface all
set protocols lldp-med interface all
# Discard routes used only as test prefixes when originating routes
set routing-options rib inet6.0 static route fd00::ffff/128 discard
set routing-options static route 255.0.0.0/32 discard

フィルタルールを入れます。

# telnet/ssh access is limited by source address.
# Term order matters: telnet-permit accepts tcp/telnet and tcp/ssh from the two
# internal /24s, telnet-deny then discards the same ports from any other source.
# NOTE(review): neither telnet-access nor bgp-access is attached to an
# interface anywhere in this listing (no "family inet filter input" statement),
# so they have no effect until applied, e.g. as an input filter on lo0.0.
# A Junos filter ends with an implicit discard, so a filter applied on its own
# must also accept the remaining traffic; the permit-all filter at the end is
# presumably intended for that — confirm how they are chained.
set firewall family inet filter telnet-access term telnet-permit from source-address 192.168.100.0/24
set firewall family inet filter telnet-access term telnet-permit from source-address 192.168.200.0/24
set firewall family inet filter telnet-access term telnet-permit from protocol tcp
set firewall family inet filter telnet-access term telnet-permit from destination-port telnet
set firewall family inet filter telnet-access term telnet-permit from destination-port ssh
set firewall family inet filter telnet-access term telnet-permit then accept
set firewall family inet filter telnet-access term telnet-deny from protocol tcp
set firewall family inet filter telnet-access term telnet-deny from destination-port telnet
set firewall family inet filter telnet-access term telnet-deny from destination-port ssh
set firewall family inet filter telnet-access term telnet-deny then discard
# BGP is accepted only from neighbours actually configured under protocols bgp;
# the apply-path prefix-list follows the neighbor list automatically.
set policy-options prefix-list bgp-peers apply-path "protocols bgp group <*> neighbor <*>;"
set firewall family inet filter bgp-access term bgp-permit from prefix-list bgp-peers
set firewall family inet filter bgp-access term bgp-permit from protocol tcp
# "port 179" matches either the source or the destination port
set firewall family inet filter bgp-access term bgp-permit from port 179
set firewall family inet filter bgp-access term bgp-permit then accept
set firewall family inet filter bgp-access term bgp-deny from protocol tcp
set firewall family inet filter bgp-access term bgp-deny from port 179
set firewall family inet filter bgp-access term bgp-deny then discard
# Everything else is passed for now (catch-all accept)
set firewall family any filter permit-all term permit-all then accept

インタフェース設定を入れます。

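# VLAN definitions
set vlans vlan100 vlan-id 100
set vlans vlan200 vlan-id 200
# Uplink port.
# NOTE(review): the description says native-100, but unit 0 carries a routed
# address identical to the one on vlan.100 below; confirm which of the two is
# meant to own 192.168.100.253/24 (a duplicate address is a commit error).
set interfaces fe-0/0/0 description native-100
set interfaces fe-0/0/0 mtu 1624
set interfaces fe-0/0/0 unit 0 family inet address 192.168.100.253/24
# Downstream access ports, both in vlan200
set interfaces fe-0/0/1 unit 0 family ethernet-switching port-mode access
set interfaces fe-0/0/1 unit 0 family ethernet-switching vlan members vlan200
set interfaces fe-0/0/2 unit 0 family ethernet-switching port-mode access
set interfaces fe-0/0/2 unit 0 family ethernet-switching vlan members vlan200
# lo0 was already defined in the routing section
# Routed VLAN interfaces
set interfaces vlan unit 0
set interfaces vlan unit 100 family inet address 192.168.100.253/24
set interfaces vlan unit 200 family inet address 192.168.200.253/24
# Zones. trust accepts every host-inbound system service and protocol on all
# of its interfaces (including telnet from the system section); the firewall
# filters are the only other limit, and only once they are applied.
# NOTE(review): no interface is placed in untrust on this page, so the source
# NAT and the trust-to-untrust policy have nothing to match until one is added.
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces vlan.100
set security zones security-zone trust interfaces vlan.200
set security zones security-zone trust interfaces fe-0/0/0.0
set security zones security-zone trust interfaces fe-0/0/1.0
set security zones security-zone trust interfaces fe-0/0/2.0
# Attach the untrust-screen IDS profile (defined in the IDS section) to untrust
set security zones security-zone untrust screen untrust-screen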

DHCP

# DHCP server.
# NOTE(review): the pool and default router are in 192.168.1.0/24, which does
# not match any interface address in this listing (192.168.100.x / 192.168.200.x);
# confirm the intended scope.
set system services dhcp router 192.168.1.1
set system services dhcp pool 192.168.1.0/24 address-range low 192.168.1.2
set system services dhcp pool 192.168.1.0/24 address-range high 192.168.1.254
# Options learned on fe-0/0/0.0 are handed to clients — presumably the uplink; confirm
set system services dhcp propagate-settings fe-0/0/0.0

NAT

# Source NAT: anything leaving trust for untrust is translated to the egress
# interface address
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule source-nat-rule match source-address 0.0.0.0/0
set security nat source rule-set trust-to-untrust rule source-nat-rule then source-nat interface
# Policy trust -> untrust: permit any source, destination and application.
# No logging is configured; add "then log session-close" if session records
# should reach syslog.
set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
# Intra-zone trust -> trust: permit everything (on SRX, traffic between
# interfaces of the same zone still needs a policy)
set security policies from-zone trust to-zone trust policy trust-to-trust match source-address any
set security policies from-zone trust to-zone trust policy trust-to-trust match destination-address any
set security policies from-zone trust to-zone trust policy trust-to-trust match application any
set security policies from-zone trust to-zone trust policy trust-to-trust then permit

IDS

# Screen (IDS) profile; attached to zone untrust in the interface section.
# Malformed-packet checks: ping of death, IP source routing, teardrop
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
# SYN-flood protection. Thresholds are SYN rates (per second) — confirm the
# exact per-source / per-destination semantics for the Junos release in use.
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood timeout 20
# LAND attack (source == destination address/port)
set security screen ids-option untrust-screen tcp land