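# Sample Juniper loopback filter. target:: names the generator (juniper) and
# the filter name (LOOPBACK). The header comment is emitted into the generated
# filter, so the typo "lookback" in the original is corrected here.
header {
comment:: "Sample Juniper loopback filter"
target:: juniper LOOPBACK
}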
# ICMP from any source: there is no source-address constraint, so exposure is
# bounded only by the rate-limit-icmp policer; hits are counted in icmp-loopback.
term accept-icmp {
protocol:: icmp
counter:: icmp-loopback
policer:: rate-limit-icmp
action:: accept
}
# Inbound traceroute: UDP to the TRACEROUTE port token from any source,
# counted and policed by rate-limit-to-router.
term accept-traceroute {
comment:: "Allow inbound traceroute from any source."
destination-port:: TRACEROUTE
protocol:: udp
counter:: inbound-traceroute
policer:: rate-limit-to-router
action:: accept
# NOTE(review): this expiration date is in the past. Capirca warns on and
# skips expired terms at render time, so this term is presumably absent from
# the generated filter — confirm against the output, then update or drop it.
expiration:: 2001-12-31
owner:: jeff
}
# BGP session setup: TCP to the BGP port. source-prefix:: presumably refers to
# a prefix list defined on the device rather than a Capirca address token —
# verify that configured-neighbors-only exists on the router.
term accept-bgp-requests {
comment:: "Allow BGP requests from peers."
source-prefix:: configured-neighbors-only
destination-port:: BGP
protocol:: tcp
counter:: bgp-requests
action:: accept
}
# Return direction of BGP sessions: source port BGP with the tcp-established
# option, again limited to the configured-neighbors-only prefix list.
term accept-bgp-replies {
comment:: "Allow inbound replies to BGP requests."
source-prefix:: configured-neighbors-only
source-port:: BGP
protocol:: tcp
option:: tcp-established
counter:: bgp-replies
action:: accept
}
# OSPF only from INTERNAL source addresses.
# NOTE(review): the emitted comment says "outbound" while the term matches on
# source-address in a loopback filter — confirm the wording is intended.
term accept-ospf {
comment:: "Allow outbound OSPF traffic from other RFC1918 routers."
source-address:: INTERNAL
protocol:: ospf
counter:: ospf
action:: accept
}
# VRRP from any source: no address constraint, only a counter.
term allow-vrrp {
protocol:: vrrp
counter:: vrrp
action:: accept
}
# IKE: UDP with both source and destination port IKE, from any source address.
term accept-ike {
source-port:: IKE
destination-port:: IKE
protocol:: udp
counter:: ipsec-ike
action:: accept
}
# ESP from any source address; hits are counted in ipsec-esp.
term accept-ipsec {
protocol:: esp
counter:: ipsec-esp
action:: accept
}
# PIM only from INTERNAL source addresses. No counter on this term, unlike
# the neighbouring protocol terms.
term accept-pim {
source-address:: INTERNAL
protocol:: pim
action:: accept
}
# IGMP only from INTERNAL source addresses; not counted.
term accept-igmp {
source-address:: INTERNAL
protocol:: igmp
action:: accept
}
# SSH to the router: TCP to the SSH port, restricted to INTERNAL sources.
term accept-ssh-requests {
source-address:: INTERNAL
destination-port:: SSH
protocol:: tcp
counter:: ssh
action:: accept
}
# SSH return traffic: source port SSH with the tcp-established option. Unlike
# accept-ssh-requests there is no source-address constraint, so any host
# sending TCP from source port SSH that satisfies tcp-established matches.
term accept-ssh-replies {
source-port:: SSH
protocol:: tcp
option:: tcp-established
counter:: ssh-replies
action:: accept
}
# SNMP: UDP to the SNMP port, INTERNAL to INTERNAL only; not counted.
term accept-snmp-requests {
source-address:: INTERNAL
destination-address:: INTERNAL
destination-port:: SNMP
protocol:: udp
action:: accept
}
# DNS replies: UDP from source port DNS with option established, confined to
# INTERNAL addresses on both sides.
term accept-dns-replies {
source-address:: INTERNAL
destination-address:: INTERNAL
source-port:: DNS
protocol:: udp
option:: established
counter:: dns-replies
action:: accept
}
# NTP: UDP to the NTP port from NTP_SERVERS to INTERNAL.
# NOTE(review): as written, "request" is NTP_SERVERS -> INTERNAL:NTP and the
# next term's "replies" is INTERNAL:NTP -> NTP_SERVERS — confirm this is the
# intended direction for a loopback filter.
term allow-ntp-request {
source-address:: NTP_SERVERS
destination-address:: INTERNAL
destination-port:: NTP
protocol:: udp
counter:: ntp-request
action:: accept
}
# NTP replies: UDP from source port NTP, INTERNAL to NTP_SERVERS, with option
# established (see the direction note on allow-ntp-request).
term allow-ntp-replies {
source-address:: INTERNAL
destination-address:: NTP_SERVERS
source-port:: NTP
protocol:: udp
option:: established
counter:: ntp-replies
action:: accept
}
# RADIUS replies: UDP from source port RADIUS, INTERNAL to INTERNAL. No
# established option here, unlike accept-dns-replies and allow-ntp-replies.
term allow-radius-replies {
source-address:: INTERNAL
destination-address:: INTERNAL
source-port:: RADIUS
protocol:: udp
counter:: radius-replies
action:: accept
}
# TACACS requests: TCP to the TACACS port, INTERNAL to TACACS_SERVERS.
term allow-tacacs-requests {
source-address:: INTERNAL
destination-address:: TACACS_SERVERS
destination-port:: TACACS
protocol:: tcp
counter:: tacacs-requests
action:: accept
}
# TACACS replies: TCP from source port TACACS with tcp-established,
# TACACS_SERVERS to INTERNAL (mirror of allow-tacacs-requests).
term allow-tacacs-replies {
source-address:: TACACS_SERVERS
destination-address:: INTERNAL
source-port:: TACACS
protocol:: tcp
option:: tcp-established
counter:: tacacs-replies
action:: accept
}
# Fragments toward GOOGLE_DNS from any source except PUBLIC_NAT (source-exclude
# carves PUBLIC_NAT out of ANY).
# NOTE(review): is-fragment is combined with destination-port DNS; non-initial
# fragments carry no transport header, so check in the rendered output how the
# generator handles the port match together with is-fragment.
term allow-dns-fragments {
source-address:: ANY
source-exclude:: PUBLIC_NAT
destination-address:: GOOGLE_DNS
destination-port:: DNS
protocol:: tcp udp
option:: is-fragment
action:: accept
}
# Large UDP DNS packets (500-5000 bytes) to GOOGLE_DNS are counted, policed and
# sampled; action next then hands the packet on to the following term instead
# of terminating here.
term ratelimit-large-dns {
destination-address:: GOOGLE_DNS
destination-port:: DNS
protocol:: udp
packet-length:: 500-5000
counter:: large-dns-counter
policer:: large-dns-policer
option:: sample
action:: next
}
# Same match as ratelimit-large-dns: packets that fall through from it via
# action next are rejected here.
term reject-large-dns {
destination-address:: GOOGLE_DNS
destination-port:: DNS
protocol:: udp
packet-length:: 500-5000
action:: reject
}
# IMAP to MAIL_SERVERS is rejected with a TCP RST rather than silently dropped.
term reject-imap-requests {
destination-address:: MAIL_SERVERS
destination-port:: IMAP
protocol:: tcp
action:: reject-with-tcp-rst
}
# Chains evaluation to another filter (my-next-filter) via filter-term instead
# of accepting or rejecting here; that filter must exist on the device.
term next-filter {
filter-term:: my-next-filter
}
# Demonstrates restrict-address-family: the header target carries no address
# family (inet), so this inet6-only term is omitted from the rendered filter,
# as its emitted comments state.
term af-mismatch {
comment:: "Will not be generated as target is inet"
comment:: "but address_family is inet6"
destination-address:: INTERNAL
restrict-address-family:: inet6
action:: reject
}
# Final catch-all: anything not matched by the terms above is counted and
# denied, so the filter is default-deny.
term discard-default {
counter:: discard-default
action:: deny
}