Juniper SRX650: protecting the firewall's public IP from being *** (method one)
2011-07-30 22:44
267 views
Internal hosts reach the Internet through source NAT, and the public IP they use is normally the firewall's own IP on the outside interface. By default, for convenience of management, administrators leave http, https, ssh and similar services open on that IP, so anyone on the Internet can sit there and guess the password. The measures taken are as follows:
System services currently opened:
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ssh
set system services ssh
set system services telnet
set system services web-management http interface ge-0/0/3.0
set system services web-management https system-generated-certificate
set system services web-management https interface ge-0/0/1.0
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic system-services dhcp
set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic system-services ping
set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic system-services http
set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic system-services https
set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic system-services ssh
The approach:
Close the management service on the public IP, then map the management port of the firewall's internal IP (192.168.254.1) to an unusual port (here 1055) on the public IP, so that SSH is no longer answered on port 22 of the public address.
A few things to check before committing this. The custom application juniper1055 referenced in the policy below is not defined anywhere in this post; it must exist under [edit applications] or the commit fails. On the SRX the security-policy lookup runs after destination NAT, so the policy has to match the translated destination (the address-book entry juniper2541) and the translated port, which is TCP 22 (the predefined application junos-ssh), not 1055. Moving the port only hides the service from casual scans: the NAT rule still admits any source (0.0.0.0/0), so narrow match source-address to the addresses you actually manage from wherever possible. Telnet is also enabled above (set system services telnet) and should be deleted if it is not needed, since it sends credentials in cleartext.
delete security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ssh
# Create the address-book entry
set security zones security-zone trust address-book address juniper2541 192.168.254.1/32
# Create the destination NAT
set security nat destination pool 2541 address 192.168.254.1/32
set security nat destination pool 2541 address port 22
set security nat destination rule-set 1 rule 2541 match source-address 0.0.0.0/0
set security nat destination rule-set 1 rule 2541 match destination-address 113.106.95.x/32
set security nat destination rule-set 1 rule 2541 match destination-port 1055
set security nat destination rule-set 1 rule 2541 then destination-nat pool 2541
# Create the security policy
set security policies from-zone untrust to-zone trust policy yc2541 match source-address any
set security policies from-zone untrust to-zone trust policy yc2541 match destination-address juniper2541
set security policies from-zone untrust to-zone trust policy yc2541 match application juniper1055
set security policies from-zone untrust to-zone trust policy yc2541 then permit
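To check whether a change like the one above really removed management services from the outside interface, here is an added example (written for this page, not part of the original post or of any Juniper tool) that replays the flat set/delete statements and reports which management services each zone interface still accepts. The sample statements are the page's own lines, embedded as constructed input. The interface-level-over-zone-level precedence it applies is how Junos evaluates host-inbound-traffic; the handling of an interface stanza that has been emptied by delete is a modelling choice and is marked as such in the code.

```python
"""Audit flat Junos 'set' configuration for management services on untrusted zones.

Added example for this page (not from the original post or from Juniper).
It replays set/delete statements for host-inbound-traffic system-services
and reports which management services each zone interface accepts.
"""
import re
from collections import defaultdict

# Services that hand an attacker a login prompt to guess against.
MGMT_SERVICES = ("http", "https", "ssh", "telnet")

# Zone-level or interface-level host-inbound-traffic system-services statement.
_HIT_RE = re.compile(
    r"^(?P<op>set|delete) security zones security-zone (?P<zone>\S+)"
    r"(?: interfaces (?P<ifl>\S+))?"
    r" host-inbound-traffic system-services (?P<svc>\S+)$"
)
# Any 'set ... interfaces <ifl>' line establishes zone membership.
_MEMBER_RE = re.compile(
    r"^set security zones security-zone (?P<zone>\S+) interfaces (?P<ifl>\S+)"
)


def parse_config(lines):
    """Replay set/delete statements; return (zone_services, iface_services, iface_zone)."""
    zone_services = defaultdict(set)   # zone -> services allowed at zone level
    iface_services = {}                # ifl  -> services from an interface-level stanza
    iface_zone = {}                    # ifl  -> zone the interface belongs to
    for raw in lines:
        line = raw.strip()
        m = _MEMBER_RE.match(line)
        if m:
            iface_zone[m["ifl"]] = m["zone"]
        m = _HIT_RE.match(line)
        if not m:
            continue
        if m["ifl"]:
            target = iface_services.setdefault(m["ifl"], set())
        else:
            target = zone_services[m["zone"]]
        if m["op"] == "set":
            target.add(m["svc"])
        else:
            target.discard(m["svc"])
            # Modelling choice (not a documented Junos rule): an interface stanza
            # emptied by delete is treated as gone, so the zone-level list applies.
            if m["ifl"] and not target:
                del iface_services[m["ifl"]]
    return zone_services, iface_services, iface_zone


def effective_services(cfg, ifl):
    """Services the device accepts on ifl. Junos gives an interface-level
    host-inbound-traffic stanza precedence over the zone-level one."""
    zone_services, iface_services, iface_zone = cfg
    if ifl in iface_services:
        svcs = iface_services[ifl]
    else:
        svcs = zone_services.get(iface_zone[ifl], set())
    if "all" in svcs:                       # 'all' covers every named service
        svcs = svcs | set(MGMT_SERVICES)
    return svcs


def audit(lines, zones=("untrust",)):
    """Sorted (interface, zone, service) tuples for management services
    reachable on interfaces that belong to the given zones."""
    cfg = parse_config(lines)
    findings = []
    for ifl, zone in sorted(cfg[2].items()):
        if zone not in zones:
            continue
        for svc in sorted(effective_services(cfg, ifl)):
            if svc in MGMT_SERVICES:
                findings.append((ifl, zone, svc))
    return findings


# Constructed sample: the page's starting configuration.
BEFORE = """
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ssh
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic system-services dhcp
set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic system-services ping
set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic system-services http
set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic system-services https
set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic system-services ssh
""".strip().splitlines()

# The page's fix: drop SSH from the public-facing interface.
AFTER = BEFORE + [
    "delete security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ssh"
]

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        found = audit(cfg)
        report = ", ".join(f"{i} ({z}): {s}" for i, z, s in found)
        print(f"{label}: {report or 'no management services on untrust'}")
```

Run it as a script for the before/after report, or feed the lines of show configuration | display set from a real device into audit() to see what the outside interfaces still answer; pass zones=("trust",) to review the inside as well.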