labunix's blog

labunix's Lab Unix

Creating vSRX firewall policies.

■Creating vSRX firewall policies.
 Continued from the following posts.

 Building vSRX-HA on VMware Player.
 http://labunix.hateblo.jp/entry/20151221/1450626773

 Forwarding NTP/SNMP/SNMP trap/DNS client/syslog from vSRX-HA to Jessie.
 http://labunix.hateblo.jp/entry/20151221/1450706557

■Checking the security zones
 A security zone is a virtual group to which interfaces are assigned, so in JUNOS
 each interface has to be bound to a security-zone.

root@vSRX-node0> show configuration | display set | match security-zone     
set security zones security-zone L3-Trust interfaces reth0.0
set security zones security-zone L2-Trust interfaces reth1.0
set security zones security-zone L3-Untrust interfaces reth2.0
set security zones security-zone L2-Untrust interfaces reth3.0

■Checking the policy that uses the default "any" from the address book and service book

root@vSRX-node0> show configuration | display set | match policy    
set security policies from-zone L3-Untrust to-zone L3-Trust policy allow-all-internal match source-address any
set security policies from-zone L3-Untrust to-zone L3-Trust policy allow-all-internal match destination-address any
set security policies from-zone L3-Untrust to-zone L3-Trust policy allow-all-internal match application any
set security policies from-zone L3-Untrust to-zone L3-Trust policy allow-all-internal then permit

{primary:node0}

root@vSRX-node0> show security policies from-zone L3-Untrust to-zone L3-Trust  
node0:
--------------------------------------------------------------------------
From zone: L3-Untrust, To zone: L3-Trust
  Policy: allow-all-internal, State: enabled, Index: 4, Scope Policy: 0, Sequence number: 1
    Source addresses: any
    Destination addresses: any
    Applications: any
    Action: permit

{primary:node0}

root@vSRX-node0> show security policies                             
node0:
--------------------------------------------------------------------------
Default policy: deny-all
From zone: L3-Untrust, To zone: L3-Trust
  Policy: allow-all-internal, State: enabled, Index: 4, Scope Policy: 0, Sequence number: 1
    Source addresses: any
    Destination addresses: any
    Applications: any
    Action: permit

{primary:node0}

root@vSRX-node0> show security policies detail 
node0:
--------------------------------------------------------------------------
Default policy: deny-all
Policy: allow-all-internal, action-type: permit, State: enabled, Index: 4, Scope Policy: 0
  Policy Type: Configured
  Sequence number: 1
  From zone: L3-Untrust, To zone: L3-Trust
  Source addresses:
    any-ipv4(global): 0.0.0.0/0 
    any-ipv6(global): ::/0
  Destination addresses:
    any-ipv4(global): 0.0.0.0/0 
    any-ipv6(global): ::/0
  Application: any
    IP protocol: 0, ALG: 0, Inactivity timeout: 0
      Source port range: [0-0] 
      Destination port range: [0-0]
  Per policy TCP Options: SYN check: No, SEQ check: No

{primary:node0}

■No interface is bound to junos-host.

root@vSRX-node0> show security zones | no-more 
node0:
--------------------------------------------------------------------------

Security zone: L2-Trust
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes  
  Interfaces bound: 1
  Interfaces:
    reth1.0

Security zone: L2-Untrust
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes  
  Interfaces bound: 1
  Interfaces:
    reth3.0

Security zone: L3-Trust
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes  
  Interfaces bound: 1
  Interfaces:
    reth0.0

Security zone: L3-Untrust
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes  
  Interfaces bound: 1
  Interfaces:
    reth2.0

Security zone: junos-host
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes  
  Interfaces bound: 0
  Interfaces:

{primary:node0}

■Re-checking the IPs and zones

root@vSRX-node0> show interfaces reth[0-3].0 terse    
Interface               Admin Link Proto    Local                 Remote
reth0.0                 up    up   inet     192.168.152.205/24
reth1.0                 up    down inet    
reth2.0                 up    up   inet     172.16.76.205/24
reth3.0                 up    down inet    

{primary:node0}

root@vSRX-node0> show security zones detail | match "zone|reth" 

Security zone: L2-Trust
    reth1.0

Security zone: L2-Untrust
    reth3.0

Security zone: L3-Trust
    reth0.0

Security zone: L3-Untrust
    reth2.0

Security zone: junos-host

{primary:node0}

■Creating the address books

configure
edit security zones security-zone L2-Trust
set address-book address vmnet8.100 192.168.152.100/32
exit
edit security zones security-zone L3-Trust
set address-book address vmnet1.100 172.16.76.100/32
exit
commit and-quit

root@vSRX-node0> show configuration | display set | match address-book
set security zones security-zone L3-Trust address-book address vmnet1.100 172.16.76.100/32
set security zones security-zone L2-Trust address-book address vmnet8.100 192.168.152.100/32

{primary:node0}
   
■Checking the default applications
 There are a lot of them, so search for the commonly used tcp/udp ones, for example.

root@vSRX-node0# show groups junos-defaults applications | display set | match "smtp|http |https" 
set groups junos-defaults applications application junos-smtp protocol tcp
set groups junos-defaults applications application junos-smtp destination-port 25
set groups junos-defaults applications application junos-http application-protocol http
set groups junos-defaults applications application junos-http protocol tcp
set groups junos-defaults applications application junos-http destination-port 80
set groups junos-defaults applications application junos-https protocol tcp
set groups junos-defaults applications application junos-https destination-port 443

{primary:node0}[edit]

root@vSRX-node0# show groups junos-defaults applications | display set | match "-ntp|dns"    
set groups junos-defaults applications application junos-ntp protocol udp
set groups junos-defaults applications application junos-ntp destination-port 123
set groups junos-defaults applications application junos-dns-udp term t1 alg dns
set groups junos-defaults applications application junos-dns-udp term t1 protocol udp
set groups junos-defaults applications application junos-dns-udp term t1 destination-port 53
set groups junos-defaults applications application junos-dns-tcp term t1 alg dns
set groups junos-defaults applications application junos-dns-tcp term t1 protocol tcp
set groups junos-defaults applications application junos-dns-tcp term t1 destination-port 53
{primary:node0}[edit]

■Checking the timeout values
 The unit is seconds, so udp is 1 minute, only http over tcp is 5 minutes, and the other tcp applications are 30 minutes.
 Note that the timeout value can be set in the range 4-86400 (minimum 4 seconds, maximum 1 day, i.e. 86400 seconds).

root@vSRX-node0> request pfe execute target fwdd command "show usp app-def tcp" | match "http,|https,|smtp,|dns-tcp," 
tcp port=25, appl_name=junos-smtp, service type=7, alg id=0, timeout=1800
tcp port=53, appl_name=junos-dns-tcp, service type=16, alg id=16, timeout=1800
tcp port=80, appl_name=junos-http, service type=6, alg id=6, timeout=300
tcp port=443, appl_name=junos-https, service type=58, alg id=0, timeout=1800

{primary:node0}

root@vSRX-node0> request pfe execute target fwdd command "show usp app-def udp" | match "-ntp,|dns"         
udp port=53, appl_name=junos-dns-udp, service type=16, alg id=16, timeout=60
udp port=123, appl_name=junos-ntp, service type=44, alg id=0, timeout=60

{primary:node0}

■Checking the ALG (APPLICATION LAYER GATEWAY) settings
 The commonly used ones are DNS and FTP.
 It is probably essential when passing TFTP outside the L2 segment.

root@vSRX-node0> show security alg status 
ALG Status :
  DNS      : Enabled
  FTP      : Enabled
  H323     : Enabled
  MGCP     : Enabled
  MSRPC    : Enabled
  PPTP     : Enabled
  RSH      : Enabled
  RTSP     : Enabled
  SCCP     : Enabled
  SIP      : Enabled
  SQL      : Enabled
  SUNRPC   : Enabled
  TALK     : Enabled
  TFTP     : Enabled
  IKE-ESP  : Disabled

{primary:node0}

■Creating custom applications
 For tcp there is no proxy application, so create one.

configure 
set applications application proxy_3128 application-protocol http protocol tcp destination-port 3128 inactivity-timeout 1800
set applications application proxy_8080 application-protocol http protocol tcp destination-port 8080 inactivity-timeout 1800
commit and-quit

root@vSRX-node0> show configuration | display set | match applications 
set applications application proxy_3128 application-protocol http
set applications application proxy_3128 protocol tcp
set applications application proxy_3128 destination-port 3128
set applications application proxy_3128 inactivity-timeout 1800
set applications application proxy_8080 application-protocol http
set applications application proxy_8080 protocol tcp
set applications application proxy_8080 destination-port 8080
set applications application proxy_8080 inactivity-timeout 1800

{primary:node0}

■Creating the security policy
 Configure the following rule.

name:pass_proxy_3128
zone:L2-Untrust -> L2-Trust
dst:host vmnet8.100 dport proxy_3128
log:session-init

configure
edit security policies from-zone L3-Untrust to-zone L2-Trust
set policy pass_proxy_3128 match source-address any
set policy pass_proxy_3128 match destination-address vmnet8.100 application proxy_3128
set policy pass_proxy_3128 then permit
set policy pass_proxy_3128 then log session-init
exit
commit and-quit

root@vSRX-node0> show security policies policy-name pass_proxy_3128 
node0:
--------------------------------------------------------------------------
From zone: L3-Untrust, To zone: L2-Trust
  Policy: pass_proxy_3128, State: enabled, Index: 5, Scope Policy: 0, Sequence number: 1
    Source addresses: any
    Destination addresses: vmnet8.100
    Applications: proxy_3128
    Action: permit, log

{primary:node0}

root@vSRX-node0> show security policies policy-name pass_proxy_3128 detail       
node0:
--------------------------------------------------------------------------
Policy: pass_proxy_3128, action-type: permit, State: enabled, Index: 5, Scope Policy: 0
  Policy Type: Configured
  Sequence number: 1
  From zone: L3-Untrust, To zone: L2-Trust
  Source addresses:
    any-ipv4(global): 0.0.0.0/0 
    any-ipv6(global): ::/0
  Destination addresses:
    vmnet8.100: 192.168.152.100/32
  Application: proxy_3128
    IP protocol: tcp, ALG: http, Inactivity timeout: 1800
      Source port range: [0-0] 
      Destination port range: [3128-3128]
  Per policy TCP Options: SYN check: No, SEQ check: No
  Session log: at-create

{primary:node0}
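As an added example (not code from the original post), a small Python audit that parses the zone, address-book and policy lines in "show configuration | display set" format, as shown in the sections above, and reports what a reviewer would want flagged: permit policies that match any/any/any like allow-all-internal, policies whose zones have no interface bound, and destination names that are not defined in the to-zone's address book. The sample configuration inside is constructed from the lines shown on this page; the function names and the set of checks are my own.

```python
import re
from collections import defaultdict
# Constructed sample in "show configuration | display set" format (not captured from a device).
SAMPLE_CONFIG = """\
set security zones security-zone L3-Trust interfaces reth0.0
set security zones security-zone L2-Trust interfaces reth1.0
set security zones security-zone L3-Untrust interfaces reth2.0
set security zones security-zone L2-Trust address-book address vmnet8.100 192.168.152.100/32
set security policies from-zone L3-Untrust to-zone L3-Trust policy allow-all-internal match source-address any
set security policies from-zone L3-Untrust to-zone L3-Trust policy allow-all-internal match destination-address any
set security policies from-zone L3-Untrust to-zone L3-Trust policy allow-all-internal match application any
set security policies from-zone L3-Untrust to-zone L3-Trust policy allow-all-internal then permit
set security policies from-zone L3-Untrust to-zone L2-Trust policy pass_proxy_3128 match source-address any
set security policies from-zone L3-Untrust to-zone L2-Trust policy pass_proxy_3128 match destination-address vmnet8.100
set security policies from-zone L3-Untrust to-zone L2-Trust policy pass_proxy_3128 match application proxy_3128
set security policies from-zone L3-Untrust to-zone L2-Trust policy pass_proxy_3128 then permit
"""

ZONE_IF = re.compile(r"^set security zones security-zone (\S+) interfaces (\S+)")
ZONE_ADDR = re.compile(r"^set security zones security-zone (\S+) address-book address (\S+) ")
POLICY = re.compile(r"^set security policies from-zone (\S+) to-zone (\S+) policy (\S+) (match|then) (\S+)(?: (\S+))?")

def parse_set_config(text):
    """Build zone->interfaces, zone->address-book names and per-policy match/then tables."""
    zones, books, policies = defaultdict(set), defaultdict(set), {}
    for line in text.splitlines():
        if m := ZONE_IF.match(line):
            zones[m[1]].add(m[2])
        elif m := ZONE_ADDR.match(line):
            books[m[1]].add(m[2])
        elif m := POLICY.match(line):
            frm, to, name, kind, key, val = m.groups()
            p = policies.setdefault(name, {"from": frm, "to": to, "match": {}, "then": {}})
            p[kind][key] = val  # e.g. match["application"] = "any", then["permit"] = None
    return zones, books, policies

def audit(text):
    """Return findings a reviewer would raise: any/any/any permits, unbound zones, dangling names."""
    zones, books, policies = parse_set_config(text)
    findings = []
    for name, p in policies.items():
        m = p["match"]
        if "permit" in p["then"] and all(m.get(k) == "any" for k in ("source-address", "destination-address", "application")):
            findings.append(f"{name}: permits any/any/any from {p['from']} to {p['to']}")
        findings += [f"{name}: zone {z} has no interface bound" for z in (p["from"], p["to"]) if not zones.get(z)]
        # Zone-level address books: a destination name is resolved in the to-zone's book (source names in the from-zone's).
        dst = m.get("destination-address")
        if dst and dst != "any" and dst not in books[p["to"]]:
            findings.append(f"{name}: destination {dst} is not in the address book of zone {p['to']}")
    return findings
```

Feed it the real output of "show configuration | display set" and only the allow-all-internal policy from this page is reported, because pass_proxy_3128 is scoped to one host and one application and vmnet8.100 lives in the L2-Trust address book that the policy's to-zone requires.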

■Setting up a proxy on jessie

$ sudo apt-get install -y squid3
$ sudo cp /etc/squid3/squid.con{f,f.org}
$ sudo diff /etc/squid3/squid.con{f,f.org} | awk '/</' | sed -e 's/^< //g'
acl localnet src 172.16.0.0/12	# RFC1918 possible internal network
acl localnet src 192.168.0.0/16	# RFC1918 possible internal network
http_port 0.0.0.0:3128
logformat combined   %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
> #logformat combined   %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
access_log daemon:/var/log/squid3/access.log combined
pinger_enable off
via off
request_header_access User-Agent deny all
request_header_replace User-Agent Mozilla/5.0 (X11; Linux x86_64)
visible_hostname unknown_internal
dns_nameservers 127.0.0.1
forwarded_for off
$ sudo /etc/init.d/squid3 restart
$ netstat -an | grep 3128
tcp        0      0 0.0.0.0:3128            0.0.0.0:*               LISTEN 

■Checking the security policy

root@vSRX-node0> telnet source 172.16.76.203 inet interface reth3.0 port 3128 192.168.152.100    
Trying 192.168.152.100...
Connected to 192.168.152.100.
Escape character is '^]'.
GET / HTTP/1.0

HTTP/1.1 400 Bad Request
Server: squid/3.4.8
Mime-Version: 1.0
Date: Wed, 23 Dec 2015 17:34:21 GMT
Content-Type: text/html
Content-Length: 3163
X-Squid-Error: ERR_INVALID_URL 0
Vary: Accept-Language
Content-Language: en
X-Cache: MISS from unknown_internal
X-Cache-Lookup: NONE from unknown_internal:3128
Connection: close
...

labunix@vSRX-node0> show security flow session    
node0:
--------------------------------------------------------------------------

Session ID: 81546, Policy name: self-traffic-policy/1, State: Active, Timeout: 18, Valid
  In: 172.16.76.203/61135 --> 192.168.152.100/3128;tcp, If: .local..0, Pkts: 2, Bytes: 116
  Out: 192.168.152.100/3128 --> 172.16.76.203/61135;tcp, If: reth0.0, Pkts: 0, Bytes: 0
Total sessions: 1

node1:
--------------------------------------------------------------------------
Total sessions: 0

{primary:node0}

■Confirm that the proxy log, including the HTTP status code, is recorded correctly.

$ sudo tail -1 /var/log/squid3/access.log 
  172.16.76.203 - - [24/Dec/2015:02:50:59 +0900] "GET / HTTP/0.0" 400 3499 "-" "-" TAG_NONE:HIER_NONE