■Creating a firewall policy on vSRX.
This continues from the following posts.
Building vSRX-HA on VMware Player.
http://labunix.hateblo.jp/entry/20151221/1450626773
Forwarding NTP/SNMP/SNMP Trap/DNS client/syslog from vSRX-HA to Jessie.
http://labunix.hateblo.jp/entry/20151221/1450706557
■Checking the security zones
A security zone is a virtual group that interfaces are assigned to, so
in JUNOS each interface has to be bound to a security-zone.
root@vSRX-node0> show configuration | display set | match security-zone
set security zones security-zone L3-Trust interfaces reth0.0
set security zones security-zone L2-Trust interfaces reth1.0
set security zones security-zone L3-Untrust interfaces reth2.0
set security zones security-zone L2-Untrust interfaces reth3.0
■Checking the policy that uses the default "any" for the address book and the service (application) book
root@vSRX-node0> show configuration | display set | match policy
set security policies from-zone L3-Untrust to-zone L3-Trust policy allow-all-internal match source-address any
set security policies from-zone L3-Untrust to-zone L3-Trust policy allow-all-internal match destination-address any
set security policies from-zone L3-Untrust to-zone L3-Trust policy allow-all-internal match application any
set security policies from-zone L3-Untrust to-zone L3-Trust policy allow-all-internal then permit
{primary:node0}
root@vSRX-node0> show security policies from-zone L3-Untrust to-zone L3-Trust
node0:
--------------------------------------------------------------------------
From zone: L3-Untrust, To zone: L3-Trust
Policy: allow-all-internal, State: enabled, Index: 4, Scope Policy: 0, Sequence number: 1
Source addresses: any
Destination addresses: any
Applications: any
Action: permit
{primary:node0}
root@vSRX-node0> show security policies
node0:
--------------------------------------------------------------------------
Default policy: deny-all
From zone: L3-Untrust, To zone: L3-Trust
Policy: allow-all-internal, State: enabled, Index: 4, Scope Policy: 0, Sequence number: 1
Source addresses: any
Destination addresses: any
Applications: any
Action: permit
{primary:node0}
root@vSRX-node0> show security policies detail
node0:
--------------------------------------------------------------------------
Default policy: deny-all
Policy: allow-all-internal, action-type: permit, State: enabled, Index: 4, Scope Policy: 0
Policy Type: Configured
Sequence number: 1
From zone: L3-Untrust, To zone: L3-Trust
Source addresses:
any-ipv4(global): 0.0.0.0/0
any-ipv6(global): ::/0
Destination addresses:
any-ipv4(global): 0.0.0.0/0
any-ipv6(global): ::/0
Application: any
IP protocol: 0, ALG: 0, Inactivity timeout: 0
Source port range: [0-0]
Destination port range: [0-0]
Per policy TCP Options: SYN check: No, SEQ check: No
{primary:node0}
■No interface is bound to junos-host.
root@vSRX-node0> show security zones | no-more
node0:
--------------------------------------------------------------------------
Security zone: L2-Trust
Send reset for non-SYN session TCP packets: Off
Policy configurable: Yes
Interfaces bound: 1
Interfaces:
reth1.0
Security zone: L2-Untrust
Send reset for non-SYN session TCP packets: Off
Policy configurable: Yes
Interfaces bound: 1
Interfaces:
reth3.0
Security zone: L3-Trust
Send reset for non-SYN session TCP packets: Off
Policy configurable: Yes
Interfaces bound: 1
Interfaces:
reth0.0
Security zone: L3-Untrust
Send reset for non-SYN session TCP packets: Off
Policy configurable: Yes
Interfaces bound: 1
Interfaces:
reth2.0
Security zone: junos-host
Send reset for non-SYN session TCP packets: Off
Policy configurable: Yes
Interfaces bound: 0
Interfaces:
{primary:node0}
■Re-checking the IP addresses and zones
root@vSRX-node0> show interfaces reth[0-3].0 terse
Interface Admin Link Proto Local Remote
reth0.0 up up inet 192.168.152.205/24
reth1.0 up down inet
reth2.0 up up inet 172.16.76.205/24
reth3.0 up down inet
{primary:node0}
root@vSRX-node0> show security zones detail | match "zone|reth"
Security zone: L2-Trust
reth1.0
Security zone: L2-Untrust
reth3.0
Security zone: L3-Trust
reth0.0
Security zone: L3-Untrust
reth2.0
Security zone: junos-host
{primary:node0}
■Creating the address book entries
configure
edit security zones security-zone L2-Trust
set address-book address vmnet8.100 192.168.152.100/32
exit
edit security zones security-zone L3-Trust
set address-book address vmnet1.100 172.16.76.100/32
exit
commit and-quit
root@vSRX-node0> show configuration | display set | match address-book
set security zones security-zone L3-Trust address-book address vmnet1.100 172.16.76.100/32
set security zones security-zone L2-Trust address-book address vmnet8.100 192.168.152.100/32
{primary:node0}
■Checking the default applications
There are a lot of them, so search for the commonly used tcp/udp ones, for example.
root@vSRX-node0# show groups junos-defaults applications | display set | match "smtp|http |https"
set groups junos-defaults applications application junos-smtp protocol tcp
set groups junos-defaults applications application junos-smtp destination-port 25
set groups junos-defaults applications application junos-http application-protocol http
set groups junos-defaults applications application junos-http protocol tcp
set groups junos-defaults applications application junos-http destination-port 80
set groups junos-defaults applications application junos-https protocol tcp
set groups junos-defaults applications application junos-https destination-port 443
{primary:node0}[edit]
root@vSRX-node0# show groups junos-defaults applications | display set | match "-ntp|dns"
set groups junos-defaults applications application junos-ntp protocol udp
set groups junos-defaults applications application junos-ntp destination-port 123
set groups junos-defaults applications application junos-dns-udp term t1 alg dns
set groups junos-defaults applications application junos-dns-udp term t1 protocol udp
set groups junos-defaults applications application junos-dns-udp term t1 destination-port 53
set groups junos-defaults applications application junos-dns-tcp term t1 alg dns
set groups junos-defaults applications application junos-dns-tcp term t1 protocol tcp
set groups junos-defaults applications application junos-dns-tcp term t1 destination-port 53
{primary:node0}[edit]
■Checking the timeout values
The unit is seconds: udp is 1 minute, only http (tcp) is 5 minutes, and the other tcp applications are 30 minutes.
Note that the timeout value can be configured in the range 4-86400 seconds (minimum 4 seconds, maximum 1 day).
root@vSRX-node0> request pfe execute target fwdd command "show usp app-def tcp" | match "http,|https,|smtp,|dns-tcp,"
tcp port=25, appl_name=junos-smtp, service type=7, alg id=0, timeout=1800
tcp port=53, appl_name=junos-dns-tcp, service type=16, alg id=16, timeout=1800
tcp port=80, appl_name=junos-http, service type=6, alg id=6, timeout=300
tcp port=443, appl_name=junos-https, service type=58, alg id=0, timeout=1800
{primary:node0}
root@vSRX-node0> request pfe execute target fwdd command "show usp app-def udp" | match "-ntp,|dns"
udp port=53, appl_name=junos-dns-udp, service type=16, alg id=16, timeout=60
udp port=123, appl_name=junos-ntp, service type=44, alg id=0, timeout=60
{primary:node0}
■Checking the ALG (APPLICATION LAYER GATEWAY) settings
The commonly used ones are DNS and FTP.
It is probably required when TFTP has to pass beyond the L2 segment.
root@vSRX-node0> show security alg status
ALG Status :
DNS : Enabled
FTP : Enabled
H323 : Enabled
MGCP : Enabled
MSRPC : Enabled
PPTP : Enabled
RSH : Enabled
RTSP : Enabled
SCCP : Enabled
SIP : Enabled
SQL : Enabled
SUNRPC : Enabled
TALK : Enabled
TFTP : Enabled
IKE-ESP : Disabled
{primary:node0}
■Creating custom applications
For tcp there is no predefined proxy application, so create one.
configure
set applications application proxy_3128 application-protocol http protocol tcp destination-port 3128 inactivity-timeout 1800
set applications application proxy_8080 application-protocol http protocol tcp destination-port 8080 inactivity-timeout 1800
commit and-quit
root@vSRX-node0> show configuration | display set | match applications
set applications application proxy_3128 application-protocol http
set applications application proxy_3128 protocol tcp
set applications application proxy_3128 destination-port 3128
set applications application proxy_3128 inactivity-timeout 1800
set applications application proxy_8080 application-protocol http
set applications application proxy_8080 protocol tcp
set applications application proxy_8080 destination-port 8080
set applications application proxy_8080 inactivity-timeout 1800
{primary:node0}
■Creating the security policy
Configure the following rule.
name:pass_proxy_3128
zone:L2-Untrust -> L2-Trust
dst:host vmnet8.100 dport proxy_3128
log:session-init
configure
edit security policies from-zone L3-Untrust to-zone L2-Trust
set policy pass_proxy_3128 match source-address any
set policy pass_proxy_3128 match destination-address vmnet8.100 application proxy_3128
set policy pass_proxy_3128 then permit
set policy pass_proxy_3128 then log session-init
exit
commit and-quit
root@vSRX-node0> show security policies policy-name pass_proxy_3128
node0:
--------------------------------------------------------------------------
From zone: L3-Untrust, To zone: L2-Trust
Policy: pass_proxy_3128, State: enabled, Index: 5, Scope Policy: 0, Sequence number: 1
Source addresses: any
Destination addresses: vmnet8.100
Applications: proxy_3128
Action: permit, log
{primary:node0}
root@vSRX-node0> show security policies policy-name pass_proxy_3128 detail
node0:
--------------------------------------------------------------------------
Policy: pass_proxy_3128, action-type: permit, State: enabled, Index: 5, Scope Policy: 0
Policy Type: Configured
Sequence number: 1
From zone: L3-Untrust, To zone: L2-Trust
Source addresses:
any-ipv4(global): 0.0.0.0/0
any-ipv6(global): ::/0
Destination addresses:
vmnet8.100: 192.168.152.100/32
Application: proxy_3128
IP protocol: tcp, ALG: http, Inactivity timeout: 1800
Source port range: [0-0]
Destination port range: [3128-3128]
Per policy TCP Options: SYN check: No, SEQ check: No
Session log: at-create
{primary:node0}
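The three steps above (address book entries, custom applications with an inactivity-timeout, and a policy that references them) are easy to get wrong when the configuration grows, so here is an added example, not from the original post, that audits a `show configuration | display set` dump for the points this page makes: a permit policy should not be any/any/any, every address a policy references must exist in the address book of the corresponding zone (the script assumes zone-attached address books as used here and does not understand global address books), and an application's inactivity-timeout must lie within 4-86400 seconds. The sample configuration is a constructed concatenation of the set lines shown on this page.

```python
"""Audit a Junos 'display set' dump for policy hygiene (added example)."""
import re
from collections import defaultdict

# Constructed sample: the display-set lines from this page, concatenated.
SAMPLE_CONFIG = """\
set security zones security-zone L3-Trust interfaces reth0.0
set security zones security-zone L2-Trust interfaces reth1.0
set security zones security-zone L3-Untrust interfaces reth2.0
set security zones security-zone L2-Untrust interfaces reth3.0
set security zones security-zone L3-Trust address-book address vmnet1.100 172.16.76.100/32
set security zones security-zone L2-Trust address-book address vmnet8.100 192.168.152.100/32
set applications application proxy_3128 inactivity-timeout 1800
set applications application proxy_8080 inactivity-timeout 1800
set security policies from-zone L3-Untrust to-zone L3-Trust policy allow-all-internal match source-address any
set security policies from-zone L3-Untrust to-zone L3-Trust policy allow-all-internal match destination-address any
set security policies from-zone L3-Untrust to-zone L3-Trust policy allow-all-internal match application any
set security policies from-zone L3-Untrust to-zone L3-Trust policy allow-all-internal then permit
set security policies from-zone L3-Untrust to-zone L2-Trust policy pass_proxy_3128 match source-address any
set security policies from-zone L3-Untrust to-zone L2-Trust policy pass_proxy_3128 match destination-address vmnet8.100
set security policies from-zone L3-Untrust to-zone L2-Trust policy pass_proxy_3128 match application proxy_3128
set security policies from-zone L3-Untrust to-zone L2-Trust policy pass_proxy_3128 then permit
set security policies from-zone L3-Untrust to-zone L2-Trust policy pass_proxy_3128 then log session-init
"""

ZONE_IF = re.compile(r"^set security zones security-zone (\S+) interfaces (\S+)$")
ZONE_ADDR = re.compile(r"^set security zones security-zone (\S+) address-book address (\S+) (\S+)$")
APP_TIMEOUT = re.compile(r"^set applications application (\S+) inactivity-timeout (\d+)$")
POLICY = re.compile(r"^set security policies from-zone (\S+) to-zone (\S+) policy (\S+) (match|then) (.+)$")
MATCH_FIELD = {"source-address": "source", "destination-address": "destination",
               "application": "application"}
BUILTIN_ADDRS = {"any", "any-ipv4", "any-ipv6"}  # predefined, never in an address book


def parse_config(text):
    """Collect zone interfaces, zone address books, app timeouts and policies."""
    cfg = {"zone_ifaces": defaultdict(set), "zone_addrs": defaultdict(dict),
           "app_timeouts": {}, "policies": {}}
    for raw in text.splitlines():
        line = raw.strip()
        m = ZONE_IF.match(line)
        if m:
            cfg["zone_ifaces"][m.group(1)].add(m.group(2))
            continue
        m = ZONE_ADDR.match(line)
        if m:
            cfg["zone_addrs"][m.group(1)][m.group(2)] = m.group(3)
            continue
        m = APP_TIMEOUT.match(line)
        if m:
            cfg["app_timeouts"][m.group(1)] = int(m.group(2))
            continue
        m = POLICY.match(line)
        if m:
            key = (m.group(1), m.group(2), m.group(3))  # (from-zone, to-zone, name)
            pol = cfg["policies"].setdefault(key, {
                "source": set(), "destination": set(), "application": set(),
                "action": None, "log": False})
            words = m.group(5).split()
            if m.group(4) == "match":
                field = MATCH_FIELD.get(words[0])
                if field:
                    pol[field].add(words[1])
            elif words[0] in ("permit", "deny", "reject"):
                pol["action"] = words[0]
            elif words[0] == "log":
                pol["log"] = True
    return cfg


def audit(cfg):
    """Return human-readable findings; an empty list means the dump is clean."""
    findings = []
    for (fz, tz, name), pol in sorted(cfg["policies"].items()):
        tag = f"{fz}->{tz} {name}"
        if pol["action"] == "permit":
            if pol["source"] == {"any"} and pol["destination"] == {"any"} \
                    and pol["application"] == {"any"}:
                findings.append(f"{tag}: permits any source/destination/application")
            if not pol["log"]:
                findings.append(f"{tag}: permit without session logging")
        # An address must be defined in the zone the policy refers to it from.
        for addr in sorted(pol["source"] - BUILTIN_ADDRS):
            if addr not in cfg["zone_addrs"][fz]:
                findings.append(f"{tag}: source-address {addr} not in {fz} address book")
        for addr in sorted(pol["destination"] - BUILTIN_ADDRS):
            if addr not in cfg["zone_addrs"][tz]:
                findings.append(f"{tag}: destination-address {addr} not in {tz} address book")
    for app, secs in sorted(cfg["app_timeouts"].items()):
        if not 4 <= secs <= 86400:  # the configurable range noted above
            findings.append(f"application {app}: inactivity-timeout {secs} outside 4-86400")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_config(SAMPLE_CONFIG)):
        print(finding)
```

Run against the page's own lines it reports only `allow-all-internal`, which permits any/any/any without logging, while `pass_proxy_3128` passes because `vmnet8.100` exists in the `L2-Trust` book and the policy logs at session-init.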
■Configuring a proxy on jessie
$ sudo apt-get install -y squid3
$ sudo cp /etc/squid3/squid.con{f,f.org}
$ sudo diff /etc/squid3/squid.con{f,f.org} | awk '/</' | sed -e 's/^< //g'
acl localnet src 172.16.0.0/12
acl localnet src 192.168.0.0/16
http_port 0.0.0.0:3128
logformat combined %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
access_log daemon:/var/log/squid3/access.log combined
pinger_enable off
via off
request_header_access User-Agent deny all
request_header_replace User-Agent Mozilla/5.0 (X11; Linux x86_64)
visible_hostname unknown_internal
dns_nameservers 127.0.0.1
forwarded_for off
$ sudo /etc/init.d/squid3 restart
$ netstat -an | grep 3128
tcp 0 0 0.0.0.0:3128 0.0.0.0:* LISTEN
■Checking the security policy
root@vSRX-node0> telnet source 172.16.76.203 inet interface reth3.0 port 3128 192.168.152.100
Trying 192.168.152.100...
Connected to 192.168.152.100.
Escape character is '^]'.
GET / HTTP/1.0
HTTP/1.1 400 Bad Request
Server: squid/3.4.8
Mime-Version: 1.0
Date: Wed, 23 Dec 2015 17:34:21 GMT
Content-Type: text/html
Content-Length: 3163
X-Squid-Error: ERR_INVALID_URL 0
Vary: Accept-Language
Content-Language: en
X-Cache: MISS from unknown_internal
X-Cache-Lookup: NONE from unknown_internal:3128
Connection: close
...
labunix@vSRX-node0> show security flow session
node0:
--------------------------------------------------------------------------
Session ID: 81546, Policy name: self-traffic-policy/1, State: Active, Timeout: 18, Valid
In: 172.16.76.203/61135 --> 192.168.152.100/3128;tcp, If: .local..0, Pkts: 2, Bytes: 116
Out: 192.168.152.100/3128 --> 172.16.76.203/61135;tcp, If: reth0.0, Pkts: 0, Bytes: 0
Total sessions: 1
node1:
--------------------------------------------------------------------------
Total sessions: 0
{primary:node0}
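Note what the session table above actually says: the session was created by `self-traffic-policy/1` with `In If: .local..0`, which is what the SRX uses for traffic it generates itself, such as this telnet from the routing engine. That confirms squid is reachable, but it does not exercise `pass_proxy_3128`; only a session whose In wing arrives on a real interface and whose policy name is `pass_proxy_3128` would. The following added example, not part of the original post, parses `show security flow session` output (the page's output is embedded as a constructed sample) and makes that check mechanical.

```python
"""Parse 'show security flow session' and check which policy a test hit (added example)."""
import re

# Constructed sample: the flow-session output shown on this page.
SAMPLE_SESSIONS = """\
node0:
--------------------------------------------------------------------------
Session ID: 81546, Policy name: self-traffic-policy/1, State: Active, Timeout: 18, Valid
  In: 172.16.76.203/61135 --> 192.168.152.100/3128;tcp, If: .local..0, Pkts: 2, Bytes: 116
  Out: 192.168.152.100/3128 --> 172.16.76.203/61135;tcp, If: reth0.0, Pkts: 0, Bytes: 0
Total sessions: 1
node1:
--------------------------------------------------------------------------
Total sessions: 0
"""

SESSION_RE = re.compile(
    r"^Session ID: (\d+), Policy name: ([^/,]+)/(\d+), State: (\w+), Timeout: (\d+)")
WING_RE = re.compile(
    r"^(In|Out): (\S+)/(\d+) --> (\S+)/(\d+);(\w+), If: (\S+), Pkts: (\d+), Bytes: (\d+)")


def parse_sessions(text):
    """Return a list of sessions, each with its node, policy and In/Out wings."""
    sessions, node, cur = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("node") and line.endswith(":"):
            node = line[:-1]  # cluster member that owns the following sessions
            continue
        m = SESSION_RE.match(line)
        if m:
            cur = {"node": node, "id": int(m.group(1)), "policy": m.group(2),
                   "policy_index": int(m.group(3)), "state": m.group(4),
                   "timeout": int(m.group(5)), "wings": {}}
            sessions.append(cur)
            continue
        m = WING_RE.match(line)
        if m and cur is not None:
            cur["wings"][m.group(1)] = {
                "src": m.group(2), "sport": int(m.group(3)),
                "dst": m.group(4), "dport": int(m.group(5)), "proto": m.group(6),
                "iface": m.group(7), "pkts": int(m.group(8)), "bytes": int(m.group(9))}
    return sessions


def transit_policy_check(sessions, dst, dport, expected_policy):
    """True when some session to dst:dport entered on a real interface and was
    created by expected_policy; otherwise False plus the reasons."""
    reasons = []
    hits = [s for s in sessions
            if "In" in s["wings"]
            and s["wings"]["In"]["dst"] == dst and s["wings"]["In"]["dport"] == dport]
    if not hits:
        return False, [f"no session towards {dst}:{dport}"]
    for s in hits:
        inn = s["wings"]["In"]
        if inn["iface"].startswith(".local."):
            reasons.append(f"session {s['id']}: host-originated (In If {inn['iface']}), "
                           f"matched {s['policy']}, not a transit policy")
        elif s["policy"] != expected_policy:
            reasons.append(f"session {s['id']}: matched {s['policy']}, "
                           f"expected {expected_policy}")
        else:
            return True, reasons
    return False, reasons


if __name__ == "__main__":
    ok, why = transit_policy_check(parse_sessions(SAMPLE_SESSIONS),
                                   "192.168.152.100", 3128, "pass_proxy_3128")
    print("transit policy exercised:", ok)
    for r in why:
        print(" -", r)
```

On the page's output the check returns False with the reason that the session is host-originated; a test client behind reth3.0 would be needed to produce a session that the check accepts.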
■Confirm that the proxy log is recorded correctly, including the HTTP status code.
$ sudo tail -1 /var/log/squid3/access.log
172.16.76.203 - - [24/Dec/2015:02:50:59 +0900] "GET / HTTP/0.0" 400 3499 "-" "-" TAG_NONE:HIER_NONE