kiers@5gt> show configuration | except SECRET-DATA | no-more
## Last commit: 2013-12-28 16:51:58 CET by kiers
/* Output of "show configuration | except SECRET-DATA": every line tagged
   SECRET-DATA (password hashes, PAP secret, archive-site URL) has been filtered
   out by the pipe, so the empty stanzas below (root-authentication,
   user authentication, archive-sites) are presumably populated on the box,
   not unset. Junos reviewer notes are inline as C-style annotations. */
version 12.1X45;
system {
    host-name 5gt;
    domain-name boppelans.net;
    time-zone Europe/Amsterdam;
    location {
        country-code NL;
        postal-code 1108CC;
    }
    /* Body removed by the SECRET-DATA filter, see note at top. */
    root-authentication {
    }
    name-server {
        /* External resolvers are deactivated; only the two LAN resolvers are live. */
        inactive: 194.109.6.66;
        inactive: 194.109.9.99;
        inactive: 194.109.104.104;
        10.0.1.10;
        10.0.1.25;
    }
    login {
        /* Single local account, and it is superuser; its credential is SECRET-DATA
           and therefore not visible here. */
        user kiers {
            full-name "Bert Kiers";
            uid 2000;
            class superuser;
            authentication {
            }
        }
    }
    services {
        /* Direct root SSH login is refused. No protocol-version, connection-limit
           or rate-limit statements are present; worth confirming whether this
           release still negotiates SSHv1 by default (if so, add protocol-version v2).
           Note that SSH is only reachable from the trust zone - the untrust
           interface pp0.0 admits dhcpv6 only (see security zones below). */
        ssh {
            root-login deny;
        }
    }
    syslog {
        archive size 100k files 3;
        user * {
            any emergency;
        }
        /* Everything is shipped off-box to 10.0.1.25 - the local files below only
           keep a critical subset, so that host is the record of truth for IR. */
        host 10.0.1.25 {
            any any;
            source-address 10.0.1.189;
        }
        file messages {
            any critical;
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
        source-address 10.0.1.189;
    }
    no-compress-configuration-files;
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    archival {
        configuration {
            /* Config is pushed on every commit; the archive-site URL (which can
               embed a credential) is SECRET-DATA and so does not appear here. */
            transfer-on-commit;
            archive-sites {
            }
        }
    }
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
    ntp {
        server 10.0.1.25;
        server 10.0.1.10;
    }
}
interfaces {
    interface-range interfaces-trust {
        member ge-0/0/1;
        member fe-0/0/2;
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    /* Guest port is deactivated together with its zone (see security zones). */
    inactive: fe-0/0/4 {
        description GUEST;
        unit 0 {
            family inet {
                address 192.168.0.3/24;
            }
        }
    }
    fe-0/0/5 {
        description "Vigor 120";
        unit 0 {
            encapsulation ppp-over-ether;
        }
    }
    /* DMZ port is deactivated together with its zone, but protocols
       router-advertisement still references fe-0/0/6.0 - see note there. */
    inactive: fe-0/0/6 {
        description DMZ;
        unit 0 {
            family inet {
                address 10.0.4.1/32;
            }
            family inet6 {
                address 2001:980:1289:4::1/64;
            }
        }
    }
    pp0 {
        description XS4ALL;
        unit 0 {
            ppp-options {
                pap {
                    /* PAP password is SECRET-DATA, filtered from this output. */
                    local-name kiers;
                    passive;
                }
            }
            pppoe-options {
                underlying-interface fe-0/0/5.0;
                idle-timeout 0;
                auto-reconnect 10;
                client;
            }
            family inet {
                mtu 1492;
                negotiate-address;
            }
            family inet6 {
                mtu 1492;
                inactive: address 2001:980:1289::1/64;
                no-dad-disable;
                /* "statefull" is the Junos keyword spelling; not a typo. */
                dhcpv6-client {
                    client-type statefull;
                    client-ia-type ia-pd;
                    client-ia-type ia-na;
                    rapid-commit;
                    client-identifier duid-type duid-ll;
                }
            }
        }
    }
    vlan {
        unit 0 {
            family inet {
                /* Flow sampling is switched off in all three places it is wired
                   up (this filter, forwarding-options sampling, firewall filter
                   cflow), so no NetFlow telemetry reaches 10.0.1.25. */
                inactive: filter {
                    input cflow;
                    output cflow;
                }
                inactive: address 192.168.1.1/24;
                /* Two live addresses in the same /24; 10.0.1.189 is also the
                   syslog source-address. */
                address 10.0.1.189/24;
                address 10.0.1.1/24;
            }
            family inet6 {
                address 2001:980:1289:42::1/64;
            }
        }
    }
}
forwarding-options {
    /* Deactivated - see note on the vlan.0 cflow filter. */
    inactive: sampling {
        input {
            rate 4;
            run-length 16;
            max-packets-per-second 100;
        }
        family inet {
            output {
                flow-server 10.0.1.25 {
                    port 2055;
                    version 5;
                }
            }
        }
    }
}
snmp {
    location ldh332;
    contact "kiersb@xs4all.net";
    /* Default community name, read-only, with no clients { } restriction, so any
       host in the trust zone can poll it (trust admits all system-services).
       It is not reachable from untrust, where only dhcpv6 is admitted. A
       non-default name plus a clients list limited to the monitoring host, or
       SNMPv3, would narrow this. */
    community public {
        authorization read-only;
    }
}
routing-options {
    rib inet6.0 {
        static {
            route ::/0 next-hop pp0.0;
        }
    }
    static {
        route 0.0.0.0/0 next-hop pp0.0;
        route 10.0.7.0/24 next-hop 10.0.1.96;
        route 10.0.8.0/24 next-hop 10.0.1.10;
        route 10.0.9.0/24 next-hop 10.0.1.49;
    }
}
protocols {
    router-advertisement {
        /* fe-0/0/6 is deactivated above, and fe-0/0/3 has no stanza anywhere in
           this output, so these two RA entries refer to interfaces that are not
           currently up or not configured - probably leftovers or planned ports;
           confirm and prune. Only vlan.0 is live. */
        interface fe-0/0/6.0 {
            prefix 2001:980:1289:4::1/64;
        }
        interface fe-0/0/3.0 {
            prefix 2001:980:1289:37::2/64;
        }
        interface vlan.0 {
            prefix 2001:980:1289:42::1/64;
        }
    }
}
security {
    forwarding-options {
        family {
            /* IPv6 is flow-based, so the zone policies below apply to v6 traffic
               as well as v4. */
            inet6 {
                mode flow-based;
            }
        }
    }
    screen {
        /* This IDS option set is defined but the untrust zone deactivates it
           ("inactive: screen untrust-screen;" below), so none of these checks
           currently run on pp0.0. */
        ids-option untrust-screen {
            icmp {
                flood;
                ping-death;
            }
            ip {
                bad-option;
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
                winnuke;
            }
        }
        /* Screen tracing left on with no file size limit visible; presumably
           meant for troubleshooting - confirm it is still wanted. */
        traceoptions {
            flag flow;
        }
    }
    nat {
        source {
            rule-set trust-to-untrust {
                from zone trust;
                to zone untrust;
                rule source-nat-rule {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone trust to-zone untrust {
            /* Outbound allow-list. Only session-init is logged; adding
               session-close would give byte counts and duration per session,
               which is what incident correlation usually needs. The list names
               junos-msn and junos-nfs, not the custom bert-msn / bert-nfs
               applications defined below. */
            policy trust-to-untrust {
                match {
                    source-address any;
                    destination-address any;
                    application [ junos-ftp junos-ssh junos-http junos-https junos-whois junos-dns-tcp junos-dns-udp ssh60122 junos-icmp-ping dbox-tcp llink junos-nntp junos-imaps bert-smtps junos-smtp junos-icmp-all bert-openvpn bert-hkp junos-msn bert-kar junos-nfs bert-submission junos-rtsp junos-sip ];
                }
                then {
                    permit;
                    log {
                        session-init;
                    }
                    count;
                }
            }
            policy klok {
                match {
                    source-address MY_CLOCKS;
                    destination-address XS_CLOCKS;
                    application junos-ntp;
                }
                then {
                    permit;
                    count;
                }
            }
        }
        /* No untrust-to-trust context exists, so with deny-all every inbound
           transit flow is dropped by default. */
        default-policy {
            deny-all;
        }
    }
    zones {
        security-zone trust {
            address-book {
                address MY_CLOCKS 10.0.1.0/24;
            }
            /* Broadest possible management exposure on the LAN side: every
               system service and routing protocol is reachable from vlan.0.
               The explicit router-discovery entry is already covered by all. */
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                    router-discovery;
                }
            }
            interfaces {
                vlan.0;
            }
        }
        security-zone untrust {
            address-book {
                address XS_CLOCKS 194.109.0.0/16;
            }
            /* Screen deactivated here - see note under security screen. */
            inactive: screen untrust-screen;
            interfaces {
                /* Internet-facing exposure is limited to the DHCPv6 client and
                   IPv6 neighbour/router discovery; no management service is
                   admitted on pp0.0. */
                pp0.0 {
                    host-inbound-traffic {
                        system-services {
                            dhcpv6;
                        }
                        protocols {
                            router-discovery;
                            ndp;
                        }
                    }
                }
            }
        }
        inactive: security-zone dmz {
            interfaces {
                fe-0/0/6.0 {
                    host-inbound-traffic {
                        protocols {
                            router-discovery;
                        }
                    }
                }
            }
        }
        inactive: security-zone guest {
            interfaces {
                fe-0/0/4.0 {
                    host-inbound-traffic {
                        system-services {
                            dhcp;
                        }
                    }
                }
            }
        }
    }
}
firewall {
    /* Deactivated - see note on the vlan.0 cflow filter. */
    inactive: filter cflow {
        term all {
            then {
                sample;
                accept;
            }
        }
    }
}
applications {
    /* Most custom applications use inactivity-timeout never, so an idle
       session of these types stays in the session table until torn down by
       the endpoints; a resource consideration on a small branch box. */
    application ssh60122 {
        protocol tcp;
        source-port 0-65535;
        destination-port 60122;
        inactivity-timeout never;
    }
    application dbox-tcp {
        protocol tcp;
        source-port 0-65535;
        destination-port 42666;
        inactivity-timeout never;
    }
    application llink {
        protocol tcp;
        source-port 0-65535;
        destination-port 8001;
        inactivity-timeout never;
    }
    application bert-smtps {
        protocol tcp;
        source-port 0-65535;
        destination-port 465;
        inactivity-timeout 1200;
    }
    application bert-openvpn {
        protocol udp;
        source-port 0-65535;
        destination-port 1194;
        inactivity-timeout 1200;
    }
    application bert-hkp {
        protocol tcp;
        source-port 0-65535;
        destination-port 11371;
        inactivity-timeout 60;
    }
    /* Not referenced by any policy in this output (the policy uses junos-msn). */
    application bert-msn {
        protocol tcp;
        source-port 0-65535;
        destination-port 1863;
        inactivity-timeout never;
    }
    application bert-kar {
        protocol tcp;
        source-port 0-65535;
        destination-port 1337;
        inactivity-timeout never;
    }
    /* Not referenced by any policy in this output (the policy uses junos-nfs). */
    application bert-nfs {
        protocol tcp;
        source-port 0-65535;
        destination-port 2049;
        inactivity-timeout never;
    }
    application bert-submission {
        protocol tcp;
        source-port 0-65535;
        destination-port 587;
        inactivity-timeout never;
    }
}
vlans {
    vlan-trust {
        vlan-id 3;
        l3-interface vlan.0;
    }
}