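/*
 * SRX perimeter firewall "firewall-demo".
 * Three internal VLANs (10/20/30) behind ge-0/0/0 in zone Trust, one public
 * interface ge-0/0/1 in zone Untrust.  Inbound services on the public address
 * are destination-NATed to hosts in VLAN 10; all internal hosts source-NAT to
 * the external interface address.
 *
 * Review notes (not config): see the inline comments marked "review".
 */
system {
    host-name firewall-demo;
    time-zone GMT-6;
    authentication-order password;
    /*
     * review: this is the only login account in the configuration (no
     * "login user" stanza), so root is the sole way onto the box.  The value
     * below is not a recognisable password hash format; regenerate it with
     * "set system root-authentication plain-text-password" and add a named
     * super-user account before denying root SSH logins.
     */
    root-authentication {
        encrypted-password "asdkjas[98y34tbfp;hsdfo[ihas]goj"; ## SECRET-DATA
    }
    name-server {
        208.67.222.222;
        208.67.220.220;
    }
    services {
        /* SSHv2 only; no web-management is enabled, so SSH is the management path. */
        ssh {
            protocol-version v2;
        }
        /* DHCP server for VLAN 20 only (gateway is ge-0/0/0.20, 10.2.1.1). */
        dhcp {
            pool 10.2.1.0/24 {
                address-range low 10.2.1.10 high 10.2.1.200;
                domain-name domain.com; /* review: placeholder domain, replace before deployment */
                name-server {
                    208.67.222.222;
                    208.67.220.220;
                }
                router {
                    10.2.1.1;
                }
            }
        }
    }
    syslog {
        user * {
            any emergency;
        }
        file messages {
            any any;
            authorization info;
        }
        /* Audit trail of every CLI command entered on the device. */
        file interactive-commands {
            interactive-commands any;
        }
        /*
         * RT_FLOW_SESSION_CREATE is only emitted by policies that log on
         * session-init; the permit policies below log both init and close so
         * this file is actually populated.
         */
        file allowed-traffic {
            any any;
            match RT_FLOW_SESSION_CREATE;
        }
        /*
         * RT_FLOW_SESSION_DENY is emitted at session-init for deny policies
         * (a denied flow never reaches session-close).
         */
        file blocked-traffic {
            any any;
            match RT_FLOW_SESSION_DENY;
        }
    }
    /* review: NTP is unauthenticated; acceptable for a demo, consider
       authentication-key / trusted-key for production. */
    ntp {
        server 192.5.41.40 prefer;
        server 192.5.41.41;
    }
}
interfaces {
    ge-0/0/0 {
        description "Internal Interface";
        vlan-tagging;
        /* VLAN 10: server segment (subversion/web/ftp hosts live here). */
        unit 10 {
            vlan-id 10;
            family inet {
                address 10.1.1.1/24;
            }
        }
        /* VLAN 20: DHCP client segment. */
        unit 20 {
            vlan-id 20;
            family inet {
                address 10.2.1.1/24;
            }
        }
        unit 30 {
            vlan-id 30;
            family inet {
                address 10.3.1.1/24;
            }
        }
    }
    ge-0/0/1 {
        description "External Interface";
        unit 0 {
            family inet {
                address 12.35.45.202/24; ##guessing on the subnet mask here
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 12.35.45.1; ##guessing on the default gateway as well
    }
}
security {
    nat {
        /* Outbound: hide all RFC1918 10/8 sources behind the ge-0/0/1.0 address. */
        source {
            rule-set outbound {
                from zone Trust;
                to zone Untrust;
                rule outbound-rule {
                    match {
                        source-address 10.0.0.0/8;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
        /*
         * Inbound: three ports on the public address are forwarded to three
         * distinct hosts in VLAN 10.  The pools intentionally mirror the
         * Trust address-book entries below; keep the two in sync.
         */
        destination {
            pool subversion {
                address 10.1.1.35/32;
            }
            pool web {
                address 10.1.1.36/32;
            }
            pool ftp {
                address 10.1.1.37/32;
            }
            rule-set inbound {
                from zone Untrust;
                /* review: tcp/22 on the public IP is handed to the svn host, so
                   the SRX itself is not reachable over SSH from Untrust. */
                rule subversion-nat {
                    match {
                        destination-address 12.35.45.202/32;
                        destination-port 22;
                    }
                    then {
                        destination-nat pool subversion;
                    }
                }
                rule web-nat {
                    match {
                        destination-address 12.35.45.202/32;
                        destination-port 80;
                    }
                    then {
                        destination-nat pool web;
                    }
                }
                rule ftp-nat {
                    match {
                        destination-address 12.35.45.202/32;
                        destination-port 21;
                    }
                    then {
                        destination-nat pool ftp;
                    }
                }
            }
        }
    }
    screen {
        /* Anti-recon / anti-DoS screen applied to the Untrust zone only. */
        ids-option Untrust_screen {
            icmp {
                /* review: threshold is an interval in microseconds, not a
                   packet count -- confirm 1000 is the intended sensitivity. */
                ip-sweep threshold 1000;
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                fin-no-ack;
                port-scan threshold 1000;
                /* syn-flood timeout is explicitly pinned to the Junos default (20 s). */
                syn-flood {
                    timeout 20;
                }
                land;
            }
        }
    }
    zones {
        security-zone Trust {
            tcp-rst;
            address-book {
                address subversion-server 10.1.1.35/32;
                address web-server 10.1.1.36/32;
                address ftp-server 10.1.1.37/32;
            }
            /*
             * Least privilege: only the services the device actually offers
             * inward are accepted -- SSH management, ICMP for troubleshooting
             * and the DHCP server for VLAN 20.  No dynamic routing protocol is
             * configured (routing-options is static only), so no protocols
             * are opened.  Previously "all" / "all".
             */
            host-inbound-traffic {
                system-services {
                    ssh;
                    ping;
                    dhcp;
                }
            }
            interfaces {
                ge-0/0/0.10;
                ge-0/0/0.20;
                ge-0/0/0.30;
            }
        }
        security-zone Untrust {
            screen Untrust_screen;
            interfaces {
                ge-0/0/1.0 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                            /* review: no "security ike"/"ipsec" stanza exists in this
                               configuration; if no VPN is planned, remove ike. */
                            ike;
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone Untrust to-zone Trust {
            /* review: SSH is exposed to any source; restrict source-address or
               front it with a screen/rate limit if the host is not hardened. */
            policy subversion {
                match {
                    source-address any;
                    destination-address subversion-server;
                    application junos-ssh;
                }
                then {
                    permit;
                    log {
                        session-init;
                        session-close;
                    }
                }
            }
            /* review: FTP carries credentials in clear text; prefer SFTP or FTPS. */
            policy ftp {
                match {
                    source-address any;
                    destination-address ftp-server;
                    application junos-ftp;
                }
                then {
                    permit;
                    log {
                        session-init;
                        session-close;
                    }
                }
            }
            policy web {
                match {
                    source-address any;
                    destination-address web-server;
                    application junos-http;
                }
                then {
                    permit;
                    log {
                        session-init;
                        session-close;
                    }
                }
            }
            /*
             * Explicit catch-all.  Deny policies must log on session-init:
             * a denied flow never produces a session-close event, so the
             * original "session-close" here would have logged nothing and the
             * blocked-traffic syslog file would have stayed empty.
             */
            policy default-deny {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    deny;
                    log {
                        session-init;
                    }
                    count;
                }
            }
        }
        /* review: inter-VLAN traffic (10 <-> 20 <-> 30) is unrestricted and
           unlogged; the DHCP client VLAN can reach the server VLAN directly. */
        from-zone Trust to-zone Trust {
            policy permit-intra-trust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone Trust to-zone Untrust {
            policy permit-outbound {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                    log {
                        session-init;
                        session-close;
                    }
                    count;
                }
            }
        }
    }
    flow {
        /* Drop non-SYN first packets; defeats ACK scans and session hijack attempts. */
        tcp-session {
            strict-syn-check;
        }
    }
}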