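## Last commit: 2012-09-20 17:45:29 BST by jim
/* Junos (J4350, 10.2R3) flow-mode firewall/router configuration as collected by
   rancid. The credential blocks (root-authentication, user authentication) are
   empty in this copy, which is consistent with the collector stripping secrets;
   the file will not commit as-is without them. Reviewer annotations are marked
   REVIEW. One dangling reference was corrected: the inactive term
   4_routeViaTransparentProxy under filter 4_outbound_traffic named a routing
   instance "TransparentProxy" that does not exist; the instance is
   TransparentProxyVR (as the active term in 4_incoming already uses). */
version 10.2R3.10;
system {
    host-name j4350;
    domain-name router.wildern.hants.sch.uk;
    time-zone Europe/London;
    root-authentication {
    }
    name-server {
        192.168.45.199;
    }
    login {
        /* rancid collector class: every listed permission is a view-level one
           (the modifying variants are the *-control permissions), which is the
           appropriate scope for a config-backup account. */
        class rancid {
            permissions [ access admin firewall flow-tap interface routing security snmp system trace view view-configuration ];
        }
        user jim {
            uid 2000;
            class super-user;
            authentication {
            }
        }
        user rancid {
            uid 2001;
            class rancid;
            authentication {
            }
        }
    }
    services {
        ssh {
            root-login deny;
            /* REVIEW: v1 is still negotiable alongside v2; restricting this to
               "protocol-version v2;" removes the legacy protocol. */
            protocol-version [ v1 v2 ];
        }
        /* REVIEW: telnet and plaintext web-management http are both enabled and
           both are admitted by the management zone's host-inbound-traffic below;
           they carry logins in the clear. If they are not needed, remove them
           (or switch web-management to https). */
        telnet;
        web-management {
            http;
        }
    }
    syslog {
        /* REVIEW: the only remote syslog destination is inactive, so "any error"
           goes nowhere off-box and firewall log/syslog actions land only in the
           local file "filter". Re-enabling a remote collector is the single
           biggest detection improvement available in this config. */
        inactive: host 192.168.12.101 {
            any error;
            firewall any;
        }
        file filter {
            firewall any;
        }
    }
    ntp {
        server 192.168.0.22;
    }
}
interfaces {
    /* Single tagged trunk; every zone is a VLAN sub-unit of ge-0/0/0. */
    ge-0/0/0 {
        vlan-tagging;
        /* Internal management VLAN; the only unit with ingress/egress filters. */
        unit 0 {
            description Management;
            vlan-id 1;
            family inet {
                filter {
                    input 4_incoming;
                    output 4_outbound_traffic;
                }
                inactive: sampling {
                    input;
                    output;
                }
                address 192.168.51.13/24;
            }
            family inet6 {
                address 2A02:2458:1:0151::13/64;
            }
        }
        inactive: unit 1 {
            description "NetworkFlow VR Management";
            vlan-id 1;
            family inet {
                address 192.168.51.11/24;
            }
            family inet6 {
                address 2A02:2458:1:0100::51:1/64;
            }
        }
        unit 16 {
            description Hants-ext;
            vlan-id 16;
            family inet {
                address 10.36.80.50/24;
            }
        }
        /* Public-addressed DMZ (217.20.18.48/29) plus a private overlay. */
        unit 18 {
            description NetworkFlow-DMZ;
            vlan-id 18;
            family inet {
                inactive: sampling {
                    input;
                    output;
                }
                address 217.20.18.49/29;
                address 172.16.18.1/24;
            }
            family inet6 {
                address 2A02:2458:1:0100:0000:0000:0000:0001/64;
            }
        }
        unit 128 {
            description DMZ;
            vlan-id 128;
            family inet {
                inactive: sampling {
                    input;
                    output;
                }
                address 10.249.16.129/25;
            }
        }
        /* Point-to-point uplink to the NetworkFlow provider (default route source). */
        unit 150 {
            description NetworkFlow-PTP;
            vlan-id 150;
            family inet {
                inactive: sampling {
                    input;
                    output;
                }
                address 217.20.31.146/30;
            }
            family inet6 {
                address 2A02:2458:1:8::2/64;
            }
        }
        unit 545 {
            description "Servers (for transparent proxy)";
            vlan-id 545;
            family inet {
                address 192.168.45.13/24;
            }
        }
        inactive: unit 666 {
            description Development;
            vlan-id 666;
            family inet {
                address 192.168.12.246/24;
            }
        }
    }
}
forwarding-options {
    /* NOTE(review): every interface "sampling" stanza above is inactive, so this
       capture target appears to receive nothing at present — confirm before
       relying on it for forensics. */
    packet-capture {
        file filename junipercapture files 50;
        maximum-capture-size 1500;
    }
}
snmp {
    /* REVIEW: "public" is the well-known default community. Exposure is limited
       (read-only, two client prefixes), but a non-default string or SNMPv3 would
       remove the guessable name. */
    community public {
        authorization read-only;
        clients {
            192.168.51.9/32;
            192.168.12.0/24;
        }
    }
    traceoptions {
        file SNMP-trace.log;
    }
}
routing-options {
    instance-import Wildern_non-inet-routes;
}
policy-options {
    /* Route leaking between the virtual routers; each statement exports exact
       prefixes from one VR so another VR can import them. */
    policy-statement Hants_routes {
        term first {
            from {
                instance HantsVR;
                route-filter 172.16.0.0/16 exact;
                route-filter 10.249.16.128/25 exact;
                route-filter 10.36.80.0/24 exact;
                route-filter 172.25.0.0/16 exact;
                route-filter 172.17.0.0/16 exact;
                route-filter 172.27.0.0/16 exact;
                route-filter 172.28.0.0/16 exact;
            }
            then accept;
        }
    }
    policy-statement NetworkFlow_VR-routes {
        term first {
            from {
                instance NetworkFlowVR;
                route-filter 217.20.18.48/29 exact;
            }
            then accept;
        }
    }
    policy-statement Wildern_non-inet-routes {
        term first {
            from {
                instance WildernVR;
                route-filter 192.168.0.0/16 exact;
                route-filter 10.217.163.0/24 exact;
                route-filter 172.19.0.0/16 exact;
            }
            then accept;
        }
    }
    /* Only the NetworkFlowVR default is imported; the Hants default is inactive. */
    policy-statement default-route {
        inactive: term HantsGW {
            from {
                instance HantsVR;
                route-filter 0.0.0.0/0 exact;
            }
            then accept;
        }
        term NetworkFlowGW {
            from {
                instance NetworkFlowVR;
                route-filter 0.0.0.0/0 exact;
            }
            then accept;
        }
        term last {
            then reject;
        }
    }
}
security {
    nat {
        source {
            /* source-nat-pool1 is defined but not referenced by any rule-set here. */
            pool source-nat-pool1 {
                address {
                    10.249.16.129/32;
                }
            }
            pool source-nat-pool2 {
                address {
                    217.20.18.49/32;
                }
            }
            pool Hants-source-nat-pool1 {
                address {
                    10.36.80.50/32;
                }
            }
            rule-set NetworkFlow-outbound-source-NAT {
                from zone management;
                to zone NetworkFlow;
                rule source-nat2 {
                    match {
                        source-address [ 192.168.0.0/16 10.217.163.0/24 ];
                    }
                    then {
                        source-nat {
                            pool {
                                source-nat-pool2;
                            }
                        }
                    }
                }
            }
            rule-set NetworkFlow-DMZ-outbound-NAT {
                from zone NetworkFlow-DMZ;
                to zone NetworkFlow;
                rule source-nat4 {
                    match {
                        source-address 172.16.18.0/24;
                    }
                    then {
                        source-nat {
                            pool {
                                source-nat-pool2;
                            }
                        }
                    }
                }
            }
            rule-set Hants-ext-outbound-NAT {
                from zone management;
                to zone Hants-ext;
                rule source-nat5 {
                    match {
                        source-address [ 192.168.0.0/16 10.217.163.0/24 ];
                    }
                    then {
                        source-nat {
                            pool {
                                Hants-source-nat-pool1;
                            }
                        }
                    }
                }
            }
        }
        /* Destination NAT: non-standard external ports on the NetworkFlow-DMZ
           address 217.20.18.49 are forwarded to internal hosts. Which of these
           are actually reachable is decided by the zone policies further down,
           not by the NAT rules. */
        destination {
            pool VNChosts {
                address 192.168.12.101/32 port 5500;
            }
            pool QTStreamingHosts {
                address 192.168.0.5/32;
            }
            pool scubahosts {
                address 192.168.45.104/32 port 3389;
            }
            pool rdesktop_dj {
                address 10.217.163.124/32 port 3389;
            }
            pool gameclub {
                address 192.168.45.112/32 port 25565;
            }
            pool governor-simcoe {
                address 192.168.12.31/32 port 22;
            }
            pool geniusbar-ftp {
                address 192.168.45.157/32 port 21;
            }
            pool managementbox {
                address 192.168.51.251/32 port 5900;
            }
            pool geniusbar-ssh {
                address 192.168.45.157/32 port 22;
            }
            /* The loadbalancer-*, blomidon-*, bedford-ssh, gameclub and
               QTStreamingHosts pools are not referenced by any rule below. */
            pool loadbalancer-http {
                address 192.168.45.122/32 port 80;
            }
            pool loadbalancer-https {
                address 192.168.45.122/32 port 443;
            }
            pool loadbalancer-smtp {
                address 10.249.16.132/32 port 25;
            }
            pool loadbalancer-ssh {
                address 10.249.16.132/32 port 22;
            }
            pool blomidon-http {
                address 192.168.45.154/32 port 80;
            }
            pool blomidon-https {
                address 192.168.45.154/32 port 443;
            }
            pool blomidon-smtp {
                address 192.168.45.154/32 port 25;
            }
            pool blomidon-ssh {
                address 192.168.45.154/32 port 22;
            }
            pool bedford-ssh {
                address 192.168.45.152/32 port 22;
            }
            inactive: pool proxy-http {
                address 192.168.45.147/32 port 80;
            }
            /* Whole rule-set inactive: the Hants-ext path no longer forwards. */
            inactive: rule-set hants-nat {
                from zone Hants-ext;
                rule VNC {
                    match {
                        destination-address 10.249.16.129/32;
                        destination-port 5500;
                    }
                    then {
                        destination-nat pool VNChosts;
                    }
                }
                rule rdesktop {
                    match {
                        destination-address 10.249.16.129/32;
                        destination-port 13389;
                    }
                    then {
                        destination-nat pool scubahosts;
                    }
                }
                inactive: rule rdesktop_dj {
                    match {
                        destination-address 10.249.16.129/32;
                        destination-port 13390;
                    }
                    then {
                        destination-nat pool rdesktop_dj;
                    }
                }
                rule git_to_governor-simcoe {
                    match {
                        destination-address 10.249.16.129/32;
                        destination-port 64222;
                    }
                    then {
                        destination-nat pool governor-simcoe;
                    }
                }
                rule geniusbar-ftp {
                    match {
                        destination-address 10.249.16.129/32;
                        destination-port 23421;
                    }
                    then {
                        destination-nat pool geniusbar-ftp;
                    }
                }
                inactive: rule managementbox-vnc {
                    match {
                        destination-address 10.249.16.129/32;
                        destination-port 25900;
                    }
                    then {
                        destination-nat pool managementbox;
                    }
                }
                rule geniusbar-ssh {
                    match {
                        destination-address 10.249.16.129/32;
                        destination-port 23422;
                    }
                    then {
                        destination-nat pool geniusbar-ssh;
                    }
                }
            }
            rule-set NetworkFlow-NAT {
                from zone NetworkFlow;
                inactive: rule VNC {
                    match {
                        destination-address 10.249.16.129/32;
                        destination-port 5500;
                    }
                    then {
                        destination-nat pool VNChosts;
                    }
                }
                rule rdesktop {
                    match {
                        destination-address 217.20.18.49/32;
                        destination-port 13389;
                    }
                    then {
                        destination-nat pool scubahosts;
                    }
                }
                rule git_to_governor-simcoe {
                    match {
                        destination-address 217.20.18.49/32;
                        destination-port 64222;
                    }
                    then {
                        destination-nat pool governor-simcoe;
                    }
                }
                rule geniusbar-ftp {
                    match {
                        destination-address 217.20.18.49/32;
                        destination-port 23421;
                    }
                    then {
                        destination-nat pool geniusbar-ftp;
                    }
                }
                rule geniusbar-ssh {
                    match {
                        destination-address 217.20.18.49/32;
                        destination-port 23422;
                    }
                    then {
                        destination-nat pool geniusbar-ssh;
                    }
                }
            }
            inactive: rule-set TransparentProxy {
                from zone management;
                rule RedirectToProxy {
                    match {
                        source-address 192.168.98.0/23;
                        destination-address 0.0.0.0/0;
                        destination-port 80;
                    }
                    then {
                        destination-nat pool proxy-http;
                    }
                }
            }
        }
    }
    zones {
        /* Internal zone holding the management, curriculum, server, admin and
           wireless address objects used as policy sources. */
        security-zone management {
            address-book {
                address server-4127dc01 192.168.0.11/32;
                address server-earliglow 192.168.0.22/32;
                address Development 192.168.12.0/24;
                address Management 192.168.51.0/24;
                address Curriculum 192.168.0.0/22;
                address Wireless 192.168.90.0/23;
                address server-bedford 192.168.0.9/32;
                address testbox-debian 192.168.51.253/32;
                address Servers 192.168.45.0/24;
                address loadbalanced-OUT 10.249.16.132/32;
                address tBG 192.168.133.0/24;
                address VNChost-jim 192.168.12.101/32;
                address server-paxton 192.168.0.5/32;
                address server-eros 192.168.0.30/32;
                address server-4127dc02 192.168.0.12/32;
                address server-camarosa 192.168.0.16/32;
                address server-cache02 192.168.0.39/32;
                address server-veestar 192.168.0.27/32;
                address server-latestar 192.168.0.26/32;
                address server-scuba 192.168.45.104/32;
                address client-ScubaMgmt 62.3.96.110/32;
                address service-piratesonline 198.105.196.91/32;
                address Admin 10.217.163.0/24;
                address client-ScubaEPOS-leisure 10.217.163.106/32;
                address Voice 192.168.70.0/24;
                address google1 216.239.32.0/19;
                address google2 64.233.160.0/19;
                address google3 66.249.80.0/20;
                address google4 72.14.192.0/18;
                address google5 209.85.128.0/17;
                address google6 66.102.0.0/20;
                address google7 74.125.0.0/16;
                address google8 64.18.0.0/20;
                address google9 207.126.144.0/20;
                address google10 173.194.0.0/16;
                address client-DJadminpc 10.217.163.124/32;
                address server-cache03 192.168.0.48/32;
                address server-gameclub 192.168.45.112/32;
                address server-cdc02 192.168.0.18/32;
                address server-dnsvip 192.168.45.199/32;
                address server-ldapvip 192.168.45.210/32;
                address server-radius03 192.168.45.173/32;
                address server-governorsimcoe 192.168.12.31/32;
                address server-whitepine 192.168.45.157/32;
                address client-managementbox 192.168.51.251/32;
                address server-pegasus 192.168.45.153/32;
                address server-blomidon 192.168.45.154/32;
                address-set webservers {
                    address server-blomidon;
                    address server-pegasus;
                    address server-bedford;
                }
                address-set legacy-curriculumservers {
                    address server-4127dc01;
                    address server-4127dc02;
                    address server-camarosa;
                    address server-eros;
                    address server-cache02;
                    address server-veestar;
                    address server-latestar;
                    address server-earliglow;
                    address server-cache03;
                    address server-cdc02;
                }
                /* The google-nets set referenced by policy googleIMAP-OUT is the
                   one in the Hants-ext (destination) zone, not this inactive copy. */
                inactive: address-set google-nets {
                    address google1;
                    address google2;
                    address google3;
                    address google4;
                    address google5;
                    address google6;
                    address google7;
                    address google8;
                    address google9;
                    address google10;
                }
                address-set dnsservers {
                    address server-dnsvip;
                    address server-4127dc01;
                }
                address-set ldapservers {
                    address server-ldapvip;
                }
                address-set radiusservers {
                    address server-radius03;
                }
            }
            host-inbound-traffic {
                /* REVIEW: "all" already admits every system service from this zone,
                   so the explicit telnet/ssh/http/ping/snmp entries are redundant.
                   If management is meant to be ssh/snmp/ping only, drop "all",
                   "telnet" and "http" here. Note filter 4_incoming ends in an
                   accept-all term, so it does not narrow this either. */
                system-services {
                    telnet;
                    ssh;
                    http;
                    ping;
                    all;
                    snmp;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                ge-0/0/0.0;
            }
        }
        security-zone DMZ {
            address-book {
                address loadbalancer-DMZ 10.249.16.132/32;
                address security-asa5510 10.249.16.130/32;
                address temp-debianbox 10.249.16.140/32;
                /* server-paxton and server-webconf are the same host address. */
                address server-paxton 10.249.16.134/32;
                address server-webconf 10.249.16.134/32;
                address server-minecraft 10.249.16.135/32;
                address server-blomidon 10.249.16.154/32;
                address server-pegasus 10.249.16.153/32;
                address server-blomidon-int 192.168.45.154/32;
                address server-pegasus-int 192.168.45.153/32;
                address-set http-servers {
                    address server-pegasus;
                    address server-blomidon;
                    address loadbalancer-DMZ;
                    address server-blomidon-int;
                    address server-pegasus-int;
                }
            }
            host-inbound-traffic {
                system-services {
                    ping;
                }
            }
            interfaces {
                ge-0/0/0.128;
            }
        }
        security-zone Hants-ext {
            address-book {
                address client-ScubaMgmt 62.3.96.110/32;
                address service-piratesonline 198.105.196.91/32;
                address google1 216.239.32.0/19;
                address google2 64.233.160.0/19;
                address google3 66.249.80.0/20;
                address google4 72.14.192.0/18;
                address google5 209.85.128.0/17;
                address google6 66.102.0.0/20;
                address google7 74.125.0.0/16;
                address google8 64.18.0.0/20;
                address google9 207.126.144.0/20;
                address google10 173.194.0.0/16;
                address apple-akamai1 77.67.21.65/32;
                address apple-akamai2 77.67.21.43/32;
                address apple-itunes1 17.112.176.11/32;
                address apple-itunes2 17.112.200.65/32;
                address-set google-nets {
                    address google1;
                    address google2;
                    address google3;
                    address google4;
                    address google5;
                    address google6;
                    address google7;
                    address google8;
                    address google9;
                    address google10;
                }
                address-set apple-itunes {
                    address apple-itunes1;
                    address apple-itunes2;
                    address apple-akamai1;
                    address apple-akamai2;
                }
            }
            host-inbound-traffic {
                system-services {
                    ping;
                }
            }
            interfaces {
                ge-0/0/0.16;
            }
        }
        /* Internet-facing uplink zone; only ping is admitted to the device itself. */
        security-zone NetworkFlow {
            address-book {
                address client-ScubaMgmt 62.3.96.110/32;
            }
            interfaces {
                ge-0/0/0.150 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                        }
                    }
                }
            }
        }
        security-zone NetworkFlow-DMZ {
            address-book {
                address loadbalancer-DMZ 217.20.18.51/32;
                address security-asa5510 217.20.18.50/32;
            }
            interfaces {
                ge-0/0/0.18 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                        }
                    }
                }
            }
        }
        security-zone Servers {
            interfaces {
                ge-0/0/0.545;
            }
        }
    }
    /* REVIEW (applies to the whole policies block): no policy logs sessions.
       Adding "log { session-init; session-close; }" under "then" on the permit
       policies that face NetworkFlow, NetworkFlow-DMZ and Hants-ext — and
       re-enabling the remote syslog host — would give the traffic audit trail
       that is currently missing. Policies are evaluated top-down per zone pair;
       the first match wins. */
    policies {
        from-zone DMZ to-zone management {
            inactive: policy allowALL {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
            policy allow-dns {
                match {
                    source-address any;
                    destination-address dnsservers;
                    application [ junos-dns-tcp junos-dns-udp ];
                }
                then {
                    permit;
                }
            }
            policy allow-ntp {
                match {
                    source-address any;
                    destination-address server-earliglow;
                    application junos-ntp;
                }
                then {
                    permit;
                }
            }
            /* The VPN concentrator gets unrestricted access into the internal zone. */
            policy allow-asa {
                match {
                    source-address security-asa5510;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
            /* REVIEW: identical match to allow-asa above, so this policy is never
               reached; remove it or give it the narrower match it was meant to have. */
            policy allow-NAT-VPN-traffic {
                match {
                    source-address security-asa5510;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
            policy allow-ldap {
                match {
                    source-address any;
                    destination-address ldapservers;
                    application junos-ldap;
                }
                then {
                    permit;
                }
            }
        }
        from-zone management to-zone DMZ {
            policy DMZ-management {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone DMZ to-zone Hants-ext {
            policy DMZ-out {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone Hants-ext to-zone DMZ {
            policy allow-ICMP {
                match {
                    source-address any;
                    destination-address any;
                    application junos-icmp-all;
                }
                then {
                    permit;
                }
            }
            inactive: policy allow-HTTP {
                match {
                    source-address any;
                    destination-address loadbalancer-DMZ;
                    application [ junos-http junos-https ];
                }
                then {
                    permit;
                }
            }
            policy allow-loadbalanced {
                match {
                    source-address any;
                    destination-address loadbalancer-DMZ;
                    application [ junos-http junos-https junos-ssh junos-smtp ];
                }
                then {
                    permit;
                }
            }
            inactive: policy to-testbox {
                match {
                    source-address any;
                    destination-address temp-debianbox;
                    application any;
                }
                then {
                    permit;
                }
            }
            policy allow-IPSec {
                match {
                    source-address any;
                    destination-address security-asa5510;
                    application [ junos-ike junos-ike-nat Cisco-IPSec junos-l2tp junos-gre Cisco-L2TP ];
                }
                then {
                    permit;
                }
            }
            inactive: policy allow-IPSec-all-test {
                match {
                    source-address any;
                    destination-address security-asa5510;
                    application any;
                }
                then {
                    permit;
                }
            }
            inactive: policy allow-RTSP {
                match {
                    source-address any;
                    destination-address server-paxton;
                    application any;
                }
                then {
                    permit;
                }
            }
            policy allow-bbb-traffic {
                match {
                    source-address any;
                    destination-address server-webconf;
                    application jim-bbb;
                }
                then {
                    permit;
                }
            }
            policy allow-minecraft-DMZ {
                match {
                    source-address any;
                    destination-address server-minecraft;
                    application jim-gameclub;
                }
                then {
                    permit;
                }
            }
        }
        /* Outbound to the Hants network: per-source-network permits, with the
           curriculum/wireless networks limited to a handful of destinations and
           applications rather than "any". */
        from-zone management to-zone Hants-ext {
            policy management-OUT {
                match {
                    source-address Management;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
            policy development-OUT {
                match {
                    source-address Development;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
            policy servers-OUT {
                match {
                    source-address Servers;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
            policy loadbalanced-OUT {
                match {
                    source-address loadbalanced-OUT;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
            policy tBG-OUT {
                match {
                    source-address tBG;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
            policy legacyservers-OUT {
                match {
                    source-address legacy-curriculumservers;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
            policy piratesonline-OUT {
                match {
                    source-address Curriculum;
                    destination-address service-piratesonline;
                    application any;
                }
                then {
                    permit;
                }
            }
            policy admin-OUT {
                match {
                    source-address Admin;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
            policy voice-OUT {
                match {
                    source-address Voice;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
            policy spotifyAuth-OUT {
                match {
                    source-address [ Curriculum Wireless ];
                    destination-address any;
                    application spotifyAuth;
                }
                then {
                    permit;
                }
            }
            policy googleIMAP-OUT {
                match {
                    source-address Wireless;
                    destination-address google-nets;
                    application [ junos-imap junos-imaps jim-SSMTP ];
                }
                then {
                    permit;
                }
            }
            policy itunes-OUT {
                match {
                    source-address Wireless;
                    destination-address apple-itunes;
                    application any;
                }
                then {
                    permit;
                }
            }
            policy bbb-OUT {
                match {
                    source-address [ Management Curriculum Wireless ];
                    destination-address any;
                    application jim-bbb;
                }
                then {
                    permit;
                }
            }
        }
        from-zone management to-zone management {
            policy allow {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        /* Inbound from Hants-ext into the internal zone (pairs with the now
           inactive hants-nat rule-set). REVIEW: allow-ftp-whitepine admits
           cleartext FTP from any Hants-ext source; the SFTP path via
           allow-ssh-whitepine already exists, so the FTP permit may be retirable. */
        from-zone Hants-ext to-zone management {
            policy allow-scuba-access {
                match {
                    source-address client-ScubaMgmt;
                    destination-address server-scuba;
                    application jim-RDP;
                }
                then {
                    permit;
                }
            }
            inactive: policy allow-dj-rdesktop-access {
                match {
                    source-address any;
                    destination-address client-DJadminpc;
                    application jim-RDP;
                }
                then {
                    permit;
                }
            }
            policy allow-minecraft-gameclub {
                match {
                    source-address any;
                    destination-address server-gameclub;
                    application jim-gameclub;
                }
                then {
                    permit;
                }
            }
            policy allow-git-governorsimcoe {
                match {
                    source-address any;
                    destination-address server-governorsimcoe;
                    application junos-ssh;
                }
                then {
                    permit;
                }
            }
            policy allow-ftp-whitepine {
                match {
                    source-address any;
                    destination-address server-whitepine;
                    application junos-ftp;
                }
                then {
                    permit;
                }
            }
            inactive: policy allow-vnc-managementbox {
                match {
                    source-address any;
                    destination-address client-managementbox;
                    application jim-VNC;
                }
                then {
                    permit;
                }
            }
            policy allow-ssh-whitepine {
                match {
                    source-address any;
                    destination-address server-whitepine;
                    application junos-ssh;
                }
                then {
                    permit;
                }
            }
        }
        /* REVIEW: all-OUT (last) permits any/any/any, which makes the four
           per-network policies before it redundant and means every internal
           address — not just the named networks — can reach the Internet via
           NetworkFlow. Either drop all-OUT or drop the four it shadows. */
        from-zone management to-zone NetworkFlow {
            policy development-OUT {
                match {
                    source-address Development;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
            policy servers-OUT {
                match {
                    source-address Servers;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
            policy management-OUT {
                match {
                    source-address Management;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
            policy admin-OUT {
                match {
                    source-address Admin;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
            policy all-OUT {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone NetworkFlow to-zone DMZ {
            policy allow-ICMP {
                match {
                    source-address any;
                    destination-address any;
                    application junos-icmp-all;
                }
                then {
                    permit;
                }
            }
            policy allow-loadbalanced {
                match {
                    source-address any;
                    destination-address loadbalancer-DMZ;
                    application [ junos-http junos-https junos-ssh junos-smtp ];
                }
                then {
                    permit;
                }
            }
            policy allow-IPSec {
                match {
                    source-address any;
                    destination-address security-asa5510;
                    application [ junos-ike junos-ike-nat Cisco-IPSec junos-l2tp junos-gre Cisco-L2TP ];
                }
                then {
                    permit;
                }
            }
            policy allow-bbb-traffic {
                match {
                    source-address any;
                    destination-address server-webconf;
                    application jim-bbb;
                }
                then {
                    permit;
                }
            }
            policy allow-minecraft-DMZ {
                match {
                    source-address any;
                    destination-address server-minecraft;
                    application jim-gameclub;
                }
                then {
                    permit;
                }
            }
        }
        from-zone DMZ to-zone NetworkFlow {
            policy servers-OUT {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone NetworkFlow-DMZ to-zone NetworkFlow {
            policy allow-ALL {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        /* REVIEW: this lets any host in the public-addressed NetworkFlow-DMZ
           initiate any application into the internal management zone, so a
           compromised DMZ host is one hop from the internal network. Narrowing
           it to the specific internal services the DMZ needs (the DMZ-to-
           management block above shows the pattern) would contain that. */
        from-zone NetworkFlow-DMZ to-zone management {
            policy allow-ALL {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone management to-zone NetworkFlow-DMZ {
            policy allow-ALL {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone NetworkFlow to-zone NetworkFlow-DMZ {
            policy allow-ICMP {
                match {
                    source-address any;
                    destination-address any;
                    application junos-icmp-all;
                }
                then {
                    permit;
                }
            }
            policy allow-loadbalanced {
                match {
                    source-address any;
                    destination-address loadbalancer-DMZ;
                    application [ junos-http junos-https junos-ssh junos-smtp ];
                }
                then {
                    permit;
                }
            }
            policy allow-IPSec {
                match {
                    source-address any;
                    destination-address security-asa5510;
                    application [ junos-ike junos-ike-nat Cisco-IPSec junos-l2tp junos-gre Cisco-L2TP ];
                }
                then {
                    permit;
                }
            }
            /* NOTE(review): server-minecraft is not defined in the NetworkFlow-DMZ
               address book on this page; activating this policy would need the
               address object added first. */
            inactive: policy allow-minecraft-DMZ {
                match {
                    source-address any;
                    destination-address server-minecraft;
                    application jim-gameclub;
                }
                then {
                    permit;
                }
            }
            inactive: policy allow-ALL {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        /* Inbound from the Internet into the internal zone; these are the
           policies that make the NetworkFlow-NAT destination rules effective. */
        from-zone NetworkFlow to-zone management {
            policy allow-scuba-access {
                match {
                    source-address client-ScubaMgmt;
                    destination-address server-scuba;
                    application jim-RDP;
                }
                then {
                    permit;
                }
            }
            policy allow-minecraft-gameclub {
                match {
                    source-address any;
                    destination-address server-gameclub;
                    application jim-gameclub;
                }
                then {
                    permit;
                }
            }
            policy allow-git-governorsimcoe {
                match {
                    source-address any;
                    destination-address server-governorsimcoe;
                    application junos-ssh;
                }
                then {
                    permit;
                }
            }
            policy allow-ftp-whitepine {
                match {
                    source-address any;
                    destination-address server-whitepine;
                    application junos-ftp;
                }
                then {
                    permit;
                }
            }
            policy allow-ssh-whitepine {
                match {
                    source-address any;
                    destination-address server-whitepine;
                    application junos-ssh;
                }
                then {
                    permit;
                }
            }
        }
        from-zone management to-zone Servers {
            policy allowall {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        policy-rematch;
    }
    /* IPv6 is flow-based too, so the inet6 addresses on units 0, 18 and 150 are
       subject to the same zone policies; there are no inet6 firewall filters. */
    forwarding-options {
        family {
            inet6 {
                mode flow-based;
            }
        }
    }
    flow {
        traceoptions {
            /* REVIEW: world-readable makes the datapath trace (packet details for
               the filtered host) readable by every login on the device, and
               basic-datapath is a debug flag left enabled in production; remove
               both once the troubleshooting that needed them is finished. */
            file DebugTraffic size 1m files 2 world-readable;
            flag basic-datapath;
            packet-filter MatchTraffic {
                source-prefix 192.168.98.51/32;
            }
            inactive: packet-filter MatchTrafficReverse {
                source-prefix 84.18.193.2/32;
                destination-prefix 217.20.18.51/32;
            }
        }
        inactive: tcp-session {
            no-syn-check;
        }
    }
}
firewall {
    family inet {
        /* sample-in and host-inbound are not applied to any interface on this page. */
        filter sample-in {
            term default {
                then {
                    sample;
                    accept;
                }
            }
        }
        filter host-inbound {
            term host-inbound-services {
                from {
                    destination-address {
                        217.20.18.49/32;
                        192.168.51.13/32;
                        217.20.31.146/32;
                    }
                }
                then accept;
            }
        }
        /* Ingress filter on ge-0/0/0.0 (management VLAN). Its job is policy-based
           routing of curriculum web traffic into the transparent-proxy instance;
           everything else is accepted by the final term. */
        filter 4_incoming {
            term host-inbound-services {
                from {
                    destination-address {
                        217.20.18.49/32;
                        192.168.51.13/32;
                        217.20.31.146/32;
                    }
                }
                then accept;
            }
            /* The only term with log/syslog actions is inactive. */
            inactive: term logged_addresses {
                from {
                    address {
                        86.167.201.15/32;
                        86.147.242.98/32;
                        86.181.225.188/32;
                        86.3.216.86/32;
                        86.146.102.108/32;
                    }
                }
                then {
                    count packets;
                    log;
                    syslog;
                    sample;
                    next term;
                }
            }
            inactive: term blocked_addresses {
                from {
                    address {
                        86.147.242.98/32;
                        86.167.201.15/32;
                    }
                }
                then {
                    discard;
                }
            }
            /* REVIEW: destination-port without "protocol tcp;" also matches UDP
               datagrams to port 80, which would be diverted to the proxy instance
               and black-holed there; add "protocol tcp;" to the from clause. */
            term 4_routeViaTransparentProxy {
                from {
                    source-address {
                        192.168.98.0/23;
                    }
                    destination-address {
                        0.0.0.0/0;
                    }
                    destination-port http;
                }
                then {
                    count redirected;
                    routing-instance TransparentProxyVR;
                }
            }
            term default {
                then accept;
            }
        }
        filter 4_outbound_traffic {
            term 4_blocked_traffic {
                from {
                    source-address {
                        10.217.163.100/32;
                    }
                }
                then {
                    reject host-prohibited;
                }
            }
            /* Routing-instance name corrected to the instance that actually
               exists (TransparentProxyVR); the previous value would fail commit
               if this term were ever re-activated. */
            inactive: term 4_routeViaTransparentProxy {
                from {
                    source-address {
                        192.168.98.0/23;
                    }
                    destination-port http;
                }
                then {
                    routing-instance TransparentProxyVR;
                }
            }
            term def {
                then accept;
            }
        }
    }
    /* Legacy (family-less) filter; not applied to any interface on this page. */
    filter all {
        term all {
            then {
                sample;
                accept;
            }
        }
    }
}
access {
    /* REVIEW: LDAP over plain port 389 with no TLS configured here; if this is
       used for user authentication, credentials cross the network in the clear.
       NOTE(review): the nested quoting ('…' inside "…") and the "dn=" prefix
       look unusual for a base DN — confirm what the device actually sends. */
    ldap-options {
        base-distinguished-name "'dn=curriculum,dc=wildern,dc=hants,dc=sch,dc=uk'";
        search {
            search-filter "'uid='";
        }
    }
    ldap-server {
        ldap.wildern.hants.sch.uk port 389;
    }
}
/* Four virtual routers keep the Hants, NetworkFlow and internal routing tables
   separate; the policy-statements above leak specific prefixes between them. */
routing-instances {
    HantsVR {
        instance-type virtual-router;
        interface ge-0/0/0.16;
        interface ge-0/0/0.128;
        routing-options {
            static {
                route 172.16.0.0/16 next-hop 10.36.80.1;
                route 172.25.0.0/16 next-hop 10.36.80.1;
                route 172.27.0.0/16 next-hop 10.36.80.1;
                route 172.28.0.0/16 next-hop 10.36.80.1;
            }
            instance-import Wildern_non-inet-routes;
        }
    }
    NetworkFlowVR {
        instance-type virtual-router;
        interface ge-0/0/0.18;
        interface ge-0/0/0.150;
        routing-options {
            /* NOTE(review): rib-group "allroutes" is not defined on this page;
               the statement is inactive, so nothing references it today. */
            inactive: interface-routes {
                rib-group inet allroutes;
            }
            rib NetworkFlowVR.inet6.0 {
                static {
                    route ::/0 next-hop 2A02:2458:1:8::1;
                }
            }
            static {
                route 0.0.0.0/0 next-hop 217.20.31.145;
            }
            instance-import Wildern_non-inet-routes;
        }
    }
    /* Forwarding instance used by filter 4_incoming to steer curriculum HTTP to
       the proxy at 192.168.45.147; internal prefixes fall back to WildernVR. */
    TransparentProxyVR {
        instance-type forwarding;
        inactive: interface ge-0/0/0.545;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 192.168.45.147;
                route 192.168.0.0/16 next-table WildernVR.inet.0;
            }
        }
    }
    WildernVR {
        instance-type virtual-router;
        interface ge-0/0/0.0;
        routing-options {
            static {
                route 192.168.0.0/16 next-hop 192.168.51.37;
                route 10.217.163.0/24 next-hop 192.168.51.37;
                route 172.19.0.0/16 next-hop 192.168.51.12;
                inactive: route 172.16.0.0/16 next-hop 10.249.16.1;
                route 192.168.98.0/23 next-table inet.0;
            }
            instance-import [ NetworkFlow_VR-routes Hants_routes default-route ];
        }
    }
}
applications {
    application jim-ESP protocol 50;
    application jim-AH protocol 51;
    application jim-RDP {
        protocol tcp;
        destination-port 3389;
    }
    application jim-L2TP_udp1701 {
        protocol udp;
        destination-port 1701;
    }
    application jim-L2TP_udp500 {
        protocol udp;
        destination-port 500;
    }
    application jim-L2TP_tcp1723 {
        protocol tcp;
        destination-port 1723;
    }
    application jim-NAT-T {
        protocol udp;
        destination-port 4500;
    }
    application spotifyAuth {
        protocol tcp;
        destination-port 4070;
    }
    application jim-minecraft-tcp {
        protocol tcp;
        destination-port 25565;
    }
    application jim-minecraft-udp {
        protocol udp;
        destination-port 25565;
    }
    application jim-minecraft-mod-tcp {
        protocol tcp;
        destination-port 8123;
    }
    /* jim-bbb-desktopshare and jim-bbb-rtmp are the same tcp/1935 definition. */
    application jim-bbb-desktopshare {
        protocol tcp;
        destination-port 1935;
    }
    application jim-bbb-rtmp {
        protocol tcp;
        destination-port 1935;
    }
    application jim-smtp-with-TLS {
        protocol tcp;
        destination-port 587;
    }
    application jim-smtp-over-SSL {
        protocol tcp;
        destination-port 465;
    }
    /* jim-tf2-1-tcp/udp duplicate jim-tf2-tcp/udp (same port 27075). */
    application jim-tf2-tcp {
        protocol tcp;
        destination-port 27075;
    }
    application jim-tf2-udp {
        protocol udp;
        destination-port 27075;
    }
    application jim-tf2-1-tcp {
        protocol tcp;
        destination-port 27075;
    }
    application jim-tf2-1-udp {
        protocol udp;
        destination-port 27075;
    }
    application jim-VNC {
        protocol tcp;
        destination-port 5900;
    }
    application jim-trackmania-1-tcp {
        protocol tcp;
        destination-port 2450;
    }
    application jim-trackmania-2-tcp {
        protocol tcp;
        destination-port 2350;
    }
    application jim-trackmania-2-udp {
        protocol udp;
        destination-port 2350;
    }
    application jim-trackmania-1-udp {
        protocol udp;
        destination-port 2450;
    }
    application-set Cisco-IPSec {
        application jim-AH;
        application jim-ESP;
    }
    application-set Cisco-L2TP {
        application jim-L2TP_udp500;
        application jim-L2TP_udp1701;
        application jim-L2TP_tcp1723;
        application jim-NAT-T;
    }
    application-set jim-bbb {
        application jim-bbb-desktopshare;
        application jim-bbb-rtmp;
        application junos-http;
        application junos-https;
    }
    application-set jim-SSMTP {
        application jim-smtp-over-SSL;
        application jim-smtp-with-TLS;
    }
    application-set jim-gameclub {
        application jim-minecraft-tcp;
        application jim-minecraft-udp;
        application jim-minecraft-mod-tcp;
        application jim-tf2-tcp;
        application jim-tf2-udp;
        application jim-tf2-1-tcp;
        application jim-tf2-1-udp;
        application jim-trackmania-1-tcp;
        application jim-trackmania-2-tcp;
        application jim-trackmania-2-udp;
        application jim-trackmania-1-udp;
    }
}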