一、新线路接入设置source-nat
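# 1. New uplink (ISP4) on ge-0/0/5 with source NAT.
# One absolute "set" statement per line, entered at [edit] (the original used
# "edit ..." contexts with relative commands, which cannot be pasted as-is).
# Run "show interfaces" first to confirm ge-0/0/5 is unused.

# Security zone for the new uplink.
set security zones security-zone untrust6 interfaces ge-0/0/5
# NOTE(review): "all" exposes every management service and routing protocol on the
# Internet-facing interface. Kept as the page has it; restrict it to the services this
# uplink actually needs (e.g. only ping) before commit.
set security zones security-zone untrust6 interfaces ge-0/0/5 host-inbound-traffic system-services all
set security zones security-zone untrust6 interfaces ge-0/0/5 host-inbound-traffic protocols all

# Interface address on the /30 towards the ISP.
set interfaces ge-0/0/5 unit 0 family inet address 183.238.148.70/30

# Virtual router "isp4": default route via the ISP gateway; traffic for the LAN
# (192.168.0.0/16) is looked up in the main table inet.0 so replies get back.
set routing-instances isp4 instance-type virtual-router
# Original had "ge0/0/5" (missing "-" and the unit); the logical interface is ge-0/0/5.0.
set routing-instances isp4 interface ge-0/0/5.0
set routing-instances isp4 routing-options static route 0.0.0.0/0 next-hop 183.238.148.69
set routing-instances isp4 routing-options static route 192.168.0.0/16 next-table inet.0

# Source NAT: everything from zone trust towards untrust6 is translated to the
# egress interface address.
set security nat source rule-set trust-2-untrust6 from zone trust
set security nat source rule-set trust-2-untrust6 to zone untrust6
set security nat source rule-set trust-2-untrust6 rule trust-2-untrust6 match source-address 0.0.0.0/0
set security nat source rule-set trust-2-untrust6 rule trust-2-untrust6 match destination-address 0.0.0.0/0
set security nat source rule-set trust-2-untrust6 rule trust-2-untrust6 then source-nat interface

# Filter-based forwarding: host 192.168.20.53 is steered into isp4 by filter F1 term 6.
# Assumes F1 already exists and is applied as an input filter on the LAN interface
# (not shown on this page). No trust-to-untrust6 security policy is shown either;
# unless a global permit policy exists, one is still required for traffic to pass.
set firewall filter F1 term 6 from source-address 192.168.20.53/32
set firewall filter F1 term 6 then routing-instance isp4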
二、开放端口:destination-nat
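# 2. Publish an internal FTP server (192.168.31.53) on the untrust6 address.
# One absolute "set" statement per line, entered at [edit].

# Destination NAT: untrust6 traffic to 183.238.148.70:21 -> 192.168.31.53:21.
set security nat destination pool ftp address 192.168.31.53/32 port 21
set security nat destination rule-set Test from zone untrust6
set security nat destination rule-set Test rule ftp match source-address 0.0.0.0/0
set security nat destination rule-set Test rule ftp match destination-address 183.238.148.70/32
set security nat destination rule-set Test rule ftp match destination-port 21
set security nat destination rule-set Test rule ftp then destination-nat pool ftp

# Address-book entry used by the policy below; it holds the post-NAT (internal) address.
set security zones security-zone trust address-book address ftp 192.168.31.53/32

# Custom application for a port forward: when forwarding to a different port, both the
# public and the internal port have to be defined and permitted. This one is not used
# by the FTP policy below; an 8080 rule would reference it with "match application 8080".
set applications application 8080 protocol tcp
set applications application 8080 destination-port 8080

# Security policy: allow FTP from untrust6 to the server only, logging session start/end.
# Original matched "application ftp", which is not defined anywhere on this page;
# the predefined Junos FTP application is "junos-ftp". If the client set is known,
# narrow source-address instead of "any".
set security policies from-zone untrust6 to-zone trust policy untrust6-to-trust match source-address any
set security policies from-zone untrust6 to-zone trust policy untrust6-to-trust match destination-address ftp
set security policies from-zone untrust6 to-zone trust policy untrust6-to-trust match application junos-ftp
set security policies from-zone untrust6 to-zone trust policy untrust6-to-trust then permit
set security policies from-zone untrust6 to-zone trust policy untrust6-to-trust then log session-init
set security policies from-zone untrust6 to-zone trust policy untrust6-to-trust then log session-close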
三、带宽限速。
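# 3. Bandwidth limiting with a policer on the LAN-facing interface vlan.0.

# Policer: 22 Mbit/s sustained; burst-size-limit is a byte budget (1 MB), not an
# extra 1 Mbit/s of bandwidth as the original comment suggested. Excess is dropped.
set firewall policer BW-limit if-exceeding bandwidth-limit 22m
set firewall policer BW-limit if-exceeding burst-size-limit 1m
set firewall policer BW-limit then discard

# Input filter on the LAN interface: packets sourced from 192.168.1.0/24 = aggregate upload.
set firewall filter USER-IN term 3 from source-address 192.168.1.0/24
set firewall filter USER-IN term 3 then policer BW-limit
set firewall filter USER-IN term 3 then accept
# Junos filters end with an implicit discard; without a final accept term every other
# packet on vlan.0 (including traffic from the 172.16.1.0/24 interface subnet) is dropped.
set firewall filter USER-IN term accept-rest then accept

# Output filter: packets destined to 192.168.1.0/24 = aggregate download.
set firewall filter USER-OUT term 1 from destination-address 192.168.1.0/24
set firewall filter USER-OUT term 1 then policer BW-limit
set firewall filter USER-OUT term 1 then accept
set firewall filter USER-OUT term accept-rest then accept

# Apply both filters to vlan.0. NOTE(review): the limited prefix (192.168.1.0/24) differs
# from the interface address shown here (172.16.1.1/24) - confirm 192.168.1.0/24 is
# actually reached through vlan.0.
set interfaces vlan unit 0 family inet filter input USER-IN
set interfaces vlan unit 0 family inet filter output USER-OUT
set interfaces vlan unit 0 family inet address 172.16.1.1/24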
四、一些常用命令。
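# 4. Frequently used commands. ">" is the operational-mode prompt, "#" is configuration
# mode; operational commands typed in configuration mode need the "run" prefix.
root@SRX240# run show configuration | display set     # dump the configuration in set format
root@SRX240# run show security flow session           # live session table ("run" was missing in the original)
root@SRX240> request system reboot                    # reboot the device

# Add a local administrator account. Junos login names are case-sensitive: the original
# mixed "XXX" and "xxx", which would create/modify two different users.
root@SRX240# set system login user xxx uid 2002
root@SRX240# set system login user xxx class super-user
root@SRX240# set system login user xxx authentication plain-text-password   # prompts for the password

# SNMP read-only, restricted to 192.168.0.0/24. "juniper" is the example community
# string from the page; pick a non-guessable one for a real deployment.
root@SRX240# set snmp community juniper authorization read-only clients 192.168.0.0/24
root@SRX240# set snmp trap-group juniper240 categories link
root@SRX240# set snmp trap-group juniper240 targets 192.168.3.15   # push link traps to this host

# Operational-mode status commands.
root@SRX240> show security flow statistics
root@SRX240> show system processes extensive
root@SRX240> show chassis forwarding
root@SRX240> show security flow session summary
root@SRX240> monitor interface ge-0/0/5

# Configuration-mode helpers.
root# show | compare                    # diff of the candidate against the committed config
root# show | display set | match pool   # set-format lines containing "pool"
root# commit confirmed 5                # auto-rollback after 5 minutes unless "commit" is entered again
root> show route forwarding-table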
转载于:https://blog.51cto.com/liang178/1399508