Preface
The previous chapter covered the SRX300 firewall's basic configuration in full; this one moves on to the configuration of the DMZ (server) security zone.
Interface configuration
# Configure the dmz VLAN; the VLAN ID and the irb unit number used for the L3 interface can be kept as shown
set vlans vlan-dmz vlan-id 5
set vlans vlan-dmz l3-interface irb.2
# Configure the system services the dmz zone accepts on its interface (host-inbound traffic)
set security zones security-zone dmz interfaces irb.2 host-inbound-traffic system-services snmp
set security zones security-zone dmz interfaces irb.2 host-inbound-traffic system-services ping
# Configure irb.2 as the Layer 3 interface and assign its IP address
set interfaces irb unit 2 family inet address 172.16.2.1/24
# Make physical ports ge-0/0/4 and ge-0/0/5 Layer 2 ports and move them from vlan-trust into vlan-dmz
delete interfaces ge-0/0/4 unit 0 family ethernet-switching vlan members vlan-trust
delete interfaces ge-0/0/5 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces ge-0/0/4 unit 0 family ethernet-switching vlan members vlan-dmz
set interfaces ge-0/0/5 unit 0 family ethernet-switching vlan members vlan-dmz
Security policy configuration
Assume the permitted source address is the server 172.16.2.50/32 and the destination is the public address 114.114.114.114 on port 8080; the configuration is as follows:
# Define the application object (TCP, any source port, destination port 8080)
set applications application 8080-tcp protocol tcp
set applications application 8080-tcp source-port 0-65535
set applications application 8080-tcp destination-port 8080
# Define the address-book entry dmz_172.16.2.50 in the dmz zone (a policy's source address is looked up in the from-zone's address book)
set security zones security-zone dmz address-book address dmz_172.16.2.50 172.16.2.50/32
# Define the address-book entry untrust_114.114.114.114 in the untrust zone (a policy's destination address is looked up in the to-zone's address book, so this entry cannot live in the dmz book)
set security zones security-zone untrust address-book address untrust_114.114.114.114 114.114.114.114/32
# Bind irb.2 to the dmz zone
set security zones security-zone dmz interfaces irb.2
# Policy d-u: permit only the server, only to the public address, only on TCP 8080
set security policies from-zone dmz to-zone untrust policy d-u match source-address dmz_172.16.2.50
set security policies from-zone dmz to-zone untrust policy d-u match destination-address untrust_114.114.114.114
set security policies from-zone dmz to-zone untrust policy d-u match application 8080-tcp
set security policies from-zone dmz to-zone untrust policy d-u then permit
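As an added example (my own code, not part of the original post), a small Python checker that applies the zone-attached address-book rule to a set-style configuration before it is pushed: a policy's source-address must exist in the from-zone's address book, its destination-address in the to-zone's book, and the matched application must be a custom or built-in (junos-*) one. The embedded sample is constructed from the page's policy with the untrust address placed in the dmz book, the misplacement that makes the commit fail; matching a handful of `set` statements with regular expressions is an assumption for illustration, not a full Junos parser.

```python
import re
from collections import defaultdict

# Constructed sample in Junos "set" syntax: the page's DMZ-to-untrust policy, with
# the untrust address deliberately placed in the dmz zone's address book.
SAMPLE_CONFIG = """
set applications application 8080-tcp protocol tcp
set applications application 8080-tcp destination-port 8080
set security zones security-zone dmz address-book address dmz_172.16.2.50 172.16.2.50/32
set security zones security-zone dmz address-book address untrust_114.114.114.114 114.114.114.114/32
set security policies from-zone dmz to-zone untrust policy d-u match source-address dmz_172.16.2.50
set security policies from-zone dmz to-zone untrust policy d-u match destination-address untrust_114.114.114.114
set security policies from-zone dmz to-zone untrust policy d-u match application 8080-tcp
set security policies from-zone dmz to-zone untrust policy d-u then permit
"""

ADDR_RE = re.compile(r"^set security zones security-zone (\S+) address-book address (\S+) \S+$")
POLICY_RE = re.compile(r"^set security policies from-zone (\S+) to-zone (\S+) policy (\S+) "
                       r"match (source-address|destination-address) (\S+)$")
APP_DEF_RE = re.compile(r"^set applications application (\S+) ")
APP_USE_RE = re.compile(r"^set security policies from-zone \S+ to-zone \S+ policy (\S+) match application (\S+)$")

def lint(config: str) -> list:
    """Return one finding per policy reference that cannot be resolved. With zone-attached
    address books, source-address is looked up in the from-zone's book, destination-address
    in the to-zone's book; applications must be custom-defined or built-in (junos-*)."""
    books = defaultdict(set)   # zone name -> address names defined in that zone's book
    apps = set()               # custom application names
    addr_refs, app_refs = [], []
    for line in config.strip().splitlines():
        line = line.strip()
        if m := ADDR_RE.match(line):
            books[m.group(1)].add(m.group(2))
        elif m := POLICY_RE.match(line):
            from_zone, to_zone, policy, kind, name = m.groups()
            zone = from_zone if kind == "source-address" else to_zone
            addr_refs.append((policy, kind, zone, name))
        elif m := APP_DEF_RE.match(line):
            apps.add(m.group(1))
        elif m := APP_USE_RE.match(line):
            app_refs.append(m.groups())
    findings = []
    for policy, kind, zone, name in addr_refs:
        if name != "any" and name not in books[zone]:
            findings.append(f"policy {policy}: {kind} {name} is not in zone {zone} address book")
    for policy, app in app_refs:
        if app != "any" and not app.startswith("junos-") and app not in apps:
            findings.append(f"policy {policy}: application {app} is not defined")
    return findings
```

On the SRX itself, after commit, `show security match-policies from-zone dmz to-zone untrust source-ip 172.16.2.50 destination-ip 114.114.114.114 source-port 40000 destination-port 8080 protocol tcp` confirms which policy the flow actually hits.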