Diffstat (limited to 'policies')
-rw-r--r-- | policies/includes/untrusted-networks-blocking.inc | 18 | ||||
-rw-r--r-- | policies/sample_srx.pol | 26 | ||||
-rw-r--r-- | policies/sample_tug_wlc_fw.pol | 36 |
3 files changed, 80 insertions, 0 deletions
diff --git a/policies/includes/untrusted-networks-blocking.inc b/policies/includes/untrusted-networks-blocking.inc
new file mode 100644
index 0000000..c77d064
--- /dev/null
+++ b/policies/includes/untrusted-networks-blocking.inc
@@ -0,0 +1,18 @@
+term deny-from-bogons {
+ comment:: "this is a sample edge input filter with a very very very long and
+ multi-line comment that"
+ comment:: "also has multiple entries."
+ source-address:: BOGON
+ action:: deny
+}
+
+term deny-from-reserved {
+ source-address:: RESERVED
+ action:: deny
+}
+
+term deny-to-rfc1918 {
+ destination-address:: RFC1918
+ action:: deny
+}
+
diff --git a/policies/sample_srx.pol b/policies/sample_srx.pol
new file mode 100644
index 0000000..3649c47
--- /dev/null
+++ b/policies/sample_srx.pol
@@ -0,0 +1,26 @@
+#
+ # This is an example policy for capirca
+ #
+header {
+ comment:: "this is a sample policy to generate Juniper SRX filter"
+ comment:: "from zone Untrust to zone DMZ."
+ target:: srx from-zone Untrust to-zone DMZ
+}
+
+term test-tcp {
+ destination-address:: RFC1918
+ protocol:: tcp udp
+ logging:: true
+ action:: accept
+}
+
+term test-icmp {
+ destination-address:: RFC1918
+ protocol:: icmp
+ icmp-type:: echo-request echo-reply
+ action:: accept
+}
+
+term default-deny {
+ action:: deny
+}
diff --git a/policies/sample_tug_wlc_fw.pol b/policies/sample_tug_wlc_fw.pol
new file mode 100644
index 0000000..76da91c
--- /dev/null
+++ b/policies/sample_tug_wlc_fw.pol
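Review bot: The include has no comment stating its contract: its three terms reference the network tokens BOGON, RESERVED and RFC1918 and carry no header, so it only works when pulled into a policy whose header is already set and whose definitions directory defines those names. I would put that at the top, e.g. `# Edge input-filter terms meant to be included after a policy header; requires BOGON, RESERVED and RFC1918 in the network definitions.` The three deny terms also carry no `logging:: true`, unlike test-tcp in sample_srx.pol in this same commit; at an edge filter, traffic sourced from bogon or reserved space is the spoofing signal an operator usually wants logged, so consider adding it to `deny-from-bogons` and `deny-from-reserved`, or note why it is left off.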
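Review bot: The term `test-tcp` accepts every TCP and UDP port from the Untrust zone to any RFC1918 destination in DMZ, because it has `protocol:: tcp udp` with no `destination-port::` restriction; for a from-zone Untrust sample that is effectively an allow-all, and anyone using the file as a template inherits it. Either add a port token from the service definitions, e.g. `destination-port:: HTTP HTTPS` if those names exist in the defs, or add a comment on the term marking it as a deliberately permissive placeholder. The name `test-tcp` also hides that UDP is matched; renaming it or splitting the protocols would make the intent visible. Keeping `logging:: true` on the accept term is the right default.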
@@ -0,0 +1,36 @@
+#
+ # This is an example policy for capirca
+ #
+header {
+ comment:: "this is a sample output filter that generates"
+ comment:: "multiplatform for tug wlc protection"
+ target:: juniper fw_tug_wlc_protect inet
+ target:: srx from-zone NORDUnet_nets to-zone WLC_net
+ target:: cisco fw_tug_wlc_protect mixed
+ target:: speedway INPUT
+ target:: ciscoasa asa_in
+ target:: html MUPP
+}
+
+term permit-icmp {
+ destination-address:: NDN_TUG_WLC_NET
+ protocol:: icmp
+ action:: accept
+}
+
+term permit-traceroute {
+ destination-address:: NDN_TUG_WLC_NET
+ protocol:: udp
+ destination-port:: TRACEROUTE
+ action:: accept
+}
+
+term permit-NORDUnet {
+ source-address:: NORDUNET_AGGREGATE SUNET_AP_STATICS
+ destination-address:: NDN_TUG_WLC_NET
+ action:: accept
+}
+
+term default-deny {
+ action:: deny
+} |
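Review bot: `permit-icmp` matches every ICMP type from any source to NDN_TUG_WLC_NET, because the term has `protocol:: icmp` with no `icmp-type::`, unlike `test-icmp` in sample_srx.pol from this same commit, which limits itself to echo-request and echo-reply. For a controller-protection filter I would restrict it to what operations actually needs, e.g. `icmp-type:: echo-request echo-reply unreachable time-exceeded`, so the remaining types fall through to `default-deny`. Likewise `permit-traceroute` opens the TRACEROUTE UDP range to any source; if it is meant for the NORDUnet networks only, adding the same `source-address::` used in `permit-NORDUnet` would tighten it. The `target:: html MUPP` line names a generator I cannot place from this diff; worth confirming every listed target is honoured by the capirca build in use.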