path: root/filters/sample_tug_wlc_fw.srx
blob: f86998cd526de000ca919f8f57bb5b84774fa2e6 (plain)
/*
Address books for the WLC_net and NORDUnet_nets zones, plus the policy set
for traffic from NORDUnet_nets to WLC_net. Only that direction is defined here.
NOTE(review): the $Id/$Date header below suggests generated output; if so,
make changes in the source policy, not in this file - confirm.
NOTE(review): when loaded with "load replace", each "replace:" stanza
overwrites the whole existing stanza of that name. "replace: policies" sits
directly under "security", so policies for any other zone pair already on the
device would be dropped unless they are also in the loaded file - confirm
against the target device before loading.
*/
security {
    zones {
        /* Destination side: the single /28 that every permit policy below targets. */
        security-zone WLC_net {
            replace: address-book {
                address NDN_TUG_WLC_NET_0 109.105.104.16/28;
                address-set NDN_TUG_WLC_NET {
                    address NDN_TUG_WLC_NET_0;
                }
            }
        }
        /* Source side: aggregate prefixes plus two static /32 hosts. */
        security-zone NORDUnet_nets {
            replace: address-book {
                /*
                109.105.96.0/19 contains 109.105.104.16/28, the WLC_net prefix above.
                NOTE(review): confirm the overlap between the two zones is intended.
                */
                address NORDUNET_AGGREGATE_0 109.105.96.0/19;
                address NORDUNET_AGGREGATE_1 193.10.252.0/24;
                address NORDUNET_AGGREGATE_2 193.10.254.0/24;
                address NORDUNET_AGGREGATE_3 193.11.3.0/24;
                address NORDUNET_AGGREGATE_4 194.68.13.0/24;
                address SUNET_AP_STATICS_0 130.242.82.30/32;
                address SUNET_AP_STATICS_1 130.242.121.137/32;
                address-set NORDUNET_AGGREGATE {
                    address NORDUNET_AGGREGATE_0;
                    address NORDUNET_AGGREGATE_1;
                    address NORDUNET_AGGREGATE_2;
                    address NORDUNET_AGGREGATE_3;
                    address NORDUNET_AGGREGATE_4;
                }
                address-set SUNET_AP_STATICS {
                    address SUNET_AP_STATICS_0;
                    address SUNET_AP_STATICS_1;
                }
            }
        }
    }
    replace: policies {
        /*
        $Id: ./filters/sample_tug_wlc_fw.srx $
        $Date: 2015/03/26 $
        */
        from-zone NORDUnet_nets to-zone WLC_net {
            /*
            Policies are evaluated in listed order; the first match decides.
            Source is "any", so this matches every address arriving in the zone,
            not only the address sets defined above. permit-icmp-app carries no
            icmp-type restriction (see the applications stanza).
            */
            policy permit-icmp {
                match {
                    source-address any;
                    destination-address [ NDN_TUG_WLC_NET ];
                    application permit-icmp-app;
                }
                then {
                    permit;
                }
            }
            /* Also open to any source address; limited to UDP 33434-33534 by the application. */
            policy permit-traceroute {
                match {
                    source-address any;
                    destination-address [ NDN_TUG_WLC_NET ];
                    application permit-traceroute-app;
                }
                then {
                    permit;
                }
            }
            /*
            "application any": the listed source sets reach the WLC /28 on every
            protocol and port. NOTE(review): narrow to the services the WLC
            actually needs if those are known.
            */
            policy permit-NORDUnet {
                match {
                    source-address [ NORDUNET_AGGREGATE SUNET_AP_STATICS ];
                    destination-address [ NDN_TUG_WLC_NET ];
                    application any;
                }
                then {
                    permit;
                }
            }
            /*
            Explicit catch-all; must stay last. No "log" action is set, so this
            policy does not log the sessions it denies. NOTE(review): consider
            session-init logging here if visibility into denied traffic is wanted.
            */
            policy default-deny {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    deny;
                }
            }
        }
    }
}
replace: applications {
    /*
    Custom applications referenced by the permit-icmp and permit-traceroute
    policies. NOTE(review): with "load replace", the "replace:" tag on this
    stanza overwrites the device's whole applications hierarchy, so custom
    applications not listed here would be removed - confirm before loading.
    */
    application-set permit-icmp-app {
        application permit-icmp-app1;
    }
    /* Matches protocol icmp with no icmp-type or icmp-code term, so every ICMP message type matches. */
    application permit-icmp-app1 {
        term t1 protocol icmp;
    }
    application-set permit-traceroute-app {
        application permit-traceroute-app1;
    }
    /* UDP destination ports 33434-33534 only; no source-port restriction is set. */
    application permit-traceroute-app1 {
        term t1 protocol udp destination-port 33434-33534;
    }
}