################
### RULEBASE ###
################
# NOTE: make sure zone names correspond to those specified in your firewall setup
#
# Filter 1: internal -> external, default (inet) address family.
# Each "target::" line emits this filter for one generator (paloalto, srx).
# "comment::" text is carried into the generated output; "#" lines are not.
header {
comment:: "this is a sample policy for a zone based filter that generates"
comment:: "multiple output formats. It checks logging options, tcp, udp"
comment:: "and icmp type options."
target:: paloalto from-zone internal to-zone external
target:: srx from-zone internal to-zone external
}
# Accepts all tcp (no source/destination address or port restriction);
# exercises the log-both logging option.
term test-tcp-log-both {
comment:: "Testing log-both for tcp."
protocol:: tcp
logging:: log-both
action:: accept
}
# Accepts all udp (no address or port restriction); exercises plain logging.
term test-udp-log {
comment:: "Testing logging for udp."
protocol:: udp
logging:: true
action:: accept
}
# Accepts tcp and udp with no address/port restriction.
# NOTE(review): this and the two terms above accept any tcp/udp from internal
# to external before "deny-to-bad-destinations" (last term of this filter) is
# reached; on first-match targets such as srx and paloalto the deny is
# therefore shadowed for tcp/udp. Acceptable for a generator test; a
# production policy would place the deny ahead of the broad accepts.
term test-tcp-udp-any {
comment:: "Testing any port for tcp, udp,"
comment:: "`when destination-port is unspecified."
protocol:: tcp udp
action:: accept
}
# Accepts udp/DNS only to the GOOGLE_DNS network definition.
term accept-honestdns {
comment:: "Allow name resolution using honestdns."
destination-address:: GOOGLE_DNS
destination-port:: DNS
protocol:: udp
action:: accept
}
# Accepts icmp echo-request/echo-reply from INTERNAL only, with a named
# counter; exercises the icmp-type and counter options.
term accept-icmp-specific-types {
comment:: "Allow ICMPv4, with icmp types, and test counters."
source-address:: INTERNAL
protocol:: icmp
icmp-type:: echo-request echo-reply
counter:: icmp-ping
action:: accept
}
# Accepts igmp from INTERNAL; exercises syslog logging.
term accept-igmp {
comment:: "Allow IGMP, and test syslog logging."
source-address:: INTERNAL
protocol:: igmp
action:: accept
logging:: syslog
}
# Accepts udp with source ports in the TRACEROUTE service definition.
term accept-traceroute-source-ports {
comment:: "Allow traceroute with source port range for udp."
protocol:: udp
source-port:: TRACEROUTE
action:: accept
}
# Denies all protocols to private/bogon/reserved space. Because it has no
# protocol restriction it still applies to anything not accepted above
# (e.g. icmp or igmp from sources outside INTERNAL).
term deny-to-bad-destinations {
comment:: "Deny to bad destinations."
destination-address:: RFC1918 BOGON RESERVED
action:: deny
}
# Filter 2: external -> internal, default (inet) address family.
# Tests that stateful generators drop the established/tcp-established terms.
header {
comment:: "this is a sample policy for a zone based filter that generates"
comment:: "multiple output formats. It checks tcp-established and udp "
comment:: "established options."
target:: paloalto from-zone external to-zone internal
target:: srx from-zone external to-zone internal
}
# Inbound accept scoped to WEB_SERVERS on WEB_SERVICES ports over tcp.
term accept-webserver-traffic {
comment:: "Allow webserver inbound traffic."
destination-address:: WEB_SERVERS
destination-port:: WEB_SERVICES
protocol:: tcp
action:: accept
}
# Return-traffic term for stateless filters; the comment:: text records that a
# stateful target is expected to omit it (the firewall tracks sessions itself).
term test-tcp-established {
comment:: "Allow tcp-established traffic."
comment:: "This should not be generated since this is a stateful policy."
destination-address:: MAIL_SERVERS WEB_SERVERS PUBLIC_NAT
protocol:: tcp
option:: tcp-established
action:: accept
}
# Same as above for udp DNS replies (source-port DNS to INTERNAL); also
# exercises the counter option. Expected to be omitted on stateful targets.
term test-dns-replies {
comment:: "Allow DNS replies, and test udp established option."
comment:: "This should not be generated since this is a stateful policy."
source-port:: DNS
destination-address:: INTERNAL
protocol:: udp
option:: established
counter:: dns-replies
action:: accept
}
# Filter 3: internal -> external, inet6 address family.
# Same shape as filter 1 but only IPv6 addresses and icmpv6 are expected in
# the output.
header {
comment:: "this is a sample policy for a zone based filter that generates"
comment:: "multiple output formats. It checks inet6 options and icmpv6."
target:: paloalto from-zone internal to-zone external inet6
target:: srx from-zone internal to-zone external inet6
}
# Accepts udp/DNS only to GOOGLE_DNS (only its IPv6 entries apply here).
term ipv6-accept-honestdns {
comment:: "Allow name resolution using honestdns."
destination-address:: GOOGLE_DNS
destination-port:: DNS
protocol:: udp
action:: accept
}
# Accepts icmpv6 echo-request/echo-reply from any source; exercises
# icmp-type with protocol icmpv6.
term accept-icmpv6-specific-types {
comment:: "Allow ICMPv6, with icmpv6 types."
protocol:: icmpv6
icmp-type:: echo-request echo-reply
action:: accept
}
# Denies all protocols to the IPv6 entries of RFC1918/BOGON/RESERVED.
term ipv6-deny-to-bad-destinations {
comment:: "Deny to bad destinations."
destination-address:: RFC1918 BOGON RESERVED
action:: deny
}
# Filter 4: external -> internal, inet6 address family.
# IPv6 counterpart of filter 2.
header {
comment:: "this is a sample policy for a zone based filter that generates"
comment:: "multiple output formats. It checks inet6 options."
target:: paloalto from-zone external to-zone internal inet6
target:: srx from-zone external to-zone internal inet6
}
# Inbound accept scoped to WEB_IPV6_SERVERS on WEB_SERVICES ports over tcp.
term ipv6-accept-webserver-traffic {
comment:: "Allow webserver inbound traffic."
destination-address:: WEB_IPV6_SERVERS
destination-port:: WEB_SERVICES
protocol:: tcp
action:: accept
}
# Return-traffic term for stateless filters; expected to be omitted on
# stateful targets. Term name is reused from filter 2, which is fine because
# each header starts a separate filter.
term test-tcp-established {
comment:: "Allow tcp-established traffic."
comment:: "This should not be generated since this is a stateful policy."
destination-address:: WEB_IPV6_SERVERS
protocol:: tcp
option:: tcp-established
action:: accept
}
# udp DNS replies to INTERNAL (IPv6 entries only); expected to be omitted on
# stateful targets.
term test-dns-replies {
comment:: "Allow DNS replies, and test udp established option."
comment:: "This should not be generated since this is a stateful policy."
source-port:: DNS
destination-address:: INTERNAL
protocol:: udp
option:: established
counter:: dns-replies
action:: accept
}
# Filter 5: unknown -> internal, inet6 address family.
# Checks how IPv4-only terms and mixed protocol lists behave under inet6.
header {
comment:: "this is a test policy for a zone based filter that generates"
comment:: "multiple output formats. It checks inet6 options for IPv4 rules."
target:: paloalto from-zone unknown to-zone internal inet6
target:: srx from-zone unknown to-zone internal inet6
}
# Both address tokens are IPv4-only, so under inet6 the term has no
# addresses left and is expected to be dropped from the output.
term test-inet6-webserver-traffic {
comment:: "Allow webserver inbound traffic."
comment:: "This should not be generated since this only has IPv4 addresses."
source-address:: RFC1918
destination-address:: WEB_SERVERS
protocol:: tcp
action:: accept
}
# No addresses or ports: the tcp part is expected to survive as an
# unrestricted accept from the unknown zone, the icmp part to be dropped.
# NOTE(review): intentionally permissive test input; not a template for a
# production unknown -> internal rule.
term test-inet6-tcp-icmp-traffic {
comment:: "Allow all tcp and icmp traffic."
comment:: "The icmp term should not be generated since this is inet6."
comment:: "The tcp term should be generated."
protocol:: tcp icmp
action:: accept
}
# No addresses or ports: both tcp and icmpv6 are expected in the inet6 output.
term test-inet6-tcp-icmpv6-traffic {
comment:: "Allow all tcp and icmpv6 traffic."
comment:: "This should be generated since this has no ports specified."
protocol:: tcp icmpv6
action:: accept
}
# Filter 6: unknown -> internal, inet (IPv4) address family.
# Mirror of filter 5: checks IPv6-only terms and mixed protocol lists under inet.
header {
comment:: "this is a test policy for a zone based filter that generates"
comment:: "multiple output formats. It checks inet options for IPv6 rules."
target:: paloalto from-zone unknown to-zone internal inet
target:: srx from-zone unknown to-zone internal inet
}
# Both address tokens are IPv6-only, so under inet the term is expected to be
# dropped from the output.
term test-inet-webserver-traffic {
comment:: "Allow webserver inbound IPv6 traffic."
comment:: "This should not be generated since this only has IPv6 addresses."
source-address:: PUBLIC_IPV6_SERVERS
destination-address:: WEB_IPV6_SERVERS
protocol:: tcp
action:: accept
}
# No addresses or ports: both tcp and icmp are expected in the inet output.
# NOTE(review): intentionally permissive test input (any tcp/icmp from the
# unknown zone); not a template for a production rule.
term test-inet-tcp-icmp-traffic {
comment:: "Allow all tcp and icmp traffic."
comment:: "This should be generated since this has no ports specified."
protocol:: tcp icmp
action:: accept
}
# No addresses or ports: the tcp part is expected to survive, the icmpv6 part
# to be dropped under inet.
term test-inet-tcp-icmpv6-traffic {
comment:: "Allow all tcp and icmpv6 traffic."
comment:: "The icmpv6 term should not be generated since this is inet."
comment:: "The tcp term should be generated."
protocol:: icmpv6 tcp
action:: accept
}