The internal network reaches the internet through source NAT, and in the usual case that public address is the firewall's own IP, i.e. the public IP of the internal network. For convenience, administrators often leave http, https and ssh open on that IP by default, which lets anyone on the internet guess at the passwords. The following measures are taken.
The relevant system services currently open:
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ssh
set system services ssh
set system services telnet
set system services web-management http interface ge-0/0/3.0
set system services web-management https system-generated-certificate
set system services web-management https interface ge-0/0/1.0
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic system-services dhcp
set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic system-services ping
set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic system-services http
set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic system-services https
set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic system-services ssh
The approach is as follows:
Close the management services on that public IP, then map the management port of the firewall's internal IP to some other port on a public IP through destination NAT.
delete security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ssh
# create the address-book entry for the firewall's internal IP
set security zones security-zone trust address-book address juniper2541 192.168.254.1/32
# create the NAT
# pool 2541 is the translated destination: the internal management IP and the real SSH port
set security nat destination pool 2541 address 192.168.254.1/32
set security nat destination pool 2541 address port 22
# a destination-NAT rule-set must state where the traffic comes from; internet traffic enters through zone untrust
set security nat destination rule-set 1 from zone untrust
# match anything from the internet to public port 1055 and translate it to the pool
set security nat destination rule-set 1 rule 2541 match source-address 0.0.0.0/0
set security nat destination rule-set 1 rule 2541 match destination-address 113.106.95.x/32
set security nat destination rule-set 1 rule 2541 match destination-port 1055
set security nat destination rule-set 1 rule 2541 then destination-nat pool 2541
# create the policy
# Policy lookup on the SRX runs after destination NAT, so the policy must match the translated
# address (juniper2541 = 192.168.254.1) and the translated port (22), not the public port 1055.
# The custom application is therefore defined for port 22; the predefined junos-ssh would do the same.
set applications application juniper1055 protocol tcp destination-port 22
set security policies from-zone untrust to-zone trust policy yc2541 match source-address any
set security policies from-zone untrust to-zone trust policy yc2541 match destination-address juniper2541
set security policies from-zone untrust to-zone trust policy yc2541 match application juniper1055
set security policies from-zone untrust to-zone trust policy yc2541 then permit
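As an added example that is not part of the original post, the following Python script parses a Junos `show configuration | display set` dump and reports the two things this change is about: which management services the firewall still accepts from the untrust zone (and whether telnet is enabled at all), and which destination-NAT rules map a public port to an internal address and port. The two config dumps embedded in it are constructed from the before and after states above (keeping the post's placeholder 113.106.95.x); the function names are mine, not Juniper tooling.

```python
"""Audit a Junos SRX 'show configuration | display set' dump for management
services reachable from the untrust zone and for destination-NAT port mappings.

Added example for this post, not Juniper tooling. BEFORE/AFTER are constructed
from the post's configuration (113.106.95.x is the post's own placeholder)."""
import re
from collections import defaultdict

# Services that give a login or configuration channel; "all" implicitly includes them.
MGMT_SERVICES = {"ssh", "telnet", "http", "https", "netconf",
                 "xnm-clear-text", "xnm-ssl", "all"}

ZONE_RE = re.compile(
    r"^set security zones security-zone (\S+)(?: interfaces (\S+))? "
    r"host-inbound-traffic system-services (\S+)$")
POOL_PORT_RE = re.compile(r"^set security nat destination pool (\S+) address port (\d+)$")
POOL_ADDR_RE = re.compile(r"^set security nat destination pool (\S+) address (\S+)$")
RULE_RE = re.compile(
    r"^set security nat destination rule-set (\S+) rule (\S+) (match|then) (.+)$")

# Constructed: the "before" state (management open on the untrust interface, telnet on).
BEFORE = """\
set system services ssh
set system services telnet
set system services web-management http interface ge-0/0/3.0
set system services web-management https interface ge-0/0/1.0
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ssh
set security zones security-zone trust host-inbound-traffic system-services all
"""

# Constructed: the "after" state (untrust ssh deleted, telnet removed, port 1055 -> 22 via DNAT).
AFTER = """\
set system services ssh
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust address-book address juniper2541 192.168.254.1/32
set security nat destination pool 2541 address 192.168.254.1/32
set security nat destination pool 2541 address port 22
set security nat destination rule-set 1 from zone untrust
set security nat destination rule-set 1 rule 2541 match source-address 0.0.0.0/0
set security nat destination rule-set 1 rule 2541 match destination-address 113.106.95.x/32
set security nat destination rule-set 1 rule 2541 match destination-port 1055
set security nat destination rule-set 1 rule 2541 then destination-nat pool 2541
"""


def parse_config(text):
    """Return (exposed, pools, rules, telnet_enabled) from display-set lines."""
    exposed = []               # (zone, interface or "zone-wide", service)
    pools = defaultdict(dict)  # pool name -> {"address": ..., "port": ...}
    rules = defaultdict(dict)  # (rule-set, rule) -> match keys plus "pool"
    telnet = False
    for line in text.splitlines():
        line = line.strip()
        if line == "set system services telnet":
            telnet = True
            continue
        m = ZONE_RE.match(line)
        if m:
            zone, ifc, svc = m.groups()
            exposed.append((zone, ifc or "zone-wide", svc))
            continue
        m = POOL_PORT_RE.match(line)   # checked before the address form
        if m:
            pools[m.group(1)]["port"] = int(m.group(2))
            continue
        m = POOL_ADDR_RE.match(line)
        if m:
            pools[m.group(1)]["address"] = m.group(2)
            continue
        m = RULE_RE.match(line)
        if m:
            rule_set, rule, kind, rest = m.groups()
            if kind == "match":
                key, value = rest.split(" ", 1)
                rules[(rule_set, rule)][key] = value
            elif rest.startswith("destination-nat pool "):
                rules[(rule_set, rule)]["pool"] = rest.split()[-1]
    return exposed, pools, rules, telnet


def untrust_exposure(exposed, zone="untrust"):
    """Management services the firewall itself accepts from the given zone."""
    return sorted((ifc, svc) for z, ifc, svc in exposed
                  if z == zone and svc in MGMT_SERVICES)


def nat_mappings(pools, rules):
    """(public address, public port, internal address, internal port) per DNAT rule."""
    out = []
    for key in sorted(rules):
        r = rules[key]
        pool = pools.get(r.get("pool"), {})
        pub_port = r.get("destination-port")
        out.append((r.get("destination-address"),
                    int(pub_port.split()[0]) if pub_port else None,
                    pool.get("address"), pool.get("port")))
    return out


def audit(text):
    """Summarise the findings a reviewer of this change wants to see."""
    exposed, pools, rules, telnet = parse_config(text)
    return {"untrust_mgmt": untrust_exposure(exposed),
            "telnet": telnet,
            "dnat": nat_mappings(pools, rules)}


if __name__ == "__main__":
    for name, cfg in (("before", BEFORE), ("after", AFTER)):
        print(name, audit(cfg))
```

Run it against a saved `show configuration | display set` dump instead of the embedded text to check a real box. After the commit, confirm from the outside that SSH on the public IP's port 22 is refused while `ssh -p 1055` to the same address reaches the firewall, and on the SRX that `show security flow session destination-port 22` shows the translated session.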
This article is from: 億恩科技 [www.laynepeng.cn]