zhoshou 2007-11-16 08:10 PM
防止ip address spoofing的sample config
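system {
    /* Sample host and credentials from a forum post: the MD5-crypt ($1$)
       hashes below are published, so replace both before loading this
       anywhere that matters. */
    host-name provider;
    root-authentication {
        encrypted-password "$1$LZn..$5wu/mQL3Y07YWodOqBl5S1"; # SECRET-DATA
    }
    login {
        user lab {
            uid 2000;
            class super-user;
            authentication {
                encrypted-password "$1$cfuC.$vLPgSA7peoy/UzF7bIJJA0"; # SECRET-DATA
            }
        }
    }
    services {
        /* The original sample enabled ftp and telnet, both of which carry the
           credentials above in cleartext over fxp0; ssh (with scp for file
           transfer) replaces them. */
        ssh;
    }
}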
interfaces {
    /* fxp0 is the out-of-band management port. Nothing in this sample filters
       it, so the anti-spoofing filters below do not cover the management plane. */
    fxp0 {
        unit 0 {
            family inet {
                address 172.17.3.232/23;
            }
        }
    }
    /* The link the anti-spoofing filters guard. Both filters are defined in the
       firewall stanza and are attached under family inet, so only IPv4 is
       checked; an inet6 family on this unit would need its own pair. */
    ge-7/1/0 {
        gigether-options {
            no-flow-control;
        }
        unit 0 {
            family inet {
                filter {
                    /* input checks packets arriving from the link,
                       output checks packets leaving toward it. */
                    input no-spoofs-in;
                    output no-spoofs-out;
                }
                address 10.0.0.2/24;
            }
        }
    }
    /* Loopback address, also placed in OSPF area 0 in the protocols stanza;
       no filter is applied to it in this sample. */
    lo0 {
        unit 0 {
            family inet {
                address 10.0.200.1/32;
            }
        }
    }
    /* Unfiltered SONET uplink, also an OSPF area 0 interface. */
    so-3/1/3 {
        sonet-options {
            no-payload-scrambler;
        }
        unit 0 {
            family inet {
                address 10.0.3.2/24;
            }
        }
    }
}
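routing-options {
    static {
        /* The downstream prefix behind ge-7/1/0: 10.0.0.1 is the far end of
           that link's 10.0.0.0/24 subnet. This is the same prefix the
           no-spoofs filters treat as the only legitimate source on that link.
           The keyword is next-hop; the original "nexthop" spelling does not
           parse. */
        route 192.168.0.0/24 next-hop 10.0.0.1;
    }
}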
protocols {
    ospf {
        /* Redistributes the static route from routing-options into OSPF via
           the static-ospf policy defined in policy-options. */
        export static-ospf;
        area 0.0.0.0 {
            /* NOTE(review): ge-0/1/0 has no entry in the interfaces stanza of
               this sample; either it was trimmed from the post or this line
               is stale. */
            interface ge-0/1/0.0;
            /* The filtered downstream link runs passive: its prefix is
               advertised, but no adjacency is formed across it, so a peer on
               that link cannot inject routes. */
            interface ge-7/1/0.0 {
                passive;
            }
            interface so-3/1/3.0;
            interface lo0.0;
        }
    }
}
policy-options {
    /* Referenced by "export static-ospf" under protocols ospf: every static
       route is accepted for advertisement into OSPF. */
    policy-statement static-ospf {
        from protocol static;
        then accept;
    }
}
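firewall {
    /* Ingress side of ge-7/1/0: only the prefixes that legitimately sit behind
       that link (192.168.0.0/24, reached via the static route, and the link
       subnet 10.0.0.0/24) may appear as a source. Anything else is a forged
       source and is silently dropped. */
    filter no-spoofs-in {
        term allow-valid {
            from {
                source-address {
                    192.168.0.0/24;
                    10.0.0.0/24;
                    /* The router's own address on this link can never be a
                       legitimate source of a packet arriving on it. */
                    10.0.0.2/32 except;
                }
            }
            then accept;
        }
        /* Term order matters: this catch-all only sees packets allow-valid did
           not accept. discard replaces the original reject, which would have
           answered every forged packet with an ICMP unreachable aimed at the
           spoofed (victim) address. The log buffer is small and wraps under
           sustained volume, so treat the counter as the reliable signal. */
        term reject-spoofs {
            then {
                count unauthorized-source-address;
                log;
                discard;
            }
        }
    }
    /* Egress side of ge-7/1/0: a packet leaving toward the downstream link
       that claims a source inside the downstream prefix must have entered the
       router elsewhere with a forged source. Counter names are scoped to their
       filter, so reusing the name from no-spoofs-in is fine. */
    filter no-spoofs-out {
        term reject-spoofs {
            from {
                source-address {
                    192.168.0.0/24;
                }
            }
            then {
                count unauthorized-source-address;
                log;
                discard;
            }
        }
        term allow-valid {
            then accept;
        }
    }
}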
转自: 杜松之家 - Juniper 技术论坛 www.juniperbbs.net