
Learning to Configure a Simple Firewall Filter in Junos


http://iwing.wordpress.com

--------------------------------------------------------

The topology used is as follows:

--------------------------------------------------------

--------------------------------------------------------

Example IOS software configuration:

--------------------------------------------------------

Router(config)#access-list 110 deny ip host 192.168.10.2 any
Router(config)#access-list 110 permit ip any any

--------------------------------------------------------

Example JUNOS software configuration:

--------------------------------------------------------

[edit firewall family inet filter test-blok]
root@cnc2# set term test-blok-iwing from source-address 192.168.10.2/32
root@cnc2# set term test-blok-iwing then reject
root@cnc2# set term accept-all then accept
root@cnc2#

--------------------------------------------------------

The case here: I want to block host 192.168.10.2 from accessing host 192.168.30.2.

--------------------------------------------------------


[edit firewall]
root@cnc2# show
family inet {
    filter test-blok {
        term test-blok-iwing {
            from {
                source-address {
                    192.168.10.2/32;
                }
            }
            then {
                reject;
            }
        }
        term accept-all {
            then accept;
        }
    }
}

[edit firewall]
root@cnc2#

--------------------------------------------------------

As in IOS, the rule can be applied in the inbound or the outbound direction. In my case I will apply it in the outbound direction on interface fxp0.0.

--------------------------------------------------------

[edit interfaces]
root@cnc2# set fxp0.0 family inet filter output test-blok
root@cnc2#

--------------------------------------------------------

[edit interfaces fxp0 unit 0]
root@cnc2# show
family inet {
    filter {
        output test-blok;
    }
    address 192.168.30.1/24;
}

[edit interfaces fxp0 unit 0]
root@cnc2#

--------------------------------------------------------

The result is:

--------------------------------------------------------


Second case: I want to block the telnet service to router cnc2 from network 192.168.10.0/24. I will try to create the rule on router cnc1.

--------------------------------------------------------

Example IOS software configuration:

--------------------------------------------------------

Router(config)#access-list 120 deny tcp any host 192.168.20.2 eq telnet
Router(config)#access-list 120 deny tcp any host 192.168.30.1 eq telnet
Router(config)#access-list 120 deny tcp any host 2.2.2.2 eq telnet
Router(config)#access-list 120 permit ip any any

--------------------------------------------------------

Example JUNOS software configuration:

--------------------------------------------------------

[edit firewall family inet filter protect-router]
root@cnc1# set term block-cli-access from destination-address 192.168.20.2/32
root@cnc1# set term block-cli-access from destination-address 192.168.30.1/32
root@cnc1# set term block-cli-access from destination-address 2.2.2.2/32
root@cnc1# set term block-cli-access from protocol tcp
root@cnc1# set term block-cli-access from destination-port telnet
root@cnc1# set term block-cli-access then reject
root@cnc1# set term allow-others then accept
root@cnc1#

--------------------------------------------------------

[edit firewall]
root@cnc1# show
family inet {
    filter protect-router {
        term block-cli-access {
            from {
                destination-address {
                    192.168.20.2/32;
                    2.2.2.2/32;
                    192.168.30.1/32;
                }
                protocol tcp;
                destination-port telnet;
            }
            then {
                reject;
            }
        }
        term allow-others {
            then accept;
        }
    }
}

[edit firewall]
root@cnc1#
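
Added example (not part of the original document): a small Python model of how the protect-router filter above is evaluated, showing that addresses listed under one match condition are alternatives, that separate conditions must all match, and that a packet matching no term falls through to the implicit discard at the end of a Junos filter. The dictionary layout, the helper names and the sample packets are constructed for illustration.

```python
import ipaddress

# Constructed model of the page's "protect-router" filter. Values listed under
# one match condition are alternatives (OR); separate conditions must all
# match (AND). A term with no "from" clause matches every packet.
PROTECT_ROUTER = [
    {"name": "block-cli-access",
     "from": {"destination-address": ["192.168.20.2/32", "2.2.2.2/32",
                                      "192.168.30.1/32"],
              "protocol": ["tcp"],
              "destination-port": [23]},      # 23 = telnet
     "then": "reject"},
    {"name": "allow-others", "from": {}, "then": "accept"},
]

def condition_matches(cond, values, pkt):
    """True if the packet field named by cond equals any of the listed values."""
    if cond.endswith("-address"):
        addr = ipaddress.ip_address(pkt[cond])
        return any(addr in ipaddress.ip_network(v) for v in values)
    return pkt.get(cond) in values

def evaluate(filter_terms, pkt):
    """Return (term name, action) for the first term whose conditions all match."""
    for term in filter_terms:
        if all(condition_matches(c, v, pkt) for c, v in term["from"].items()):
            return term["name"], term["then"]
    # No term matched: a Junos filter ends with an implicit discard.
    return "(implicit)", "discard"

def packet(src, dst, proto, dport):
    return {"source-address": src, "destination-address": dst,
            "protocol": proto, "destination-port": dport}

if __name__ == "__main__":
    samples = [                                   # constructed packets
        packet("192.168.10.2", "2.2.2.2", "tcp", 23),       # telnet to cnc2
        packet("192.168.10.2", "192.168.30.1", "tcp", 23),  # telnet to cnc2
        packet("192.168.10.2", "2.2.2.2", "tcp", 22),       # different port
        packet("192.168.10.2", "2.2.2.2", "udp", 23),       # different protocol
    ]
    for p in samples:
        print(p["destination-address"], p["protocol"], p["destination-port"],
              "->", evaluate(PROTECT_ROUTER, p))
    # The same filter without the final accept term drops all other traffic.
    print("without allow-others:", evaluate(PROTECT_ROUTER[:1], samples[2]))
```
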

--------------------------------------------------------

As in IOS, the rule can be applied in the inbound or the outbound direction. In my case I will apply it in the inbound direction on interface fxp0.0.

--------------------------------------------------------

[edit interfaces]
root@cnc1# set fxp0.0 family inet filter input protect-router
root@cnc1#

--------------------------------------------------------

[edit interfaces fxp0 unit 0]
root@cnc1# show
family inet {
    filter {
        input protect-router;
    }
    address 192.168.10.1/24;
}

[edit interfaces fxp0 unit 0]
root@cnc1#

--------------------------------------------------------

The result is as follows:

--------------------------------------------------------


That is all for now; hopefully this is useful. If anything is wrong, please let me know. "CMIIW"