## Last commit: 2015-04-02 17:34:26 CEST by technet version 12.1X47-D15.4; system { host-name fw1.tele; domain-name infra.tg15.party.gathering.org; time-zone Europe/Oslo; root-authentication { } name-server { 208.67.222.222; 208.67.220.220; } login { user technet { uid 2003; class super-user; authentication { } } } services { ssh { root-login deny; } } syslog { archive size 100k files 3; user * { any emergency; } file messages { any critical; authorization info; } file interactive-commands { interactive-commands error; } file security-all { any any; match RT_FLOW; archive size 1000000 files 1; } file security-permit { any any; match RT_FLOW_SESSION_CREATE; archive size 1000000 files 1; } file security-deny { any any; match RT_FLOW_SESSION_DENY; archive size 1000000 files 1; } file policy_session { user info; match RT_FLOW; archive size 1000k world-readable; structured-data; } file web-filtering { any any; match WEBFILTER; archive size 1000000 files 1; } } max-configurations-on-flash 5; max-configuration-rollbacks 5; license { autoupdate { url https://ae1.juniper.net/junos/key_retrieval; } } ntp { server 129.240.2.6; } } chassis { aggregated-devices { ethernet { device-count 5; } } } interfaces { ge-0/0/0 { disable; } ge-0/0/1 { disable; } ge-0/0/2 { disable; } ge-0/0/3 { disable; } ge-0/0/4 { disable; } ge-0/0/5 { disable; } ge-0/0/6 { disable; } ge-0/0/7 { disable; } ge-0/0/8 { disable; } ge-0/0/9 { disable; } xe-6/0/0 { description "TeleGW xe-0/2/3"; gigether-options { 802.3ad ae0; } } xe-6/0/1 { description "TeleGW xe-1/2/3"; gigether-options { 802.3ad ae0; } } ae0 { description rs1.tele; vlan-tagging; aggregated-ether-options { lacp { active; } } unit 10 { description "rs1.tele pre-nat"; vlan-id 10; family inet { filter { input v4-fbf; } address 151.216.128.7/31; } } unit 20 { description "rs1.tele post-nat"; vlan-id 20; family inet { address 151.216.128.9/31; } } unit 30 { description "rs1.tele firewall for event"; vlan-id 30; family inet { address 151.216.128.45/31; } } } lo0 { unit 0 { family inet { filter { input v4-mgmt; } address 10.60.254.129/32; address 151.216.255.9/32; } family inet6 { filter { input v6-mgmt; } address 2a02:ed02:ffff::9/128; } } } } routing-options { router-id 151.216.255.9; } protocols { ospf { export [ redistribute-direct redistribute-static ]; reference-bandwidth 1000g; area 0.0.0.0 { interface ae0.20; } } ospf3 { export [ redistribute-direct redistribute-static ]; reference-bandwidth 1000g; area 0.0.0.0 { interface ae0.20; } } } policy-options { prefix-list v4-mgmt { /* NOC clients */ 151.216.254.0/24; /* Servers */ 185.12.59.0/26; } prefix-list v6-mgmt { /* NOC clients */ 2a02:ed02:254::/64; /* Servers */ 2a02:ed02:1337::/64; } prefix-list mgmt { /* NOC clients */ 151.216.254.0/24; /* Servers */ 185.12.59.0/26; /* NOC clients */ 2a02:ed02:254::/64; /* Servers */ 2a02:ed02:1337::/64; } policy-statement redistribute-direct { from protocol direct; then { external { type 1; } accept; } } policy-statement redistribute-static { from protocol static; then { external { type 1; } accept; } } } security { nat { source { pool norwegian-addresses { address { 185.12.59.96/27; 185.12.59.128/25; } } rule-set untrust-to-untrust { from interface [ ae0.10 ae0.30 ]; to interface ae0.20; rule source-nat { match { source-address 0.0.0.0/0; } then { source-nat { pool { norwegian-addresses; } } } } } } destination { pool event-mediaserver { address 10.20.10.3/32 port 21; } rule-set to-storageserver { from zone untrust; rule r1 { match { destination-address 185.12.59.127/32; destination-port { 21; } } then { destination-nat { pool { event-mediaserver; } } } } } } } policies { from-zone untrust to-zone untrust { policy accept-all { match { source-address any; destination-address any; application any; } then { permit; log { session-init; session-close; } count; } } } from-zone untrust to-zone trust { policy accept-all { match { source-address any; destination-address any; application any; } then { permit; } } } } zones { security-zone untrust { host-inbound-traffic { system-services { all; } protocols { all; } } interfaces { ae0.10; ae0.20; ae0.30; } } security-zone trust { address-book { } host-inbound-traffic { system-services { all; } protocols { all; } } interfaces { lo0.0; } } } } firewall { family inet { filter v4-mgmt { term accept-ssh { from { source-prefix-list { v4-mgmt; } destination-port 22; } then { count accept-ssh; accept; } } term reject-ssh { from { destination-port 22; } then { count reject-ssh; reject; } } term accept-all { then { count accept-all; accept; } } } filter v4-fbf { term fbf-blizzard { from { destination-address { 12.129.242.30/32; 12.129.193.242/32; 80.239.186.0/25; 80.239.208.0/25; } } then { count fbf-blizzard; accept; } } term fbf-steam { from { destination-address { 92.122.219.117/32; 172.229.200.45/32; 95.101.248.45/32; 23.32.105.6/32; 23.214.66.123/32; 23.214.146.125/32; 2.17.35.235/32; 90.101.0.113/32; 146.66.156.10/32; 23.62.99.32/32; 2.18.192.192/32; 23.10.252.51/32; 23.215.60.219/32; 23.77.200.247/32; 23.10.252.26/32; 2.16.94.112/32; 95.101.0.0/22; 195.18.221.144/32; 72.165.61.0/24; 81.171.115.0/24; 87.248.217.0/24; 103.28.54.0/23; 146.66.152.0/23; 205.185.220.0/24; 208.64.200.0/24; 209.197.0.0/16; 212.187.201.0/24; } } then { count fbf-steam; accept; } } /* League of Legends EU West */ term fbf-riotgames { from { destination-address { 54.230.99.43/32; 195.18.221.144/32; 23.52.27.27/32; 172.255.83.1/32; 185.40.64.0/22; 178.255.83.1/32; } } then { count fbf-riotgames; accept; } } term fbf-spotify { from { destination-address { 54.230.98.246/32; 54.230.97.211/32; 54.230.99.207/32; 23.92.96.0/22; 23.92.100.0/22; 23.92.104.0/22; 78.31.8.0/22; 78.31.12.0/22; 192.121.53.0/24; 192.121.132.0/24; 192.121.140.0/24; 192.165.160.0/22; 193.181.4.0/22; 193.181.180.0/22; 193.182.3.0/24; 193.182.7.0/24; 193.182.8.0/21; 193.182.243.0/24; 193.234.240.0/22; 193.235.32.0/24; 193.235.51.0/24; 193.235.203.0/24; 193.235.206.0/24; 193.235.224.0/24; 193.235.232.0/22; 194.14.177.0/24; 194.68.28.0/22; 194.68.116.0/24; 194.68.169.0/24; 194.68.176.0/22; 194.68.181.0/24; 194.68.183.0/24; 194.71.148.0/22; 194.103.10.0/24; 194.103.13.0/24; 194.103.36.0/22; 194.132.152.0/22; 194.132.162.0/24; 194.132.168.0/22; 194.132.176.0/22; 194.132.196.0/22; 194.132.204.0/22; } } then { count fbf-spotify; accept; } } term fbf-origin { from { destination-address { 2.19.187.0/25; 184.86.15.128/25; 54.243.176.0/23; 23.15.8.0/24; 23.21.0.0/16; 23.23.0.0/16; 23.32.241.0/24; 23.46.0.0/16; 50.16.0.0/16; 50.17.0.0/16; 54.225.0.0/16; 81.21.146.0/24; 107.20.244.0/24; 120.29.145.0/24; 124.40.32.0/24; 125.56.200.0/24; 164.177.139.0/24; 184.73.0.0/16; 204.236.239.0/24; } } then { count fbf-origin; accept; } } term fbf-nrk { from { destination-address { 23.8.146.0/24; 46.137.77.0/24; 50.16.209.0/24; 50.16.231.0/24; 50.17.243.0/24; 54.225.239.0/24; 54.243.145.0/24; 54.243.68.0/24; 65.52.155.0/24; 77.88.106.0/24; 82.96.58.0/24; 94.245.71.0/24; 160.68.205.0/24; 174.129.219.0/24; 184.28.17.0/24; 184.73.220.0/24; 204.245.63.0/24; 204.236.234.0/24; 95.101.0.112/32; } } then { count fbf-nrk; accept; } } term fbf-twitch { from { destination-address { 185.42.204.0/22; 199.9.248.0/21; 192.16.64.0/21; } } then { count fbf-twitch; accept; } } term fbf-viaplay { from { destination-address { 54.72.0.0/13; 54.80.0.0/12; 54.224.0.0/12; 54.72.0.0/16; 54.144.0.0/14; 54.192.0.0/22; 54.246.173.25/32; 52.16.240.0/20; } } then { count fbf-viaplay; accept; } } term fbf-tv2 { from { destination-address { 77.75.208.0/21; 193.227.204.0/23; 193.160.156.0/23; } } then { count fbf-tv2; accept; } } term fbf-netflix { from { destination-address { 69.53.224.0/19; 208.75.77.0/24; 23.246.2.0/23; 23.246.4.0/22; 23.246.8.0/21; 23.246.16.0/21; 23.246.24.0/22; 23.246.28.0/23; 23.246.32.0/20; 23.246.48.0/20; 23.246.62.0/24; 23.246.63.0/24; 37.77.184.0/21; 108.175.32.0/20; 185.2.220.0/22; 185.9.188.0/23; 185.9.190.0/23; 192.173.64.0/20; 192.173.64.0/24; 192.173.80.0/20; 192.173.96.0/20; 192.173.112.0/20; 198.38.96.0/20; 198.38.112.0/21; 198.38.120.0/22; 198.38.124.0/23; 198.45.48.0/20; } } then { count fbf-netflix; accept; } } term fbf-ubisoft { from { destination-address { 216.98.62.0/23; 216.98.61.0/24; 216.98.59.0/24; 216.98.56.0/24; 216.98.48.0/24; 216.98.48.0/20; 195.88.183.0/24; 195.88.182.0/24; 195.22.144.0/23; 194.2.155.0/24; 194.169.249.0/24; 193.138.66.0/24; 185.38.20.0/22; } } then { count fbf-ubisoft; accept; } } term fbf-google { from { destination-address { 216.58.209.0/24; } } then { count fbf-google; accept; } } term accept-last { then { count accept-last; accept; } } } } family inet6 { filter v6-mgmt { term accept-ssh { from { source-prefix-list { v6-mgmt; } destination-port 22; } then { count accept-ssh; accept; } } term reject-ssh { from { destination-port 22; } then { count reject-ssh; reject; } } term accept-all { then { count accept-all; accept; } } } } }