vyos [ vyatta ]

期盼了很久 Vyatta 的社群版終於出現了.
 [vyatta community edition next ... Vyos ?? ]
自從 Brocade 收編了 Vyatta 之後,
已經沒有 open source 版的 vyatta 可供更新與使用.
還好在 wiki 看到了一則訊息,就是 Vyos 的誔生!


about  vyatta

http://en.wikipedia.org/wiki/Vyatta

Vyatta Core
The free community Vyatta Core software(VC) is an
open source network operating system
providing advanced IPv4 and IPv6 routing, stateful firewalling,
 secure communication through both an IPSec based VPN
as well as through the SSL based OpenVPN.[5]

In October 2013 an independent group started a fork of Vyatta Core under VyOS name.[6]


http://vyos.net/wiki/User_Guide


Introduction

VyOS is a Linux-based network operating system that provides software-based
networkrouting, firewall, and VPN functionality.
The VyOS project was started in late 2013 as a community fork of the GPL
portions of Vyatta Core 6.6R1 with the goal of maintaining a free and open source
network operating system in response to the decision to discontinue the community
edition of Vyatta.
VyOS is primarily based on Debian GNU/Linux and the Quagga routing engine. It's
configuration syntax and command-line interface are loosely derived from Juniper
JUNOS as modeled by the XORP project (which was the original routing engine Vyatta
was based upon). Vyatta changed to the Quagga routing engine for release 4.0.



http://vyos.net/wiki/Migrating_from_Vyatta


Migrating from Vyatta LAB 


vyatta@vyatta:~$ show system image 
The system currently has the following image(s) installed:

   1: VC6.6R1 (default boot)

vyatta@vyatta:~$ show ver 
Version:      VC6.6R1
Description:  Vyatta Core 6.6 R1
Copyright:    2006-2013 Vyatta, Inc.
Built by:     autobuild@vyatta.com
Built on:     Tue Apr 30 21:18:42 UTC 2013
Build ID:     1304302121-de93a07
System type:  Intel 32bit
Boot via:     image
Hypervisor:   VMware
HW model:     VMware Virtual Platform
HW S/N:       VMware-56 4d 0a 12 df 64 2e 88-1c 4c 89 e2 cb 05 78 f4
HW UUID:      564D0A12-DF64-2E88-1C4C-89E2CB0578F4
Uptime:       11:56:19 up 12 min,  2 users,  load average: 0.24, 0.14, 0.08

vyatta@vyatta:~$ show configuration commands
set interfaces ethernet eth0 address '192.168.100.99/24'
set interfaces ethernet eth0 hw-id '00:0c:29:05:78:f4'
set interfaces ethernet eth1 hw-id '00:0c:29:05:78:fe'
set interfaces ethernet eth2 hw-id '00:0c:29:05:78:08'
set interfaces loopback 'lo'
set service ssh port '22'
set system config-management commit-revisions '20'
set system console device ttyS0 speed '9600'
set system login user vyatta authentication encrypted-password '$1$EtTv8/b4$0wgW4lkykvMSOoXN/8gKH.'
set system login user vyatta level 'admin'
set system ntp server '0.vyatta.pool.ntp.org'
set system ntp server '1.vyatta.pool.ntp.org'
set system ntp server '2.vyatta.pool.ntp.org'
set system package repository community components 'main'
set system package repository community distribution 'stable'
set system package repository community url 'http://packages.vyatta.com/vyatta'
set system syslog global facility all level 'notice'
set system syslog global facility protocols level 'debug'

vyatta@vyatta:~$ add system image http://192.168.100.200/vyos-1.0.4-i586.iso
Trying to fetch ISO file from http://192.168.100.200/vyos-1.0.4-i586.iso
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  213M  100  213M    0     0  5383k      0  0:00:40  0:00:40 --:--:-- 5583k
ISO download succeeded.
Checking for digital signature file...
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
curl: (22) The requested URL returned error: 404
Unable to fetch digital signature file.
Do you want to continue without signature check? (yes/no) [yes]
Checking MD5 checksums of files on the ISO image...OK.
Done!
What would you like to name this image? [1.0.4]:
OK.  This image will be named: 1.0.4
Installing "1.0.4" image.
Copying new release files...
Would you like to save the current configuration
directory and config file? (Yes/No) [Yes]:
Copying current configuration...
Would you like to save the SSH host keys from your
current configuration? (Yes/No) [Yes]:
Copying SSH keys...
Setting up grub configuration...
Done.


vyatta@vyatta:~$ reboot
Proceed with reboot? (Yes/No) [No] yes

Broadcast message from root@vyatta (pts/0) (Sat Sep 13 11:59:42 2014):

The system is going down for reboot NOW!
vyatta@vyatta:~$

以 SSH 登入後的驗證畫面

但還是沒有 web UI

 

直接新安裝的畫面

以 SSH 登入後的畫面

Welcome to VyOS
Linux vyatta 3.3.8-1-586-vyatta #1 SMP Sun Nov 17 02:19:52 CET 2013 i686
Welcome to VyOS.
This system is open-source software. The exact distribution terms for
each module comprising the full system are described in the individual
files in /usr/share/doc/*/copyright.
Last login: Sat Sep 13 12:39:45 2014 from 192.168.100.200
vyos@vyos:~$ show system image 
The system currently has the following image(s) installed:

   1: 1.0.4 (default boot)

vyos@vyos:~$ show ver 
Version:      VyOS 1.0.4
Description:  VyOS 1.0.4 (hydrogen)
Copyright:    2014 SO3 Group
Built by:     maintainers@vyos.net
Built on:     Mon Jun 16 16:01:30 UTC 2014
Build ID:     1406161601-32e5690
System type:  x86 32-bit
Boot via:     image
Hypervisor:   VMware
HW model:     VMware Virtual Platform
HW S/N:       VMware-56 4d 0a 12 df 64 2e 88-1c 4c 89 e2 cb 05 78 f4
HW UUID:      564D0A12-DF64-2E88-1C4C-89E2CB0578F4
Uptime:       12:40:30 up 3 min,  2 users,  load average: 0.15, 0.18, 0.08

vyos@vyos:~$ show configuration commands 
set interfaces ethernet eth0 address '192.168.100.99/24'
set interfaces ethernet eth0 hw-id '00:0c:29:05:78:f4'
set interfaces ethernet eth1 hw-id '00:0c:29:05:78:fe'
set interfaces ethernet eth2 hw-id '00:0c:29:05:78:08'
set interfaces loopback 'lo'
set service ssh port '22'
set system config-management commit-revisions '20'
set system console device ttyS0 speed '9600'
set system login user vyos authentication encrypted-password '$1$PytHQR0S$s8xrM13kk/YVbW0KR6s4n/'
set system login user vyos level 'admin'
set system ntp server '0.pool.ntp.org'
set system ntp server '1.pool.ntp.org'
set system ntp server '2.pool.ntp.org'
set system package repository community components 'main'
set system package repository community distribution 'hydrogen'
set system package repository community url 'http://packages.vyos.net/vyos'
set system syslog global facility all level 'notice'
set system syslog global facility protocols level 'debug'
vyos@vyos:~$

Logstash Shipper and Indexer

http://logstash.net/docs/1.2.2/tutorials/getting-started-centralized-overview-diagram.png

logstash shipper configuration  

[root@CentOS6 init.d]# pwd
/etc/init.d
[root@CentOS6 init.d]# cat logstash-agent
#!/bin/bash
# From The Logstash Book
# The original of this file can be found at: http://logstashbook.com/code/index.html
#
#
# Logstash Start/Stop logstash
#
# chkconfig: 345 99 99
# description: Logstash
# processname: logstash

name="logstash-agent"
logstash_bin="/opt/logstash/bin/logstash"
logstash_conf="/etc/logstash/shipper.conf"
logstash_log="/var/log/logstash/shipper.log"

find_logstash_process () {
    PIDTEMP=`ps ux | grep logstash | grep java | awk '{ print $2 }'`
    # Pid not found
    if [ "x$PIDTEMP" = "x" ]; then
        PID=-1
    else
        PID=$PIDTEMP
    fi
}

start () {
    LOG_DIR=`dirname ${logstash_log}`
    if [ ! -d $LOG_DIR ]; then
      echo "Log dir ${LOG_DIR} doesn't exist. Creating"
      mkdir $LOG_DIR
    fi
    nohup ${logstash_bin} agent --verbose -f ${logstash_conf} --log ${logstash_log} > /dev/null 2>&1 &
}

stop () {
    find_logstash_process
    if [ $PID -ne -1 ]; then
        kill $PID
    fi
}

case $1 in
start)
        start
        ;;
stop)
        stop
        exit 0
        ;;
reload)
        stop
        sleep 2
        start
        ;;
restart)
        stop
        sleep 2
        start
        ;;
status)
        find_logstash_process
        if [ $PID -gt 0 ]; then
          echo "logstash running: $PID"
          exit 0
        else
          echo "logstash not running"
          exit 1
        fi
        ;;
*)
        echo $"Usage: $0 {start|stop|restart|reload|status}"
        RETVAL=1
esac
exit 0
[root@CentOS6 init.d]# cat /etc/logstash/shipper.conf 
input {
file {
        type => "syslog"
path => ["/syslog/apache/mod_jk*.log","/syslog/tomcat/*.log"]
        tags => "tomcat"
}
}


output {
       redis {
       host => "192.168.1.145"
       data_type => "list"
       key => "logstash"
       }
}
[root@CentOS6 init.d]#

Logstash Indexer configuration 


[root@Test-Logstash conf.d]# pwd
/etc/logstash/conf.d
[root@Test--Logstash conf.d]# cat syslog.conf 
input {
  tcp {
    type => "syslog"
    port => 514
  }
  udp {
    type => "syslog"
    port => 514
  }
  redis {
host => "127.0.0.1"
type => "redis-input"
data_type => "list"
key => "logstash"
# codec => "json"
 }
}


filter {
  if [type] == "syslog" {
    grok {
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
      add_field => [ "received_at", "%{@timestamp}" ]
      add_field => [ "received_from", "%{host}" ]
    }
    syslog_pri { }
    date {
      match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
  }
  if [type] == "apache" {
    grok {
      # See the following URL for a complete list of named patterns
      # logstash/grok ships with by default:
      # https://github.com/logstash/logstash/tree/master/patterns
      #
      # The grok filter will use the below pattern and on successful match use
      # any captured values as new fields in the event.
      match => { "message" => "%{COMBINEDAPACHELOG}" }
    }
    date {
      # Try to pull the timestamp from the 'timestamp' field (parsed above with
      # grok). The apache time format looks like: "18/Aug/2011:05:44:34 -0700"
      match => [ "timestamp", "dd/MMM/yyyy:HH:mm:ss Z" ]
    }
  }
}


output {
  elasticsearch {
    embedded => true
  }
}

[root@Test-Logstash conf.d]#

Logstash + Elasticsearch + Kibana

Logstash  + Elasticsearch + Kibana
類似 Splunk 的功能 OpenSource

Logstash 的使用結合  Elasticsearch  與  Kibana

Logstash + Elasticsearch + Kibana

角色說明:

(0) rsyslog [Remote linux server ]
(1) syslog collector [ Logstash ]
(2) search server [Elasticsearch ]
(3) web ui [ Kibana ]

官方實用說明
http://www.logstash.net/docs/1.4.2/tutorials/10-minute-walkthrough/
http://logstash.net/docs/1.4.2/tutorials/getting-started-with-logstash


分別使用 rpm & yum 安裝必要的軟體

(Logstash)

官網上下載該 rpm 安裝即可
 (  http://www.elasticsearch.org/overview/elkdownloads/  )
[root@Test-Logstash syslog]# rpm -qa | grep logstash
logstash-contrib-1.4.2-1_efd53ef.noarch
logstash-1.4.2-1_2c0f5a1.noarch

(Java)

yum 安裝即可
[root@Test-Logstash syslog]# rpm -qa | grep java
tzdata-java-2014e-1.el6.noarch
java-1.7.0-openjdk-1.7.0.65-2.5.1.2.el6_5.x86_64

(Elasticsearch)

官網上下載該 rpm 安裝即可
 ( http://www.elasticsearch.org/overview/elkdownloads/ )
[root@Test-Logstash src]# rpm -qa | grep elasticsearch
elasticsearch-1.3.2-1.noarch

(Kinaba)

kibana 官網上下載該檔案即可
 ( http://www.elasticsearch.org/overview/elkdownloads/ )
kibana-3.1.0.tar.gz 並解壓縮後放置於 /var/www/html 內即可,目錄名稱可自行命名之

(Remote Syslog Client)

修改 rsyslog.conf 並重啟該服務即可
最簡單的設定方式

在最下方加入
*.* @xxx.xxx.xxx
or
*.* @@xxx.xxx.xxx




設定 logstash 的 conf

[root@Test-Logstash conf.d]# pwd
/etc/logstash/conf.d
[root@Test-Logstash conf.d]# cat syslog.conf 
input {
  tcp {
    type => "syslog"
    port => 514
  }
  udp {
    type => "syslog"
    port => 514
  }
}

filter {
  if [type] == "syslog" {
    grok {
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
      add_field => [ "received_at", "%{@timestamp}" ]
      add_field => [ "received_from", "%{host}" ]
    }
    syslog_pri { }
    date {
      match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
  }
}


output {
  elasticsearch {
    embedded => true
  }
}

[root@Test-Logstash conf.d]#


將 logstash 服務改由 root 身份啟動

[root@Test-Logstash init.d]# pwd
/etc/init.d
[root@Test-Logstash init.d]# cat logstash
#!/bin/sh
# Init script for logstash
# Maintained by Elasticsearch
# Generated by pleaserun.
# Implemented based on LSB Core 3.1:
#   * Sections: 20.2, 20.3
#
### BEGIN INIT INFO
# Provides:          logstash
# Required-Start:    $remote_fs $syslog
# Required-Stop:     $remote_fs $syslog
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description:
# Description:        Starts Logstash as a daemon.
### END INIT INFO

PATH=/sbin:/usr/sbin:/bin:/usr/bin
export PATH

if [ `id -u` -ne 0 ]; then
   echo "You need root privileges to run this script"
   exit 1
fi

name=root
pidfile="/var/run/$name.pid"

LS_USER=root
LS_GROUP=root


設定 Kibana config  內的 elasticsearch 的 url

[root@Test-Logstash syslog]# pwd
/var/www/html/syslog
[root@Test-Logstash syslog]# cat config.js
/** @scratch /configuration/config.js/1
 *
 * == Configuration
 * config.js is where you will find the core Kibana configuration. This file contains parameter that
 * must be set before kibana is run for the first time.
 */
define(['settings'],
function (Settings) {


  /** @scratch /configuration/config.js/2
   *
   * === Parameters
   */
  return new Settings({

    /** @scratch /configuration/config.js/5
     *
     * ==== elasticsearch
     *
     * The URL to your elasticsearch server. You almost certainly don't
     * want +http://localhost:9200+ here. Even if Kibana and Elasticsearch are on
     * the same host. By default this will attempt to reach ES at the same host you have
     * kibana installed on. You probably want to set it to the FQDN of your
     * elasticsearch host
     *
     * Note: this can also be an object if you want to pass options to the http client. For example:
     *
     *  +elasticsearch: {server: "http://localhost:9200", withCredentials: true}+
     *
     */
    elasticsearch: "http://192.168.111.145:9200",


Demo

elasticsearch test 

Kibana

Rsyslog + Elasticsearch + Kibana

類似 Splunk 的功能 OpenSource

rsyslog 的進階使用結合  Elasticsearch  與  Kibana

Rsyslog + Elasticsearch + Kibana

角色說明:
(0) rsyslog [Remote linux server ]
(1) rsyslog collector [ Rsyslog ]
(2) search server [Elasticsearch ]
(3) web ui [ Kibana ]


(1)升級並安裝 rsyslog 8.x等必要套件

[root@Rsyslog yum.repos.d]# pwd
/etc/yum.repos.d
[root@Rsyslog yum.repos.d]# cat rsyslog.repo
[rsyslog_v8]
name=Adiscon CentOS-$releasever - local packages for $basearch
baseurl=http://rpms.adiscon.com/v8-stable/epel-$releasever/$basearch
enabled=1
gpgcheck=0
gpgkey=http://rpms.adiscon.com/RPM-GPG-KEY-Adiscon
protect=1
[root@Rsyslog yum.repos.d]#

yum update rsyslog
yum install rsyslog-debuginfo rsyslog-libdbi rsyslog-mysql rsyslog-relp rsyslog-snmp rsyslog-elasticsearch rsyslog-mmanon rsyslog-mmfields rsyslog-mmjsonparse rsyslog-mmnormalize rsyslog-mmutf8fix rsyslog-ommail

[root@Rsyslog rsyslog.d]# rpm -qa | grep rsyslog
rsyslog-8.2.2-1.el6.x86_64
rsyslog-mmfields-8.2.2-1.el6.x86_64
rsyslog-relp-8.2.2-1.el6.x86_64
rsyslog-snmp-8.2.2-1.el6.x86_64
rsyslog-ommail-8.2.2-1.el6.x86_64
rsyslog-mmjsonparse-8.2.2-1.el6.x86_64
rsyslog-mysql-8.2.2-1.el6.x86_64
rsyslog-debuginfo-8.2.2-1.el6.x86_64
rsyslog-mmutf8fix-8.2.2-1.el6.x86_64
rsyslog-mmnormalize-8.2.2-1.el6.x86_64
rsyslog-mmanon-8.2.2-1.el6.x86_64
rsyslog-elasticsearch-8.2.2-1.el6.x86_64
rsyslog-libdbi-8.2.2-1.el6.x86_64
[root@Rsyslog rsyslog.d]#

(2)安裝 java & Elasticsearch

http://www.elasticsearch.org/overview/elkdownloads/

wget https://download.elasticsearch.org/elasticsearch/elasticsearch/elasticsearch-1.3.2.noarch.rpm

rpm 安裝即可

(3)安裝 Kibana ( search web api )
wget https://download.elasticsearch.org/kibana/kibana/kibana-3.1.0.tar.gz
放在 web -root 即可

其它重要設定

vi /etc/rsyslog.conf

新增 rsyslog  listen port

# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514

# Provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514


新增與 Elasticsearch 介接設定 syslog.conf

[root@Rsyslog rsyslog.d]# pwd
/etc/rsyslog.d
[root@Rsyslog rsyslog.d]# cat syslog.conf
module(load="omelasticsearch") # for outputting to Elasticsearch

# this is for index names to be like: logstash-YYYY.MM.DD
template(name="logstash-index" type="list") {
 constant(value="logstash-")
 property(name="timereported" dateFormat="rfc3339" position.from="1" position.to="4")
 constant(value=".")
 property(name="timereported" dateFormat="rfc3339" position.from="6" position.to="7")
 constant(value=".")
 property(name="timereported" dateFormat="rfc3339" position.from="9" position.to="10")
}

# this is for formatting our syslog in JSON with @timestamp
 template(name="plain-syslog" type="list") {
 constant(value="{")
 constant(value="\"@timestamp\":\"")     property(name="timereported" dateFormat="rfc3339")
 constant(value="\",\"@host\":\"")       property(name="hostname")
 constant(value="\",\"@severity\":\"")   property(name="syslogseverity-text")
 constant(value="\",\"@facility\":\"")   property(name="syslogfacility-text")
 constant(value="\",\"@syslogtag\":\"")  property(name="syslogtag" format="json")
 constant(value="\",\"@message\":\"")    property(name="msg" format="json")
 constant(value="\"}")
 }
# this is where we actually send the logs to Elasticsearch (localhost:9200 by default)
action(type="omelasticsearch" template="plain-syslog" searchIndex="logstash-index" dynSearchIndex="on")

參考 url http://blog.sematext.com/2013/07/01/recipe-rsyslog-elasticsearch-kibana/

demo

rsyslog 的進階使用,將一般文字檔重導到 log server 內. ( InputFileName )

rsyslog 的進階使用,將一般文字檔重導到 log server 內.

使用環境 CentOS 6.5  rsyslog-5.8.10-8.el6.x86_64

[root@CentOS6 rsyslog.d]# pwd
/etc/rsyslog.d
[root@CentOS6 rsyslog.d]# cat messagesystem.conf

$ModLoad imfile
$WorkDirectory /var/spool/rsyslog


#Add a tag for tomcat events
$template LogglyFormatTomcat,"<%pri%>%protocol-version% %timestamp:::date-rfc3339% %HOSTNAME% %app-name% %procid% %msgid% [ MessageSystme tag=\"tomcat\"] %msg%\n"

# MessageSystem Log

$InputFileName /syslog/tomcat/MessageSystem.log
$InputFileTag messagesystem-log
$InputFileStateFile messagesystem-log
$InputFileSeverity info
$InputFilePollInterval 1
$InputFilePersistStateInterval 1
$InputRunFileMonitor
if $programname == 'messagesystem-log' then @192.168.1.1:514;LogglyFormatTomcat
if $programname == 'messagesystem-log' then ~

其它參考設定可自行參閱 https://www.loggly.com/docs/sending-apache-logs/
或使用參數 http://www.rsyslog.com/doc/property_replacer.html

Juniper VSRX ( Juniper SRX 虛擬機 )

繼 Olive 之後，Juniper又釋出 VSRX 的虛擬機供人試用，日前網上看到是

12.1X44-D20 以下 LAB 用的則是 junos-vsrx-12.1X44-D10.4-domestic.ova

https://www.juniper.net/support/downloads/?p=firefly#sw

可使用 VMware 的軟體將其載入為 GuestOS,

即然是 juniper srx 的模擬器，當然只可使用 com port 連入做初使化作業，

開機畫面跟 Olive 差不了多少，只是傳統的 Olive 是 Router 模擬器，而 vSRX 則是 Firewall 模擬器．在開機之後可使用 root 直接 login不需密碼，接下來就是開始設定 root 密碼，指令如下:

set system root-authentication plain-text-password 

如從未使用過 Junos 的人可參考下面這份中文手冊．以了解  Juniper  Junos 的作業系統

http://www.juniper.net/tw/tc/local/pdf/design-guides/JSF1_DO_JUNOS_CLI.pdf

當然也可以透過 start shll 的方式回到 OS 底層去修改 loader.conf 讓 vSRX 可以支援螢幕顯示．

vi  /boot/loader.conf

console="comconsole"　原始 console 設定 改為 console="vidconsole" 如下所示

root@% vi /boot/loader.conf 

kernel="/kernel"

bootfile="/kernel;/kernel.old"

autoboot_delay="2"

console="vidconsole"

libmbpool_load="YES"

if_em_vjx_load="YES"

kern.maxusers="16"

kern.maxfiles="1500"

kern.ipc.nmbclusters="640"

kern.maxdsiz="1073741824"

kern.lockable_mem_ratio="1"

kern.lapic_timer_use_hz="1"

kern.aps_lapic_timer_interrupt_enable="0"

kern.bsp_handle_all_interrupts="1"

kern.hz="500"

retype="129"

machdep.hyperthreading_allowed="1"

.

或者直接將 IP 設定上，用 web 或 ssh 直入

設定好 root 密碼與 ge-0/0/0 ip 時的 configuration 

root> show configuration | display set 

set version 12.1X44.4

set system root-authentication encrypted-password "$1$A0TymRZw$VZAOq32ZmadEQCfksmp.m."

set system login user juniper uid 100

set system login user juniper class super-user
set system login user juniper authentication encrypted-password "$1$E/kbFUN8$MytyvxTbYA29DY5v2kZ7X1"

set system services ssh

set system services web-management http interface ge-0/0/0.0

set system syslog user * any emergency

set system syslog file messages any any

set system syslog file messages authorization info

set system syslog file interactive-commands interactive-commands any

set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval

set interfaces ge-0/0/0 unit 0 family inet address 192.168.1.100/24

set security screen ids-option untrust-screen icmp ping-death

set security screen ids-option untrust-screen ip source-route-option

set security screen ids-option untrust-screen ip tear-drop

set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024

set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200

set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024

set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048

set security screen ids-option untrust-screen tcp syn-flood queue-size 2000

set security screen ids-option untrust-screen tcp syn-flood timeout 20

set security screen ids-option untrust-screen tcp land

set security policies from-zone trust to-zone trust policy default-permit match source-address any

set security policies from-zone trust to-zone trust policy default-permit match destination-address any

set security policies from-zone trust to-zone trust policy default-permit match application any

set security policies from-zone trust to-zone trust policy default-permit then permit

set security policies from-zone trust to-zone untrust policy default-permit match source-address any

set security policies from-zone trust to-zone untrust policy default-permit match destination-address any

set security policies from-zone trust to-zone untrust policy default-permit match application any

set security policies from-zone trust to-zone untrust policy default-permit then permit

set security policies from-zone untrust to-zone trust policy default-deny match source-address any

set security policies from-zone untrust to-zone trust policy default-deny match destination-address any

set security policies from-zone untrust to-zone trust policy default-deny match application any

set security policies from-zone untrust to-zone trust policy default-deny then deny

set security zones security-zone trust tcp-rst

set security zones security-zone trust interfaces ge-0/0/0.0 host-inbound-traffic system-services http

set security zones security-zone trust interfaces ge-0/0/0.0 host-inbound-traffic system-services https

set security zones security-zone trust interfaces ge-0/0/0.0 host-inbound-traffic system-services ssh

set security zones security-zone trust interfaces ge-0/0/0.0 host-inbound-traffic system-services telnet

set security zones security-zone trust interfaces ge-0/0/0.0 host-inbound-traffic system-services dhcp

set security zones security-zone untrust screen untrust-screen

 root> show version 

Model: junosv-firefly

JUNOS Software Release [12.1X44-D10.4]

root> 

30天試用 想學 srx 可由這開始