Juniper SRX — block websites

Task: at the firewall level, prevent users on the local network from reaching specific IP addresses (blocking social networks, services, etc.).

In this example I block access by IP address to VK and Odnoklassniki.

conf
set interfaces pp0 unit 0 family inet filter output BLOCK_firewall
set firewall family inet filter BLOCK_firewall term VK0 from address 95.213.0.0/16
set firewall family inet filter BLOCK_firewall term VK0 then discard
set firewall family inet filter BLOCK_firewall term VK1 from address 95.142.206.0/24
set firewall family inet filter BLOCK_firewall term VK1 then discard
set firewall family inet filter BLOCK_firewall term VK2 from address 95.142.202.0/24
set firewall family inet filter BLOCK_firewall term VK2 then discard
set firewall family inet filter BLOCK_firewall term VK3 from address 95.142.200.0/24
set firewall family inet filter BLOCK_firewall term VK3 then discard
set firewall family inet filter BLOCK_firewall term VK4 from address 95.142.192.0/24
set firewall family inet filter BLOCK_firewall term VK4 then discard
set firewall family inet filter BLOCK_firewall term VK5 from address 93.186.232.0/24
set firewall family inet filter BLOCK_firewall term VK5 then discard
set firewall family inet filter BLOCK_firewall term VK6 from address 93.186.224.0/24
set firewall family inet filter BLOCK_firewall term VK6 then discard
set firewall family inet filter BLOCK_firewall term VK7 from address 87.240.128.0/24
set firewall family inet filter BLOCK_firewall term VK7 then discard
set firewall family inet filter BLOCK_firewall term VK8 from address 185.32.251.0/24
set firewall family inet filter BLOCK_firewall term VK8 then discard
set firewall family inet filter BLOCK_firewall term VK9 from address 185.32.250.0/24
set firewall family inet filter BLOCK_firewall term VK9 then discard
set firewall family inet filter BLOCK_firewall term VK10 from address 185.32.248.0/24
set firewall family inet filter BLOCK_firewall term VK10 then discard
set firewall family inet filter BLOCK_firewall term VK11 from address 185.29.130.0/24
set firewall family inet filter BLOCK_firewall term VK11 then discard
set firewall family inet filter BLOCK_firewall term VK12 from address 87.240.165.0/24
set firewall family inet filter BLOCK_firewall term VK12 then discard
set firewall family inet filter BLOCK_firewall term odnok0 from address 217.20.155.0/24
set firewall family inet filter BLOCK_firewall term odnok0 then discard
set firewall family inet filter BLOCK_firewall term odnok1 from address 5.61.23.0/24
set firewall family inet filter BLOCK_firewall term odnok1 then discard
set firewall family inet filter BLOCK_firewall term odnok2 from address 217.20.156.0/24
set firewall family inet filter BLOCK_firewall term odnok2 then discard
set firewall family inet filter BLOCK_firewall term OTHER then accept
commit confirmed 3
commit
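
The same filter, generated and checked programmatically. This is an added example, not part of the original post: the prefixes and term names are copied from the config above, while the Python functions are mine; they only emit the set commands and simulate how Junos walks the terms top to bottom (first match wins, implicit discard at the end), they do not talk to the device.

```python
import ipaddress

# Prefix groups copied from the post's BLOCK_firewall terms (VK0..VK12, odnok0..odnok2).
BLOCKED = {
    "VK": [
        "95.213.0.0/16", "95.142.206.0/24", "95.142.202.0/24", "95.142.200.0/24",
        "95.142.192.0/24", "93.186.232.0/24", "93.186.224.0/24", "87.240.128.0/24",
        "185.32.251.0/24", "185.32.250.0/24", "185.32.248.0/24", "185.29.130.0/24",
        "87.240.165.0/24",
    ],
    "odnok": ["217.20.155.0/24", "5.61.23.0/24", "217.20.156.0/24"],
}


def build_filter(filter_name, groups, interface="pp0", unit=0):
    """Return Junos 'set' lines: one discard term per prefix, then a final accept.
    Term names follow the post's pattern <group><index>; the filter is applied
    in the output direction of the given interface, as in the post."""
    lines = [f"set interfaces {interface} unit {unit} family inet filter output {filter_name}"]
    for group, prefixes in groups.items():
        for i, prefix in enumerate(prefixes):
            base = f"set firewall family inet filter {filter_name} term {group}{i}"
            lines.append(f"{base} from address {prefix}")
            lines.append(f"{base} then discard")
    # Without this final term a Junos filter implicitly discards everything else.
    lines.append(f"set firewall family inet filter {filter_name} term OTHER then accept")
    return lines


def evaluate(groups, address):
    """Simulate Junos first-match term evaluation for one IP address.
    'from address' matches either source or destination; on an output filter
    the address the user is trying to reach is the destination."""
    ip = ipaddress.ip_address(address)
    for group, prefixes in groups.items():
        for i, prefix in enumerate(prefixes):
            if ip in ipaddress.ip_network(prefix):
                return f"{group}{i}", "discard"
    return "OTHER", "accept"


if __name__ == "__main__":
    print("\n".join(build_filter("BLOCK_firewall", BLOCKED)))
    for probe in ("95.213.1.1", "217.20.156.5", "8.8.8.8"):  # constructed test addresses
        print(probe, *evaluate(BLOCKED, probe))
```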

Now, if we ping the site by its domain name, we get:
