
On a Netscreen 5 using the Home–Work port mode, Home cannot talk to Work.
You cannot change or remove the rule that denies traffic from Home to Work. You cannot add an exception that allows some traffic from Home to Work. If you try to change the rule, you get a less than helpful error:

    set policy from "Home" to "Work" "Any" "Any" "ANY" permit
    unknown keyword Any

I'm aiming for a setup where I have separate networks for public services (Web, Email, DNS) and management/private services (SSH, LDAP, Syslog) with a firewall in the middle arbitrating access.
The general public should only be able to access public services on public service machines.
Public service machines should only be able to access services that they need on private service machines.
Private machines need full access to public machines for service monitoring (Nagios and Cacti/SNMP).
So it turns out that I cannot use the Home–Work port mode because in some cases the public network needs access to the private network and the private network needs full access to the public network.
Tomorrow I'm going to try Trust–Untrust port mode with a secondary IP on the Trust interface for the private subnet and Intra–zone policies to control communication between the two subnets.
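What that Trust–Untrust plan could look like in ScreenOS CLI, added here as an illustration and not the author's configuration: the addresses (documentation ranges), object names, the choice of LDAP and Syslog as the services public machines need, and the exact keywords are assumptions, and the # lines are annotations, not ScreenOS syntax.

```screenos
# Assumed layout: untrust faces the Internet; trust carries the public subnet
# on its primary IP and the private/management subnet on a secondary IP.
set interface untrust ip 203.0.113.2/24
set interface trust ip 192.0.2.1/24
set interface trust ip 198.51.100.1/24 secondary

# Address book entries for the two subnets (placeholder ranges).
set address trust "public-net" 192.0.2.0 255.255.255.0
set address trust "private-net" 198.51.100.0 255.255.255.0

# Service groups: what the public may reach, and what public machines
# are assumed to need from the private side (LDAP lookups, syslog).
set group service "public-svcs" add HTTP
set group service "public-svcs" add SMTP
set group service "public-svcs" add DNS
set group service "needed-by-public" add LDAP
set group service "needed-by-public" add SYSLOG

# Intra-zone blocking: without this, trust-to-trust traffic between the
# two subnets is permitted by default and the policies below never apply.
set zone trust block

# 1. The general public reaches only public services on public machines
#    (untrust-to-trust is denied by default, so nothing else gets in).
set policy from untrust to trust any "public-net" "public-svcs" permit

# 2. Public machines reach only what they need on private machines;
#    everything else from public to private is dropped and logged.
#    Order matters: the permit must come before the catch-all deny.
set policy from trust to trust "public-net" "private-net" "needed-by-public" permit
set policy from trust to trust "public-net" "private-net" ANY deny log

# 3. Private machines get full access to public machines (Nagios, SNMP).
set policy from trust to trust "private-net" "public-net" ANY permit
```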
Labels: netscreen, sysadmin
So, I recently acquired a Netscreen 5XT—the smallest firewall available from Juniper.
Since I purchased it through eBay, Juniper will not let me purchase a support contract for it unless I first pay a warranty reinstatement fee. This reinstatement fee is equal to one year of support.
It turns out that the 5XT, one year of support, and the support reinstatement fee combined still cost less than a PIX 506e without support.
Now if I can just figure out why my VPN is not working…
Labels: netscreen, sysadmin