What is the purpose of the 'exit' statement in a Juniper ScreenOS firewall configuration?

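I want to audit a Juniper firewall running ScreenOS. I have obtained the configuration file, but I am not familiar with the syntax. I am puzzled by the "exit" command.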

In the configuration file, most policies are followed by one or two additional commands and an exit statement:

[...]
set policy id <id1> name "<name1>" from "<zone1>" to "<zone2>"  "<address1>" "<address2>" "<service1>" permit log 
set policy id <id1>
exit
set policy id <id2> name "<name2>" from "<zone1>" to "<zone2>"  "<address1>" "<address2>" "<service2>" permit log 
set policy id <id2>
set service "<service3>"
set service "<service4>"
set service "<service5>"
set service "<service6>"
exit
[...]

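How should I interpret this? If the exit statement groups policies together, then there is only redundant information. The policy ID has already been set in the line above. Services 3, 4, 5 and 6, which are set in the lines below, are already combined in service 2.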

The exit statement does not only appear after set policy statements.

Answer 1

A Juniper ScreenOS configuration file is just a long list of CLI commands. If we add the prompt at the beginning of each line, the purpose of exit becomes clearer:

[...]
device-> set policy id <id1> name "<name1>" from "<zone1>" to "<zone2>"  "<address1>" "<address2>" "<service1>" permit log 
device-> set policy id <id1>
device(policy:<id1>)-> exit
device-> set policy id <id2> name "<name2>" from "<zone1>" to "<zone2>"  "<address1>" "<address2>" "<service2>" permit log 
device-> set policy id <id2>
device(policy:<id2>)-> set service "<service3>"
device(policy:<id2>)-> set service "<service4>"
device(policy:<id2>)-> set service "<service5>"
device(policy:<id2>)-> set service "<service6>"
device(policy:<id2>)-> exit
[...]
device-> save
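
An added example, not part of the original answer: a short Python parser that reads the configuration the way the answer describes, tracking the prompt context so that sub-commands between a bare set policy id and exit are attached to that policy. The sample configuration and its names are constructed, and treating each in-context set service line as an additional service on the policy is an assumption about ScreenOS behaviour.

```python
import shlex

# Constructed sample in the shape shown on the page (zone/address/service names are made up).
SAMPLE = '''\
set policy id 1 name "web" from "Untrust" to "DMZ"  "Any" "web-srv" "HTTP" permit log
set policy id 1
exit
set policy id 2 name "mgmt" from "Trust" to "DMZ"  "admins" "web-srv" "SSH" permit log
set policy id 2
set service "HTTPS"
set service "PING"
exit
'''


def parse_policies(text):
    """Return {policy_id: dict}, folding context sub-commands into their policy."""
    policies, ctx = {}, None              # ctx: id of the policy context we are inside
    for raw in text.splitlines():
        tok = shlex.split(raw)            # honours the double-quoted names
        if not tok:
            continue
        if tok == ["exit"]:               # leave the current context (harmless at top level)
            ctx = None
        elif ctx is not None:             # sub-command: applies to policy <ctx> (assumption)
            key = "services" if tok[:2] == ["set", "service"] and len(tok) == 3 else "extra"
            policies[ctx][key].append(tok[2] if key == "services" else raw.strip())
        elif tok[:3] == ["set", "policy", "id"] and len(tok) == 4:
            ctx = int(tok[3])             # bare "set policy id N": enter the context
            policies.setdefault(ctx, {"services": [], "extra": []})
        elif tok[:3] == ["set", "policy", "id"] and "from" in tok[4:7]:
            j = 6 if tok[4] == "name" else 4   # skip the optional name "<name>" pair
            policies[int(tok[3])] = {
                "name": tok[5] if j == 6 else None,
                "from": tok[j + 1], "to": tok[j + 3],
                "src": tok[j + 4], "dst": tok[j + 5],
                "services": [tok[j + 6]], "action": tok[j + 7:], "extra": [],
            }
    return policies


if __name__ == "__main__":
    for pid, p in parse_policies(SAMPLE).items():
        print(pid, p["from"], "->", p["to"], p["src"], p["dst"], p["services"], p["action"])
```

For an audit, the merged services list is the one to review, and anything collected under extra is an in-context sub-command the parser did not recognise and that needs a manual look.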
