Huawei Firewall Security Policy Configuration
I. Requirements and Topology
Requirements:
1. Users in the trust zone can access users in the untrust zone and the dmz zone;
2. Users in the untrust zone can only access ICMP and Telnet traffic to the dmz zone;
3. Users in the dmz zone can access neither the untrust zone nor the trust zone;
4. Within the trust zone, only ICMP traffic from the source address range 192.168.1.0/24 is allowed;
II. Basic Configuration
Firewall huaweifw:
system-view
sysname huaweifw
interface gigabitethernet0/0/0
ip address 202.100.1.10 255.255.255.0
quit
interface gigabitethernet0/0/1
ip address 172.16.1.10 255.255.255.0
quit
interface gigabitethernet0/0/2
ip address 192.168.1.10 255.255.255.0
quit
interface gigabitethernet0/0/3
ip address 192.168.10.10 255.255.255.0
quit
firewall zone trust
add interface gigabitethernet0/0/2
add interface gigabitethernet0/0/3
quit
firewall zone untrust
add interface gigabitethernet0/0/0
quit
firewall zone dmz
add interface gigabitethernet0/0/1
quit
ar1:
system-view
sysname ar5
interface gigabitethernet0/0/0
ip address 192.168.10.1 255.255.255.0
quit
ip route-static 0.0.0.0 0.0.0.0 192.168.10.10
ar2:
system-view
sysname dmz
interface gigabitethernet 0/0/0
ip address 172.16.1.1 24
quit
ip route-static 0.0.0.0 0 172.16.1.10
ar3:
system-view
sysname trust
interface gigabitethernet 0/0/0
ip address 192.168.1.1 24
interface loopback0
ip address 2.2.2.2 32
quit
ip route-static 0.0.0.0 0 192.168.1.10
quit
III. Firewall Policy Configuration
The firewall's default policies are:
#
firewall packet-filter default permit interzone local trust direction inbound
firewall packet-filter default permit interzone local trust direction outbound
firewall packet-filter default permit interzone local untrust direction outbound
firewall packet-filter default permit interzone local dmz direction outbound
#
firewall session link-state check    == enable session link-state checking
firewall packet-filter default deny all    == deny all traffic
Configure the security access policies
Trust zone users can access untrust zone and dmz zone users (outbound means from the higher-priority zone, trust, to the lower-priority zone):
firewall packet-filter default permit interzone trust untrust direction outbound
firewall packet-filter default permit interzone trust dmz direction outbound
Untrust zone users can only access ICMP and Telnet traffic to the dmz zone (inbound means from the lower-priority zone, untrust, to the higher-priority zone, dmz):
policy interzone dmz untrust inbound
 policy 1
  action permit
  policy service service-set icmp
  policy destination 172.16.1.1 0
 policy 2
  action permit
  policy service service-set telnet
  policy destination 172.16.1.1 0
Check the policy and its hit counts:
[huaweifw]display policy interzone untrust dmz inbound
15:17:51 2015/02/02
policy interzone dmz untrust inbound
firewall default packet-filter is deny
policy 1 (2 times matched)
action permit
policy service service-set icmp (predefined)
policy source any
policy destination 172.16.1.1 0
policy 2 (4 times matched)
action permit
policy service service-set telnet (predefined)
policy source any
policy destination 172.16.1.1 0
[huaweifw]
Users in the dmz zone can access neither the untrust zone nor the trust zone (no configuration is needed, because the default deny all above already drops this traffic).
Within the trust zone, only ICMP traffic from the source address range 192.168.1.0/24 is allowed (policy 2 denies everything else within the zone):
policy zone trust
 policy 1
  action permit
  policy service service-set icmp
  policy source 192.168.1.0 mask 255.255.255.0
 policy 2
  action deny
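Before deploying a policy set like the one above, it is worth checking it against the four requirements as a table of flows rather than by reading the CLI. The Python model below is an added example, not part of the original post or of Huawei's software: it reproduces the policy set in this post (interzone default actions, the dmz/untrust inbound rules, the intrazone trust rules) together with Huawei's zone-priority rule for mapping a flow onto an "inbound" or "outbound" interzone policy, and then evaluates one constructed test flow per requirement. The default "permit" for an intrazone policy that has no explicit rules, and the zone priority values 85/50/5, are assumptions; the post's own rules do not depend on them.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

# Assumed predefined zone priorities: higher number = more trusted.
ZONE_PRIORITY = {"trust": 85, "dmz": 50, "untrust": 5}


@dataclass
class Rule:
    """One 'policy N' entry: None means 'any' for that match field."""
    action: str
    service: Optional[str] = None
    source: Optional[str] = None       # CIDR string
    destination: Optional[str] = None  # CIDR string

    def matches(self, src: str, dst: str, service: str) -> bool:
        if self.service is not None and self.service != service:
            return False
        if self.source and ip_address(src) not in ip_network(self.source):
            return False
        if self.destination and ip_address(dst) not in ip_network(self.destination):
            return False
        return True


@dataclass
class PolicySet:
    """Ordered rules plus the default packet-filter action for this policy."""
    default_action: str
    rules: list = field(default_factory=list)

    def evaluate(self, src: str, dst: str, service: str) -> str:
        for rule in self.rules:          # first match wins, as on the device
            if rule.matches(src, dst, service):
                return rule.action
        return self.default_action


def direction(src_zone: str, dst_zone: str) -> str:
    """Huawei semantics: outbound = from the higher-priority zone to the lower."""
    return "outbound" if ZONE_PRIORITY[src_zone] > ZONE_PRIORITY[dst_zone] else "inbound"


def interzone_key(src_zone: str, dst_zone: str) -> tuple:
    """Interzone policies are named (high_zone, low_zone) plus a direction."""
    high, low = sorted((src_zone, dst_zone), key=ZONE_PRIORITY.get, reverse=True)
    return (high, low, direction(src_zone, dst_zone))


class Firewall:
    def __init__(self):
        self.interzone: dict = {}   # (high, low, direction) -> PolicySet
        self.intrazone: dict = {}   # zone -> PolicySet

    def evaluate(self, src_zone, src, dst_zone, dst, service) -> str:
        if src_zone == dst_zone:
            # Assumption: a zone with no explicit intrazone policy permits traffic.
            policy = self.intrazone.get(src_zone, PolicySet("permit"))
        else:
            # 'firewall packet-filter default deny all' covers every other interzone pair.
            policy = self.interzone.get(interzone_key(src_zone, dst_zone), PolicySet("deny"))
        return policy.evaluate(src, dst, service)


def build_firewall() -> Firewall:
    """The policy set configured in the post, transcribed into the model."""
    fw = Firewall()
    # firewall packet-filter default permit interzone trust untrust/dmz direction outbound
    fw.interzone[("trust", "untrust", "outbound")] = PolicySet("permit")
    fw.interzone[("trust", "dmz", "outbound")] = PolicySet("permit")
    # policy interzone dmz untrust inbound: policy 1 (icmp) and policy 2 (telnet) to 172.16.1.1
    fw.interzone[("dmz", "untrust", "inbound")] = PolicySet("deny", [
        Rule("permit", service="icmp", destination="172.16.1.1/32"),
        Rule("permit", service="telnet", destination="172.16.1.1/32"),
    ])
    # policy zone trust: policy 1 permits icmp from 192.168.1.0/24, policy 2 denies the rest
    fw.intrazone["trust"] = PolicySet("permit", [
        Rule("permit", service="icmp", source="192.168.1.0/24"),
        Rule("deny"),
    ])
    return fw


# Constructed flows: (src_zone, src, dst_zone, dst, service, expected action).
REQUIREMENT_FLOWS = [
    ("trust", "192.168.1.1", "untrust", "202.100.1.1", "telnet", "permit"),   # req 1
    ("trust", "192.168.1.1", "dmz", "172.16.1.1", "http", "permit"),          # req 1
    ("untrust", "202.100.1.1", "dmz", "172.16.1.1", "icmp", "permit"),        # req 2
    ("untrust", "202.100.1.1", "dmz", "172.16.1.1", "telnet", "permit"),      # req 2
    ("untrust", "202.100.1.1", "dmz", "172.16.1.1", "http", "deny"),          # req 2
    ("untrust", "202.100.1.1", "dmz", "172.16.1.2", "icmp", "deny"),          # req 2
    ("untrust", "202.100.1.1", "trust", "192.168.1.1", "icmp", "deny"),       # default deny
    ("dmz", "172.16.1.1", "trust", "192.168.1.1", "icmp", "deny"),            # req 3
    ("dmz", "172.16.1.1", "untrust", "202.100.1.1", "icmp", "deny"),          # req 3
    ("trust", "192.168.1.5", "trust", "192.168.10.5", "icmp", "permit"),      # req 4
    ("trust", "192.168.10.5", "trust", "192.168.1.5", "icmp", "deny"),        # req 4
    ("trust", "192.168.1.5", "trust", "192.168.10.5", "telnet", "deny"),      # req 4
]


def check_requirements(fw: Optional[Firewall] = None) -> list:
    """Return the flows whose evaluated action differs from the requirement (empty = pass)."""
    fw = fw or build_firewall()
    return [(flow, fw.evaluate(*flow[:5])) for flow in REQUIREMENT_FLOWS
            if fw.evaluate(*flow[:5]) != flow[5]]


if __name__ == "__main__":
    mismatches = check_requirements()
    print("all requirements satisfied" if not mismatches else mismatches)
```

The direction mapping is the part most often got wrong by hand: "policy interzone dmz untrust inbound" governs traffic from untrust into dmz because untrust is the lower-priority zone, so the model derives the key from the zone priorities instead of taking it from the flow's order of zones.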