天融信 (Topsec) Firewall Configuration Manual: Brief Firewall Configuration Guide
I. PC-side configuration (TFTP server)
II. Firewall-side configuration:
1. View the firewall's configuration files
dir
Directory of flash:/
1 -rw- 5527015 Mar 15 2011 11:33:46 system
2 -rw- 3819797 Mar 15 2011 11:34:25 http.zip
3 -rw- 3586 Jul 01 2011 11:27:43 config.cfg
15621 KB total (6484 KB free)
2. Upload the configuration to the firewall
tftp 192.168.0.15 get newconfig.cfg config.cfg # 192.168.0.15 is the address of the PC doing the upload
The file flash:/config.cfg exists. Overwrite it?[Y/N]:y
# newconfig.cfg is the file saved on the TFTP server side
Verifying server file...
Server file verify ok.
Deleting the old file, please wait................
File will be transferred in binary mode.
Downloading file from remote tftp server, please wait........
TFTP: 3586 bytes received in 0 second(s).
File downloaded successfully.
3. Reboot the firewall; after startup the firewall's configuration is automatically replaced by the configuration in the script.
III. Configuration:
[H3C]dis cur
#
sysname H3C
#
firewall packet-filter enable
firewall packet-filter default permit # set the firewall's default packet-filter action to permit
#
insulate
#
firewall statistic system enable
#
radius scheme system
server-type extended
#
domain system
#
local-user admin # define the login username and password for telnet and web
password simple gdnr
# username is admin, password is gdnr
service-type telnet terminal
level 3
#
acl number 2000
rule 0 permit source 192.168.0.0 0.0.0.255 # define the rule referenced by NAT
#
acl number 3000 # define the firewall packet-filter rules
rule 0 permit tcp destination-port eq 3389
rule 1 permit tcp destination-port eq 9800
rule 2 permit tcp destination-port eq 9595
rule 3 permit tcp destination-port eq 1433
rule 4 permit tcp destination-port eq 10001
rule 5 permit tcp destination-port eq 5631
rule 6 permit tcp destination-port eq 5632
rule 7 permit tcp destination-port eq 19000
rule 8 permit tcp destination-port eq 3390
rule 9 permit tcp destination-port eq 9801
rule 10 permit tcp destination-port eq 9596
rule 11 permit tcp destination-port eq 1434
rule 12 permit tcp destination-port eq 10002
rule 13 permit tcp destination-port eq 5635
rule 14 permit tcp destination-port eq 5636
rule 15 permit tcp destination-port eq 19001
rule 16 permit tcp destination-port eq 2403
rule 17 permit tcp destination-port eq 2404
rule 18 permit tcp destination-port eq 2405
rule 19 permit tcp destination-port eq 5633
rule 20 permit tcp destination-port eq 5634
rule 21 permit tcp destination-port eq 3391
rule 22 permit icmp
rule 100 deny ip
#
interface Aux0
async mode flow
#
interface Ethernet0/0 # define the internal interface parameters
description To-inside
ip address 192.168.0.254 255.255.255.0
#
interface Ethernet0/1
#
interface Ethernet0/2
#
interface Ethernet0/3
#
interface Ethernet1/0 # define the external interface parameters
description To_shuju
ip address 10.35.21.42 255.255.255.0
firewall packet-filter 3000 inbound
nat outbound 2000 # define NAT
nat server protocol tcp global 10.35.21.42 3389 inside 192.168.0.10 3389 # define NAT server mappings
nat server protocol tcp global 10.35.21.42 9800 inside 192.168.0.10 9800
nat server protocol tcp global 10.35.21.42 9595 inside 192.168.0.10 9595
nat server protocol tcp global 10.35.21.42 1433 inside 192.168.0.10 1433
nat server protocol tcp global 10.35.21.42 10001 inside 192.168.0.10 10001
nat server protocol tcp global 10.35.21.42 5631 inside 192.168.0.10 5631
nat server protocol tcp global 10.35.21.42 5632 inside 192.168.0.10 5632
nat server protocol tcp global 10.35.21.42 19000 inside 192.168.0.10 19000
nat server protocol tcp global 10.35.21.42 3390 inside 192.168.0.11 3390
nat server protocol tcp global 10.35.21.42 9801 inside 192.168.0.11 9801
nat server protocol tcp global 10.35.21.42 9596 inside 192.168.0.11 9596
nat server protocol tcp global 10.35.21.42 1434 inside 192.168.0.11 1434
nat server protocol tcp global 10.35.21.42 10002 inside 192.168.0.11 10002
nat server protocol tcp global 10.35.21.42 5635 inside 192.168.0.11 5635
nat server protocol tcp global 10.35.21.42 5636 inside 192.168.0.11 5636
nat server protocol tcp global 10.35.21.42 19001 inside 192.168.0.11 19001
nat server protocol tcp global 10.35.21.42 2403 inside 192.168.0.12 2403
nat server protocol tcp global 10.35.21.42 2404 inside 192.168.0.12 2404
nat server protocol tcp global 10.35.21.42 2405 inside 192.168.0.12 2405
nat server protocol tcp global 10.35.21.42 5633 inside 192.168.0.12 5633
nat server protocol tcp global 10.35.21.42 5634 inside 192.168.0.12 5634
nat server protocol tcp global 10.35.21.42 3391 inside 192.168.0.12 3391
#
interface Ethernet1/1
#
interface Ethernet1/2
#
interface NULL0
#
firewall zone local
set priority 100
#
firewall zone trust # add the internal interface to the trust zone
add interface Ethernet0/0
set priority 85
#
firewall zone untrust # add the external interface to the untrust zone
add interface Ethernet1/0
set priority 5
firewall zone DMZ
set priority 50
#
firewall interzone local trust
#
firewall interzone local untrust
#
firewall interzone local DMZ
#
firewall interzone trust untrust
#
firewall interzone trust DMZ
#
firewall interzone DMZ untrust
#
undo info-center enable
#
ip route-static 0.0.0.0 0.0.0.0 10.35.21.254 preference 60 # set the external gateway
#
firewall defend ip-spoofing # enable the attack-defence types
firewall defend land
firewall defend smurf
firewall defend fraggle
firewall defend winnuke
firewall defend icmp-redirect
firewall defend icmp-unreachable
firewall defend source-route
firewall defend route-record
firewall defend tracert
firewall defend ping-of-death
firewall defend tcp-flag
firewall defend ip-fragment
firewall defend large-icmp
firewall defend teardrop
firewall defend ip-sweep
firewall defend port-scan
firewall defend arp-spoofing
firewall defend arp-flood
firewall defend frag-flood
firewall defend syn-flood enable
firewall defend udp-flood enable
firewall defend icmp-flood enable
user-interface con 0
user-interface aux 0
user-interface vty 0 4 # define the telnet authentication mode
authentication-mode scheme
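As an added audit example (not part of the original manual), the script below cross-checks the "acl number 3000" permits against the "nat server" mappings in a configuration of the kind shown above, and flags the two weak settings the manual's config contains: the packet-filter default of permit and the cleartext "password simple" credential. The embedded config text is a constructed, trimmed excerpt; feed it the full "display current-configuration" output for real use.

```python
import re

# Constructed excerpt modelled on this manual's H3C-style config (trimmed so the
# script runs offline); one mapped port (1433) is deliberately left out of the ACL.
SAMPLE_CONFIG = """\
firewall packet-filter default permit
local-user admin
 password simple gdnr
acl number 3000
 rule 0 permit tcp destination-port eq 3389
 rule 1 permit tcp destination-port eq 9800
 rule 22 permit icmp
 rule 100 deny ip
interface Ethernet1/0
 firewall packet-filter 3000 inbound
 nat server protocol tcp global 10.35.21.42 3389 inside 192.168.0.10 3389
 nat server protocol tcp global 10.35.21.42 9800 inside 192.168.0.10 9800
 nat server protocol tcp global 10.35.21.42 1433 inside 192.168.0.10 1433
"""

PERMIT_RE = re.compile(r"rule \d+ permit tcp destination-port eq (\d+)")
NAT_RE = re.compile(r"nat server protocol tcp global \S+ (\d+) inside (\S+) (\d+)")


def audit_config(text):
    """Cross-check the inbound ACL against the nat server mappings and flag
    the weak settings; returns a dict of findings."""
    permitted = {int(p) for p in PERMIT_RE.findall(text)}
    exposed = {int(gp): (host, int(ip)) for gp, host, ip in NAT_RE.findall(text)}
    return {
        # mapped inbound but blocked by the ACL: a dead mapping, or a port that
        # becomes reachable the moment the ACL is loosened; review it
        "nat_without_permit": sorted(p for p in exposed if p not in permitted),
        # permitted inbound but mapped to nothing: an ACL hole that serves no
        # service, so it should be tightened
        "permit_without_nat": sorted(p for p in permitted if p not in exposed),
        "default_permit": "firewall packet-filter default permit" in text,
        "cleartext_password": bool(re.search(r"^\s*password simple ", text, re.M)),
    }


if __name__ == "__main__":
    for key, value in audit_config(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```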