Firewall Hands-on Lab Guide

Prepared by:            Date: 2004/05/30
Reviewed by:            Date:
Approved by:            Date:
Authorized by:          Date:

Huawei Technologies Co., Ltd.
All rights reserved
(REP01T01 V2.31 / IPD-CMM V2.0 / for internal use only)

Contents

1 Initial configuration of the firewall
1.1 Basic configuration in transparent mode
1.2 Routing-mode network example
1.3 Hot-standby network example
1.4 Transparent-mode network example

1 Initial configuration of the firewall

On first boot the device has an empty configuration; the basic configuration looks like this:

#
 sysname Eudemon
#
 tcp window 8
#
 firewall statistic system enable
#
 undo multicast igmp-all-enable
#
interface Aux0
 async mode flow
 link-protocol ppp
#
interface Ethernet0/0/0
#
interface Ethernet0/0/1
#
interface Ethernet1/0/0
#
interface Ethernet1/0/1
#
interface NULL0
#
firewall zone local
 set priority 100
#
firewall zone trust
 set priority 85
#
firewall zone untrust
 set priority 5
#
firewall zone DMZ
 set priority 50
#
firewall interzone local trust
#
firewall interzone local untrust
#
firewall interzone local DMZ
#
firewall interzone trust untrust
#
firewall interzone trust DMZ
#
firewall interzone DMZ untrust
#
user-interface con 0
user-interface aux 0
user-interface vty 0 4
#
return

As shown, the firewall has four predefined zones: local, trust, untrust and DMZ.

The first thing to do is to add each interface to the appropriate zone:

[Eudemon] firewall zone trust
[Eudemon-zone-trust] add interface ethernet0/0/0

Repeat this for every interface that will be used, assigning each to its zone. The rule to follow is that whenever traffic between two interfaces should be inspected by the firewall, those two interfaces must be placed in different zones.

An interface that has not been added to a zone cannot forward packets on the firewall.

Next, check the inter-zone packet-filter configuration.

When the network is first brought up, connectivity can be tested by setting the firewall's default rule so that the default packet-filter action for every inter-zone pair is permit.

Once the network is confirmed to pass traffic, remove these permits and switch to detailed ACL rules as the basis for packet filtering.

A configuration that guarantees connectivity is as follows:

#
 sysname Eudemon
#
 tcp window 8
#
 firewall packet-filter default permit interzone local trust direction inbound
 firewall packet-filter default permit interzone local trust direction outbound
 firewall packet-filter default permit interzone local untrust direction inbound
 firewall packet-filter default permit interzone local untrust direction outbound
 firewall packet-filter default permit interzone local DMZ direction inbound
 firewall packet-filter default permit interzone local DMZ direction outbound
 firewall packet-filter default permit interzone trust untrust direction inbound
 firewall packet-filter default permit interzone trust untrust direction outbound
 firewall packet-filter default permit interzone trust DMZ direction inbound
 firewall packet-filter default permit interzone trust DMZ direction outbound
 firewall packet-filter default permit interzone DMZ untrust direction inbound
 firewall packet-filter default permit interzone DMZ untrust direction outbound
#
 firewall statistic system enable
#
 undo multicast igmp-all-enable
#
interface Aux0
 async mode flow
 link-protocol ppp
#
interface Ethernet0/0/0
 ip address 192.168.10.1 255.255.255.0
#
interface Ethernet0/0/1
 ip address 192.168.20.1 255.255.255.0
#
interface Ethernet1/0/0
 ip address 172.16.10.1 255.255.0.0
#
interface Ethernet1/0/1
 ip address 10.10.10.1 255.0.0.0
#
interface NULL0
#
firewall zone local
 set priority 100
#
firewall zone trust
 add interface Ethernet0/0/0
 add interface Ethernet0/0/1
 set priority 85
#
firewall zone untrust
 add interface Ethernet1/0/0
 set priority 5
#
firewall zone DMZ
 add interface Ethernet1/0/1
 set priority 50
#
firewall interzone local trust
#
firewall interzone local untrust
#
firewall interzone local DMZ
#
firewall interzone trust untrust
#
firewall interzone trust DMZ
#
firewall interzone DMZ untrust
#
user-interface con 0
user-interface aux 0
user-interface vty 0 4
#
return

The configuration above assumes that the interface IP addresses match the actual network and that the firewall is working in routing mode.

If these conditions are met but the firewall cannot ping other devices, other devices cannot ping the firewall, or packets cannot pass through the firewall, check the configuration of the other devices on the network.
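Before a test configuration like the one above goes into production, a practitioner wants a mechanical check of the two rules this section states: every Ethernet interface must belong to a zone, and the "default permit" inter-zone rules must be gone. The following Python audit is an added example (not part of this guide or of Huawei's tooling); it parses the guide's configuration format, and its sample input is a constructed, shortened copy of the connectivity-test configuration above.

```python
"""Audit an Eudemon-style config before it leaves the connectivity-test phase
(added example, not Huawei code): flags Ethernet interfaces that are in no zone
and any 'firewall packet-filter default permit' inter-zone rule still present."""
import re

# Constructed sample modelled on the guide's connectivity-test configuration.
SAMPLE_CONFIG = """\
 firewall packet-filter default permit interzone trust untrust direction inbound
 firewall packet-filter default permit interzone trust untrust direction outbound
#
interface Ethernet0/0/0
#
interface Ethernet0/0/1
#
interface Ethernet1/0/0
#
firewall zone trust
 add interface Ethernet0/0/0
 set priority 85
#
return
"""
PERMIT = re.compile(r"^\s*firewall packet-filter default permit interzone (\S+) (\S+) direction (\S+)")
IFACE = re.compile(r"^interface (Ethernet\S+)")   # only forwarding ports need a zone
ZONE = re.compile(r"^firewall zone (\S+)")
ADD_IF = re.compile(r"^\s*add interface (\S+)")

def parse_config(text):
    """Return (ethernet interfaces, zone -> member interfaces, default-permit triples)."""
    ifaces, zones, permits, zone = [], {}, [], None
    for line in text.splitlines():
        if line.strip() == "#":            # '#' ends the current section
            zone = None
        elif m := IFACE.match(line):
            ifaces.append(m.group(1))
        elif m := ZONE.match(line):
            zone = m.group(1)
            zones.setdefault(zone, [])
        elif zone and (m := ADD_IF.match(line)):
            zones[zone].append(m.group(1))
        elif m := PERMIT.match(line):
            permits.append(m.groups())
    return ifaces, zones, permits

def audit(text):
    """Findings a reviewer would raise; an empty list means the config is clean."""
    ifaces, zones, permits = parse_config(text)
    assigned = {i for members in zones.values() for i in members}
    findings = [f"{i} is in no zone and cannot forward traffic" for i in ifaces if i not in assigned]
    findings += [f"interzone {a}/{b} {d} still relies on 'default permit'" for a, b, d in permits]
    return findings
```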

1.1 Basic configuration in transparent mode

#
 sysname Eudemon
#
 tcp window 8
#
 firewall mode transparent
#
 firewall statistic system enable
#
interface Aux0
 async mode flow
 link-protocol ppp
#
interface Ethernet0/0/0
#
interface Ethernet0/0/1
#
interface Ethernet1/0/0
#
interface Ethernet1/0/1
#
interface NULL0
#
interface LoopBack0
#
firewall zone local
 set priority 100
#
firewall zone trust
 set priority 85
#
firewall zone untrust
 set priority 5
#
firewall zone DMZ
 set priority 50
#
firewall interzone local trust
#
firewall interzone local untrust
#
firewall interzone local DMZ
#
firewall interzone trust untrust
#
firewall interzone trust DMZ
#
firewall interzone DMZ untrust
#
user-interface con 0
user-interface aux 0
user-interface vty 0 4
#
return

The above is the most basic configuration of a firewall in transparent mode; apart from the firewall mode transparent command it is essentially the same as the basic configuration in routing mode.

To test the firewall's connectivity in transparent mode, the most common configuration is as follows:

#
 sysname Eudemon
#
 tcp window 8
#
 firewall packet-filter default permit interzone local trust direction inbound
 firewall packet-filter default permit interzone local trust direction outbound
 firewall packet-filter default permit interzone local untrust direction inbound
 firewall packet-filter default permit interzone local untrust direction outbound
 firewall packet-filter default permit interzone local DMZ direction inbound
 firewall packet-filter default permit interzone local DMZ direction outbound
 firewall packet-filter default permit interzone trust untrust direction inbound
 firewall packet-filter default permit interzone trust untrust direction outbound
 firewall packet-filter default permit interzone trust DMZ direction inbound
 firewall packet-filter default permit interzone trust DMZ direction outbound
 firewall packet-filter default permit interzone DMZ untrust direction inbound
 firewall packet-filter default permit interzone DMZ untrust direction outbound
#
 firewall mode transparent
 firewall system-ip 192.168.10.1 255.255.255.0
#
 firewall statistic system enable
#
interface Aux0
 async mode flow
 link-protocol ppp
#
interface Ethernet0/0/0
#
interface Ethernet0/0/1
#
interface Ethernet1/0/0
#
interface Ethernet1/0/1
#
interface NULL0
#
interface LoopBack0
#
firewall zone local
 set priority 100
#
firewall zone trust
 add interface Ethernet0/0/0
 add interface Ethernet0/0/1
 set priority 85
#
firewall zone untrust
 add interface Ethernet1/0/0
 set priority 5
#
firewall zone DMZ
 add interface Ethernet1/0/1
 set priority 50
#
firewall interzone local trust
#
firewall interzone local untrust
#
firewall interzone local DMZ
#
firewall interzone trust untrust
#
firewall interzone trust DMZ
#
firewall interzone DMZ untrust
#
user-interface con 0
user-interface aux 0
user-interface vty 0 4
#
return

The configuration above assumes the firewall sits in the 192.168.10.0 subnet with mask 255.255.255.0, and that the firewall's system IP is set to 192.168.10.1.

If with this configuration other devices still cannot ping the system IP, or devices in different zones on either side of the firewall cannot ping each other, check the network connections.

1.2 Routing-mode network example

Figure 1: Routing-mode application network diagram

Network requirements:

1. The firewall has three interfaces: eth0/0/0 belongs to the trust zone, eth0/0/1 to the DMZ zone and eth1/0/0 to the untrust zone.

2. Hosts in the trust zone may reach the FTP server through interface eth1/0/0, with NAT in easy-ip mode.

3. The trust-zone host 192.168.10.20 may manage the firewall remotely.

4. External hosts may access the WWW server located in the DMZ zone.

5. Protect the WWW server against SYN-flood attacks.

6. Protect against port scans launched from the untrust zone.

7. Protect against address spoofing.

8. Enable accelerated ACL lookup.

Starting from the bare routing-mode configuration described in Section 4.1, the following configuration achieves these goals:

system

// Requirement 1
[Eudemon] firewall zone trust
[Eudemon-zone-trust] add interface ethernet0/0/0
[Eudemon] firewall zone dmz
[Eudemon-zone-dmz] add interface ethernet0/0/1
[Eudemon] firewall zone untrust
[Eudemon-zone-untrust] add interface ethernet1/0/0

// Requirement 2
[Eudemon] acl number 1 // NAT pool
[Eudemon-acl-basic-1] rule permit source 192.168.10.0 0.255.255.255
[Eudemon] acl name out advanced
[Eudemon-acl-adv-out] rule permit tcp destination 202.169.10.150 0 destination-port eq 21 // permit access to the FTP server in the untrust zone
[Eudemon] firewall interzone trust untrust
[Eudemon-interzone-trust-untrust] packet-filter out outbound
[Eudemon-interzone-trust-untrust] nat outbound 1 interface ethernet1/0/0
[Eudemon-interzone-trust-untrust] detect ftp

// Requirement 3
[Eudemon] acl name manage advanced
[Eudemon-acl-adv-manage] rule permit ip source 192.168.10.20 0 // permit management
[Eudemon] firewall interzone trust local
[Eudemon-interzone-local-trust] packet-filter manage inbound

// Requirement 4
[Eudemon] acl name tod advanced
[Eudemon-acl-adv-tod] rule permit tcp destination 192.168.20.10 0 // the ACL uses the internal address
[Eudemon] nat server protocol tcp global 202.169.10.10 www inside 192.168.20.10 www
[Eudemon] firewall interzone dmz untrust
[Eudemon-interzone-dmz-untrust] packet-filter tod inbound

// Requirement 5
[Eudemon] firewall defend syn-flood zone dmz max-rate 100
[Eudemon] firewall zone dmz
[Eudemon-zone-dmz] statistic enable ip inzone

// Requirement 6
[Eudemon] firewall defend port-scan max-rate 10 blacklist-timeout 100 // a detected scanner is blacklisted for 100 minutes
[Eudemon] firewall zone untrust
[Eudemon-zone-untrust] statistic enable ip outzone

// Requirement 7
[Eudemon] firewall defend ip-spoofing

// Requirement 8
[Eudemon] acl accelerate enable

With this, the firewall operates as the user requires.
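The ACL rules in this example use VRP wildcard masks, where a 0 bit must match and a 1 bit is ignored, so "source 192.168.10.20 0" denotes a single host. The following Python helper is an added example (not part of this guide) that expands an address/wildcard pair into the range it matches; it shows that 0.255.255.255, as written in the NAT-pool ACL above, matches all of 192.0.0.0/8, while 0.0.0.255 would confine the pool to the 192.168.10.0/24 trust subnet.

```python
"""Wildcard-mask arithmetic for VRP ACL rules (added example, not Huawei code).
A wildcard is the bitwise inverse of a netmask: 0 bits must match, 1 bits are
'don't care'. The bare '0' shorthand used in the guide means a single host."""
from ipaddress import IPv4Address
import re

# Matches "source A W" / "destination A W" with W either dotted or the bare "0".
RULE = re.compile(r"(?:source|destination) (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+|\d+)")

def _wild(wildcard):
    """Wildcard as an integer; the bare '0' shorthand is the host wildcard 0.0.0.0."""
    return 0 if wildcard == "0" else int(IPv4Address(wildcard))

def wildcard_range(addr, wildcard):
    """(first address, last address, number of addresses) the pair matches."""
    a, w = int(IPv4Address(addr)), _wild(wildcard)
    first = a & ~w                      # fixed bits kept, don't-care bits cleared
    count = 1 << bin(w).count("1")      # one address per don't-care bit combination
    return str(IPv4Address(first)), str(IPv4Address(first | w)), count

def matches(candidate, addr, wildcard):
    """True if candidate falls inside the rule's address/wildcard pattern."""
    w = _wild(wildcard)
    return (int(IPv4Address(candidate)) & ~w) == (int(IPv4Address(addr)) & ~w)

def rule_ranges(rule_line):
    """Expand every address/wildcard pair in one 'rule permit ...' line."""
    return [wildcard_range(a, w) for a, w in RULE.findall(rule_line)]

if __name__ == "__main__":
    for rule in ("rule permit source 192.168.10.0 0.255.255.255",     # as in the guide
                 "rule permit source 192.168.10.0 0.0.0.255",         # narrowed to the /24
                 "rule permit ip source 192.168.10.20 0"):
        print(rule, "->", rule_ranges(rule))
```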

1.3 Hot-standby network example

Figure 2: Hot-standby application network diagram

Network requirements:

1. Two firewalls form a hot-standby (dual-device) network.

2. All interfaces connect to switches.

3. HRP is used for dual-device backup.

The configurations of the two firewalls are as follows:

Firewall 1 (Master)

return
sys
sysname firewall1
firewall packet-filter default permit all
interface Ethernet0/0
 ip address 192.168.10.1 255.255.255.0
 vrrp vrid 1 virtual-ip 192.168.10.10
 vrrp vrid 1 preempt-mode timer delay 3
interface Ethernet0/1
 ip address 202.169.10.1 255.255.255.0
 vrrp vrid 2 virtual-ip 202.169.10.10
 vrrp vrid 2 preempt-mode timer delay 3
interface Ethernet1/0
 ip address 192.168.1.1 255.255.255.0
 vrrp vrid 3 virtual-ip 192.168.1.10
 vrrp vrid 3 preempt-mode timer delay 3
interface Ethernet1/1
 ip address 202.169.20.1 255.255.255.0
 vrrp vrid 4 virtual-ip 202.169.20.10
 vrrp vrid 4 preempt-mode timer delay 3
quit
firewall zone local
 set priority 100
firewall zone trust
 add interface Ethernet0/0
 add interface Ethernet1/0
 set priority 85
firewall zone untrust
 add interface Ethernet0/1
 set priority 5
firewall zone DMZ
 add interface Ethernet1/1
 set priority 50
quit
vrrp group 1
 add interface Ethernet0/1 vrrp vrid 2
 add interface Ethernet1/0 vrrp vrid 3 data
 add interface Ethernet1/1 vrrp vrid 4
 add interface Ethernet0/0 vrrp vrid 1 data transfer-only
 vrrp-group priority 110
 vrrp-group enable
quit
hrp en
