Firewall Lab Guide
Prepared by:                Date: 2004/05/30
Reviewed by:                Date:
Approved by:                Date:
Authorized by:              Date:

Huawei Technologies Co., Ltd.
All rights reserved
(REP01T01V2.31 / IPD-CMM V2.0 / for internal use only)
Contents
1 Initial firewall configuration
1.1 Basic configuration in transparent mode
1.2 Routing-mode networking example
1.3 Hot-standby networking example
1.4 Transparent-mode networking example
1 Initial firewall configuration
On first start-up the device configuration is empty; the basic configuration looks like this:
#
 sysname Eudemon
#
 tcp window 8
#
 firewall statistic system enable
#
 undo multicast igmp-all-enable
#
interface Aux0
 async mode flow
 link-protocol ppp
#
interface Ethernet0/0/0
#
interface Ethernet0/0/1
#
interface Ethernet1/0/0
#
interface Ethernet1/0/1
#
interface NULL0
#
firewall zone local
 set priority 100
#
firewall zone trust
 set priority 85
#
firewall zone untrust
 set priority 5
#
firewall zone DMZ
 set priority 50
#
firewall interzone local trust
#
firewall interzone local untrust
#
firewall interzone local DMZ
#
firewall interzone trust untrust
#
firewall interzone trust DMZ
#
firewall interzone DMZ untrust
#
user-interface con 0
user-interface aux 0
user-interface vty 0 4
#
return
As can be seen, the basic firewall has four predefined zones: local, trust, untrust and DMZ.
The first thing to do is to add the interfaces to their respective zones:
[Eudemon] firewall zone trust
[Eudemon-zone-trust] add interface ethernet 0/0/0
Repeat this for every interface that will be used, placing each in its zone. The rule to follow is: whenever traffic between two interfaces must be inspected by the firewall, those two interfaces must be in different zones.
An interface that has not been added to a zone cannot forward packets on the firewall.
Next, check the interzone packet-filter configuration.
When the network is first brought up, the default packet-filter rule of every interzone can be set to permit so that connectivity can be tested.
Once connectivity has been confirmed, remove these permits and use detailed ACL rules as the basis for packet filtering instead.
A configuration that guarantees connectivity is as follows:
#
 sysname Eudemon
#
 tcp window 8
#
 firewall packet-filter default permit interzone local trust direction inbound
 firewall packet-filter default permit interzone local trust direction outbound
 firewall packet-filter default permit interzone local untrust direction inbound
 firewall packet-filter default permit interzone local untrust direction outbound
 firewall packet-filter default permit interzone local DMZ direction inbound
 firewall packet-filter default permit interzone local DMZ direction outbound
 firewall packet-filter default permit interzone trust untrust direction inbound
 firewall packet-filter default permit interzone trust untrust direction outbound
 firewall packet-filter default permit interzone trust DMZ direction inbound
 firewall packet-filter default permit interzone trust DMZ direction outbound
 firewall packet-filter default permit interzone DMZ untrust direction inbound
 firewall packet-filter default permit interzone DMZ untrust direction outbound
#
 firewall statistic system enable
#
 undo multicast igmp-all-enable
#
interface Aux0
 async mode flow
 link-protocol ppp
#
interface Ethernet0/0/0
 ip address 192.168.10.1 255.255.255.0
#
interface Ethernet0/0/1
 ip address 192.168.20.1 255.255.255.0
#
interface Ethernet1/0/0
 ip address 172.16.10.1 255.255.0.0
#
interface Ethernet1/0/1
 ip address 10.10.10.1 255.0.0.0
#
interface NULL0
#
firewall zone local
 set priority 100
#
firewall zone trust
 add interface Ethernet0/0/0
 add interface Ethernet0/0/1
 set priority 85
#
firewall zone untrust
 add interface Ethernet1/0/0
 set priority 5
#
firewall zone DMZ
 add interface Ethernet1/0/1
 set priority 50
#
firewall interzone local trust
#
firewall interzone local untrust
#
firewall interzone local DMZ
#
firewall interzone trust untrust
#
firewall interzone trust DMZ
#
firewall interzone DMZ untrust
#
user-interface con 0
user-interface aux 0
user-interface vty 0 4
#
return
The configuration above assumes that the interface IP addresses match the actual network and that the firewall is working in routing mode.
If these conditions are met but the firewall still cannot ping other devices, other devices cannot ping the firewall, or packets cannot pass through the firewall, check the configuration of the other devices in the network.
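As an added example that is not part of the original guide, the Python audit below applies the two checks this section describes to a saved configuration: every interface carrying an IP address must belong to a zone, and no interzone may still be on the test-time packet-filter default permit. The configuration it parses is a constructed sample in the style of the listings above, not a real device dump.

```python
import re

# Constructed sample in the style of the lab configuration above (not a real device dump).
SAMPLE_CONFIG = """\
 firewall packet-filter default permit interzone trust untrust direction inbound
 firewall packet-filter default permit interzone trust untrust direction outbound
#
interface Ethernet0/0/0
 ip address 192.168.10.1 255.255.255.0
#
interface Ethernet1/0/1
 ip address 10.10.10.1 255.0.0.0
#
firewall zone trust
 add interface Ethernet0/0/0
 set priority 85
#
return
"""
PERMIT_RE = re.compile(r"firewall packet-filter default permit interzone (\S+) (\S+) direction (\S+)")


def parse_config(text):
    """One pass over the config, tracking the current view ('interface X' or 'firewall zone Y')."""
    ip_ifaces, zoned, permits = set(), {}, []
    view = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "#":                       # section separator ends the current view
            view = None
        elif line.startswith("interface "):
            view = ("if", line.split(None, 1)[1])
        elif line.startswith("firewall zone "):
            view = ("zone", line.split()[2])
        elif view and view[0] == "if" and line.startswith("ip address "):
            ip_ifaces.add(view[1])            # interface expected to carry traffic
        elif view and view[0] == "zone" and line.startswith("add interface "):
            zoned[line.split()[2]] = view[1]  # interface -> zone
        elif (m := PERMIT_RE.match(line)):
            permits.append(m.groups())        # (zone, zone, direction) left on default permit
    return ip_ifaces, zoned, permits


def audit(text):
    """Findings to clear before the firewall leaves the test phase."""
    ip_ifaces, zoned, permits = parse_config(text)
    findings = [f"{i}: has an IP address but is in no zone, so it cannot forward traffic"
                for i in sorted(ip_ifaces - set(zoned))]
    findings += [f"interzone {a}-{b} {d}: default permit still enabled, replace it with an ACL"
                 for a, b, d in permits]
    return findings
```

Running audit(SAMPLE_CONFIG) reports the unzoned Ethernet1/0/1 and both trust-untrust default permits; a clean production config returns an empty list.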
1.1 Basic configuration in transparent mode
#
 sysname Eudemon
#
 tcp window 8
#
 firewall mode transparent
#
 firewall statistic system enable
#
interface Aux0
 async mode flow
 link-protocol ppp
#
interface Ethernet0/0/0
#
interface Ethernet0/0/1
#
interface Ethernet1/0/0
#
interface Ethernet1/0/1
#
interface NULL0
#
interface LoopBack0
#
firewall zone local
 set priority 100
#
firewall zone trust
 set priority 85
#
firewall zone untrust
 set priority 5
#
firewall zone DMZ
 set priority 50
#
firewall interzone local trust
#
firewall interzone local untrust
#
firewall interzone local DMZ
#
firewall interzone trust untrust
#
firewall interzone trust DMZ
#
firewall interzone DMZ untrust
#
user-interface con 0
user-interface aux 0
user-interface vty 0 4
#
return
The above is the most basic configuration of a firewall in transparent mode; apart from the firewall mode transparent command it is essentially the same as the basic configuration in routing mode.
To test the firewall's connectivity in transparent mode, the most common configuration is as follows:
#
 sysname Eudemon
#
 tcp window 8
#
 firewall packet-filter default permit interzone local trust direction inbound
 firewall packet-filter default permit interzone local trust direction outbound
 firewall packet-filter default permit interzone local untrust direction inbound
 firewall packet-filter default permit interzone local untrust direction outbound
 firewall packet-filter default permit interzone local DMZ direction inbound
 firewall packet-filter default permit interzone local DMZ direction outbound
 firewall packet-filter default permit interzone trust untrust direction inbound
 firewall packet-filter default permit interzone trust untrust direction outbound
 firewall packet-filter default permit interzone trust DMZ direction inbound
 firewall packet-filter default permit interzone trust DMZ direction outbound
 firewall packet-filter default permit interzone DMZ untrust direction inbound
 firewall packet-filter default permit interzone DMZ untrust direction outbound
#
 firewall mode transparent
 firewall system-ip 192.168.10.1 255.255.255.0
#
 firewall statistic system enable
#
interface Aux0
 async mode flow
 link-protocol ppp
#
interface Ethernet0/0/0
#
interface Ethernet0/0/1
#
interface Ethernet1/0/0
#
interface Ethernet1/0/1
#
interface NULL0
#
interface LoopBack0
#
firewall zone local
 set priority 100
#
firewall zone trust
 add interface Ethernet0/0/0
 add interface Ethernet0/0/1
 set priority 85
#
firewall zone untrust
 add interface Ethernet1/0/0
 set priority 5
#
firewall zone DMZ
 add interface Ethernet1/0/1
 set priority 50
#
firewall interzone local trust
#
firewall interzone local untrust
#
firewall interzone local DMZ
#
firewall interzone trust untrust
#
firewall interzone trust DMZ
#
firewall interzone DMZ untrust
#
user-interface con 0
user-interface aux 0
user-interface vty 0 4
#
return
The configuration above assumes that the firewall sits in the 192.168.10.0 subnet with mask 255.255.255.0 and that its system IP is set to 192.168.10.1.
If, with this configuration, other devices still cannot ping the system IP, or devices in different zones on either side of the firewall cannot ping each other, check the network connections.
1.2 Routing-mode networking example
Figure 1 Routing-mode application network diagram
The networking requirements are as follows:
1. The firewall has three interfaces: eth0/0/0 belongs to the trust zone, eth0/0/1 to the DMZ zone and eth1/0/0 to the untrust zone
2. Allow hosts in the trust zone to reach the FTP server through interface eth1/0/0 using Easy-IP NAT
3. Allow the trust-zone host 192.168.10.20 to manage the firewall remotely
4. Allow external hosts to access the WWW server located in the DMZ zone
5. Protect the WWW server against SYN-flood attacks
6. Protect against port scans launched from the untrust zone
7. Protect against IP address spoofing
8. Enable accelerated ACL lookup
Starting from the bare routing-mode configuration described in Section 4.1, the following configuration is needed to meet these requirements:
system
// Requirement 1
[Eudemon] firewall zone trust
[Eudemon-zone-trust] add interface ethernet 0/0/0
[Eudemon] firewall zone dmz
[Eudemon-zone-dmz] add interface ethernet 0/0/1
[Eudemon] firewall zone untrust
[Eudemon-zone-untrust] add interface ethernet 1/0/0
// Requirement 2
[Eudemon] acl number 1 // NAT address pool match
[Eudemon-acl-basic-1] rule permit source 192.168.10.0 0.0.0.255 // wildcard covers only the trust subnet 192.168.10.0/24
[Eudemon] acl name out advanced
[Eudemon-acl-adv-out] rule permit tcp destination 202.169.10.15 0 destination-port eq 21 // allow access to the FTP server in the untrust zone
[Eudemon] firewall interzone trust untrust
[Eudemon-interzone-trust-untrust] packet-filter out outbound
[Eudemon-interzone-trust-untrust] nat outbound 1 interface ethernet 1/0/0
[Eudemon-interzone-trust-untrust] detect ftp
// Requirement 3
[Eudemon] acl name manage advanced
[Eudemon-acl-adv-manage] rule permit ip source 192.168.10.20 0 // allow management from this host only
[Eudemon] firewall interzone trust local
[Eudemon-interzone-local-trust] packet-filter manage inbound
// Requirement 4
[Eudemon] acl name tod advanced
[Eudemon-acl-adv-tod] rule permit tcp destination 192.168.20.10 0 // the ACL uses the internal (pre-NAT) address
[Eudemon] nat server protocol tcp global 202.169.10.10 www inside 192.168.20.10 www
[Eudemon] firewall interzone dmz untrust
[Eudemon-interzone-dmz-untrust] packet-filter tod inbound
// Requirement 5
[Eudemon] firewall defend syn-flood zone dmz max-rate 100
[Eudemon] firewall zone dmz
[Eudemon-zone-dmz] statistic enable ip inzone
// Requirement 6
[Eudemon] firewall defend port-scan max-rate 10 blacklist-timeout 100 // a detected scanner is blacklisted for 100 minutes
[Eudemon] firewall zone untrust
[Eudemon-zone-untrust] statistic enable ip outzone
// Requirement 7
[Eudemon] firewall defend ip-spoofing
// Requirement 8
[Eudemon] acl accelerate enable
With this, the firewall works as the user requires.
1.3 Hot-standby networking example
Figure 2 Hot-standby application network diagram
The networking requirements are as follows:
1. Two firewalls form a hot-standby pair
2. All interfaces are connected to switches
3. HRP is used for dual-device backup
The two firewalls are configured as follows:
Firewall 1 (Master)
return
sys
sysname firewall1
firewall packet-filter default permit all
interface Ethernet0/0
 ip address 192.168.10.1 255.255.255.0
 vrrp vrid 1 virtual-ip 192.168.10.10
 vrrp vrid 1 preempt-mode timer delay 3
interface Ethernet0/1
 ip address 202.169.10.1 255.255.255.0
 vrrp vrid 2 virtual-ip 202.169.10.10
 vrrp vrid 2 preempt-mode timer delay 3
interface Ethernet1/0
 ip address 192.168.1.1 255.255.255.0
 vrrp vrid 3 virtual-ip 192.168.1.10
 vrrp vrid 3 preempt-mode timer delay 3
interface Ethernet1/1
 ip address 202.169.20.1 255.255.255.0
 vrrp vrid 4 virtual-ip 202.169.20.10
 vrrp vrid 4 preempt-mode timer delay 3
quit
firewall zone local
 set priority 100
firewall zone trust
 add interface Ethernet0/0
 add interface Ethernet1/0
 set priority 85
firewall zone untrust
 add interface Ethernet0/1
 set priority 5
firewall zone DMZ
 add interface Ethernet1/1
 set priority 50
quit
vrrp group 1
 add interface Ethernet0/1 vrrp vrid 2
 add interface Ethernet1/0 vrrp vrid 3 data
 add interface Ethernet1/1 vrrp vrid 4
 add interface Ethernet0/0 vrrp vrid 1 data transfer-only
 vrrp-group priority 110
 vrrp-group enable
quit
hrp en