Firewall Hands-on Lab Guide

Prepared by: Date: 2004/05/30
Reviewed by: Date:
Approved by: Date:
Authorized by: Date:
Huawei Technologies Co., Ltd. All rights reserved
(REP01T01 V2.31 / IPD-CMM V2.0 / for internal use only)

Contents
1 Initial firewall configuration
1.1 Basic configuration in transparent mode
1.2 Route-mode networking example
1.3 Hot-standby networking example
1.4 Transparent-mode networking example

1 Initial firewall configuration

On first start-up the device configuration is empty. The basic configuration looks like this:

    #
     sysname Eudemon
    #
     tcp window 8
    #
     firewall statistic system enable
    #
     undo multicast igmp-all-enable
    #
    interface Aux0
     async mode flow
     link-protocol ppp
    #
    interface Ethernet0/0/0
    #
    interface Ethernet0/0/1
    #
    interface Ethernet1/0/0
    #
    interface Ethernet1/0/1
    #
    interface NULL0
    #
    firewall zone local
     set priority 100
    #
    firewall zone trust
     set priority 85
    #
    firewall zone untrust
     set priority 5
    #
    firewall zone DMZ
     set priority 50
    #
    firewall interzone local trust
    #
    firewall interzone local untrust
    #
    firewall interzone local DMZ
    #
    firewall interzone trust untrust
    #
    firewall interzone trust DMZ
    #
    firewall interzone DMZ untrust
    #
    user-interface con 0
    user-interface aux 0
    user-interface vty 0 4
    #
    return

As this shows, a basic firewall has four predefined zones: local, trust, untrust and DMZ. The first thing to do is to add the interfaces to the corresponding zones:

    [Eudemon] firewall zone trust
    [Eudemon-zone-trust] add interface ethernet 0/0/0

Repeat this until every interface that will be used has been added to a zone. The rule to follow is: whenever traffic between two interfaces should be inspected by the firewall, those two interfaces must be placed in different zones. An interface that has not been added to any zone cannot forward packets on the firewall.

Next, check the interzone packet-filter configuration. When the network is first brought up, connectivity can be tested by setting the firewall's default rules so that the default packet-filter action for every interzone is permit. Once the network has been verified, disable these permits and use detailed ACL rules as the basis for packet filtering. A configuration that guarantees connectivity is:

    #
     sysname Eudemon
    #
     tcp window 8
    #
     firewall packet-filter default permit interzone local trust direction inbound
     firewall packet-filter default permit interzone local trust direction outbound
     firewall packet-filter default permit interzone local untrust direction inbound
     firewall packet-filter default permit interzone local untrust direction outbound
     firewall packet-filter default permit interzone local DMZ direction inbound
     firewall packet-filter default permit interzone local DMZ direction outbound
     firewall packet-filter default permit interzone trust untrust direction inbound
     firewall packet-filter default permit interzone trust untrust direction outbound
     firewall packet-filter default permit interzone trust DMZ direction inbound
     firewall packet-filter default permit interzone trust DMZ direction outbound
     firewall packet-filter default permit interzone DMZ untrust direction inbound
     firewall packet-filter default permit interzone DMZ untrust direction outbound
    #
     firewall statistic system enable
    #
     undo multicast igmp-all-enable
    #
    interface Aux0
     async mode flow
     link-protocol ppp
    #
    interface Ethernet0/0/0
     ip address 192.168.10.1 255.255.255.0
    #
    interface Ethernet0/0/1
     ip address 192.168.20.1 255.255.255.0
    #
    interface Ethernet1/0/0
     ip address 172.16.10.1 255.255.0.0
    #
    interface Ethernet1/0/1
     ip address 10.10.10.1 255.0.0.0
    #
    interface NULL0
    #
    firewall zone local
     set priority 100
    #
    firewall zone trust
     add interface Ethernet 0/0/0
     add interface Ethernet 0/0/1
     set priority 85
    #
    firewall zone untrust
     add interface Ethernet 1/0/0
     set priority 5
    #
    firewall zone DMZ
     add interface Ethernet 1/0/1
     set priority 50
    #
    firewall interzone local trust
    #
    firewall interzone local untrust
    #
    firewall interzone local DMZ
    #
    firewall interzone trust untrust
    #
    firewall interzone trust DMZ
    #
    firewall interzone DMZ untrust
    #
    user-interface con 0
    user-interface aux 0
    user-interface vty 0 4
    #
    return

The configuration above assumes that the interface IP addresses match the actual network and that the firewall is working in route mode. If these conditions hold but the firewall still cannot ping other devices, other devices cannot ping the firewall, or packets cannot pass through the firewall, check the configuration of the other devices on the network.

1.1 Basic configuration in transparent mode

    #
     sysname Eudemon
    #
     tcp window 8
    #
     firewall mode transparent
    #
     firewall statistic system enable
    #
    interface Aux0
     async mode flow
     link-protocol ppp
    #
    interface Ethernet0/0/0
    #
    interface Ethernet0/0/1
    #
    interface Ethernet1/0/0
    #
    interface Ethernet1/0/1
    #
    interface NULL0
    #
    interface LoopBack0
    #
    firewall zone local
     set priority 100
    #
    firewall zone trust
     set priority 85
    #
    firewall zone untrust
     set priority 5
    #
    firewall zone DMZ
     set priority 50
    #
    firewall interzone local trust
    #
    firewall interzone local untrust
    #
    firewall interzone local DMZ
    #
    firewall interzone trust untrust
    #
    firewall interzone trust DMZ
    #
    firewall interzone DMZ untrust
    #
    user-interface con 0
    user-interface aux 0
    user-interface vty 0 4
    #
    return

The above is the most basic configuration of a firewall in transparent mode. Apart from the firewall mode transparent command, it is essentially the same as the basic route-mode configuration. To test the firewall's connectivity in transparent mode, the most common configuration is:

    #
     sysname Eudemon
    #
     tcp window 8
    #
     firewall packet-filter default permit interzone local trust direction inbound
     firewall packet-filter default permit interzone local trust direction outbound
     firewall packet-filter default permit interzone local untrust direction inbound
     firewall packet-filter default permit interzone local untrust direction outbound
     firewall packet-filter default permit interzone local DMZ direction inbound
     firewall packet-filter default permit interzone local DMZ direction outbound
     firewall packet-filter default permit interzone trust untrust direction inbound
     firewall packet-filter default permit interzone trust untrust direction outbound
     firewall packet-filter default permit interzone trust DMZ direction inbound
     firewall packet-filter default permit interzone trust DMZ direction outbound
     firewall packet-filter default permit interzone DMZ untrust direction inbound
     firewall packet-filter default permit interzone DMZ untrust direction outbound
    #
     firewall mode transparent
     firewall system-ip 192.168.10.1 255.255.255.0
    #
     firewall statistic system enable
    #
    interface Aux0
     async mode flow
     link-protocol ppp
    #
    interface Ethernet0/0/0
    #
    interface Ethernet0/0/1
    #
    interface Ethernet1/0/0
    #
    interface Ethernet1/0/1
    #
    interface NULL0
    #
    interface LoopBack0
    #
    firewall zone local
     set priority 100
    #
    firewall zone trust
     add interface Ethernet 0/0/0
     add interface Ethernet 0/0/1
     set priority 85
    #
    firewall zone untrust
     add interface Ethernet 1/0/0
     set priority 5
    #
    firewall zone DMZ
     add interface Ethernet 1/0/1
     set priority 50
    #
    firewall interzone local trust
    #
    firewall interzone local untrust
    #
    firewall interzone local DMZ
    #
    firewall interzone trust untrust
    #
    firewall interzone trust DMZ
    #
    firewall interzone DMZ untrust
    #
    user-interface con 0
    user-interface aux 0
    user-interface vty 0 4
    #
    return

The configuration above assumes that the firewall sits in the subnet 192.168.10.0 with mask 255.255.255.0 and that its system IP is set to 192.168.10.1. If, with this configuration, other devices still cannot ping the system IP, or devices in different zones on either side of the firewall cannot ping each other, check the network connections.

1.2 Route-mode networking example

Figure 1: Route-mode application network diagram

The networking requirements are:
1. The firewall has three interfaces: eth0/0/0 belongs to the trust zone, eth0/0/1 to the DMZ zone and eth1/0/0 to the untrust zone.
2. Hosts in the trust zone may reach the FTP server through interface eth1/0/0 after easy-IP NAT translation.
3. Trust-zone host 192.168.10.20 may manage the firewall remotely.
4. External hosts may access the WWW server located in the DMZ zone.
5. Protect the WWW server against SYN flood attacks.
6. Prevent port scans launched from the untrust zone.
7. Prevent address spoofing.
8. Enable ACL accelerated lookup.

Starting from the bare route-mode configuration described in section 4.1, the following configuration meets these requirements:

    system
    / Requirement 1
    [Eudemon] firewall zone trust
    [Eudemon-zone-trust] add interface ethernet 0/0/0
    [Eudemon] firewall zone dmz
    [Eudemon-zone-dmz] add interface ethernet 0/0/1
    [Eudemon] firewall zone untrust
    [Eudemon-zone-untrust] add interface ethernet 1/0/0
    / Requirement 2
    [Eudemon] acl num 1    / NAT pool
    [Eudemon] rule permit source 192.168.10.0 0.255.255.255
    [Eudemon] acl name out advanced
    [Eudemon-acl-adv-out] rule permit tcp destination 202.169.10.150 0 destination-port eq 21    / allow access to the FTP server in the untrust zone
    [Eudemon] firewall interzone trust untrust
    [Eudemon-interzone-trust-untrust] packet-filter out outbound
    [Eudemon-interzone-trust-untrust] nat outbound 1 interface ethernet 1/0/0
    [Eudemon-interzone-trust-untrust] detect ftp
    / Requirement 3
    [Eudemon] acl name manage advanced
    [Eudemon-acl-adv-manage] rule permit ip source 192.168.10.20 0    / allow management
    [Eudemon] firewall interzone trust local
    [Eudemon-interzone-local-trust] packet-filter manage inbound
    / Requirement 4
    [Eudemon] acl name tod advanced
    [Eudemon-acl-adv-tod] rule permit tcp destination 192.168.20.10 0    / the ACL uses the internal address
    [Eudemon] nat server protocol tcp global 202.169.10.10 www inside 192.168.20.10 www
    [Eudemon] firewall interzone dmz untrust
    [Eudemon-interzone-dmz-untrust] packet-filter tod inbound
    / Requirement 5
    [Eudemon] firewall defend syn-flood zone dmz max-rate 100
    [Eudemon] firewall zone dmz
    [Eudemon-zone-dmz] statistic enable ip inzone
    / Requirement 6
    [Eudemon] firewall defend port-scan max-rate 10 blacklist-timeout 100    / a detected scanner is blacklisted for 100 minutes
    [Eudemon] firewall zone untrust
    [Eudemon-zone-untrust] statistic enable ip outzone
    / Requirement 7
    [Eudemon] firewall defend ip-spoofing
    / Requirement 8
    [Eudemon] acl accelerate enable

With this, the firewall works as the user requires.

1.3 Hot-standby networking example

Figure 2: Hot-standby application network diagram

The networking requirements are:
1. Two firewalls form a hot-standby pair.
2. All interfaces connect to switches.
3. HRP is used for backup between the two devices.

The configuration of the two firewalls is as follows.

Firewall 1 (Master):

    return
    sys
    sysname firewall1
    firewall packet-filter default permit all
    interface Ethernet0/0
     ip address 192.168.10.1 255.255.255.0
     vrrp vrid 1 virtual-ip 192.168.10.10
     vrrp vrid 1 preempt-mode timer delay 3
    interface Ethernet0/1
     ip address 202.169.10.1 255.255.255.0
     vrrp vrid 2 virtual-ip 202.169.10.10
     vrrp vrid 2 preempt-mode timer delay 3
    interface Ethernet1/0
     ip address 192.168.1.1 255.255.255.0
     vrrp vrid 3 virtual-ip 192.168.1.10
     vrrp vrid 3 preempt-mode timer delay 3
    interface Ethernet1/1
     ip address 202.169.20.1 255.255.255.0
     vrrp vrid 4 virtual-ip 202.169.20.10
     vrrp vrid 4 preempt-mode timer delay 3
    quit
    firewall zone local
     set priority 100
    firewall zone trust
     add interface Ethernet0/0
     add interface Ethernet1/0
     set priority 85
    firewall zone untrust
     add interface Ethernet0/1
     set priority 5
    firewall zone DMZ
     add interface Ethernet1/1
     set priority 50
    quit
    vrrp group 1
     add interface Ethernet0/1 vrrp vrid 2
     add interface Ethernet1/0 vrrp vrid 3 data
     add interface Ethernet1/1 vrrp vrid 4
     add interface Ethernet0/0 vrrp vrid 1 data transfer-only
     vrrp-group priority 110
    vrrp-group enable
    quit
    hrp en
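As an added example (not part of the Huawei guide), the Python below models the zone, direction and ACL behaviour that sections 1 and 1.2 configure: zone priorities and interface membership come from the route-mode configuration, the interzone direction follows the Eudemon convention (low-to-high priority is inbound, high-to-low is outbound), and the ACL entries mirror the 'out' ACL and the NAT pool ACL 1 of section 1.2. Packet dictionaries fed to it are constructed test input.

```python
import ipaddress

# Zone priorities and interface membership from the guide's route-mode configuration.
ZONES = {"local": 100, "trust": 85, "dmz": 50, "untrust": 5}
ZONE_OF = {"Ethernet0/0/0": "trust", "Ethernet0/0/1": "trust",
           "Ethernet1/0/0": "untrust", "Ethernet1/0/1": "dmz"}

def direction(src_zone, dst_zone):
    """Eudemon convention: low-to-high priority is inbound, high-to-low is outbound."""
    return "inbound" if ZONES[src_zone] < ZONES[dst_zone] else "outbound"

def wildcard_match(addr, base, wildcard):
    """Huawei ACL wildcard mask: 0 bits must equal the base, 1 bits are don't-care."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

def acl_action(rules, pkt):
    """First matching rule wins; a packet that matches no rule is denied."""
    for r in rules:
        if r.get("proto", pkt["proto"]) != pkt["proto"]:
            continue
        if "src" in r and not wildcard_match(pkt["src"], *r["src"]):
            continue
        if "dst" in r and not wildcard_match(pkt["dst"], *r["dst"]):
            continue
        if r.get("dport", pkt.get("dport")) != pkt.get("dport"):
            continue
        return r["action"]
    return "deny"

def forward(in_if, out_if, pkt, acls, default_permit=frozenset()):
    """acls maps (zone pair, direction) to a bound ACL; default_permit lists the
    (zone pair, direction) combinations configured 'packet-filter default permit'."""
    src_zone, dst_zone = ZONE_OF.get(in_if), ZONE_OF.get(out_if)
    if src_zone is None or dst_zone is None:
        return "deny"    # an interface outside every zone cannot forward packets
    if src_zone == dst_zone:
        return "permit"  # same zone: no interzone policy is consulted
    key = (frozenset((src_zone, dst_zone)), direction(src_zone, dst_zone))
    if key in acls:
        return acl_action(acls[key], pkt)
    return "permit" if key in default_permit else "deny"

# Section 1.2, requirement 2: ACL 'out' bound trust->untrust outbound (wildcard 0 = exact host),
# and the NAT pool ACL 1 'rule permit source 192.168.10.0 0.255.255.255' as written in the guide.
ACLS = {(frozenset(("trust", "untrust")), "outbound"): [
    {"action": "permit", "proto": "tcp", "dst": ("202.169.10.150", "0.0.0.0"), "dport": 21}]}
NAT_POOL = [{"action": "permit", "src": ("192.168.10.0", "0.255.255.255")}]
```

Running the NAT pool rule against an address such as 192.0.2.7 shows that the wildcard 0.255.255.255, as written, matches every address whose first octet is 192, far wider than the 192.168.10.0/24 trust network the requirement describes; a wildcard of 0.0.0.255 would limit it to that subnet.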