Huawei firewall security policy configuration
I. Configuration requirements and topology
Requirements:
1. Trust zone users can access users in the Untrust and DMZ zones;
2. Untrust zone users may only reach ICMP and Telnet services in the DMZ zone;
3. DMZ zone users can access neither the Untrust zone nor the Trust zone;
4. Within the trust zone, only ICMP traffic sourced from 192.168.1.0/24 is allowed.
II. Basic configuration
Firewall huaweiFW:
system-view
sysname huaweiFW
interface GigabitEthernet0/0/0
ip address 202.100.1.10 255.255.255.0
quit
interface GigabitEthernet0/0/1
ip address 172.16.1.10 255.255.255.0
quit
interface GigabitEthernet0/0/2
ip address 192.168.1.10 255.255.255.0
quit
interface GigabitEthernet0/0/3
ip address 192.168.10.10 255.255.255.0
quit
firewall zone trust
add interface GigabitEthernet0/0/2
add interface GigabitEthernet0/0/3
quit
firewall zone untrust
add interface GigabitEthernet0/0/0
quit
firewall zone dmz
add interface GigabitEthernet0/0/1
quit
AR1:
system-view
sysname AR1
interface GigabitEthernet0/0/0
ip address 192.168.10.1 255.255.255.0
quit
ip route-static 0.0.0.0 0.0.0.0 192.168.10.10 ==next hop is the firewall's GigabitEthernet0/0/3 address, not the router's own interface
AR2:
system-view
sysname DMZ
interface GigabitEthernet 0/0/0
ip address 172.16.1.1 24
quit
ip route-static 0.0.0.0 0 172.16.1.10
AR3:
system-view
sysname trust
interface GigabitEthernet 0/0/0
ip address 192.168.1.1 24
interface loopback0
ip address 2.2.2.2 32
quit
ip route-static 0.0.0.0 0 192.168.1.10
quit
III. Firewall policy configuration
The firewall's default policies are:
#
firewall packet-filter default permit interzone local trust direction inbound
firewall packet-filter default permit interzone local trust direction outbound
firewall packet-filter default permit interzone local untrust direction outbound
firewall packet-filter default permit interzone local dmz direction outbound
#
firewall session link-state check ==enable session link-state checking
firewall packet-filter default deny all ==deny all traffic by default
Configure the security access policies
Trust zone users can access users in the Untrust and DMZ zones:
firewall packet-filter default permit interzone trust untrust direction outbound
firewall packet-filter default permit interzone trust dmz direction outbound
Untrust zone users may only reach ICMP and Telnet services in the DMZ zone:
policy interzone dmz untrust inbound
policy 1
action permit
policy service service-set icmp
policy destination 172.16.1.1 0
policy 2
action permit
policy service service-set telnet
policy destination 172.16.1.1 0
Verify the policy and its match counters:
[huaweiFW]display policy interzone untrust dmz inbound
15:17:51 2015/02/02
policy interzone dmz untrust inbound
firewall default packet-filter is deny
policy 1 (2 times matched)
action permit
policy service service-set icmp (predefined)
policy source any
policy destination 172.16.1.1 0
policy 2 (4 times matched)
action permit
policy service service-set telnet (predefined)
policy source any
policy destination 172.16.1.1 0
[huaweiFW]
DMZ zone users can access neither the Untrust zone nor the Trust zone (no extra configuration is needed, because the default deny-all already blocks this traffic).
Within the trust zone, only ICMP traffic sourced from 192.168.1.0/24 is allowed:
policy zone trust
policy 1
action permit
policy service service-set icmp
policy source 192.168.1.0 mask 255.255.255.0
policy 2
action deny
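The following Python model is an added example and is not part of the original article or of Huawei's software. It encodes the zone and policy semantics the configuration above relies on (the zone priorities local 100, trust 85, dmz 50, untrust 5 are Huawei's defaults; "inbound" means from the lower-priority zone to the higher-priority one; within a policy the first matching entry wins and the packet-filter default applies otherwise), loads the huaweiFW policy section, and replays the four requirements against constructed sample flows. The service names, the sample IP addresses and the assumption that intrazone traffic passes unless a rule denies it are the example's own.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Huawei default security-zone priorities (higher = more trusted).
ZONE_PRIORITY = {"local": 100, "trust": 85, "dmz": 50, "untrust": 5}


@dataclass
class Rule:
    """One 'policy N' entry; a None condition means 'any'."""
    action: str  # "permit" or "deny"
    service: Optional[str] = None
    source: Optional[ipaddress.IPv4Network] = None
    destination: Optional[ipaddress.IPv4Network] = None

    def matches(self, src_ip, dst_ip, service):
        return ((self.service is None or self.service == service)
                and (self.source is None or ipaddress.ip_address(src_ip) in self.source)
                and (self.destination is None or ipaddress.ip_address(dst_ip) in self.destination))


@dataclass
class Policy:
    rules: list = field(default_factory=list)
    default: str = "deny"  # the 'firewall default packet-filter' line in the display output

    def decide(self, src_ip, dst_ip, service):
        for rule in self.rules:  # first matching 'policy N' wins, as on the device
            if rule.matches(src_ip, dst_ip, service):
                return rule.action
        return self.default


class Firewall:
    def __init__(self, default="deny"):
        self.default = default  # 'firewall packet-filter default deny all'
        self.interzone = {}     # (frozenset({zoneA, zoneB}), direction) -> Policy
        # Modelling assumption: intrazone traffic passes unless a rule denies it. The trust policy
        # above ends with an explicit 'action deny', so the outcome does not depend on this.
        self.intrazone = {}     # zone -> Policy

    @staticmethod
    def direction(src_zone, dst_zone):
        # inbound = from the lower-priority zone to the higher-priority zone
        return "inbound" if ZONE_PRIORITY[src_zone] < ZONE_PRIORITY[dst_zone] else "outbound"

    def interzone_policy(self, zone_a, zone_b, direction):
        # 'policy interzone A B direction' view; created with the global default on first use
        key = (frozenset((zone_a, zone_b)), direction)
        return self.interzone.setdefault(key, Policy(default=self.default))

    def intrazone_policy(self, zone):
        # 'policy zone X' view
        return self.intrazone.setdefault(zone, Policy(default="permit"))

    def evaluate(self, src_zone, dst_zone, src_ip, dst_ip, service):
        """Decision for the first packet of a flow (return packets use the session table, not modelled)."""
        if src_zone == dst_zone:
            return self.intrazone_policy(src_zone).decide(src_ip, dst_ip, service)
        direction = self.direction(src_zone, dst_zone)
        return self.interzone_policy(src_zone, dst_zone, direction).decide(src_ip, dst_ip, service)


def build_firewall():
    """Encode the huaweiFW policy section of the article in the model."""
    fw = Firewall(default="deny")
    # firewall packet-filter default permit interzone trust {untrust,dmz} direction outbound
    fw.interzone_policy("trust", "untrust", "outbound").default = "permit"
    fw.interzone_policy("trust", "dmz", "outbound").default = "permit"
    # policy interzone dmz untrust inbound: icmp and telnet to 172.16.1.1 only
    dmz_host = ipaddress.ip_network("172.16.1.1/32")
    fw.interzone_policy("dmz", "untrust", "inbound").rules += [
        Rule("permit", "icmp", destination=dmz_host), Rule("permit", "telnet", destination=dmz_host)]
    # policy zone trust: icmp from 192.168.1.0/24, then deny the rest
    fw.intrazone_policy("trust").rules += [
        Rule("permit", "icmp", source=ipaddress.ip_network("192.168.1.0/24")), Rule("deny")]
    return fw


# Constructed probe flows per requirement: (src_zone, dst_zone, src_ip, dst_ip, service, expected)
PROBES = {
    "1 trust -> untrust/dmz": [
        ("trust", "untrust", "192.168.1.1", "202.100.1.1", "http", "permit"),
        ("trust", "dmz", "192.168.1.1", "172.16.1.1", "telnet", "permit")],
    "2 untrust -> dmz: icmp/telnet to 172.16.1.1 only": [
        ("untrust", "dmz", "202.100.1.1", "172.16.1.1", "icmp", "permit"),
        ("untrust", "dmz", "202.100.1.1", "172.16.1.1", "http", "deny"),
        ("untrust", "dmz", "202.100.1.1", "172.16.1.20", "icmp", "deny")],
    "3 dmz -> untrust/trust blocked": [
        ("dmz", "untrust", "172.16.1.1", "202.100.1.1", "icmp", "deny"),
        ("dmz", "trust", "172.16.1.1", "192.168.1.1", "icmp", "deny")],
    "4 trust intrazone: icmp from 192.168.1.0/24 only": [
        ("trust", "trust", "192.168.1.1", "192.168.10.1", "icmp", "permit"),
        ("trust", "trust", "192.168.10.1", "192.168.1.1", "icmp", "deny")],
}


def check_requirements(fw):
    """True per requirement when every probe flow gets the expected decision."""
    return {name: all(fw.evaluate(*p[:5]) == p[5] for p in probes) for name, probes in PROBES.items()}
```

Calling check_requirements(build_firewall()) returns True for all four requirements. The negative probes are the ones worth keeping: HTTP from Untrust to the DMZ host, ICMP to a second DMZ address, and ICMP sourced from 192.168.10.0/24 inside trust all fall through to deny, which the article's display output (only hit counters for the two permit entries) cannot show by itself.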