
Topsec Firewall Configuration Manual: Brief Firewall Configuration Manual

2017-09-28, 10 pages, doc, 27KB, 702 views


is_044822

I. PC-side configuration (TFTP server)

II. Firewall-side configuration:

1. View the firewall's configuration files

    dir
    Directory of flash:/
    1 -rw- 5527015 Mar 15 2011 11:33:46 system
    2 -rw- 3819797 Mar 15 2011 11:34:25 http.zip
    3 -rw- 3586 Jul 01 2011 11:27:43 config.cfg
    15621 KB total (6484 KB free)

2. Upload the configuration to the firewall

    tftp 192.168.0.15 get newconfig.cfg config.cfg    # 192.168.0.15 is the address of the uploading PC
    The file flash:/config.cfg exists. Overwrite it?[Y/N]:y    # the file saved on the TFTP server side
    Verifying server file...
    Server file verify ok.
    Deleting the old file, please wait................
    File will be transferred in binary mode.
    Downloading file from remote tftp server, please wait........
    TFTP: 3586 bytes received in 0 second(s).
    File downloaded successfully.

3. Reboot the firewall. After it starts up, the firewall configuration is automatically changed to the configuration in the script.

III. Configuration:

    [H3C]dis cur
    #
    sysname H3C
    #
    firewall packet-filter enable
    firewall packet-filter default permit    # Set the firewall's default rule to permit
    #
    insulate
    #
    firewall statistic system enable
    #
    radius scheme system
     server-type extended
    #
    domain system
    #
    local-user admin    # Define the login username and password for telnet and web
     password simple gdnr    # The username is admin, the password is gdnr
     service-type telnet terminal
     level 3
    #
    acl number 2000
     rule 0 permit source 192.168.0.0 0.0.0.255    # Define the rule referenced by NAT
    #
    acl number 3000    # Define the firewall filtering rules
     rule 0 permit tcp destination-port eq 3389
     rule 1 permit tcp destination-port eq 9800
     rule 2 permit tcp destination-port eq 9595
     rule 3 permit tcp destination-port eq 1433
     rule 4 permit tcp destination-port eq 10001
     rule 5 permit tcp destination-port eq 5631
     rule 6 permit tcp destination-port eq 5632
     rule 7 permit tcp destination-port eq 19000
     rule 8 permit tcp destination-port eq 3390
     rule 9 permit tcp destination-port eq 9801
     rule 10 permit tcp destination-port eq 9596
     rule 11 permit tcp destination-port eq 1434
     rule 12 permit tcp destination-port eq 10002
     rule 13 permit tcp destination-port eq 5635
     rule 14 permit tcp destination-port eq 5636
     rule 15 permit tcp destination-port eq 19001
     rule 16 permit tcp destination-port eq 2403
     rule 17 permit tcp destination-port eq 2404
     rule 18 permit tcp destination-port eq 2405
     rule 19 permit tcp destination-port eq 5633
     rule 20 permit tcp destination-port eq 5634
     rule 21 permit tcp destination-port eq 3391
     rule 22 permit icmp
     rule 100 deny ip
    #
    interface Aux0
     async mode flow
    #
    interface Ethernet0/0    # Define the internal interface parameters
     description To-inside
     ip address 192.168.0.254 255.255.255.0
    #
    interface Ethernet0/1
    #
    interface Ethernet0/2
    #
    interface Ethernet0/3
    #
    interface Ethernet1/0    # Define the external interface parameters
     description To_shuju
     ip address 10.35.21.42 255.255.255.0
     firewall packet-filter 3000 inbound
     nat outbound 2000    # Define NAT
     nat server protocol tcp global 10.35.21.42 3389 inside 192.168.0.10 3389    # Define the NAT server mappings
     nat server protocol tcp global 10.35.21.42 9800 inside 192.168.0.10 9800
     nat server protocol tcp global 10.35.21.42 9595 inside 192.168.0.10 9595
     nat server protocol tcp global 10.35.21.42 1433 inside 192.168.0.10 1433
     nat server protocol tcp global 10.35.21.42 10001 inside 192.168.0.10 10001
     nat server protocol tcp global 10.35.21.42 5631 inside 192.168.0.10 5631
     nat server protocol tcp global 10.35.21.42 5632 inside 192.168.0.10 5632
     nat server protocol tcp global 10.35.21.42 19000 inside 192.168.0.10 19000
     nat server protocol tcp global 10.35.21.42 3390 inside 192.168.0.11 3390
     nat server protocol tcp global 10.35.21.42 9801 inside 192.168.0.11 9801
     nat server protocol tcp global 10.35.21.42 9596 inside 192.168.0.11 9596
     nat server protocol tcp global 10.35.21.42 1434 inside 192.168.0.11 1434
     nat server protocol tcp global 10.35.21.42 10002 inside 192.168.0.11 10002
     nat server protocol tcp global 10.35.21.42 5635 inside 192.168.0.11 5635
     nat server protocol tcp global 10.35.21.42 5636 inside 192.168.0.11 5636
     nat server protocol tcp global 10.35.21.42 19001 inside 192.168.0.11 19001
     nat server protocol tcp global 10.35.21.42 2403 inside 192.168.0.12 2403
     nat server protocol tcp global 10.35.21.42 2404 inside 192.168.0.12 2404
     nat server protocol tcp global 10.35.21.42 2405 inside 192.168.0.12 2405
     nat server protocol tcp global 10.35.21.42 5633 inside 192.168.0.12 5633
     nat server protocol tcp global 10.35.21.42 5634 inside 192.168.0.12 5634
     nat server protocol tcp global 10.35.21.42 3391 inside 192.168.0.12 3391
    #
    interface Ethernet1/1
    #
    interface Ethernet1/2
    #
    interface NULL0
    #
    firewall zone local
     set priority 100
    #
    firewall zone trust    # Add the internal interface to the trust zone
     add interface Ethernet0/0
     set priority 85
    #
    firewall zone untrust    # Add the external interface to the untrust zone
     add interface Ethernet1/0
     set priority 5
    firewall zone DMZ
     set priority 50
    #
    firewall interzone local trust
    #
    firewall interzone local untrust
    #
    firewall interzone local DMZ
    #
    firewall interzone trust untrust
    #
    firewall interzone trust DMZ
    #
    firewall interzone DMZ untrust
    #
    undo info-center enable
    #
    ip route-static 0.0.0.0 0.0.0.0 10.35.21.254 preference 60    # Set the external gateway
    #
    firewall defend ip-spoofing    # Enable the attack-defense types
    firewall defend land
    firewall defend smurf
    firewall defend fraggle
    firewall defend winnuke
    firewall defend icmp-redirect
    firewall defend icmp-unreachable
    firewall defend source-route
    firewall defend route-record
    firewall defend tracert
    firewall defend ping-of-death
    firewall defend tcp-flag
    firewall defend ip-fragment
    firewall defend large-icmp
    firewall defend teardrop
    firewall defend ip-sweep
    firewall defend port-scan
    firewall defend arp-spoofing
    firewall defend arp-flood
    firewall defend frag-flood
    firewall defend syn-flood enable
    firewall defend udp-flood enable
    firewall defend icmp-flood enable
    #
    user-interface con 0
    user-interface aux 0
    user-interface vty 0 4    # Define the telnet authentication mode
     authentication-mode scheme
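An added example (not part of the original manual): a small Python audit that reads a configuration in the syntax shown above and reports the settings a reviewer would question before deployment, namely the default-permit filter action, the `password simple` clear-text credential, telnet as the login service, and `nat server` mappings whose ports are either missing from the ACL or permitted from any source. The function name `audit`, the finding labels and the shortened sample (which deliberately omits the ACL rule for port 9800) are assumptions made for illustration.

```python
import re

# Constructed excerpt in the page's syntax; the ACL rule for 9800 is omitted on purpose.
SAMPLE = """\
firewall packet-filter default permit
local-user admin
 password simple gdnr
 service-type telnet terminal
acl number 3000
 rule 0 permit tcp destination-port eq 3389
 rule 3 permit tcp destination-port eq 1433
 rule 100 deny ip
interface Ethernet1/0
 nat server protocol tcp global 10.35.21.42 3389 inside 192.168.0.10 3389
 nat server protocol tcp global 10.35.21.42 1433 inside 192.168.0.10 1433
 nat server protocol tcp global 10.35.21.42 9800 inside 192.168.0.10 9800
"""

def audit(config):
    """Return (check, detail) findings; `audit` is a hypothetical helper."""
    findings = []
    lines = [line.strip() for line in config.splitlines()]
    if "firewall packet-filter default permit" in lines:
        findings.append(("default-permit", "packets matching no ACL rule are allowed"))
    for line in lines:
        if line.startswith("password simple "):
            findings.append(("plaintext-password", "password is stored in clear text"))
        if line.startswith("service-type ") and "telnet" in line.split():
            findings.append(("telnet-management", "login credentials cross the network unencrypted"))
    # TCP ports permitted by ACL rules -> True if the rule also restricts the source.
    permitted = {}
    for line in lines:
        m = re.match(r"rule \d+ permit tcp (.*?)destination-port eq (\d+)", line)
        if m:
            permitted[int(m.group(2))] = "source" in m.group(1)
    # Cross-check every published (nat server) service against the ACL.
    for line in lines:
        m = re.match(r"nat server protocol tcp global \S+ (\d+) inside (\S+) (\d+)", line)
        if m:
            port, inside = int(m.group(1)), f"{m.group(2)}:{m.group(3)}"
            if port not in permitted:
                findings.append(("nat-without-acl", f"{port} -> {inside} has no permit rule"))
            elif not permitted[port]:
                findings.append(("any-source", f"{port} -> {inside} is permitted from any source"))
    return findings

if __name__ == "__main__":
    for check, detail in audit(SAMPLE):
        print(f"{check:20} {detail}")
```

Run against the full configuration above, the same checks report every one of the 22 published ports as `any-source`, because none of the `acl number 3000` rules carries a `source` clause.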