Huawei Firewall Security Policy Configuration
2017-01-24 20:23
I. Requirements and topology
[Topology diagram: Huawei firewall security policy configuration]
Requirements:
1. Users in the Trust zone can access users in the Untrust zone and the DMZ zone;
2. Users in the Untrust zone can only reach ICMP and Telnet traffic in the DMZ zone;
3. Users in the DMZ zone can access neither the Untrust zone nor the Trust zone;
4. Within the Trust zone, only ICMP traffic with source address 192.168.1.0/24 is allowed;
II. Basic configuration
Firewall huaweiFW:
system-view
sysname huaweiFW
interface GigabitEthernet0/0/0
ip address 202.100.1.10 255.255.255.0
quit
interface GigabitEthernet0/0/1
ip address 172.16.1.10 255.255.255.0
quit
interface GigabitEthernet0/0/2
ip address 192.168.1.10 255.255.255.0
quit
interface GigabitEthernet0/0/3
ip address 192.168.10.10 255.255.255.0
quit
firewall zone trust
add interface GigabitEthernet0/0/2
add interface GigabitEthernet0/0/3
quit
firewall zone untrust
add interface GigabitEthernet0/0/0
quit
firewall zone dmz
add interface GigabitEthernet0/0/1
quit
AR1:
system-view
sysname AR5
interface GigabitEthernet0/0/0
ip address 192.168.10.1 255.255.255.0
quit
ip route-static 0.0.0.0 0.0.0.0 192.168.10.10 == next hop is the firewall's GigabitEthernet0/0/3 address; 192.168.10.1 is AR1's own interface and cannot be its next hop
AR2
system-view
sysname DMZ
interface GigabitEthernet 0/0/0
ip address 172.16.1.1 24
quit
ip route-static 0.0.0.0 0 172.16.1.10
AR3
system-view
sysname trust
interface GigabitEthernet 0/0/0
ip address 192.168.1.1 24
interface loopback0
ip address 2.2.2.2 32
quit
ip route-static 0.0.0.0 0 192.168.1.10
quit
III. Firewall policy configuration
The firewall's default packet-filter policies are:
#
firewall packet-filter default permit interzone local trust direction inbound
firewall packet-filter default permit interzone local trust direction outbound
firewall packet-filter default permit interzone local untrust direction outbound
firewall packet-filter default permit interzone local dmz direction outbound
#
firewall session link-state check == enable session link-state checking
firewall packet-filter default deny all == deny all interzone traffic by default
Configure the security access policies:
Trust zone users can access Untrust zone and DMZ zone users:
firewall packet-filter default permit interzone trust untrust direction outbound
firewall packet-filter default permit interzone trust dmz direction outbound
Untrust zone users can only reach ICMP and Telnet traffic in the DMZ zone:
policy interzone dmz untrust inbound == inbound: traffic from the lower-priority zone (untrust) towards the higher-priority zone (dmz)
policy 1
action permit
policy service service-set icmp
policy destination 172.16.1.1 0
policy 2
action permit
policy service service-set telnet
policy destination 172.16.1.1 0
Verify the policy and its hit counts:
[huaweiFW]display policy interzone untrust dmz inbound
15:17:51 2015/02/02
policy interzone dmz untrust inbound
firewall default packet-filter is deny
policy 1 (2 times matched)
action permit
policy service service-set icmp (predefined)
policy source any
policy destination 172.16.1.1 0
policy 2 (4 times matched)
action permit
policy service service-set telnet (predefined)
policy source any
policy destination 172.16.1.1 0
[huaweiFW]
DMZ zone users cannot access the Untrust zone or the Trust zone (no extra configuration is needed, because the default deny-all above already drops this traffic).
Within the Trust zone, only ICMP with source address 192.168.1.0/24 is allowed:
policy zone trust == intrazone policy for the trust zone
policy 1
action permit
policy service service-set icmp
policy source 192.168.1.0 mask 255.255.255.0
policy 2
action deny
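To check that the policy set above really satisfies the four requirements, here is an added Python model of the firewall's evaluation order (explicit interzone/intrazone policies first, then the default packet-filter); it is not code from the original post or from Huawei, and it assumes the usual USG zone priorities (local 100, trust 85, dmz 50, untrust 5) and that the intrazone default is permit, which the post never states. It also makes visible that AR1's 192.168.10.0/24, which is in the trust zone too, is caught by intrazone policy 2.

```python
import ipaddress
# Zone priorities: the usual USG defaults (an assumption; the page never prints them).
ZONE_PRIORITY = {"local": 100, "trust": 85, "dmz": 50, "untrust": 5}
# Interzone defaults from the page (unordered zone pair, direction); every other pair is "deny all".
DEFAULTS = {
    (frozenset({"trust", "untrust"}), "outbound"): "permit",
    (frozenset({"trust", "dmz"}), "outbound"): "permit",
}
# Explicit policies from the page, evaluated first-match; a rule without a field matches any value.
POLICIES = {
    (frozenset({"dmz", "untrust"}), "inbound"): [  # policy interzone dmz untrust inbound
        {"action": "permit", "service": "icmp", "dst": "172.16.1.1/32"},
        {"action": "permit", "service": "telnet", "dst": "172.16.1.1/32"},
    ],
    (frozenset({"trust"}), "intrazone"): [  # policy zone trust
        {"action": "permit", "service": "icmp", "src": "192.168.1.0/24"},
        {"action": "deny"},
    ],
}

def rule_matches(rule, src_ip, dst_ip, service):
    return (rule.get("service", service) == service
            and all(ipaddress.ip_address(ip) in ipaddress.ip_network(rule[f])
                    for f, ip in (("src", src_ip), ("dst", dst_ip)) if f in rule))

def decide(src_zone, dst_zone, src_ip, dst_ip, service):
    """Verdict for one new flow: the explicit policy list first, then the default packet-filter."""
    if src_zone == dst_zone:  # intrazone; default assumed permit, moot here because of policy 2
        key, fallback = (frozenset({src_zone}), "intrazone"), "permit"
    else:  # USG convention: 'inbound' runs from the lower-priority zone to the higher-priority one
        dir_ = "inbound" if ZONE_PRIORITY[src_zone] < ZONE_PRIORITY[dst_zone] else "outbound"
        key = (frozenset({src_zone, dst_zone}), dir_)
        fallback = DEFAULTS.get(key, "deny")
    for rule in POLICIES.get(key, []):
        if rule_matches(rule, src_ip, dst_ip, service):
            return rule["action"]
    return fallback

# Probe flows for the four requirements: (label, src_zone, dst_zone, src_ip, dst_ip, service, expected)
PROBES = [
    ("1 trust->untrust", "trust", "untrust", "192.168.1.1", "202.100.1.1", "http", "permit"),
    ("2 untrust->dmz telnet", "untrust", "dmz", "202.100.1.1", "172.16.1.1", "telnet", "permit"),
    ("2 untrust->dmz http", "untrust", "dmz", "202.100.1.1", "172.16.1.1", "http", "deny"),
    ("3 dmz->trust", "dmz", "trust", "172.16.1.1", "192.168.1.1", "icmp", "deny"),
    ("4 trust intrazone from 192.168.1.1", "trust", "trust", "192.168.1.1", "192.168.10.1", "icmp", "permit"),
    ("4 trust intrazone from 192.168.10.1", "trust", "trust", "192.168.10.1", "192.168.1.1", "icmp", "deny"),
]
def violations():
    """Labels of probes whose verdict differs from the requirement; an empty list means all hold."""
    return [p[0] for p in PROBES if decide(*p[1:6]) != p[6]]
```

Adding a probe for each new rule before it goes on the box is a cheap regression check: any later edit to a default packet-filter or policy order shows up as a non-empty violations() list.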
This article comes from the "飘落的心" blog; please keep this attribution: http://plde3379.blog.51cto.com/10025808/1623872