Firewall Configuration Quick Manual

I. PC-side configuration (TFTP server)

II. Firewall-side configuration:

1. List the configuration files on the firewall (note the size of config.cfg; it is compared with the transfer result in step 2)

dir
Directory of flash:/

1 -rw- 5527015 Mar 15 2011 11:33:46 system
2 -rw- 3819797 Mar 15 2011 11:34:25 http.zip
3 -rw- 3586 Jul 01 2011 11:27:43 config.cfg

15621 KB total (6484 KB free)

2. Upload the configuration to the firewall

tftp 192.168.0.15 get newconfig.cfg config.cfg # 192.168.0.15 is the PC running the TFTP server; newconfig.cfg is the file on the server, config.cfg is the name it is written to on flash
The file flash:/config.cfg exists. Overwrite it?[Y/N]:y # answer y to replace the current startup configuration file
Verifying server file...
Server file verify ok.
Deleting the old file, please wait................
File will be transferred in binary mode.
Downloading file from remote tftp server, please wait........
TFTP: 3586 bytes received in 0 second(s). # must equal the size of newconfig.cfg on the PC
File downloaded successfully.

3. Reboot the firewall. On startup it loads config.cfg, so the running configuration becomes the one in the uploaded file. Two checks before rebooting: the byte count reported by the transfer (3586 bytes above) must match the size of newconfig.cfg on the PC, and config.cfg must be the file used at next startup (display startup shows it). Do not run save between the download and the reboot: save writes the running configuration back to config.cfg and would overwrite the file just transferred. TFTP carries the file unauthenticated and in the clear, so run the TFTP server on the inside network only (here 192.168.0.15, on the trust side) and stop it as soon as the transfer is done.
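The PC side of this procedure is the TFTP server that section I leaves unspecified. What follows is an added example, not part of the original manual and not H3C software: a small read-only TFTP server in Python together with the matching client, so the DATA/ACK exchange behind the firewall's "tftp 192.168.0.15 get newconfig.cfg config.cfg" can be run and tested end to end. It assumes plain RFC 1350 (512-byte blocks, octet mode, no option negotiation) over IPv4; the directory served, the bind address and the port are whatever the operator chooses, and port 69 needs root.

```python
# Added example for this manual, not vendor software. Assumes plain RFC 1350
# (512-byte blocks, octet mode, no options) over IPv4; port 69 needs root.
import os, socket, struct, tempfile, threading

RRQ, WRQ, DATA, ACK, ERROR = 1, 2, 3, 4, 5
ERR_NOT_FOUND, ERR_ACCESS = 1, 2
BLOCK_SIZE = 512  # fixed by RFC 1350; a block shorter than this ends the transfer

def safe_path(root, filename):
    """Resolve filename under root; None for traversal such as ../../etc/passwd."""
    root = os.path.realpath(root)
    full = os.path.realpath(os.path.join(root, filename))
    return full if os.path.commonpath([root, full]) == root else None

class TftpReadServer:
    """Answers RRQ only; a WRQ gets an ERROR, so the firewall can never write to the PC."""
    def __init__(self, root, port=69, bind="0.0.0.0", timeout=5.0, retries=3):
        self.root, self.timeout, self.retries = root, timeout, retries
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        self.sock.bind((bind, port))
        self.port = self.sock.getsockname()[1]  # port=0 lets the OS pick a free port

    def serve_once(self):
        """Handle one request; returns bytes sent, or None if the request was refused."""
        pkt, client = self.sock.recvfrom(1024)
        opcode = struct.unpack("!H", pkt[:2])[0]
        filename = pkt[2:].split(b"\x00")[0].decode("ascii", "replace")
        xfer = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)  # new port = server TID
        xfer.settimeout(self.timeout)
        try:
            if opcode != RRQ:
                xfer.sendto(struct.pack("!HH", ERROR, ERR_ACCESS) + b"read-only server\x00", client)
                return None
            path = safe_path(self.root, filename)
            if path is None or not os.path.isfile(path):
                xfer.sendto(struct.pack("!HH", ERROR, ERR_NOT_FOUND) + b"file not found\x00", client)
                return None
            with open(path, "rb") as f:
                return self._send(xfer, client, f.read())
        finally:
            xfer.close()

    def _send(self, xfer, client, data):
        """Lockstep loop: send DATA n, wait for ACK n, resend the same block on timeout."""
        block, offset = 1, 0
        while True:
            chunk = data[offset:offset + BLOCK_SIZE]
            for _ in range(self.retries):
                xfer.sendto(struct.pack("!HH", DATA, block) + chunk, client)
                try:
                    resp, addr = xfer.recvfrom(516)
                except socket.timeout:
                    continue
                if addr == client and len(resp) >= 4 and struct.unpack("!HH", resp[:4]) == (ACK, block):
                    break
            else:
                raise TimeoutError(f"no ACK for block {block}")
            offset += len(chunk)
            if len(chunk) < BLOCK_SIZE:
                return offset
            block = (block + 1) & 0xFFFF

def tftp_request(host, port, filename, opcode=RRQ, timeout=5.0):
    """Client side: send RRQ (or WRQ, to watch it being refused) and ACK each DATA block."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(struct.pack("!H", opcode) + filename.encode() + b"\x00octet\x00", (host, port))
        out, expected, server = bytearray(), 1, None
        while True:
            pkt, addr = sock.recvfrom(516)
            op, num = struct.unpack("!HH", pkt[:4])
            if op == ERROR:  # errno of the raised OSError carries the TFTP error code
                raise OSError(num, pkt[4:].rstrip(b"\x00").decode("ascii", "replace"))
            if server is None:
                server = addr  # lock on to the server's transfer port
            if addr != server or op != DATA or num != expected:
                continue  # stray or duplicate packet
            out += pkt[4:]
            sock.sendto(struct.pack("!HH", ACK, num), server)
            if len(pkt) - 4 < BLOCK_SIZE:
                return bytes(out)
            expected = (expected + 1) & 0xFFFF
    finally:
        sock.close()

def serve_in_background(root, port=69):
    """Start a thread that answers one request; the returned server exposes .port."""
    srv = TftpReadServer(root, port)
    threading.Thread(target=srv.serve_once, daemon=True).start()
    return srv

def roundtrip(data, filename="newconfig.cfg"):
    """Self-test on loopback: serve `data` from a temp dir on a free port, fetch it back."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, filename), "wb") as f:
            f.write(data)
        return tftp_request("127.0.0.1", serve_in_background(root, port=0).port, filename)
```

For a real transfer, construct TftpReadServer with the directory that holds newconfig.cfg and port 69 and call serve_once() in a loop while the firewall runs its get; roundtrip() exercises both sides on the loopback interface. The server answers every request from a fresh UDP port, as RFC 1350 requires, refuses any write request and rejects file names that escape the served directory. Since TFTP has no authentication, anything that can reach the port can read every file in that directory, which is why the server should run only for the duration of the transfer.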

III. Configuration:

[H3C]dis cur # display current-configuration
#
 sysname H3C
#
 firewall packet-filter enable
 firewall packet-filter default permit # default action is permit: traffic on any interface with no packet-filter applied passes unfiltered; only Ethernet1/0 inbound is filtered below, and acl 3000 ends with an explicit deny
#
 insulate
#
 firewall statistic system enable
#
radius scheme system
 server-type extended
#
domain system
#
local-user admin # login account for telnet and the web UI
 password simple gdnr # username admin, password gdnr; "simple" stores the password in clear text in the configuration file, "password cipher" stores it encrypted
 service-type telnet terminal
 level 3
#
acl number 2000
 rule 0 permit source 192.168.0.0 0.0.0.255 # inside addresses allowed to use outbound NAT
#
acl number 3000 # inbound filter for the outside interface: one permit per published port, with no source restriction, so every port listed (including RDP 3389 and SQL Server 1433) is reachable from any address on the untrust side
 rule 0 permit tcp destination-port eq 3389
 rule 1 permit tcp destination-port eq 9800
 rule 2 permit tcp destination-port eq 9595
 rule 3 permit tcp destination-port eq 1433
 rule 4 permit tcp destination-port eq 10001
 rule 5 permit tcp destination-port eq 5631
 rule 6 permit tcp destination-port eq 5632
 rule 7 permit tcp destination-port eq 19000
 rule 8 permit tcp destination-port eq 3390
 rule 9 permit tcp destination-port eq 9801
 rule 10 permit tcp destination-port eq 9596
 rule 11 permit tcp destination-port eq 1434
 rule 12 permit tcp destination-port eq 10002
 rule 13 permit tcp destination-port eq 5635
 rule 14 permit tcp destination-port eq 5636
 rule 15 permit tcp destination-port eq 19001
 rule 16 permit tcp destination-port eq 2403
 rule 17 permit tcp destination-port eq 2404
 rule 18 permit tcp destination-port eq 2405
 rule 19 permit tcp destination-port eq 5633
 rule 20 permit tcp destination-port eq 5634
 rule 21 permit tcp destination-port eq 3391
 rule 22 permit icmp
 rule 100 deny ip # everything not explicitly permitted above is dropped
#
interface Aux0
 async mode flow
#
interface Ethernet0/0 # inside interface
 description To-inside
 ip address 192.168.0.254 255.255.255.0
#
interface Ethernet0/1
#
interface Ethernet0/2
#
interface Ethernet0/3
#
interface Ethernet1/0 # outside interface
 description To_shuju
 ip address 10.35.21.42 255.255.255.0
 firewall packet-filter 3000 inbound # apply acl 3000 to traffic entering from outside
 nat outbound 2000 # source NAT for the inside network matched by acl 2000
 nat server protocol tcp global 10.35.21.42 3389 inside 192.168.0.10 3389 # static server mappings, outside port -> inside host:port; each published port must also be permitted in acl 3000 or the mapping is unreachable
 nat server protocol tcp global 10.35.21.42 9800 inside 192.168.0.10 9800
 nat server protocol tcp global 10.35.21.42 9595 inside 192.168.0.10 9595
 nat server protocol tcp global 10.35.21.42 1433 inside 192.168.0.10 1433
 nat server protocol tcp global 10.35.21.42 10001 inside 192.168.0.10 10001
 nat server protocol tcp global 10.35.21.42 5631 inside 192.168.0.10 5631
 nat server protocol tcp global 10.35.21.42 5632 inside 192.168.0.10 5632
 nat server protocol tcp global 10.35.21.42 19000 inside 192.168.0.10 19000
 nat server protocol tcp global 10.35.21.42 3390 inside 192.168.0.11 3390
 nat server protocol tcp global 10.35.21.42 9801 inside 192.168.0.11 9801
 nat server protocol tcp global 10.35.21.42 9596 inside 192.168.0.11 9596
 nat server protocol tcp global 10.35.21.42 1434 inside 192.168.0.11 1434
 nat server protocol tcp global 10.35.21.42 10002 inside 192.168.0.11 10002
 nat server protocol tcp global 10.35.21.42 5635 inside 192.168.0.11 5635
 nat server protocol tcp global 10.35.21.42 5636 inside 192.168.0.11 5636
 nat server protocol tcp global 10.35.21.42 19001 inside 192.168.0.11 19001
 nat server protocol tcp global 10.35.21.42 2403 inside 192.168.0.12 2403
 nat server protocol tcp global 10.35.21.42 2404 inside 192.168.0.12 2404
 nat server protocol tcp global 10.35.21.42 2405 inside 192.168.0.12 2405
 nat server protocol tcp global 10.35.21.42 5633 inside 192.168.0.12 5633
 nat server protocol tcp global 10.35.21.42 5634 inside 192.168.0.12 5634
 nat server protocol tcp global 10.35.21.42 3391 inside 192.168.0.12 3391
#
interface Ethernet1/1
#
interface Ethernet1/2
#
interface NULL0
#
firewall zone local
 set priority 100
#
firewall zone trust # the inside interface goes into the trust zone
 add interface Ethernet0/0
 set priority 85
#
firewall zone untrust # the outside interface goes into the untrust zone
 add interface Ethernet1/0
 set priority 5
#
firewall zone DMZ
 set priority 50
#
firewall interzone local trust
#
firewall interzone local untrust
#
firewall interzone local DMZ
#
firewall interzone trust untrust
#
firewall interzone trust DMZ
#
firewall interzone DMZ untrust
#
 undo info-center enable # disables the information center (system logging), so events such as attack-defence hits are not recorded
#
 ip route-static 0.0.0.0 0.0.0.0 10.35.21.254 preference 60 # default route towards the outside gateway
#
 firewall defend ip-spoofing # attack-defence features enabled
 firewall defend land
 firewall defend smurf
 firewall defend fraggle
 firewall defend winnuke
 firewall defend icmp-redirect
 firewall defend icmp-unreachable
 firewall defend source-route
 firewall defend route-record
 firewall defend tracert
 firewall defend ping-of-death
 firewall defend tcp-flag
 firewall defend ip-fragment
 firewall defend large-icmp
 firewall defend teardrop
 firewall defend ip-sweep
 firewall defend port-scan
 firewall defend arp-spoofing
 firewall defend arp-flood
 firewall defend frag-flood
 firewall defend syn-flood enable
 firewall defend udp-flood enable
 firewall defend icmp-flood enable
#
user-interface con 0
user-interface aux 0
user-interface vty 0 4 # telnet lines authenticate against the local-user account defined above
 authentication-mode scheme
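Because the file pushed in section II replaces the startup configuration wholesale, it pays to lint newconfig.cfg before pushing it. The following is an added example, not part of the original manual and not an H3C tool: a Python checker that parses configuration text of the form shown above, cross-checks the nat server mappings on an interface against the ACL applied inbound on it, flags permits with no source restriction, and flags accounts whose password is stored with "password simple". It matches only the command syntax shown in this manual (other Comware releases may print these lines differently); the SAMPLE input is constructed from a cut-down copy of the configuration above with two deliberate defects.

```python
# Added example for this manual, not an H3C tool. Matches the command syntax
# shown in this manual; other Comware releases may print these lines differently.
import re

ACL_RULE = re.compile(r"^rule\s+\d+\s+(permit|deny)\s+(\S+)(.*)$")
NAT_SERVER = re.compile(r"^nat server protocol (tcp|udp) global \S+ (\d+) inside (\S+) (\d+)$")
PKT_FILTER = re.compile(r"^firewall packet-filter (\d+) (inbound|outbound)$")
DST_PORT = re.compile(r"destination-port eq (\d+)")

def parse(config_text):
    """Group the lines under each 'acl number', 'interface' and 'local-user' heading.

    Leading blanks (Comware indents sub-commands) and trailing ' # ...' annotations
    are dropped; a bare '#' line closes the current block.
    """
    acls, ifaces, users = {}, {}, {}
    block = None
    for raw in config_text.splitlines():
        line = raw.split(" #", 1)[0].strip()
        if not line:
            continue
        if line == "#":
            block = None
            continue
        words = line.split()
        if line.startswith("acl number "):
            block = acls.setdefault(int(words[2]), [])
        elif line.startswith("interface "):
            block = ifaces.setdefault(words[1], [])
        elif line.startswith("local-user "):
            block = users.setdefault(words[1], [])
        elif block is not None:
            block.append(line)
    return acls, ifaces, users

def audit(config_text):
    """Return (severity, message) findings, most severe first."""
    acls, ifaces, users = parse(config_text)
    findings = []
    for user, lines in users.items():
        if any(l.startswith("password simple ") for l in lines):
            findings.append(("high", f"local-user {user}: password stored in clear text "
                                     f"('password simple'); use 'password cipher'"))
    for name, lines in ifaces.items():
        inbound = [int(m.group(1)) for m in map(PKT_FILTER.match, lines) if m and m.group(2) == "inbound"]
        mappings = [(m.group(1), int(m.group(2)), m.group(3), int(m.group(4)))
                    for m in map(NAT_SERVER.match, lines) if m]
        if mappings and not inbound:
            findings.append(("high", f"{name}: {len(mappings)} nat server mapping(s) but no inbound packet-filter"))
        for acl_id in inbound:
            permitted = {}  # (proto, port) -> rest of the rule text
            for m in map(ACL_RULE.match, acls.get(acl_id, [])):
                port = DST_PORT.search(m.group(3)) if m else None
                if m and m.group(1) == "permit" and port:
                    permitted[(m.group(2), int(port.group(1)))] = m.group(3)
            mapped = set()
            for proto, gport, inside, iport in mappings:
                mapped.add((proto, gport))
                if (proto, gport) not in permitted:
                    findings.append(("high", f"{name}: nat server {proto}/{gport} -> {inside}:{iport} "
                                             f"has no permit in acl {acl_id}; the mapping is unreachable"))
            for (proto, port), rest in sorted(permitted.items()):
                if (proto, port) not in mapped:
                    findings.append(("low", f"{name}: acl {acl_id} permits {proto}/{port} but no nat server mapping uses it"))
            open_ports = sorted(port for (_, port), rest in permitted.items() if "source" not in rest)
            if open_ports:
                findings.append(("medium", f"{name}: acl {acl_id} permits ports {open_ports} from any source"))
    rank = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: rank[f[0]])

# Constructed sample: a cut-down copy of the configuration above with two deliberate
# defects (5631 mapped but not permitted; 9800 permitted but never mapped).
SAMPLE = """\
#
local-user admin
 password simple gdnr
 service-type telnet terminal
 level 3
#
acl number 3000
 rule 0 permit tcp destination-port eq 3389
 rule 1 permit tcp destination-port eq 9800
 rule 2 permit tcp source 10.35.21.0 0.0.0.255 destination-port eq 1433
 rule 22 permit icmp
 rule 100 deny ip
#
interface Ethernet1/0
 ip address 10.35.21.42 255.255.255.0
 firewall packet-filter 3000 inbound
 nat outbound 2000
 nat server protocol tcp global 10.35.21.42 3389 inside 192.168.0.10 3389
 nat server protocol tcp global 10.35.21.42 1433 inside 192.168.0.10 1433
 nat server protocol tcp global 10.35.21.42 5631 inside 192.168.0.10 5631
#
"""

if __name__ == "__main__":
    for severity, message in audit(SAMPLE):
        print(f"[{severity}] {message}")
```

Run against the full configuration above, the checker reports the clear-text admin password and lists all 22 published ports as open to any source; the mappings and acl 3000 are otherwise consistent. Adding "source" restrictions to the RDP and SQL Server permits, as rule 2 in the sample does, is the change that removes the medium finding for those ports.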
