HUAWEI Eudemon firewall configuration commands (华为eudemon防火墙配置命令)
Document no. 25891791, uploaded 2023-06-16, DOCX, 7 pages, 17.33 KB
1. Standard access list command format
acl acl-number [match-order {config | auto}]
rule {normal | special} {permit | deny} [source {source-addr source-wildcard | any}]

(1) Extended access list for TCP/UDP:
rule {normal | special} {permit | deny} {tcp | udp} [source {source-addr source-wildcard | any}] [source-port operator port1 [port2]] [destination {dest-addr dest-wildcard | any}] [destination-port operator port1 [port2]] [logging]

(2) Extended access list for ICMP:
rule {normal | special} {permit | deny} icmp [source {source-addr source-wildcard | any}] [destination {dest-addr dest-wildcard | any}] [icmp-type icmp-type icmp-code] [logging]

(3) Extended access lists for other protocols:
rule {normal | special} {permit | deny} {ip | igmp | ospf | gre} [source {source-addr source-wildcard | any}] [destination {dest-addr dest-wildcard | any}] [logging]

The port operator is one of:
eq port-number (= port number)
gt port-number (> port number)
lt port-number (< port number)
neq port-number (<> port number)
range port-number1 port-number2 (port-number1 <= port <= port-number2)

Example: create access control list 102.
[Eudemon] acl number 102
# Configure the rules that allow specific external users to reach the internal server.
This completes the creation of the ACL. The following configuration references ACLs in packet-filtering applications; the commands themselves are explained in the relevant chapters.
# Apply ACL 101 in the direction from the Trust zone to the Untrust zone.
[Eudemon-interzone-trust-untrust] packet-filter 101 outbound
# Apply ACL 102 in the direction from the Untrust zone to the Trust zone.
[Eudemon-interzone-trust-untrust] packet-filter 102 inbound
# Enable FTP protocol detection between the Trust and Untrust zones.
[Eudemon-interzone-trust-untrust] detect ftp

2. ASPF configuration example
[Eudemon] firewall session aging-time ftp 3000
[Eudemon] firewall session aging-time http 3000
[Eudemon] acl number 101
[Eudemon-acl-adv-101] rule deny ip
[Eudemon] acl number 10
[Eudemon-acl-basic-10] rule permit source any
[Eudemon] firewall packet-filter default permit interzone trust untrust direction outbound
[Eudemon] firewall interzone trust untrust
[Eudemon-interzone-trust-untrust] packet-filter 101 inbound
[Eudemon-interzone-trust-untrust] detect ftp
[Eudemon-interzone-trust-untrust] detect http
[Eudemon-interzone-trust-untrust] detect java-blocking 10

3. Blacklist example
[Eudemon] firewall packet-filter icmp range global blacklist
[Eudemon] firewall blacklist enable

4. Many-to-many address translation (NAT)
(1) In system view, define a NAT address pool from which addresses are allocated as needed:
nat address-group group-number start-addr end-addr
group-number identifies the pool; start-addr and end-addr are the first and last IP addresses of the pool.
(2) Define an access control list in system view and ACL view.
In system view, define the access control list:
acl acl-number [match-order {config | auto}]
In ACL view, define the access control rules:
rule [rule-id] {permit | deny} [source {source-addr source-wildcard | any}] [time-range time-name] [logging]
(3) In interzone view, associate the access control list with the NAT address pool:
nat outbound acl-number address-group group-number

5. NAT server configuration: offer an internal machine to the outside for HTTP or FTP
This maps an external address and port onto the internal server.
nat server protocol pro-type global global-addr [global-port1 [global-port2]] inside host-addr [host-addr2] [host-port]
nat server global global-addr inside host-addr

6. Easy IP (simple IP) configuration
nat outbound acl-number interface interface-name

7. Application Level Gateway (ALG)
NAT by itself only translates the addresses in the IP header and the ports in the TCP/UDP header. Protocols such as ICMP and FTP also carry IP addresses and ports in the data part of the packet, so:
(1) In system view, enable the ALG function for the protocol:
nat alg enable {ftp | h323 | icmp | ras}
(2) In interzone view, configure ASPF detection for the application-layer protocol:
detect protocol

8. Eudemon firewall configuration steps
(1) Network planning
Network topology (down to the assignment and cabling of each physical port on every device); IP address allocation (every IP address on every device); zone division on the firewall; the firewall's address mapping relationships; the policies the firewall must open.
(2) Configure interface IP addresses
Configure the IP address of each interface.
# Configure firewall interface Ethernet 0/0/0.
[Eudemon] interface ethernet 0/0/0
[Eudemon-ethernet0/0/0] quit
For a dual-device (hot-standby) deployment, configure VRRP under the interface:
[Eudemon] interface ethernet 0/0/0
# Configure VRRP backup group 1 under eth0/0/0; the virtual IP must be in the same subnet as the interface address.
[Eudemon-ethernet0/0/0] vrrp vrid 1 virtual-ip <virtual-ip>
# Configure VRRP backup group 2 under eth0/0/1 in the same way.
Note: do not configure the VRRP priority when configuring VRRP under the interface.
(3) Configure zones
# Configure zone dmz1.
[Eudemon] firewall zone name dmz1
[Eudemon-zone-dmz1] set priority 70
(4) Add interfaces to zones
# Add interface Ethernet 1/0/0 to the DMZ zone.
[Eudemon] firewall zone dmz
[Eudemon-zone-dmz] add interface Ethernet 1/0/0
[Eudemon-zone-dmz] quit
(5) Configure VRRP (dual devices)
# Create VRRP management group 1 and add all VRRP backup groups to it for unified management.
[Eudemon] vrrp-group 1
# VRRP groups added to the VGMP group are ordered automatically by configuration sequence; with the configuration below, display current-configuration shows the entry "add interface Ethernet 2/0/0 vrrp vrid 3 data transfer-only", and VRRP groups 1 and 2 are listed as 1 and 2.
[Eudemon-vrrpgroup-1] add interface Ethernet 0/0/0 vrrp vrid 1 data
[Eudemon-vrrpgroup-1] add interface Ethernet 0/0/1 vrrp vrid 2 data
# A channel configured with the transfer-only parameter is the preferred channel; a change in its state does not change the VGMP priority and does not trigger a switchover.
[Eudemon-vrrpgroup-1] add interface Ethernet 2/0/0 vrrp vrid 3 data transfer-only
# Enable the VRRP management group; VRRP groups can only be managed uniformly once VGMP is enabled.
[Eudemon-vrrpgroup-1] vrrp enable
# Enable automatic preemption for the VRRP management group; the preemption delay is 0 seconds by default.
[Eudemon-vrrpgroup-1] vrrp preempt
(6) Configure the VRRP group priority
When no VGMP priority is configured on the firewall, the default priority is 100. When assigning priorities, keep the VGMP priority decrement rule in mind: priority after decrement = priority - priority/16. When the master firewall fails, its decremented priority must be lower than the slave firewall's priority for the switchover to happen; otherwise the failed firewall remains master and service is interrupted. With the configuration below, the decremented priority is 105 - 105/16 = 98, so the slave firewall's priority must be higher than 98.
[Eudemon-vrrpgroup-1] vrrp priority 105
[Eudemon-vrrpgroup-1] quit
(7) Configure HRP
# Enable HRP. Once enabled, the master firewall's prompt shows HRP_M in front of [Eudemon] and the slave firewall's prompt shows HRP_S; automatic real-time backup is the default.
[Eudemon] hrp enable
The configuration of the slave firewall is basically the same as that of the master firewall; only the interface IP addresses need to be changed.
(8) Verify the dual-device configuration
(9) Configure address translation
(10) Configure the ACL
[Eudemon] acl name TOD advanced
(11) Apply the ACL between zones
[Eudemon] firewall interzone dmz untrust
[Eudemon-interzone-dmz-untrust] packet-filter TOD inbound
(12) Check the service configuration
Check the dual-device state: check whether a master/slave switchover affects service.
Check configuration synchronization: check whether the master and standby configurations are synchronized, which can be done by comparing the two configurations.
Check that the service is normal: test the business traffic.

9. Firewall maintenance commands
(1) display diagnostic-information: collects all information on the firewall, for submission to support staff for analysis.
(2) display firewall session table verbose: shows the firewall connection (session) table.
(3) Debugging commands
To show debugging output in the current Telnet or console window, use terminal debugging and terminal monitor together (forbidden on a live production device):
debugging firewall packet-filter all interzone untrust trust
debugging ip icmp (ICMP/ping packets)
debugging ip packet (IP packets)
undo debugging all (turn all debugging off when done)
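The ACL, packet-filter and NAT commands of sections 1, 4, 5 and 6 can be reasoned about without a firewall by modelling their semantics. The Python below is an added example written for this page, not Huawei code: it implements the VRP wildcard mask (a 0 bit must match, a 1 bit is ignored), the five port operators, match-order config (first matching rule in definition order wins) versus match-order auto (depth-first, approximated here by counting don't-care address bits so the more specific rule is tried first), the interzone default action, a many-to-many address pool used by nat outbound, and a nat server mapping. Everything in it is constructed: the addresses, the ACL numbers and rules, the round-robin choice of a pool address (the page does not say how a pool address is picked), and the assumption that nat server translation happens before the inbound packet filter, so that the ACL is written against the inside address and port.

```python
# Added example, not Huawei code: a model of Eudemon ACL/packet-filter/NAT semantics.
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

ANY = ("0.0.0.0", "255.255.255.255")  # VRP "any": base 0.0.0.0 with an all-ones wildcard

def addr_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard-mask compare: a 0 bit in the wildcard must match, a 1 bit is ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return ((a ^ b) & (0xFFFFFFFF ^ w)) == 0

# Port operators of the "operator port1 [port2]" syntax; only range uses port2.
PORT_OPS: Dict[str, Callable[[int, int, int], bool]] = {
    "eq": lambda p, a, _: p == a, "gt": lambda p, a, _: p > a, "lt": lambda p, a, _: p < a,
    "neq": lambda p, a, _: p != a, "range": lambda p, a, b: a <= p <= b,
}

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    sport: int = 0
    dport: int = 0

@dataclass
class Rule:
    """One 'rule {permit|deny} <proto> [source ...] [destination ...] [port conditions]' line."""
    action: str
    proto: str = "ip"                                # "ip" matches every protocol
    src: Tuple[str, str] = ANY                       # (addr, wildcard)
    dst: Tuple[str, str] = ANY
    sport: Optional[Tuple[str, int, int]] = None     # (operator, port1, port2)
    dport: Optional[Tuple[str, int, int]] = None

    def matches(self, p: Packet) -> bool:
        if self.proto not in ("ip", p.proto):
            return False
        if not (addr_match(p.src, *self.src) and addr_match(p.dst, *self.dst)):
            return False
        return all(c is None or PORT_OPS[c[0]](port, c[1], c[2])
                   for c, port in ((self.sport, p.sport), (self.dport, p.dport)))

    def specificity(self) -> int:
        """Don't-care address bits; fewer means more specific (used by match-order auto)."""
        return sum(bin(int(ipaddress.IPv4Address(w))).count("1") for _, w in (self.src, self.dst))

@dataclass
class Acl:
    number: int
    match_order: str = "config"                      # config: definition order; auto: depth-first
    rules: List[Rule] = field(default_factory=list)

    def lookup(self, p: Packet) -> Optional[str]:
        order = self.rules if self.match_order == "config" else sorted(self.rules, key=Rule.specificity)
        return next((r.action for r in order if r.matches(p)), None)

def packet_filter(acl: Acl, default: str, p: Packet) -> str:
    """'packet-filter <acl> ...' combined with 'firewall packet-filter default <default>'."""
    return acl.lookup(p) or default

class Nat:
    """'nat address-group' pool, 'nat outbound <acl> address-group', and 'nat server' mappings."""
    def __init__(self, pool: List[str], outbound_acl: Acl):
        self.pool, self.acl, self.next = pool, outbound_acl, 0
        self.servers: Dict[Tuple[str, str, int], Tuple[str, int]] = {}

    def server(self, proto: str, gaddr: str, gport: int, iaddr: str, iport: int) -> None:
        self.servers[(proto, gaddr, gport)] = (iaddr, iport)

    def outbound(self, p: Packet) -> Packet:
        """Rewrite the source of ACL-permitted packets; round-robin pool choice is this example's."""
        if self.acl.lookup(p) != "permit":
            return p
        self.next += 1
        return Packet(p.proto, self.pool[(self.next - 1) % len(self.pool)], p.dst, p.sport, p.dport)

    def inbound(self, p: Packet) -> Packet:
        """Map a global address/port to the inside host, as 'nat server' does for incoming traffic."""
        t = self.servers.get((p.proto, p.dst, p.dport))
        return Packet(p.proto, p.src, t[0], p.sport, t[1]) if t else p

def demo() -> Dict[str, object]:
    permit_one = Rule("permit", "tcp", ("192.0.2.10", "0.0.0.0"), ("10.1.1.10", "0.0.0.0"), dport=("eq", 8080, 0))
    deny_net = Rule("deny", "tcp", dst=("10.1.1.0", "0.0.0.255"))
    acl_config = Acl(102, "config", [deny_net, permit_one])   # the broad deny shadows the permit
    acl_auto = Acl(102, "auto", [deny_net, permit_one])       # depth-first: the specific permit wins
    acl10 = Acl(10, rules=[Rule("permit", src=("10.1.1.0", "0.0.0.255"))])   # basic ACL for NAT
    nat = Nat(["203.0.113.1", "203.0.113.2"], acl10)
    nat.server("tcp", "203.0.113.10", 80, "10.1.1.10", 8080)
    # Assumption of this example: nat server runs before the inbound packet filter,
    # so ACL 102 is written against the inside address and port.
    web_in = nat.inbound(Packet("tcp", "192.0.2.10", "203.0.113.10", 40000, 80))
    other_in = nat.inbound(Packet("tcp", "192.0.2.77", "203.0.113.10", 40001, 80))
    outs = [nat.outbound(Packet("tcp", s, "198.51.100.5", 50000, 443))
            for s in ("10.1.1.20", "10.1.1.21", "10.1.2.5")]   # last source is outside ACL 10
    high = Acl(103, rules=[Rule("permit", "tcp", dport=("gt", 1023, 0))])
    return {
        "web_in_dst": (web_in.dst, web_in.dport),
        "config_order": packet_filter(acl_config, "deny", web_in),
        "auto_order": packet_filter(acl_auto, "deny", web_in),
        "other_in": packet_filter(acl_auto, "deny", other_in),
        "outbound_src": tuple(o.src for o in outs),
        "gt_is_strict": tuple(high.lookup(Packet("tcp", "10.1.1.1", "198.51.100.5", 1, d)) for d in (1024, 1023)),
    }

if __name__ == "__main__":
    print(demo())
```

The point the demo makes is the one that bites in practice: the same two rules give "deny" under match-order config and "permit" under match-order auto, so a specific permit placed after a broad deny is dead unless the ACL is in auto mode or the rules are reordered. It also shows why a rule written against the global address of a nat server never matches once translation has already taken place.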
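Step (12) says master/standby synchronization can be checked by comparing the two configurations, and step (7) notes that only the interface IP addresses are supposed to differ between the units. The Python below is an added example, not part of the page and not a Huawei tool: it diffs two running configurations after dropping the lines that are expected to differ and reports only real drift. Both configuration texts are constructed for the example (the sysnames, addresses, ACL rules and the missing detect ftp line on the standby are invented).

```python
# Added example, not part of the page or any Huawei tool: compare master and standby
# running configurations, ignoring the lines that legitimately differ between the units.
import difflib
import re
from typing import List

# Constructed sample output of "display current-configuration" on each unit.
MASTER_CFG = """\
#
 sysname Eudemon-A
#
acl number 102
 rule 0 permit tcp source 192.0.2.10 0 destination 10.1.1.10 0 destination-port eq 8080
 rule 1 deny tcp destination 10.1.1.0 0.0.0.255
#
interface Ethernet0/0/0
 ip address 10.1.1.1 255.255.255.0
 vrrp vrid 1 virtual-ip 10.1.1.254
#
firewall interzone trust untrust
 packet-filter 102 inbound
 detect ftp
#
"""

STANDBY_CFG = """\
#
 sysname Eudemon-B
#
acl number 102
 rule 0 permit tcp source 192.0.2.10 0 destination 10.1.1.10 0 destination-port eq 8080
 rule 1 deny tcp destination 10.1.1.0 0.0.0.255
#
interface Ethernet0/0/0
 ip address 10.1.1.2 255.255.255.0
 vrrp vrid 1 virtual-ip 10.1.1.254
#
firewall interzone trust untrust
 packet-filter 102 inbound
#
"""

# Lines expected to differ: each unit has its own interface address and sysname.
IGNORED = (re.compile(r"^\s*ip address \S+"), re.compile(r"^\s*sysname "))

def normalize(cfg: str) -> List[str]:
    """Drop the per-unit lines and trailing whitespace; everything else must match."""
    return [ln.rstrip() for ln in cfg.splitlines() if not any(p.match(ln) for p in IGNORED)]

def config_drift(master: str, standby: str) -> List[str]:
    """Return the '+'/'-' lines present on only one unit; an empty list means the policy is in sync."""
    diff = difflib.unified_diff(normalize(master), normalize(standby), "master", "standby", n=0, lineterm="")
    return [ln for ln in diff if ln.startswith(("+", "-")) and not ln.startswith(("+++", "---"))]

if __name__ == "__main__":
    drift = config_drift(MASTER_CFG, STANDBY_CFG)
    print("\n".join(drift) if drift else "configurations in sync")
```

Feed it the saved output of display current-configuration from both units; a "-" line is something the master has that the standby lacks (here the ASPF detect ftp), which is exactly what would break FTP after a switchover even though HRP reports the pair as healthy.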
Source: https://www.bdocx.com/doc/25891791.html