电信网通双出口负载分担配置指导 (4)
2008-02-23 05:00:40来源:互联网 阅读 ()
acl number 3002
rule 10 deny tcp destination-port eq 445
rule 11 deny udp destination-port eq 445
rule 20 deny tcp destination-port eq 135
rule 21 deny udp destination-port eq 135
rule 30 deny tcp destination-port eq 137
rule 31 deny udp destination-port eq netbios-ns
rule 40 deny tcp destination-port eq 138
rule 41 deny udp destination-port eq netbios-dgm
rule 50 deny tcp destination-port eq 139
rule 51 deny udp destination-port eq netbios-ssn
rule 61 deny udp destination-port eq tftp
rule 70 deny tcp destination-port eq 593
rule 80 deny tcp destination-port eq 4444
rule 90 deny tcp destination-port eq 707
rule 100 deny tcp destination-port eq 1433
rule 101 deny udp destination-port eq 1433
rule 110 deny tcp destination-port eq 1434
rule 111 deny udp destination-port eq 1434
rule 120 deny tcp destination-port eq 5554
rule 130 deny tcp destination-port eq 9996
rule 141 deny udp source-port eq bootps
rule 160 permit icmp icmp-type echo
rule 161 permit icmp icmp-type echo-reply
rule 162 permit icmp icmp-type ttl-exceeded
rule 165 deny icmp
rule 200 deny tcp destination-port eq www
rule 202 deny tcp destination-port eq ftp
rule 204 deny tcp destination-port eq 3389
rule 2000 permit ip destination 221.12.79.54 0
rule 2001 permit ip destination 192.168.2.0 0.0.0.255
rule 2002 deny ip
定义内网使用的acl 3003:
可以用实际内网地址网段替换192.168.2.0 0.0.0.255后直接复制粘贴:
acl number 3003
rule 10 deny tcp destination-port eq 445
rule 11 deny udp destination-port eq 445
rule 20 deny tcp destination-port eq 135
rule 21 deny udp destination-port eq 135
rule 30 deny tcp destination-port eq 137
rule 31 deny udp destination-port eq netbios-ns
rule 40 deny tcp destination-port eq 138
rule 41 deny udp destination-port eq netbios-dgm
rule 50 deny tcp destination-port eq 139
rule 51 deny udp destination-port eq netbios-ssn
rule 61 deny udp destination-port eq tftp
rule 70 deny tcp destination-port eq 593
rule 80 deny tcp destination-port eq 4444
rule 90 deny tcp destination-port eq 707
rule 100 deny tcp destination-port eq 1433
rule 101 deny udp destination-port eq 1433
rule 110 deny tcp destination-port eq 1434
rule 111 deny udp destination-port eq 1434
rule 120 deny tcp destination-port eq 5554
rule 130 deny tcp destination-port eq 9996
rule 141 deny udp source-port eq bootps
rule 160 permit icmp icmp-type echo
rule 161 permit icmp icmp-type echo-reply
rule 162 permit icmp icmp-type ttl-exceeded
rule 165 deny icmp
rule 2030 permit ip source 192.168.2.0 0.0.0.255
rule 3000 deny ip
在全局和接口下分别启用防火墙:
[Quidway]firewall enable
[Quidway]firewall default deny
[Quidway] interface Ethernet 1/0
[Quidway-Ethernet1/0]firewall packet-filter 3001 inbound
[Quidway-Ethernet1/0]quit
[Quidway]interface Ethernet 2/0
[Quidway-Ethernet2/0]firewall packet-filter 3002 inbound
[Quidway-Ethernet2/0]quit
[Quidway]interface Ethernet 3/0
[Quidway-Ethernet3/0]firewall packet-filter 3003 inbound
[Quidway-Ethernet3/0]
以上配置为Ethernet 1/0连接电信线路,Ethernet 2/0连接网通线路,Ethernet 3/0连接内网,可以根据实际组网进行调整。
标签:
版权申明:本站文章部分自网络,如有侵权,请联系:west999com@outlook.com
特别注意:本站所有转载文章言论不代表本站观点,本站所提供的摄影照片,插画,设计作品,如需使用,请与原作者联系,版权归原作者所有
上一篇:物理隔离网闸
下一篇:中小型机房超温报警解决方案
IDC资讯: 主机资讯 注册资讯 托管资讯 vps资讯 网站建设
网站运营: 建站经验 策划盈利 搜索优化 网站推广 免费资源
网络编程: Asp.Net编程 Asp编程 Php编程 Xml编程 Access Mssql Mysql 其它
服务器技术: Web服务器 Ftp服务器 Mail服务器 Dns服务器 安全防护
软件技巧: 其它软件 Word Excel Powerpoint Ghost Vista QQ空间 QQ FlashGet 迅雷
网页制作: FrontPages Dreamweaver Javascript css photoshop fireworks Flash
