Firewall basics, lesson 1

Basic firewall concepts
Position: the network boundary
Form: software firewall, hardware firewall
Scope: host (single-machine) firewall, network firewall
Inspection method: stateful-inspection firewall: while traffic is forwarded the firewall builds a session table, and later packets of a flow are matched against that table instead of the rule base
Proxy firewall (obsolete)
Packet-filtering firewall (obsolete)
Limitations of firewalls:
Firewall security zone definitions
Default security zones
 Untrusted zone: Untrust
 Demilitarized zone: DMZ
 Trusted zone: Trust
 Local zone: Local
Assigning an interface on the firewall to a zone means that the devices connected behind that interface belong to that zone.
Every interface also implicitly belongs to the Local zone, which stands for the firewall itself (traffic that the firewall originates or terminates); interfaces are never explicitly added to Local.
Firewall zone priorities
 Local zone, priority 100
 Trust zone, priority 85
 DMZ zone, priority 50
 Untrust zone, priority 5
The priorities of the four default zones cannot be changed; all interfaces belong to Local.
On every Huawei firewall, interface 0 (GigabitEthernet0/0/0) ships with a factory pre-configuration as the management port.
All of these firewalls can also be configured through a graphical (web) interface.

Firewall configuration

1. View the four default zones
[SRG]display current-configuration
2. Custom zones
[SRG]firewall zone name lewis
[SRG-zone-lewis]set priority 80   // a custom zone needs its own, unused priority
[SRG]undo firewall zone name lewis
3. Default configuration of G0/0/0 (factory login: user admin, password Admin@123; captured 2019/07/11)
[SRG]display current-configuration
interface GigabitEthernet0/0/0
alias GE0/MGMT
ip address 192.168.0.1 255.255.255.0
dhcp select interface
dhcp server gateway-list 192.168.0.1
4. Assign the interfaces to their zones
If an interface on the firewall has not been assigned to a zone
[SRG]sysname FW1
[FW1]interface GigabitEthernet 0/0/0
[FW1-GigabitEthernet0/0/0]ip address 192.168.1.254 24
Info: The DHCP server configuration on this interface will be deleted.
[FW1-GigabitEthernet0/0/0]quit
[FW1]firewall zone trust
[FW1-zone-trust]display this   // G0/0/0 is already in Trust from the factory configuration
firewall zone trust
set priority 85
add interface GigabitEthernet0/0/0
[FW1-zone-trust]interface GigabitEthernet 0/0/1
[FW1-GigabitEthernet0/0/1]ip address 192.168.2.254 24
[FW1]firewall zone trust
[FW1-zone-trust]add interface GigabitEthernet 0/0/1
[FW1-zone-trust]display this
firewall zone trust
set priority 85
add interface GigabitEthernet0/0/0
add interface GigabitEthernet0/0/1
[FW1]interface GigabitEthernet 0/0/2
[FW1-GigabitEthernet0/0/2]ip address 192.168.3.254 24
[FW1]firewall zone dmz
[FW1-zone-dmz]add interface GigabitEthernet 0/0/2
[FW1-zone-dmz]display this
[FW1-zone-dmz]interface GigabitEthernet 0/0/3
[FW1-GigabitEthernet0/0/3]ip address 202.1.1.254 24
[FW1]firewall zone untrust
[FW1-zone-untrust]add interface GigabitEthernet 0/0/3
[FW1-zone-untrust]display this
firewall zone untrust
set priority 5
add interface GigabitEthernet0/0/3
I. Basic firewall configuration: interzone rules
1. View the default interzone rules
[FW1]display firewall packet-filter default all   // shows the default packet-filter action for every zone pair and direction
Questions:
1. Can the firewall itself reach devices in the other three default zones? (test with ping)
2. Can Client1 ping Client2?
3. Can the three default zones reach each other?
2. Permit traffic from Trust to the DMZ
Trust (priority 85) to DMZ (priority 50) goes from a higher-priority zone to a lower one, so the direction is outbound
[FW1]firewall packet-filter default permit interzone trust dmz direction outbound
Only the first packet of a flow is checked against this rule; the replies are matched by the session table, so no separate DMZ-to-Trust permit is needed for the return traffic.

3. View the session table
[FW1]display firewall session table
II. Basic firewall configuration: basic management
Default firewall login account:
Username: admin   Password: Admin@123
Test 1: R1 can Telnet to the firewall (Untrust to Local goes from priority 5 to 100, so the direction is inbound)
[FW1]firewall packet-filter default permit interzone local untrust direction inbound
On R1: telnet 202.1.1.254
Test 2: create AAA accounts
Three ways to set a user's privilege level
1. For a single user
[FW1]aaa
[FW1-aaa]local-user lewis password cipher 123   // create a user and password (lab value only; use a strong password on real devices)
[FW1-aaa]local-user lewis service-type telnet   // allow this user to log in over Telnet
[FW1-aaa]local-user lewis level 3   // privilege level of this user
[FW1]user-interface vty 0 4
[FW1-ui-vty0-4]authentication-mode aaa   // VTY logins are authenticated through AAA
2. For some users (they log in as ordinary users and raise their level with super)
[FW1-aaa]local-user lewis1 password cipher 123   // create the user who will elevate with super
[FW1-aaa]local-user lewis1 service-type telnet
[FW1-aaa]super password level 3 cipher [email protected]   // password that super asks for to reach level 3
3. For everyone on a line (anyone who telnets in through VTY 0-4 gets the level)
[FW1]user-interface vty 0 4
[FW1-ui-vty0-4]user privilege level 3
This hands level 3 to every session on those lines regardless of who logged in, so it only makes sense behind AAA authentication, never with password-only or no authentication.
III. Traffic filtering on the firewall
Intrazone filtering:
Test: PC1 must not reach PC2 (done with a policy). Both 192.168.1.0/24 and 192.168.2.0/24 sit behind Trust interfaces, so this is intrazone traffic, which is permitted by default.
[FW1]policy zone trust   // intrazone policy view for the Trust zone
[FW1-policy-zone-trust]policy 10   // policy ID
[FW1-policy-zone-trust-10]policy source 192.168.1.0 0.0.0.255   // source network and wildcard mask
[FW1-policy-zone-trust-10]policy destination 192.168.2.0 0.0.0.255   // destination network and wildcard mask
[FW1-policy-zone-trust-10]action deny   // deny the matching traffic
or [FW1-policy-zone-trust-10]action permit
Interzone filtering:
Test 1: allow only ping, FTP and web (ping/ftp/www) traffic from the outside to the internal server
Wrong first attempt
1. Permit Untrust to DMZ (revisited later)
Untrust (priority 5) to DMZ (priority 50) is inbound
[FW1]firewall packet-filter default permit interzone untrust dmz direction inbound

This opens everything from Untrust to the DMZ, so turn it back off and use a policy with a service set instead:
[FW1]firewall packet-filter default deny interzone untrust dmz direction inbound   // default deny for Untrust to DMZ
[FW1]ip service-set set1 type object   // IP service set
[FW1-object-service-set-set1]service 0 protocol icmp   // ping
[FW1-object-service-set-set1]service 1 protocol tcp destination-port 21   // FTP control channel
[FW1-object-service-set-set1]service 2 protocol tcp destination-port 80   // HTTP
[FW1]policy interzone untrust dmz inbound   // the prompt normalises the pair to dmz-untrust (higher priority first)
[FW1-policy-interzone-dmz-untrust-inbound]policy 10
[FW1-policy-interzone-dmz-untrust-inbound-10]action permit
[FW1-policy-interzone-dmz-untrust-inbound-10]policy service service-set set1   // reference the service set
[FW1-policy-interzone-dmz-untrust-inbound-10]policy destination 192.168.3.10 0.0.0.0   // the DMZ server only
Port 21 covers only the FTP control channel; for the data channel the firewall must inspect FTP (the detect ftp option under firewall interzone untrust dmz), otherwise directory listings and transfers hang.
2. Add a route to 192.168.3.0 on R1 (revisited later; captured 2019/07/16)
[FW1]acl 2000
[FW1-acl-basic-2000]rule 10 permit source 192.168.1.0 0.0.0.255   // defined here but not referenced: the NAT policy below matches on policy source instead
[FW1]nat-policy interzone untrust trust outbound   // the prompt normalises the pair to trust-untrust
[FW1-nat-policy-interzone-trust-untrust-outbound]policy 10
[FW1-nat-policy-interzone-trust-untrust-outbound-10]action source-nat
[FW1-nat-policy-interzone-trust-untrust-outbound-10]policy source 192.168.1.0 0.0.0.255
[FW1-nat-policy-interzone-trust-untrust-outbound-10]easy-ip GigabitEthernet 0/0/3   // translate to the address of the egress interface
[FW1]firewall packet-filter default permit interzone untrust trust direction outbound

[FW1]display firewall session table nat   // view the NAT session table

[FW1]nat server global 202.1.1.123 inside 192.168.3.10   // publish the DMZ server on a public address
Once the server is published as 202.1.1.123 on R1's own subnet, R1 no longer needs a route to 192.168.3.0/24; the inbound policy still matches on the inside address 192.168.3.10, because destination NAT happens before the policy check.
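The session-table and NAT steps above are easier to reason about with a small model. The following is an added illustration written for these notes, not Huawei code: it keeps a session table keyed by 5-tuple, applies the nat server mapping before the policy check and easy-IP after it, and lets reply packets through on the session entry alone. Addresses follow the lab topology (Trust 192.168.1.0/24, DMZ server 192.168.3.10, G0/0/3 = 202.1.1.254, published address 202.1.1.123); the ports and the sample packets are constructed.

```python
"""Toy stateful-inspection session table with easy-IP source NAT and a
'nat server' static mapping (added model for these notes, not vendor code)."""
import itertools


def lab_policy(src_zone, dst_zone, proto, dst, dport):
    """First-packet policy as configured in the notes; dst is post-nat-server."""
    if (src_zone, dst_zone) == ("trust", "untrust"):          # packet-filter default permit outbound
        return True
    if (src_zone, dst_zone) == ("untrust", "dmz") and dst == "192.168.3.10":
        if proto == "icmp":                                     # policy 5: deny icmp
            return False
        return (proto, dport) in {("tcp", 21), ("tcp", 80)}     # policy 10: permit set1
    return False                                                # everything else: default deny


class StatefulNatFirewall:
    def __init__(self, easy_ip_addr, nat_servers, policy):
        self.easy_ip_addr = easy_ip_addr   # address of the egress interface (G0/0/3)
        self.nat_servers = nat_servers     # global address -> inside address
        self.policy = policy
        self.sessions = {}                 # 5-tuple as received -> 5-tuple as forwarded
        self._ports = itertools.count(10240)   # constructed NAT port pool

    def forward(self, pkt):
        """pkt: dict with proto, src, sport, dst, dport, src_zone, dst_zone.
        Returns ('forward', 5-tuple as sent out) or ('drop', None)."""
        key = (pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        if key in self.sessions:
            # Later packets of a flow, in either direction, skip the policy lookup:
            # this table is what 'display firewall session table' prints.
            return "forward", self.sessions[key]

        # 1. nat server: rewrite the published address before the policy check,
        #    which is why policy 10 in the notes matches on 192.168.3.10.
        dst = self.nat_servers.get(pkt["dst"], pkt["dst"])
        if not self.policy(pkt["src_zone"], pkt["dst_zone"], pkt["proto"], dst, pkt["dport"]):
            return "drop", None

        # 2. easy-ip: rewrite the private source to the egress interface address.
        src, sport = pkt["src"], pkt["sport"]
        if (pkt["src_zone"], pkt["dst_zone"]) == ("trust", "untrust"):
            src, sport = self.easy_ip_addr, next(self._ports)

        out = (pkt["proto"], src, sport, dst, pkt["dport"])
        # 3. Install the forward entry and the reverse entry that undoes the NAT.
        reply_in = (pkt["proto"], dst, pkt["dport"], src, sport)
        reply_out = (pkt["proto"], pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        self.sessions[key] = out
        self.sessions[reply_in] = reply_out
        return "forward", out


def build_lab_firewall():
    """Firewall configured like FW1 in the notes (assumed egress address 202.1.1.254)."""
    return StatefulNatFirewall("202.1.1.254", {"202.1.1.123": "192.168.3.10"}, lab_policy)


if __name__ == "__main__":
    fw = build_lab_firewall()
    print(fw.forward({"proto": "udp", "src": "192.168.1.10", "sport": 40000,
                      "dst": "8.8.8.8", "dport": 53, "src_zone": "trust", "dst_zone": "untrust"}))
    print(fw.sessions)
```

An unsolicited packet from the outside to 202.1.1.254 on a port that no session owns is dropped, while the reply to a translated flow is forwarded and reverse-translated without any Untrust-to-Trust permit, which is the whole point of the session table.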
Test 2: once that works, deny ICMP again.
[FW1]ip service-set set1 type object
[FW1]firewall interzone untrust dmz
[FW1-interzone-dmz-untrust]detect ?   // ASPF (application-layer state inspection) options for this zone pair
activex-blocking Indicate ActiveX blocking
dns Indicate the DNS protocol
ftp Indicate the File Transfer Protocol
h323 Indicate the H.323 protocol
icq Indicate ICQ protocol
ils Indicate the ILS protocol
ipv6 Configure internet protocol version 6
java-blocking Indicate Java blocking
mgcp Indicate the Media Gateway Control Protocol
mms Indicate the MMS protocol
msn Indicate MSN
nat64 Configure the information about network address and protocol translation from IPv6 clients to IPv4 servers (NAT64)
netbios Indicate the NetBIOS protocol
pptp Indicate the Point-to-Point Tunnel Protocol
qq Indicate QQ
rtsp Indicate the Real Time Streaming Protocol
sip Indicate the Session Initiation Protocol
sqlnet Indicate the SQL*NET protocol
user-defined Indicate defined by user
[FW1-interzone-dmz-untrust]detect qq   // ASPF example; the FTP rule in set1 would need detect ftp here
[FW1-interzone-dmz-untrust]display this
#
interzone dmz untrust
 detect qq
#
[FW1]policy interzone untrust dmz inbound
[FW1-policy-interzone-dmz-untrust-inbound]policy 5
[FW1-policy-interzone-dmz-untrust-inbound-5]action deny
[FW1-policy-interzone-dmz-untrust-inbound-5]policy destination 192.168.3.10 0.0.0.0
[FW1-policy-interzone-dmz-untrust-inbound-5]display this
#
policy 5
 action deny
 policy destination 192.168.3.10 0.0.0.0

[FW1-policy-interzone-dmz-untrust-inbound-5]policy service service-set icmp   // predefined icmp service set
[FW1-policy-interzone-dmz-untrust-inbound-5]quit
[FW1-policy-interzone-dmz-untrust-inbound]policy move 5 before 10   // policies are matched in configured order, not by ID; created after 10, the deny would never fire until it is moved ahead
[FW1-policy-interzone-dmz-untrust-inbound]display this

policy interzone dmz untrust inbound
policy 5
action deny
policy service service-set icmp
policy destination 192.168.3.10 0.0.0.0

policy 10
action permit
policy service service-set set1
policy destination 192.168.3.10 0.0.0.0
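The zone priorities, the inbound/outbound direction rule, wildcard masks and the ordering of interzone policies are tied together in the following added illustration, written for these notes rather than taken from Huawei. It models the final Untrust-to-DMZ policy list above, including what happens when policy 5 is left behind policy 10 instead of being moved. The zone priorities are the defaults quoted earlier; the service sets, addresses and sample packets are constructed from the lab topology (DMZ server 192.168.3.10, outside client on 202.1.1.0/24).

```python
"""Model of zone pairs, directions and first-match interzone policies
(added illustration for these notes, not vendor code)."""
import ipaddress

ZONE_PRIORITY = {"local": 100, "trust": 85, "dmz": 50, "untrust": 5}


def zone_pair(src_zone, dst_zone):
    """Return (canonical pair name, direction) for traffic src_zone -> dst_zone.
    The higher-priority zone is written first, high->low traffic is 'outbound'
    and low->high is 'inbound' (so 'interzone untrust dmz' shows as dmz-untrust)."""
    ps, pd = ZONE_PRIORITY[src_zone], ZONE_PRIORITY[dst_zone]
    if ps == pd:
        raise ValueError("same zone: intrazone traffic uses 'policy zone'")
    if ps > pd:
        return f"{src_zone}-{dst_zone}", "outbound"
    return f"{dst_zone}-{src_zone}", "inbound"


def wildcard_match(addr, network, wildcard):
    """'policy source 192.168.1.0 0.0.0.255': a set wildcard bit means don't care."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (n & ~w)


# 'ip service-set' contents as (protocol, destination port or None).
SERVICE_SETS = {
    "set1": [("icmp", None), ("tcp", 21), ("tcp", 80)],   # built in the notes
    "icmp": [("icmp", None)],                              # predefined set used by policy 5
}


class Policy:
    def __init__(self, pid, action, service_set=None, source=None, destination=None):
        self.pid, self.action, self.service_set = pid, action, service_set
        self.source, self.destination = source, destination   # (network, wildcard) or None

    def matches(self, pkt):
        if self.source and not wildcard_match(pkt["src"], *self.source):
            return False
        if self.destination and not wildcard_match(pkt["dst"], *self.destination):
            return False
        if self.service_set:
            return any(proto == pkt["proto"] and port in (None, pkt.get("dport"))
                       for proto, port in SERVICE_SETS[self.service_set])
        return True


class InterzonePolicies:
    """Ordered policy list for one zone pair and direction: the first match wins,
    and 'firewall packet-filter default' decides everything that matches nothing."""

    def __init__(self, default_action):
        self.default_action = default_action
        self.policies = []

    def add(self, policy):                     # a new policy goes to the END of the list
        self.policies.append(policy)

    def move_before(self, pid, before_pid):    # 'policy move 5 before 10'
        moving = next(p for p in self.policies if p.pid == pid)
        self.policies.remove(moving)
        idx = next(i for i, p in enumerate(self.policies) if p.pid == before_pid)
        self.policies.insert(idx, moving)

    def lookup(self, pkt):
        for p in self.policies:
            if p.matches(pkt):
                return p.action, p.pid
        return self.default_action, None


def untrust_to_dmz(move_deny_first=True):
    """Rebuild the notes' final 'policy interzone untrust dmz inbound' list."""
    pl = InterzonePolicies(default_action="deny")   # packet-filter default deny
    pl.add(Policy(10, "permit", "set1", destination=("192.168.3.10", "0.0.0.0")))
    pl.add(Policy(5, "deny", "icmp", destination=("192.168.3.10", "0.0.0.0")))
    if move_deny_first:   # without the move, policy 5 sits behind 10 and never fires
        pl.move_before(5, 10)
    return pl


def decide(pkt, move_deny_first=True):
    """(action, matching policy id or None) for one first packet from Untrust to the DMZ."""
    return untrust_to_dmz(move_deny_first).lookup(pkt)


if __name__ == "__main__":
    ping = {"src": "202.1.1.1", "dst": "192.168.3.10", "proto": "icmp"}
    print(zone_pair("untrust", "dmz"), decide(ping), decide(ping, move_deny_first=False))
```

Run it with the ping packet both ways: with the move the deny in policy 5 is hit, without it the same packet is permitted by policy 10 because set1 still contains ICMP, and a port the service sets never mention (for example TCP/22) falls through to the default deny.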
