网络安全 频道
IT168首页 > 网络安全 > 网络安全技术 > 正文

简单防火墙

作者:IT168 编辑: 杨京京 2008-10-18 08:58 来源:IT168
分享

 interface Ethernet 0/0 ! Mosbach lokal

  ip address 129.143.204.13 255.255.255.252

  description Ethernet zum RZ-Router

  no ip directed-broadcast ! wg. Hacker (denial of service)

  ip inspect FIWA in ! Ueberpruefung des IP-Verkehrs

  ip access-group 101 in ! Anti-Spoofing

  ip access-group 102 out ! zusaetzliches Welt-LAN-Filter wegen Servern

  no shutdown

  !

  no access-list 101

  access-list 101 permit tcp 129.143.204.12 0.0.0.3 any ! RZ-Router Anti-Spoofing

  access-list 101 permit udp 129.143.204.12 0.0.0.3 any ! RZ-Router Anti-Spoofing

  access-list 101 permit icmp 129.143.204.12 0.0.0.3 any ! RZ-Router Anti-Spoofing

  access-list 101 permit tcp 193.196.5.0 0.0.0.255 any ! Netz der BA-Mo Anti-Spoofing

  access-list 101 permit udp 193.196.5.0 0.0.0.255 any ! Netz der BA-Mo Anti-Spoofing

  access-list 101 permit icmp 193.196.5.0 0.0.0.255 any ! Netz der BA-Mo Anti-Spoofing

  access-list 101 deny ip any any

  !

  ! Zulassen von gewissen Diensten auf die Server

  no access-list 102

  !

  access-list 102 permit tcp any any eq 22 ! SSH

  access-list 102 permit tcp any any eq 113 ! Ident

  access-list 102 permit tcp any any eq 487 ! SAFT

  !

  permit tcp any gt 1023 host 193.196.5.107 eq 21 ! FTP-Commands (fuer PASV FTP)

  permit tcp any gt 1023 host 193.196.5.105 eq 21 ! FTP-Commands (fuer PASV FTP)

  !

  access-list 102 permit tcp any host 193.196.5.107 eq 25 ! SMTP zulassen

  access-list 102 permit tcp any host 193.196.5.105 eq 25 ! SMTP zulassen

  !

  access-list 102 permit tcp host 129.143.2.1 host 193.196.5.107 eq 53 ! DNS Zone-Transfer

  access-list 102 permit tcp host 129.206.100.126 host 193.196.5.107 eq 53 ! DNS Zone-Transfer

  access-list 102 permit tcp host 129.206.100.127 host 193.196.5.107 eq 53 ! DNS Zone-Transfer

  access-list 102 permit tcp host 129.143.2.1 host 193.196.5.105 eq 53 ! DNS Zone-Transfer

  access-list 102 permit tcp host 129.206.100.126 host 193.196.5.105 eq 53 ! DNS Zone-Transfer

  access-list 102 permit tcp host 129.206.100.127 host 193.196.5.105 eq 53 ! DNS Zone-Transfer

  access-list 102 permit permit tcp any host 193.196.5.107 eq 80 ! WWW

  access-list 102 permit permit tcp any host 193.196.5.105 eq 80 ! WWW

  !

  access-list 102 permit tcp any host 193.196.5.107 eq 119 ! nntp

  access-list 102 permit tcp any host 193.196.5.105 eq 119 ! nntp

  !

  access-list 102 permit udp any host 193.196.5.107 eq 123 ! ntp

  access-list 102 permit udp any host 193.196.5.105 eq 123 ! ntp

  !

  access-list 102 permit tcp any host 193.196.5.107 eq 389 ! ldap

  access-list 102 permit tcp any host 193.196.5.105 eq 389 ! ldap

  !

  access-list 102 permit tcp any host 193.196.5.107 eq 443 ! https

  access-list 102 permit tcp any host 193.196.5.105 eq 443 ! https

  !

  access-list 102 permit tcp any host 193.196.5.107 eq 993 ! Secure-IMAP

  access-list 102 permit tcp any host 193.196.5.105 eq 993 ! Secure-IMAP

  !

  access-list 102 permit tcp any host 193.196.5.107 eq 995 ! Secure-POP3

  access-list 102 permit tcp any host 193.196.5.105 eq 995 ! Secure-POP3

  !

  ! bei geringeren Sicherheitsanforderungen:

  !

  access-list 102 permit tcp any host 193.196.5.107 eq 110 ! POP3 zulassen

  access-list 102 permit tcp any host 193.196.5.105 eq 110 ! POP3 zulassen

  access-list 102 permit udp any host 193.196.5.105 eq 53 ! DNS-Anfragen

  access-list 102 permit udp any host 193.196.5.107 eq 53 ! DNS-Anfragen

  !

  !

  access-list 102 permit icmp any host 193.196.5.107 administratively-prohibited

  access-list 102 permit icmp any host 193.196.5.107 echo

  access-list 102 permit icmp any host 193.196.5.107 echo-reply

  access-list 102 permit icmp any host 193.196.5.107 packet-too-big

  access-list 102 permit icmp any host 193.196.5.107 time-exceeded

  access-list 102 permit icmp any host 193.196.5.107 traceroute

  access-list 102 permit icmp any host 193.196.5.107 unreachable

  access-list 102 deny ip any any

  !

  ip inspect name FIWA http java-list 50 ! JavaScript ablehnen nach ACL 50

  ip inspect name FIWA realaudio timeout 3600

  ip inspect name FIWA smtp timeout 3600

  ip inspect name FIWA tftp timeout 30

  ip inspect name FIWA ftp timeout 3600

  ip inspect name FIWA udp timeout 15

  ip inspect name FIWA tcp timeout 3600

  !

  no access-list 50

  access-list 50 permit any log

  评:虽然是很好.但是访问列表过多,一旦被DOS一攻可能路由器马上瘫痪…重启…所以我认为要在前面加多一台Router来做个TCP Intercept 来拦截DOS攻击.如下:

  假如管理到个服务器群网络上192.168.111.0 & 192.168.112.0 内的目标主机的TCP连接请求.使用拦截模式,随机丢弃连接:

  access-list 123 permit tcp any 192.168.111.0 0.0.0.255

  access-liat 123 permit tcp any 192.168.112..0 0.0.0.255

  ip tcp intercept list 123

  ip tcp intercept mode intercept

  ip tcp intercept drop-mode random

  做好以后.两个Router在做个HSRP ……..

  这样还可以嘛…呵呵….

  

0
相关文章
    盛拓传媒简介 关于IT168 广告服务 使用条款 投稿指南 联系我们
    北京盛拓优讯信息技术有限公司. 版权所有 中华人民共和国增值电信业务经营许可证 编号:京B2-20170206 北京市公安局海淀分局网监中心备案编号:11010802020118
    广播电视节目制作经营许可证:(京) 字第25315号 信息系统安全等级保护备案:11010813655-00001 京公网安备11010802020118号
    违法和不良信息举报电话 :010-58859066,18101376593,shengtuo20@it168.com