
Huasai (Huawei Symantec) firewall Internet access configuration

17:32:44  2012/02/25
#
ip address-set ygm type group
 address 0 range ip ip
 address 1 ip mask 32
#
acl number 2000
 rule 0 permit
#
acl number 3000
 rule 0 permit ip
acl number 3001
 rule 0 deny ip source address-set ygm
acl number 3002
 rule 0 deny ip destination address-set ygm
#
 sysname name
#
 web-manager security enable
#
 l2tp enable
#
 firewall packet-filter default permit interzone local trust direction inbound
 firewall packet-filter default permit interzone local trust direction outbound
 firewall packet-filter default permit interzone trust untrust direction inbound
 firewall packet-filter default permit interzone trust untrust direction outbound
#
 nat address-group 1 ip ip
 nat server 0 protocol tcp global ip port inside ip port vrrp 1 no-reverse
 nat server 1 protocol tcp global ip port inside ip port vrrp 2
#
 dhcp server forbidden-ip ip ip
 dhcp server forbidden-ip ip ip
#
 time-range work 07:30 to 19:00 daily
#
 firewall defend ip-spoofing enable
 firewall defend arp-spoofing enable
 firewall defend land enable
 firewall defend smurf enable
 firewall defend fraggle enable
 firewall defend winnuke enable
 firewall defend icmp-redirect enable
 firewall defend icmp-unreachable enable
 firewall defend source-route enable
 firewall defend route-record enable
 firewall defend tracert enable
 firewall defend time-stamp enable
 firewall defend ping-of-death enable
 firewall defend teardrop enable
 firewall defend tcp-flag enable
 firewall defend ip-fragment enable
 firewall defend large-icmp enable
 firewall defend ip-sweep enable
 firewall defend port-scan enable
 firewall defend syn-flood enable
 firewall defend udp-flood enable
 firewall defend icmp-flood enable
 firewall defend get-flood enable
 firewall defend dns-flood enable
 firewall defend tcp-illeage-session enable
 firewall defend sip-flood enable
 firewall defend arp-flood enable
#
 firewall statistic system enable
#
dhcp server ip-pool ippool1
 network ip mask mask
 gateway-list ip
 dns-list ip
#
interface GigabitEthernet0/0/0
 ip address ip 255.255.255.0
#
interface GigabitEthernet0/0/1
 ip address ip 255.255.255.0
#
interface GigabitEthernet0/0/2
#
interface GigabitEthernet0/0/3
#
interface NULL0
#
firewall zone local
 set priority 100
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/1
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet0/0/0
#
firewall zone dmz
 set priority 50
#
firewall zone vzone
 set priority 0
#
firewall interzone trust untrust
 detect qq
 detect msn
 detect icq
 detect ftp
 detect h323
 detect sip
 detect mgcp
 detect mms
 detect sqlnet
 detect pptp
 detect hwcc
 detect http
 detect netbios
 detect rtsp
 p2p-car 3002 class 0 inbound
 p2p-car 3001 class 0 outbound
 p2p-detect enable
#
policy interzone trust untrust inbound
 policy 0
 action permit
 policy service service-set l2tp
 policy service service-set pptp
#
policy interzone trust untrust outbound
 policy 0
 action permit
 policy service service-set pptp
 policy service service-set l2tp
#
nat-policy interzone trust untrust outbound
 policy 1
 action source-nat
 address-group 1
#
aaa
 local-user admin password cipher *
 local-user admin service-type web terminal telnet ssh
 local-user admin level 3
 authentication-scheme default
#
 authorization-scheme default
#
 accounting-scheme default
#
 domain default
#
#
right-manager server-group
#
 slb
#
p2p-class 0
 cir 10 index 1 time-range work
#
#
 ip route-static 0.0.0.0 0.0.0.0 ip
 ip route-static ip 255.255.255.0 ip
#
 ssh user admin authentication-type password
#
user-interface con 0
user-interface vty 0 4
 authentication-mode aaa
 set authentication password cipher *
#
return
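The dump above is a VRP-style configuration: sections separated by `#`, an unindented line opening a context (interface, zone, aaa) and single-space-indented sub-commands beneath it. The following script is an added example, not part of the original post or of any Huawei tool. It parses that layout, reads the zone priorities, and flags the two settings a reviewer of this dump would question: the four `firewall packet-filter default permit interzone ... ` lines (with default permit, anything between trust and untrust that no explicit policy matches is allowed, including the untrust-to-trust direction) and the admin account that accepts telnet. The embedded config is a constructed excerpt of the page's dump with its placeholders kept.

```python
"""Audit a Huawei VRP-style firewall configuration (added example).

Parses '#'-separated sections, records zone priorities, and reports
default-permit interzone packet filters and telnet-enabled local users.
"""
import re
from typing import Dict, List, Tuple

# Constructed excerpt of the configuration shown on the page (placeholders kept).
SAMPLE_CONFIG = """\
#
 firewall packet-filter default permit interzone local trust direction inbound
 firewall packet-filter default permit interzone local trust direction outbound
 firewall packet-filter default permit interzone trust untrust direction inbound
 firewall packet-filter default permit interzone trust untrust direction outbound
#
firewall zone local
 set priority 100
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/1
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet0/0/0
#
aaa
 local-user admin password cipher *
 local-user admin service-type web terminal telnet ssh
 local-user admin level 3
#
return
"""

Section = Tuple[str, List[str]]  # (context line, indented sub-commands)

ZONE = re.compile(r"firewall zone (\S+)")
PRIO = re.compile(r"set priority (\d+)")
DEFAULT_FILTER = re.compile(
    r"firewall packet-filter default (permit|deny) interzone (\S+) (\S+) "
    r"direction (inbound|outbound)")
SERVICE_TYPE = re.compile(r"local-user (\S+) service-type (.+)")


def parse_sections(text: str) -> List[Section]:
    """Split a VRP config into (context, sub-commands) pairs.

    A '#' line or an unindented command starts a new section; indented lines
    belong to the most recent context.  Global one-liners that sit directly
    under a '#' get an empty context string.  'return' ends the config.
    """
    sections: List[Section] = []
    context, body = "", []
    for raw in text.splitlines():
        stripped = raw.strip()
        if stripped in ("", "return"):
            continue
        if stripped == "#" or not raw.startswith(" "):
            if context or body:
                sections.append((context, body))
            context, body = ("" if stripped == "#" else stripped), []
        else:
            body.append(stripped)
    if context or body:
        sections.append((context, body))
    return sections


def zone_priorities(sections: List[Section]) -> Dict[str, int]:
    """Map zone name -> priority; inbound traffic flows from lower to higher."""
    prio: Dict[str, int] = {}
    for context, body in sections:
        m = ZONE.match(context)
        if m:
            for line in body:
                p = PRIO.match(line)
                if p:
                    prio[m.group(1)] = int(p.group(1))
    return prio


def audit(text: str) -> List[str]:
    """Return human-readable findings for the security-relevant settings."""
    sections = parse_sections(text)
    prio = zone_priorities(sections)
    findings: List[str] = []
    for context, body in sections:
        for line in [context] + body:
            f = DEFAULT_FILTER.match(line)
            if f and f.group(1) == "permit":
                _, z1, z2, direction = f.groups()
                # Resolve the zone pair and direction into a concrete source -> destination.
                lo, hi = sorted((z1, z2), key=lambda z: prio.get(z, -1))
                src, dst = (lo, hi) if direction == "inbound" else (hi, lo)
                findings.append(
                    f"default permit {src}->{dst}: traffic not matched by an explicit "
                    f"policy between {z1} and {z2} is allowed")
            s = SERVICE_TYPE.match(line)
            if s and "telnet" in s.group(2).split():
                findings.append(
                    f"local-user {s.group(1)} accepts telnet (cleartext management)")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run against the excerpt it reports four default-permit findings (trust->local, local->trust, untrust->trust, trust->untrust) and the telnet finding; the same parser can be pointed at a full `display current-configuration` dump saved to a file.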
