设置网关:
set system gateway-address 172.16.0.1
设置预共享的密钥:
set vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret
set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret xxx
不论是否输入相应的预共享密钥、输入的内容是否正确，都可以连接 VPN；不清楚此设置生效后应如何使用。若确实如此，说明 IPsec 层的预共享密钥认证并未生效，应先核对该配置是否已提交并被客户端实际使用。
set system login user (NAME for USER):
set system login user test authentication plaintext-password pass
set system login user test level admin
set interfaces ethernet eth0 address '192.168.15.1/24'
set interfaces ethernet eth0 description 'Inside'
为 FWTEST-1 及其规则 1 创建配置节点。此规则拒绝符合指定条件的流量。
# set firewall name FWTEST‐1 rule 1 action reject
此规则适用于源地址为 172.16.0.26 的流量。
# set firewall name FWTEST‐1 rule 1 source address 172.16.0.26
将 FWTEST-1 应用于 eth0 上的入站数据包。
# set interfaces ethernet eth0 firewall in name FWTEST‐1
# show firewall name FWTEST‐1
rule 1 {
action reject
source {
address 172.16.0.26
}
}
# show interfaces ethernet eth0
address 172.16.1.1/24
firewall {
in {
name FWTEST‐1
}
}
2、过滤源和目标IP
为 FWTEST-2 及其规则 1 创建配置节点。此规则接受符合指定条件的流量。
# set firewall name FWTEST‐2 rule 1 action accept
此规则适用于源地址为 10.10.30.46 的流量。
# set firewall name FWTEST‐2 rule 1 source address 10.10.30.46
此规则适用于目的地址为 10.10.40.101 的流量。
# set firewall name FWTEST‐2 rule 1 destination address 10.10.40.101
将 FWTEST-2 应用于 eth1 vif 40 上的出站数据包。
# set interfaces ethernet eth1 vif 40 firewall out name FWTEST‐2
# show firewall name FWTEST‐2
rule 1 {
action accept
destination {
address 10.10.40.101
}
source {
address 10.10.30.46
}
}
# show interfaces ethernet eth1
vif 40 {
firewall {
out {
name FWTEST‐2
}
}
}
3、过滤源IP和目标协议
为 FWTEST-3 及其规则 1 创建配置节点。此规则接受符合指定条件的流量。
# set firewall name FWTEST‐3 rule 1 action accept
此规则适用于源地址为 10.10.30.46 的流量。
# set firewall name FWTEST‐3 rule 1 source address 10.10.30.46
此规则适用于TCP流量。
# set firewall name FWTEST‐3 rule 1 protocol tcp
此规则适用于目的端口为 Telnet 服务的流量。
# set firewall name FWTEST‐3 rule 1 destination port telnet
将 FWTEST-3 应用于经 eth1 到达本路由器自身的报文（local 方向）。
# set interfaces ethernet eth1 firewall local name FWTEST‐3
# show firewall name FWTEST‐3
rule 1 {
action accept
destination {
port telnet
}
protocol tcp
source {
address 10.10.30.46
}
}
# show interfaces ethernet eth1
firewall {
local {
name FWTEST‐3
}
}
vif 40 {
firewall {
out {
name FWTEST‐2
}
}
}
4、定义网络到网络过滤器
为 FWTEST-4 及其规则 1 创建配置节点。此规则接受符合指定条件的流量。
# set firewall name FWTEST‐4 rule 1 action accept
此规则适用于来自网络 10.10.40.0/24 的流量。
# set firewall name FWTEST‐4 rule 1 source address 10.10.40.0/24
此规则适用于目的地为网络 172.16.0.0/24 的流量。
# set firewall name FWTEST‐4 rule 1 destination address 172.16.0.0/24
将 FWTEST-4 应用于 eth1 上 vif 40 的入站报文（in 方向）。
# set interfaces ethernet eth1 vif 40 firewall in name FWTEST‐4
# show firewall name FWTEST‐4
rule 1 {
action accept
destination {
address 172.16.0.0/24
}
source {
address 10.10.40.0/24
}
}
# show interfaces ethernet eth1
firewall {
local {
name FWTEST‐3
}
}
vif 40 {
firewall {
in {
name FWTEST‐4
}
out {
name FWTEST‐2
}
}
}
5、在源MAC地址过滤
为 FWTEST-5 及其规则 1 创建配置节点。此规则接受符合指定条件的流量。
# set firewall name FWTEST‐5 rule 1 action accept
此规则适用于源 MAC 地址为 00:13:ce:29:be:e7 的流量。
# set firewall name FWTEST‐5 rule 1 source mac‐address 00:13:ce:29:be:e7
将 FWTEST-5 应用于 eth0 上的入站数据包。
# set interfaces ethernet eth0 firewall in name FWTEST‐5
# show firewall name FWTEST‐5
rule 1 {
action accept
source {
mac‐address 00:13:ce:29:be:e7
}
}
# show interfaces ethernet eth0
address 172.16.1.1/24
firewall {
in {
name FWTEST‐5
}
}
11、排除地址
为 NEGATED-EXAMPLE 及其规则 10 创建配置节点，并给出规则的描述。
# set firewall name NEGATED‐EXAMPLE rule 10 description "Allow all traffic from LAN except to server 192.168.1.100"
符合规则的所有流量将被接受。
# set firewall name NEGATED‐EXAMPLE rule 10 action accept
来自网络 172.16.1.0/24 的任何流量都匹配此规则。
# set firewall name NEGATED‐EXAMPLE rule 10 source address 172.16.1.0/24
到除 192.168.1.100 以外任何目的地的流量都匹配此规则。发往 192.168.1.100 的流量不匹配此规则，因而落入隐含的“拒绝所有”规则。
# set firewall name NEGATED‐EXAMPLE rule 10 destination address !192.168.1.100
将 NEGATED-EXAMPLE 应用于 eth0 上的入站数据包。
# set interfaces ethernet eth0 firewall in name NEGATED‐EXAMPLE
# show firewall name NEGATED‐EXAMPLE
{
rule 10 {
action accept
description "Allow all traffic from LAN except to server 192.168.1.100"
destination {
address !192.168.1.100
}
source {
address 172.16.1.0/24
}
}
}
# show interfaces ethernet eth0
address 172.16.1.1/24
firewall {
in {
name NEGATED‐EXAMPLE
}
}
hw‐id 00:0c:29:99:d7:74
12、在指定时间段内激活
设置开始时间为上午9:00。
# set firewall name NEGATED‐EXAMPLE rule 10 time starttime 09:00:00
设置停止时间为下午5:00。
# set firewall name NEGATED‐EXAMPLE rule 10 time stoptime 17:00:00
设置规则生效的星期几。
# set firewall name NEGATED‐EXAMPLE rule 10 time weekdays Mon,Tue,Wed,Thu,Fri
# show firewall
name NEGATED‐EXAMPLE {
rule 10 {
action accept
description "Allow all traffic from LAN except to server 192.168.1.100"
destination {
address !192.168.1.100
}
source {
address 172.16.1.0/24
}
time {
starttime 09:00:00
stoptime 17:00:00
weekdays Mon,Tue,Wed,Thu,Fri
}
}
}
vyatta@R1# show interfaces ethernet eth0
address 172.16.1.1/24
firewall {
in {
name NEGATED‐EXAMPLE
}
}
hw‐id 00:0c:29:99:d7:74
13、限制特定传入数据包的速率
设置要匹配的协议ICMP。
# set firewall name RATE‐LIMIT rule 20 protocol icmp
设置 ICMP 类型为 8（echo request，回显请求）。
# set firewall name RATE‐LIMIT rule 20 icmp type 8
将类型8的ICMP代码设置为0
# set firewall name RATE‐LIMIT rule 20 icmp code 0
设置速率限制为每秒 2 个数据包。
# set firewall name RATE‐LIMIT rule 20 limit rate 2/second
设置突发大小为5个报文
# set firewall name RATE‐LIMIT rule 20 limit burst 5
将操作设置为接受。
# set firewall name RATE‐LIMIT rule 20 action accept
设置描述。
# set firewall name RATE‐LIMIT rule 20 description "Rate‐limit incoming icmp echo‐request packets to 2/second allowing short bursts of 5 packets"
设置要匹配的协议ICMP。
# set firewall name RATE‐LIMIT rule 30 protocol icmp
设置 ICMP 类型为 8（echo request，回显请求）。
# set firewall name RATE‐LIMIT rule 30 icmp type 8
将类型8的ICMP代码设置为0
# set firewall name RATE‐LIMIT rule 30 icmp code 0
将操作设置为丢弃（drop）。
# set firewall name RATE‐LIMIT rule 30 action drop
设置描述。
# set firewall name RATE‐LIMIT rule 30 description "Drop remaining echo requests in excess of the rate in rule 20"
# show firewall name RATE‐LIMIT
rule 20 {
action accept
description "Rate‐limit incoming icmp echo‐request packets to 2/second allowing short bursts of 5 packets"
icmp {
code 0
type 8
}
limit {
burst 5
rate 2/second
}
protocol icmp
}
rule 30 {
action drop
description "Drop remaining echo requests in excess of the rate in rule 20"
icmp {
code 0
type 8
}
protocol icmp
}
14、接受设置了特定TCP标志的数据包
设置协议以匹配tcp
# set firewall name TCP‐FLAGS rule 30 protocol tcp
设置TCP标志匹配。
# set firewall name TCP‐FLAGS rule 30 tcp flags SYN,!ACK,!FIN,!RST
将操作设置为接受。
# set firewall name TCP‐FLAGS rule 30 action accept
# show firewall name TCP‐FLAGS
rule 30 {
action accept
protocol tcp
tcp {
flags SYN,!ACK,!FIN,!RST
}
}
15、接受具有特定类型名称的ICMP数据包
设置要匹配的协议icmp。
# set firewall name ICMP‐NAME rule 40 protocol icmp
设置要匹配的 ICMP 报文类型名。
# set firewall name ICMP‐NAME rule 40 icmp type‐name echo‐request
将操作设置为接受。
# set firewall name ICMP‐NAME rule 40 action accept
# show firewall name ICMP‐NAME
rule 40 {
action accept
protocol icmp
icmp {
type‐name echo‐request
}
}
16、根据地址,网络和端口组拒绝流量
向地址组中添加一个地址范围。
# set firewall group address‐group SERVERS address 1.1.1.1‐1.1.1.5
向该地址组中添加另一个地址。
# set firewall group address‐group SERVERS address 1.1.1.7
将网络添加到网络组。
# set firewall group network‐group NETWORKS network 10.0.10.0/24
将端口添加到端口组。
# set firewall group port‐group PORTS port 22
向端口组中添加一个端口名。
# set firewall group port‐group PORTS port ftp
向端口组中添加一个端口范围。
# set firewall group port‐group PORTS port 1000‐2000
# show firewall group
group {
address‐group SERVERS {
address 1.1.1.1‐1.1.1.5
address 1.1.1.7
}
network‐group NETWORKS {
network 10.0.10.0/24
}
port‐group PORTS {
port 22
port ftp
port 1000‐2000
}
}
在防火墙实例中指定拒绝操作。
# set firewall name REJECT‐GROUPS rule 10 action reject
指定以该地址组作为目的地进行匹配。
# set firewall name REJECT‐GROUPS rule 10 destination group address‐group SERVERS
指定以该端口组作为目的地进行匹配。
# set firewall name REJECT‐GROUPS rule 10 destination group port‐group PORTS
指定以该网络组作为源进行匹配。
# set firewall name REJECT‐GROUPS rule 10 source group network‐group NETWORKS
# show firewall name REJECT‐GROUPS
rule 10{
action reject
destination {
group {
address‐group SERVERS
port‐group PORTS
}
}
source {
group {
network‐group NETWORKS
}
}
}
17、在给定时间段内，当来自同一源的连接尝试超过指定阈值时将其丢弃。
匹配TCP数据包。
# set firewall name STOP‐BRUTE rule 10 protocol tcp
匹配目标端口22(即ssh)。
# set firewall name STOP‐BRUTE rule 10 destination port 22
匹配新建连接（state new）。
# set firewall name STOP‐BRUTE rule 10 state new enable
匹配同一源地址出现 3 次……
# set firewall name STOP‐BRUTE rule 10 recent count 3
……且在 30 秒之内。
# set firewall name STOP‐BRUTE rule 10 recent time 30
丢弃符合这些条件的数据包。
# set firewall name STOP‐BRUTE rule 10 action drop
# show firewall name STOP‐BRUTE
rule 10{
action drop
destination {
port 22
}
protocol tcp
recent {
count 3
time 30
}
state {
new enable
}
}
18、创建每个规则集状态规则
为 TEST1 规则集创建配置节点并给出规则集的描述。
# set firewall name TEST1 description "Filter traffic statefully"
创建只允许已建立（established）和相关（related）流量的状态规则。这意味着只允许由本系统发起的流量，或与已建立连接相关的流量（如 FTP 数据连接或与某个流相关联的 ICMP 消息）。
# set firewall name TEST1 rule 1 action accept
# set firewall name TEST1 rule 1 state established enable
# set firewall name TEST1 rule 1 state related enable
创建丢弃无效（invalid）流量的状态规则，并记录日志。
# set firewall name TEST1 rule 2 action drop
# set firewall name TEST1 rule 2 state invalid enable
# set firewall name TEST1 rule 2 log enable
# show firewall name TEST1
description "Filter traffic statefully"
rule 1 {
action accept
state {
established enable
related enable
}
}
rule 2 {
action drop
log enable
state {
invalid enable
}
}
19、设置全局状态策略
允许返回流量以及与现有连接相关的流量。丢弃无效流量并记录被丢弃的报文。
# set firewall state‐policy established action accept
# set firewall state‐policy related action accept
# set firewall state‐policy invalid action drop
# set firewall state‐policy invalid log enable
# show firewall state‐policy
established {
action accept
}
related {
action accept
}
invalid {
action drop
log enable
}
21、创建区域策略
为 DMZ 区域创建配置节点并给出区域描述。
# set zone‐policy zone dmz description "DMZ ZONE"
添加 DMZ 区域包含的接口。
# set zone‐policy zone dmz interface eth2
为私有区域创建配置节点并给出区域描述。
# set zone‐policy zone private description "PRIVATE ZONE"
添加私有区域包含的一个接口。
# set zone‐policy zone private interface eth0
添加私有区域包含的另一个接口。
# set zone‐policy zone private interface eth1
为公共区域创建配置节点并给出区域描述。
# set zone‐policy zone public description "PUBLIC ZONE"
添加公共区域包含的接口。
# set zone‐policy zone public interface eth3
# show zone‐policy
zone dmz {
description "DMZ ZONE"
interface eth2
}
zone private {
description "PRIVATE ZONE"
interface eth0
interface eth1
}
zone public {
description "PUBLIC ZONE"
interface eth3
}
22、为到公共区域的流量创建规则集
为 to_public 规则集创建配置节点并给出规则集的描述。
# set firewall name to_public description "allow all traffic to PUBLIC zone"
创建一条规则，接受所有发往公共区域的流量。
# set firewall name to_public rule 1 action accept
# show firewall name to_public
description "allow all traffic to PUBLIC zone"
rule 1 {
action accept
}
为到DMZ区域的流量创建规则集
为 private_to_dmz 规则集创建配置节点并给出规则集的描述。
# set firewall name private_to_dmz description "filter traffic from PRIVATE zone to DMZ zone"
创建一条规则，允许从私有区域发往 DMZ 区域 HTTP、HTTPS、FTP、SSH 和 Telnet 端口的流量。
# set firewall name private_to_dmz rule 1 action accept
# set firewall name private_to_dmz rule 1 destination port http,https,ftp,ssh,telnet
# set firewall name private_to_dmz rule 1 protocol tcp
创建一条规则，允许从私有区域发往 DMZ 区域的所有 ICMP 流量。
# set firewall name private_to_dmz rule 2 action accept
# set firewall name private_to_dmz rule 2 icmp type‐name any
# set firewall name private_to_dmz rule 2 protocol icmp
# show firewall name private_to_dmz
description "filter traffic from PRIVATE zone to DMZ zone"
rule 1 {
action accept
destination {
port http,https,ftp,ssh,telnet
}
protocol tcp
}
rule 2 {
action accept
icmp {
type‐name any
}
protocol icmp
}
为 public_to_dmz 规则集创建配置节点并给出规则集的描述。
# set firewall name public_to_dmz description "filter traffic from PUBLIC zone to DMZ zone"
创建一条规则，只允许从公共区域发往 DMZ 区域 HTTP 和 HTTPS 端口的流量。
# set firewall name public_to_dmz rule 1 action accept
# set firewall name public_to_dmz rule 1 destination port http,https
# set firewall name public_to_dmz rule 1 protocol tcp
创建一条规则，允许从公共区域发往 DMZ 区域的所有 ICMP 流量。
# set firewall name public_to_dmz rule 2 action accept
# set firewall name public_to_dmz rule 2 icmp type‐name any
# set firewall name public_to_dmz rule 2 protocol icmp
# show firewall name public_to_dmz
description "filter traffic from PUBLIC zone to DMZ zone"
rule 1 {
action accept
destination {
port http,https
}
protocol tcp
}
rule 2 {
action accept
icmp {
type‐name any
}
protocol icmp
}
23、为到私有区域的流量创建规则集
为 to_private 规则集创建配置节点并给出规则集的描述。
# set firewall name to_private description "filter traffic to PRIVATE zone"
创建一条只允许进入私有区域的已建立（established）和相关（related）流量的规则。这意味着只允许由私有区域发起的流量，或与已建立连接相关的流量（如 FTP 数据连接或与某个流相关联的 ICMP 消息）。
# set firewall name to_private rule 1 action accept
# set firewall name to_private rule 1 state established enable
# set firewall name to_private rule 1 state related enable
# set firewall name to_private rule 1 protocol all
# show firewall name to_private
description "filter traffic to PRIVATE zone"
rule 1 {
action accept
protocol all
state {
established enable
related enable
}
}
24、将规则集应用于DMZ区域。
将 private_to_dmz 规则集应用于从私有区域到 DMZ 区域的流量。
# set zone‐policy zone dmz from private firewall name private_to_dmz
将 public_to_dmz 规则集应用于从公共区域到 DMZ 区域的流量。
# set zone‐policy zone dmz from public firewall name public_to_dmz
# show zone‐policy zone dmz
description "DMZ ZONE"
from private {
firewall {
name private_to_dmz
}
}
from public {
firewall {
name public_to_dmz
}
}
interface eth2
25、将 to_private 规则集应用于从 DMZ 区域到私有区域的流量。
# set zone‐policy zone private from dmz firewall name to_private
将 to_private 规则集应用于从公共区域到私有区域的流量。
# set zone‐policy zone private from public firewall name to_private
# show zone‐policy zone private
description "PRIVATE ZONE"
from dmz {
firewall {
name to_private
}
}
from public {
firewall {
name to_private
}
}
interface eth0
interface eth1
26、将规则集应用于公共区域。
将 to_public 规则集应用于从 DMZ 区域到公共区域的流量。
# set zone‐policy zone public from dmz firewall name to_public
将 to_public 规则集应用于从私有区域到公共区域的流量。
# set zone‐policy zone public from private firewall name to_public
# show zone‐policy zone public
description "PUBLIC ZONE"
from dmz {
firewall {
name to_public
}
}
from private {
firewall {
name to_public
}
}
interface eth3
27、限制私有区域中的主机对 Vyatta 系统（本地区域）的访问。
为 private_to_vyatta 规则集创建配置节点并给出规则集的描述。
# set firewall name private_to_vyatta description "filter traffic from PRIVATE zone to local‐zone"
允许所有流量。
# set firewall name private_to_vyatta rule 1 action accept
# show firewall name private_to_vyatta
description "filter traffic from PRIVATE zone to local‐zone"
rule 1{
action accept
}
将 private_to_vyatta 规则集应用于从私有区域到本地区域的流量。
# set zone‐policy zone vyatta from private firewall name private_to_vyatta
将该区域设为本地区域（local-zone，即 Vyatta 系统自身）。
# set zone‐policy zone vyatta local‐zone
# show zone‐policy zone vyatta
from private {
firewall {
name private_to_vyatta
}
}
local‐zone
28、过滤从公共区域到Vyatta系统的流量。
为 public_to_vyatta 规则集创建配置节点并给出规则集的描述。
# set firewall name public_to_vyatta description "filter traffic from PUBLIC zone to local‐zone"
只允许已建立（established）和相关（related）的流量。
# set firewall name public_to_vyatta rule 1 action accept
# set firewall name public_to_vyatta rule 1 protocol all
# set firewall name public_to_vyatta rule 1 state established enable
# set firewall name public_to_vyatta rule 1 state related enable
# show firewall name public_to_vyatta
description "filter traffic from PUBLIC zone to local‐zone"
rule 1{
action accept
protocol all
state {
established enable
related enable
}
}
将 public_to_vyatta 规则集应用于从公共区域到本地区域的流量（对应的 set 命令此处未列出，下面仅为 show 结果）。
# show zone‐policy zone vyatta
from private {
firewall {
name private_to_vyatta
}
}
from public {
firewall {
name public_to_vyatta
}
}
local‐zone
29、允许从Vyatta系统到专用区域的流量
为 from_vyatta 规则集创建配置节点并给出规则集的描述。
# set firewall name from_vyatta description "allow all traffic from local‐zone"
允许所有协议的流量。
# set firewall name from_vyatta rule 1 action accept
# set firewall name from_vyatta rule 1 protocol all
# show firewall name from_vyatta
description "allow all traffic from local‐zone"
rule 1{
action accept
protocol all
}
将 from_vyatta 规则集应用于从本地区域到私有区域的流量。
# set zone‐policy zone private from vyatta firewall name from_vyatta
# show zone‐policy zone private
description "PRIVATE ZONE"
from dmz {
firewall {
name to_private
}
}
from public {
firewall {
name to_private
}
}
from vyatta {
firewall {
name from_vyatta
}
}
interface eth0
interface eth1
30、添加了VPN区域的区域策略
# show zone‐policy zone vpn
default‐action drop
description "REMOTE ACCESS VPN ZONE"
from dmz {
firewall {
name to_private
}
}
from public {
firewall {
name to_private
}
}
from vyatta {
firewall {
name from_vyatta
}
}
interface l2tp+
interface pptp+
# show zone‐policy zone dmz
description "DMZ ZONE"
from private {
firewall {
name private_to_dmz
}
}
from public {
firewall {
name public_to_dmz
}
}
from vpn {
firewall {
name private_to_dmz
}
}
interface eth2
# show zone‐policy zone private
description "PRIVATE ZONE"
from dmz {
firewall {
name to_private
}
}
from public {
firewall {
name to_private
}
}
from vyatta {
firewall {
name from_vyatta
}
}
interface eth0
interface eth1
# show zone‐policy zone public
description "PUBLIC ZONE"
from dmz {
firewall {
name to_public
}
}
from private {
firewall {
name to_public
}
}
from vpn {
firewall {
name to_public
}
}
interface eth3
# show zone‐policy zone vyatta
from private {
firewall {
name private_to_vyatta
}
}
from public {
firewall {
name public_to_vyatta
}
}
from vpn {
firewall {
name private_to_vyatta
}
}
local‐zone
31、具有三个区域(DMZ,公共和本地区域)的拓扑的区域策略。
# show zone‐policy
zone dmz {
default‐action drop
description "DMZ ZONE"
from public {
firewall {
name public_to_dmz
}
}
interface eth2
}
zone public {
default‐action drop
description "PUBLIC ZONE"
from dmz {
firewall {
name to_public
}
}
interface eth3
}
zone vyatta {
default‐action drop
from dmz {
firewall {
name dmz_to_vyatta
}
}
from public {
firewall {
name public_to_vyatta
}
}
local‐zone
}
32、拒绝来自区域的流量,并仅允许LAN之间的ICMP。
# show firewall name allow_ping_only
description "allow nothing from zones. allow icmp packets between LANs"
rule 1 {
action reject
protocol all
source {
group {
network‐group not_allowed_nets
}
}
}
rule 2 {
action accept
icmp {
type‐name any
}
protocol icmp
}
# show interfaces ethernet eth0 firewall
out {
name allow_ping_only
}
# show interfaces ethernet eth1 firewall
out {
name allow_ping_only
}
33、应用防火墙规则集到VRRP接口
# show interfaces ethernet eth2
address 172.16.1.20/24
duplex auto
firewall {
in {
name FWTEST‐1
}
}
hw‐id 00:0c:29:c6:a2:59
smp_affinity auto
speed auto
vrrp {
vrrp‐group 15 {
advertise‐interval 1
interface {
}
preempt true
sync‐group test
virtual‐address 172.16.1.25
}
}
将同一个 FWTEST-1 规则集附加到 VRRP 接口的入站流量上。
set interfaces ethernet eth2 vrrp vrrp‐group 15 firewall in name FWTEST‐1
# show interfaces ethernet eth2
address 172.16.1.20/24
duplex auto
firewall {
in {
name FWTEST‐1
}
}
hw‐id 00:0c:29:c6:a2:59
smp_affinity auto
speed auto
vrrp {
vrrp‐group 15 {
advertise‐interval 1
interface {
firewall {
in {
name FWTEST‐1
}
}
}
preempt true
sync‐group test
virtual‐address 172.16.1.25
}
}
34、将VRRP接口加入私有区域
将其中一个 VRRP 接口加入私有区域。
# set zone‐policy zone private interface eth0 vrrp vrrp‐group 99 interface
将另一个 VRRP 接口加入私有区域。
# set zone‐policy zone private interface eth1 vrrp vrrp‐group 101 interface
# show zone‐policy zone private
description "PRIVATE ZONE"
from dmz {
firewall {
name to_private
}
}
from public {
firewall {
name to_private
}
}
from vyatta {
firewall {
name from_vyatta
}
}
interface eth0
interface eth0v99
interface eth1
interface eth1v101
35、显示防火墙实例
~$ show firewall FWTEST‐1
Active on (eth0, IN)
State Codes: E ‐ Established, I ‐ Invalid, N ‐ New, R ‐ Related
rule action source destination proto state
‐‐‐‐ ‐‐‐‐‐‐ ‐‐‐‐‐‐ ‐‐‐‐‐‐‐‐‐‐‐ ‐‐‐‐‐ ‐‐‐‐‐
1 REJECT 172.16.0.26 0.0.0.0/0 all any
1025 DROP 0.0.0.0/0 0.0.0.0/0 all any
~$ show firewall FWTEST‐3
Active on (eth1, LOCAL)
State Codes: E ‐ Established, I ‐ Invalid, N ‐ New, R ‐ Related
rule action source destination proto state
‐‐‐‐ ‐‐‐‐‐‐ ‐‐‐‐‐‐ ‐‐‐‐‐‐‐‐‐‐‐ ‐‐‐‐‐ ‐‐‐‐‐
1 ACCEPT 10.10.30.46 0.0.0.0/0 tcp any
dst ports: telnet
1025 DROP 0.0.0.0/0 0.0.0.0/0 all any
36、显示接口上的防火墙配置
# show interfaces ethernet eth0 firewall
in {
name FWTEST‐1
}
37、显示“防火墙”配置节点
1# show firewall
name FWTEST‐1 {
rule 1 {
action reject
source {
address 172.16.0.26
}
}
}
name FWTEST‐2 {
rule 1 {
action accept
destination {
address 10.10.40.101
}
source {
address 10.10.30.46
}
}
}
name FWTEST‐3 {
rule 1 {
action accept
destination {
port telnet
}
protocol tcp
source {
address 10.10.30.46
}
}
}
name FWTEST‐4 {
rule 1 {
action accept
destination {
address 172.16.0.0/24
}
source {
address 10.10.40.0/24
}
}
}
name FWTEST‐5 {
rule 1 {
action accept
source {
mac‐addr 00:13:ce:29:be:e7
}
}
}
41、全局防火墙命令
~$ show firewall
~$ show firewall detail
~$ show firewall statistics
~$ show firewall group
https://54712289bdd910def82d-5cc7866f7aae0a382278b5bce7412a4a.ssl.cf1.rackcdn.com/Vyatta-Firewall_6.5R1_v01.pdf