17:32:44 2012/02/25
#
# Sanitized firewall configuration in Huawei VRP-style CLI: "ip", "mask", "port"
# and "*" are placeholders substituted for the real addresses, masks, ports and
# secrets, so none of the concrete values can be checked here.
#
# Address object "ygm": one address range plus one /32 host.
ip address-set ygm type group
address 0 range ip ip
address 1 ip mask 32
#
# Basic ACL 2000: permit-all. It is not referenced anywhere in the configuration
# as shown (for example it is not bound to the VTY lines as a management ACL);
# confirm it is still needed or remove it.
acl number 2000
rule 0 permit
#
# Advanced ACL 3000: permit-all, also unreferenced in the configuration as shown.
acl number 3000
rule 0 permit ip
# ACLs 3001/3002 select traffic sourced from / destined to the ygm set with a
# deny action. Their only use is as the classifiers of the p2p-car statements in
# the trust-untrust interzone. NOTE(review): the deny presumably exempts the ygm
# hosts from the P2P rate limit rather than dropping their traffic - confirm how
# p2p-car treats deny rules on this platform before relying on it.
acl number 3001
rule 0 deny ip source address-set ygm
acl number 3002
rule 0 deny ip destination address-set ygm
#
sysname name
#
# Web management over HTTPS. Whether plain-HTTP management is also enabled
# ("web-manager enable") is not visible in this configuration - confirm it is off.
web-manager security enable
#
# NOTE(review): L2TP is enabled globally, but no l2tp-group and no IPsec
# proposal/policy appear in the configuration as shown. If L2TP tunnels are
# actually terminated here, bare L2TP carries credentials and payload without
# encryption; pair it with IPsec or disable it if it is unused.
l2tp enable
#
# Interzone default actions: applied whenever no explicit interzone policy matches.
#
# local <-> trust: every host in the trust zone can reach every service the
# firewall itself exposes (web, telnet, SSH - see the aaa/user-interface sections).
# Workable for a small site, but restricting management access to the admin
# hosts (an inbound ACL on the VTY lines or a local-trust policy) is preferable.
firewall packet-filter default permit interzone local trust direction inbound
firewall packet-filter default permit interzone local trust direction outbound
#
# NOTE(review): trust <-> untrust defaults to PERMIT in both directions, and the
# explicit interzone policies later in this file only add further permits (there
# is no deny rule anywhere). Unsolicited traffic arriving on the untrust
# (Internet) interface is therefore forwarded into the trust zone by default;
# the device behaves as a router with attack-signature defenses, not as a
# default-deny firewall. Recommended:
#   firewall packet-filter default deny interzone trust untrust direction inbound
# followed by an explicit inbound policy that permits only the published
# "nat server" destinations (the protocol/port pairs configured there) and the
# existing l2tp/pptp service-sets. Verify live traffic with
# "display firewall session table" before and after the change.
firewall packet-filter default permit interzone trust untrust direction inbound
firewall packet-filter default permit interzone trust untrust direction outbound
#
# Source-NAT pool used by the trust -> untrust nat-policy ("policy 1" below).
nat address-group 1 ip ip
# Static server mappings (destination NAT) for two TCP services. Both are tied to
# VRRP groups 1 and 2, yet no "vrrp vrid" configuration is visible on the
# interfaces shown - confirm the VRRP groups exist, otherwise these mappings may
# never become active. "no-reverse" on server 0 keeps it an inbound-only
# mapping; server 1 without it also creates the reverse (outbound source)
# translation for the inside host.
# NOTE(review): while the trust-untrust inbound default is permit, these
# published services are reachable from any source address; an explicit inbound
# policy that limits the permitted sources and ports is advisable.
nat server 0 protocol tcp global ip port inside ip port vrrp 1 no-reverse
nat server 1 protocol tcp global ip port inside ip port vrrp 2
#
# Address ranges excluded from DHCP allocation (two ranges, values sanitized).
dhcp server forbidden-ip ip ip
dhcp server forbidden-ip ip ip
#
# Time range referenced by p2p-class 0: 07:30-19:00 every day.
time-range work 07:30 to 19:00 daily
#
# Attack defense: single-packet / malformed-packet checks plus scan and flood
# detection. NOTE(review): no thresholds, max-rate or blocking-time values are
# configured, so the flood and scan defenses run with platform defaults. Tune
# them against the site's normal traffic levels, otherwise they may either never
# trigger or drop legitimate bursts.
firewall defend ip-spoofing enable
firewall defend arp-spoofing enable
firewall defend land enable
firewall defend smurf enable
firewall defend fraggle enable
firewall defend winnuke enable
firewall defend icmp-redirect enable
firewall defend icmp-unreachable enable
firewall defend source-route enable
firewall defend route-record enable
firewall defend tracert enable
firewall defend time-stamp enable
firewall defend ping-of-death enable
firewall defend teardrop enable
firewall defend tcp-flag enable
firewall defend ip-fragment enable
firewall defend large-icmp enable
firewall defend ip-sweep enable
firewall defend port-scan enable
firewall defend syn-flood enable
firewall defend udp-flood enable
firewall defend icmp-flood enable
firewall defend get-flood enable
firewall defend dns-flood enable
firewall defend tcp-illeage-session enable
firewall defend sip-flood enable
firewall defend arp-flood enable
#
# System-wide statistics collection. The flood defenses above typically depend
# on statistics being enabled; zone-level "statistic enable" is not shown here -
# confirm whether the platform needs it for the per-zone flood thresholds.
firewall statistic system enable
#
# DHCP pool (network, gateway and DNS values sanitized). NOTE(review): no
# "dhcp enable" and no per-interface "dhcp select global" appear in the
# configuration as shown - confirm the pool is actually being served, or remove
# it if the firewall is not the site's DHCP server.
dhcp server ip-pool ippool1
network ip mask mask
gateway-list ip
dns-list ip
#
# GE0/0/0 is placed in the untrust zone and GE0/0/1 in the trust zone by the
# zone definitions that follow; both carry a /24 address.
interface GigabitEthernet0/0/0
ip address ip 255.255.255.0
#
interface GigabitEthernet0/0/1
ip address ip 255.255.255.0
#
# NOTE(review): GE0/0/2 and GE0/0/3 carry no configuration and are assigned to
# no zone. Administratively disable unused ports ("shutdown") so a stray cable
# cannot bring them up.
interface GigabitEthernet0/0/2
#
interface GigabitEthernet0/0/3
#
interface NULL0
#
# Security zones. Priorities: local 100 > trust 85 > dmz 50 > untrust 5 > vzone 0.
# Only trust and untrust have member interfaces; dmz and vzone are defined but
# unused in the configuration as shown.
firewall zone local
set priority 100
#
firewall zone trust
set priority 85
add interface GigabitEthernet0/0/1
#
firewall zone untrust
set priority 5
add interface GigabitEthernet0/0/0
#
firewall zone dmz
set priority 50
#
firewall zone vzone
set priority 0
#
# trust <-> untrust interzone settings: application-layer inspection (detect) for
# the listed protocols so their dynamically negotiated data channels are
# tracked, plus P2P detection and rate limiting.
firewall interzone trust untrust
detect qq
detect msn
detect icq
detect ftp
detect h323
detect sip
detect mgcp
detect mms
detect sqlnet
detect pptp
detect hwcc
detect http
detect netbios
detect rtsp
# P2P CAR: ACL 3002 classifies inbound traffic and ACL 3001 outbound traffic,
# both into p2p-class 0 (defined later in this file).
p2p-car 3002 class 0 inbound
p2p-car 3001 class 0 outbound
p2p-detect enable
#
# Explicit interzone policies. Both directions contain a single permit for the
# l2tp and pptp service-sets. Because the trust-untrust packet-filter default
# is already permit in both directions, these rules add no restriction today;
# they only become meaningful once the inbound default is changed to deny.
policy interzone trust untrust inbound
policy 0
action permit
policy service service-set l2tp
policy service service-set pptp
#
policy interzone trust untrust outbound
policy 0
action permit
policy service service-set pptp
policy service service-set l2tp
#
# Source NAT for trust -> untrust traffic using address-group 1. The policy has
# no source/destination condition, so all outbound traffic is translated.
nat-policy interzone trust untrust outbound
policy 1
action source-nat
address-group 1
#
aaa
# NOTE(review): a single shared "admin" account at the highest privilege level
# (3) with web, terminal, telnet and ssh access. Telnet sends the password in
# clear text - remove it from service-type (and restrict the VTY lines with
# "protocol inbound ssh"). Prefer one named account per administrator so
# actions are attributable. On platforms that distinguish them, store the
# password with irreversible-cipher rather than cipher.
local-user admin password cipher *
local-user admin service-type web terminal telnet ssh
local-user admin level 3
authentication-scheme default
#
authorization-scheme default
#
accounting-scheme default
#
domain default
#
#
right-manager server-group
#
slb
#
# P2P rate-limit class referenced by the p2p-car statements: CIR 10 (platform
# units, not shown here) while time-range "work" (07:30-19:00 daily) is active.
# Presumably no limit applies outside that window - confirm if that is intended.
p2p-class 0
cir 10 index 1 time-range work
#
# Default route to the upstream next hop (presumably on the untrust side) and
# one static /24 route; next-hop values are sanitized.
ip route-static 0.0.0.0 0.0.0.0 ip
ip route-static ip 255.255.255.0 ip
#
# SSH login for admin uses password authentication only. NOTE(review): public-key
# authentication ("authentication-type rsa") for the admin account resists
# password guessing; at minimum ensure the password is strong and rotated.
ssh user admin authentication-type password
#
# NOTE(review): con 0 carries no settings here; confirm console login is
# protected (authentication-mode), since physical access otherwise yields
# level-3 access.
user-interface con 0
# VTY 0-4 authenticate through AAA (local-user admin). The line password below
# takes effect only under "authentication-mode password" and is inert here -
# remove it to avoid a second, possibly weaker, secret. Also consider
# "protocol inbound ssh" (many VRP releases accept telnet by default), an
# inbound "acl" restricting management sources, and an "idle-timeout".
user-interface vty 0 4
authentication-mode aaa
set authentication password cipher *
#
return
(end of configuration)