bbs.51cto.com wanghaoqd


  My organization has been using a single Huawei Eudemon 200 firewall for Internet access since 2006. Because this device has no feature for directly limiting P2P traffic such as BT, eMule and Thunder (迅雷), the only option was to block the P2P software completely with an access control list.
  After reading up on the various P2P clients, I found that newer BT clients such as BitComet and BitSpirit no longer use fixed communication ports the way the original BitTorrent client did, and that Thunder and similar software adjust their port range on the fly according to network conditions. Simply closing port ranges therefore does not block these programs well.
  So I considered an ACL that permits only a handful of commonly used ports during work hours, which blocks the P2P software as a side effect.
  The relevant firewall configuration is as follows:
time-range off-work-time1 00:00 to 07:30 daily
time-range off-work-time2 17:00 to 24:00 daily                 //define the two off-work periods
acl number 3002
description discarding unnecessary packets
rule 10 permit ip time-range off-work-time1
rule 11 permit ip time-range off-work-time2                    //permit all traffic outside work hours
rule 12 permit udp destination-port eq dns                     //allow DNS queries
rule 13 permit tcp destination-port eq www                     //allow web browsing
rule 14 permit tcp destination-port eq 443                     //allow HTTPS
rule 15 permit tcp destination-port eq ftp                     //allow FTP downloads
rule 16 permit tcp destination-port eq pop3                    //allow POP3 mail retrieval
rule 17 permit tcp destination-port eq smtp                    //allow SMTP mail sending
rule 18 permit udp destination-port eq 8000                    //allow QQ
rule 19 permit tcp destination-port eq 1863                    //allow MSN Messenger (MSNP on TCP 1863)
rule 20 permit tcp destination-port eq domain                  //allow DNS over TCP
rule 30 permit icmp                                            //allow pinging external IPs
rule 31 permit tcp destination-port eq telnet                  //allow telnet to external devices
rule 50 deny ip                                                //deny everything else
firewall interzone trust untrust
packet-filter 3002 outbound                                    //apply in the trust->untrust direction

  Once the ACL is applied, display acl 3002 shows lines such as "rule 12 permit udp destination-port eq dns (29968 times matched)", confirming that the list is in effect. Testing with Thunder and eMule on a LAN PC during work hours, the vast majority of P2P resources could no longer connect, which shows the method works.
  This setup has been running on the firewall for nearly a year with good results: during work hours it blocks the large majority of P2P traffic. Its drawback is inflexibility. If some other application, such as stock-trading or online-game software, is genuinely needed during work hours, you have to capture packets on a machine running that software to find the destination ports it uses, then add matching rules to the ACL.
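To check what ACL 3002 actually lets through, here is an added Python model of the packet filter above. It is my own example, not the post author's code and not anything from Huawei: it parses the rule and time-range lines exactly as printed, evaluates a few constructed flows with first-match semantics (rules checked in ascending number order, first hit wins), and builds the extra permit line the post says you add after capturing a new application's ports. Assumptions, also marked in the code: time ranges are start-inclusive and end-exclusive; the interzone default is permit, as in the attached running config; the port keywords map as in the Eudemon CLI (www=80, dns/domain=53, ftp=21, pop3=110, smtp=25, telnet=23); the walkthrough's 07:30/17:00 boundaries are used rather than the 07:29/17:01 that appear in the attached config. The sample flows and the tcp/3306 "new application" are made up for the demonstration.

```python
"""Offline model of ACL 3002 from the post: parses the rule and time-range lines as printed, applies
first-match semantics and shows which flows survive work hours. Added example, not the author's code."""
import re
from collections import namedtuple

PORT_KEYWORDS = {"dns": 53, "domain": 53, "www": 80, "ftp": 21, "pop3": 110, "smtp": 25, "telnet": 23}  # CLI keywords used in ACL 3002

# Lines copied from the post's walkthrough; trailing "//" comments are stripped by the parser.
TIME_RANGE_TEXT = """
time-range off-work-time1 00:00 to 07:30 daily
time-range off-work-time2 17:00 to 24:00 daily
"""
ACL_TEXT = """
rule 10 permit ip time-range off-work-time1
rule 11 permit ip time-range off-work-time2
rule 12 permit udp destination-port eq dns      //allow DNS queries
rule 13 permit tcp destination-port eq www
rule 14 permit tcp destination-port eq 443
rule 15 permit tcp destination-port eq ftp
rule 16 permit tcp destination-port eq pop3
rule 17 permit tcp destination-port eq smtp
rule 18 permit udp destination-port eq 8000
rule 19 permit tcp destination-port eq 1863
rule 20 permit tcp destination-port eq domain
rule 30 permit icmp
rule 31 permit tcp destination-port eq telnet
rule 50 deny ip
"""
DEFAULT_ACTION = "permit"  # no rule matched: the attached config sets "packet-filter default permit" trust->untrust

# proto "ip" matches any protocol; dport None = any port; time_range None = always active.
Rule = namedtuple("Rule", "number action proto dport time_range")
Flow = namedtuple("Flow", "proto dport label")  # label is only for printing

def _minutes(hhmm):
    return int(hhmm[:2]) * 60 + int(hhmm[3:])  # "24:00" -> 1440, i.e. end of day

def parse_time_ranges(text):
    """Name -> (start, end) in minutes since midnight; modelling assumption: start-inclusive, end-exclusive."""
    ranges = {}
    for line in text.splitlines():
        m = re.match(r"time-range (\S+) (\d\d:\d\d) to (\d\d:\d\d) daily", line.strip())
        if m:
            ranges[m.group(1)] = (_minutes(m.group(2)), _minutes(m.group(3)))
    return ranges

def parse_acl(text):
    """Parse 'rule N permit|deny PROTO [destination-port eq X] [time-range T]' lines."""
    pat = re.compile(r"rule (\d+) (permit|deny) (\S+)(?: destination-port eq (\S+))?(?: time-range (\S+))?$")
    rules = []
    for raw in text.splitlines():
        line = raw.split("//")[0].strip()  # drop the post's inline comments
        if not line:
            continue
        m = pat.match(line)
        if not m:
            raise ValueError(f"unsupported rule syntax: {line}")
        port = m.group(4)  # keyword such as "www", a number such as "443", or None
        dport = None if port is None else PORT_KEYWORDS.get(port) or int(port)
        rules.append(Rule(int(m.group(1)), m.group(2), m.group(3), dport, m.group(5)))
    return sorted(rules, key=lambda r: r.number)  # the device evaluates in number order

def evaluate(rules, ranges, flow, minute_of_day):
    """(action, rule_number) from the first matching rule, else the interzone default."""
    for r in rules:
        if r.time_range is not None:
            start, end = ranges[r.time_range]
            if not start <= minute_of_day < end:
                continue  # the rule exists but is inactive at this time of day
        if r.proto != "ip" and r.proto != flow.proto:
            continue
        if r.dport is not None and r.dport != flow.dport:
            continue
        return r.action, r.number
    return DEFAULT_ACTION, None

def propose_rule(rules, proto, port):
    """Permit line for a newly needed app, numbered in the free slot just before the closing deny."""
    limit = min((r.number for r in rules if r.action == "deny" and r.proto == "ip"), default=10000)
    last = max(r.number for r in rules if r.number < limit)
    if last + 1 >= limit:
        raise ValueError("no free rule number left before the closing deny")
    return f"rule {last + 1} permit {proto} destination-port eq {port}"

FLOWS = [  # constructed sample flows, not captured traffic
    Flow("tcp", 80, "web browsing"),
    Flow("udp", 53, "DNS query"),
    Flow("tcp", 6881, "BitTorrent peer"),
    Flow("tcp", 15234, "Thunder on a random high port"),
    Flow("tcp", 80, "BitTorrent HTTP tracker request"),
]

if __name__ == "__main__":
    rules, ranges = parse_acl(ACL_TEXT), parse_time_ranges(TIME_RANGE_TEXT)
    for flow in FLOWS:  # verdict at 10:00 (work) and at 22:00 (off-work) for each flow
        print(f"{flow.label:32}", evaluate(rules, ranges, flow, _minutes("10:00")), evaluate(rules, ranges, flow, _minutes("22:00")))
    # Why rule 50 matters: without it the default-permit interzone passes the same flow.
    print("BitTorrent at 10:00 without rule 50:", evaluate([r for r in rules if r.number != 50], ranges, FLOWS[2], _minutes("10:00")))
    print("rule to add for a new app on tcp/3306:", propose_rule(rules, "tcp", 3306))
```

Running it shows the BitTorrent peer and the random-port Thunder flow hitting rule 50 at 10:00 and rule 11 at 22:00, while the tracker request on TCP 80 is indistinguishable from web browsing and passes on rule 13; that is the residual gap behind the post's "vast majority". The "without rule 50" line is the check worth keeping in mind: because the interzone default is permit, deleting or renumbering the closing deny reopens everything silently, so after editing the list confirm with display acl 3002 that the deny is still the last rule and still accumulating matches.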
  Attached is the complete Eudemon 200 configuration from my organization; with minor changes it can be applied to the whole H3C SecPath range.

#
sysname Eudemon
#
firewall packet-filter default permit interzone local trust direction inbound
firewall packet-filter default permit interzone local trust direction outbound
firewall packet-filter default permit interzone local untrust direction inbound
firewall packet-filter default permit interzone local untrust direction outbound
firewall packet-filter default permit interzone local dmz direction inbound
firewall packet-filter default permit interzone local dmz direction outbound
firewall packet-filter default permit interzone trust untrust direction inbound
firewall packet-filter default permit interzone trust untrust direction outbound
firewall packet-filter default permit interzone trust dmz direction inbound
firewall packet-filter default permit interzone trust dmz direction outbound
firewall packet-filter default permit interzone dmz untrust direction inbound
firewall packet-filter default permit interzone dmz untrust direction outbound
#
nat address-group 1 a.a.a.a a.a.a.a
nat server  global a.a.a.b inside 10.0.0.1
nat server protocol tcp global a.a.a.e www inside 10.0.0.2 www
nat server  global a.a.a.f inside 10.0.0.3
nat server protocol 47 global a.a.a.e inside 10.0.0.4
nat server protocol tcp global a.a.a.e 1723 inside 10.0.0.4 1723
nat server  global a.a.a.c inside 10.0.0.5
nat alg enable ftp
nat alg enable dns
nat alg enable icmp
nat alg enable netbios
undo nat alg enable h323
undo nat alg enable hwcc
undo nat alg enable ils
nat alg enable pptp
undo nat alg enable qq
undo nat alg enable msn
undo nat alg enable user-define
undo nat alg enable rtsp
firewall permit sub-ip
#
firewall defend ip-spoofing enable
firewall defend land enable
firewall defend smurf enable
firewall defend fraggle enable
firewall defend winnuke enable
firewall defend syn-flood enable
firewall defend udp-flood enable
firewall defend icmp-flood enable
firewall defend icmp-redirect enable
firewall defend icmp-unreachable enable
firewall defend ip-sweep enable
firewall defend port-scan enable
firewall defend source-route enable
firewall defend route-record enable
firewall defend tracert enable
firewall defend time-stamp enable
firewall defend ping-of-death enable
firewall defend teardrop enable
firewall defend tcp-flag enable
firewall defend ip-fragment enable
firewall defend large-icmp enable
#
firewall statistic system enable
#
traffic classifier video operator and
if-match acl 3004
#
traffic behavior video
  queue ef bandwidth 2048 cbs 262144
#
qos policy video
classifier video behavior video
#
interface Aux0
async mode flow
link-protocol ppp
#
interface Ethernet0/0/0
description WAN
ip address 10.228.x.x 255.255.255.248
qos reserved-bandwidth pct 100
qos apply policy video outbound
#
interface Ethernet0/0/1
description LAN
ip address 10.0.0.20 255.255.255.0
#
interface NULL0
#
interface LoopBack0
ip address a.a.a.a 255.255.255.255
#
acl number 3001
description AntiVirus ACL
rule 0 deny udp destination-port eq 445
rule 1 deny ip destination a.a.a.a 0
rule 2 deny udp destination-port eq netbios-dgm
rule 3 deny udp destination-port eq netbios-ssn
rule 4 deny udp destination-port eq 1434
rule 5 deny tcp destination-port eq 135
rule 6 deny tcp destination-port eq 139
rule 7 deny tcp destination-port eq 389
rule 8 deny tcp destination-port eq 445
rule 9 deny tcp destination-port eq 636
rule 10 deny tcp destination-port eq 1025
rule 11 deny tcp destination-port eq 1503
rule 12 deny tcp destination-port eq 3268
rule 13 deny tcp destination-port eq 3269
rule 14 deny tcp destination-port eq 4444
rule 15 deny tcp destination-port eq 5554
rule 16 deny tcp destination-port eq 5800
rule 17 deny tcp destination-port eq 5900
rule 18 deny tcp destination-port eq 9996
rule 19 deny tcp destination-port eq 6667
rule 20 deny udp destination-port eq 593
rule 21 deny tcp destination-port eq 593
rule 22 deny tcp destination-port eq 9995
rule 24 deny icmp
acl number 3002
description discarding unnecessary packets
rule 10 permit ip time-range off-work-time1
rule 11 permit ip time-range off-work-time2
rule 12 permit udp destination-port eq dns
rule 13 permit tcp destination-port eq www
rule 14 permit tcp destination-port eq 443
rule 15 permit tcp destination-port eq ftp
rule 16 permit tcp destination-port eq pop3
rule 17 permit tcp destination-port eq smtp
rule 18 permit udp destination-port eq 8000
rule 19 permit tcp destination-port eq 1863
rule 20 permit tcp destination-port eq domain
rule 21 permit tcp destination-port eq 5000
rule 30 permit icmp
rule 31 permit tcp destination-port eq telnet
rule 50 deny ip
acl number 3004
description video
rule 0 permit udp destination-port range 8880 8881
rule 1 permit tcp destination-port range 8880 8881
acl number 3100
description NAT ACL
rule 10 permit ip source 10.0.3.1 0
rule 11 permit ip source 10.0.0.0 0.0.0.255
rule 12 permit ip source 10.0.2.0 0.0.0.255
rule 30 deny ip
#
time-range off-work-time1 00:00 to 07:29 daily
time-range off-work-time2 17:01 to 24:00 daily
#
firewall zone local
set priority 100
#
firewall zone trust
set priority 85
add interface Ethernet0/0/1
#
firewall zone untrust
set priority 5
add interface Ethernet0/0/0
#
firewall zone dmz
set priority 50
#
firewall interzone local trust
#
firewall interzone local untrust
packet-filter 3001 inbound
#
firewall interzone local dmz
#
firewall interzone trust untrust
nat outbound 3100 address-group 1
packet-filter 3002 outbound
#
firewall interzone trust dmz
#
firewall interzone dmz untrust
#
aaa
local-user admin password cipher A^.5
local-user admin service-type terminal telnet
local-user admin level 3
local-user huawei password cipher N`C55QK
local-user huawei service-type telnet
local-user huawei level 1
authentication-scheme default
#
authorization-scheme default
#
accounting-scheme default
#
domain default
#
#
ip route-static 0.0.0.0 0.0.0.0 10.228.x.y
ip route-static 10.0.0.0 255.0.0.0 10.0.0.254
ip route-static 172.20.20.0 255.255.255.0 10.0.0.254
ip route-static 192.168.0.0 255.255.0.0 10.0.0.254
#
snmp-agent
snmp-agent local-engineid 000007DB7F0000010000370D
snmp-agent community read  ***
snmp-agent community write  ***
snmp-agent sys-info version all
#
user-interface con 0
authentication-mode aaa
user-interface aux 0
authentication-mode aaa
user-interface vty 0 4
authentication-mode aaa
#
return