[Firewall Series, Part 2] How a zone-based firewall policy filters intranet users' web access

Background

From a manager's point of view, working hours are for work, and employees should spend as little of that time as possible on unrelated things. In practice, though, people who sit at a desk all day also need to relax now and then.

So a conflict arises: management wants staff to spend less time on the public internet and not chat or watch films on company time...

...while the staff want to chat and watch films...

The enterprise network engineer has to find a middle ground that satisfies management without driving colleagues to mutiny, which is how the configuration below came about.

Objectives

1. Block QQ, MSN, Kaixin (kaixin001), Xunlei, Tudou, Youku, iQIYI, Taobao, 58.com, 6.com, ...

2. Allow all other sites.

3. Log violations so that management can look them up (-_-).

4. Access to the DMZ is not restricted.

-----------------------------------------------------

Key commands

Define the sites to filter. Patterns come in two forms, the bare domain (xx.xx) and the wildcard (*.xx.xx). Note the very last map, which allows traffic to every remaining site; without it, colleagues will revolt -_-

parameter-map type regex uri.regex.cm
 pattern .*sex
 pattern .*game
 pattern .*download
 pattern .*qq

parameter-map type urlf-glob qq
 pattern qq.com
 pattern *.qq.com

parameter-map type urlf-glob msn
 pattern *.msn.com
 pattern msn.com

parameter-map type urlf-glob taobao
 pattern taobao.com
 pattern *.taobao.com

parameter-map type urlf-glob renren
 pattern *.renren.com
 pattern renren.com

parameter-map type urlf-glob kaixin001
 pattern kaixin001.com
 pattern *.kaixin001.com

parameter-map type urlf-glob 58
 pattern *.58.com
 pattern 58.com

parameter-map type urlf-glob xunlei
 pattern xunlei.com
 pattern *.xunlei.com

parameter-map type urlf-glob 6
 pattern *.6.com
 pattern 6.com

parameter-map type urlf-glob tudou
 pattern tudou.com
 pattern *.tudou.com

parameter-map type urlf-glob youku
 pattern *.youku.com
 pattern youku.com

parameter-map type urlf-glob iqiyi
 pattern iqiyi.com
 pattern *.iqiyi.com

parameter-map type urlf-glob per.sites
 pattern *

Define the URL-filter classes

These also come in two parts: one class for the restricted sites and one for sites with full access.

class-map type urlfilter match-any dis.web
 match  server-domain urlf-glob qq
 match  server-domain urlf-glob taobao
 match  server-domain urlf-glob renren
 match  server-domain urlf-glob kaixin001
 match  server-domain urlf-glob 58
 match  server-domain urlf-glob 6
 match  server-domain urlf-glob xunlei
 match  server-domain urlf-glob youku
 match  server-domain urlf-glob tudou
 match  server-domain urlf-glob iqiyi
 match  server-domain urlf-glob msn
 
class-map type urlfilter match-any per.sites
 match  server-domain urlf-glob per.sites

Create the dedicated URL-filter policy

Class            Action
Restricted       log / reset session
Full access      log / allow

policy-map type inspect urlfilter dis.web
 class type urlfilter dis.web
  log
  reset
 class type urlfilter per.sites
  allow
  log

Attach the URL-filter policy to the inspect policy

policy-map type inspect in.out.policy
 class type inspect in.out.web
  inspect
  service-policy urlfilter dis.web
 class type inspect per.traffic
  inspect
 class class-default
  drop
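To see how the three layers above combine, here is an added Python simulation (not part of the original post and not Cisco code) of the URL-filter decision for one HTTP Host: it loads the page's urlf-glob maps and class-maps, walks the urlfilter policy-map in configured order and returns the action the router would apply. The glob semantics (`*` matching any run of characters, case-insensitive comparison) and first-match class ordering are assumptions modelled on the configuration shown.

```python
import re

# urlf-glob parameter maps as configured on the page (one map per site, exact + wildcard form).
URLF_GLOB = {
    "qq": ["qq.com", "*.qq.com"],
    "msn": ["*.msn.com", "msn.com"],
    "taobao": ["taobao.com", "*.taobao.com"],
    "renren": ["*.renren.com", "renren.com"],
    "kaixin001": ["kaixin001.com", "*.kaixin001.com"],
    "58": ["*.58.com", "58.com"],
    "xunlei": ["xunlei.com", "*.xunlei.com"],
    "6": ["*.6.com", "6.com"],
    "tudou": ["tudou.com", "*.tudou.com"],
    "youku": ["*.youku.com", "youku.com"],
    "iqiyi": ["iqiyi.com", "*.iqiyi.com"],
    "per.sites": ["*"],          # catch-all, so every remaining site is allowed
}

# class-map type urlfilter match-any: a class matches if any referenced glob map matches.
CLASS_MAPS = {
    "dis.web": ["qq", "taobao", "renren", "kaixin001", "58", "6",
                "xunlei", "youku", "tudou", "iqiyi", "msn"],
    "per.sites": ["per.sites"],
}

# policy-map type inspect urlfilter dis.web: classes in configured order, first match wins.
POLICY = [("dis.web", "reset"), ("per.sites", "allow")]


def glob_match(pattern, host):
    """urlf-glob semantics as assumed here: '*' matches any run of characters,
    everything else is literal, and hostnames compare case-insensitively."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*") + "$"
    return re.match(regex, host, re.IGNORECASE) is not None


def classify(host, policy=POLICY):
    """Return (class_name, action) the urlfilter policy applies to an HTTP Host header."""
    for class_name, action in policy:
        for map_name in CLASS_MAPS[class_name]:
            if any(glob_match(p, host) for p in URLF_GLOB[map_name]):
                return class_name, action
    return None, None   # only reachable if the '*' catch-all class is removed


if __name__ == "__main__":
    for h in ["www.qq.com", "qq.com", "www.baidu.com", "WWW.TUDOU.COM"]:
        print(h, "->", classify(h))
    # Ordering matters: with per.sites first, the '*' class swallows everything.
    print("reversed policy:", classify("www.qq.com", policy=list(reversed(POLICY))))
```

Two things the simulation makes visible: `per.traffic` inspects `protocol https` without a urlfilter service-policy, so only plain-HTTP requests ever reach this decision, and the regex map `uri.regex.cm` is not referenced by either class-map shown, so it plays no part in it either.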

 

 

Verifying the result

nanjing#show class-map type urlfilter
 Class Map type urlfilter match-any dis.web (id 2)
   Match  server-domain urlf-glob qq
   Match  server-domain urlf-glob taobao
   Match  server-domain urlf-glob renren
   Match  server-domain urlf-glob kaixin001
   Match  server-domain urlf-glob 58
   Match  server-domain urlf-glob 6
   Match  server-domain urlf-glob xunlei
   Match  server-domain urlf-glob youku
   Match  server-domain urlf-glob tudou
   Match  server-domain urlf-glob iqiyi
   Match  server-domain urlf-glob msn

 Class Map type urlfilter match-any per.sites (id 4)
   Match  server-domain urlf-glob per.sites

 

Testing QQ, MSN, Tudou and Baidu

OK... the listed sites can no longer be reached, while Baidu and the other sites load normally.

 

 

Related log entries


*May 28 22:02:26.587: %URLF-4-SITE_BLOCKED: (target:class)-(in.out:in.out.web):Access denied for the site 'www.qq.com', client 172.18.10.1:1433  server 202.102.65.32:80
nanjing#
*May 28 22:02:31.563: %URLF-4-SITE_BLOCKED: (target:class)-(in.out:in.out.web):Access denied for the site 'www.qq.com', client 172.18.10.1:1434  server 202.102.65.32:80
nanjing#
*May 28 22:02:41.719: %URLF-4-SITE_BLOCKED: (target:class)-(in.out:in.out.web):Access denied for the site 'www.qq.com', client 172.18.10.1:1435  server 202.102.65.32:80


nanjing#
*May 28 22:06:56.179: %URLF-4-SITE_BLOCKED: (target:class)-(in.out:in.out.web):Access denied for the site 'www.tudou.com', client 172.18.10.1:1436  server 222.73.6.34:80
nanjing#
*May 28 22:07:04.731: %URLF-4-SITE_BLOCKED: (target:class)-(in.out:in.out.web):Access denied for the site 'www.tudou.com', client 172.18.10.1:1437  server 222.73.6.34:80
nanjing#
*May 28 22:07:07.091: %URLF-6-SITE_ALLOWED: (target:class)-(in.out:in.out.web):Client 172.18.10.1:1438  accessed server 222.186.189.137:80
nanjing#
*May 28 22:07:08.535: %URLF-6-SITE_ALLOWED: (target:class)-(in.out:in.out.web):Client 172.18.10.1:1439  accessed server 61.160.209.220:80
*May 28 22:07:09.523: %URLF-6-SITE_ALLOWED: (target:class)-(in.out:in.out.web):Client 172.18.10.1:1440  accessed server 180.153.229.16:80

nanjing#
*May 28 22:07:09.595: %URLF-6-SITE_ALLOWED: (target:class)-(in.out:in.out.web):Client 172.18.10.1:1441  accessed server 180.153.229.16:80
*May 28 22:07:09.719: %URLF-6-SITE_ALLOWED: (target:class)-(in.out:in.out.web):Client 172.18.10.1:1442  accessed server 180.153.229.16:80

nanjing#
*May 28 22:07:54.939: %URLF-4-SITE_BLOCKED: (target:class)-(in.out:in.out.web):Access denied for the site 'www.msn.com', client 172.18.10.1:1444  server 65.54.161.34:80
nanjing#
*May 28 22:08:03.327: %URLF-4-SITE_BLOCKED: (target:class)-(in.out:in.out.web):Access denied for the site 'www.msn.com', client 172.18.10.1:1445  server 65.54.161.34:80
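The log lines above are what objective 3 (a violation log for management) produces. Here is an added Python parser, not from the original post, that turns a console capture (lines copied from the page, interleaved `nanjing#` prompts included) into per-client counts of blocked sites; the message layout is taken from the lines shown, and the regular expressions are assumptions about that fixed layout.

```python
import re
from collections import Counter, defaultdict

# Console capture copied from the page; the interleaved 'nanjing#' prompt lines are kept
# deliberately because a real terminal log contains them and the parser must skip them.
SAMPLE_LOG = """\
*May 28 22:02:26.587: %URLF-4-SITE_BLOCKED: (target:class)-(in.out:in.out.web):Access denied for the site 'www.qq.com', client 172.18.10.1:1433  server 202.102.65.32:80
nanjing#
*May 28 22:02:31.563: %URLF-4-SITE_BLOCKED: (target:class)-(in.out:in.out.web):Access denied for the site 'www.qq.com', client 172.18.10.1:1434  server 202.102.65.32:80
*May 28 22:06:56.179: %URLF-4-SITE_BLOCKED: (target:class)-(in.out:in.out.web):Access denied for the site 'www.tudou.com', client 172.18.10.1:1436  server 222.73.6.34:80
nanjing#
*May 28 22:07:07.091: %URLF-6-SITE_ALLOWED: (target:class)-(in.out:in.out.web):Client 172.18.10.1:1438  accessed server 222.186.189.137:80
*May 28 22:07:54.939: %URLF-4-SITE_BLOCKED: (target:class)-(in.out:in.out.web):Access denied for the site 'www.msn.com', client 172.18.10.1:1444  server 65.54.161.34:80
"""

# Shared prefix: timestamp, mnemonic, then "(target:class)-(zone-pair:class-map):".
_PREFIX = (r"^\*(?P<ts>\w+ \d+ [\d:.]+): %URLF-(?P<sev>\d)-(?P<mnemonic>\w+): "
           r"\([^)]*\)-\((?P<zone_pair>[^:]+):(?P<class_map>[^)]+)\):")
_ENDPOINT = r"(?P<client>[\d.]+):(?P<client_port>\d+)\s+(?:accessed )?server (?P<server>[\d.]+):(?P<server_port>\d+)$"
BLOCKED = re.compile(_PREFIX + r"Access denied for the site '(?P<site>[^']+)', client " + _ENDPOINT)
ALLOWED = re.compile(_PREFIX + r"Client " + _ENDPOINT)


def parse_urlf(text):
    """Parse %URLF SITE_BLOCKED / SITE_ALLOWED lines into dicts; any other line is ignored."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        m = BLOCKED.match(line) or ALLOWED.match(line)
        if m:
            e = m.groupdict()
            e.setdefault("site", None)            # ALLOWED lines carry no site name
            e["action"] = "blocked" if e["mnemonic"] == "SITE_BLOCKED" else "allowed"
            events.append(e)
    return events


def violations_by_client(events):
    """Per client IP, how many times each blocked site was requested: the report for management."""
    report = defaultdict(Counter)
    for e in events:
        if e["action"] == "blocked":
            report[e["client"]][e["site"]] += 1
    return {client: dict(sites) for client, sites in report.items()}


if __name__ == "__main__":
    for client, sites in violations_by_client(parse_urlf(SAMPLE_LOG)).items():
        print(client, sites)
```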

 

 

 

Viewing the URL-filter details (session counts, traffic volume, direction and so on)

nanjing#show policy-map t inspect zone-pair urlfilter

policy exists on zp in.out
 Zone-pair: in.out

  Service-policy inspect : in.out.policy

    Class-map: in.out.web (match-any)
      Match: protocol http
        148 packets, 4736 bytes
        30 second rate 0 bps

   Inspect
        Packet inspection statistics [process switch:fast switch]
        tcp packets: [31:1742]

        Session creations since subsystem startup or last reset 148
        Current session counts (estab/half-open/terminating) [0:0:0]
        Maxever session counts (estab/half-open/terminating) [14:24:2]
        Last session created 00:02:06
        Last statistic reset never
        Last session creation rate 0
        Maxever session creation rate 56
        Last half-open session total 0
        TCP reassembly statistics
        received 4 packets out-of-order; dropped 0
        peak memory usage 1 KB; current usage: 0 KB
        peak queue length 1


        URL Filtering is in ALLOW_MODE

        Current requests count: 0
        Current packet buffer count(in use): 0
        Maxever request count: 0
        Maxever packet buffer count: 0
        Total cache hit count: 0
        Total requests sent to URL Filter Server :0
        Total responses received from URL Filter Server :0
        Total error responses received from URL Filter Server :0
        Total requests allowed: 0
        Total requests blocked: 0
        1min/5min Avg Round trip time to URLF Server: 0/0 millisecs
        1min/5min Minimum round trip time to URLF server: 0/0 millisecs
        1min/5min Maximum round trip time to URLF server: 0/0 millisecs
        Last req round trip time to URLF Server: 0 millisecs


    Class-map: per.traffic (match-any)
      Match: protocol https
        0 packets, 0 bytes
        30 second rate 0 bps
      Match: protocol ssh
        0 packets, 0 bytes
        30 second rate 0 bps
      Match: protocol telnet
        0 packets, 0 bytes
        30 second rate 0 bps
      Match: protocol icmp
        0 packets, 0 bytes
        30 second rate 0 bps
      Match: protocol pop3
        0 packets, 0 bytes
        30 second rate 0 bps
      Match: protocol imap3
        0 packets, 0 bytes
        30 second rate 0 bps
      Match: protocol dns
        34 packets, 1375 bytes
        30 second rate 0 bps
      Match: protocol smtp
        0 packets, 0 bytes
        30 second rate 0 bps
      Match: protocol snmp
        0 packets, 0 bytes
        30 second rate 0 bps
      Match: protocol ftp
        0 packets, 0 bytes
        30 second rate 0 bps
      Match: protocol ntp
        0 packets, 0 bytes
        30 second rate 0 bps

   Inspect
        Packet inspection statistics [process switch:fast switch]
        udp packets: [70:0]

        Session creations since subsystem startup or last reset 34
        Current session counts (estab/half-open/terminating) [0:0:0]
        Maxever session counts (estab/half-open/terminating) [11:3:0]
        Last session created 00:09:09
        Last statistic reset never
        Last session creation rate 0
        Maxever session creation rate 14
        Last half-open session total 0
        TCP reassembly statistics
        received 0 packets out-of-order; dropped 0
        peak memory usage 0 KB; current usage: 0 KB
        peak queue length 0


    Class-map: class-default (match-any)
      Match: any
      Drop
        26 packets, 968 bytes

policy exists on zp in.dmz
 Zone-pair: in.dmz

  Service-policy inspect : in.dmz.policy

    Class-map: in.out.web (match-any)
      Match: protocol http
        0 packets, 0 bytes
        30 second rate 0 bps

   Inspect
        Session creations since subsystem startup or last reset 0
        Current session counts (estab/half-open/terminating) [0:0:0]
        Maxever session counts (estab/half-open/terminating) [0:0:0]
        Last session created never
        Last statistic reset never
        Last session creation rate 0
        Maxever session creation rate 0
        Last half-open session total 0
        TCP reassembly statistics
        received 0 packets out-of-order; dropped 0
        peak memory usage 0 KB; current usage: 0 KB
        peak queue length 0


    Class-map: per.traffic (match-any)
      Match: protocol https
        0 packets, 0 bytes
        30 second rate 0 bps
      Match: protocol ssh
        0 packets, 0 bytes
        30 second rate 0 bps
      Match: protocol telnet
        0 packets, 0 bytes
        30 second rate 0 bps
      Match: protocol icmp
        0 packets, 0 bytes
        30 second rate 0 bps
      Match: protocol pop3
        0 packets, 0 bytes
        30 second rate 0 bps
      Match: protocol imap3
        0 packets, 0 bytes
        30 second rate 0 bps
      Match: protocol dns
        0 packets, 0 bytes
        30 second rate 0 bps
      Match: protocol smtp
        0 packets, 0 bytes
        30 second rate 0 bps
      Match: protocol snmp
        0 packets, 0 bytes
        30 second rate 0 bps
      Match: protocol ftp
        0 packets, 0 bytes
        30 second rate 0 bps
      Match: protocol ntp
        0 packets, 0 bytes
        30 second rate 0 bps

   Inspect
        Session creations since subsystem startup or last reset 0
        Current session counts (estab/half-open/terminating) [0:0:0]
        Maxever session counts (estab/half-open/terminating) [0:0:0]
        Last session created never
        Last statistic reset never
        Last session creation rate 0
        Maxever session creation rate 0
        Last half-open session total 0
        TCP reassembly statistics
        received 0 packets out-of-order; dropped 0
        peak memory usage 0 KB; current usage: 0 KB
        peak queue length 0


    Class-map: class-default (match-any)
      Match: any
      Drop
        0 packets, 0 bytes

policy exists on zp out.dmz
 Zone-pair: out.dmz

  Service-policy inspect : out.dmz.policy

    Class-map: out.dmz.class (match-all)
      Match: access-group name server
      Match: class-map match-any per.traffic
        Match: protocol https
          0 packets, 0 bytes
          30 second rate 0 bps
        Match: protocol ssh
          0 packets, 0 bytes
          30 second rate 0 bps
        Match: protocol telnet
          0 packets, 0 bytes
          30 second rate 0 bps
        Match: protocol icmp
          0 packets, 0 bytes
          30 second rate 0 bps
        Match: protocol pop3
          0 packets, 0 bytes
          30 second rate 0 bps
        Match: protocol imap3
          0 packets, 0 bytes
          30 second rate 0 bps
        Match: protocol dns
          0 packets, 0 bytes
          30 second rate 0 bps
        Match: protocol smtp
          0 packets, 0 bytes
          30 second rate 0 bps
        Match: protocol snmp
          0 packets, 0 bytes
          30 second rate 0 bps
        Match: protocol ftp
          0 packets, 0 bytes
          30 second rate 0 bps
        Match: protocol ntp
          0 packets, 0 bytes
          30 second rate 0 bps

   Inspect
        Packet inspection statistics [process switch:fast switch]
        tcp packets: [3:95]

        Session creations since subsystem startup or last reset 6
        Current session counts (estab/half-open/terminating) [0:0:0]
        Maxever session counts (estab/half-open/terminating) [2:1:1]
        Last session created 00:08:23
        Last statistic reset never
        Last session creation rate 0
        Maxever session creation rate 5
        Last half-open session total 0
        TCP reassembly statistics
        received 0 packets out-of-order; dropped 0
        peak memory usage 0 KB; current usage: 0 KB
        peak queue length 0


    Class-map: class-default (match-any)
      Match: any
      Drop
        3 packets, 84 bytes

policy exists on zp dmz.out
 Zone-pair: dmz.out

  Service-policy inspect : dmz.out.policy

    Class-map: dmz.out.class (match-any)
      Match: class-map match-any in.out.web
        0 packets, 0 bytes
        30 second rate 0 bps
        Match: protocol http
          0 packets, 0 bytes
          30 second rate 0 bps
      Match: class-map match-any per.traffic
        0 packets, 0 bytes
        30 second rate 0 bps
        Match: protocol https
          0 packets, 0 bytes
          30 second rate 0 bps
        Match: protocol ssh
          0 packets, 0 bytes
          30 second rate 0 bps
        Match: protocol telnet
          0 packets, 0 bytes
          30 second rate 0 bps
        Match: protocol icmp
          0 packets, 0 bytes
          30 second rate 0 bps
        Match: protocol pop3
          0 packets, 0 bytes
          30 second rate 0 bps
        Match: protocol imap3
          0 packets, 0 bytes
          30 second rate 0 bps
        Match: protocol dns
          0 packets, 0 bytes
          30 second rate 0 bps
        Match: protocol smtp
          0 packets, 0 bytes
          30 second rate 0 bps
        Match: protocol snmp
          0 packets, 0 bytes
          30 second rate 0 bps
        Match: protocol ftp
          0 packets, 0 bytes
          30 second rate 0 bps
        Match: protocol ntp
          0 packets, 0 bytes
          30 second rate 0 bps

   Inspect
        Packet inspection statistics [process switch:fast switch]
        udp packets: [2:0]

        Session creations since subsystem startup or last reset 1
        Current session counts (estab/half-open/terminating) [0:0:0]
        Maxever session counts (estab/half-open/terminating) [1:1:0]
        Last session created 00:18:25
        Last statistic reset never
        Last session creation rate 0
        Maxever session creation rate 1
        Last half-open session total 0
        TCP reassembly statistics
        received 0 packets out-of-order; dropped 0
        peak memory usage 0 KB; current usage: 0 KB
        peak queue length 0


    Class-map: class-default (match-any)
      Match: any
      Drop
        0 packets, 0 bytes

 

 

 

Finally, a look at the NAT translations: these are normal as well, and access to the DMZ works as expected.

nanjing#show ip nat tr
Pro Inside global      Inside local       Outside local      Outside global
tcp 39.0.88.200:20     172.18.20.1:20     ---                ---
tcp 39.0.88.200:21     172.18.20.1:21     ---                ---
tcp 39.0.88.200:22     172.18.20.1:22     ---                ---
tcp 39.0.88.200:23     172.18.20.1:23     39.0.88.3:4302     39.0.88.3:4302
tcp 39.0.88.200:23     172.18.20.1:23     ---                ---
tcp 39.0.88.200:25     172.18.20.1:25     39.0.88.3:4461     39.0.88.3:4461
tcp 39.0.88.200:25     172.18.20.1:25     ---                ---
udp 39.0.88.200:53     172.18.20.1:53     ---                ---
tcp 39.0.88.200:80     172.18.20.1:80     39.0.88.3:4470     39.0.88.3:4470
tcp 39.0.88.200:80     172.18.20.1:80     ---                ---
tcp 39.0.88.200:110    172.18.20.1:110    39.0.88.3:4465     39.0.88.3:4465
tcp 39.0.88.200:110    172.18.20.1:110    ---                ---
tcp 39.0.88.200:143    172.18.20.1:143    ---                ---
tcp 39.0.88.200:443    172.18.20.1:443    39.0.88.3:4458     39.0.88.3:4458
tcp 39.0.88.200:443    172.18.20.1:443    ---                ---

 

Closing remarks

1. Deploying these commands comes down to distinguishing the direction and type of traffic, and matching the intended requirements.

2. More commands are not better; what matters is meeting the goal. If one command does the job, do not use two.

3. Scope the impact as precisely as possible: for example, to restrict clientA's access, use the host keyword rather than a network.

4. Follow a procedure when configuring, or things get messy.

The above are my own observations from work; corrections for any shortcomings are welcome.