[Firewall Series, Part 2] How a zone-based firewall filters internal users' web access
Background
Managers would like employees to spend working hours actually working and to do as little unrelated to the job as possible. Employees, for their part, cannot keep their heads down in the office all day; they need to relax now and then.
Hence the conflict: management wants employees off the public internet as much as possible, with no chatting or movie-watching during work hours...
Employees want to chat and watch movies...
The enterprise network engineer's job is to strike a compromise that satisfies management without driving colleagues to revolt. That compromise is what follows.
Implementation goals
1. Filter QQ, MSN, Kaixin, Xunlei, Tudou, Youku, iQIYI, Taobao, 58.com, 6.cn, ...
2. Permit all other sites
3. Log violations so management can review them (-_-)
4. Leave access to the DMZ zone unrestricted
-----------------------------------------------------
Key commands
Define the sites to be filtered. A pattern can be written either as a plain host match (xx.xx) or as a regex (\.*xx.xx). Only the parameter-map headers are reproduced below; the pattern lines under each one, which hold the actual domain globs, are not shown. Remember to permit all remaining site traffic at the end, otherwise your colleagues will revolt -_-
parameter-map type regex uri.regex.cm
parameter-map type urlf-glob qq
parameter-map type urlf-glob msn
parameter-map type urlf-glob taobao
parameter-map type urlf-glob renren
parameter-map type urlf-glob kaixin001
parameter-map type urlf-glob 58
parameter-map type urlf-glob xunlei
parameter-map type urlf-glob 6
parameter-map type urlf-glob tudou
parameter-map type urlf-glob youku
parameter-map type urlf-glob iqiyi
parameter-map type urlf-glob per.sites
Define the URL filter classes
Again in two parts: one class for the restricted sites and one for full access.
class-map type urlfilter match-any dis.web
 match server-domain urlf-glob qq
 match server-domain urlf-glob taobao
 match server-domain urlf-glob renren
 match server-domain urlf-glob kaixin001
 match server-domain urlf-glob 58
 match server-domain urlf-glob 6
 match server-domain urlf-glob xunlei
 match server-domain urlf-glob youku
 match server-domain urlf-glob tudou
 match server-domain urlf-glob iqiyi
 match server-domain urlf-glob msn

class-map type urlfilter match-any per.sites
 match server-domain urlf-glob per.sites
Create the policy dedicated to URL filtering. The restricted class is checked first; the full-access class comes last so that everything not explicitly blocked is permitted.
Class          Action
Restricted     log / reset session
Full access    log / allow
policy-map type inspect urlfilter dis.web
 class type urlfilter dis.web
  log
  reset
 class type urlfilter per.sites
  allow
  log
Attach the policy. The URL filter policy is nested as a service-policy under the HTTP class (in.out.web) of the zone-pair inspect policy; note that class-default is set to drop, so traffic matching neither in.out.web nor per.traffic is discarded.
policy-map type inspect in.out.policy
 class type inspect in.out.web
  inspect
  service-policy urlfilter dis.web
 class type inspect per.traffic
  inspect
 class class-default
  drop
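To sanity-check a block list before pushing it to the router, it helps to model the evaluation the policy above performs. The following is an added example, not configuration from the blog: it assumes hypothetical glob patterns for each parameter-map (the page does not show the pattern lines), treats '*' as the only wildcard, and evaluates the classes in the order they appear in policy-map type inspect urlfilter dis.web, first match wins. It also shows what happens when per.sites is listed first or removed.

```python
import re

# Hypothetical contents of the parameter-map type urlf-glob entries. The blog
# shows only the parameter-map names; the pattern lines under them are assumed.
PARAMETER_MAPS = {
    "qq":        ["qq.com", "*.qq.com"],
    "msn":       ["*.msn.com", "*.live.com"],
    "taobao":    ["*.taobao.com"],
    "renren":    ["*.renren.com"],
    "kaixin001": ["*.kaixin001.com"],
    "58":        ["*.58.com"],
    "6":         ["*.6.cn"],
    "xunlei":    ["*.xunlei.com"],
    "tudou":     ["*.tudou.com"],
    "youku":     ["*.youku.com"],
    "iqiyi":     ["*.iqiyi.com"],
    "per.sites": ["*"],   # catch-all: the "permit everything else" map
}

# class-map type urlfilter match-any: a class matches when any listed
# parameter-map matches the server domain.
CLASS_MAPS = {
    "dis.web":   ["qq", "taobao", "renren", "kaixin001", "58", "6",
                  "xunlei", "youku", "tudou", "iqiyi", "msn"],
    "per.sites": ["per.sites"],
}

# policy-map type inspect urlfilter dis.web, classes in configured order.
POLICY = [
    ("dis.web",   ("log", "reset")),
    ("per.sites", ("allow", "log")),
]


def glob_to_regex(glob):
    """Anchored, case-insensitive regex for a domain glob.

    Only '*' is a wildcard; every other character is literal. Anchoring both
    ends is what stops 'qq.com' from matching 'qq.com.example.net'.
    """
    body = ".*".join(re.escape(part) for part in glob.split("*"))
    return re.compile("^" + body + "$", re.IGNORECASE)


def matching_parameter_map(class_name, host):
    """Return the first parameter-map in the class that matches host, or None."""
    for pm_name in CLASS_MAPS[class_name]:
        for glob in PARAMETER_MAPS[pm_name]:
            if glob_to_regex(glob).match(host):
                return pm_name
    return None


def evaluate(host, policy=POLICY):
    """First-match evaluation of the urlfilter policy for one HTTP Host value.

    Returns (class_name, parameter_map, actions). With the catch-all
    per.sites class last, every host lands in exactly one of the two classes;
    if that class is removed, unmatched hosts fall through to (None, None, ()).
    """
    host = host.strip().rstrip(".")
    for class_name, actions in policy:
        pm_name = matching_parameter_map(class_name, host)
        if pm_name is not None:
            return class_name, pm_name, actions
    return None, None, ()


if __name__ == "__main__":
    for h in ["www.qq.com", "WWW.QQ.COM", "qq.com.example.net", "www.baidu.com"]:
        print(f"{h:22} -> {evaluate(h)}")
    # Reversing the class order shows why per.sites must stay last.
    print("www.qq.com, per.sites first ->", evaluate("www.qq.com", list(reversed(POLICY))))
```

The reversed-order run is the case the warning in the text is about: with the catch-all class first, www.qq.com is allowed and logged, and the restricted class is never reached.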
Check the result
Class Map type urlfilter match-any per.sites (id 4)
Test: QQ, MSN, Tudou, Baidu
OK... the listed sites can no longer be reached, while Baidu and other sites still load normally. Keep in mind that server-domain matching is applied to the HTTP sessions the in.out.web class hands to the urlfilter policy (port 80 in the log below); HTTPS sessions to the same hosts carry no inspectable Host header, so filtering by domain in this way covers plain HTTP only.
Related log entries
*May 28 22:02:26.587: %URLF-4-SITE_BLOCKED: (target:class)-(in.out:in.out.web):Access denied for the site 'www.qq.com', client 172.18.10.1:1433 server 202.102.65.32:80
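Goal 3 was a violation log that management can query. Pulling the %URLF-4-SITE_BLOCKED lines apart into fields and aggregating them per client answers "who tried to reach what, and how often". The script below is an added example, not part of the blog; the first sample line is the one shown above, and the remaining lines are constructed for the example (the 203.0.113.0/24 server addresses are a documentation range, and the %SYS line is there to show that non-matching messages are skipped).

```python
import re
from collections import defaultdict

# Fields of the %URLF-4-SITE_BLOCKED message: timestamp, the literal
# "(target:class)" label, (zone-pair:class-map), site, client and server.
SITE_BLOCKED = re.compile(
    r"^\*?(?P<ts>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}(?:\.\d+)?):\s+"
    r"%URLF-4-SITE_BLOCKED:\s+\(target:class\)-"
    r"\((?P<zone_pair>[^:]+):(?P<class_map>[^)]+)\):"
    r"Access denied for the site '(?P<site>[^']+)',\s+"
    r"client (?P<client_ip>[\d.]+):(?P<client_port>\d+)\s+"
    r"server (?P<server_ip>[\d.]+):(?P<server_port>\d+)\s*$"
)

# The first line is the one from the page; the others are constructed for
# this example, using a documentation address range for the servers.
SAMPLE_LOG = """\
*May 28 22:02:26.587: %URLF-4-SITE_BLOCKED: (target:class)-(in.out:in.out.web):Access denied for the site 'www.qq.com', client 172.18.10.1:1433 server 202.102.65.32:80
*May 28 22:03:01.102: %URLF-4-SITE_BLOCKED: (target:class)-(in.out:in.out.web):Access denied for the site 'www.tudou.com', client 172.18.10.1:1440 server 203.0.113.10:80
*May 28 22:03:15.990: %URLF-4-SITE_BLOCKED: (target:class)-(in.out:in.out.web):Access denied for the site 'www.qq.com', client 172.18.10.7:2201 server 202.102.65.32:80
*May 28 22:03:20.004: %SYS-5-CONFIG_I: Configured from console by console
"""


def parse_line(line):
    """Return a dict of fields for a SITE_BLOCKED line, or None for anything else."""
    m = SITE_BLOCKED.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["client_port"] = int(rec["client_port"])
    rec["server_port"] = int(rec["server_port"])
    return rec


def summarize(log_text):
    """Aggregate blocked requests per client: total hits and the distinct sites."""
    summary = defaultdict(lambda: {"hits": 0, "sites": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        entry = summary[rec["client_ip"]]
        entry["hits"] += 1
        entry["sites"].add(rec["site"])
    return {ip: {"hits": e["hits"], "sites": sorted(e["sites"])}
            for ip, e in summary.items()}


if __name__ == "__main__":
    for ip, e in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{ip:15} {e['hits']:3} blocked  {', '.join(e['sites'])}")
```

Run it against an export from a syslog collector rather than the router's own buffer: the buffer is small and is lost on reload, so for these records to be available when management asks, the router should be sending its logs to a syslog host.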
View the URL filtering details (session counts, data volume, direction, ...). The output below is abridged.
nanjing#show policy-map type inspect zone-pair urlfilter
policy exists on zp in.out
 Service-policy inspect : in.out.policy
  Class-map: in.out.web (match-any)
   Inspect
    Session creations since subsystem startup or last reset 148
    Current requests count: 0
   Inspect
    Session creations since subsystem startup or last reset 34
policy exists on zp in.dmz
 Service-policy inspect : in.dmz.policy
  Class-map: in.out.web (match-any)
   Inspect
   Inspect
policy exists on zp out.dmz
 Service-policy inspect : out.dmz.policy
  Class-map: out.dmz.class (match-all)
   Inspect
    Session creations since subsystem startup or last reset 6
policy exists on zp dmz.out
 Service-policy inspect : dmz.out.policy
  Class-map: dmz.out.class (match-any)
   Inspect
    Session creations since subsystem startup or last reset 1
Finally, the NAT translations are also normal, and access to the DMZ zone works as expected.
nanjing#show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
tcp 39.0.88.200:20     172.18.20.1:20     ---                ---
tcp 39.0.88.200:21     172.18.20.1:21     ---                ---
tcp 39.0.88.200:22     172.18.20.1:22     ---                ---
tcp 39.0.88.200:23     172.18.20.1:23     39.0.88.3:4302     39.0.88.3:4302
tcp 39.0.88.200:23     172.18.20.1:23     ---                ---
tcp 39.0.88.200:25     172.18.20.1:25     39.0.88.3:4461     39.0.88.3:4461
tcp 39.0.88.200:25     172.18.20.1:25     ---                ---
udp 39.0.88.200:53     172.18.20.1:53     ---                ---
tcp 39.0.88.200:80     172.18.20.1:80     39.0.88.3:4470     39.0.88.3:4470
tcp 39.0.88.200:80     172.18.20.1:80     ---                ---
tcp 39.0.88.200:110    172.18.20.1:110    39.0.88.3:4465     39.0.88.3:4465
tcp 39.0.88.200:110    172.18.20.1:110    ---                ---
tcp 39.0.88.200:143    172.18.20.1:143    ---                ---
tcp 39.0.88.200:443    172.18.20.1:443    39.0.88.3:4458     39.0.88.3:4458
tcp 39.0.88.200:443    172.18.20.1:443    ---                ---
Closing thoughts
1. Deploying the commands comes down to distinguishing the direction and type of traffic, and matching the stated requirements.
2. More commands are not better; what matters is meeting the goal. If one command does it, do not use two.
3. Scope the impact as precisely as possible: to restrict client A, use the host keyword rather than a network range.
4. Follow a procedure when configuring, or things get messy quickly.
The above reflects my own experience at work; corrections are welcome.
Reposted from: https://blog.51cto.com/ciscoskys/881203