H3C SecPath F100-C-EI防火墙设置一例

#
 sysname H3C
#
 firewall packet-filter enable
 firewall packet-filter default permit
#
 insulate
#
 nat address-group 0 222.92.223.107 222.92.223.108  //ISP分配的固定IP地址池
#
 firewall statistic system enable
#
 DNS server 61.177.7.1  //ISP DNS
#
radius scheme system
 server-type extended
#
domain system
 authentication none
 authorization none
 accounting none
#
local-user admin
 password simple admin0fnoah
 service-type telnet terminal
 level 3
 service-type ftp
#
acl number 2001
 rule 0 permit source 192.168.50.0 0.0.0.255
#
interface Aux0
 async mode flow
#
interface Ethernet0/0
 ip address 192.168.50.254 255.255.255.0 //内网口IP cnwan.com.cn
#
interface Ethernet0/1
#
interface Ethernet0/2
#
interface Ethernet0/3
#
interface Ethernet0/4
 ip address 222.92.223.110 255.255.255.248  //公网口IP
 nat outbound 2001 address-group 0  //启用NAT
 nat server protocol tcp global 222.92.223.107 www inside 192.168.50.11 www  //端口映射
 nat server protocol tcp global 222.92.223.107 8080 inside 192.168.50.11 8080
 nat server protocol tcp global 222.92.223.107 3389 inside 192.168.50.11 3389
 nat server protocol tcp global 222.92.223.108 www inside 192.168.50.10 www
 nat server protocol tcp global 222.92.223.108 8080 inside 192.168.50.10 8080
 nat server protocol tcp global 222.92.223.108 3389 inside 192.168.50.10 3389
#
interface Encrypt1/0
#
interface NULL0

菜鸟技术网

#
firewall zone local
 set priority 100
#
firewall zone trust
 add interface Ethernet0/0  //内网口加入安全域
 set priority 85
#
firewall zone untrust
 add interface Ethernet0/4
 set priority 5
#
firewall zone DMZ
 set priority 50
#
firewall interzone local trust
#
firewall interzone local untrust
#
firewall interzone local DMZ
#
firewall interzone trust untrust
#
firewall interzone trust DMZ
#
firewall interzone DMZ untrust
#
 FTP server enable
#
 ip route-static 0.0.0.0 0.0.0.0 222.92.223.105 preference 60  //路由
#
user-interface con 0
user-interface aux 0
user-interface vty 0 4
 authentication-mode scheme
#
return cnwan.com.cn
本文来自: 菜鸟技术网(www.cnwan.com.cn) 详细出处参考：http://www.cnwan.com.cn/a/firewall/yingjianfanghuoqiang/2010/1126/1075.html

转载于:https://blog.51cto.com/lanring/435074