透明模式
#
sysname f100-s
#
firewall packet-filter enable //必配 开启防火墙双向通信
firewall packet-filter default permit // 必配 开启防火墙双向通信
firewall mode transparent //透明模式下管理地址的配置
firewall system-ip 192.168.100.3 255.255.255.0
#
firewall statistic system enable //必配 开启防火墙双向通信
#
#
local-user 81851107 //登录的用户名
password simple 81851107
service-type telnet terminal
level 3
#
acl number 3333 //防护策略
rule 1 deny tcp destination-port eq 135
rule 2 deny udp destination-port eq 135
rule 3 deny udp destination-port eq netbios-ns
rule 4 deny udp destination-port eq netbios-dgm
rule 5 deny tcp destination-port eq 139
rule 6 deny udp destination-port eq netbios-ssn
rule 7 deny tcp destination-port eq 445
rule 8 deny udp destination-port eq 445
rule 9 deny tcp destination-port eq 539
rule 10 deny udp destination-port eq 539
rule 11 deny udp destination-port eq 593
rule 12 deny tcp destination-port eq 593
rule 13 deny udp destination-port eq 1434
rule 14 deny udp destination-port eq 1433
rule 15 deny tcp destination-port eq 4444
rule 16 deny tcp destination-port eq 9996
rule 17 deny tcp destination-port eq 5554
rule 18 deny udp destination-port eq 9996
rule 19 deny udp destination-port eq 5554
rule 20 deny tcp destination-port eq 137
rule 21 deny tcp destination-port eq 138
rule 22 deny tcp destination-port eq 1025
rule 23 deny udp destination-port eq 1025
rule 24 deny tcp destination-port eq 9995
rule 25 deny udp destination-port eq 9995
rule 26 deny tcp destination-port eq 1068
rule 27 deny udp destination-port eq 1068
rule 28 deny tcp destination-port eq 1023
rule 29 deny udp destination-port eq 1023
#
interface Aux0
async mode flow
#
interface Ethernet0/0
promiscuous
#
interface Ethernet0/1
promiscuous
#
interface Ethernet0/2
promiscuous
#
interface Ethernet0/3
promiscuous
#
interface Encrypt1/0
#
interface NULL0
#
interface LoopBack0 //环回本地地址
ip address 192.168.100.3 255.255.255.0
#
firewall zone local
set priority 100
#
firewall zone trust //内网接口加入安全域
add interface Ethernet0/1
add interface Ethernet0/2
add interface Ethernet0/3
set priority 85
#
firewall zone untrust //wan口 非受信
add interface Ethernet0/0
set priority 5
#
firewall zone DMZ
set priority 50
#
firewall interzone local trust
#
firewall interzone local untrust
#
firewall interzone local DMZ
#
firewall interzone trust untrust
#
firewall interzone trust DMZ
#
firewall interzone DMZ untrust
#
ip route-static 0.0.0.0 0.0.0.0 192.168.100.1 preference 60 //管理路由
ip route-static 192.168.0.0 255.255.0.0 192.168.100.2 preference 60 //管理路由
#
firewall defend land
firewall defend smurf
firewall defend fraggle
firewall defend winnuke
firewall defend icmp-redirect
firewall defend icmp-unreachable
firewall defend source-route
firewall defend route-record
firewall defend tracert
firewall defend ping-of-death
firewall defend tcp-flag
firewall defend ip-fragment
firewall defend large-icmp
firewall defend teardrop
firewall defend ip-sweep
firewall defend port-scan
firewall defend arp-spoofing
firewall defend arp-flood
firewall defend frag-flood
firewall defend syn-flood enable
firewall defend udp-flood enable
firewall defend icmp-flood enable
#
user-interface con 0
user-interface aux 0
user-interface vty 0 4
authentication-mode scheme
#
return
[f100-s]
第二种开启透明模式
#
bridge enable //开启桥接模式
bridge 1 enable
interface Ethernet0/0 、//把接口加入桥
bridge-set 1
interface Ethernet0/1
bridge-set 1
firewall zone local
set priority 100
#
firewall zone trust
add interface Ethernet0/1
set priority 85
#
firewall zone untrust
add interface Ethernet0/0
set priority 5
#
firewall zone DMZ
set priority 50
路由模式
DIS CU
#
sysname H3C
#
firewall packet-filter enable
firewall packet-filter default permit
#
firewall statistic system enable
#
#
local-user
password simple
service-type telnet terminal
level 3
#
dhcp server ip-pool 1 //DHCP服务器
network 192.168.1.0 mask 255.255.255.0
gateway-list 192.168.1.1
dns-list 202.102.152.3
#
acl number 3000 //允许的上网网段
rule 0 permit ip
acl number 3333
rule 1 deny tcp destination-port eq 135
rule 2 deny udp destination-port eq 135
rule 3 deny udp destination-port eq netbios-ns
rule 4 deny udp destination-port eq netbios-dgm
rule 5 deny tcp destination-port eq 139
rule 6 deny udp destination-port eq netbios-ssn
rule 7 deny tcp destination-port eq 445
rule 8 deny udp destination-port eq 445
rule 9 deny tcp destination-port eq 539
rule 10 deny udp destination-port eq 539
rule 11 deny udp destination-port eq 593
rule 12 deny tcp destination-port eq 593
rule 13 deny udp destination-port eq 1434
rule 14 deny udp destination-port eq 1433
rule 15 deny tcp destination-port eq 4444
rule 16 deny tcp destination-port eq 9996
rule 17 deny tcp destination-port eq 5554
rule 18 deny udp destination-port eq 9996
rule 19 deny udp destination-port eq 5554
rule 20 deny tcp destination-port eq 137
rule 21 deny tcp destination-port eq 138
rule 22 deny tcp destination-port eq 1025
rule 23 deny udp destination-port eq 1025
rule 24 deny tcp destination-port eq 9995
rule 25 deny udp destination-port eq 9995
rule 26 deny tcp destination-port eq 1068
rule 27 deny udp destination-port eq 1068
rule 28 deny tcp destination-port eq 1023
rule 29 deny udp destination-port eq 1023
#
interface Aux0
async mode flow
#
interface Ethernet0/0
ip address X.X.X.X 255.255.255.192
firewall packet-filter 3333 inbound
nat outbound 3000 //
#
interface Ethernet0/1
ip address 192.168.100.1 255.255.255.0
#
interface Ethernet0/2
#
interface Ethernet0/3
#
interface Encrypt2/0
#
interface NULL0
#
firewall zone local
set priority 100
#
firewall zone trust
add interface Ethernet0/1
add interface Ethernet0/2
add interface Ethernet0/3
set priority 85
#
firewall zone untrust
add interface Ethernet0/0
set priority 5
#
firewall zone DMZ
set priority 50
#
firewall interzone local trust
#
firewall interzone local untrust
#
firewall interzone local DMZ
#
firewall interzone trust untrust
#
firewall interzone trust DMZ
#
firewall interzone DMZ untrust
#
ip route-static 0.0.0.0 0.0.0.0 X.X.X.X preference 60
ip route-static 192.168.0.0 255.255.0.0 192.168.100.2 preference 60
#
firewall defend land
firewall defend smurf
firewall defend fraggle
firewall defend winnuke
firewall defend icmp-redirect
firewall defend icmp-unreachable
firewall defend source-route
firewall defend route-record
firewall defend tracert
firewall defend ping-of-death
firewall defend tcp-flag
firewall defend ip-fragment
firewall defend large-icmp
firewall defend teardrop
firewall defend ip-sweep
firewall defend port-scan
firewall defend arp-spoofing
firewall defend arp-flood
firewall defend frag-flood
firewall defend syn-flood enable
firewall defend udp-flood enable
firewall defend icmp-flood enable
#
user-interface con 0
user-interface aux 0
user-interface vty 0 4
authentication-mode scheme
set authentication password simple XXXXXXXXXXXXXXX
return