【導(dǎo)讀】華為技術(shù)有限公司。版權(quán)所有侵權(quán)必究。安全域概念介紹...8. 訪問控制策略和報(bào)文過濾...12. 防火墻缺省動(dòng)作...16. 基于純VRRP的備份...18. 雙機(jī)熱備的注意事項(xiàng)...19. 攻擊檢測(cè)模塊同黑名單聯(lián)動(dòng)...20. 對(duì)有潛在危害性的報(bào)文的過濾...23. 配置的常見問題...36. ACL加速編譯失敗...37. 使能地址綁定功能之后，原來配置的靜態(tài)ARP表項(xiàng)消失...37. 配置了ASPF功能，要進(jìn)行java/activexblock功能，也配置了ACL用來劃定范圍，但是卻。攻擊防范和統(tǒng)計(jì)功能...37. 使能了地址掃描/端口掃描共能，但卻沒有作用...37. 在應(yīng)用正常的情況下，改動(dòng)了vrrp的屬性發(fā)現(xiàn)通訊有問題，表現(xiàn)為能ping通接口，但是不。VRRP配置不一致的時(shí)候，屏幕上打印大量告警影響使用...38. VRRP狀態(tài)不穩(wěn)定切換頻繁...38. Eudemon200防火墻操作指導(dǎo)。摘要：本文對(duì)Eudemon200防火墻的特點(diǎn)、典型應(yīng)用以及常見的攻擊方式及在。Eudemon200上的防范方法作了簡(jiǎn)要的說明。目的本文通過對(duì)Eudemon200防火墻的特點(diǎn)，使用方法作出描述，使讀者可以對(duì)我司的狀。態(tài)防火墻有一個(gè)初步的認(rèn)識(shí)，可以結(jié)合實(shí)例和攻擊的特點(diǎn)對(duì)防火墻進(jìn)行有效的配置，保護(hù)網(wǎng)

　　

【正文】 icast igmpallenable interface Aux0 async mode flow linkprotocol ppp interface Ether0/0/0 interface Ether0/0/1 interface Ether1/0/0 interface Ether1/0/1 interface NULL0 firewall zone local set priority 100 firewall zone trust set priority 85 firewall zone untrust set priority 5 firewall zone DMZ set priority 50 firewall interzone local trust firewall interzone local untrust firewall interzone local DMZ firewall interzone trust untrust firewall interzone trust DMZ firewall interzone DMZ untrust userinterface con 0 userinterface aux 0 userinterface vty 0 4 return 可見，基本的防火墻有 4個(gè)預(yù)定義域， Local/trust/untrust/dmz。 第一件要做的事就是將接口加到相應(yīng)的域中 [Eudemon] firewall zone trust [Eudemonzonetrust] add interface ether 0/0/0 如此往復(fù)，將所有需要用到的接口分別加到不同的域中，要遵循的是，只要希望數(shù)據(jù)在這兩個(gè)接口之間流動(dòng)的時(shí)候要經(jīng)過防火墻檢查，就需要將這兩個(gè)接口分別加到不同的域里。沒有加入到域中的接口是無法在防火墻上轉(zhuǎn)發(fā)報(bào)文的。 其次，檢查域間的包過濾配置。在組網(wǎng)開始的時(shí)候，為了測(cè)試網(wǎng)絡(luò)的聯(lián)通性，可以通過設(shè)置防火墻缺省規(guī)則將所有域間下包過濾的缺省規(guī)則都設(shè)置為允許。在網(wǎng)絡(luò)測(cè)試通暢之后再關(guān)閉這些許可，轉(zhuǎn) 而使用詳細(xì)的 ACL規(guī)則作為報(bào)文過濾的依據(jù)。 一個(gè)保證網(wǎng)絡(luò)通暢的配置如下： sysname Eudemon tcp window 8 firewall packetfilter default permit interzone local trust direction inbound firewall packetfilter default permit interzone local trust direction outbound firewall packetfilter default permit interzone local untrust direction inbound firewall packetfilter default permit interzone local untrust direction outbound firewall packetfilter default permit interzone local DMZ direction inbound firewall packetfilter default permit interzone local DMZ direction outbound firewall packetfilter default permit interzone trust untrust direction inbound firewall packetfilter default permit interzone trust untrust direction outbound firewall packetfilter default permit interzone trust DMZ direction inbound firewall packetfilter default permit interzone trust DMZ direction outbound firewall packetfilter default permit interzone DMZ untrust direction inbound firewall packetfilter default permit interzone DMZ untrust direction outbound firewall statistic system enable undo multicast igmpallenable interface Aux0 async mode flow linkprotocol ppp interface Ether0/0/0 ip address interface Ether0/0/1 ip address interface Ether1/0/0 ip address interface Ether1/0/1 ip address interface NULL0 firewall zone local set priority 100 firewall zone trust add interface Ether 0/0/0 add interface Ether 0/0/1 set priority 85 firewall zone untrust add interface Ether 1/0/0 set priority 5 firewall zone DMZ add interface Ether 1/0/1 set priority 50 firewall interzone local trust firewall interzone local untrust firewall interzone local DMZ firewall interzone trust untrust firewall interzone trust DMZ firewall interzone DMZ untrust userinterface con 0 userinterface aux 0 userinterface vty 0 4 return 上述配置假設(shè)各接口 IP 地址符合實(shí)際網(wǎng)絡(luò)的設(shè)置，且防火墻工作在路由模式。如果符合上述條件，而防火墻都無法 ping通其他設(shè)備、或其他設(shè)備無法 ping通防火 墻、或報(bào)文無法通過防火墻，請(qǐng)檢查網(wǎng)絡(luò)其他設(shè)備的配置情況。 透明模式的基本配置 sysname Eudemon tcp window 8 firewall mode transparent firewall statistic system enable interface Aux0 async mode flow linkprotocol ppp interface Ether0/0/0 interface Ether0/0/1 interface Ether1/0/0 interface Ether1/0/1 interface NULL0 interface LoopBack0 firewall zone local set priority 100 firewall zone trust set priority 85 firewall zone untrust set priority 5 firewall zone DMZ set priority 50 firewall interzone local trust firewall interzone local untrust firewall interzone local DMZ firewall interzone trust untrust firewall interzone trust DMZ firewall interzone DMZ untrust userinterface con 0 userinterface aux 0 userinterface vty 0 4 return 如上，是一個(gè)防護(hù)墻在透明模式下的最基本配置，除了 firewall mode transparent命令之外，同在路由模式下的基本配置是基本一樣的。 如果在透明模式下檢測(cè)防火墻的聯(lián)通性，最通用的配置如下 sysname Eudemon tcp window 8 firewall packetfilter default permit interzone local trust direction inbound firewall packetfilter default permit interzone local trust direction outbound firewall packetfilter default permit interzone local untrust direction inbound firewall packetfilter default permit interzone local untrust direction outbound firewall packetfilter default permit interzone local DMZ direction inbound firewall packetfilter default permit interzone local DMZ direction outbound firewall packetfilter default permit interzone trust untrust direction inbound firewall packetfilter default permit interzone trust untrust direction outbound firewall packetfilter default permit interzone trust DMZ direction inbound firewall packetfilter default permit interzone trust DMZ direction outbound firewall packetfilter default permit interzone DMZ untrust direction inbound firewall packetfilter default permit interzone DMZ untrust direction outbound firewall mode transparent firewall systemip firewall statistic system enable interface Aux0 async mode flow linkprotocol ppp interface Ether0/0/0 interface Ether0/0/1 interface Ether1/0/0 interface Ether1/0/1 interface NULL0 interface LoopBack0 firewall zone local set priority 100 firewall zone trust add interface Ether 0/0/0 add interface Ether 0/0/1 set priority 85 firewall zone untrust add interface Ether 1/0/0 set priority 5 firewall zone DMZ add interface Ether 1/0/1 set priority 50 firewall interzone local trust firewall interzone local untrust firewall interzone local DMZ firewall interzone trust untrust