【導讀】華為技術有限公司。版權所有侵權必究。安全域概念介紹...8. 訪問控制策略和報文過濾...12. 防火墻缺省動作...16. 基于純VRRP的備份...18. 雙機熱備的注意事項...19. 攻擊檢測模塊同黑名單聯動...20. 對有潛在危害性的報文的過濾...23. 配置的常見問題...36. ACL加速編譯失敗...37. 使能地址綁定功能之后，原來配置的靜態(tài)ARP表項消失...37. 配置了ASPF功能，要進行java/activexblock功能，也配置了ACL用來劃定范圍，但是卻。攻擊防范和統計功能...37. 使能了地址掃描/端口掃描共能，但卻沒有作用...37. 在應用正常的情況下，改動了vrrp的屬性發(fā)現通訊有問題，表現為能ping通接口，但是不。VRRP配置不一致的時候，屏幕上打印大量告警影響使用...38. VRRP狀態(tài)不穩(wěn)定切換頻繁...38. Eudemon200防火墻操作指導。摘要：本文對Eudemon200防火墻的特點、典型應用以及常見的攻擊方式及在。Eudemon200上的防范方法作了簡要的說明。目的本文通過對Eudemon200防火墻的特點，使用方法作出描述，使讀者可以對我司的狀。態(tài)防火墻有一個初步的認識，可以結合實例和攻擊的特點對防火墻進行有效的配置，保護網

　　

【正文】 icast igmpallenable interface Aux0 async mode flow linkprotocol ppp interface Ether0/0/0 interface Ether0/0/1 interface Ether1/0/0 interface Ether1/0/1 interface NULL0 firewall zone local set priority 100 firewall zone trust set priority 85 firewall zone untrust set priority 5 firewall zone DMZ set priority 50 firewall interzone local trust firewall interzone local untrust firewall interzone local DMZ firewall interzone trust untrust firewall interzone trust DMZ firewall interzone DMZ untrust userinterface con 0 userinterface aux 0 userinterface vty 0 4 return 可見，基本的防火墻有 4個預定義域， Local/trust/untrust/dmz。 第一件要做的事就是將接口加到相應的域中 [Eudemon] firewall zone trust [Eudemonzonetrust] add interface ether 0/0/0 如此往復，將所有需要用到的接口分別加到不同的域中，要遵循的是，只要希望數據在這兩個接口之間流動的時候要經過防火墻檢查，就需要將這兩個接口分別加到不同的域里。沒有加入到域中的接口是無法在防火墻上轉發(fā)報文的。 其次，檢查域間的包過濾配置。在組網開始的時候，為了測試網絡的聯通性，可以通過設置防火墻缺省規(guī)則將所有域間下包過濾的缺省規(guī)則都設置為允許。在網絡測試通暢之后再關閉這些許可，轉 而使用詳細的 ACL規(guī)則作為報文過濾的依據。 一個保證網絡通暢的配置如下： sysname Eudemon tcp window 8 firewall packetfilter default permit interzone local trust direction inbound firewall packetfilter default permit interzone local trust direction outbound firewall packetfilter default permit interzone local untrust direction inbound firewall packetfilter default permit interzone local untrust direction outbound firewall packetfilter default permit interzone local DMZ direction inbound firewall packetfilter default permit interzone local DMZ direction outbound firewall packetfilter default permit interzone trust untrust direction inbound firewall packetfilter default permit interzone trust untrust direction outbound firewall packetfilter default permit interzone trust DMZ direction inbound firewall packetfilter default permit interzone trust DMZ direction outbound firewall packetfilter default permit interzone DMZ untrust direction inbound firewall packetfilter default permit interzone DMZ untrust direction outbound firewall statistic system enable undo multicast igmpallenable interface Aux0 async mode flow linkprotocol ppp interface Ether0/0/0 ip address interface Ether0/0/1 ip address interface Ether1/0/0 ip address interface Ether1/0/1 ip address interface NULL0 firewall zone local set priority 100 firewall zone trust add interface Ether 0/0/0 add interface Ether 0/0/1 set priority 85 firewall zone untrust add interface Ether 1/0/0 set priority 5 firewall zone DMZ add interface Ether 1/0/1 set priority 50 firewall interzone local trust firewall interzone local untrust firewall interzone local DMZ firewall interzone trust untrust firewall interzone trust DMZ firewall interzone DMZ untrust userinterface con 0 userinterface aux 0 userinterface vty 0 4 return 上述配置假設各接口 IP 地址符合實際網絡的設置，且防火墻工作在路由模式。如果符合上述條件，而防火墻都無法 ping通其他設備、或其他設備無法 ping通防火 墻、或報文無法通過防火墻，請檢查網絡其他設備的配置情況。 透明模式的基本配置 sysname Eudemon tcp window 8 firewall mode transparent firewall statistic system enable interface Aux0 async mode flow linkprotocol ppp interface Ether0/0/0 interface Ether0/0/1 interface Ether1/0/0 interface Ether1/0/1 interface NULL0 interface LoopBack0 firewall zone local set priority 100 firewall zone trust set priority 85 firewall zone untrust set priority 5 firewall zone DMZ set priority 50 firewall interzone local trust firewall interzone local untrust firewall interzone local DMZ firewall interzone trust untrust firewall interzone trust DMZ firewall interzone DMZ untrust userinterface con 0 userinterface aux 0 userinterface vty 0 4 return 如上，是一個防護墻在透明模式下的最基本配置，除了 firewall mode transparent命令之外，同在路由模式下的基本配置是基本一樣的。 如果在透明模式下檢測防火墻的聯通性，最通用的配置如下 sysname Eudemon tcp window 8 firewall packetfilter default permit interzone local trust direction inbound firewall packetfilter default permit interzone local trust direction outbound firewall packetfilter default permit interzone local untrust direction inbound firewall packetfilter default permit interzone local untrust direction outbound firewall packetfilter default permit interzone local DMZ direction inbound firewall packetfilter default permit interzone local DMZ direction outbound firewall packetfilter default permit interzone trust untrust direction inbound firewall packetfilter default permit interzone trust untrust direction outbound firewall packetfilter default permit interzone trust DMZ direction inbound firewall packetfilter default permit interzone trust DMZ direction outbound firewall packetfilter default permit interzone DMZ untrust direction inbound firewall packetfilter default permit interzone DMZ untrust direction outbound firewall mode transparent firewall systemip firewall statistic system enable interface Aux0 async mode flow linkprotocol ppp interface Ether0/0/0 interface Ether0/0/1 interface Ether1/0/0 interface Ether1/0/1 interface NULL0 interface LoopBack0 firewall zone local set priority 100 firewall zone trust add interface Ether 0/0/0 add interface Ether 0/0/1 set priority 85 firewall zone untrust add interface Ether 1/0/0 set priority 5 firewall zone DMZ add interface Ether 1/0/1 set priority 50 firewall interzone local trust firewall interzone local untrust firewall interzone local DMZ firewall interzone trust untrust