Simple firewall (design and implementation of a simple firewall)
Editor: rootadmin
interface Ethernet0/0 ! Mo*ach local
 ip address ......
 description Ethernet to the RZ-Router
 no ip directed-broadcast ! because of hackers (denial of service)
 ip inspect FIWA in ! inspection of IP traffic
 ip access-group in ! anti-spoofing
 ip access-group out ! additional world-LAN filter because of the servers
 no shutdown
!
no access-list
access-list permit tcp ....0.0.3 any ! RZ-Router anti-spoofing
access-list permit udp ....0.0.3 any ! RZ-Router anti-spoofing
access-list permit icmp ....0.0.3 any ! RZ-Router anti-spoofing
access-list permit tcp ..5..0.0. any ! BA-Mo network anti-spoofing
access-list permit udp ..5..0.0. any ! BA-Mo network anti-spoofing
access-list permit icmp ..5..0.0. any ! BA-Mo network anti-spoofing
access-list deny ip any any
!
! Allow certain services to the servers
no access-list
!
access-list permit tcp any any eq ! SSH
access-list permit tcp any any eq ! Ident
access-list permit tcp any any eq ! SAFT
!
permit tcp any gt host ..5. eq ! FTP commands (for PASV FTP)
permit tcp any gt host ..5. eq ! FTP commands (for PASV FTP)
!
access-list permit tcp any host ..5. eq ! allow SMTP
access-list permit tcp any host ..5. eq ! allow SMTP
!
access-list permit tcp host ..2.1 host ..5. eq ! DNS zone transfer
access-list permit tcp host ... host ..5. eq ! DNS zone transfer
access-list permit tcp host ... host ..5. eq ! DNS zone transfer
access-list permit tcp host ..2.1 host ..5. eq ! DNS zone transfer
access-list permit tcp host ... host ..5. eq ! DNS zone transfer
access-list permit tcp host ... host ..5. eq ! DNS zone transfer
access-list permit tcp any host ..5. eq ! WWW
access-list permit tcp any host ..5. eq ! WWW
!
access-list permit tcp any host ..5. eq ! nntp
access-list permit tcp any host ..5. eq ! nntp
!
access-list permit udp any host ..5. eq ! ntp
access-list permit udp any host ..5. eq ! ntp
!
access-list permit tcp any host ..5. eq ! ldap
access-list permit tcp any host ..5. eq ! ldap
!
access-list permit tcp any host ..5. eq ! https
access-list permit tcp any host ..5. eq ! https
!
access-list permit tcp any host ..5. eq ! Secure-IMAP
access-list permit tcp any host ..5. eq ! Secure-IMAP
!
access-list permit tcp any host ..5. eq ! Secure-POP3
access-list permit tcp any host ..5. eq ! Secure-POP3
!
! with lower security requirements:
!
access-list permit tcp any host ..5. eq ! allow POP3
access-list permit tcp any host ..5. eq ! allow POP3
access-list permit udp any host ..5. eq ! DNS queries
access-list permit udp any host ..5. eq ! DNS queries
!
!
access-list permit icmp any host ..5. administratively-prohibited
access-list permit icmp any host ..5. echo
access-list permit icmp any host ..5. echo-reply
access-list permit icmp any host ..5. packet-too-big
access-list permit icmp any host ..5. time-exceeded
access-list permit icmp any host ..5. traceroute
access-list permit icmp any host ..5. unreachable
access-list deny ip any any
!
ip inspect name FIWA http java-list ! reject JavaScript per ACL
ip inspect name FIWA realaudio timeout
ip inspect name FIWA *tp timeout
ip inspect name FIWA tftp timeout
ip inspect name FIWA ftp timeout
ip inspect name FIWA udp timeout
ip inspect name FIWA tcp timeout
!
no access-list
access-list permit any log

Comment: This is quite good, but there are too many access-list entries; once it is hit by a DoS attack, the router may collapse immediately... and reboot... So I think another router should be added in front of it to do TCP Intercept to * DoS attacks, as follows:

Suppose we handle the TCP connection requests to the target hosts within the server-farm networks ...0 and ...0. Use * mode and drop connections at random:

access-list permit tcp any ....0.0.
access-list permit tcp any .....0.0.
ip tcp intercept list
ip tcp intercept mode intercept
ip tcp intercept drop-mode random

Once that is done, run HSRP between the two routers...
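An added example, not code from the original page or its configuration: a small Python model of how IOS extended ACLs such as the ones above are evaluated, with wildcard-mask matching, first-match-wins ordering, the `eq`/`gt` port operators, and the implicit deny at the end of every list. The ACL lines and RFC 5737 test addresses in `SAMPLE_ACL` are constructed stand-ins for the values elided on the page.

```python
import ipaddress
# Constructed sample in IOS numbered extended-ACL syntax (RFC 5737 test addresses, not the page's).
SAMPLE_ACL = """
access-list 101 permit tcp 192.0.2.0 0.0.0.3 any                ! RZ-Router link (anti-spoofing)
access-list 101 permit tcp 198.51.100.0 0.0.0.255 any           ! BA-Mo network (anti-spoofing)
access-list 101 deny ip any any
access-list 102 permit tcp any host 203.0.113.25 eq 25          ! allow SMTP
access-list 102 permit tcp any gt 1023 host 203.0.113.21 eq 21  ! FTP commands (PASV FTP)
access-list 102 deny ip any any
"""

def _ip(a):
    return int(ipaddress.IPv4Address(a))
def _parse_addr(t, i):
    """Consume 'any' | 'host A' | 'A WILDCARD' at t[i]; return ((net, wildcard), next_i)."""
    if t[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if t[i] == "host":
        return (_ip(t[i + 1]), 0), i + 2
    return (_ip(t[i]), _ip(t[i + 1])), i + 2
def _parse_port(t, i):
    if i < len(t) and t[i] in ("eq", "gt", "lt"):   # optional port operator; None = any port
        return (t[i], int(t[i + 1])), i + 2
    return None, i
def parse_acls(text):
    """Return {acl_number: [(permit, proto, src, sport, dst, dport), ...]} in line order."""
    acls = {}
    for line in text.splitlines():
        t = line.split("!")[0].split()          # drop the IOS '!' comment
        if len(t) < 4 or t[0] != "access-list":
            continue
        src, i = _parse_addr(t, 4)
        sport, i = _parse_port(t, i)
        dst, i = _parse_addr(t, i)
        dport, _ = _parse_port(t, i)
        acls.setdefault(t[1], []).append((t[2] == "permit", t[3], src, sport, dst, dport))
    return acls
def _addr_match(spec, ip):
    net, wildcard = spec                         # a set wildcard bit means "don't care"
    return ((_ip(ip) ^ net) & (~wildcard & 0xFFFFFFFF)) == 0
def _port_match(spec, port):
    return spec is None or {"eq": port == spec[1], "gt": port > spec[1], "lt": port < spec[1]}[spec[0]]
def evaluate(entries, proto, src, dst, sport=0, dport=0):
    """First matching entry wins; no match means the implicit 'deny ip any any'."""
    for permit, p, s, sp, d, dp in entries:
        if p in ("ip", proto) and _addr_match(s, src) and _port_match(sp, sport) \
                and _addr_match(d, dst) and _port_match(dp, dport):
            return permit
    return False
```

Running `evaluate(parse_acls(SAMPLE_ACL)["102"], "tcp", "192.0.2.2", "203.0.113.21", 1000, 21)` returns False because the source port does not satisfy `gt 1023`, which is exactly how the PASV-FTP entry on the page limits what reaches the server.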