H3C 防火墙基于用户的负载分担典型配置.doc

disp cu5 s G! Y- W- Q6 X3 qB, X l#* w+ # f7 R4 v* M7 G sysname H3C8 X3 x, c* G3 C#. i4 s3 i6 I3 _7 _undo info-center enable/ c- B& ( v! / O+ I% F#( e9 1 i1 D+ o firewall packet-filter enable5 Q! P V# D8 + W* C# t d#6 H, D; K1 w- W8 4 qV& E+ a nat aging-time tcp 3007 F+ D1 c- N1 F4 I# B H. n) OB nat aging-time pptp 3000 S4 D& N4 z5 Y% - u) U* m( D* oM nat aging-time dns 10) f( d2 o R: R) 9 S; q: c- S nat aging-time ftp-ctrl 300( + u. E8 B: D nat aging-time tcp-fin 10/ v+ G% f9 4 T8 Q nat aging-time tcp-syn 108 f) e$ X! j7 w% ( L7 |$ 3 ?#: J$ N r & Q& W; q4 h5 l- e6 U undo icmp redirect send, k) w: d8 z$ A& undo icmp unreach send3 J1 J% L; q5 s2 z0 r 8 E) q0 N#( 6 v* _0 e8 n3 / a ip user-based-sharing enable) m& & F, e/ ( b7 Nip user-based-sharing route 9 N% g+ + 2 # l9 J/ E( a% K3 v5 w# c* firewall defend enable3 ! V( T+ q o. qo s. o# j, n$ |6 2 ? flow-interval 53 l, y5 G5 l3 u 4 v4 h0 Z#* P4 b9 F7 Z& r3 J2 O- v% m qos carl 1 source-ip-address range to 40 per-address, K4 L) Q8 Y# r* ( qos carl 2 destination-ip-address range to 40 per-address& g: 2 w8 2 9 w- d; x% c; G qos carl 3 source-ip-address range to 40 per-address6 O) a5 c3 8 K% c! A+ W# d, H+ g3 nqos carl 4 destination-ip-address range to 40 per-addres, _! |+ O, A2 3 ( uq3 s5 T/ f4 m4 ; #( 1 N; s! r4 B! R7 Adns server 6& o BR k1 r dns server 666 I9 a/ A) a1 #; f4 v% |- n! H8 wradius scheme system, E& l- g% - t* _4 s( E# C$ 7 |# Y7 ?/ |2 m; bdomain system9 X6 x( n3 U7 v& R3 $ #, H1 M3 5 E9 J4 Nlocal-user admin$ D- S, x8 i2 r( * F5 T7 Y password simple adminsjwl4 x$ K4 I% D0 c# J1 7 T4 1 Fservice-type telnet/ W0 9 B& T G7 b w3 ylevel 3: r, V1 & x( h$ O2 t- f3 E#, P* V* ! 4 t! z$ R: R) wacl number 2000* |3 r/ C) & , z7 xN; o rule 0 permit source 55l; H* g# d+ s1 G MJ, d# T5 k# # T. j2 d2 i4 wacl number 3101, p6 8 L; |+ P8 h6 ( d! L& C2 N; I rule 10 permit icmp icmp-type echo* E- _& M9 W- g6 P: rule 20 permit icmp icmp-type echo-reply n4 p$ / z* r; Frule 30 permit icmp icmp-type ttl-exceeded- 3 l* J4 3 r; Srule 40 deny icmp: G) E# p! 7 I8 rule 110 deny tcp destination-port eq 1355 H7 Y5 c- j$ O rule 120 deny udp destination-port eq 135: N. q- e. A G! k1 f rule 130 deny udp destination-port eq netbios-ns% q6 x, : L) & X rule 140 deny udp destination-port eq netbios-dgm- Q6 Y$ |% Y o- s rule 150 deny tcp destination-port eq 139- g* / : & I. * I rule 160 deny udp destination-port eq netbios-ssn8 H: V H; W# 2 q5 7 Krule 170 deny tcp destination-port eq 445- c+ F$ - . m/ Srule 180 deny udp destination-port eq 445/ M8 y. D/ M2 p, H rule 190 deny udp destination-port eq 593/ U% jrW1 n7 L% U4 ( qrule 200 deny tcp destination-port eq 5938 2 u( y5 q0 # C7 a5 i7 Yqrule 210 deny tcp destination-port eq 1433, s# Q) E4 . H& 2 v rule 220 deny tcp destination-port eq 1434. R/ b5 N c& m2 K rule 230 deny tcp destination-port eq 4444- O; V+ a8 G% ! Q6 M: s: L D rule 240 deny tcp destination-port eq 1025. k. I# S% fa! prule 250 deny tcp destination-port eq 1068( L: D1 m3 d/ Ty5 p/ G U rule 260 deny tcp destination-port eq 707! O2 X U0 W; 0 t9 D: z rule 270 deny tcp destination-port eq 5554% i x4 g5 b% ) wrule 280 deny tcp destination-port eq 9996 m: S; N! _+ Y2 Z0 x1 i. P& a5 Zrule 2000 permit ip source 55% h& D: _2 W# 7 P- f i rule 3000 deny ip. K: A1 b, B! K1 Pacl number 3102: _% 7 L: f, Ux- c; L5 * rule 10 permit icmp icmp-type echo% W( j- ) K# d% G rule 20 permit icmp icmp-type echo-reply6 1 |9 N; 3 W( rule 30 permit icmp icmp-type ttl-exceeded. # L9 ? Y( 1 4 & S* zrule 40 deny icmp8 A! 9 K5 S- g, m w% t) 7 x Wrule 110 deny tcp destination-port eq 1352 c$ Q, U: jX9 Q9 Y u rule 120 deny udp destination-port eq 135+ z* b2 |1 _ n+ n6 Y rule 130 deny udp destination-port eq netbios-ns8 |: X& ! Z4 U* trule 140 deny udp destination-port eq netbios-dgmq7 l i D2 y0 N rule 150 deny tcp destination-port eq 1392 Y# D# O; Q) wrule 160 deny udp destination-port eq netbios-ssn3 y. h* W- R V; r rule 170 deny tcp destination-port eq 4456 h/ f1 C% x- Q/ p3 d rule 180 deny udp destination-port eq 445( J1 - _( C4 C8 c# X4 u) R- rrule 190 deny udp destination-port eq 593% 0 x, w, G; t7 L) V rule 200 deny tcp destination-port eq 5933 + Z0 h% n7 D5 yx: |rule 210 deny tcp destination-port eq 1433$ H |7 a( F D- Frule 220 deny tcp destination-port eq 14345 Z3 a! W& w9 |1 SX5 y% 3 wrule 230 deny tcp destination-port eq 4444* y) z/ l w4 0 S6 v7 5 Wrule 240 deny tcp destination-port eq 10257 N; l6 N$ R: y- a B rule 250 deny tcp destination-port eq 1068! W) : U) 8 j9 m4 S/ K* rule 260 deny tcp destination-port eq 707, ?8 K- M; x( E! t9 rule 270 deny tcp destination-port eq 55549 K. - S& r4 Y( b. G u) D rule 280 deny tcp destination-port eq 9996; A5 x& H, L2 y$ r9 t rule 2000 permit ip destination 55: ?3 A7 4 n; a) s3 y$ G8 W0 _ rule 2010 permit tcp destination-port eq telnet2 t8 j! s + zrule 3000 deny ip2 Q9 9 d: Z2 A/ gacl number 3103( E5 |7 P2 L5 E4 ; H7 zC rule 10 permit icmp icmp-type echo: X1 H* h1 . Z9 q b! rule 20 permit icmp icmp-type echo-reply, S# Z4 ! ?* + U0 Grule 30 permit icmp icmp-type ttl-exceeded. K% h! U0 u& , eE w# _ q rule 40 deny icmp3 O% GL, ? x6 B7 q+ m5 y, |2 krule 110 deny tcp destination-port eq 135! jf8 x- s% cC# a; W rule 120 deny udp destination-port eq 135! K, s% ?9 W4 H9 Z9 j rule 130 deny udp destination-port eq netbios-ns X3 K! |: ?) a) U4 I h J b rule 140 deny udp destination-port eq netbios-dgm( f% s0 t9 t Q7 X rule 150 deny tcp destination-port eq 139$ v K! j- j: y rule 160 deny udp destination-port eq netbios-ssn9 R+ v2 l- Z, Trule 170 deny tcp destination-port eq 445; v9 m5 PZ I rule 180 deny udp destination-port eq 445( n0 u6 9 N) f- rule 190 deny udp destination-port eq 5935 O8 _* M* + m+ x7 / e orule 200 deny tcp destination-port eq 5934 C& I( G, 0 g( * Wrule 210 deny tcp destination-port eq 1433) R# v3 & f& I% v6 ! rule 220 deny tcp destination-port eq 1434; r& eP$ l1 V( r* O3 O/ t$ D; , s rule 230 deny tcp destination-port eq 4444& k; _% r2 n. 4 |0 rule 240 deny tcp destination-port eq 1025( F6 f% J6 R% z # a( I! v$ o rule 250 deny tcp destination-port eq 1068+ , u( r- * D) t) ) Prule 260 deny tcp destination-port eq 707% B( _! f! W2 s/ A4 R0 J& I8 Vrule 270 deny tcp destination-port eq 5554* e5 k# s) 8 ?) w5 C6 Z) v rule 280 deny tcp destination-port eq 99962 q# W9 * m( i n- rule 2000 permit ip destination 552 l6 G# O3 Q I) A. rule 2010 permit tcp destination-port eq telnet) O: o: Q# b4 S1 ?- I. | rule 3000 deny ip& w- y* D. w9 I$ x9 Y i#! 2 v- 5 x. R4 M) D _interface Aux0) 5 F7 * c- X& y+ X9 Qasync mode flow0 h$ E ; J! c# F s; 7 s% k#7 I7 o* H2 3 x/ Pinterface GigabitEthernet1/07 z+ p+ l/ y) Y2 c1 Kip address 54 * u( k V/ b/ M9 & Rarp send-gratuitous-arp 10 M* p) h( Y% Z7 k! q1 Oyfirewall packet-filter 3101 inbound3 q( B5 D7 J& h9 4 A5 M4 Yqos car inbound carl 1 cir 800000 cbs 800000 ebs 0 green pass red discard9 D1 z, g+ a! 7 v6 Iqos car inbound carl 3 cir 800000 cbs 800000 ebs 0 green pass red discardGL1 O% J4 ) * ?0 C9 f5 g% V) qos car outbound carl 2 cir 800000 cbs 800000 ebs 0 green pass red discard8 / l; U$ a/ o2 H s6 Y4 r; R qos car outbound carl 4 cir 800000 cbs 800000 ebs 0 green pass red discard$ s8 j1 W r. y! l. U#2 k; D! s& P: _: Ointerface GigabitEthernet2/02 G3 m6 G$ Dh, M. N. m; L Ploadbandwidth 10240+ O) o. - J$ u. c _% Jip address 02 484 _ C% q! X9 b5 w. N5 Z* ) arp send-gratuitous-arp 1: p4 S7 L T& r* Z; y4 t firewall packet-filter 3102 inbound& s; K7 e, q) ! v! a; Q% B6 nat outbound 2000 Z% R* B) e; #) j# ) k# 7 E% r9 k& W6 F4 uinterface GigabitEthernet3/0) G& h! ! p6 L. O3 T2 f loadbandwidth 2048# : g! u% x) T* f: ip address 10 52% o, 3 j5 s# J( Y firewall packet-filter 3103 inbound6 E% Z7 x: J3 E8 n9 w( t- J nat outbound 20001 f$ 4 M. C; R& e( b#0 x( r0 H2 i3 O e1 a0 V- dinterface GigabitEthernet4/06 t- A0 y# i% o6 f, s L- Q9 s#_7 E% I) b0 s5 q* interface NULL09 u! 9 5 g L) O: H#9 s+ L0 1 e! 6 y; V E$ _8 firewall zone local0 ?8 h* ( R/ v5 ?/ 2 P set priority 100; C) . Q. q# U, X#1 H# Z: u& I$ R& afirewall zone trust N/ D* w: w, G+ 0 ( q! J add interface GigabitEthernet1/0+ u% H9 v( h7 O& l; _7 G) , wadd interface GigabitEthernet4/0( P 9 o5 S# Y. h4 Wset priority 854 On2 A6 U% z F- X- d jf#* c$ K4 M. Y B) u6 k6 % F6 Vfirewall zone untrust8 $ a2 H; R ?2 e7 X add interface GigabitEthernet2/0 o, w+ K! 3 e3 o; Qadd interface GigabitEthernet3/0, 9 o, x* Y 3 x set priority 5; t$ , q G, P7 t: d8 z 9 H#1 Q# T- M1 w; o* w3 D2 xfirewall zone DMZ9 V% 2 h! A! set priority 50- G! b% B7 j: T. ) i5 N#( a+ k0 p0 g* p9 jf1 t undo dhcp enable- . v# L/ A5 |. 8 Y$ c! p#f Q& tG4 Qip route-static 01 preference 60# r! F9 q: f1 ! n1 t5 z! I ip route-static 09 preference 60. g: # V L* P4 C; fW ip route-static NULL 0 preference 60! i7 K/ t$ DL# F% z. Zip route-static NULL 0 preference 60! k) F! Z. |; ! ip route-static NULL 0 preference 609 O! L7 Y3 q3 V/ x+ n, z, ip route-static NULL 0 preference 601 D$ w6 r3 P- F3 x8 i1 E) g* b#0 7 6 M, s i: Z- C e2 rfirewall defend land; Q6 T+ V. N9 B! q0 r J# M% firewall defend smurf1 V& A U9 r q: / i- 6 2 ofirewall defend fraggle3 G; W# g! v% f% B9 2 d1 V8 i2 x6 firewall defend winnuke8 n. % |/ D2 B s8 n! O/ S jfirewall defend icmp-redirect- I2 i. % b) B G8 R, |firewall defend icmp-unreachable5 u$ - 2 B: R firewall defend source-route3 D1 , Q3 k+ l$ Z& cfirewall defend route-record: U S$ K% J) W3 r! v. firewall defend tracert J- Z; O* _% * j3 P firewall defend ping-of-death) I4 R1 z+ . z$ p0 Ifirewall defend tcp-flag1 |$ J* 1 J; i5 z9 Q& 0 c3 ? firewall defend ip-fragmentR) D1 S% T5 _/ 7 firewall defend large-icmp, o( . d( N9 u1 a9 X* V firewall defend teardrop8 z E+ g X# ; s: T firewall defe