Firewall configuration contents (防火墙设置内容.doc)

Document summary

Running information

helpmode chinese
system time set timezone +8
system devname set TopsecOS
network start
network reset
ID 7000 network attribute add name eth0
ID 7001 network attribute add name eth1
ID 7002 network attribute add name eth2
ID 7003 network attribute add name eth3
ID 7004 network attribute add name eth4
ID 7005 network attribute add name eth5
ID 7006 network attribute add name eth6
ID 7007 network attribute add name eth7
ID 7008 network attribute add name adsl
ID 7009 network attribute add name ipsec0
ID 7010 network attribute add name ipsec1
ID 7011 network attribute add name ipsec2
ID 7012 network attribute add name ipsec3
ID 7013 network attribute add name wan
ID 7014 network attribute add name lan
ID 7015 network attribute add name ssn
ID 7016 network attribute add name ppp
ID 7017 network attribute add name l2tp
ID 7018 network attribute add name pptp
ID 7019 network attribute add name bond0
ID 7020 network attribute add name bond1
ID 7021 network attribute add name bond2
ID 7022 network attribute add name bond3
network interface eth0 description intranet
network interface eth0 mtu 1500
network interface eth0 ip add 54 mask label 0
network interface eth0 speed auto
network interface eth0 duplex auto
network interface eth0 no switchport
network interface eth0 switchport mode access
network interface eth0 switchport trunk encapsulation dot1q
network interface eth0 switchport trunk native-vlan 1
network interface eth0 switchport access-vlan 1
network interface eth0 switchport trunk allowed-vlan 1-1000
network interface eth0 ha-metric 0
network interface eth0 attribute add eth0
network interface eth0 mss-adjust off
network interface eth0 mode-set ips
network interface eth0 reverse-path off
network interface eth0 gratuitous-arp-interval 0
network interface eth0 vsid 0
network interface eth0 vrid 0
network interface eth0 no shutdown
network interface eth1 description T0-彬县内网
network interface eth1 mtu 1500
network interface eth1 ip add 54 mask label 0
network interface eth1 speed auto
network interface eth1 duplex auto
network interface eth1 no switchport
network interface eth1 switchport mode access
network interface eth1 switchport trunk encapsulation dot1q
network interface eth1 switchport trunk native-vlan 1
network interface eth1 switchport access-vlan 1
network interface eth1 switchport trunk allowed-vlan 1-1000
network interface eth1 ha-metric 0
network interface eth1 attribute add eth1
network interface eth1 mss-adjust off
network interface eth1 mode-set ips
network interface eth1 reverse-path off
network interface eth1 gratuitous-arp-interval 0
network interface eth1 vsid 0
network interface eth1 vrid 0
network interface eth1 no shutdown
network interface eth2 description TO-市局
network interface eth2 mtu 1500
network interface eth2 ip add mask label 0
network interface eth2 speed auto
network interface eth2 duplex auto
network interface eth2 no switchport
network interface eth2 switchport mode access
network interface eth2 switchport trunk encapsulation dot1q
network interface eth2 switchport trunk native-vlan 1
network interface eth2 switchport access-vlan 1
network interface eth2 switchport trunk allowed-vlan 1-1000
network interface eth2 ha-metric 0
network interface eth2 attribute add eth2
network interface eth2 mss-adjust off
network interface eth2 mode-set ips
network interface eth2 reverse-path off
network interface eth2 gratuitous-arp-interval 0
network interface eth2 vsid 0
network interface eth2 vrid 0
network interface eth2 no shutdown
network interface eth3 description TO-INTERNET
network interface eth3 mtu 1500
network interface eth3 ip add 50 mask 52 label 0
network interface eth3 speed auto
network interface eth3 duplex auto
network interface eth3 no switchport
network interface eth3 switchport mode access
network interface eth3 switchport trunk encapsulation dot1q
network interface eth3 switchport trunk native-vlan 1
network interface eth3 switchport access-vlan 1
network interface eth3 switchport trunk allowed-vlan 1-1000
network interface eth3 ha-metric 0
network interface eth3 attribute add eth3
network interface eth3 mss-adjust off
network interface eth3 mode-set ips
network interface eth3 reverse-path off
network interface eth3 gratuitous-arp-interval 0
network interface eth3 vsid 0
network interface eth3 vrid 0
network interface eth3 no shutdown
network interface eth4 mtu 1500
network interface eth4 speed auto
network interface eth4 duplex auto
network interface eth4 no switchport
network interface eth4 switchport mode access
network interface eth4 switchport trunk encapsulation dot1q
network interface eth4 switchport trunk native-vlan 1
network interface eth4 switchport access-vlan 1
network interface eth4 switchport trunk allowed-vlan 1-1000
network interface eth4 ha-metric 0
network interface eth4 attribute add eth4
network interface eth4 mss-adjust off
network interface eth4 mode-set ips
network interface eth4 reverse-path off
network interface eth4 gratuitous-arp-interval 0
network interface eth4 vsid 0
network interface eth4 vrid 0
network interface eth4 no shutdown
network interface eth5 mtu 1500
network interface eth5 speed auto
network interface eth5 duplex auto
network interface eth5 no switchport
network interface eth5 switchport mode access
network interface eth5 switchport trunk encapsulation dot1q
network interface eth5 switchport trunk native-vlan 1
network interface eth5 switchport access-vlan 1
network interface eth5 switchport trunk allowed-vlan 1-1000
network interface eth5 ha-metric 0
network interface eth5 attribute add eth5
network interface eth5 mss-adjust off
network interface eth5 mode-set ips
network interface eth5 reverse-path off
network interface eth5 gratuitous-arp-interval 0
network interface eth5 vsid 0
network interface eth5 vrid 0
network interface eth5 no shutdown
network interface eth6 mtu 1500
network interface eth6 speed auto
network interface eth6 duplex auto
network interface eth6 no switchport
network interface eth6 switchport mode access
network interface eth6 switchport trunk encapsulation dot1q
network interface eth6 switchport trunk native-vlan 1
network interface eth6 switchport access-vlan 1
network interface eth6 switchport trunk allowed-vlan 1-1000
network interface eth6 ha-metric 0
network interface eth6 attribute add eth6
network interface eth6 mss-adjust off
network interface eth6 mode-set ips
network interface eth6 reverse-path off
network interface eth6 gratuitous-arp-interval 0
network interface eth6 vsid 0
network interface eth6 vrid 0
network interface eth6 no shutdown
network interface eth7 mtu 1500
network interface eth7 speed auto
network interface eth7 duplex auto
network interface eth7 no switchport
network interface eth7 switchport mode access
network interface eth7 switchport trunk encapsulation dot1q
network interface eth7 switchport trunk native-vlan 1
network interface eth7 switchport access-vlan 1
network interface eth7 switchport trunk allowed-vlan 1-1000
network interface eth7 ha-metric 0
network interface eth7 attribute add eth7
network interface eth7 mss-adjust off
network interface eth7 mode-set ips
network interface eth7 reverse-path off
network interface eth7 gratuitous-arp-interval 0
network interface eth7 vsid 0
network interface eth7 vrid 0
network interface eth7 no shutdown
network spantree set mode off
network cdp_neighbors set cdpthru on
network mpls handle off
network session timeout default
network session protocol default
network session icmp-redirect off
network session tcp-reset off
network session session-integrity on
network session only-syn-create on
network session packet-checksum off
network session syn-reset off
network session log-op delete on
network session log-op create off
network session log-op statistics off
network session quota tcp 0
network session quota udp 0
network session quota other 0
network session count off
network session count interval 5
network port-statistic off
network port-statistic set port1 80 port2 8080 port3 20 port4 21 port5 110 port6 25
network port-statistic set statistic 1800
network port-statistic set send 1
network arp limit off
network route add dst /24 gw metric 1 id 102
network route add dst /24 gw metric 1 id 103
network route add dst /8 gw metric 1 id 101
network route add dst /0 gw 49 metric 1 id 100
network route intelligent-opt off
system authset setdefault
system authset authfail set maxnum 5
system authset usermaxlogin set maxnum 10
system authset maxonlineadm set maxnum 5
system authset managermaxlogin set maxnum 5
system authset faillock set time 60
system authset passwd-type set type cipher
system authset timeout set num 100
aaa config reset
aaa auth-map modify server cert mapping-type default status valid
system top-policy set-ip ip notify-port 2010 policy-port 2010 type master local no
system top-policy set-ip ip notify-port 2010 policy-port 2010 type slave local no
network mroute clean
network dns clear
network suitstate disable
ID 8002 define area add name area_eth0 attribute eth0 access on vsid 0
ID 8028 define area add name 外网 attribute eth3 access on vsid 0
ID 8029 define area add name 市局 attribute eth2 access on vsid 0
ID 8030 define area add name 彬县 attribute eth1 access on vsid 0
ID 8001 define range add name any ip1 ip2 55 vsid 0
qos config clean
dpi ar im-account set type msn account default-access deny
dpi ar im-account set type qq account default-access deny
dpi ar statistics type ip set srcip
dpi policy clean
ID 8020 dpi policy add net mask protocol tcp port 21 name ftp enable yes
ID 8021 dpi policy add net mask protocol tcp port 25 name smtp enable yes
ID 8022 dpi policy add net mask protocol udp port 69 name tftp enable yes
ID 8023 dpi policy add net mask protocol tcp port 80 name http enable yes
ID 8024 dpi policy add net mask protocol tcp port 110 name pop3 enable yes
ID 8025 dpi policy add net mask protocol tcp port 1521 name sqlnet enable yes
ID 8026 dpi policy add net mask protocol tcp port 23 name telnet enable yes
dpi max-connection set 60000
ID 8037 nat policy add srcarea 彬县 dstarea 外网 trans_src eth3 vsid 0
firewall enhancement switch overlap-exam off accelerate off
log log set ipaddr 53 port UDP:514 logtype syslog trans disable
log log log_key set
log log log_crypt disable
log log type_set add none
log log level_set 0
ids clean
ids attack clear
ids source-check off
ids white-list-check off
ids sessions set 3
ids list-expire-time set 30
ids packet set 0
ids max-source set 10000
ids max-destination set 5000
ids expire-time set 60
ids log on
pf service log off
ID 8010 pf service add name gui area area_eth0 addressname any
ID 8012 pf service add name update area area_eth0 addressname any
ID 8013 pf service add name ping area area_eth0 addressname any
ID 8014 pf service add name webui area area_eth0 addressname any
ID 8031 pf service add name webui area 外网 addressname any
ID 8032 pf service add name ping area 外网 addressname any
ID 8033 pf service add name webui area 市局 addressname any
ID 8034 pf service add name ping area 市局 addressname any
ID 8035 pf service add name webui area 彬县 addressname any
ID 8036 pf service add name ping area 彬县 addressname any
ID 8039 pf service add name telnet area 外网 addressname any
pf idbprule log off
pf idbprule drop-log off
pf rule set default action accept log no
pki clean
pki usb set uktype none
pki remoteauth disable proto ldap
pki remoteauth disable proto ocsp
pki cacert crltimer interval 86400
vpn ifbind clean
vpn localnet clear
vpn localnet add ip 2 mask 2
vpn localnet add ip 2 mask 21
vpn localnet add ip 10 mask 2
vpn localnet add ip 05 mask 09
vpn localnet add ip 7 mask 2
vpn localnet add ip 7 mask 2
vpn localnet add ip 16 mask 111.32.10
