Configuring packet-filter access control lists on AR-series routers
2020-02-09 23:51:31
Contributed by: a reader
Internal address range 192.168.1.0/25 has unrestricted access to the external network.
Internal address range 192.168.1.128/25 may only send and receive mail and may not otherwise access the external network.
#
sysname RouterA
#
firewall enable /enable the firewall function/
firewall default deny /set the firewall default action to deny/
#
radius scheme system
#
domain system
#
acl number 2000 /define the ACL used for NAT translation/
rule 0 permit source 192.168.1.0 0.0.0.255
rule 1 deny
#
acl number 3001 /define the ACL used for packet filtering/
rule 0 permit ip source 192.168.1.0 0.0.0.127
/internal addresses 192.168.1.0/25 access the external network without restriction/
rule 1 permit tcp source 192.168.1.128 0.0.0.127 destination-port eq pop3
rule 2 permit tcp source 192.168.1.128 0.0.0.127 destination-port eq smtp
/internal addresses 192.168.1.128/25 may only send and receive mail/
#
interface Ethernet1/0/0
ip address 192.168.1.1 255.255.255.0
firewall packet-filter 3001 inbound /apply packet filtering to inbound traffic/
#
interface Serial2/0/0
link-protocol ppp
ip address 202.101.1.2 255.255.255.252
nat outbound 2000
#
interface NULL0
#
ip route-static 0.0.0.0 0.0.0.0 202.101.1.1 preference 60
#
user-interface con 0
user-interface vty 0 4
#
return
Use disp firewall-statistics all and disp acl 3001 to confirm that the firewall is actually in effect:
disp firewall-statistics all
Firewall is enable, default filtering method is 'deny'.
Interface: Ethernet1/0/0
In-bound Policy: acl 3001
Fragments matched normally
From 2006-05-31 5:05:50 to 2006-05-31 6:32:49
198 packets, 24129 bytes, 4% permitted,
0 packets, 0 bytes, 0% denied,
0 packets, 0 bytes, 0% permitted default,
5919 packets, 1021492 bytes, 96% denied default,
Totally 198 packets, 24129 bytes, 4% permitted,
Totally 5919 packets, 1021492 bytes, 96% denied.
disp acl 3001
Advanced ACL 3001, 3 rules
Acl's step is 1
rule 0 permit ip source 192.168.1.0 0.0.0.127 (194 times matched)
rule 1 permit tcp source 192.168.1.128 0.0.0.127 destination-port eq pop3 (9 times matched)
rule 2 permit tcp source 192.168.1.128 0.0.0.127 destination-port eq smtp (0 times matched)
【Tips】
1. By default the firewall is disabled (firewall disable); the command "firewall enable" is required to enable the firewall function.
2. The firewall's default filtering action is permit; it can be changed to deny with "firewall default deny".
3. When packet filtering is used on the internal network and a DHCP server is also assigning addresses, the rule "rule 0 permit ip source 0.0.0.0 0" must be added to acl 3001 (DHCP clients send their initial requests from source address 0.0.0.0, which none of the existing rules match); otherwise the DHCP server will be unable to assign addresses.
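To see how the wildcard masks and first-match order of acl 3001 decide each packet's fate, including the DHCP case from tip 3, here is an added Python simulation (not part of the original article or any vendor code). It models only the fields the rules use (protocol, source address, destination port), and the packets it evaluates are constructed, not captured.

```python
# Added simulation of the inbound packet filter acl 3001 from the article.
# Huawei-style wildcard masks: a 1 bit means "ignore this bit", so 0.0.0.127
# matches a /25. Rules are evaluated first-match; no match -> firewall default.
from ipaddress import IPv4Address
from typing import NamedTuple, Optional

PORTS = {"pop3": 110, "smtp": 25}  # well-known ports behind the CLI keywords

class Rule(NamedTuple):
    action: str                   # "permit" or "deny"
    proto: str                    # "ip" matches any protocol, otherwise e.g. "tcp"
    src: str                      # source address
    wildcard: str                 # wildcard mask (CLI "0" means 0.0.0.0, exact match)
    dport: Optional[int] = None   # destination port; None means any port

def addr_matches(addr: str, base: str, wildcard: str) -> bool:
    """Compare only the bits the wildcard mask does not ignore."""
    care = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(IPv4Address(addr)) & care) == (int(IPv4Address(base)) & care)

def rule_matches(rule: Rule, proto: str, src: str, dport: Optional[int]) -> bool:
    if rule.proto != "ip" and rule.proto != proto:
        return False
    if not addr_matches(src, rule.src, rule.wildcard):
        return False
    return rule.dport is None or rule.dport == dport

def filter_packet(acl, proto, src, dport=None, default="deny"):
    """First matching rule decides; otherwise the 'firewall default' applies."""
    for rule in acl:
        if rule_matches(rule, proto, src, dport):
            return rule.action
    return default

# acl 3001 exactly as configured in the article
ACL_3001 = [
    Rule("permit", "ip", "192.168.1.0", "0.0.0.127"),
    Rule("permit", "tcp", "192.168.1.128", "0.0.0.127", PORTS["pop3"]),
    Rule("permit", "tcp", "192.168.1.128", "0.0.0.127", PORTS["smtp"]),
]
# acl 3001 with the extra rule from tip 3 (DHCP Discover comes from source 0.0.0.0)
ACL_3001_DHCP = [Rule("permit", "ip", "0.0.0.0", "0.0.0.0")] + ACL_3001

if __name__ == "__main__":
    # constructed packets: (proto, source, destination port)
    for pkt in [("tcp", "192.168.1.10", 80), ("tcp", "192.168.1.200", 110),
                ("tcp", "192.168.1.200", 80), ("udp", "0.0.0.0", 67)]:
        print(pkt, filter_packet(ACL_3001, *pkt), filter_packet(ACL_3001_DHCP, *pkt))
```

The DHCP packet is dropped by the article's acl 3001 and accepted only once the tip-3 rule is present, which is the failure the tip describes.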