网络设备配置中经常使用的access-list(Cisco)或rule(华为设备中使用)网络设备配置中经常使用的访问列表或rule(华为设备中使用)
Cisco(or CLI like cisco device)
access-list 101 deny tcp any any eq chargen access-list 101 deny tcp any any eq echo access-list 101 deny tcp any any eq 135access-list 101 deny tcp any any eq 136access-list 101 deny tcp any any eq 137access-list 101 deny tcp any any eq 138access-list 101 deny tcp any any eq 139access-list 101 deny tcp any any eq 389access-list 101 deny tcp any any eq 445access-list 101 deny tcp any any eq 593access-list 101 deny udp any any eq 135access-list 101 deny udp any any eq 136access-list 101 deny udp any any eq netbios-ns access-list 101 deny udp any any eq netbios-dgm access-list 101 deny udp any any eq netbios-ss access-list 101 deny udp any any eq 389access-list 101 deny udp any any eq 445access-list 101 deny udp any any eq 593access-list 101 deny udp any any eq 1433access-list 101 deny udp any any eq 1434access-list 101 deny udp any eq 2699 any access-list 101 deny tcp any any eq 3389access-list 101 deny tcp any any eq 4444access-list 101 deny tcp any any eq 9996access-list 101 deny tcp any any eq 5554access-list 101 deny tcp any any eq 1068access-list 101 deny icmp any any access-list 101 deny 255 any any access-list 101 deny 0 any any access-list 101 permit ip any any
H3C(Just test at ComWare platform)
acl number 3001rule 10 deny tcp destination-port eq 445rule 11 deny udp destination-port eq 445rule 20 deny tcp destination-port eq 135rule 21 deny udp destination-port eq 135rule 30 deny tcp destination-port eq 137rule 31 deny udp destination-port eq netbios-ns rule 40 deny tcp destination-port eq 138rule 41 deny udp destination-port eq netbios-dgm rule 50 deny tcp destination-port eq 139rule 51 deny udp destination-port eq netbios-ssn rule 61 deny udp destination-port eq tftp rule 70 deny tcp destination-port eq 593rule 80 deny tcp destination-port eq 4444rule 90 deny tcp destination-port eq 707rule 100 deny tcp destination-port eq 1433rule 101 deny udp destination-port eq 1433rule 110 deny tcp destination-port eq 1434rule 111 deny udp destination-port eq 1434rule 120 deny tcp destination-port eq 5554rule 130 deny tcp destination-port eq 9996rule 141 deny udp source-port eq bootps rule 160 permit icmp icmp-type echo rule 161 permit icmp icmp-type echo-reply rule 162 permit icmp icmp-type ttl-exceeded rule 165 deny icmp rule 204 deny tcp destination-port eq 3389rule 205 permit ip acl number 3003rule 10 deny tcp destination-port eq 445rule 11 deny udp destination-port eq 445rule 20 deny tcp destination-port eq 135rule 21 deny udp destination-port eq 135rule 30 deny tcp destination-port eq 137rule 31 deny udp destination-port eq netbios-ns rule 40 deny tcp destination-port eq 138rule 41 deny udp destination-port eq netbios-dgm rule 50 deny tcp destination-port eq 139rule 51 deny udp destination-port eq netbios-ssn rule 61 deny udp destination-port eq tftp rule 70 deny tcp destination-port eq 593rule 80 deny tcp destination-port eq 4444rule 90 deny tcp
Linux下静态路由问题
destination-port eq 707rule 100 deny tcp destination-port eq 1433rule 101 deny udp destination-port eq 1433rule 110 deny tcp destination-port eq 1434rule 111 deny udp destination-port eq 1434rule 120 deny tcp destination-port eq 5554rule 130 deny tcp destination-port eq 9996rule 141 deny udp source-port eq bootps rule 160 permit icmp icmp-type echo rule 161 permit icmp icmp-type echo-reply rule 162 permit icmp icmp-type ttl-exceeded rule 165 deny icmp rule 204 deny tcp destination-port eq 3389rule 205 permit ip
两者有一些差异,但是防御的目标大体相同.这些目标包括"冲击波"及其变种,"蠕虫网"等.
从上面可以看出华为ComWare平台的设备能对ICMP做精确的控制!同样也可以在CISCO平台使用
... access-list 101 deny icmp any any echo-reply access-list 101 deny icmp any any echo access-list 101 deny icmp any any time-exceeded access-list 101 deny icmp any any ...
大家在配置上面的条目后一定要进行测试,确保不影响网络正常业务.比如上面的一些条目会使你通过samba进行文件共享失败,同样的Windows平台上的文件共享,RPC都不会正常工作.所以这些条目一般应用在网络出口或WAN上,而对网络内部交换机上的应用要修改要测试.
本文章为转载内容,我们尊重原作者对文章享有的著作权。如有内容错误或侵权问题,欢迎原作者联系我们进行内容更正或删除文章。
