CISCO IOS防火墙配置问题
悬赏分:0 - 解决时间:2008-10-9 17:46
悬赏分:0 - 解决时间:2008-10-9 17:46 请问下列几条命令分别表示什么意思
deny ip host 255.255.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip host 0.0.0.0 any
deny ip any any log
另一个严重的问题,如何根据那些ACL来判定是为信任接口还是非信任接口配置的呢?
10.1.2.0 |
内部 10.1.3.0 | 外部
64.1.1.4 |
access-list 102 remark auto generated by SDM firewall configuration
access-list 102 remark SDM_ACL Category=1
access-list 102 deny ip 10.1.3.0 0.0.0.255 any
access-list 102 deny ip 10.1.2.0 0.0.0.255 any
access-list 102 deny ip 64.1.1.4 0.0.0.3 any
access-list 102 deny ip host 255.255.255.255 any
access-list 102 deny ip 127.0.0.0 0.255.255.255 any
access-list 102 permit ip any any
access-list 103 remark auto generated by SDM firewall configuration
access-list 103 remark SDM_ACL Category=1
access-list 103 deny ip 10.1.3.0 0.0.0.255 any
access-list 103 deny ip 10.1.2.0 0.0.0.255 any
access-list 103 deny ip 10.1.4.0 0.0.0.255 any
access-list 103 permit icmp any host 64.1.1.5 echo-reply
access-list 103 permit icmp any host 64.1.1.5 time-exceeded
access-list 103 permit icmp any host 64.1.1.5 unreachable
access-list 103 permit ospf any any
access-list 103 deny ip 10.0.0.0 0.255.255.255 any
access-list 103 deny ip 172.16.0.0 0.15.255.255 any
access-list 103 deny ip 192.168.0.0 0.0.255.255 any
access-list 103 deny ip 127.0.0.0 0.255.255.255 any
access-list 103 deny ip host 255.255.255.255 any
access-list 103 deny ip host 0.0.0.0 any
access-list 103 deny ip any any log<这里,前面都是deny,为什么这里还有deny any any 呢,用这一句不是包含前面所有的了吗> 提问者: xianguo_he - 中级魔法师 四级
这是一个关于ios安全的配置,他保护的是一个身后的接口不接受到如下的包括RFC1918的地址,一般放在inbound方向也就是外部接口的in方向或内部接口的out方向: deny ip host 255.255.255.255 any 广播流量 deny ip 127.0.0.0 0.255.255.255 any换回地址 deny ip host 0.0.0.0 any dhcp第一个包,也是不应该的 deny ip any any log这句的意思是deny掉所有流量还要发log信息。 你最后的deny any是比较讲究的配法,没有错误。 上面的人说的话真是。。。
0
提问者对于答案的评价:
感谢感谢
