华为设备防病毒ACL配置实例
|
创建acl
acl number 100 禁止ping
rule deny icmp source any destination any 用于控制Blaster蠕虫的传播
rule deny udp source any destination any destination-port eq 69 rule deny tcp source any destination any destination-port eq 4444 用于控制冲击波病毒的扫描和攻击
rule deny tcp source any destination any destination-port eq 135 rule deny udp source any destination any destination-port eq 135 rule deny udp source any destination any destination-port eq netbios-ns rule deny udp source any destination any destination-port eq netbios-dgm rule deny tcp source any destination any destination-port eq 139 rule deny udp source any destination any destination-port eq 139 rule deny tcp source any destination any destination-port eq 445 rule deny udp source any destination any destination-port eq 445 rule deny udp source any destination any destination-port eq 593 rule deny tcp source any destination any destination-port eq 593 用于控制振荡波的扫描和攻击
rule deny tcp source any destination any destination-port eq 445 rule deny tcp source any destination any destination-port eq 5554 rule deny tcp source any destination any destination-port eq 9995 rule deny tcp source any destination any destination-port eq 9996 用于控制 Worm_MSBlast.A 蠕虫的传播
rule deny udp source any destination any destination-port eq 1434 一些不出名的病毒端口号
rule deny tcp source any destination any destination-port eq 1068 rule deny tcp source any destination any destination-port eq 5800 rule deny tcp source any destination any destination-port eq 5900 rule deny tcp source any destination any destination-port eq 10080 rule deny tcp source any destination any destination-port eq 455 rule deny udp source any destination any destination-port eq 455 rule deny tcp source any destination any destination-port eq 3208 rule deny tcp source any destination any destination-port eq 1871 rule deny tcp source any destination any destination-port eq 4510 rule deny udp source any destination any destination-port eq 4334 rule deny tcp source any destination any destination-port eq 4331 rule deny tcp source any destination any destination-port eq 4557 下发配置
packet-filter ip-group 100 目的:针对目前网上出现的问题,对目的是端口号为1434的UDP报文进行过滤的配置方法,详细和复杂的配置请看配置手册。 NE80的配置:
NE80(config)#rule-map r1 udp any any eq 1434 //r1为role-map的名字,udp 为关键字,any any 所有源、目的IP,eq为等于,1434为udp端口号 NE80(config)#acl a1 r1 deny //a1为acl的名字,r1为要绑定的rule-map的名字 NE80(config-if-Ethernet1/0/0)#access-group acl a1 //在1/0/0接口上绑定acl,acl为关键字,a1为acl的名字 NE16的配置:
NE16-4(config)#firewall enable all //首先启动防火墙 NE16-4(config)#access-list 101 deny udp any any eq 1434 //deny为禁止的关键字,针对udp报文,any any 为所有源、目的IP,eq为等于,1434为udp端口号 NE16-4(config-if-Ethernet2/2/0)#ip access-group 101 in //在接口上启用access-list,in表示进来的报文,也可以用out表示出去的报文 中低端路由器的配置
[Router]firewall enable [Router]acl 101 [Router-acl-101]rule deny udp source any destion any destination-port eq 1434 [Router-Ethernet0]firewall packet-filter 101 inbound 6506产品的配置:
旧命令行配置如下: 6506(config)#acl extended aaa deny protocol udp any any eq 1434 6506(config-if-Ethernet5/0/1)#access-group aaa 国际化新命令行配置如下: [Quidway]acl number 100 [Quidway-acl-adv-100]rule deny udp source any destination any destination-port eq 1434 [Quidway-acl-adv-100]quit [Quidway]interface ethernet 5/0/1 [Quidway-Ethernet5/0/1]packet-filter inbound ip-group 100 not-care-for-interface 5516产品的配置:
旧命令行配置如下: 5516(config)#rule-map l3 aaa protocol-type udp ingress any egress any eq 1434 5516(config)#flow-action fff deny 5516(config)#acl bbb aaa fff 5516(config)#access-group bbb 国际化新命令行配置如下: [Quidway]acl num 100 [Quidway-acl-adv-100]rule deny udp source any destination any destination-port eq 1434 [Quidway]packet-filter ip-group 100 3526产品的配置:
旧命令行配置如下: rule-map l3 r1 0.0.0.0 0.0.0.0 1.1.0.0 255.255.0.0 eq 1434 flow-action f1 deny acl acl1 r1 f1 access-group acl1 国际化新命令配置如下: acl number 100 rule 0 deny udp source 0.0.0.0 0 source-port eq 1434 destination 1.1.0.0 0 packet-filter ip-group 101 rule 0 注:3526产品只能配置外网对内网的过滤规则,其中1.1.0.0 255.255.0.0是内网的地址段。 8016产品的配置: 旧命令行配置如下: 8016(config)#rule-map intervlan aaa udp any any eq 1434 8016(config)#acl bbb aaa deny 8016(config)#access-group acl bbb vlan 10 port all 国际化新命令行配置如下: 8016(config)#rule-map intervlan aaa udp any any eq 1434 8016(config)#eacl bbb aaa deny 8016(config)#access-group eacl bbb vlan 10 port all |
