华为防火墙典型配置


#
web-manager enable
#
firewall packet-filter default permit interzone local trust direction inbound
firewall packet-filter default permit interzone local trust direction outbound
firewall packet-filter default permit interzone local untrust direction inbound
firewall packet-filter default permit interzone local untrust direction outbound
firewall packet-filter default permit interzone local dmz direction inbound
firewall packet-filter default permit interzone local dmz direction outbound
firewall packet-filter default permit interzone trust untrust direction inbound
firewall packet-filter default permit interzone trust untrust direction outbound
firewall packet-filter default permit interzone trust dmz direction inbound
firewall packet-filter default permit interzone trust dmz direction outbound
firewall packet-filter default permit interzone dmz untrust direction inbound
firewall packet-filter default permit interzone dmz untrust direction outbound
#
nat address-group 10 222.240.221.50 222.240.221.50
nat address-group 20 222.240.221.52 222.240.221.52
nat address-group 30 222.240.221.53 222.240.221.53
nat server protocol tcp global 222.240.221.51 www inside 10.43.0.3 www
nat server protocol tcp global 222.240.221.56 www inside 10.43.0.3 83
nat server protocol tcp global 222.240.221.54 www 80 inside 10.43.0.3 10.43.0.3 82
firewall permit sub-ip
#
dhcp server forbidden-ip 10.72.0.1
dhcp server forbidden-ip 10.72.0.2
dhcp server forbidden-ip 10.72.0.3
dhcp server forbidden-ip 10.72.0.4
dhcp server forbidden-ip 10.72.0.5
dhcp server forbidden-ip 10.72.0.251
dhcp server forbidden-ip 10.72.0.252
dhcp server forbidden-ip 10.72.0.253
dhcp server forbidden-ip 10.72.0.254
dhcp server forbidden-ip 10.43.0.1
dhcp server forbidden-ip 10.43.0.2
dhcp server forbidden-ip 10.43.0.3
dhcp server forbidden-ip 10.43.0.4
dhcp server forbidden-ip 10.43.0.5
dhcp server forbidden-ip 10.43.0.251
dhcp server forbidden-ip 10.43.0.252
dhcp server forbidden-ip 10.43.0.253
dhcp server forbidden-ip 10.43.0.254
dhcp server forbidden-ip 10.72.0.250
dhcp server forbidden-ip 10.43.0.250
dhcp server forbidden-ip 10.55.0.1
dhcp server forbidden-ip 10.55.0.2
dhcp server forbidden-ip 10.55.0.3
dhcp server forbidden-ip 10.55.0.4
dhcp server forbidden-ip 10.55.0.5
dhcp server forbidden-ip 10.55.0.250
dhcp server forbidden-ip 10.55.0.251
dhcp server forbidden-ip 10.55.0.252
dhcp server forbidden-ip 10.55.0.253
dhcp server forbidden-ip 10.55.0.254
dhcp enable
#
firewall mac-binding enable
#
firewall statistic system enable
#
dns resolve
dns server 222.246.129.80
dns server 59.51.78.210
#
dhcp server ip-pool 10.43.0.254
network 10.43.0.0 mask 255.255.255.0
gateway-list 10.43.0.254
dns-list 222.246.129.80 59.51.78.210
#
dhcp server ip-pool 10.55.0.254
network 10.55.0.0 mask 255.255.255.0
gateway-list 10.55.0.254
dns-list 222.246.129.80 59.51.78.210
#


dhcp server ip-pool 10.72.0.254
network 10.72.0.0 mask 255.255.255.0
gateway-list 10.72.0.254
dns-list 222.246.129.80 59.51.78.210
#
interface GigabitEthernet0/0
ip address 222.240.221.50 255.255.255.240
#
interface GigabitEthernet0/1
ip address 10.72.0.254 255.255.255.0
#
interface GigabitEthernet0/2
ip address 10.43.0.254 255.255.255.0
#
interface GigabitEthernet0/3
ip address 10.55.0.254 255.255.255.0
#
interface Secp3/0
#
interface NULL0
#
right-manager server-group
#
acl number 2000
rule 0 permit source 10.43.0.0 0.0.0.255
acl number 2001
rule 0 permit source 10.55.0.0 0.0.0.255
rule 5 permit source 10.72.0.254 0
acl number 2002
rule 0 permit source 10.72.0.0 0.0.0.255
acl number 2100
rule 0 permit source 10.43.0.0 0.0.0.255
rule 5 permit source 10.55.0.0 0.0.0.255
rule 10 permit source 10.72.0.0 0.0.0.255
#
acl number 3000
rule 0 permit tcp destination-port eq telnet
acl number 3001
rule 0 permit tcp destination 10.43.0.3 0 destination-port eq www
rule 5 permit tcp destination 10.43.0.3 0 destination-port eq 83
#
firewall zone local
set priority 100
#
firewall zone trust
set priority 85
add interface GigabitEthernet0/1
add interface GigabitEthernet0/2
add interface GigabitEthernet0/3
#
firewall zone untrust
set priority 5
add interface GigabitEthernet0/0
#
firewall zone dmz
set priority 50
#
firewall interzone local trust
packet-filter 2100 inbound
packet-filter 2100 outbound
#
firewall interzone local untrust
packet-filter 3000 inbound
detect http
detect activex-blocking
#
firewall interzone local dmz
#
firewall interzone trust untrust
packet-filter 3001 inbound
nat outbound 2000 address-group 10
nat outbound 2001 address-group 20
nat outbound 2002 address-group 30
detect ftp
detect pptp
detect http
detect qq
detect msn
#
firewall interzone trust dmz
detect ftp
detect pptp
detect hwcc
detect http
detect netbios
#
firewall interzone dmz untrust
packet-filter 3001 inbound
#
cms
set re_establish true
set reSendCount 2
set graceperiod 30
set oldkeylife 10080
set waittime 1000
set cms name cms/https://www.360docs.net/doc/d44396847.html, realm https://www.360docs.net/doc/d44396847.html,
set cms_ncs_port 2727
set clockskew 300
set sa duration_time 600
set authentication-algorithm sha1
set encryption-algorithm 3des
#
aaa
local-user admin password simple 4226198abcdefg
local-user admin service-type web
local-user admin level 3
authentication-scheme default
#
authorization-scheme default
#
accounting-scheme default
#
domain default
#
#
slb
#
ip route-static 0.0.0.0 0.0.0.0 222.240.221.49
#
user-interface con 0
user-interface vty 0 4
user privilege level 3
set authentication password cipher N`C55QK<`=/Q=^Q`MAF4<1!!
#
common
update auto ips time 2:05
update auto dpi time 2:05
update server server-name https://www.360docs.net/doc/d44396847.html,
#
surfbehavior
#
ips
#
protocol
ftp inspect enable
dns inspect enable
smtp inspect enable
pop3 inspect enable
imap inspect enable
http inspect enable
#
mailfilter
#
return
