
Simple firewall

Published: 2007-6-23 18:14 | Author:   | Source:   | Views: 11


   
  interface Ethernet 0/0 ! Mosbach local
  ip address 129.143.204.13 255.255.255.252
  description Ethernet zum RZ-Router
  no ip directed-broadcast ! because of attackers (denial of service)

  ip inspect FIWA in ! stateful inspection of IP traffic
  ip access-group 101 in ! anti-spoofing
  ip access-group 102 out ! additional world-to-LAN filter because of the servers
  no shutdown
  !
  no access-list 101
  access-list 101 permit tcp 129.143.204.12 0.0.0.3 any ! RZ router anti-spoofing
  access-list 101 permit udp 129.143.204.12 0.0.0.3 any ! RZ router anti-spoofing
  access-list 101 permit icmp 129.143.204.12 0.0.0.3 any ! RZ router anti-spoofing
  access-list 101 permit tcp 193.196.5.0 0.0.0.255 any ! BA-Mo network anti-spoofing
  access-list 101 permit udp 193.196.5.0 0.0.0.255 any ! BA-Mo network anti-spoofing
  access-list 101 permit icmp 193.196.5.0 0.0.0.255 any ! BA-Mo network anti-spoofing
  access-list 101 deny ip any any
  !
  ! Permit certain services to the servers
  no access-list 102
  !
  access-list 102 permit tcp any any eq 22 ! SSH
  access-list 102 permit tcp any any eq 113 ! Ident
  access-list 102 permit tcp any any eq 487 ! SAFT
  !
  access-list 102 permit tcp any gt 1023 host 193.196.5.107 eq 21 ! FTP commands (for PASV FTP)
  access-list 102 permit tcp any gt 1023 host 193.196.5.105 eq 21 ! FTP commands (for PASV FTP)
  !
  access-list 102 permit tcp any host 193.196.5.107 eq 25 ! allow SMTP
  access-list 102 permit tcp any host 193.196.5.105 eq 25 ! allow SMTP
  !
  access-list 102 permit tcp host 129.143.2.1 host 193.196.5.107 eq 53 ! DNS zone transfer
  access-list 102 permit tcp host 129.206.100.126 host 193.196.5.107 eq 53 ! DNS zone transfer
  access-list 102 permit tcp host 129.206.100.127 host 193.196.5.107 eq 53 ! DNS zone transfer
  access-list 102 permit tcp host 129.143.2.1 host 193.196.5.105 eq 53 ! DNS zone transfer
  access-list 102 permit tcp host 129.206.100.126 host 193.196.5.105 eq 53 ! DNS zone transfer
  access-list 102 permit tcp host 129.206.100.127 host 193.196.5.105 eq 53 ! DNS zone transfer
  !
  access-list 102 permit tcp any host 193.196.5.107 eq 80 ! WWW
  access-list 102 permit tcp any host 193.196.5.105 eq 80 ! WWW
  !
  access-list 102 permit tcp any host 193.196.5.107 eq 119 ! NNTP
  access-list 102 permit tcp any host 193.196.5.105 eq 119 ! NNTP
  !
  access-list 102 permit udp any host 193.196.5.107 eq 123 ! NTP
  access-list 102 permit udp any host 193.196.5.105 eq 123 ! NTP
  !
  access-list 102 permit tcp any host 193.196.5.107 eq 389 ! LDAP
  access-list 102 permit tcp any host 193.196.5.105 eq 389 ! LDAP
  !
  access-list 102 permit tcp any host 193.196.5.107 eq 443 ! HTTPS
  access-list 102 permit tcp any host 193.196.5.105 eq 443 ! HTTPS
  !
  access-list 102 permit tcp any host 193.196.5.107 eq 993 ! secure IMAP
  access-list 102 permit tcp any host 193.196.5.105 eq 993 ! secure IMAP
  !
  access-list 102 permit tcp any host 193.196.5.107 eq 995 ! secure POP3
  access-list 102 permit tcp any host 193.196.5.105 eq 995 ! secure POP3
  !
  ! with lower security requirements:
  !
  access-list 102 permit tcp any host 193.196.5.107 eq 110 ! allow POP3
  access-list 102 permit tcp any host 193.196.5.105 eq 110 ! allow POP3
  access-list 102 permit udp any host 193.196.5.105 eq 53 ! DNS queries
  access-list 102 permit udp any host 193.196.5.107 eq 53 ! DNS queries
  !
  !
  access-list 102 permit icmp any host 193.196.5.107 administratively-prohibited
  access-list 102 permit icmp any host 193.196.5.107 echo
  access-list 102 permit icmp any host 193.196.5.107 echo-reply
  access-list 102 permit icmp any host 193.196.5.107 packet-too-big
  access-list 102 permit icmp any host 193.196.5.107 time-exceeded
  access-list 102 permit icmp any host 193.196.5.107 traceroute
  access-list 102 permit icmp any host 193.196.5.107 unreachable
  access-list 102 deny ip any any
  !
  ip inspect name FIWA http java-list 50 ! reject JavaScript according to ACL 50
  ip inspect name FIWA realaudio timeout 3600
  ip inspect name FIWA smtp timeout 3600
  ip inspect name FIWA tftp timeout 30
  ip inspect name FIWA ftp timeout 3600
  ip inspect name FIWA udp timeout 15
  ip inspect name FIWA tcp timeout 3600
  !
  no access-list 50
  access-list 50 permit any log
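The filter above relies on two properties of IOS access lists: entries are evaluated top to bottom and the first match wins, and every list ends in an implicit deny, so anything not explicitly permitted to the servers is dropped. The following Python script is an added example, not part of the original page or of any Cisco tool: it parses the extended-ACL syntax used above (any/host/wildcard addresses, eq/gt port operators, ICMP type names), evaluates constructed sample packets against a subset of ACL 101 and ACL 102, and flags permit entries whose destination is "any" so that an operator can check what a change to the list actually exposes before loading it on the router. Only contiguous wildcard masks are supported; the sample ACL text is constructed from the page's entries.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: a subset of the page's ACL 101 (anti-spoofing) and ACL 102
# (per-server service filter) in the strict variant, without the POP3/UDP-53 entries.
ACL_TEXT = """
access-list 101 permit tcp 129.143.204.12 0.0.0.3 any
access-list 101 permit udp 129.143.204.12 0.0.0.3 any
access-list 101 permit icmp 129.143.204.12 0.0.0.3 any
access-list 101 permit tcp 193.196.5.0 0.0.0.255 any
access-list 101 permit udp 193.196.5.0 0.0.0.255 any
access-list 101 permit icmp 193.196.5.0 0.0.0.255 any
access-list 101 deny ip any any
access-list 102 permit tcp any any eq 22                              ! SSH
access-list 102 permit tcp any gt 1023 host 193.196.5.107 eq 21       ! FTP control
access-list 102 permit tcp any host 193.196.5.107 eq 25               ! SMTP
access-list 102 permit tcp host 129.143.2.1 host 193.196.5.107 eq 53  ! zone transfer
access-list 102 permit udp any host 193.196.5.107 eq 123              ! NTP
access-list 102 permit icmp any host 193.196.5.107 echo
access-list 102 deny ip any any
"""

PortSpec = Optional[Tuple[str, int]]  # ("eq" | "gt" | "lt", port) or None = any port


@dataclass
class Rule:
    acl: str
    action: str
    proto: str
    src: ipaddress.IPv4Network
    sport: PortSpec
    dst: ipaddress.IPv4Network
    dport: PortSpec
    icmp_type: Optional[str]


def _addr(tok: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse 'any' | 'host A' | 'A WILDCARD' starting at tok[i]; return (network, next index)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    # An IOS wildcard mask is the bitwise inverse of a netmask (contiguous masks only here).
    wildcard = int(ipaddress.IPv4Address(tok[i + 1]))
    netmask = ipaddress.IPv4Address(~wildcard & 0xFFFFFFFF)
    return ipaddress.ip_network(f"{tok[i]}/{netmask}", strict=False), i + 2


def _port(tok: List[str], i: int) -> Tuple[PortSpec, int]:
    if i < len(tok) and tok[i] in ("eq", "gt", "lt"):
        return (tok[i], int(tok[i + 1])), i + 2
    return None, i


def parse_acl(text: str) -> List[Rule]:
    rules = []
    for raw in text.splitlines():
        line = raw.split("!", 1)[0].strip()  # '!' starts a comment in IOS
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list":
            continue  # blank lines and non-ACL statements such as 'no access-list 102'
        acl, action, proto = tok[1], tok[2], tok[3]
        src, i = _addr(tok, 4)
        sport, i = _port(tok, i)
        dst, i = _addr(tok, i)
        dport, i = _port(tok, i)
        icmp_type = tok[i] if proto == "icmp" and i < len(tok) else None
        rules.append(Rule(acl, action, proto, src, sport, dst, dport, icmp_type))
    return rules


def _port_ok(spec: PortSpec, port: Optional[int]) -> bool:
    if spec is None:
        return True
    if port is None:
        return False  # entry requires a port the packet did not supply
    op, n = spec
    return {"eq": port == n, "gt": port > n, "lt": port < n}[op]


def evaluate(rules, acl, proto, src, dst, sport=None, dport=None, icmp_type=None) -> str:
    """Return 'permit' or 'deny' for one packet: first matching entry wins, and a
    packet matching no entry hits the implicit deny at the end of the list."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r.acl != acl or r.proto not in ("ip", proto):
            continue
        if s not in r.src or d not in r.dst:
            continue
        if not (_port_ok(r.sport, sport) and _port_ok(r.dport, dport)):
            continue
        if r.icmp_type is not None and r.icmp_type != icmp_type:
            continue
        return r.action
    return "deny"


def broad_permits(rules, acl) -> List[Rule]:
    """Permit entries whose destination is 'any'; in a filter meant to expose
    specific servers these deserve a second look."""
    return [r for r in rules if r.acl == acl and r.action == "permit" and r.dst.prefixlen == 0]


if __name__ == "__main__":
    rules = parse_acl(ACL_TEXT)
    print(evaluate(rules, "102", "tcp", "203.0.113.5", "193.196.5.107", 40000, 25))  # permit
    print(evaluate(rules, "102", "tcp", "203.0.113.5", "193.196.5.107", 40000, 23))  # deny
    print(len(broad_permits(rules, "102")))  # 1 (the 'any any eq 22' entry)
```

The FTP entry illustrates why the source-port operator matters: a connection to port 21 from an unprivileged source port is permitted, while the same destination from source port 80 falls through to the final deny. The zone-transfer entries behave the same way for the source address, which is the reason the page lists each secondary name server individually instead of opening TCP 53 to the world.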
  
  Comment: It is quite good, but there are too many access-list entries; once hit by a DoS attack the router might collapse immediately... reboot... So I think another router should be added in front to do TCP Intercept to block the DoS attack. As follows:
  Suppose we are managing TCP connection requests to destination hosts within the server networks 192.168.111.0 & 192.168.112.0. Use intercept mode, dropping connections at random:
  access-list 123 permit tcp any 192.168.111.0 0.0.0.255
  access-list 123 permit tcp any 192.168.112.0 0.0.0.255
  ip tcp intercept list 123
  ip tcp intercept mode intercept
  ip tcp intercept drop-mode random
  
  After that is done, set up HSRP between the two routers ........
  
  That should be alright... heh heh....

Article source: 领测软件测试网 https://www.ltesting.net/