>
基于包过滤的FIREWALL的过滤法则

基于包过滤的FIREWALL的过滤法则

下面是我觉得有必要的法则:

# Between The World and Public Interface
# Service : Anti Spoofing
# Description : Deny inbound non-secure packets with secure
source addresses
#
# 禁止IP欺骗:
# 攻击者伪造IP,使IP包看来像从安全网络的一台信任主机发出的,所以我们拒绝目标地址为安全网段IP的包从非安全网卡出站
#
deny 0 0 192.168.1.1 255.255.255.0 all any 0 any 0 non-secure
both outbound l=n f=y
#
# Between RFC 1627 Clase B reserves IP and The World
# Service : Deny Inbound Non-secure Interface
# Description : Deny Inbound Non-secure Interface
#
# 禁止源IP地址为B类保留IP地址的IP包从非安全网卡进站
#
deny 172.16.0.0 255.240.0.0 0 0 all any 0 any 0 non-secure
both inbound l=n f=y
#
# Between RFC 1627 Clase C reserves IP and The World
# Service : Deny Inbound Non-secure Interface
# Description : Deny Inbound Non-secure Interface
#
# 禁止源IP地址为C类保留IP地址的IP包从非安全网卡进站
#
deny 192.168.0.0 255.255.0.0 0 0 all any 0 any 0 non-secure
both inbound l=n f=y
#
# Between RFC 1627 Clase A reservers IP and The World
# Service : Deny Inbound Non-secure Interface
# Description : Deny Inbound Non-secure Interface
#
# 禁止源IP地址为A类保留IP地址的IP包从非安全网卡进站
#
deny 10.0.0.0 255.0.0.0 0 0 all any 0 any 0 non-secure both
inbound l=n f=y
#
# Between The World and The World
# Service : Definiton UDP port 514
# Description : Definiton UDP port 514
#
# 保护SYSLOG SERVER(UDP PROT 514)
#
deny 0 0 0 0 udp any 0 eq 514 both both both l=n f=y
#
# Between Loopback Address and The World
# Service : All Deny
# Description : All Deny
#
# Loopback地址是不会出现在真实的网卡上的,禁止Loopback地址进出FIREWALL
#
deny 127.0.0.0 255.0.0.0 0 0 all any 0 any 0 both both both
l=y f=y
#
# Between The World and The World
# Service : Protect Resource System
# Description : Protect Resource System
#
# 这是AIX控制系统资源的端口,Ω媒
#
deny 0 0 0 0 all any 0 eq 200 non-secure both inbound l=n
f=y
#
# Between Security Network and The World
# Service : HTTP direct out
# Description : Permit HTTP from secure network directly to
non-secure network
#
# 允许从安全网络访问外部网络的WEB资源
#
permit 192.168.1.0 255.255.255.0 0 0 tcp gt 1023 eq 80 secure
route inbound l=n f=y
permit 192.168.1.0 255.255.255.0 0 0 tcp gt 1023 eq 80 non-secure
route outbound l=n f=y
permit 0 0 192.168.1.0 255.255.255.0 tcp/ack eq 80 gt 1023
non-secure route inbound l=n f=y
permit 0 0 192.168.1.0 255.255.255.0 tcp/ack eq 80 gt 1023
secure route outbound l=n f=y
#
# Between Security Network and The World
# Service : Ping
# Description : Permit Ping outbound secure network to anywhere
#
# 允许从安全网络PING外部网络
#
permit 192.168.1.0 255.255.255.0 0 0 icmp eq 8 eq 0 both both
both l=n f=y
permit 0 0 192.168.1.0 255.255.255.0 icmp eq 0 eq 0 both both
both l=n f=y
#
# Between Security Network and The World
# Service : Allow FTP outbound Secure Interface
# Description : Allow FTP outbound Secure Interface
#
# 允许从安全网络FTP到外部网络的FTP SERVER
#
route inbound l=n f=y
permit 192.168.1.0 255.255.255.0 0 0 tcp gt 1023 eq 21 non-secure
route outbound l=n f=y
permit 0 0 192.168.1.0 255.255.255.0 tcp/ack eq 21 gt 1023
permit 192.168.1.0 255.255.255.0 0 0 tcp gt 1023 eq 21 secure
non-secure route inbound l=n f=y
permit 0 0 192.168.1.0 255.255.255.0 tcp/ack eq 21 gt 1023
secure route outbound l=n f=y
permit 0 0 192.168.1.0 255.255.255.0 tcp eq 20 gt 1023 non-secure
route inbound l=n f=y
permit 0 0 192.168.1.0 255.255.255.0 tcp eq 20 gt 1023 secure
route outbound l=n f=y
permit 192.168.1.0 255.255.255.0 0 0 tcp/ack gt 1023 eq 20
non-secure route outbound l=n f=y
permit 192.168.1.0 255.255.255.0 0 0 tcp/ack gt 1023 eq 20
secure route inbound l=n f=y
permit 0 0 192.168.1.0 255.255.255.0 tcp/ack gt 1023 gt 1023
non-secure route inbound l=n f=y
permit 0 0 192.168.1.0 255.255.255.0 tcp/ack gt 1023 gt 1023
secure route outbound l=n f=y
permit 192.168.1.0 255.255.255.0 0 0 tcp gt 1023 gt 1023 secure
route inbound l=n f=y
permit 192.168.1.0 255.255.255.0 0 0 tcp gt 1023 gt 1023 non-secure
route outbound l=n f=y
#
# Between Security Network and The World
# Service : Telnet direct out
# Description : Permit Telnet outbound from secure network
to non-secure network
#
# 允许从安全网络TELNET外部网络的主机
#
permit 192.168.1.0 255.255.255.0 0 0 tcp gt 1023 eq 23 secure
route inbound l=n f=y
permit 192.168.1.0 255.255.255.0 0 0 tcp gt 1023 eq 23 non-secure
route outbound l=n f=y
permit 0 0 192.168.1.0 255.255.255.0 tcp/ack eq 23 gt 1023
non-secure route inbound l=n f=y
permit 0 0 192.168.1.0 255.255.255.0 tcp/ack eq 23 gt 1023
secure route outbound l=n f=y


--------------------------------------------------------------------------------


上一篇:Win2000 Server入侵监测
下一篇:安全事件日志中的事件编号与描述

相关文章: 无相关信息
热门文章:

  • ·H3C交换机查看光功率、收发光情况的命
  • ·Mac OS X 通过Terminal和shell修改DNS
  • ·无线路由器的设置使用方法
  • ·常用交换机状态查询命令
  • ·巧设无线路由获得更稳定信号
  • ·CISCO路由器的端口聚合功能详解
  • ·H3C 交换机的基础配置和命令行与无线路
  • ·云主机配置OpenStack使用spice的方法
  • ·VMware VSAN 入门与配置VSAN网络和集群
  • ·ups连接输入输出电缆注意事项
  • ·CISCO Switch port-channel追加vlan设
  • ·文件服务器安装与配置Windows Server

  • 发表点评 共有条点评
    会员 内容 时间
    用户名: 密码:
    验证码: 匿名发表