創建acl
acl number 100
禁ping
rule deny icmp source any destination any
用於控制Blaster蠕蟲的傳播
rule deny udp source any destination any destination-port eq 69
rule deny tcp source any destination any destination-port eq 4444
用於控制衝擊波病毒的掃描和***
rule deny tcp source any destination any destination-port eq 135
rule deny udp source any destination any destination-port eq 135
rule deny udp source any destination any destination-port eq netbios-ns
rule deny udp source any destination any destination-port eq netbios-dgm
rule deny tcp source any destination any destination-port eq 139
rule deny udp source any destination any destination-port eq 139
rule deny tcp source any destination any destination-port eq 445
rule deny udp source any destination any destination-port eq 445
rule deny udp source any destination any destination-port eq 593
rule deny tcp source any destination any destination-port eq 593
用於控制振盪波的掃描和***
rule deny tcp source any destination any destination-port eq 445
rule deny tcp source any destination any destination-port eq 5554
rule deny tcp source any destination any destination-port eq 9995
rule deny tcp source any destination any destination-port eq 9996
用於控制 Worm_MSBlast.A 蠕蟲的傳播
rule deny udp source any destination any destination-port eq 1434
下面的不出名的病毒端口號 (可以不作)
rule deny tcp source any destination any destination-port eq 1068
rule deny tcp source any destination any destination-port eq 5800
rule deny tcp source any destination any destination-port eq 5900
rule deny tcp source any destination any destination-port eq 10080
rule deny tcp source any destination any destination-port eq 455
rule deny udp source any destination any destination-port eq 455
rule deny tcp source any destination any destination-port eq 3208
rule deny tcp source any destination any destination-port eq 1871
rule deny tcp source any destination any destination-port eq 4510
rule deny udp source any destination any destination-port eq 4334
rule deny tcp source any destination any destination-port eq 4331
rule deny tcp source any destination any destination-port eq 4557
然後下發配置
packet-filter ip-group 100
目的:針對目前網上出現的問題,對目的是端口號爲1434的UDP報文進行過濾的配置方法,詳細和複雜的配置請看配置手冊。
NE80的配置:
NE80(config)#rule-map r1 udp any any eq 1434
//r1爲role-map的名字,udp 爲關鍵字,any any 所有源、目的IP,eq爲等於,1434爲udp端口號
NE80(config)#acl a1 r1 deny
//a1爲acl的名字,r1爲要綁定的rule-map的名字,
NE80(config-if-Ethernet1/0/0)#access-group acl a1
//在1/0/0接口上綁定acl,acl爲關鍵字,a1爲acl的名字
NE16的配置:
NE16-4(config)#firewall enable all
//首先啓動防火牆
NE16-4(config)#access-list 101 deny udp any any eq 1434
//deny爲禁止的關鍵字,針對udp報文,any any 爲所有源、目的IP,eq爲等於, 1434爲udp端口號
NE16-4(config-if-Ethernet2/2/0)#ip access-group 101 in
//在接口上啓用access-list,in表示進來的報文,也可以用out表示出去的報文
中低端路由器的配置
[Router]firewall enable
[Router]acl 101
[Router-acl-101]rule deny udp source any destion any destination-port eq 1434
[Router-Ethernet0]firewall packet-filter 101 inbound
6506產品的配置:
舊命令行配置如下:
6506(config)#acl extended aaa deny protocol udp any any eq 1434
6506(config-if-Ethernet5/0/1)#access-group aaa
國際化新命令行配置如下:
[Quidway]acl number 100
[Quidway-acl-adv-100]rule deny udp source any destination any destination-port eq 1434
[Quidway-acl-adv-100]quit
[Quidway]interface ethernet 5/0/1
[Quidway-Ethernet5/0/1]packet-filter inbound ip-group 100 not-care-for-interface
5516產品的配置:
舊命令行配置如下:
5516(config)#rule-map l3 aaa protocol-type udp ingress any egress any eq 1434
5516(config)#flow-action fff deny
5516(config)#acl bbb aaa fff
5516(config)#access-group bbb
國際化新命令行配置如下:
[Quidway]acl num 100
[Quidway-acl-adv-100]rule deny udp source any destination any destination-port eq 1434
[Quidway]packet-filter ip-group 100
3526產品的配置:
舊命令行配置如下:
rule-map l3 r1 0.0.0.0 0.0.0.0 1.1.0.0 255.255.0.0 eq 1434
flow-action f1 deny
acl acl1 r1 f1
access-group acl1
國際化新命令配置如下:
acl number 100
rule 0 deny udp source 0.0.0.0 0 source-port eq 1434 destination 1.1.0.0 0
packet-filter ip-group 101 rule 0
注:3526產品只能配置外網對內網的過濾規則,其中1.1.0.0 255.255.0.0是內網的地址段。
8016產品的配置:
舊命令行配置如下:
8016(config)#rule-map intervlan aaa udp any any eq 1434
8016(config)#acl bbb aaa deny
8016(config)#access-group acl bbb vlan 10 port all
國際化新命令行配置如下:
8016(config)#rule-map intervlan aaa udp any any eq 1434
8016(config)#eacl bbb aaa deny
8016(config)#access-group eacl bbb vlan 10 port all
華爲3COM交換機防病毒策略
發表評論
所有評論
還沒有人評論,想成為第一個評論的人麼? 請在上方評論欄輸入並且點擊發布.