Huawei Firewall Security Policy Configuration

怎甘沉沦 Submitted on 2019-11-30 11:39:55

I. Configuration requirements and topology


Requirements:
1. Users in the Trust zone can access users in the Untrust zone and the DMZ zone;
2. Users in the Untrust zone can only reach ICMP and Telnet services in the DMZ zone;
3. Users in the DMZ zone can access neither the Untrust zone nor the Trust zone;
4. Within the trust zone, only ICMP traffic with source address 192.168.1.0/24 is allowed;
II. Basic configuration
Firewall huaweiFW

system-view 
sysname huaweiFW
interface GigabitEthernet0/0/0
 ip address 202.100.1.10 255.255.255.0
quit
interface GigabitEthernet0/0/1
 ip address 172.16.1.10 255.255.255.0
quit
interface GigabitEthernet0/0/2
 ip address 192.168.1.10 255.255.255.0
quit
interface GigabitEthernet0/0/3
 ip address 192.168.10.10 255.255.255.0
quit
firewall zone trust
 add interface GigabitEthernet0/0/2
 add interface GigabitEthernet0/0/3
 quit
firewall zone untrust
 add interface GigabitEthernet0/0/0
 quit
firewall zone dmz
 add interface GigabitEthernet0/0/1
 quit
 
AR1:
system-view 
sysname AR5
interface GigabitEthernet0/0/0
 ip address 192.168.10.1 255.255.255.0 
quit
ip route-static 0.0.0.0 0.0.0.0 192.168.10.10 ==next hop is the firewall's GE0/0/3 address, not the router's own interface address

AR2

system-view 
sysname DMZ
interface GigabitEthernet 0/0/0
ip address 172.16.1.1 24
quit
ip route-static 0.0.0.0 0 172.16.1.10

AR3
system-view 
sysname trust
interface GigabitEthernet 0/0/0
ip address 192.168.1.1 24
interface loopback0
ip address 2.2.2.2 32
quit
ip route-static 0.0.0.0 0 192.168.1.10
quit
III. Firewall policy configuration
The firewall's default policies are:
#                                         
 firewall packet-filter default permit interzone local trust direction inbound
 firewall packet-filter default permit interzone local trust direction outbound
 firewall packet-filter default permit interzone local untrust direction outbound
 firewall packet-filter default permit interzone local dmz direction outbound
firewall session link-state check ==enable session link-state checking
firewall packet-filter default deny all ==deny all traffic by default
Configure the security access policies
Trust zone users can access Untrust zone and DMZ zone users
firewall packet-filter default permit interzone trust untrust direction outbound
firewall packet-filter default permit interzone trust dmz direction outbound

Untrust zone users can only reach ICMP and Telnet services in the DMZ zone
policy interzone dmz untrust inbound
 policy 1
  action permit
  policy service service-set icmp
  policy destination 172.16.1.1 0
 policy 2
  action permit
  policy service service-set telnet
  policy destination 172.16.1.1 0         
Display the policy and its match counters:
[huaweiFW]display policy interzone untrust dmz inbound
15:17:51  2015/02/02
policy interzone dmz untrust inbound
 firewall default packet-filter is deny
 policy 1 (2 times matched)
  action permit 
  policy service service-set icmp (predefined)
  policy source any
  policy destination 172.16.1.1 0

 policy 2 (4 times matched)
  action permit 
  policy service service-set telnet (predefined)
  policy source any
  policy destination 172.16.1.1 0

[huaweiFW]   
DMZ zone users can access neither the Untrust zone nor the Trust zone (no extra configuration is needed, because the default deny-all rule above already drops this traffic)

Within the trust zone, only ICMP traffic with source address 192.168.1.0/24 is allowed;
policy zone trust
 policy 1
  action permit
  policy service service-set icmp
  policy source 192.168.1.0 mask 255.255.255.0

 policy 2
  action deny
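To check that the zone defaults and policies above really produce the four requirements from section I, here is an added Python model of the firewall's evaluation order (explicit policy rules first, then the interzone default action); it is written for this article and is not Huawei code. It assumes Huawei's default zone security levels (local 100, trust 85, dmz 50, untrust 5), that intrazone traffic with no matching policy is permitted, and represents service sets by name only.

```python
from ipaddress import ip_address, ip_network

ZONE_PRIORITY = {"local": 100, "trust": 85, "dmz": 50, "untrust": 5}  # Huawei defaults (assumption)

def direction(src_zone, dst_zone):
    """outbound = high-priority zone -> low-priority zone; inbound = the reverse."""
    return "outbound" if ZONE_PRIORITY[src_zone] > ZONE_PRIORITY[dst_zone] else "inbound"

# The "firewall packet-filter default permit interzone X Y direction D" lines from the article;
# every zone pair/direction not listed here falls under "default deny all".
DEFAULT_PERMIT = {
    (frozenset({"local", "trust"}), "inbound"), (frozenset({"local", "trust"}), "outbound"),
    (frozenset({"local", "untrust"}), "outbound"), (frozenset({"local", "dmz"}), "outbound"),
    (frozenset({"trust", "untrust"}), "outbound"), (frozenset({"trust", "dmz"}), "outbound"),
}

# "policy interzone dmz untrust inbound": policy 1 and policy 2 (source any, destination 172.16.1.1).
INTERZONE_RULES = [
    {"zones": frozenset({"dmz", "untrust"}), "dir": "inbound", "service": "icmp",
     "dst": ip_network("172.16.1.1/32"), "action": "permit"},
    {"zones": frozenset({"dmz", "untrust"}), "dir": "inbound", "service": "telnet",
     "dst": ip_network("172.16.1.1/32"), "action": "permit"},
]

# "policy zone trust": policy 1 permits ICMP from 192.168.1.0/24, policy 2 denies everything else.
INTRAZONE_RULES = {
    "trust": [{"service": "icmp", "src": ip_network("192.168.1.0/24"), "action": "permit"},
              {"action": "deny"}],
}

def rule_matches(rule, src, dst, service):
    """A rule matches when every field it specifies matches; an omitted field means 'any'."""
    return (rule.get("service", service) == service
            and src in rule.get("src", ip_network("0.0.0.0/0"))
            and dst in rule.get("dst", ip_network("0.0.0.0/0")))

def evaluate(src_zone, dst_zone, src_ip, dst_ip, service):
    """Return 'permit' or 'deny' for the first packet of a flow, rules before defaults."""
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    if src_zone == dst_zone:
        for rule in INTRAZONE_RULES.get(src_zone, []):
            if rule_matches(rule, src, dst, service):
                return rule["action"]
        return "permit"  # assumption: intrazone traffic is permitted unless a policy denies it
    pair, d = frozenset({src_zone, dst_zone}), direction(src_zone, dst_zone)
    for rule in INTERZONE_RULES:
        if (rule["zones"], rule["dir"]) == (pair, d) and rule_matches(rule, src, dst, service):
            return rule["action"]
    return "permit" if (pair, d) in DEFAULT_PERMIT else "deny"
```

Each of the four requirements can be checked by calling evaluate() with the zone, address and service of a sample flow, for example evaluate("untrust", "dmz", "202.100.1.1", "172.16.1.1", "telnet").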


