
Firewall configuration settings (防火墙设置内容.doc)

Uploaded by: fmgc7290  Document ID: 4369584  Upload date: 2018-12-25  Format: DOC  Pages: 30  Size: 607KB

https://219.145.108.250/ superman talent

2、Running information

helpmode chinese
system time set timezone +8
system devname set TopsecOS
network start
network reset
ID 7000 network attribute add name eth0
ID 7001 network attribute add name eth1
ID 7002 network attribute add name eth2
ID 7003 network attribute add name eth3
ID 7004 network attribute add name eth4
ID 7005 network attribute add name eth5
ID 7006 network attribute add name eth6
ID 7007 network attribute add name eth7
ID 7008 network attribute add name adsl
ID 7009 network attribute add name ipsec0
ID 7010 network attribute add name ipsec1
ID 7011 network attribute add name ipsec2
ID 7012 network attribute add name ipsec3
ID 7013 network attribute add name wan
ID 7014 network attribute add name lan
ID 7015 network attribute add name ssn
ID 7016 network attribute add name ppp
ID 7017 network attribute add name l2tp
ID 7018 network attribute add name pptp
ID 7019 network attribute add name bond0
ID 7020 network attribute add name bond1
ID 7021 network attribute add name bond2
ID 7022 network attribute add name bond3
network interface eth0 description intranet
network interface eth0 mtu 1500
network interface eth0 ip add 192.168.1.254 mask 255.255.255.0 label 0
network interface eth0 speed auto
network interface eth0 duplex auto
network interface eth0 no switchport
network interface eth0 switchport mode access
network interface eth0 switchport trunk encapsulation dot1q
network interface eth0 switchport trunk native-vlan 1
network interface eth0 switchport access-vlan 1
network interface eth0 switchport trunk allowed-vlan 1-1000
network interface eth0 ha-metric 0
network interface eth0 attribute add eth0
network interface eth0 mss-adjust off
network interface eth0 mode-set ips
network interface eth0 reverse-path off
network interface eth0 gratuitous-arp-interval 0
network interface eth0 vsid 0
network interface eth0 vrid 0
network interface eth0 no shutdown
network interface eth1 description T0-彬县内网
network interface eth1 mtu 1500
network interface eth1 ip add 10.61.120.254 mask 255.255.255.0 label 0
network interface eth1 speed auto
network interface eth1 duplex auto
network interface eth1 no switchport
network interface eth1 switchport mode access
network interface eth1 switchport trunk encapsulation dot1q
network interface eth1 switchport trunk native-vlan 1
network interface eth1 switchport access-vlan 1
network interface eth1 switchport trunk allowed-vlan 1-1000
network interface eth1 ha-metric 0
network interface eth1 attribute add eth1
network interface eth1 mss-adjust off
network interface eth1 mode-set ips
network interface eth1 reverse-path off
network interface eth1 gratuitous-arp-interval 0
network interface eth1 vsid 0
network interface eth1 vrid 0
network interface eth1 no shutdown
network interface eth2 description TO-市局
network interface eth2 mtu 1500
network interface eth2 ip add 172.16.1.1 mask 255.255.255.0 label 0
network interface eth2 speed auto
network interface eth2 duplex auto
network interface eth2 no switchport
network interface eth2 switchport mode access
network interface eth2 switchport trunk encapsulation dot1q
network interface eth2 switchport trunk native-vlan 1
network interface eth2 switchport access-vlan 1
network interface eth2 switchport trunk allowed-vlan 1-1000
network interface eth2 ha-metric 0
network interface eth2 attribute add eth2
network interface eth2 mss-adjust off
network interface eth2 mode-set ips
network interface eth2 reverse-path off
network interface eth2 gratuitous-arp-interval 0
network interface eth2 vsid 0
network interface eth2 vrid 0
network interface eth2 no shutdown
network interface eth3 description TO-INTERNET
network interface eth3 mtu 1500
network interface eth3 ip add 219.145.108.250 mask 255.255.255.252 label 0
network interface eth3 speed auto
network interface eth3 duplex auto
network interface eth3 no switchport
network interface eth3 switchport mode access
network interface eth3 switchport trunk encapsulation dot1q
network interface eth3 switchport trunk native-vlan 1
network interface eth3 switchport access-vlan 1
network interface eth3 switchport trunk allowed-vlan 1-1000
network interface eth3 ha-metric 0
network interface eth3 attribute add eth3
network interface eth3 mss-adjust off
network interface eth3 mode-set ips
network interface eth3 reverse-path off
network interface eth3 gratuitous-arp-interval 0
network interface eth3 vsid 0
network interface eth3 vrid 0
network interface eth3 no shutdown
network interface eth4 mtu 1500
network interface eth4 speed auto
network interface eth4 duplex auto
network interface eth4 no switchport
network interface eth4 switchport mode access
network interface eth4 switchport trunk encapsulation dot1q
network interface eth4 switchport trunk native-vlan 1
network interface eth4 switchport access-vlan 1
network interface eth4 switchport trunk allowed-vlan 1-1000
network interface eth4 ha-metric 0
network interface eth4 attribute add eth4
network interface eth4 mss-adjust off
network interface eth4 mode-set ips
network interface eth4 reverse-path off
network interface eth4 gratuitous-arp-interval 0
network interface eth4 vsid 0
network interface eth4 vrid 0
network interface eth4 no shutdown
network interface eth5 mtu 1500
network interface eth5 speed auto
network interface eth5 duplex auto
network interface eth5 no switchport
network interface eth5 switchport mode access
network interface eth5 switchport trunk encapsulation dot1q
network interface eth5 switchport trunk native-vlan 1
network interface eth5 switchport access-vlan 1
network interface eth5 switchport trunk allowed-vlan 1-1000
network interface eth5 ha-metric 0
network interface eth5 attribute add eth5
network interface eth5 mss-adjust off
network interface eth5 mode-set ips
network interface eth5 reverse-path off
network interface eth5 gratuitous-arp-interval 0
network interface eth5 vsid 0
network interface eth5 vrid 0
network interface eth5 no shutdown
network interface eth6 mtu 1500
network interface eth6 speed auto
network interface eth6 duplex auto
network interface eth6 no switchport
network interface eth6 switchport mode access
network interface eth6 switchport trunk encapsulation dot1q
network interface eth6 switchport trunk native-vlan 1
network interface eth6 switchport access-vlan 1
network interface eth6 switchport trunk allowed-vlan 1-1000
network interface eth6 ha-metric 0
network interface eth6 attribute add eth6
network interface eth6 mss-adjust off
network interface eth6 mode-set ips
network interface eth6 reverse-path off
network interface eth6 gratuitous-arp-interval 0
network interface eth6 vsid 0
network interface eth6 vrid 0
network interface eth6 no shutdown
network interface eth7 mtu 1500
network interface eth7 speed auto
network interface eth7 duplex auto
network interface eth7 no switchport
network interface eth7 switchport mode access
network interface eth7 switchport trunk encapsulation dot1q
network interface eth7 switchport trunk native-vlan 1
network interface eth7 switchport access-vlan 1
network interface eth7 switchport trunk allowed-vlan 1-1000
network interface eth7 ha-metric 0
network interface eth7 attribute add eth7
network interface eth7 mss-adjust off
network interface eth7 mode-set ips
network interface eth7 reverse-path off
network interface eth7 gratuitous-arp-interval 0
network interface eth7 vsid 0
network interface eth7 vrid 0
network interface eth7 no shutdown
network spantree set mode off
network cdp_neighbors set cdpthru on
network mpls handle off
network session timeout default
network session protocol default
network session icmp-redirect off
network session tcp-reset off
network session session-integrity on
network session only-syn-create on
network session packet-checksum off
network session syn-reset off
network session log-op delete on
network session log-op create off
network session log-op statistics off
network session quota tcp 0
network session quota udp 0
network session quota other 0
network session count off
network session count interval 5
network port-statistic off
network port-statistic set port1 80 port2 8080 port3 20 port4 21 port5 110 port6 25
network port-statistic set statistic 1800
network port-statistic set send 1
network arp limit off
network route add dst 192.168.1.0/24 gw 172.16.1.2 metric 1 id 102
network route add dst 10.61.112.0/24 gw 172.16.1.2 metric 1 id 103
network route add dst 10.0.0.0/8 gw 172.16.1.2 metric 1 id 101
network route add dst 0.0.0.0/0 gw 219.145.108.249 metric 1 id 100
network route intelligent-opt off
system authset setdefault
system authset authfail set maxnum 5
system authset usermaxlogin set maxnum 10
system authset maxonlineadm set maxnum 5
system authset managermaxlogin set maxnum 5
system authset faillock set time 60
system authset passwd-type set type cipher
system authset timeout set num 100
aaa config reset
aaa auth-map modify server cert mapping-type default status valid
system top-policy set-ip ip 0.0.0.0 notify-port 2010 policy-port 2010 type master local no
system top-policy set-ip ip 0.0.0.0 notify-port 2010 policy-port 2010 type slave local no
network mroute clean
network dns clear
network suitstate disable
ID 8002 define area add name area_eth0 attribute eth0 access on vsid 0
ID 8028 define area add name 外网 attribute eth3 access on vsid 0
ID 8029 define area add name 市局 attribute eth2 access on vsid 0
ID 8030 define area add name 彬县 attribute eth1 access on vsid 0
ID 8001 define range add name any ip1 0.0.0.0 ip2 255.255.255.255 vsid 0
qos config clean
dpi ar im-account set type msn account default-access deny
dpi ar im-account set type qq account default-access deny
dpi ar statistics type ip set srcip 0.0.0.0
dpi policy clean
ID 8020 dpi policy add net 0.0.0.0 mask 0.0.0.0 protocol tcp port 21 name ftp enable yes
ID 8021 dpi policy add net 0.0.0.0 mask 0.0.0.0 protocol tcp port 25 name smtp enable yes
ID 8022 dpi policy add net 0.0.0.0 mask 0.0.0.0 protocol udp port 69 name tftp enable yes
ID 8023 dpi policy add net 0.0.0.0 mask 0.0.0.0 protocol tcp port 80 name http enable yes
ID 8024 dpi policy add net 0.0.0.0 mask 0.0.0.0 protocol tcp port 110 name pop3 enable yes
ID 8025 dpi policy add net 0.0.0.0 mask 0.0.0.0 protocol tcp port 1521 name sqlnet enable yes
ID 8026 dpi policy add net 0.0.0.0 mask 0.0.0.0 protocol tcp port 23 name telnet enable yes
dpi max-connection set 60000
ID 8037 nat policy add srcarea 彬县 dstarea 外网 trans_src eth3 vsid 0
firewall enhancement switch overlap-exam off accelerate off
log log set ipaddr 192.168.1.253 port UDP:514 logtype syslog trans disable
log log log_key set
log log log_crypt disable
log log type_set add none
log log level_set 0
ids clean
ids attack clear
ids source-check off
ids white-list-check off
ids sessions set 3
ids list-expire-time set 30
ids packet set 0
ids max-source set 10000
ids max-destination set 5000
ids expire-time set 60
ids log on
pf service log off
ID 8010 pf service add name gui area area_eth0 addressname any
ID 8012 pf service add name update area area_eth0 addressname any
ID 8013 pf service add name ping area area_eth0 addressname any
ID 8014 pf service add name webui area area_eth0 addressname any
ID 8031 pf service add name webui area 外网 addressname any
ID 8032 pf service add name ping area 外网 addressname any
ID 8033 pf service add name webui area 市局 addressname any
ID 8034 pf service add name ping area 市局 addressname any
ID 8035 pf service add name webui area 彬县 addressname any
ID 8036 pf service add name ping area 彬县 addressname any
ID 8039 pf service add name telnet area 外网 addressname any
pf idbprule log off
pf idbprule drop-log off
pf rule set default action accept log no
pki clean
pki usb set uktype none
pki remoteauth disable proto ldap
pki remoteauth disable proto ocsp
pki cacert crltimer interval 86400
vpn ifbind clean
vpn localnet clear
vpn localnet add ip 112.107.105.32 mask 117.115.98.32
vpn localnet add ip 115.101.116.32 mask 117.107.116.121
vpn localnet add ip 112.101.32.110 mask 111.110.101.32
vpn localnet add ip 10.112.107.105 mask 32.114.101.109
vpn localnet add ip 111.116.101.97 mask 117.116.104.32
vpn localnet add ip 100.105.115.97 mask 98.108.101.32
vpn localnet add ip 112.114.111.116 mask 111.32.108.100
vpn localnet add ip 97.112.10.112 mask 107.105.32.114
vpn localnet add ip 101.109.111.116 mask 101.97.117.116
vpn localnet add ip 104.32.100.105 mask 115.97.98.108
vpn vdc timer set notify_timer 15 down_policy_timer 15 syn_tunnel_timer 20 resolv_name_timer 60
vpn vdc setup-rate set max 20
vpn device-priority set priority 0
vpn tunnel clean
vpn vrc clean
vpn vrc config set auth_mode local check_time 30 expired_time 120 timeout 60 dhcp-pool - dhcp-if - dns1 0.0.0.0 dns2 0.0.0.0 wins1 0.0.0.0 wins2 0.0.0.0 max_authnum 20 vip_control off fw-control off version-control off version standard
vpn vrc cert_access set acc off control off cn on mail off
vpn ddns clean
vpn vroute clean
vpn ipsec-config reset
ha clean
ha mode as
ha as-vrid 100
ha gratuitous-arp 90
ha hello-interval 1
ha rtosync ack disable
ha rtosync ack time-out 10
ha rtosync ack resend-count 2
ha rtconfig-sync disable
ha disable
network probeha stop
network pptp set port 1723
dpi global mail-warning subject
dpi global mail-warning body
system telnetd start
system httpd start
system monitord stop
system probe-time set 10
system probe-server-time set 3
system probe-package set 1
system webui idle-timeout 180
system webui ssl-verify-client no
system webui max-client 5
system netflow set ipaddr 4.3.2.1
system netflow set port udp:9991
system netflow set transfer disable
system config implement
