
Configuring the Firewall to Block a Specific Website

dn001

For security reasons I will not list the full PIX firewall configuration, only the parts relevant to this article. The two lines to focus on are:

access-group acl_inside in interface outside
access-group acl_inside in interface inside

That is, the access list currently applied is acl_inside. Next, look at how acl_inside is written:

access-list acl_inside deny udp any any eq tftp
access-list acl_inside deny tcp any any eq 135
access-list acl_inside deny udp any any eq 135
access-list acl_inside deny tcp any any eq 137
access-list acl_inside deny udp any any eq netbios-ns
access-list acl_inside deny tcp any any eq 138
access-list acl_inside deny udp any any eq netbios-dgm
access-list acl_inside deny tcp any any eq netbios-ssn
access-list acl_inside deny udp any any eq 139
access-list acl_inside deny tcp any any eq 445
access-list acl_inside deny tcp any any eq 593
access-list acl_inside deny tcp any any eq 4444
access-list acl_inside permit ip any any
access-list acl_inside permit tcp any any eq 1723
access-list acl_inside permit gre any any

From this we can see that the original access list only restricts the use of certain ports and does not restrict access to any particular IP address. To be safe, we should first get a clear understanding of the access-list syntax, as follows:

pixfirewall(config)# access-list ?
Usage:  [no] access-list compiled
[no] access-list  compiled
[no] access-list  deny|permit |object-group

  | object-group 
[  [] | object-group ]
  | object-group 
[  [] | object-group ]
[no] access-list  deny|permit icmp
  | object-group 
  | object-group 
[ | object-group ]

The help output shows, roughly, that the source address is written first and the destination address second, so to restrict access to a specific IP address the entry should be written as: access-list acl_inside deny ip any host 58.61.155.44

III. Specific operation steps

To make sure the PIX520 keeps working normally while the restriction on a specific IP address is added, we should proceed in the following order:

1. Remove the access control list from the inside and outside interfaces

pixfirewall# conf t
pixfirewall(config)# no access-group acl_inside in interface outside
pixfirewall(config)# no access-group acl_inside in interface inside

2. Delete the access list acl_inside

pixfirewall# conf t
pixfirewall(config)# no access-list acl_inside

3. Rewrite the access-list

pixfirewall(config)# access-list acl_inside deny udp any any eq tftp
pixfirewall(config)# access-list acl_inside deny tcp any any eq 135
pixfirewall(config)# access-list acl_inside deny udp any any eq 135
pixfirewall(config)# access-list acl_inside deny tcp any any eq 137
pixfirewall(config)# access-list acl_inside deny udp any any eq netbios-ns
pixfirewall(config)# access-list acl_inside deny tcp any any eq 138
pixfirewall(config)# access-list acl_inside deny udp any any eq netbios-dgm
pixfirewall(config)# access-list acl_inside deny tcp any any eq netbios-ssn
pixfirewall(config)# access-list acl_inside deny udp any any eq 139
pixfirewall(config)# access-list acl_inside deny tcp any any eq 445
pixfirewall(config)# access-list acl_inside deny tcp any any eq 593
pixfirewall(config)# access-list acl_inside deny tcp any any eq 4444
pixfirewall(config)# access-list acl_inside permit tcp any any eq 1723
pixfirewall(config)# access-list acl_inside permit gre any any
pixfirewall(config)# access-list acl_inside deny ip any host 58.61.155.44
pixfirewall(config)# access-list acl_inside permit ip any any

That is, make sure the permit ip any any entry is the very last line.

4. Apply the access list to the inside and outside interfaces

pixfirewall(config)# access-group acl_inside in interface outside
pixfirewall(config)# access-group acl_inside in interface inside

IV. Verify that access to the IP address really is restricted

1. After completing the configuration, first check the running configuration: show run

2. You can verify with the tracert command, as shown below:

C:\>tracert www.ttsou.cn
Tracing route to www.ttsou.cn [58.61.155.44]
over a maximum of 30 hops:
1    <1 ms    <1 ms    <1 ms  10.75.0.1
2     *        *        *     Request timed out.
3     *        *        *     Request timed out.
4     *        *        *     Request timed out.
5     *        *        *     Request timed out.

As the output shows, traffic to www.ttsou.cn gets no further than the layer-3 switch, which confirms that the PIX520 firewall is now successfully blocking access to that site.

Tags: firewall