Archiver of the 315安全网 forum community

Posted by 天若づ有情 on 2006-12-9 13:46

access-list (Cisco) or rule (used on Huawei devices) entries commonly used in network device configuration

Access lists or rules (the latter used on Huawei devices) that are commonly used in network device configuration

Cisco (or devices with a Cisco-like CLI)
access-list 101 deny   tcp any any eq chargen
access-list 101 deny   tcp any any eq echo
access-list 101 deny   tcp any any eq 135
access-list 101 deny   tcp any any eq 136
access-list 101 deny   tcp any any eq 137
access-list 101 deny   tcp any any eq 138
access-list 101 deny   tcp any any eq 139
access-list 101 deny   tcp any any eq 389
access-list 101 deny   tcp any any eq 445
access-list 101 deny   tcp any any eq 593
access-list 101 deny   udp any any eq 135
access-list 101 deny   udp any any eq 136
access-list 101 deny   udp any any eq netbios-ns
access-list 101 deny   udp any any eq netbios-dgm
access-list 101 deny   udp any any eq netbios-ss
access-list 101 deny   udp any any eq 389
access-list 101 deny   udp any any eq 445
access-list 101 deny   udp any any eq 593
access-list 101 deny   udp any any eq 1433
access-list 101 deny   udp any any eq 1434
access-list 101 deny   udp any eq 2699 any
access-list 101 deny   tcp any any eq 3389
access-list 101 deny   tcp any any eq 4444
access-list 101 deny   tcp any any eq 9996
access-list 101 deny   tcp any any eq 5554
access-list 101 deny   tcp any any eq 1068
access-list 101 deny   icmp any any
access-list 101 deny   255 any any
access-list 101 deny   0 any any
access-list 101 permit ip any any


H3C (only tested on the ComWare platform)
acl number 3001
rule 10 deny tcp destination-port eq 445
rule 11 deny udp destination-port eq 445
rule 20 deny tcp destination-port eq 135
rule 21 deny udp destination-port eq 135
rule 30 deny tcp destination-port eq 137
rule 31 deny udp destination-port eq netbios-ns
rule 40 deny tcp destination-port eq 138
rule 41 deny udp destination-port eq netbios-dgm
rule 50 deny tcp destination-port eq 139
rule 51 deny udp destination-port eq netbios-ssn
rule 61 deny udp destination-port eq tftp
rule 70 deny tcp destination-port eq 593
rule 80 deny tcp destination-port eq 4444
rule 90 deny tcp destination-port eq 707
rule 100 deny tcp destination-port eq 1433
rule 101 deny udp destination-port eq 1433
rule 110 deny tcp destination-port eq 1434
rule 111 deny udp destination-port eq 1434
rule 120 deny tcp destination-port eq 5554
rule 130 deny tcp destination-port eq 9996
rule 141 deny udp source-port eq bootps
rule 160 permit icmp icmp-type echo
rule 161 permit icmp icmp-type echo-reply
rule 162 permit icmp icmp-type ttl-exceeded
rule 165 deny icmp
rule 204 deny tcp destination-port eq 3389
rule 205 permit ip
acl number 3003
rule 10 deny tcp destination-port eq 445
rule 11 deny udp destination-port eq 445
rule 20 deny tcp destination-port eq 135
rule 21 deny udp destination-port eq 135
rule 30 deny tcp destination-port eq 137
rule 31 deny udp destination-port eq netbios-ns
rule 40 deny tcp destination-port eq 138
rule 41 deny udp destination-port eq netbios-dgm
rule 50 deny tcp destination-port eq 139
rule 51 deny udp destination-port eq netbios-ssn
rule 61 deny udp destination-port eq tftp
rule 70 deny tcp destination-port eq 593
rule 80 deny tcp destination-port eq 4444
rule 90 deny tcp destination-port eq 707
rule 100 deny tcp destination-port eq 1433
rule 101 deny udp destination-port eq 1433
rule 110 deny tcp destination-port eq 1434
rule 111 deny udp destination-port eq 1434
rule 120 deny tcp destination-port eq 5554
rule 130 deny tcp destination-port eq 9996
rule 141 deny udp source-port eq bootps
rule 160 permit icmp icmp-type echo
rule 161 permit icmp icmp-type echo-reply
rule 162 permit icmp icmp-type ttl-exceeded
rule 165 deny icmp
rule 204 deny tcp destination-port eq 3389
rule 205 permit ip

The two differ in some details, but the defensive targets are largely the same. These targets include "Blaster" (冲击波) and its variants, "worm networks" (蠕虫网), and so on.
As you can see above, devices on Huawei's ComWare platform can control ICMP precisely! The same can also be done on the Cisco platform:
...
access-list 101 deny   icmp any any echo-reply
access-list 101 deny   icmp any any echo
access-list 101 deny   icmp any any time-exceeded
access-list 101 deny   icmp any any
...

After configuring the entries above, you must test to make sure normal network services are not affected. For example, some of the entries above will cause your Samba file sharing to fail; likewise, file sharing and RPC on the Windows platform will no longer work. So these entries are generally applied at the network egress or on the WAN, and for use on switches inside the network they need to be modified and tested.


If anyone has other good entries, please add them!
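The following is an added example, not part of the post above and not a vendor tool: a small Python first-match evaluator for the IOS-style extended access-list entries quoted in the post. It is meant for the testing step the post insists on, so you can see which flows an ACL will drop (SMB 445, RPC 135, ICMP) and which it will pass before the list goes onto a production interface. The port and ICMP-type name tables, the implicit deny at the end of an IOS ACL, and the sample flows are this example's own assumptions; the second list (ACL_ICMP) is my rendering of the ComWare acl 3001 ICMP ordering (permit echo, echo-reply and TTL-exceeded, then deny the rest) in IOS syntax, not the snippet from the post.

```python
"""Added example: first-match evaluator for IOS-style extended ACL entries.
Only the keywords used in the forum post are supported; everything else here
(name tables, sample flows, ACL_ICMP ordering) is an assumption of this example."""

# Assumed name-to-number tables for the keywords that appear in the post.
PORT_NAMES = {"chargen": 19, "echo": 7, "netbios-ns": 137,
              "netbios-dgm": 138, "netbios-ss": 139}
ICMP_TYPES = {"echo-reply": 0, "echo": 8, "time-exceeded": 11}
PROTO_NUMS = {"tcp": 6, "udp": 17, "icmp": 1}


def _port(tok):
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def _proto(tok):
    if tok == "ip":          # 'ip' matches every protocol
        return None
    return PROTO_NUMS[tok] if tok in PROTO_NUMS else int(tok)   # e.g. '255', '0'


def parse_ace(line):
    """Parse 'access-list N {permit|deny} proto any [eq p] any [eq p] [icmp-type]'.
    Only 'any' addresses are handled, which is all the post uses."""
    toks = line.split()
    if len(toks) < 6 or toks[0] != "access-list" or toks[2] not in ("permit", "deny"):
        raise ValueError(f"unsupported entry: {line}")
    ace = {"action": toks[2], "proto": _proto(toks[3]),
           "sport": None, "dport": None, "icmp_type": None}
    rest = toks[4:]
    for key in ("sport", "dport"):       # source block, then destination block
        if not rest or rest[0] != "any":
            raise ValueError(f"only 'any' addresses supported: {line}")
        rest = rest[1:]
        if rest[:1] == ["eq"]:
            ace[key] = _port(rest[1])
            rest = rest[2:]
    if rest:                             # trailing ICMP type keyword
        ace["icmp_type"] = ICMP_TYPES[rest[0]]
    return ace


def parse_acl(text):
    return [parse_ace(line) for line in text.strip().splitlines()]


def evaluate(acl, pkt):
    """Return (action, 1-based entry index) of the first matching entry.
    An IOS ACL ends with an implicit deny, reported as index None."""
    for idx, ace in enumerate(acl, 1):
        if all(ace[k] is None or ace[k] == pkt.get(k)
               for k in ("proto", "sport", "dport", "icmp_type")):
            return ace["action"], idx
    return "deny", None


# Constructed subset of the post's access-list 101.
ACL_101 = parse_acl("""
access-list 101 deny   tcp any any eq 135
access-list 101 deny   tcp any any eq 445
access-list 101 deny   udp any any eq netbios-ns
access-list 101 deny   udp any eq 2699 any
access-list 101 deny   tcp any any eq 3389
access-list 101 deny   icmp any any
access-list 101 deny   255 any any
access-list 101 permit ip any any
""")

# The ComWare acl 3001 ICMP ordering in IOS syntax (my adaptation, not the post's).
ACL_ICMP = parse_acl("""
access-list 102 permit icmp any any echo-reply
access-list 102 permit icmp any any echo
access-list 102 permit icmp any any time-exceeded
access-list 102 deny   icmp any any
access-list 102 permit ip any any
""")

# Constructed flows: the ones the post warns will break, plus normal traffic.
FLOWS = {
    "smb-445":        {"proto": 6, "dport": 445},      # Windows/Samba file sharing
    "rpc-135":        {"proto": 6, "dport": 135},      # MS-RPC endpoint mapper
    "https-443":      {"proto": 6, "dport": 443},
    "dns-53":         {"proto": 17, "dport": 53},
    "udp-from-2699":  {"proto": 17, "sport": 2699, "dport": 40000},
    "ping-request":   {"proto": 1, "icmp_type": 8},
    "unreachable":    {"proto": 1, "icmp_type": 3},
    "traceroute-ttl": {"proto": 1, "icmp_type": 11},
}


def check_flows(acl, flows=FLOWS):
    """Map each flow name to the action the ACL takes on it."""
    return {name: evaluate(acl, pkt)[0] for name, pkt in flows.items()}


if __name__ == "__main__":
    for name, pkt in FLOWS.items():
        print(f"{name:15s} acl101={evaluate(ACL_101, pkt)}  acl_icmp={evaluate(ACL_ICMP, pkt)}")
```

Run it and compare the two columns: under the post's list every ICMP flow, including ping replies and the TTL-exceeded messages traceroute depends on, is dropped at entry 6, while the ComWare-style ordering lets those three types through and only drops the rest. Order matters because the first match wins, so a broad "deny icmp" placed before the specific permits would silently swallow them.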
