国产一级a片免费看高清,亚洲熟女中文字幕在线视频,黄三级高清在线播放,免费黄色视频在线看

打開APP
userphoto
未登錄

開通VIP,暢享免費電子書等14項超值服

開通VIP

首頁

好書

留言交流

下載APP

聯(lián)系客服
使用ACL防病毒 - H3C認證 - 51CTO技術(shù)論壇

使用ACL防病毒

使用ACL防病毒
建議:在配置病毒列表之前
1
確認用戶的業(yè)務(wù)端口與列表的規(guī)則不沖突。
2
確認交換機或者路由器的性能可以承受訪問控制列表的過濾。
Juniper:
create acl acl0 udp DIP any ip-port 69 SIP any ip-port any deny ports any
create acl acl1 tcp DIP any ip-port 113 SIP any ip-port any deny ports any
create acl acl2 udp DIP any ip-port 135 SIP any ip-port any deny ports any
create acl acl3 tcp DIP any ip-port 135 SIP any ip-port any deny ports any
create acl acl4 udp DIP any ip-port 137 SIP any ip-port any deny ports any
create acl acl5 udp DIP any ip-port 138 SIP any ip-port any deny ports any
create acl acl6 tcp DIP any ip-port 139 SIP any ip-port any deny ports any
create acl acl7 udp DIP any ip-port 139 SIP any ip-port any deny ports any
create acl acl8 udp DIP any ip-port 445 SIP any ip-port any deny ports any
create acl acl9 tcp DIP any ip-port 445 SIP any ip-port any deny ports any
create acl acl10 tcp DIP any ip-port 593 SIP any ip-port any deny ports any
create acl acl11 udp DIP any ip-port 593 SIP any ip-port any deny ports any
create acl acl12 tcp DIP any ip-port 1022 SIP any ip-port any deny ports any
create acl acl13 tcp DIP any ip-port 1023 SIP any ip-port any deny ports any
create acl acl14 tcp DIP any ip-port 1025 SIP any ip-port any deny ports any
create acl acl15 tcp DIP any ip-port 1029 SIP any ip-port any deny ports any
create acl acl16 tcp DIP any ip-port 1034 SIP any ip-port 80 deny ports any
create acl acl17 tcp DIP any ip-port 1068 SIP any ip-port any deny ports any
create acl acl18 udp DIP any ip-port 1434 SIP any ip-port any deny ports any
create acl acl19 tcp DIP any ip-port 1871 SIP any ip-port any deny ports any
create acl acl20 tcp DIP any ip-port 2745 SIP any ip-port any deny ports any
create acl acl21 tcp DIP any ip-port 3067 SIP any ip-port any deny ports any
create acl acl22 tcp DIP any ip-port 3127 SIP any ip-port any deny ports any
create acl acl23 tcp DIP any ip-port 3208 SIP any ip-port any deny ports any
create acl acl24 tcp DIP any ip-port 4331 SIP any ip-port any deny ports any
create acl acl25 tcp DIP any ip-port 4334 SIP any ip-port any deny ports any
create acl acl26 tcp DIP any ip-port 4444 SIP any ip-port any deny ports any
create acl acl27 tcp DIP any ip-port any SIP any ip-port 4444 deny ports any
create acl acl28 tcp DIP any ip-port 4510 SIP any ip-port any deny ports any
create acl acl29 tcp DIP any ip-port 4557 SIP any ip-port any deny ports any
create acl acl30 tcp DIP any ip-port 5554 SIP any ip-port any deny ports any
create acl acl31 tcp DIP any ip-port 5800 SIP any ip-port any deny ports any
create acl acl32 tcp DIP any ip-port 5900 SIP any ip-port any deny ports any
create acl acl33 tcp DIP any ip-port 6129 SIP any ip-port any deny ports any
create acl acl34 tcp DIP any ip-port 6667 SIP any ip-port any deny ports any
create acl acl35 tcp DIP any ip-port 9995 SIP any ip-port any deny ports any
create acl acl36 tcp DIP any ip-port 9996 SIP any ip-port any deny ports any
create acl acl37 tcp DIP any ip-port 10080 SIP any ip-port any deny ports any
create acl acl38 tcp DIP any ip-port 20168 SIP any ip-port any deny ports any
H3C:
acl number 3000

rule 1 deny udp destination-port eq 69
rule 2 deny udp destination-port eq 135
rule 3 deny tcp destination-port eq 135
rule 4 deny udp destination-port eq 137
rule 5 deny udp destination-port eq 138
rule 6 deny udp destination-port eq 139
rule 7 deny tcp destination-port eq 139
rule 8 deny udp destination-port eq 445
rule 9 deny tcp destination-port eq 445
rule 10 deny udp destination-port eq 593
rule 11 deny tcp destination-port eq 593
rule 12 deny tcp destination-port eq 1022
rule 13 deny tcp destination-port eq 1023
rule 14 deny tcp destination-port eq 1025
rule 15 deny tcp source-port eq 1034 destination-port eq 80
rule 16 deny tcp destination-port eq 1068
rule 17 permit tcp source any destination 10.1.7.0 0.0.0.255 destination-port eq 1433
rule 18 permit tcp source any destination 10.1.10.0 0.0.0.255 destination-port eq 1433
rule 19 deny tcp destination-port eq 1433
rule 20 deny udp destination-port eq 1434
rule 21 deny tcp destination-port eq 1871
rule 22 deny tcp destination-port eq 2745
rule 23 deny tcp destination-port eq 3127
rule 24 deny tcp destination-port eq 3208
rule 25 deny tcp destination-port eq 4331
rule 26 deny tcp destination-port eq 4334
rule 27 deny tcp destination-port eq 4444
rule 28 deny tcp destination-port eq 4510
rule 29 deny tcp destination-port eq 4557
rule 30 deny tcp destination-port eq 5554
rule 31 deny tcp destination-port eq 5800
rule 32 deny tcp destination-port eq 5900
rule 33 deny tcp destination-port eq 6129
rule 34 deny tcp destination-port eq 6667
rule 35 deny tcp destination-port eq 9995
rule 36 deny tcp destination-port eq 9996
rule 37 deny tcp destination-port eq 10080
rule 38 deny tcp source-port eq 4444 destination-port any

啟用acl(S6616是全局啟用acl,對每個端口生效)

packet-filter ip-group 3000 rule 1
packet-filter ip-group 3000 rule 2
packet-filter ip-group 3000 rule 3
packet-filter ip-group 3000 rule 4
packet-filter ip-group 3000 rule 5
packet-filter ip-group 3000 rule 6
packet-filter ip-group 3000 rule 7
packet-filter ip-group 3000 rule 8
packet-filter ip-group 3000 rule 9
packet-filter ip-group 3000 rule 10
packet-filter ip-group 3000 rule 11
packet-filter ip-group 3000 rule 12
packet-filter ip-group 3000 rule 13
packet-filter ip-group 3000 rule 14
packet-filter ip-group 3000 rule 15
packet-filter ip-group 3000 rule 16
packet-filter ip-group 3000 rule 17
packet-filter ip-group 3000 rule 18
packet-filter ip-group 3000 rule 19
packet-filter ip-group 3000 rule 20
packet-filter ip-group 3000 rule 21
packet-filter ip-group 3000 rule 22
packet-filter ip-group 3000 rule 23
packet-filter ip-group 3000 rule 24
packet-filter ip-group 3000 rule 25
packet-filter ip-group 3000 rule 26
packet-filter ip-group 3000 rule 27
packet-filter ip-group 3000 rule 28
packet-filter ip-group 3000 rule 29
packet-filter ip-group 3000 rule 30
packet-filter ip-group 3000 rule 31
packet-filter ip-group 3000 rule 32
packet-filter ip-group 3000 rule 33
packet-filter ip-group 3000 rule 34
packet-filter ip-group 3000 rule 35
packet-filter ip-group 3000 rule 36
packet-filter ip-group 3000 rule 37
packet-filter ip-group 3000 rule 38






創(chuàng)建acl
acl number 100
ping
rule deny icmp source any destination any
用于控制Blaster蠕蟲的傳播
rule deny udp source any destination any destination-port eq 69
rule deny tcp source any destination any destination-port eq 4444
用于控制沖擊波病毒的掃描和攻擊
rule deny tcp source any destination any destination-port eq 135
rule deny udp source any destination any destination-port eq 135
rule deny udp source any destination any destination-port eq netbios-ns
rule deny udp source any destination any destination-port eq netbios-dgm
rule deny tcp source any destination any destination-port eq 139
rule deny udp source any destination any destination-port eq 139
rule deny tcp source any destination any destination-port eq 445
rule deny udp source any destination any destination-port eq 445
rule deny udp source any destination any destination-port eq 593
rule deny tcp source any destination any destination-port eq 593
用于控制振蕩波的掃描和攻擊
rule deny tcp source any destination any destination-port eq 445
rule deny tcp source any destination any destination-port eq 5554
rule deny tcp source any destination any destination-port eq 9995
rule deny tcp source any destination any destination-port eq 9996
用于控制 Worm_MSBlast.A 蠕蟲的傳播
rule deny udp source any destination any destination-port eq 1434
下面的不出名的病毒端口號
(可以不作)
rule deny tcp source any destination any destination-port eq 1068
rule deny tcp source any destination any destination-port eq 5800
rule deny tcp source any destination any destination-port eq 5900
rule deny tcp source any destination any destination-port eq 10080
rule deny tcp source any destination any destination-port eq 455
rule deny udp source any destination any destination-port eq 455
rule deny tcp source any destination any destination-port eq 3208
rule deny tcp source any destination any destination-port eq 1871
rule deny tcp source any destination any destination-port eq 4510
rule deny udp source any destination any destination-port eq 4334
rule deny tcp source any destination any destination-port eq 4331
rule deny tcp source any destination any destination-port eq 4557
然后下發(fā)配置
packet-filter ip-group 100
目的:針對目前網(wǎng)上出現(xiàn)的問題,對目的是端口號為1434UDP報文進行過濾的配置方法,詳細和復(fù)雜的配置請看配置手冊。

NE80的配置:
NE80(config)#rule-map r1 udp any any eq 1434
//r1role-map的名字,udp 為關(guān)鍵字,any any 所有源、目的IP,eq為等于,1434udp端口號
NE80(config)#acl a1 r1 deny
//a1acl的名字,r1為要綁定的rule-map的名字,
NE80(config-if-Ethernet1/0/0)#access-group acl a1
//1/0/0接口上綁定acl,acl為關(guān)鍵字,a1acl的名字
NE16的配置:
NE16-4(config)#firewall enable all
//首先啟動防火墻
NE16-4(config)#access-list 101 deny udp any any eq 1434
//deny為禁止的關(guān)鍵字,針對udp報文,any any 為所有源、目的IPeq為等于, 1434udp端口號
NE16-4(config-if-Ethernet2/2/0)#ip access-group 101 in
//在接口上啟用access-list,in表示進來的報文,也可以用out表示出去的報文
中低端路由器的配置
[Router]firewall enable
[Router]acl 101
[Router-acl-101]rule deny udp source any destion any destination-port eq 1434
[Router-Ethernet0]firewall packet-filter 101 inbound
6506產(chǎn)品的配置:
舊命令行配置如下:
6506(config)#acl extended aaa deny protocol udp any any eq 1434
6506(config-if-Ethernet5/0/1)#access-group aaa
國際化新命令行配置如下:
[Quidway]acl number 100
[Quidway-acl-adv-100]rule deny udp source any destination any destination-port eq 1434
[Quidway-acl-adv-100]quit
[Quidway]interface ethernet 5/0/1
[Quidway-Ethernet5/0/1]packet-filter inbound ip-group 100 not-care-for-interface

5516產(chǎn)品的配置:
舊命令行配置如下:
5516(config)#rule-map l3 aaa protocol-type udp ingress any egress any eq 1434
5516(config)#flow-action fff deny
5516(config)#acl bbb aaa fff
5516(config)#access-group bbb
國際化新命令行配置如下:
[Quidway]acl num 100
[Quidway-acl-adv-100]rule deny udp source any destination any destination-port eq 1434
[Quidway]packet-filter ip-group 100

3526產(chǎn)品的配置:
舊命令行配置如下:
rule-map l3 r1 0.0.0.0 0.0.0.0 1.1.0.0 255.255.0.0 eq 1434
flow-action f1 deny
acl acl1 r1 f1
access-group acl1
國際化新命令配置如下:
acl number 100
rule 0 deny udp source 0.0.0.0 0 source-port eq 1434 destination 1.1.0.0 0
packet-filter ip-group 101 rule 0
注:3526產(chǎn)品只能配置外網(wǎng)對內(nèi)網(wǎng)的過濾規(guī)則,其中1.1.0.0 255.255.0.0是內(nèi)網(wǎng)的地址段。

8016產(chǎn)品的配置:
舊命令行配置如下:
8016(config)#rule-map intervlan aaa udp any any eq 1434
8016(config)#acl bbb aaa deny
8016(config)#access-group acl bbb vlan 10 port all
國際化新命令行配置如下:
8016(config)#rule-map intervlan aaa udp any any eq 1434
8016(config)#eacl bbb aaa deny
8016(config)#access-group eacl bbb vlan 10 port all
本站僅提供存儲服務(wù),所有內(nèi)容均由用戶發(fā)布,如發(fā)現(xiàn)有害或侵權(quán)內(nèi)容,請點擊舉報。
打開APP,閱讀全文并永久保存 查看更多類似文章
猜你喜歡
類似文章
H3C 的路由器配置命令詳解
華為交換機各種配置實例(1)
Quidway S6500系列交換機防病毒配置方案模板|中國IT實驗室
思科|華為:ACL基本命令配置
交換機某個端口如何限制dhcp報文?王海軍老師告訴你
H3C S5500 vlan間訪問控制
更多類似文章 >>
生活服務(wù)
分享 收藏 導(dǎo)長圖 關(guān)注 下載文章
綁定賬號成功
后續(xù)可登錄賬號暢享VIP特權(quán)!
如果VIP功能使用有故障,
可點擊這里聯(lián)系客服!

聯(lián)系客服