
Setting Up the Firewall to Block Specific Websites

As a network administrator, I frequently get reports from users that a certain website hosts malicious programs, with a request that we filter it. Our organization's Internet access goes through a PIX 520 firewall doing NAT, so the question becomes how to restrict access to particular IP addresses on the PIX 520. I wrote this article based on my own practical experience. (The network topology is shown in Figure 1.)
Figure 1
1. Finding the IP address(es) a website resolves to
For example, to block www.ttsou.cn, there are two ways to obtain the IP address the site resolves to. The first is to ping it, as shown below:
C:\>ping www.ttsou.cn

Pinging www.ttsou.cn [58.61.155.44] with 32 bytes of data:

Reply from 58.61.155.44: bytes=32 time=80ms TTL=116
Reply from 58.61.155.44: bytes=32 time=78ms TTL=116
Reply from 58.61.155.44: bytes=32 time=92ms TTL=116
Reply from 58.61.155.44: bytes=32 time=85ms TTL=116

Ping statistics for 58.61.155.44:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 78ms, Maximum = 92ms, Average = 83ms
From this we can see that www.ttsou.cn resolves to 58.61.155.44. This method has a drawback, however: if the site resolves to several IP addresses, ping cannot reveal all of them. We can use nslookup to solve that, as shown below:
C:\>nslookup
Default Server:  ns.jncatv.net
Address:  222.175.169.91

> www.ttsou.cn
Server:  ns.jncatv.net
Address:  222.175.169.91

Non-authoritative answer:
Name:    www.ttsou.cn
Address:  58.61.155.44

> www.sina.com.cn
Server:  ns.jncatv.net
Address:  222.175.169.91

Non-authoritative answer:
Name:    hydra.sina.com.cn
Addresses:  218.30.108.58, 218.30.108.59, 218.30.108.61, 218.30.108.62
          218.30.108.64, 218.30.108.65, 218.30.108.66, 218.30.108.67, 218.30.108.68
          218.30.108.69, 218.30.108.72, 218.30.108.73, 218.30.108.74, 218.30.108.55
          218.30.108.56, 218.30.108.57
Aliases:  www.sina.com.cn, jupiter.sina.com.cn
From these results we can see that www.ttsou.cn indeed maps to a single IP address, whereas a site such as www.sina.com.cn maps to a large number of IP addresses. Every one of those addresses has to be blocked, or the site remains reachable through the rest.
2. Checking the current access-list usage on the PIX 520 firewall
Because we have restricted Telnet access to the PIX 520 so that only the 192.168 subnet can log in via Telnet, we first log in to the layer-3 switch (192.168.3.1) and then telnet from the switch to the firewall. First, look at the current configuration:
telnet 192.168.201.1
Trying 192.168.201.1 ... Open

User Access Verification

Password:
Type help or '?' for a list of available commands.
pixfirewall> en
Password: ******
pixfirewall# show run
: Saved
:
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
(remainder omitted)
For security reasons I won't list the full configuration of the PIX firewall, only the parts relevant to this article. The two lines to focus on are these:
access-group acl_inside in interface outside
access-group acl_inside in interface inside
That is, the access list currently applied is acl_inside. Next, look at how acl_inside is written:
access-list acl_inside deny udp any any eq tftp
access-list acl_inside deny tcp any any eq 135
access-list acl_inside deny udp any any eq 135
access-list acl_inside deny tcp any any eq 137
access-list acl_inside deny udp any any eq netbios-ns
access-list acl_inside deny tcp any any eq 138
access-list acl_inside deny udp any any eq netbios-dgm
access-list acl_inside deny tcp any any eq netbios-ssn
access-list acl_inside deny udp any any eq 139
access-list acl_inside deny tcp any any eq 445
access-list acl_inside deny tcp any any eq 593
access-list acl_inside deny tcp any any eq 4444
access-list acl_inside permit ip any any
access-list acl_inside permit tcp any any eq 1723
access-list acl_inside permit gre any any
From this we can see that the existing access list only restricts the use of certain ports; it does not restrict access to any particular IP address. To be safe, we first need a clear understanding of the access-list syntax, as follows:
pixfirewall(config)# access-list ?
Usage:  [no] access-list compiled
        [no] access-list  compiled
        [no] access-list  deny|permit |object-group| object-group [[] | object-group ]| object-group [[] | object-group ]
        [no] access-list  deny|permit icmp| object-group| object-group [ | object-group ]
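The two steps above, collecting every address a name resolves to (section 1) and inserting host denies ahead of the permit ip any any entry in acl_inside (section 2), as a small Python helper. This is an added example, not code from the article; the deny ip any host form, the resolve_all helper and the sample ACL (built from the article's own entries and addresses) are my assumptions.

```python
import ipaddress
import socket

# Constructed sample: a shortened copy of the article's acl_inside, one entry per line.
SAMPLE_ACL = [
    "access-list acl_inside deny udp any any eq tftp",
    "access-list acl_inside deny tcp any any eq 135",
    "access-list acl_inside deny tcp any any eq 4444",
    "access-list acl_inside permit ip any any",
    "access-list acl_inside permit tcp any any eq 1723",
    "access-list acl_inside permit gre any any",
]


def resolve_all(hostname):
    """Return every IPv4 address a name resolves to, as nslookup lists them;
    ping shows only one. Needs a working resolver (not used by the demo below)."""
    infos = socket.getaddrinfo(hostname, None, socket.AF_INET)
    return sorted({info[4][0] for info in infos}, key=ipaddress.IPv4Address)


def deny_lines(acl_name, addresses):
    """One 'deny ip any host <addr>' entry per address (PIX 6.x syntax, assumed
    here as the form for blocking a destination). A malformed address raises."""
    return [f"access-list {acl_name} deny ip any host {ipaddress.IPv4Address(a)}"
            for a in addresses]


def insert_denies(acl, new_denies):
    """Place the denies before the first 'permit ip any any'. The PIX evaluates an
    access list top-down and stops at the first match, so a deny appended after
    that permit would never be reached."""
    for idx, line in enumerate(acl):
        if line.split()[-4:] == ["permit", "ip", "any", "any"]:
            break
    else:
        raise ValueError("no 'permit ip any any' entry found; nothing to insert before")
    present = set(acl)
    fresh = [d for d in new_denies if d not in present]  # re-running adds nothing twice
    return acl[:idx] + fresh + acl[idx:]


def block_site(acl, acl_name, addresses):
    """Full procedure: addresses from section 1 in, ordered ACL from section 2 out."""
    return insert_denies(acl, deny_lines(acl_name, addresses))


if __name__ == "__main__":
    # Constructed input taken from the article's nslookup output; no DNS needed.
    for entry in block_site(SAMPLE_ACL, "acl_inside", ["58.61.155.44"]):
        print(entry)
```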
