Reposted from http://blog.sina.com.cn/s/blog_6989b83a01012f17.html

Access lists are used constantly in network device configuration: access-list on Cisco, rule on Huawei devices. Below are the filtering entries for both platforms.

Cisco (or devices with a Cisco-like CLI)
access-list 101 deny tcp any any eq chargen
access-list 101 deny tcp any any eq echo
access-list 101 deny tcp any any eq 135
access-list 101 deny tcp any any eq 136
access-list 101 deny tcp any any eq 137
access-list 101 deny tcp any any eq 138
access-list 101 deny tcp any any eq 139
access-list 101 deny tcp any any eq 389
access-list 101 deny tcp any any eq 445
access-list 101 deny tcp any any eq 593
access-list 101 deny udp any any eq 135
access-list 101 deny udp any any eq 136
access-list 101 deny udp any any eq netbios-ns
access-list 101 deny udp any any eq netbios-dgm
access-list 101 deny udp any any eq netbios-ss
access-list 101 deny udp any any eq 389
access-list 101 deny udp any any eq 445
access-list 101 deny udp any any eq 593
access-list 101 deny udp any any eq 1433
access-list 101 deny udp any any eq 1434
access-list 101 deny udp any eq 2699 any
access-list 101 deny tcp any any eq 3389
access-list 101 deny tcp any any eq 4444
access-list 101 deny tcp any any eq 9996
access-list 101 deny tcp any any eq 5554
access-list 101 deny tcp any any eq 1068
access-list 101 deny icmp any any
access-list 101 deny 255 any any
access-list 101 deny 0 any any
access-list 101 permit ip any any
H3C (tested only on the Comware platform)
acl number 3001
 rule 10 deny tcp destination-port eq 445
 rule 11 deny udp destination-port eq 445
 rule 20 deny tcp destination-port eq 135
 rule 21 deny udp destination-port eq 135
 rule 30 deny tcp destination-port eq 137
 rule 31 deny udp destination-port eq netbios-ns
 rule 40 deny tcp destination-port eq 138
 rule 41 deny udp destination-port eq netbios-dgm
 rule 50 deny tcp destination-port eq 139
 rule 51 deny udp destination-port eq netbios-ssn
 rule 61 deny udp destination-port eq tftp
 rule 70 deny tcp destination-port eq 593
 rule 80 deny tcp destination-port eq 4444
 rule 90 deny tcp destination-port eq 707
 rule 100 deny tcp destination-port eq 1433
 rule 101 deny udp destination-port eq 1433
 rule 110 deny tcp destination-port eq 1434
 rule 111 deny udp destination-port eq 1434
 rule 120 deny tcp destination-port eq 5554
 rule 130 deny tcp destination-port eq 9996
 rule 141 deny udp source-port eq bootps
 rule 160 permit icmp icmp-type echo
 rule 161 permit icmp icmp-type echo-reply
 rule 162 permit icmp icmp-type ttl-exceeded
 rule 165 deny icmp
 rule 204 deny tcp destination-port eq 3389
 rule 205 permit ip
acl number 3003
 rule 10 deny tcp destination-port eq 445
 rule 11 deny udp destination-port eq 445
 rule 20 deny tcp destination-port eq 135
 rule 21 deny udp destination-port eq 135
 rule 30 deny tcp destination-port eq 137
 rule 31 deny udp destination-port eq netbios-ns
 rule 40 deny tcp destination-port eq 138
 rule 41 deny udp destination-port eq netbios-dgm
 rule 50 deny tcp destination-port eq 139
 rule 51 deny udp destination-port eq netbios-ssn
 rule 61 deny udp destination-port eq tftp
 rule 70 deny tcp destination-port eq 593
 rule 80 deny tcp destination-port eq 4444
 rule 90 deny tcp destination-port eq 707
 rule 100 deny tcp destination-port eq 1433
 rule 101 deny udp destination-port eq 1433
 rule 110 deny tcp destination-port eq 1434
 rule 111 deny udp destination-port eq 1434
 rule 120 deny tcp destination-port eq 5554
 rule 130 deny tcp destination-port eq 9996
 rule 141 deny udp source-port eq bootps
 rule 160 permit icmp icmp-type echo
 rule 161 permit icmp icmp-type echo-reply
 rule 162 permit icmp icmp-type ttl-exceeded
 rule 165 deny icmp
 rule 204 deny tcp destination-port eq 3389
 rule 205 permit ip
The two differ in some details, but the defensive goal is largely the same: blocking the ports used by the "Blaster" (冲击波) worm and its variants, "worm nets", and the like.

As the above shows, devices on Huawei's Comware platform can control ICMP precisely by message type. The same can be done on the Cisco platform:
...
access-list 101 deny icmp any any echo-reply
access-list 101 deny icmp any any echo
access-list 101 deny icmp any any time-exceeded
access-list 101 deny icmp any any
...
After configuring the entries above, always test them to make sure normal network traffic is not affected. For example, some of the entries above will cause file sharing over Samba to fail, and file sharing and RPC on the Windows platform will likewise stop working. These entries are therefore generally applied at the network egress or on WAN links; applying them on internal switches requires modification and testing.
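One way to do part of that testing offline is to evaluate the list against sample packets before it touches an interface. The script below is an added example, not code from the original post or from Cisco or H3C: it parses the numbered access-list syntax used above (only "any" address specs, an optional "eq <port>" on source or destination, and an optional ICMP type keyword are supported), applies first-match semantics with the implicit deny at the end, and checks a few constructed packets. WORM_ACL is an excerpt of the Cisco list above; ICMP_TYPED_ACL is a constructed variant that expresses the per-type ICMP handling of the H3C acl 3001 in Cisco syntax. The packets, port numbers and list numbers used for the checks are constructed for the example.

```python
"""Offline first-match evaluator for Cisco-style extended access-lists.

Added example, not code from the original post: it parses the numbered
'access-list' syntax used above (only 'any' address specs, optional
'eq <port>' on source or destination, optional ICMP type keyword) and
evaluates constructed sample packets, so the effect of a list can be
checked before it is applied to an interface.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

PORT_NAMES = {"chargen": 19, "echo": 7, "netbios-ns": 137,      # IOS service keywords
              "netbios-dgm": 138, "netbios-ss": 139}
ICMP_TYPES = {"echo-reply": 0, "echo": 8, "time-exceeded": 11}  # IOS ICMP type keywords
PROTOCOLS = {"tcp": 6, "udp": 17, "icmp": 1}                    # 'ip' means any protocol


@dataclass(frozen=True)
class Rule:
    action: str                 # "permit" or "deny"
    proto: Optional[int]        # None matches any IP protocol
    src_port: Optional[int]     # None matches any port
    dst_port: Optional[int]
    icmp_type: Optional[int]    # None matches any ICMP type
    text: str                   # original line, reported on a hit


@dataclass(frozen=True)
class Packet:
    proto: int
    src_port: int = 0
    dst_port: int = 0
    icmp_type: int = -1


def _endpoint(tokens: List[str]) -> Tuple[Optional[int], List[str]]:
    """Consume 'any [eq <port>]'; return (port or None, remaining tokens)."""
    if not tokens or tokens[0] != "any":
        raise ValueError("only 'any' address specs are supported: %r" % tokens)
    rest = tokens[1:]
    if len(rest) >= 2 and rest[0] == "eq":
        port = PORT_NAMES[rest[1]] if rest[1] in PORT_NAMES else int(rest[1])
        return port, rest[2:]
    return None, rest


def parse_acl(text: str) -> List[Rule]:
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 5 or tok[0] != "access-list":
            raise ValueError("unrecognised line: %r" % line)
        action, proto_tok = tok[2], tok[3]
        if proto_tok == "ip":
            proto = None
        elif proto_tok in PROTOCOLS:
            proto = PROTOCOLS[proto_tok]
        else:
            proto = int(proto_tok)              # numeric protocol, e.g. 'deny 255 any any'
        src_port, rest = _endpoint(tok[4:])
        dst_port, rest = _endpoint(rest)
        icmp_type = ICMP_TYPES[rest[0]] if proto == 1 and rest else None
        rules.append(Rule(action, proto, src_port, dst_port, icmp_type, line.strip()))
    return rules


def matches(rule: Rule, pkt: Packet) -> bool:
    return ((rule.proto is None or rule.proto == pkt.proto)
            and (rule.src_port is None or rule.src_port == pkt.src_port)
            and (rule.dst_port is None or rule.dst_port == pkt.dst_port)
            and (rule.icmp_type is None or rule.icmp_type == pkt.icmp_type))


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[str]]:
    """First matching entry decides; anything unmatched hits the implicit deny."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.text
    return "deny", None


# Excerpt of the Cisco list above (same syntax, fewer entries).
WORM_ACL = """
access-list 101 deny tcp any any eq chargen
access-list 101 deny tcp any any eq 135
access-list 101 deny tcp any any eq 139
access-list 101 deny tcp any any eq 445
access-list 101 deny udp any any eq netbios-ns
access-list 101 deny udp any eq 2699 any
access-list 101 deny tcp any any eq 3389
access-list 101 deny icmp any any
access-list 101 deny 255 any any
access-list 101 permit ip any any
"""

# Constructed variant (list number 102 is an assumption) mirroring the H3C
# acl 3001 logic in Cisco syntax: keep ping and traceroute replies, drop the
# rest of ICMP. Order matters: the permits must precede 'deny icmp any any'.
ICMP_TYPED_ACL = """
access-list 102 permit icmp any any echo
access-list 102 permit icmp any any echo-reply
access-list 102 permit icmp any any time-exceeded
access-list 102 deny icmp any any
access-list 102 permit ip any any
"""

if __name__ == "__main__":
    rules = parse_acl(WORM_ACL)
    for name, pkt in [("SMB to tcp/445", Packet(6, 51000, 445)),
                      ("HTTPS to tcp/443", Packet(6, 51001, 443)),
                      ("ping", Packet(1, icmp_type=8))]:
        print(name, "->", evaluate(rules, pkt))
```

Running it shows the point made in the paragraph above: the SMB packet is dropped by the tcp/445 entry (so Windows and Samba file sharing fail), ordinary HTTPS reaches the final permit, and with the list as written every ICMP type is dropped, whereas the typed variant lets echo, echo-reply and time-exceeded through and drops everything else.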