[ 永远的UNIX::UNIX技术资料的宝库 ]

首页 > 网管技术 > 网络设备 > 正文

ISDN路由器的高级设置(下)

来源:本文出自:http://comp.zz.ha.cn/ 作者: 叶扬 (2001-08-17 12:00:00)

封锁非法Web站点


互联网上的网站品质良莠不齐,还有很多非法、反动站点。本例即是讲解如何设置过滤器,以达到封锁非法Web站点的目的。


例如,我们想禁止用户访问XXX.XXX.XX.XXX站点,就可以进行如下设置:


1.首先在Menu 21中建立一个过滤项



Menu 21 - Filter Set Configuration
Filter Filter
Set # Comments Set # Comments
1 Block a Web7 7
2 8
3 9
4 10
5 11
6 12
Enter Filter Set Number to Configure= 0
Edit Comments=
Press ENTER to Confirm or ESC to Cancel:



2.然后在过滤项中建立一条过滤规则



Menu 21.1.1 - TCP/IP Filter Rule
Filter #: 1,1
Filter Type= TCP/IP Filter Rule
Active= Yes
IP Protocol= 0 IP Source Route= No
Destination: IP Addr= XXX.XXX.XX.XXX
IP Mask= 255.255.255.255
Port #=
Port # Comp= None
Source: IP Addr= 0.0.0.0
IP Mask= 0.0.0.0
Port #=
Port # Comp= None
TCP Estab= N/A
More= No Log= None
Action Matched= Drop
Action Not Matched= Forward
Press ENTER to Confirm or ESC to Cancel:



3.最后在Menu 3.1的'Input Filter Set'中激活该过滤项就可以了



Menu 3.1 - General Ethernet Setup
Input Filter Sets:
protocol filters=1
device filters=
Output Filter Sets:
protocol filters=
device filters=



设置防火墙


P100IH具有简单的防火墙功能,通过对数据封包的过滤,可以阻挡来自互联网上黑客的攻击。简单的防火墙的端口设置如下:


· 允许 ARP、ICMP、Ping;


· 允许 TCP、UDP > 1023的传输端口;


· 允许 HTTP、SMTP、MNTP、DNS;


· 阻止其它任何来自于Internet的数据包。


设置过滤器过程如下:


1.在Menu 21中建立一个过滤项



Menu 21 - Filter Set Configuration
Filter Filter
Set # Comments Set # Comments
1 Firewall 7 7
2 8
3 9
4 10
5 11
6 12
Enter Filter Set Number to Configure= 0
 Edit Comments=
Press ENTER to Confirm or ESC to Cancel:



2.分别建立四条过滤规则:Menu 21.1.1,Menu 21.1.2,Menu 21.1.3,……



规则1:允许ICMP(包括Ping)



Menu 21.1.1 - TCP/IP Filter Rule
Filter #: 1,1
Filter Type= TCP/IP Filter Rule
Active= Yes
IP Protocol= 1 IP Source Route= No
Destination: IP Addr= 0.0.0.0
IP Mask= 0.0.0.0
Port #= 0
Port # Comp= None
Source: IP Addr= 0.0.0.0
IP Mask= 0.0.0.0
Port #= 0
Port # Comp= None
TCP Estab= No
More= No Log= None
Action Matched= Forward
Action Not Matched= Check Next Rule
Press ENTER to Confirm or ESC to Cancel:



规则2:允许UDP端口>1023



Menu 21.1.2 - TCP/IP Filter Rule
Filter #: 1,1
Filter Type= TCP/IP Filter Rule
Active= Yes
IP Protocol= 17 IP Source Route= No
Destination: IP Addr= 0.0.0.0
IP Mask= 0.0.0.0
Port #= 1023
Port # Comp= Greater
Source: IP Addr= 0.0.0.0
IP Mask= 0.0.0.0
Port #= 0
Port # Comp= None
TCP Estab= No
More= No Log= None
Action Matched= Forward
Action Not Matched= Check Next Rule
Press ENTER to Confirm or ESC to Cancel:



规则3:允许TCP端口>1023



Menu 21.1.3 - TCP/IP Filter Rule
Filter #: 1,1
Filter Type= TCP/IP Filter Rule
Active= Yes
IP Protocol= 6 IP Source Route= No
Destination: IP Addr= 0.0.0.0
IP Mask= 0.0.0.0
Port #= 1023
Port # Comp= Greater
Source: IP Addr= 0.0.0.0
IP Mask= 0.0.0.0
Port #= 0
Port # Comp= None
TCP Estab= No
More= No Log= None
Action Matched= Forward
Action Not Matched= Check Next Rule
Press ENTER to Confirm or ESC to Cancel:



规则4:允许DNS请求,阻止所有其它的数据封包



Menu 21.1.5 - TCP/IP Filter Rule
Filter #: 1,1
Filter Type= TCP/IP Filter Rule
Active= Yes
IP Protocol= 17 IP Source Route= No
Destination: IP Addr= 0.0.0.0
IP Mask= 0.0.0.0
Port #= 53
Port # Comp= Equal
Source: IP Addr= 0.0.0.0
IP Mask= 0.0.0.0
Port #= 0
Port # Comp= None
TCP Estab= No
More= No Log= None
Action Matched= Forward
Action Not Matched= Drop
Press ENTER to Confirm or ESC to Cancel:



以上4条过滤规则的汇总选单Menu 21,如下所示:


3.最后,在Menu 3.1的'Input Filter Set'中激活该过滤项就可以了



Menu 3.1 - General Ethernet Setup
Input Filter Sets:
protocol filters=1
device filters=
Output Filter Sets:
protocol filters=
device filters=



本文介绍了设置P100IH路由器的方法,读者可以照搬,也可以根据以上方法,灵活运用过滤器这个工具。只有加强对ISDN路由器的管理,才能保证ISDN合法用户的使用权。

(http://www.fanqiang.com)


 
 相关文章

★  感谢所有的作者为我们学习技术知识提供了一条捷径  ★
www.fanqiang.com