
Huawei Firewall Configuration


HCL

admin/admin

  • Configure IP addresses

    • Host: 192.168.56.1
    • Firewall:

[FW]interface GigabitEthernet 1/0/1

[FW-GigabitEthernet1/0/1]ip address 192.168.56.2 24

[FW]interface GigabitEthernet 1/0/2

[FW-GigabitEthernet1/0/2]ip address 10.2.2.1 24

    • Router

[R2]interface GigabitEthernet 0/0

[R2-GigabitEthernet0/0]ip address 10.2.2.2 24

  • Create a security zone

[FW]security-zone name guanli # create the security zone guanli

[FW-security-zone-guanli]import interface GigabitEthernet 1/0/1 # assign the interface to security zone guanli

  • Firewall initialization (open the guanli zone to the firewall's Local zone)

    • Method 1

acl basic 2000

rule 0 permit

zone-pair security source guanli destination Local

packet-filter 2000

    • Method 2

object-group ip address FW

description FW

0 network host address 192.168.56.2

object-group ip address guanli

description guanli

0 network host address 192.168.56.1

object-group service TEST

0 service tcp destination eq 80

10 service tcp destination eq 443

object-policy ip guanli-Local

rule 0 pass source-ip guanli destination-ip FW service TEST logging counting

zone-pair security source guanli destination Local

object-policy apply ip guanli-Local

  • Add routes

    • For the host to reach the router, add (on the host):

route add 10.2.2.0 mask 255.255.255.0 192.168.56.2

    • For the firewall to reach the router, add:

[FW]ip route-static 10.2.2.0 24 10.2.2.1

    • For the router to reach the firewall and the host, add:

[R2]ip route-static 192.168.56.0 24 10.2.2.1

  • Configure the router

[R2]telnet server enable

[R2]ssh server enable

[R2]local-user admin

[R2-luser-manage-admin]service-type telnet ssh

[R2-luser-manage-admin]authorization-attribute user-role network-admin

[R2-luser-manage-admin]password simple admin

[R2-luser-manage-admin]quit

[R2]public-key local create rsa

[R2]user-interface vty 0 4

[R2-line-vty0-4]authentication-mode scheme

  • Firewall policy configuration

    • GUI

Log in at https://192.168.56.2 # the https service must first be added under local-user admin

Then add policies between the guanli, Local and R2 zones according to the services that need to be opened.

    • Command line

Using permit-all between every zone pair as an example:

[FW]zone-pair security source local destination guanli

[FW]packet-filter 2000

[FW]zone-pair security source guanli destination R2

[FW]packet-filter 2000

[FW]zone-pair security source R2 destination guanli

[FW]packet-filter 2000

[FW]zone-pair security source local destination R2

[FW]packet-filter 2000

To restrict specific services, adjust the corresponding packet-filter ACL or object-group/object-policy instead of the permit-all ACL.
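A permit-all ACL like acl basic 2000 is convenient in the lab but easy to leave behind, so a practitioner wants a quick way to see which zone pairs are still wide open. The Python script below is an added example, not part of the original note: it parses a Comware-style running config (assumed layout: sub-commands indented under acl and zone-pair sections, `#` between sections) and reports, per zone pair, whether the packet-filter ACL permits everything, whether an object-policy is applied, or whether no filter is applied at all. The sample config is constructed from the commands on this page plus one SSH-only ACL, and treating a missing or empty ACL as wide open is an assumption made for a conservative audit.

```python
"""Audit a Comware-style (H3C/HCL) firewall configuration for zone pairs that are
wide open, i.e. filtered by a permit-all ACL such as acl basic 2000 above."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample in running-config layout ('#' separates sections).
# It mixes the page's permit-all pairs with one pair restricted to SSH,
# the Method 2 object-policy pair, and one pair with no filter at all.
SAMPLE_CONFIG = """\
acl basic 2000
 rule 0 permit
#
acl advanced 3000
 rule 0 permit tcp destination 10.2.2.0 0.0.0.255 destination-port eq 22
 rule 5 deny ip
#
object-policy ip guanli-Local
 rule 0 pass source-ip guanli destination-ip FW service TEST logging counting
#
zone-pair security source guanli destination Local
 object-policy apply ip guanli-Local
#
zone-pair security source local destination guanli
 packet-filter 2000
#
zone-pair security source guanli destination R2
 packet-filter 3000
#
zone-pair security source R2 destination guanli
 packet-filter 2000
#
zone-pair security source local destination R2
"""

# A permit rule with no match conditions ("rule 0 permit" in a basic ACL,
# "rule 0 permit ip" in an advanced ACL) matches every packet.
PERMIT_ALL_RULE = re.compile(r"^rule \d+ permit(?: ip)?$")


@dataclass
class ZonePair:
    source: str
    destination: str
    packet_filter: Optional[int] = None   # ACL number from "packet-filter N"
    object_policy: Optional[str] = None   # name from "object-policy apply ip NAME"


def parse_config(text: str) -> Tuple[Dict[int, List[str]], List[ZonePair]]:
    """Collect ACL rules and zone-pair filters. Zone names are lower-cased
    because the same zone appears on the page as both 'Local' and 'local'."""
    acls: Dict[int, List[str]] = {}
    pairs: List[ZonePair] = []
    current = None  # ("acl", number) or ("zone-pair", ZonePair) being filled in
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "#":
            current = None
            continue
        m = re.match(r"^acl (?:basic|advanced) (\d+)$", line)
        if m:
            number = int(m.group(1))
            acls.setdefault(number, [])
            current = ("acl", number)
            continue
        m = re.match(r"^zone-pair security source (\S+) destination (\S+)$", line)
        if m:
            pair = ZonePair(m.group(1).lower(), m.group(2).lower())
            pairs.append(pair)
            current = ("zone-pair", pair)
            continue
        if current is None:
            continue
        kind, obj = current
        if kind == "acl" and line.startswith("rule "):
            acls[obj].append(line)
        elif kind == "zone-pair":
            m = re.match(r"^packet-filter (\d+)$", line)
            if m:
                obj.packet_filter = int(m.group(1))
            m = re.match(r"^object-policy apply ip (\S+)$", line)
            if m:
                obj.object_policy = m.group(1)
    return acls, pairs


def is_permit_all(rules: List[str]) -> bool:
    return any(PERMIT_ALL_RULE.match(rule) for rule in rules)


def audit(text: str) -> Dict[Tuple[str, str], str]:
    """Map (source, destination) to a verdict for every zone pair."""
    acls, pairs = parse_config(text)
    report: Dict[Tuple[str, str], str] = {}
    for pair in pairs:
        if pair.packet_filter is not None:
            rules = acls.get(pair.packet_filter, [])
            # Assumption: a missing or empty ACL is reported as wide open, the
            # conservative reading for a packet-filter with nothing to match on.
            verdict = "permit-all" if not rules or is_permit_all(rules) else "restricted"
        elif pair.object_policy is not None:
            verdict = f"object-policy {pair.object_policy}"
        else:
            verdict = "no filter (device default action applies)"
        report[(pair.source, pair.destination)] = verdict
    return report


def wide_open_pairs(text: str) -> List[Tuple[str, str]]:
    """Zone pairs that still pass every packet; the list to fix before leaving the lab."""
    return sorted(k for k, v in audit(text).items() if v == "permit-all")


if __name__ == "__main__":
    for (src, dst), verdict in audit(SAMPLE_CONFIG).items():
        print(f"{src:>7} -> {dst:<7} {verdict}")
```

Run it against the output of `display current-configuration` saved to a file; the pairs reported as permit-all are the ones where the packet-filter should be replaced by a service-specific ACL or by an object-policy such as the guanli-Local one from Method 2.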