HUAWEI
For every packet a router has to forward, it first extracts the packet header information and then compares it with the configured rules. Whether the packet is forwarded or discarded depends on the result of that comparison. The key technology used to implement packet filtering is the access control list.
Figure: a router checks each packet against its rule database before forwarding it towards the WAN.
www.huawei.com
An access control list can distinguish between packets and refuse undesired access.
Figure: the Internet, the headquarters of a company with an internal server, and two routers linked over the PSTN.
An IP packet is shown below (the upper-layer protocol carried by IP in the figure is TCP):
  IP header | TCP header | Data
Access control lists are identified by number, and the number range identifies the kind of access control list:
  1-99     standard access control list
  100-199  extended access control list
A standard access control list uses only the source address to decide whether a packet is permitted or denied.
Figure: a router applying a standard access list. Packets from 202.110.10.0/24 can pass.
The command to configure a standard access control list has the following format:
  access-list [normal|special] listnumber { permit | deny } ip-address [ wildcard-mask ]
An extended access control list uses more information from the packet than the source address alone (destination address, protocol, port and so on) to decide whether a packet is permitted or denied.
Figure: a router applying an extended access list. Packets from 202.110.10.0/24 to 179.100.17.10 which use the TCP protocol and access via HTTP can pass.
Configure an extended access list for the TCP/UDP protocols:
  access-list [normal|special] listnumber { permit | deny } { tcp | udp } source-addr [ source-mask ] dest-addr [ dest-mask ] [ operator port1 [ port2 ] ] [log]
Configure an extended access list for the ICMP protocol:
  access-list [normal|special] listnumber { permit | deny } icmp source-addr [ source-mask ] dest-addr dest-mask [ icmp-type [ icmp-code ] ] [log]
Configure an extended access list for other protocols:
  access-list [normal|special] listnumber { permit | deny } protocol source-addr [ source-mask ] dest-addr [ dest-mask ] [log]
  access-list 100 deny icmp 10.1.0.0 0.0.255.255 any host-redirect
The ICMP host unreachable packets from the network segment 10.1.0.0 are not allowed to pass.
  access-list 100 deny tcp 129.9.0.0 0.0.255.255 202.38.160.0 0.0.0.255 eq www log
The rule serial number is 100. Connections from hosts within the network segment 129.9.0.0 to the www port (80) of hosts within the network segment 202.38.160.0 are denied, and any event violating this rule is recorded in a log.
  access-list 102 deny udp 129.9.8.0 0.0.0.255 202.38.160.0 0.0.0.255 gt 128
The rule serial number is 102. Connections from hosts within the network segment 129.9.8.0 to UDP ports (port number greater than 128) of hosts within the network segment 202.38.160.0 are denied.
An access list may be composed of multiple rules, and multiple rules share the same serial number. Conflicting rules are resolved by "depth": the smaller the address range, the higher the priority. Depth is judged by combining the wildcard-mask with the IP address.
  access-list 4 deny 202.38.0.0 0.0.255.255
  access-list 4 permit 202.38.160.1 0.0.0.255
Combining the two rules denies access from the hosts within the large network segment (202.38.0.0) but permits a small number of hosts (202.38.160.0).
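Added here as a worked example (not code from the Huawei slides): a Python model of wildcard-mask matching and the "depth" priority rule, checked against access lists 4 and 100 from these slides. The test packets, the lt/range port operators and the no-match default are assumptions.

```python
import ipaddress

def _ip(addr):
    return int(ipaddress.IPv4Address(addr))

def wildcard_match(addr, base, wildcard):
    # Quidway-style wildcard mask: a 1 bit means "don't care", a 0 bit means
    # the packet's address bit must equal the rule's address bit.
    if base == "any":
        return True
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(addr) & care) == (_ip(base) & care)

def depth(base, wildcard):
    # Depth = number of fixed (0) mask bits; a smaller range is deeper and wins.
    return 0 if base == "any" else 32 - bin(_ip(wildcard)).count("1")

def port_match(op, ports, port):
    # Extended-syntax port operators; eq/gt are on the slides, lt/range assumed.
    if op is None: return True
    if port is None: return False
    if op == "eq": return port == ports[0]
    if op == "gt": return port > ports[0]
    if op == "lt": return port < ports[0]
    return ports[0] <= port <= ports[1]          # range

def rule(action, proto, src, src_mask, dst="any", dst_mask=None, op=None, ports=()):
    # A standard-list rule is an extended rule whose destination is "any".
    return dict(action=action, proto=proto, src=src, src_mask=src_mask,
                dst=dst, dst_mask=dst_mask, op=op, ports=ports)

def evaluate(rules, pkt, default="permit"):
    # Of the rules of one list that match, the deepest wins; ties keep the
    # earlier rule. `default` covers the no-match case (an assumption: the
    # slides do not state it).
    best = None
    for r in rules:
        if (r["proto"] in ("ip", pkt["proto"])
                and wildcard_match(pkt["src"], r["src"], r["src_mask"])
                and wildcard_match(pkt["dst"], r["dst"], r["dst_mask"])
                and port_match(r["op"], r["ports"], pkt.get("dport"))):
            d = depth(r["src"], r["src_mask"]) + depth(r["dst"], r["dst_mask"])
            if best is None or d > best[0]:
                best = (d, r["action"])
    return best[1] if best else default

# The two lists from the slides; packets to test against them are constructed.
ACL4 = [rule("deny", "ip", "202.38.0.0", "0.0.255.255"),
        rule("permit", "ip", "202.38.160.1", "0.0.0.255")]
ACL100 = [rule("deny", "tcp", "129.9.0.0", "0.0.255.255",
               "202.38.160.0", "0.0.0.255", "eq", (80,))]
```

A packet from 202.38.160.77 matches both rules of list 4, and the permit rule wins because its 0.0.0.255 mask fixes 24 bits against 16 for the deny rule.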
To apply an access control list to an interface, use its serial number and specify whether it takes effect in the OUT direction or the IN direction at that interface.
Figure: access control list 101 is applied to interface Ethernet0 and takes effect in the out direction; access control list 3 is applied to interface Serial0 and takes effect in the in direction.
The following steps are basically necessary to configure an access control list:
  1. Enable/disable the firewall (by default, Quidway series routers have the firewall function disabled).
  2. Define the access control list (standard or extended).
  3. Apply the access control list to an interface.
Example: during working hours (8:00 a.m. to 5:00 p.m.) only specified sites can be accessed; at other times, other sites can be accessed as well.
Time range commands:
  timerange { enable | disable }
  settr begin-time end-time [ begin-time end-time ...... ]
  no settr
  show isintr
  show timerange
The log function records firewall operations on a designated host: "logging on" starts the log system; "logging host" configures the relevant attributes, such as the log host address; "show logging" displays the log configuration information.
There are many more log functions. For details, refer to the corresponding configuration manual.
Networking diagram: a company intranet with a PC and an internal specified host, connected to the WAN through the router.
Configuration steps
In actual applications there are the following steps:
  1. Enable/disable the firewall (by default, Quidway series routers have the firewall function disabled).
  2. Define an extended access control list.
  3. Apply the access control list to an interface.
Summary: the principles of packet filtering; the configuration principles of a standard access list; the configuration principles of an extended access list; applying an access control list at a port to implement the firewall function.