Category: Networking and Security
2009-02-23 22:00:20
Here's what we're using at the moment:
time-range off-work-time1 00:00 to 07:30 daily
time-range off-work-time2 17:01 to 24:00 daily
acl number 3002
description discarding unnecessary packets
rule 10 permit ip time-range off-work-time1
rule 11 permit ip time-range off-work-time2
rule 12 permit udp destination-port eq dns
rule 13 permit tcp destination-port eq www
rule 14 permit tcp destination-port eq 443
rule 15 permit tcp destination-port eq ftp
rule 16 permit tcp destination-port eq pop3
rule 17 permit tcp destination-port eq smtp
rule 18 permit udp destination-port eq 8000
rule 19 permit tcp destination-port eq 1863
rule 20 permit tcp destination-port eq domain
rule 21 permit tcp destination-port eq 5000
rule 30 permit icmp
rule 31 permit tcp destination-port eq telnet
rule 50 deny ip
Interface Ethernet 0/2
firewall packet-filter 3002 outbound
Here I defined two time ranges, 00:00-07:30 and 17:01-24:00, and BT and Xunlei (Thunder) are left unrestricted inside them. In practice it works very well: Xunlei, BT and eMule basically can't connect to any resource. The drawback is that when something special is needed, such as stock-trading software or an online game, you have to capture packets to find the destination port and then add a new rule to ACL 3002 each time.
This is what I'm using now:
acl number 3002
description discarding unnecessary packets
rule 0 permit ip source 192.168.0.14 0
rule 1 permit ip source 192.168.0.97 0
rule 2 permit ip source 192.168.0.95 0
rule 3 permit ip source 192.168.0.9 0
rule 4 permit ip source 192.168.0.2 0
rule 5 permit ip source 192.168.0.118 0
rule 6 permit ip source 192.168.0.68 0
rule 7 permit ip source 192.168.0.8 0
rule 8 permit ip source 192.168.0.17 0
rule 9 permit ip source 192.168.0.119 0
rule 10 permit ip source firewall_ip_address 0
rule 12 permit udp destination-port eq dns
rule 13 permit tcp destination-port eq www
rule 14 permit tcp destination-port eq 443
rule 15 permit tcp destination-port eq ftp
rule 16 permit tcp destination-port eq pop3
rule 17 permit tcp destination-port eq smtp
rule 18 permit tcp destination-port eq 8000
rule 19 permit tcp destination-port eq 1863
rule 20 permit tcp destination-port eq domain
rule 21 permit tcp destination-port eq 5000
rule 23 permit tcp destination-port eq 2046
rule 24 permit tcp destination-port range 8000 8050
rule 25 permit tcp destination-port eq 1433
rule 26 permit tcp destination-port eq 3306
rule 27 permit tcp destination-port eq 1978
rule 28 permit tcp destination-port eq 29000
rule 30 deny tcp destination-port eq 5188
rule 32 permit tcp destination-port range 18000 18999
rule 33 deny tcp destination-port range 22221 22224
rule 100 deny ip
The company is a state-owned enterprise, so we can't shut everything off; a few managers need to be opened up individually. Rules 0 through 9 apply no restriction at all. Rule 10, firewall_ip_address: before it was added, you couldn't SSH or telnet to the firewall from the public network, which was inconvenient, since sometimes after work I need to log in to the firewall and tinker with it. After some digging I found that once this rule is added, I can manage the firewall remotely from home.
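To make the first-match behaviour of these two ACLs concrete (why the per-host exemptions in rules 0-9 have to come before the port rules, why the time-range permits open everything after hours, and why the firewall's own replies were being dropped until rule 10 existed), here is a small evaluator for Comware-style packet-filter rules. It is an added example written for this post, not the firewall's own code. It assumes rules are tried in ascending rule-number order with the first match winning, that "daily" time ranges have an inclusive end, and that service names map to the usual ports; the ACL text inside it is a condensed, renumbered composite of the two ACLs above, and 192.168.0.254 is a constructed stand-in for the post's firewall_ip_address placeholder.

```python
"""Added example: first-match evaluator for Comware-style packet-filter ACLs.
Not the firewall's code. Assumptions: ascending rule-number order, first match
wins, inclusive time-range end, usual IANA ports for service names."""
import ipaddress

SERVICE_PORTS = {"dns": 53, "domain": 53, "www": 80, "ftp": 21,
                 "pop3": 110, "smtp": 25, "telnet": 23}

# Constructed: condensed, renumbered composite of the post's two ACLs.
# 192.168.0.254 stands in for the post's firewall_ip_address placeholder.
ACL_TEXT = """\
time-range off-work-time1 00:00 to 07:30 daily
time-range off-work-time2 17:01 to 24:00 daily
rule 0 permit ip source 192.168.0.14 0
rule 10 permit ip source 192.168.0.254 0
rule 11 permit ip time-range off-work-time1
rule 12 permit ip time-range off-work-time2
rule 13 permit tcp destination-port eq www
rule 14 permit tcp destination-port eq 443
rule 15 permit udp destination-port eq dns
rule 20 permit tcp destination-port eq domain
rule 24 permit tcp destination-port range 8000 8050
rule 30 deny tcp destination-port eq 5188
rule 31 permit icmp
rule 100 deny ip
"""


def hhmm(text):
    """'17:01' -> minutes after midnight ('24:00' -> 1440)."""
    hours, minutes = text.split(":")
    return int(hours) * 60 + int(minutes)


def ip_int(text):
    """Dotted address, or a bare wildcard such as '0', -> 32-bit integer."""
    return int(text) if text.isdigit() else int(ipaddress.IPv4Address(text))


def port_num(text):
    return SERVICE_PORTS[text] if text in SERVICE_PORTS else int(text)


def parse_acl(text):
    """Return ({time-range name: (start, end)}, [rules sorted by number])."""
    ranges, rules = {}, []
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "time-range":  # time-range NAME HH:MM to HH:MM daily
            ranges[tok[1]] = (hhmm(tok[2]), hhmm(tok[4]))
            continue
        if tok[0] != "rule":
            continue
        rule = {"num": int(tok[1]), "action": tok[2], "proto": tok[3],
                "src": None, "ports": None, "time": None}
        i = 4
        while i < len(tok):
            if tok[i] == "source":  # source ADDR WILDCARD
                rule["src"] = (ip_int(tok[i + 1]), ip_int(tok[i + 2]))
                i += 3
            elif tok[i] == "destination-port" and tok[i + 1] == "eq":
                port = port_num(tok[i + 2])
                rule["ports"] = (port, port)
                i += 3
            elif tok[i] == "destination-port" and tok[i + 1] == "range":
                rule["ports"] = (port_num(tok[i + 2]), port_num(tok[i + 3]))
                i += 4
            elif tok[i] == "time-range":
                rule["time"] = tok[i + 1]
                i += 2
            else:
                raise ValueError(f"unsupported keyword {tok[i]!r} in rule {rule['num']}")
        rules.append(rule)
    rules.sort(key=lambda r: r["num"])
    return ranges, rules


def decide(acl_text, src_ip, proto, dst_port, clock):
    """First-match evaluation of one packet; returns (action, rule number)."""
    ranges, rules = parse_acl(acl_text)
    src, now = ip_int(src_ip), hhmm(clock)
    for r in rules:
        if r["proto"] != "ip" and r["proto"] != proto:
            continue
        if r["src"] is not None:
            addr, wildcard = r["src"]
            if (src ^ addr) & ~wildcard & 0xFFFFFFFF:  # wildcard bits are "don't care"
                continue
        if r["ports"] is not None:
            lo, hi = r["ports"]
            if dst_port is None or not lo <= dst_port <= hi:
                continue
        if r["time"] is not None:
            start, end = ranges[r["time"]]
            if not start <= now <= end:
                continue
        return r["action"], r["num"]
    return "deny", None  # only reached if the ACL lacks a final "deny ip"


if __name__ == "__main__":
    for label, *pkt in [
        ("BT peer, office hours", "192.168.0.50", "tcp", 6881, "12:00"),
        ("BT peer, after hours", "192.168.0.50", "tcp", 6881, "19:30"),
        ("BT peer from exempt host", "192.168.0.14", "tcp", 6881, "12:00"),
        ("firewall's own SSH reply", "192.168.0.254", "tcp", 51234, "12:00"),
    ]:
        print(f"{label:26} -> {decide(ACL_TEXT, *pkt)}")
```

Deleting the rule-10 line from ACL_TEXT and re-running the last sample shows the outbound filter dropping the firewall's own reply traffic at rule 100, which is exactly the remote-management problem the post describes.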
The ports opened individually further down are for certain games.
Before they were opened, the games couldn't run.
Launch the game; it tries to log in to its server and of course can't connect. Then go to Start -> Run and enter:
1 cmd /k netstat -an > port
2 notepad port
Find the game's port, add a rule, and you're done. Other programs work the same way, so there's no need for a packet-capture tool anymore.
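The netstat step above can be scripted so the port shows up without reading the whole file by eye: a program whose server port the ACL is blocking sits in SYN_SENT, so filtering on that state pinpoints it. The following is an added example written for this post, not the author's tooling; the netstat text in it is constructed sample output in the Windows format, and 203.0.113.10 is a documentation address standing in for a game server.

```python
"""Added example (not from the post): list the remote ports a blocked program is
retrying, then draft the matching Comware-style permit lines for the ACL."""
import re

# Constructed sample of `netstat -an` on Windows while a blocked game keeps retrying.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.0.50:1041      203.0.113.10:29000     SYN_SENT
  TCP    192.168.0.50:1042      203.0.113.10:29000     SYN_SENT
  TCP    192.168.0.50:1043      192.168.0.1:80         ESTABLISHED
  TCP    127.0.0.1:1044         127.0.0.1:1045         ESTABLISHED
  UDP    0.0.0.0:500            *:*
"""

ENDPOINT = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d+)$")


def pending_destinations(netstat_text, states=("SYN_SENT",)):
    """Return sorted unique (proto, remote_ip, remote_port) for TCP rows in `states`.

    SYN_SENT alone usually pinpoints the port the ACL is blocking; pass
    ("SYN_SENT", "ESTABLISHED") to also see what is already getting through.
    """
    found = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) != 4 or fields[0] != "TCP" or fields[3] not in states:
            continue  # header, blank, UDP (no state column) or uninteresting state
        m = ENDPOINT.match(fields[2])
        if not m:
            continue
        ip, port = m.group(1), int(m.group(2))
        if ip.startswith("127."):  # loopback traffic never reaches the firewall
            continue
        found.add(("tcp", ip, port))
    return sorted(found)


def draft_rules(destinations, first_rule=40):
    """Draft one permit line per destination port, numbered from `first_rule`.

    Numbers must stay below the ACL's final 'deny ip' (rule 100 in the post),
    otherwise the new permits sit after the deny and never match.
    """
    lines, num = [], first_rule
    for proto, _ip, port in destinations:
        if num >= 100:
            raise ValueError("rule number would collide with the final deny ip")
        lines.append(f"rule {num} permit {proto} destination-port eq {port}")
        num += 1
    return lines


if __name__ == "__main__":
    # On the real machine: read the file produced by `cmd /k netstat -an > port`.
    dests = pending_destinations(SAMPLE_NETSTAT)
    for d in dests:
        print("stuck in SYN_SENT:", d)
    print("\n".join(draft_rules(dests)))
```

Note that this only reveals TCP destinations; a game that talks UDP shows no state in netstat, which is the one case where the packet-capture approach from earlier in the post is still needed.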