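# Zone membership: "public" holds the WAN-facing interface (eth0), "private" the LAN-facing
# interface (eth1). Traffic between zones is only allowed by the rule sets bound further below.
set zone-policy zone public interface eth0
set zone-policy zone private interface eth1

# Do not answer ICMP echo requests addressed to the firewall's own interfaces.
# NOTE(review): all-ping governs the router itself; ICMP forwarded between zones is still
# decided by the per-direction rule sets below (see private-public rule 100).
set firewall all-ping disable

# ---------------------------------------------------------------------------
# private -> public: outbound traffic from the LAN to the WAN.
# Default action is drop, so anything not explicitly accepted is discarded.
# ---------------------------------------------------------------------------
set firewall name private-public default-action drop

# Rule 1: accept packets that belong to an established or related connection
# (stateful return traffic and helper-opened sessions).
set firewall name private-public rule 1 action accept
set firewall name private-public rule 1 state established enable
set firewall name private-public rule 1 state related enable

# Rule 2: drop and log packets whose connection-tracking state is invalid.
set firewall name private-public rule 2 action drop
set firewall name private-public rule 2 log enable
set firewall name private-public rule 2 state invalid enable

# Rule 100: allow outbound ping (ICMP) to the public zone; every accepted new flow is logged.
set firewall name private-public rule 100 action accept
set firewall name private-public rule 100 log enable
set firewall name private-public rule 100 protocol icmp

# Rule 200: allow outbound HTTP/HTTPS (TCP 80, 443).
set firewall name private-public rule 200 action accept
set firewall name private-public rule 200 destination port 80,443
set firewall name private-public rule 200 log enable
set firewall name private-public rule 200 protocol tcp

# Rule 300: allow outbound SSH on TCP 22 and on the alternate port 29922.
set firewall name private-public rule 300 action accept
set firewall name private-public rule 300 destination port 22,29922
set firewall name private-public rule 300 log enable
set firewall name private-public rule 300 protocol tcp

# Rule 600: allow DNS (TCP and UDP 53), but only from the 10.0.1.0/24 subnet.
# This is the only outbound rule with a source restriction; rules 100-300 apply to any
# host in the private zone.
set firewall name private-public rule 600 action accept
set firewall name private-public rule 600 destination port 53
set firewall name private-public rule 600 log enable
set firewall name private-public rule 600 protocol tcp_udp
set firewall name private-public rule 600 source address 10.0.1.0/24

# Rule 9999: final catch-all. Anything not matched above is dropped AND logged, so refused
# outbound traffic shows up in the firewall log (default-action drop alone would be silent).
set firewall name private-public rule 9999 action drop
set firewall name private-public rule 9999 log enable

# Bind private-public to traffic entering "public" from "private". Net effect: LAN hosts may
# ping the WAN, reach TCP 80/443 and 22/29922 on the WAN, and 10.0.1.0/24 may resolve DNS.
set zone-policy zone public from private firewall name private-public

# ---------------------------------------------------------------------------
# public -> private: inbound traffic from the WAN to the LAN.
# Same structure as above: stateful accept, invalid drop, explicit allows, logged catch-all.
# ---------------------------------------------------------------------------
set firewall name public-private default-action drop

# Rule 1: accept established/related packets (replies to LAN-initiated connections).
set firewall name public-private rule 1 action accept
set firewall name public-private rule 1 state established enable
set firewall name public-private rule 1 state related enable

# Rule 2: drop and log invalid-state packets.
set firewall name public-private rule 2 action drop
set firewall name public-private rule 2 log enable
set firewall name public-private rule 2 state invalid enable

# Rule 100: allow new inbound TCP connections to 80, 443, 22 and 29922.
# NOTE(review): this accepts SSH (22, 29922) from any source in the public zone. Unless the
# service must be reachable from arbitrary WAN addresses, constrain it with a "source address"
# match as rule 600 in private-public does, or reach management over a VPN instead.
# NOTE(review): if these services are exposed through destination NAT (the original comment's
# examples suggest so), the zone firewall evaluates the post-NAT destination - confirm that
# the ports listed here are the internal ones.
set firewall name public-private rule 100 action accept
set firewall name public-private rule 100 destination port 80,443,22,29922
set firewall name public-private rule 100 log enable
set firewall name public-private rule 100 protocol tcp

# Rule 9999: final catch-all, drop and log.
set firewall name public-private rule 9999 action drop
set firewall name public-private rule 9999 log enable

# Bind public-private to traffic entering "private" from "public". Net effect: only the
# mapped ports 80, 443, 22 and 29922 are reachable from the WAN
# (e.g. ssh -p 29922 10.0.1.100, http://10.0.1.100); everything else is dropped and logged.
set zone-policy zone private from public firewall name public-private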