H3C SecPath F100系列防火墙配置教程

H3C SecPath F100-C防火墙安装手册杭州华三通信技术有限公司资料版本：T1-08044M-20070430-C-1.03声明Copyright ©2006-2007 杭州华三通信技术有限公司及其许可者版权所有，保留一切权利。

未经本公司书面许可，任何单位和个人不得擅自摘抄、复制本书内容的部分或全部，并不得以任何形式传播。

H3C、、Aolynk、、H3Care、、TOP G、、IRF、NetPilot、Neocean、NeoVTL、SecPro、SecPoint、SecEngine、SecPath、Comware、Secware、Storware、NQA、VVG、V2G、V n G、PSPT、XGbus、N-Bus、TiGem、InnoVision、HUASAN、华三均为杭州华三通信技术有限公司的商标。

对于本手册中出现的其它公司的商标、产品标识及商品名称，由各自权利人拥有。

除非另有约定，本手册仅作为使用指导，本手册中的所有陈述、信息和建议不构成任何明示或暗示的担保。

如需要获取最新手册，请登录。

技术支持用户支持邮箱：customer_service@技术支持热线电话：800-810-0504（固话拨打）400-810-0504（手机、固话均可拨打）网址：前言相关手册手册名称用途《H3C SecPath系列安全产品操作手册》 该手册介绍了H3C SecPath系列安全网关/防火墙的功能特性、工作原理和配置及操作指导。

《H3C SecPath系列安全产品命令手册》该手册介绍了H3C SecPath系列安全网关/防火墙所涉及的配置和操作命令。

包括命令名、完整命令行、参数、操作视图、使用指导和操作举例。

《H3C SecPath系列安全产品 Web配置手册》指导用户通过Web方式对H3C SecPath系列防火墙进行配置操作。

本书简介本手册各章节内容如下：z第1章产品介绍。

介绍H3C SecPath F100-C防火墙的特点及其应用。

H3C SecPath F100-A-G2 防火墙的透明模式和访问控制。

注意：安全域要在安全策略中执行。

URL 和其他访问控制的策略都需要在安全策略中去执 行。

安全策略逐条检索，匹配执行，不匹配执行下一条，直到匹配到最后，还没有的则丢弃。

配置的步骤如下：一、首先连接防火墙开启WEB 命令为： yssecurity-zone name Trustimport interface GigabitEthernet1/0/0 import interface GigabitEthernet1/0/1 interface GigabitEthernet1/0/0 port link-mode routeip address 100.0.0.1 255.255.255.0 acl advanced 3333 rule 0 permit ipzone-pair security source Trust destination local packet-filter 3333zone-pair security source local destination Trust packet-filter 3333local-user admin class manage password hash adminservice-type telnet terminal http https authorization-attribute user-role level-3authorization-attribute user-role network-admin ip http enable ip https enable详情：将接口划入到域中，例如将G1/0/2、G1/0/3 口变成二层口，并加入到="$=域中□mt1巨加 1出1*T1部世上田口 D 目的电北同声 IES1应用 1 SrfliS 1时向率1卡志^slwsjz I 氏为1倜由=ArvMy 0日n 乎any sn/any- 开启 音 - □ Tmsi rnjtf ［心•伊内部址 any 目的 a ❿ 孙-开启 e - 4 a□ Trust Tiufl 1 AfF芷有勘F访问1翻5 anyiW开启 E -□ Irusit Unlruat-any耐 any 3N 呻开启 舌-□ urenjKFruM0 ftHF any;3叮a 值a*-开售 3 -二、进入WEB ，将接口改为二层模式，在将二层模式的接口划到Trust 安全域中。

设置H3C SecPath F100 系列防火墙的web访问最近集团下属酒店退回一台H3C SecPath F100-S防火墙，自我学习巩固的同时，给大家带来几篇教程，欢迎大家的拍砖。

今天给大家带来的是如何实现通过Web方式访问和配置路由器。

和H3C之前的产品不同，H3C在SecPath F100系列防火墙产品中增加了更加人性化的WEB方式配置界面，用户可以通过WEB方式来访问防火墙并通过图形化界面来配置各种参数，这点改进大大降低了防火墙设置的门槛，让用户可以更快的上手。

下面我们就来看看如何通过WEB方式配置SecPath F100-S防火墙，当然默认情况下WEB方式是关闭的。

第一步：建立与防火墙之间的连接，我们采用console方式进行配置，将防火墙自带console线的RJ45端插入防火墙“console”端口，另一头连接到电脑串口。

在电脑上启动“超级终端”，我们选用默认值：9600/8/无/1/无，然后点击确定。

第一步：建立与防火墙之间的连接，我们采用console方式进行配置，将防火墙自带console 线的RJ45端插入防火墙“console”端口，另一头连接到电脑串口。

在电脑上启动“超级终端”，我们选用默认值：9600/8/无/1/无，然后点击确定。

第二步：插电启动防火墙，我们就会在超级终端界面上清楚的看到防火墙的全部启动过程。

按回车键，进入防火墙命令行配置模式第三步：输入“system-view”命令，进入高级管理模式，我们首先查看一下防火墙默认的配置信息第四步：下面开始配置：启动防火墙的HTTP服务，默认情况下是开启的，我们不用操作。

命令：undo ip http shutdown在防火墙中新建相应的用户，授于用户telnet的权限，管理权限设为最高的3级。

local-user admin (新建用户admin)password simple admin (设置密码为明文的admin)service-type telnet (仅当登录用户具有telnet的服务类型时，才允许登录http服务器，且不同级别的用户在web界面中的可配置选项不同)level3 (权限级别设为最高的3级）给允许提供web访问的接口设置IP地址，我们将eth0/0端口的IP地址配置为192.168.1.1 255.255.255.0，这个IP地址就是web方式登录时键入到浏览器地址栏里面的地址将接口添加到信任区域，同时配置防火墙的默认策略为允许数据通过Zone trustAdd interface Ethernet 0/0QuitPacket-filter default permit第五步：设置计算机的IP地址与要登录防火墙的IP地址在同一网段，在浏览器中输入http://192.168.1.1就看到了防火墙web管理的登录界面。

H3C SecPath F100系列防火墙配置教程初始化配置〈H3C〉system-view开启防火墙功能[H3C]firewall packet-filter enable[H3C]firewall packet-filter default permit分配端口区域[H3C] firewall zone untrust[H3C-zone-trust] add interface GigabitEthernet0/0[H3C] firewall zone trust[H3C-zone-trust] add interface GigabitEthernet0/1工作模式firewall mode transparent 透明传输firewall mode route 路由模式http 服务器使能HTTP 服务器 undo ip http shutdown关闭HTTP 服务器 ip http shutdown添加WEB用户[H3C] local-user admin[H3C-luser-admin] password simple admin[H3C-luser-admin] service-type telnet[H3C-luser-admin] level 3开启防范功能firewall defend all 打开所有防范切换为中文模式 language-mode chinese设置防火墙的名称 sysname sysname配置防火墙系统IP 地址 firewall system-ip system-ip-address [ address-mask ] 设置标准时间 clock datetime time date设置所在的时区 clock timezone time-zone-name { add | minus } time取消时区设置 undo clock timezone配置切换用户级别的口令 super password [ level user-level ] { simple | cipher } password取消配置的口令 undo super password [ level user-level ]缺缺省情况下，若不指定级别，则设置的为切换到3 级的密码。

目录1访问控制 ············································································································································ 1-11.1 概述 ··················································································································································· 1-11.2 配置访问控制····································································································································· 1-11.3 访问控制典型配置举例 ······················································································································ 1-3 2网站过滤 ············································································································································ 2-12.1 概述 ··················································································································································· 2-12.2 网站过滤典型配置举例 ······················································································································ 2-23 MAC地址过滤 ···································································································································· 3-13.1 概述 ··················································································································································· 3-13.2 配置MAC地址过滤····························································································································· 3-13.2.1 配置MAC地址过滤类型··········································································································· 3-13.2.2 配置要过滤的MAC地址··········································································································· 3-23.3 MAC地址过滤典型配置举例 ·············································································································· 3-3 4攻击防范 ············································································································································ 4-14.1 概述 ··················································································································································· 4-14.1.1 黑名单功能······························································································································ 4-14.1.2 入侵检测功能 ·························································································································· 4-14.2 配置黑名单 ········································································································································ 4-34.2.1 配置概述 ································································································································· 4-34.2.2 启用黑名单过滤功能 ··············································································································· 4-44.2.3 手动新建黑名单表项 ··············································································································· 4-44.2.4 查看黑名单······························································································································ 4-54.3 配置入侵检测····································································································································· 4-54.4 攻击防范典型配置举例 ······················································································································ 4-64.4.1 攻击防范典型配置举例 ··········································································································· 4-6 5应用控制 ············································································································································ 5-15.1 概述 ··················································································································································· 5-15.2 配置应用控制····································································································································· 5-15.2.1 配置概述 ································································································································· 5-15.2.2 加载应用程序 ·························································································································· 5-15.2.3 配置自定义应用程序 ··············································································································· 5-25.2.4 使能应用控制 ·························································································································· 5-35.3 应用控制典型配置举例 ······················································································································ 5-41 访问控制1.1 概述访问控制是指通过设置时间段、局域网内计算机的IP地址、端口范围和数据包协议类型，禁止符合指定条件的数据包通过，来限制局域网内的计算机对Internet的访问。

利用ADSL Modem将局域网接入Internet1. 组网需求局域网内的计算机通过SecPathA访问Internet，SecPathA通过ADSL Modem采用永久在线的方式接入DSLAM。

ADSL帐户的用户名为adsluser，密码为123456。

SecPathB作为PPPoE Server通过Eth2/0/0接口连接至DSLAM，提供RADIUS认证、计费功能。

在SecPathA上使能PPPoE Client功能，局域网内的主机不用安装PPPoE客户端软件即可访问Internet。

2. 组网图图3-3 利用ADSL将局域网接入Internet3. 配置步骤(1)配置SecPathA# 配置Dialer接口。

[H3C] dialer-rule 1 ip permit[H3C] interface dialer 1[H3C-Dialer1] dialer user secpathb[H3C-Dialer1] dialer-group 1[H3C-Dialer1] dialer bundle 1[H3C-Dialer1] ip address ppp-negotiate[H3C-Dialer1] ppp pap local-user adsluser password cipher 123456# 配置PPPoE会话。

[H3C] interface ethernet 2/0/0[H3C-Ethernet2/0/0] pppoe-client dial-bundle-number 1# 配置局域网接口及缺省路由。

[H3C] interface ethernet 0/0/0[H3C-Ethernet0/0/0] ip address 192.168.1.1 255.255.255.0[H3C-Ethernet0/0/0] quit[H3C] ip route-static 0.0.0.0 0 dialer 1如果局域网内计算机使用的IP地址为私有地址，就还需要在防火墙上配置NAT （Network Address Translation，网络地址转换）。

H3C SecPath F100系列防火墙配置教程初始化配置〈H3C〉system-view开启防火墙功能[H3C]firewall packet-filter enable[H3C]firewall packet-filter default permit分配端口区域[H3C] firewall zone untrust[H3C-zone-trust] add interface GigabitEthernet0/0[H3C] firewall zone trust[H3C-zone-trust] add interface GigabitEthernet0/1工作模式firewall mode transparent 透明传输firewall mode route 路由模式http 服务器使能HTTP 服务器 undo ip http shutdown关闭HTTP 服务器 ip http shutdown添加WEB用户[H3C] local-user admin[H3C-luser-admin] password simple admin[H3C-luser-admin] service-type telnet[H3C-luser-admin] level 3开启防范功能firewall defend all 打开所有防范切换为中文模式 language-mode chinese设置防火墙的名称 sysname sysname配置防火墙系统IP 地址 firewall system-ip system-ip-address [ address-mask ] 设置标准时间 clock datetime time date设置所在的时区 clock timezone time-zone-name { add | minus } time取消时区设置 undo clock timezone配置切换用户级别的口令 super password [ level user-level ] { simple | cipher } password取消配置的口令 undo super password [ level user-level ]缺缺省情况下，若不指定级别，则设置的为切换到3 级的密码。