防火墙策略设置指导实例! - Anti-Botnet & 云火墙 - 新赛道 心选择 - ...

来源:百度文库 编辑:神马文学网 时间:2024/04/28 16:47:43

防火墙策略设置指导实例!

National Institute of Standards and Technology (NIST)'s Guidelines on Firewalls and Firewall Policy.  The following traffic types should always be blocked:
  • Inbound traffic from a non-authenticated source system with a destination address of the firewall itself
  • Inbound traffic with a source address indicating that the packet originated on a network behind the firewall
  • Inbound traffic containing ICMP
  • Inbound or outbound traffic from a system using a source address that falls within the private address ranges show n in RFC 1918
  • Inbound traffic from a non-authenticated source system containing SNMP
  • Inbound traffic containing IP Source Routing information
  • Inbound or outbound traffic containing a source or destination address of 127.0.0.1
  • Inbound or outbound traffic containing a source or destination address of 0.0.0.0
  • Inbound or outbound traffic containing a directed broadcast address
The whole article can be found at this link:
http://csrc.nist.gov/publications/nistpubs/800-41/sp800-41.pdf

A good "base" ACL for use on Internet facing routers and firewall devices.
Assuming my PubNet range is a block of 32 66.238.29.0 - 31. See below
! no fragments
access-list 100 deny tcp any 66.238.29.0 0.0.0.31 log fragments
access-list 100 deny udp any 66.238.29.0 0.0.0.31 log fragments
access-list 100 deny icmp any 66.238.29.0 0.0.0.31 log fragments
! no snmp inbound from the Internet
access-list 100 deny udp any any eq snmp
access-list 100 deny udp any any eq snmptrap
! RFC 2827 Ingress, RFC 3804 Martian Filtering and RFC 1918 private Address Filtering
access-list 100 deny ip 127.0.0.0 0.255.255.255 any log
access-list 100 deny ip 255.0.0.0 0.255.255.255 any log
access-list 100 deny ip 224.0.0.0 31.255.255.255 any log
access-list 100 deny ip host 0.0.0.0 any log
access-list 100 deny ip 10.0.0.0 0.255.255.255 any log
access-list 100 deny ip 172.16.0.0 0.15.255.255 any log
access-list 100 deny ip 192.0.2.0 0.0.0.255 any log
access-list 100 deny ip 192.168.0.0 0.0.255.255 any log
access-list 100 deny ip 14.0.0.0 0.255.255.255 any log
access-list 100 deny ip 169.254.0.0 0.0.255.255 any log
access-list 100 deny ip 198.18.0.0 0.0.255.255 any log
access-list 100 deny ip 66.238.29.0 0.0.0.31 any log
! no routing protocols inbound (unless needed)
access-list 100 deny tcp any any eq bgp log
access-list 100 deny tcp any eq bgp any log
access-list 100 deny ipinip any any
access-list 100 deny gre any any
access-list 100 deny pim any any
access-list 100 deny 90 any any
access-list 100 deny ospf any any log
access-list 100 deny eigrp any any log
access-list 100 deny udp any eq rip any log
access-list 100 deny udp any any eq rip log
access-list 100 permit now begins your permits...if any
Notes:
192.0.2.0 0.0.0.255 any log (range known to be used exploit default pw on WLA devices)
4.0.0.0 0.255.255.255 any log (Known as Net-14, a Public use network, possibly used by attackers)
69.254.0.0 0.0.255.255 any log (RFC2026 Link Local)
198.18.0.0 0.0.255.255 any log (block for benchmark tests of network interconnect devices, RFC2544)
防火墙策略设置指导实例! - Anti-Botnet & 云火墙 - 新赛道 心选择 - ... Server2008防火墙安全设置_ Win XP SP2防火墙设置 专家指导:新托福备考资料选择有学问 一段使用 iptable 设置防火墙的设置 DLINK无线路由内防火墙设置:如何限制LAN里面的电脑 VLAN设置实例 BIOS快速设置实例 物业公司会计科目设置实例 - 朗读指导策略 使用IPFILTER设置小型企业防火墙系统 Win XP SP2防火墙设置详细讲解 Win XP SP2防火墙设置详细讲解 IPTABLES防火墙--Layer7应用层过滤策略 IPTABLES防火墙--SNAT、DNAT网关策略 SEO入门教程:选择关键词的步骤和实例 - 新加入站长试水区 - 落伍者站长交流平台 VLAN设置实例全程解读 VFP 多用户权限设置实例 价目表:实例和最佳策略 iptables防火墙配置工具ShoreWall的安装和使用实例 关键词选择策略 防火墙 天网防火墙新加模块功能详解 主流国外防火墙设置集合(2.19更新)[【fishの论坛】]