您现在的位置: 万盛学电脑网 >> 网络安全 >> 病毒防治 >> 正文
巧设防火墙 封杀特定网址
作者:佚名 责任编辑:admin 更新时间:2022-06-22
作为一名网管,经常会接收用户反映某个网址有恶意程序,希望我们过滤一下,我们单位上网是通过 PIX520防火墙作NAT的,因此也就涉及到如何在PIX520防火墙上限制对于某些IP地址访问的问题,为此,就结合自己的实际工作经验写了这篇文章。(网络拓扑如图1所示)
图1
一、得到某网址与IP地址的对应关系
比如要封www.ttsou.cn,有两种方法可以得到该网址对应的IP地址,第一是ping该网址,如下所示:
C:>ping www.ttsou.cn
Pinging www.ttsou.cn [58.61.155.44] with 32 bytes of data:
Reply from 58.61.155.44: bytes=32 time=80ms TTL=116
Reply from 58.61.155.44: bytes=32 time=78ms TTL=116
Reply from 58.61.155.44: bytes=32 time=92ms TTL=116
Reply from 58.61.155.44: bytes=32 time=85ms TTL=116
Ping statistics for 58.61.155.44:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 78ms, Maximum = 92ms, Average = 83ms
从中我们可以得到www.ttsou.cn对应的IP地址为58.61.155.44.但是这种方法存在一个缺陷,即如果该网址对应有多个IP地址的话,用ping的方法不可能得到所有对应的IP地址,我们可以用nslookup来解决,如下所示:
C:>nslookup
Default Server: ns.jncatv.net
Address: 222.175.169.91
> www.ttsou.cn
Server: ns.jncatv.net
Address: 222.175.169.91
Non-authoritative answer:
Name: www.ttsou.cn
Address: 58.61.155.44
> www.sina.com.cn
Server: ns.jncatv.net
Address: 222.175.169.91
Non-authoritative answer:
Name: hydra.sina.com.cn
Addresses: 218.30.108.58, 218.30.108.59, 218.30.108.61, 218.30.108.62
218.30.108.64, 218.30.108.65, 218.30.108.66, 218.30.108.67, 218.30.108.68
218.30.108.69, 218.30.108.72, 218.30.108.73, 218.30.108.74, 218.30.108.55
218.30.108.56, 218.30.108.57
Aliases: www.sina.com.cn, jupiter.sina.com.cn
从以上的结果我们可以看出,www.ttsou.cn确实是只对应了一个IP地址,但是象www.sina.com.cn这样的网址就对应了大量的IP地址。
二、在PIX520防火墙上了解当前访问列表的使用情况。
由于我们在PIX520防火墙上作了限制TELNET访问的限制,只有192.168的网段可以通过TELNET的方式登录上去,所以我们要先登录3层交换机(192.168.3.1),再从3层交换机上登录过去,先看一下当前配置:
telnet 192.168.201.1 Trying 192.168.201.1 ... Open User Access Verification Password: Type help;or;'?' for a list of available commands. pixfirewall> en Password: ****** pixfirewall# show run : Saved : PIX Version 6.2(2) nameif ethernet0 outside security0 nameif ethernet1 inside security100
(以下省略)
出于安全方面的考虑,PIX防火墙的具体配置我就不列出了,把与本文有关的内容列出,重点应该看以下两条:
access-group acl_inside in interface outside access-group acl_inside in interface inside
即当前应用的访问列表为acl_inside,然后再看acl_inside是如何写的:
access-list acl_inside deny udp any any eq tftp access-list acl_inside deny tcp any any eq 135 access-list acl_inside deny udp any any eq 135 access-list acl_inside deny tcp any any eq 137 access-list acl_inside deny udp any any eq netbios-ns access-list acl_inside deny tcp any any eq 138 access-list acl_inside deny udp any any eq netbios-dgm access-list acl_inside deny tcp any any eq netbios-ssn access-list acl_inside deny udp any any eq 139 access-list acl_inside deny tcp any any eq 445 access-list acl_inside deny tcp any any eq 593 access-list acl_inside deny tcp any any eq 4444 access-list acl_inside permit ip any any access-list acl_inside permit tcp any any eq 1723 access-list acl_inside permit gre any any
从中我们可以看到原访问列表只是对某些端口的使用做了限制,而不涉及对某个IP地址进行访问的限制,为了稳妥起见,我们要先清楚的了解访问列表的格式,如下:
pixfirewall(config)# access-list ? Usage: [no] access-list compiled [no] access-listcompiled [no] access-list deny|permit |object-group | object-group [ [ ] | object-group ] | object-group [ [ ] | object-group ] [no] access-list deny|permit icmp | object-group | object-group [ | object-group ]
从帮助信息中大致了解到应该先写源IP,后写目标IP,因此对于我们想限制对于某个IP地址的访问就应该写成access-list acl_inside deny ip any host 58.61.155.44
三、具体的操作步骤
为了保障在添加一条对于某个IP地址限制的过程中PIX520的正常工作不受影响,我们应该按照以下步骤来进行操作
1、在内外端口上停掉访问控制列表
pixfirewall# conf t pixfirewall(config)#access-group acl_inside in interface outside pixfirewall(config)#access-group acl_inside in interface inside
2、去掉访问列表acl_inside
pixfirewall# conf t pixfirewall(config)# no access-list acl-inside
3、重写access-list
pixfirewall(config)# access-list acl_inside deny udp any any eq tftp pixfirewall(config)# access-list acl_inside deny tcp any any eq 135 pixfirewall(config)# access-list acl_inside deny udp any any eq 135 pixfirewall(config)# access-list acl_inside deny tcp any any eq 137 pixfirewall(config)# access-list acl_inside deny udp any any eq netbios -ns pixfirewall(config)# access-list acl_inside deny tcp any any eq 138 pixfirewall(config)# access-list acl_inside deny udp any any eq netbios -dgm pixfirewall(config)# access-list acl_inside deny tcp any any eq netbios -ssn pixfirewall(config)# access-list acl_inside deny udp any any eq 139 pixfirewall(config)# access-list acl_inside deny tcp any any eq 445 pixfirewall(config)# access-list acl_inside deny tcp any any eq 593 pixfirewall(config)# access-list acl_inside deny tcp any any eq 4444 pixfirewall(config)# access-list acl_inside permit tcp any any eq 1723 pixfirewall(config)# access-list acl_inside permit gre any any pixfirewall(config)# access-list acl_inside deny ip any host 58.61.155.44 pixfirewall(config)# access-list acl_inside permit ip any any
即保证permit ip any any这条命令是在最后面一行
4、在内外端口上应用访问列表
pixfirewall(config)#access-gropu acl_inside in inter outside pixfirewall(config)#access-gropu acl_inside in inter outside
四、验证是否真正的对某个IP地址进行了限制
1、 进行完配置后肯定要先看一下当前配置:show run
2、可以通过tracert命令来验证,如下所示:
C:>tracert www.ttsou.cn Tracing route to www.ttsou.cn [58.61.155.44] over a maximum of 30 hops: 1 <1 ms <1 ms <1 ms 10.75.0.1 2 * * * Request timed out. 3 * * * Request timed out. 4 * * * Request timed out. 5 * * * Request timed out.
从中可以看出,对于www.ttsou.cn这个网址从三层交换机往上就不通了,证明在PIX520防火墙上已经成功的阻止了对于该网址的访问。
- 上一个网络安全: 小技巧让企业无线安全上一台阶
- 下一个网络安全: 统一规范网络设备 化解无线网络安全威胁
