The actual public IP addresses and internal ARP binding information have been replaced with "x"; substitute your own values.
The text after "//" is commentary I added after exporting the configuration.
The firewall is a Huawei Eudemon 200 (interface E0/0/0); with slight modifications the configuration also works on Huawei AR-series routers.
#
 sysname Eudemon                                            // set the host name
#
 super password level 3 simple xxxxxx                       // the super password is XXXXXXXX
#
 firewall packet-filter default permit interzone local trust direction inbound
 firewall packet-filter default permit interzone local trust direction outbound
 firewall packet-filter default permit interzone local untrust direction inbound
 firewall packet-filter default permit interzone local untrust direction outbound
 firewall packet-filter default permit interzone local dmz direction inbound
 firewall packet-filter default permit interzone local dmz direction outbound
 firewall packet-filter default permit interzone trust untrust direction inbound
 firewall packet-filter default permit interzone trust untrust direction outbound
 firewall packet-filter default permit interzone trust dmz direction inbound
 firewall packet-filter default permit interzone trust dmz direction outbound
 firewall packet-filter default permit interzone dmz untrust direction inbound
 firewall packet-filter default permit interzone dmz untrust direction outbound   // permit packets through by default
#
 nat address-group 1 x.x.x.x x.x.x.x                        // put the public IPs assigned by the ISP into address pool 1
 nat server global x.x.x.x inside 172.16.20.4
 nat server global x.x.x.x inside 172.16.20.3
 nat server global x.x.x.x inside 172.16.20.2
 nat server global x.x.x.x inside 172.16.20.5
 nat server global x.x.x.x inside 172.16.20.35               // map several public IP addresses to internal servers
 nat alg enable ftp
 nat alg enable dns
 nat alg enable icmp
 nat alg enable netbios
 undo nat alg enable h323
 undo nat alg enable hwcc
 undo nat alg enable ils
 undo nat alg enable pptp
 undo nat alg enable qq
 undo nat alg enable msn
 undo nat alg enable user-define
 undo nat alg enable rtsp
 firewall permit sub-ip
#
 firewall statistic system enable
#
interface Aux0
 async mode flow
 link-protocol ppp
#
interface Ethernet0/0/0
 ip address x.x.x.x 255.255.255.248                         // external interface IP; here it is a private 10.x.x.x address assigned by China Netcom
#
interface Ethernet0/0/1
 ip address 172.16.20.1 255.255.255.0                       // internal interface IP, using the 172.16.20.0/24 network
#
interface NULL0
#
acl number 2000
 rule 0 permit source 172.16.20.0 0.0.0.255                 // ACL 2000: only allow 172.16.20.0/24 addresses to be NATed out to the Internet
 rule 1 deny
#
acl number 3001
 rule 0 deny udp destination-port eq 445
 rule 1 deny udp destination-port eq netbios-ns
 rule 2 deny udp destination-port eq netbios-dgm
 rule 3 deny udp destination-port eq netbios-ssn
 rule 4 deny udp destination-port eq 1434
 rule 5 deny tcp destination-port eq 135
 rule 6 deny tcp destination-port eq 139
 rule 7 deny tcp destination-port eq 389
 rule 8 deny tcp destination-port eq 445
 rule 9 deny tcp destination-port eq 636
 rule 10 deny tcp destination-port eq 1025
 rule 11 deny tcp destination-port eq 1503
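The following Python script is an added example, not part of the original post and not a Huawei tool. It reads a VRP-style configuration dump like the one above (a shortened, constructed copy is embedded as SAMPLE_CONFIG), parses the ACL rules, and answers two questions a reviewer of this configuration would ask: which traffic do ACL 2000 and ACL 3001 actually match, and which settings deserve a second look. It assumes VRP's default rule matching (the first matching rule, in rule-ID order, wins), that "inbound" on an Eudemon interzone means traffic from the lower-priority zone (untrust) toward the higher-priority one, and that "#" lines terminate a view as they do in a VRP dump; the port-name table covers only the names used in this configuration.

```python
"""Audit helpers for a Huawei Eudemon/VRP configuration dump (added example, not vendor code)."""
import ipaddress
import re

# Constructed sample: a shortened copy of the configuration shown above, same layout.
SAMPLE_CONFIG = """\
#
 sysname Eudemon
#
 super password level 3 simple xxxxxx
#
 firewall packet-filter default permit interzone local trust direction inbound
 firewall packet-filter default permit interzone trust untrust direction inbound
 firewall packet-filter default permit interzone trust untrust direction outbound
#
 nat address-group 1 x.x.x.x x.x.x.x
 nat server global x.x.x.x inside 172.16.20.4
#
acl number 2000
 rule 0 permit source 172.16.20.0 0.0.0.255
 rule 1 deny
#
acl number 3001
 rule 0 deny udp destination-port eq 445
 rule 1 deny udp destination-port eq netbios-ns
 rule 5 deny tcp destination-port eq 135
 rule 8 deny tcp destination-port eq 445
#
"""

# VRP accepts well-known service names in place of port numbers; only the names used above.
PORT_NAMES = {"netbios-ns": 137, "netbios-dgm": 138, "netbios-ssn": 139}

RULE_RE = re.compile(
    r"\s*rule (\d+) (permit|deny)"
    r"(?: (tcp|udp|ip))?"
    r"(?: source (\S+) (\S+))?"
    r"(?: destination-port eq (\S+))?"
)


def _port(token):
    return PORT_NAMES[token] if token in PORT_NAMES else int(token)


def parse_acls(config):
    """Return {acl_number: [rule dict, ...]}; a '#' line ends the current ACL view (assumption)."""
    acls, current = {}, None
    for line in config.splitlines():
        header = re.match(r"\s*acl number (\d+)\s*$", line)
        if header:
            current = int(header.group(1))
            acls[current] = []
            continue
        if line.strip() == "#":
            current = None
            continue
        rule = RULE_RE.match(line)
        if rule and current is not None:
            rid, action, proto, net, wild, port = rule.groups()
            acls[current].append({"id": int(rid), "action": action, "proto": proto,
                                  "src": (net, wild) if net else None,
                                  "port": _port(port) if port else None})
    return acls


def _src_matches(src, ip):
    """ACL wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    net, wild = src
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wild))
    return int(ipaddress.IPv4Address(ip)) & mask == int(ipaddress.IPv4Address(net)) & mask


def acl_verdict(rules, proto=None, port=None, src_ip=None):
    """First matching rule in rule-ID order wins; None means no rule matched."""
    for r in sorted(rules, key=lambda r: r["id"]):
        if r["proto"] and r["proto"] != "ip" and r["proto"] != proto:
            continue
        if r["port"] is not None and r["port"] != port:
            continue
        if r["src"] and (src_ip is None or not _src_matches(r["src"], src_ip)):
            continue
        return r["action"]
    return None


def audit(config):
    """Flag settings a reviewer should question; returns a list of finding strings."""
    findings, nat_servers = [], 0
    for line in config.splitlines():
        s = line.strip()
        if s.startswith("super password") and " simple " in s:
            findings.append("super password uses 'simple': stored in cleartext in the config dump")
        m = re.match(r"firewall packet-filter default permit interzone (\w+) (\w+) direction inbound$", s)
        if m and "untrust" in m.groups():  # inbound = lower-priority zone toward higher (assumption)
            findings.append(f"default permit inbound between {m.group(1)} and {m.group(2)}: "
                            "only the explicit ACLs block anything from untrust")
        if s.startswith("nat server global"):
            nat_servers += 1
    if nat_servers:
        findings.append(f"{nat_servers} static NAT mapping(s) publish internal hosts; "
                        "check each against the interzone filters")
    return findings


if __name__ == "__main__":
    acls = parse_acls(SAMPLE_CONFIG)
    print("tcp/445 under ACL 3001:", acl_verdict(acls[3001], "tcp", 445))
    for f in audit(SAMPLE_CONFIG):
        print("finding:", f)
```

Run it on your own exported configuration by passing the dump text to parse_acls and audit; the verdict function makes it easy to confirm that a port you expect ACL 3001 to block (tcp/445, udp/137) really is matched by a deny rule before the packet reaches the default-permit interzone policy.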