[FW]firewall zone trust //进入trust区域
[FW-zone-trust]add int g1/0/0 //把g1/0/0加入trust区域 undo add int g1/0/0 取消加入
[FW]firewall zone untrust
[FW-zone-untrust]add int g1/0/1
//查看安全区域内容
[FW]dis zone
local
priority is 100
interface of the zone is (0):
#
trust
priority is 85
interface of the zone is (2):
GigabitEthernet0/0/0
GigabitEthernet1/0/0
#
untrust
priority is 5
interface of the zone is (1):
GigabitEthernet1/0/1
#
dmz
priority is 50
interface of the zone is (0):
#
配置安全策略starry
[FW]security-policy
[FW-policy-security]rule name starry //配置一个规则
[FW-policy-security-rule-starry]source-zone trust //源地址
[FW-policy-security-rule-starry]destination-zone untrust //目的地址
[FW-policy-security-rule-starry]source-address 192.168.5.2 32 //表示5.2这个IP地址
[FW-policy-security-rule-starry]source-address 192.168.5.3
[FW-policy-security-rule-starry]action ? //动作
deny Indicate the rule action deny
permit Indicate the rule action permit
[FW-policy-security-rule-starry]action deny //拒绝动作
[FW-policy-security-rule-starry]dis this //查看配置的信息
#
rule name starry
source-zone trust
destination-zone untrust
source-address 192.168.5.2 32
source-address 192.168.5.3 32
action deny
#
return
[FW]security-policy
[FW-policy-security]rule name starry1
[FW-policy-security-rule-starry1]source-zone trust
[FW-policy-security-rule-starry1]destination-zone untrust
[FW-policy-security-rule-starry1]source-address 192.168.5.0 24 //表示5.0这个网段
[FW-policy-security-rule-starry1]action permit
[FW-policy-security-rule-starry1]dis this
#
rule name starry1
source-zone trust
destination-zone untrust
source-address 192.168.5.0 24
action permit
#
return
防火墙默认没有开启ping功能,可以开启
[FW-GigabitEthernet1/0/0]service-manage ?
all ALL service
enable Service manage switch on/off
http HTTP service
https HTTPS service
netconf Netconf service
ping Ping service
snmp SNMP service
ssh SSH service
telnet Telnet service
[FW-GigabitEthernet1/0/0]service-manage ping ?
deny deny
permit permit
[FW-GigabitEthernet1/0/0]service-manage ping permit
