Hello, I am with the Natural Resources Bureau of Xilingol League, Inner Mongolia. There is ransomware on our LAN and we need to block ports 139 and 445. I don't know how to configure the firewall for this; after logging into the web interface there is only a blank white page with no content. Could you give the configuration commands for the CLI? The current configuration and version are below.
```
dis cur
#
 sysname xlglm-dwzmqq-F100S-01
#
 firewall packet-filter enable
 firewall packet-filter default permit
#
 undo connection-limit enable
 connection-limit default deny
 connection-limit default amount upper-limit 50 lower-limit 20
#
 firewall mode transparent
 firewall system-ip 10.254.177.252 255.255.255.0
 firewall unknown-mac flood
#
 firewall statistic system enable
#
radius scheme system
 server-type extended
#
domain system
#
local-user admin
 password simple admin
 service-type telnet
 level 3
#
acl number 3001
 rule 10 permit ip
 rule 20 permit icmp
#
interface Aux0
 async mode flow
#
interface Ethernet0/0
 promiscuous
 description Connect to xlglm-dwzmqq-MSR3060-01
 firewall packet-filter 3001 inbound
#
interface Ethernet0/1
 promiscuous
 description Connect to xlglm-dwzmqq-S5100-01
 firewall packet-filter 3001 inbound
#
interface Ethernet0/2
 promiscuous
#
interface Ethernet0/3
 promiscuous
#
interface Encrypt1/0
#
interface NULL0
#
interface LoopBack0
 ip address 10.254.177.252 255.255.255.0
#
firewall zone local
 set priority 100
#
firewall zone trust
 add interface Ethernet0/1
 set priority 85
#
firewall zone untrust
 add interface Ethernet0/0
 set priority 5
#
firewall zone DMZ
 set priority 50
#
firewall interzone local trust
#
firewall interzone local untrust
#
firewall interzone local DMZ
#
firewall interzone trust untrust
#
firewall interzone trust DMZ
#
firewall interzone DMZ untrust
#
 ip route-static 0.0.0.0 0.0.0.0 10.254.177.251 preference 60
#
user-interface con 0
user-interface aux 0
user-interface vty 0 4
 user privilege level 3
 set authentication password simple h3c
#
return
```
```
<xlglm-dwzmqq-F100S-01>dis version
H3C Comware Software
Comware software, Version 3.40, Release 1610
Copyright (c) 2004-2008 Hangzhou H3C Technologies Co., Ltd. All rights reserved.
Without the owner's prior written consent, no decompiling nor reverse-engineering shall be allowed.
H3C SecPath F100-S uptime is 0 week, 0 day, 0 hour, 12 minutes
CPU type: Mips IDT RC32365 150MHz
128M bytes SDRAM Memory
16M bytes Flash Memory
Pcb Version:2.0
Logic Version:1.0
BootROM Version:1.14
[SLOT 0] 4FE (Hardware)2.0, (Driver)2.0, (Cpld)1.0
[SLOT 1] 1SE (Hardware)1.0, (Driver)1.0, (Cpld)1.0
<xlglm-dwzmqq-F100S-01>
```
Best answer
```
acl advanced 3000
rule 10 deny tcp source-port eq 445 counting
rule 13 deny udp source-port eq netbios-ns counting
rule 14 deny tcp source-port eq 137 counting
rule 15 deny udp source-port eq 445 counting
rule 20 deny tcp destination-port eq 445 counting
rule 23 deny udp destination-port eq netbios-ns counting
rule 24 deny tcp destination-port eq 137 counting
rule 25 deny udp destination-port eq 445 counting
rule 30 deny tcp source-port eq 139 counting
rule 33 deny udp source-port eq 136 counting
rule 34 deny tcp source-port eq 136 counting
rule 35 deny udp source-port eq netbios-ssn counting
rule 40 deny tcp destination-port eq 135 counting
rule 43 deny udp destination-port eq 136 counting
rule 44 deny tcp destination-port eq 136 counting
rule 45 deny udp destination-port eq 135 counting
rule 100 permit ip
```
You can apply this ACL on the external interface as NAT Outbound 3001; the actual ACL number depends on your situation.
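The rules in the answer above are written in Comware V7 syntax (`acl advanced`, the `counting` keyword). The F100-S in the question runs Comware V3.40 (Release 1610), where an advanced ACL is created with `acl number` and a rule has no `counting` keyword; match counts are shown by `display acl` instead. The configuration it shows is also in transparent mode with no NAT, so the natural attachment point is the interface packet filter that already carries the permit-all ACL 3001 on Ethernet0/0 and Ethernet0/1. The block below is an added example, not part of the original question or answer: it is the same idea in V3 form, applied inbound on both interfaces so that traffic is dropped whichever side it enters from, which is why every port appears as both source and destination. It covers the ports asked about (TCP 139 and 445) plus TCP 135/137 and UDP 137/138; including UDP 138 and a TCP destination-port 139 rule, and leaving out port 136 (which NetBIOS does not use: 137 is name service, 138 datagram, 139 session), are my choices. ACL number 3000 and the rule numbers are assumptions; use a number not already in use on the device.

```text
system-view
acl number 3000
 rule 10 deny tcp source-port eq 445
 rule 11 deny tcp destination-port eq 445
 rule 20 deny tcp source-port eq 139
 rule 21 deny tcp destination-port eq 139
 rule 30 deny tcp source-port eq 135
 rule 31 deny tcp destination-port eq 135
 rule 40 deny tcp source-port eq 137
 rule 41 deny tcp destination-port eq 137
 rule 50 deny udp source-port eq 137
 rule 51 deny udp destination-port eq 137
 rule 52 deny udp source-port eq 138
 rule 53 deny udp destination-port eq 138
 rule 100 permit ip
 quit
interface Ethernet0/0
 undo firewall packet-filter 3001 inbound
 firewall packet-filter 3000 inbound
 quit
interface Ethernet0/1
 undo firewall packet-filter 3001 inbound
 firewall packet-filter 3000 inbound
 quit
quit
save
```

Rules are evaluated in rule-number order (the V3 default match order is config order), so the deny rules must sit before `rule 100 permit ip`; because `firewall packet-filter default permit` is set, the final permit is redundant but makes the intent explicit, and `permit ip` already covers ICMP, so the old `permit icmp` rule is not needed. Check with `display acl 3000`, which lists the rules with their matched counts, and `display current-configuration interface Ethernet0/0` to confirm the new filter is attached. Two caveats a practitioner will want: this firewall sits between the MSR3060 router and the S5100 switch, so it only stops SMB traffic that crosses it; hosts on the same segment behind the S5100 still reach each other on 445 directly, which is how ransomware usually spreads laterally, so the same ports need blocking on the switch or on the hosts' own firewalls as well. And blocking 445 and 139 across this boundary also breaks any legitimate file sharing or domain traffic that crosses it, so check for those before saving the change permanently.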