Requirement I want to implement: block the high-risk ports globally, but allow access to port 445 on 19.168.0.228. Will the commands below do that?
acl number 3100
rule 2 deny tcp source 192.168.0.250 0 destination 19.168.0.228 0 destination-port eq 445
rule 6 deny tcp destination-port eq 135
rule 10 deny tcp destination-port eq 137
rule 15 deny tcp destination-port eq 138
rule 20 deny tcp destination-port eq 139
rule 25 deny tcp destination-port eq 445
rule 30 deny udp destination-port eq 135
rule 35 deny udp destination-port eq netbios-ns
rule 40 deny udp destination-port eq netbios-dgm
rule 45 deny udp destination-port eq netbios-ssn
rule 50 deny udp destination-port eq 445
acl number 3200
rule 5 permit tcp destination 19.168.0.228 0 destination-port eq 445
traffic classifier 3100 operator and
if-match acl 3100
traffic classifier 3200 operator and
if-match acl 3200
traffic behavior 3100
filter permit
traffic behavior 3200
filter permit
qos policy 3100
classifier 3100 behavior 3100
classifier 3200 behavior 3200
Best answer
OK, I'll add it.
Blocking the ports globally, I want to allow port 445 for one specific IP. Can the commands above achieve that?
Add a rule to your ACL, then permit, and give it a try.
Hello, please note:
To block high-risk ports, use an ACL and apply it to the interface. Reference commands are as follows:
1. Create the ACL that blocks the high-risk ports:
acl number 3210
rule 0 deny tcp destination-port eq 135
rule 1 deny udp destination-port eq 135
rule 2 deny tcp destination-port eq 137
rule 3 deny udp destination-port eq netbios-ns
rule 4 deny tcp destination-port eq 138
rule 5 deny udp destination-port eq netbios-dgm
rule 6 deny udp destination-port eq netbios-ssn
rule 7 deny tcp destination-port eq 139
rule 8 deny tcp destination-port eq 445
rule 9 deny udp destination-port eq 445
rule 10 deny tcp destination-port eq 3389
rule 11 deny udp destination-port eq 3389
rule 20 deny tcp source-port eq 135
rule 21 deny udp source-port eq 135
rule 22 deny tcp source-port eq 137
rule 23 deny udp source-port eq netbios-ns
rule 24 deny tcp source-port eq 138
rule 25 deny udp source-port eq netbios-dgm
rule 26 deny udp source-port eq netbios-ssn
rule 27 deny tcp source-port eq 139
rule 28 deny tcp source-port eq 445
rule 29 deny udp source-port eq 445
rule 30 deny tcp source-port eq 3389
rule 31 deny udp source-port eq 3389
rule 1500 permit ip
2. Apply the ACL to the interface:
interface Ten-GigabitEthernet 1/1/1
packet-filter 3210 inbound
packet-filter 3210 outbound
quit
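The replies above say to put the permit for 19.168.0.228 into the blocking ACL itself. What follows is an added example, not code from this thread or from H3C: a small first-match simulator for H3C-style ACL rule lines, showing that the per-host permit must carry a lower rule number than the global deny or it is never reached. It assumes rules are tried in ascending rule-number order, first match wins, and a packet matching no rule is permitted (the packet-filter default); the ACL texts and packets are constructed.

```python
# Added example, not from the thread: a first-match simulator for H3C-style ACL rules,
# used to check where a per-host permit must sit relative to a global deny. Assumed:
# rules tried in ascending rule-number order, first match wins, no match => permit.
import ipaddress

NAMED_PORTS = {"netbios-ns": 137, "netbios-dgm": 138, "netbios-ssn": 139}
def _ip(s):  # H3C accepts "0" as shorthand wildcard; otherwise a dotted quad
    return int(s) if s.isdigit() else int(ipaddress.ip_address(s))
def parse_rule(line):
    # rule N permit|deny tcp|udp|ip [source A W] [destination A W] [source-port eq P] [destination-port eq P]
    t = line.split()
    if len(t) < 4 or t[0] != "rule":
        raise ValueError(f"not a rule: {line!r}")
    r, i = {"num": int(t[1]), "action": t[2], "proto": t[3]}, 4
    while i < len(t):
        if t[i] in ("source", "destination"):  # address + wildcard mask
            r[t[i]] = (_ip(t[i + 1]), _ip(t[i + 2]))
        elif t[i] in ("source-port", "destination-port") and t[i + 1] == "eq":
            r[t[i]] = NAMED_PORTS.get(t[i + 2]) or int(t[i + 2])
        else:
            raise ValueError(f"unsupported token {t[i]!r} in {line!r}")
        i += 3
    return r

def _addr_ok(spec, addr):  # wildcard bits set to 1 are "don't care"
    return (spec[0] ^ _ip(addr)) & (0xFFFFFFFF ^ spec[1]) == 0

def matches(r, pkt):
    return ((r["proto"] == "ip" or r["proto"] == pkt["proto"])
            and ("source" not in r or _addr_ok(r["source"], pkt["src"]))
            and ("destination" not in r or _addr_ok(r["destination"], pkt["dst"]))
            and ("source-port" not in r or r["source-port"] == pkt.get("sport"))
            and ("destination-port" not in r or r["destination-port"] == pkt.get("dport")))

def evaluate(acl_text, pkt):  # action of the first matching rule; 'permit' if none matches
    rules = [parse_rule(l) for l in acl_text.strip().splitlines() if l.strip()]
    for r in sorted(rules, key=lambda r: r["num"]):
        if matches(r, pkt):
            return r["action"]
    return "permit"

# Constructed ACLs: BLOCK_ALL mirrors the answer's global deny (445/3389 subset).
BLOCK_ALL = ("rule 8 deny tcp destination-port eq 445\nrule 9 deny udp destination-port eq 445\n"
             "rule 10 deny tcp destination-port eq 3389\nrule 1500 permit ip\n")
EXCEPTION = "permit tcp destination 19.168.0.228 0 destination-port eq 445\n"
EXCEPTION_FIRST = "rule 5 " + EXCEPTION + BLOCK_ALL  # lower number: evaluated before the deny
EXCEPTION_LAST = BLOCK_ALL + "rule 12 " + EXCEPTION  # higher number: shadowed by rule 8
SMB_TO_SERVER = {"proto": "tcp", "src": "192.168.0.250", "dst": "19.168.0.228", "dport": 445}
SMB_TO_OTHER = {"proto": "tcp", "src": "192.168.0.250", "dst": "192.168.0.77", "dport": 445}
```

evaluate(EXCEPTION_FIRST, SMB_TO_SERVER) returns "permit" while evaluate(EXCEPTION_LAST, SMB_TO_SERVER) returns "deny"; both ACLs return "deny" for SMB_TO_OTHER, so the exception is scoped to the one host only when it precedes the global deny.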