As a network administrator I regularly get reports from users that some web site is serving malicious code, with a request that we filter it. Our site reaches the Internet through a PIX 520 firewall doing NAT, so the task comes down to restricting access to particular IP addresses on the PIX 520. This article is based on my own experience doing exactly that. (The network topology is shown in Figure 1.)

Figure 1: network topology
1. Finding the IP address(es) behind a hostname

Suppose we want to block www.ttsou.cn. There are two ways to find the IP address it maps to. The first is simply to ping the name:
C:\>ping www.ttsou.cn

Pinging www.ttsou.cn [58.61.155.44] with 32 bytes of data:

Reply from 58.61.155.44: bytes=32 time=80ms TTL=116
Reply from 58.61.155.44: bytes=32 time=78ms TTL=116
Reply from 58.61.155.44: bytes=32 time=92ms TTL=116
Reply from 58.61.155.44: bytes=32 time=85ms TTL=116

Ping statistics for 58.61.155.44:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 78ms, Maximum = 92ms, Average = 83ms
This tells us that www.ttsou.cn resolves to 58.61.155.44. The drawback is that ping only ever shows one address: if the name resolves to several addresses, ping cannot reveal them all. nslookup does, as shown below:
C:\>nslookup
Default Server:  ns.jncatv.net
Address:  222.175.169.91

> www.ttsou.cn
Server:  ns.jncatv.net
Address:  222.175.169.91

Non-authoritative answer:
Name:    www.ttsou.cn
Address:  58.61.155.44

> www.sina.com.cn
Server:  ns.jncatv.net
Address:  222.175.169.91

Non-authoritative answer:
Name:    hydra.sina.com.cn
Addresses:  218.30.108.58, 218.30.108.59, 218.30.108.61, 218.30.108.62
          218.30.108.64, 218.30.108.65, 218.30.108.66, 218.30.108.67, 218.30.108.68
          218.30.108.69, 218.30.108.72, 218.30.108.73, 218.30.108.74, 218.30.108.55
          218.30.108.56, 218.30.108.57
Aliases:  www.sina.com.cn, jupiter.sina.com.cn
The output confirms that www.ttsou.cn really does map to a single address, whereas a name like www.sina.com.cn maps to a large set of addresses. A block by IP address must cover every address in that set, and because the addresses behind a name can change, the lookup has to be repeated from time to time and the access list updated accordingly.
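As an added example (my own code, not part of the original article), the following Python script parses the interactive nslookup output quoted above, collecting every address of a multi-address name from the wrapped "Addresses:" list while ignoring the resolver's own "Server:" address, and turns the result into the PIX deny statements used later in this article. The sample text is constructed from the output above; the function names are my own.

```python
import re
from typing import Dict, List

# Constructed sample: the nslookup session quoted above, including a
# line-wrapped "Addresses:" list exactly as Windows nslookup prints it.
SAMPLE_NSLOOKUP = """\
Default Server:  ns.jncatv.net
Address:  222.175.169.91

> www.ttsou.cn
Server:  ns.jncatv.net
Address:  222.175.169.91

Non-authoritative answer:
Name:    www.ttsou.cn
Address:  58.61.155.44

> www.sina.com.cn
Server:  ns.jncatv.net
Address:  222.175.169.91

Non-authoritative answer:
Name:    hydra.sina.com.cn
Addresses:  218.30.108.58, 218.30.108.59, 218.30.108.61, 218.30.108.62
          218.30.108.64, 218.30.108.65, 218.30.108.66, 218.30.108.67, 218.30.108.68
          218.30.108.69, 218.30.108.72, 218.30.108.73, 218.30.108.74, 218.30.108.55
          218.30.108.56, 218.30.108.57
Aliases:  www.sina.com.cn, jupiter.sina.com.cn
"""

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_nslookup(text: str) -> Dict[str, List[str]]:
    """Return {queried_name: [every A record]} from interactive nslookup output.

    Addresses are only collected inside a "Non-authoritative answer" block, so
    the resolver's own address on the "Server:"/"Address:" header lines is never
    mistaken for a target.  Continuation lines of a wrapped "Addresses:" list are
    appended until the next labelled line ("Aliases:") or a blank line.
    """
    results: Dict[str, List[str]] = {}
    query = None          # name typed at the "> " prompt
    in_answer = False     # inside a "Non-authoritative answer:" block
    collecting = False    # inside a (possibly wrapped) Addresses: list
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith(">"):
            query = stripped[1:].strip()
            in_answer = collecting = False
            continue
        if stripped.lower().startswith("non-authoritative answer"):
            in_answer = True
            continue
        if not in_answer or query is None:
            continue
        if stripped.startswith("Name:"):
            results.setdefault(query, [])   # key on the queried name, not the CNAME target
            collecting = False
        elif stripped.startswith(("Address:", "Addresses:")):
            results.setdefault(query, []).extend(IPV4.findall(stripped))
            collecting = True
        elif stripped.startswith("Aliases:") or not stripped:
            collecting = False
        elif collecting:
            results[query].extend(IPV4.findall(stripped))
    return results


def deny_lines(acl: str, addresses: List[str]) -> List[str]:
    """One 'deny ip any host X' statement per address, in PIX 6.x syntax."""
    return [f"access-list {acl} deny ip any host {ip}" for ip in addresses]


if __name__ == "__main__":
    for name, ips in parse_nslookup(SAMPLE_NSLOOKUP).items():
        print(f"{name}: {len(ips)} address(es)")
        print("\n".join(deny_lines("acl_inside", ips)))
```

Running the script prints one deny statement for www.ttsou.cn and sixteen for www.sina.com.cn, which is the list you would paste into the rebuilt access list in section 3; re-run it against fresh nslookup output whenever the block needs refreshing.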
2. Checking how access lists are currently applied on the PIX 520

Telnet access to the PIX 520 is restricted so that only hosts in the 192.168 range may log in, so we first log in to the layer-3 switch (192.168.3.1) and telnet to the firewall from there. Then we look at the current configuration:
telnet 192.168.201.1
Trying 192.168.201.1 ... Open

User Access Verification

Password:
Type help or '?' for a list of available commands.
pixfirewall> en
Password: ******
pixfirewall# show run
: Saved
:
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
(remainder omitted)
For security reasons I will not reproduce the full PIX configuration, only the parts relevant to this article. The two lines that matter are:

access-group acl_inside in interface outside
access-group acl_inside in interface inside
So the access list currently applied, on both interfaces, is acl_inside. Next we look at what acl_inside contains:
access-list acl_inside deny udp any any eq tftp
access-list acl_inside deny tcp any any eq 135
access-list acl_inside deny udp any any eq 135
access-list acl_inside deny tcp any any eq 137
access-list acl_inside deny udp any any eq netbios-ns
access-list acl_inside deny tcp any any eq 138
access-list acl_inside deny udp any any eq netbios-dgm
access-list acl_inside deny tcp any any eq netbios-ssn
access-list acl_inside deny udp any any eq 139
access-list acl_inside deny tcp any any eq 445
access-list acl_inside deny tcp any any eq 593
access-list acl_inside deny tcp any any eq 4444
access-list acl_inside permit ip any any
access-list acl_inside permit tcp any any eq 1723
access-list acl_inside permit gre any any
The existing list only restricts certain ports; it says nothing about access to individual IP addresses. Note also that permit ip any any sits before the permit statements for TCP 1723 and GRE: a PIX access list is evaluated top-down and stops at the first match, so those two statements are never reached (the catch-all already permits that traffic). To be safe, we first check the exact access-list syntax:
pixfirewall(config)# access-list ?
Usage: [no] access-list compiled
       [no] access-list compiled
       [no] access-list deny|permit |object-group | object-group [ [ ] | object-group ] | object-group [ [ ] | object-group ]
       [no] access-list deny|permit icmp | object-group | object-group [ | object-group ]
The help text shows that the source address is written first and the destination address second. To block access to one particular address, the statement is therefore:

access-list acl_inside deny ip any host 58.61.155.44

On the inside interface, any is the internal source and host 58.61.155.44 is the destination being blocked; deny ip covers TCP, UDP and ICMP alike.
3. Step-by-step procedure

New access-list statements are appended at the end of the list, and the list is evaluated top-down with first match wins. Simply adding the deny would place it after permit ip any any, where it would never match. The list therefore has to be unbound from the interfaces, deleted and rebuilt in the correct order. To avoid disrupting the PIX 520 while doing so, follow these steps in order. Bear in mind that while acl_inside is unbound from the inside interface the PIX falls back to its default of allowing all traffic from the higher-security inside interface outward, so the port filters are off for the duration of steps 1 to 4; prepare the full command list in advance and paste it in quickly.
1) Remove the access list from the inside and outside interfaces

pixfirewall# conf t
pixfirewall(config)# no access-group acl_inside in interface outside
pixfirewall(config)# no access-group acl_inside in interface inside
2) Delete access list acl_inside

pixfirewall# conf t
pixfirewall(config)# no access-list acl_inside
3) Rewrite the access list

pixfirewall(config)# access-list acl_inside deny udp any any eq tftp
pixfirewall(config)# access-list acl_inside deny tcp any any eq 135
pixfirewall(config)# access-list acl_inside deny udp any any eq 135
pixfirewall(config)# access-list acl_inside deny tcp any any eq 137
pixfirewall(config)# access-list acl_inside deny udp any any eq netbios-ns
pixfirewall(config)# access-list acl_inside deny tcp any any eq 138
pixfirewall(config)# access-list acl_inside deny udp any any eq netbios-dgm
pixfirewall(config)# access-list acl_inside deny tcp any any eq netbios-ssn
pixfirewall(config)# access-list acl_inside deny udp any any eq 139
pixfirewall(config)# access-list acl_inside deny tcp any any eq 445
pixfirewall(config)# access-list acl_inside deny tcp any any eq 593
pixfirewall(config)# access-list acl_inside deny tcp any any eq 4444
pixfirewall(config)# access-list acl_inside permit tcp any any eq 1723
pixfirewall(config)# access-list acl_inside permit gre any any
pixfirewall(config)# access-list acl_inside deny ip any host 58.61.155.44
pixfirewall(config)# access-list acl_inside permit ip any any
The essential point is that permit ip any any must be the very last statement, so that the deny for 58.61.155.44, and every other specific statement, is evaluated before it.
4) Re-apply the access list to the inside and outside interfaces

pixfirewall(config)# access-group acl_inside in interface outside
pixfirewall(config)# access-group acl_inside in interface inside
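As an added example, not part of the original article, this Python script automates the rebuild so the command list can be prepared before touching the firewall. It takes the acl_inside statements quoted in section 2, reports the statements that are unreachable because they follow permit ip any any, builds the new list with the host deny placed before a single final catch-all, and emits the complete PIX 6.2 command sequence (unbind, delete, rewrite, rebind). The function names are my own, and the closing write memory step, which saves the configuration, is my addition rather than one of the article's steps.

```python
from typing import List, Sequence

# Constructed input: the acl_inside statements quoted from the article's
# "show run" output, in their original order.
EXISTING_ACL = """\
access-list acl_inside deny udp any any eq tftp
access-list acl_inside deny tcp any any eq 135
access-list acl_inside deny udp any any eq 135
access-list acl_inside deny tcp any any eq 137
access-list acl_inside deny udp any any eq netbios-ns
access-list acl_inside deny tcp any any eq 138
access-list acl_inside deny udp any any eq netbios-dgm
access-list acl_inside deny tcp any any eq netbios-ssn
access-list acl_inside deny udp any any eq 139
access-list acl_inside deny tcp any any eq 445
access-list acl_inside deny tcp any any eq 593
access-list acl_inside deny tcp any any eq 4444
access-list acl_inside permit ip any any
access-list acl_inside permit tcp any any eq 1723
access-list acl_inside permit gre any any
""".splitlines()


def is_catch_all_permit(stmt: str, acl: str) -> bool:
    """True for the 'permit ip any any' statement of the given list."""
    return stmt.split() == ["access-list", acl, "permit", "ip", "any", "any"]


def shadowed_rules(stmts: Sequence[str], acl: str) -> List[str]:
    """Statements that can never match because 'permit ip any any' precedes them.

    PIX access lists are evaluated top-down, first match wins, so everything
    after the catch-all permit is dead configuration.
    """
    seen_catch_all = False
    dead = []
    for s in stmts:
        if seen_catch_all:
            dead.append(s)
        elif is_catch_all_permit(s, acl):
            seen_catch_all = True
    return dead


def rebuild_acl(stmts: Sequence[str], acl: str, blocked_hosts: Sequence[str]) -> List[str]:
    """Rebuild the list: specific statements, then host denies, then ONE catch-all.

    The existing catch-all is stripped wherever it appears, the previously
    shadowed permits are kept (they now come before the catch-all and so take
    effect), and duplicate deny lines are not emitted twice.
    """
    specific = [s for s in stmts if not is_catch_all_permit(s, acl)]
    denies: List[str] = []
    for ip in blocked_hosts:
        line = f"access-list {acl} deny ip any host {ip}"
        if line not in specific and line not in denies:
            denies.append(line)
    return specific + denies + [f"access-list {acl} permit ip any any"]


def pix_commands(acl: str, new_stmts: Sequence[str],
                 interfaces: Sequence[str] = ("outside", "inside")) -> List[str]:
    """Full cut-over sequence for PIX 6.2: unbind, delete, rewrite, rebind, save."""
    cmds = ["configure terminal"]
    cmds += [f"no access-group {acl} in interface {i}" for i in interfaces]
    cmds.append(f"no access-list {acl}")
    cmds += list(new_stmts)
    cmds += [f"access-group {acl} in interface {i}" for i in interfaces]
    cmds.append("write memory")  # added step: persist the change across a reload
    return cmds


if __name__ == "__main__":
    for dead in shadowed_rules(EXISTING_ACL, "acl_inside"):
        print(f"unreachable in current config: {dead}")
    new_acl = rebuild_acl(EXISTING_ACL, "acl_inside", ["58.61.155.44"])
    print("\n".join(pix_commands("acl_inside", new_acl)))
```

Run as shown, the script first flags the two permit statements that the current configuration never evaluates, then prints the full paste-ready command sequence with the deny for 58.61.155.44 immediately before the single permit ip any any. Passing the address list produced from nslookup output in section 1 blocks a multi-address site in one pass.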
4. Verifying that access to the address really is blocked

1) After the change, review the running configuration with show run. In addition, show access-list displays a per-statement hit counter (hitcnt); the counter on the deny line should climb as a client tries to reach the site, which is the most direct confirmation that the statement is being matched.

2) The block can also be verified with tracert, as shown below:
C:\>tracert www.ttsou.cn

Tracing route to www.ttsou.cn [58.61.155.44]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  10.75.0.1
  2     *        *        *     Request timed out.
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.
  5     *        *        *     Request timed out.
The trace reaches the layer-3 switch and gets no further, which shows that the PIX 520 is now dropping traffic to www.ttsou.cn. Because the statement denies ip, it drops the ICMP used by tracert as well as the site's HTTP traffic, so this test is valid here; timeouts alone can also be caused by ICMP filtering elsewhere on the path, though, so confirm with a browser or with the hit counter as well.