2008年7月25日星期五

巧设防火墙 封杀特定网址

作为一名网管,经常会接收用户反映某个网址有恶意程序,希望我们过滤一下,我们单位上网是通过 PIX520防火墙作NAT的,因此也就涉及到如何在PIX520防火墙上限制对于某些IP地址访问的问题,为此,就结合自己的实际工作经验写了这篇文章。(网络拓扑如图1所示)




图1

  一、得到某网址与IP地址的对应关系

  比如要封www.ttsou.cn,有两种方法可以得到该网址对应的IP地址,第一是ping该网址,如下所示:

C:\>ping www.ttsou.cnPinging www.ttsou.cn [58.61.155.44] with 32 bytes of data:Reply from 58.61.155.44: bytes=32 time=80ms TTL=116Reply from 58.61.155.44: bytes=32 time=78ms TTL=116Reply from 58.61.155.44: bytes=32 time=92ms TTL=116Reply from 58.61.155.44: bytes=32 time=85ms TTL=116Ping statistics for 58.61.155.44:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),Approximate round trip times in milli-seconds:Minimum = 78ms, Maximum = 92ms, Average = 83ms


  从中我们可以得到www.ttsou.cn对应的IP地址为58.61.155.44.但是这种方法存在一个缺陷,即如果该网址对应有多个IP地址的话,用ping的方法不可能得到所有对应的IP地址,我们可以用nslookup来解决,如下所示:

C:\>nslookupDefault Server:
ns.jncatv.netAddress:
222.175.169.91> www.ttsou.cnServer:
ns.jncatv.netAddress:
222.175.169.91Non-authoritative answer:Name:
www.ttsou.cnAddress:
58.61.155.44> www.sina.com.cnServer:
ns.jncatv.netAddress:
222.175.169.91Non-authoritative answer:Name:
hydra.sina.com.cnAddresses:
218.30.108.58, 218.30.108.59, 218.30.108.61, 218.30.108.62
218.30.108.64, 218.30.108.65, 218.30.108.66, 218.30.108.67, 218.30.108.68
218.30.108.69, 218.30.108.72, 218.30.108.73, 218.30.108.74, 218.30.108.55
218.30.108.56, 218.30.108.57Aliases:
www.sina.com.cn, jupiter.sina.com.cn


  从以上的结果我们可以看出,www.ttsou.cn确实是只对应了一个IP地址,但是象www.sina.com.cn这样的网址就对应了大量的IP地址。
 二、在PIX520防火墙上了解当前访问列表的使用情况。

  由于我们在PIX520防火墙上作了限制TELNET访问的限制,只有192.168的网段可以通过TELNET的方式登录上去,所以我们要先登录3层交换机(192.168.3.1),再从3层交换机上登录过去,先看一下当前配置:

telnet 192.168.201.1Trying 192.168.201.1 ... OpenUser Access VerificationPassword:Type help or '?' for a list of available commands.pixfirewall> enPassword: ******pixfirewall# show run: Saved:PIX Version 6.2(2)nameif ethernet0 outside security0nameif ethernet1 inside security100



  (以下省略)

  出于安全方面的考虑,PIX防火墙的具体配置我就不列出了,把与本文有关的内容列出,重点应该看以下两条:

access-group acl_inside in interface outsideaccess-group acl_inside in interface inside



  即当前应用的访问列表为acl_inside,然后再看acl_inside是如何写的:

access-list acl_inside deny udp any any eq tftpaccess-list acl_inside deny tcp any any eq 135access-list acl_inside deny udp any any eq 135access-list acl_inside deny tcp any any eq 137access-list acl_inside deny udp any any eq netbios-nsaccess-list acl_inside deny tcp any any eq 138access-list acl_inside deny udp any any eq netbios-dgmaccess-list acl_inside deny tcp any any eq netbios-ssnaccess-list acl_inside deny udp any any eq 139access-list acl_inside deny tcp any any eq 445access-list acl_inside deny tcp any any eq 593access-list acl_inside deny tcp any any eq 4444access-list acl_inside permit ip any anyaccess-list acl_inside permit tcp any any eq 1723access-list acl_inside permit gre any any



  从中我们可以看到原访问列表只是对某些端口的使用做了限制,而不涉及对某个IP地址进行访问的限制,为了稳妥起见,我们要先清楚的了解访问列表的格式,如下:

pixfirewall(config)# access-list ?Usage: [no] access-list compiled[no] access-list compiled[no] access-list deny|permit |object-group | object-group




 三、具体的操作步骤

  为了保障在添加一条对于某个IP地址限制的过程中PIX520的正常工作不受影响,我们应该按照以下步骤来进行操作

  1、在内外端口上停掉访问控制列表

pixfirewall# conf tpixfirewall(config)#access-group acl_inside in interface outsidepixfirewall(config)#access-group acl_inside in interface inside



  2、去掉访问列表acl_inside

pixfirewall# conf tpixfirewall(config)# no access-list acl-inside



  3、重写access-list

pixfirewall(config)# access-list acl_inside deny udp any any eq tftppixfirewall(config)# access-list acl_inside deny tcp any any eq 135pixfirewall(config)# access-list acl_inside deny udp any any eq 135pixfirewall(config)# access-list acl_inside deny tcp any any eq 137pixfirewall(config)# access-list acl_inside deny udp any any eq netbios -nspixfirewall(config)# access-list acl_inside deny tcp any any eq 138pixfirewall(config)# access-list acl_inside deny udp any any eq netbios -dgmpixfirewall(config)# access-list acl_inside deny tcp any any eq netbios -ssnpixfirewall(config)# access-list acl_inside deny udp any any eq 139pixfirewall(config)# access-list acl_inside deny tcp any any eq 445pixfirewall(config)# access-list acl_inside deny tcp any any eq 593pixfirewall(config)# access-list acl_inside deny tcp any any eq 4444pixfirewall(config)# access-list acl_inside permit tcp any any eq 1723pixfirewall(config)# access-list acl_inside permit gre any anypixfirewall(config)# access-list acl_inside deny ip any host 58.61.155.44pixfirewall(config)# access-list acl_inside permit ip any any



  即保证permit ip any any这条命令是在最后面一行

  4、在内外端口上应用访问列表

pixfirewall(config)#access-gropu acl_inside in inter outsidepixfirewall(config)#access-gropu acl_inside in inter outside



  四、验证是否真正的对某个IP地址进行了限制

  1、 进行完配置后肯定要先看一下当前配置:show run

  2、可以通过tracert命令来验证,如下所示:

C:\>tracert www.ttsou.cnTracing route to www.ttsou.cn [58.61.155.44]over a maximum of 30 hops:1<1 ms<1 ms<1 ms10.75.0.12***Request timed out.3***Request timed out.4***Request timed out.5***Request timed out.



  从中可以看出,对于www.ttsou.cn这个网址从三层交换机往上就不通了,证明在PIX520防火墙上已经成功的阻止了对于该网址的访问。
发帖者 时间:

没有评论:

发表评论

订阅: 博文评论 (Atom)