1. access-list is used to create access rules.
(1) create a standard access list
access-list [normal | special] listnumber1 {permit | deny} source-addr [source-mask]
(2) create an extended access list
access-list [normal | special] listnumber2 {permit | deny} protocol source-addr source-mask [operator port1 [port2]] dest-addr dest-mask [operator port1 [port2] | icmp-type [icmp-code]] [log]
(3) delete an access list
no access-list {normal | special} {all | listnumber [subitem]}
[Parameter description]
normal specifies that the rule is added to the normal time period.
special specifies that the rule is added to the special time period.
listnumber1 is a value between 1 and 99, indicating that the rule belongs to a standard access list.
listnumber2 is a value between 100 and 199, indicating that the rule belongs to an extended access list.
permit indicates that packets matching the conditions are allowed to pass.
deny indicates that packets matching the conditions are prohibited from passing.
protocol is the protocol type: ICMP, TCP, UDP or another IP protocol. For protocols other than TCP and UDP there is no port comparison. The keyword ip has a special meaning: it matches all IP protocols.
source-addr is the source address.
source-mask is the wildcard mask of the source address. It is optional in a standard access list; if omitted, the wildcard mask is 0.0.0.0.
dest-addr is the destination address.
dest-mask is the wildcard mask of the destination address.
operator [optional] is the port operator. Port comparison is supported only when the protocol type is TCP or UDP. The supported comparisons are equal to (eq), greater than (gt), less than (lt), not equal to (neq) and between (range); if the operator is range, it is followed by two ports.
port1 appears when the protocol type is TCP or UDP. It can be a preset value given by keyword (such as telnet) or a value between 0 and 65535.
port2 appears when the protocol type is TCP or UDP and the operator is range. It can be a preset value (such as telnet) or a value between 0 and 65535.
icmp-type [optional] indicates the ICMP message type when the protocol is ICMP. It can be a preset value given by keyword (such as echo-reply) or a value between 0 and 255.
icmp-code appears when the protocol is ICMP and no preset value is selected; it indicates the ICMP code, a value between 0 and 255.
log [optional] indicates that a log entry is generated when a packet matches the rule.
listnumber is the sequence number of the access list to delete, a value between 1 and 199.
subitem [optional] specifies the sequence number of an individual rule to delete within the access list listnumber.
[Default]
No access rules are configured by default.
[Command Mode]
Global configuration mode
[User Guide]
Rules with the same sequence number are treated as one access list. A defined rule can be used not only to filter packets on an interface but also to identify whether a packet is of interest to another feature, such as DDR; in that case permit and deny mean "interesting" and "not interesting".
Use the keyword ip as the protocol in an extended access list to match all IP protocols.
Rules with the same sequence number are arranged and selected according to certain principles; the resulting order can be viewed with the show access-list command.
[Example]
WWW access from source address 10.1.1.0 to destination address 10.1.2.0 is permitted, while FTP access is denied.
Quidway(config)# access-list 100 permit tcp 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255 eq www
Quidway(config)# access-list 100 deny tcp 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255 eq ftp
[Related Command]
ip access-group
2. clear access-list counters clears the statistics of access list rules.
clear access-list counters [listnumber]
[Parameter description]
listnumber [optional] is the sequence number of the access list whose statistics are to be cleared. If none is specified, the statistics of all rules are cleared.
[Default]
Statistics are not cleared at any time.
[Command Mode]
Privileged user mode
[User Guide]
Use this command to clear the statistics of access list rules. If no sequence number is specified, the statistics of all rules are cleared.
[Example]
Example 1: Clear the statistics of the rules in use with sequence number 100.
Quidway# clear access-list counters 100
Example 2: Clear the statistics of all rules in use.
Quidway# clear access-list counters
[Related Command]
access-list
3. firewall enables or disables the firewall.
firewall {enable | disable}
[Parameter description]
enable enables the firewall.
disable disables the firewall.
[Default]
The firewall is disabled by default.
[Command Mode]
Global configuration mode
[User Guide]
Use this command to enable or disable the firewall; the result can be displayed with the show firewall command. If time-period based packet filtering is in use, it is also turned off when the firewall is disabled, because this command controls the whole firewall. When the firewall is turned off with firewall disable, the firewall statistics are cleared as well.
[Example]
Enable the firewall.
Quidway(config)# firewall enable
[Related Command]
access-list, ip access-group
4. firewall default configures the default filtering action used when no access rule matches a packet.
firewall default {permit | deny}
[Parameter description]
permit sets the default filter attribute to "permitted".
deny sets the default filter attribute to "denied".
[Default]
When the firewall is enabled, packets are permitted by default.
[Command Mode]
Global configuration mode
[User Guide]
When none of the rules applied to an interface can determine whether a packet should be permitted or denied, the default filter attribute takes effect: if it is "permitted", the packet passes; otherwise the packet is discarded.
[Example]
Set the default filter attribute to "permitted".
Quidway (config) # firewall default permit
5. ip access-group applies an access list to an interface. The no form of the command removes the setting.
ip access-group listnumber {in | out}
no ip access-group listnumber {in | out}
[Parameter description]
listnumber is the sequence number of the access list, a value between 1 and 199.
in indicates that the access list filters packets received on the interface.
out indicates that the access list filters packets sent out from the interface.
[Default]
No rules apply to the interface.
[Command Mode]
Interface configuration mode
[User Guide]
Use this command to apply access lists to an interface. To filter packets received on the interface, use the in keyword; to filter packets sent out from the interface, use the out keyword. Up to 20 different access lists can be applied in one direction of an interface. They are ordered by sequence number, and the larger the sequence number, the higher the priority. When a packet is filtered, the result is determined as soon as a matching rule is found, which speeds up filtering. It is therefore recommended to place related rules in an access list with the same sequence number. The order in which rules within one access list are arranged and selected can be viewed with the show access-list command.
[Example]
Apply access list 101 to filter packets received on the Ethernet interface.
Quidway(config-if-Ethernet0)# ip access-group 101 in
[Related Command]
access-list