Intranet address range 192.168.1.0/25 may access the external network without restriction.
Intranet address range 192.168.1.128/25 may only send and receive e-mail and may not otherwise access the external network.
#
sysname RouterA
#
firewall enable
firewall default deny
#
radius scheme system
#
domain system
#
acl number 2000
rule 0 permit source 192.168.1.0 0.0.0.255
rule 1 deny
#
acl number 3001
rule 0 permit ip source 192.168.1.0 0.0.0.127
/Intranet address range 192.168.1.0/25 accesses the external network without restriction/
rule 1 permit tcp source 192.168.1.128 0.0.0.127 destination-port eq pop3
rule 2 permit tcp source 192.168.1.128 0.0.0.127 destination-port eq smtp
/Intranet address 192.168.1.128/25 can only send and receive emails/
#
interface Ethernet1/0/0
ip address 192.168.1.1 255.255.255.0
firewall packet-filter 3001 inbound /Use packet filtering for inbound traffic/
#
interface Serial2/0/0
link-protocol ppp
ip address 202.101.1.2 255.255.255.252
nat outbound 2000
#
interface NULL0
#
ip route-static 0.0.0.0 0.0.0.0 202.101.1.1 preference 60
#
user-interface con 0
user-interface vty 0 4
#
return
Confirm that the firewall is actually in effect with disp firewall-statistics all and disp acl 3001:
disp firewall-statistics all
Firewall is enable, default filtering method is 'deny'.
Interface: Ethernet1/0/0
In-bound Policy: acl 3001
Fragments matched normally
From 2006-05-31 5:05:50 to 2006-05-31 6:32:49
198 packets, 24129 bytes, 4% permitted,
0 packets, 0 bytes, 0% denied,
0 packets, 0 bytes, 0% permitted default,
5919 packets, 1021492 bytes, 96% denied default,
Totally 198 packets, 24129 bytes, 4% permitted,
Totally 5919 packets, 1021492 bytes, 96% denied.
disp acl 3001
Advanced ACL 3001, 3 rules
Acl's step is 1
rule 0 permit ip source 192.168.1.0 0.0.0.127 (194 times matched)
rule 1 permit tcp source 192.168.1.128 0.0.0.127 destination-port eq pop3 (9 times matched)
rule 2 permit tcp source 192.168.1.128 0.0.0.127 destination-port eq smtp (0 times matched)
【hint】
1. By default the firewall is disabled (firewall disable); the command "firewall enable" is required to turn the firewall function on.
2. The default filtering action of the firewall is permit; it can be changed to deny with "firewall default deny".
3. When packet filtering is applied on the intranet interface and a DHCP server assigns the addresses, a "rule 0 permit ip source 0.0.0.0 0" must be added to acl 3001; otherwise the DHCP server cannot allocate addresses.
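To make the first-match semantics and the default deny action concrete, the following is an added Python model of ACL 3001 (example code, not the router's own software); it evaluates a few constructed inbound packets, including the DHCP DISCOVER case from hint 3, and assumes pop3 = tcp/110 and smtp = tcp/25.

```python
# Added example, not the router's own code: first-match model of the
# VRP-style packet filter above (assumes pop3 = tcp/110, smtp = tcp/25).
import ipaddress
from dataclasses import dataclass
from typing import Optional

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """VRP wildcard mask: a 1 bit means 'don't care' (0.0.0.127 == /25)."""
    a, b = int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (b & ~w)

@dataclass
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches any protocol
    src: str
    src_wc: str
    dport: Optional[int] = None  # destination-port eq N; None = any port

# acl number 3001 exactly as configured on RouterA
ACL_3001 = [
    Rule("permit", "ip", "192.168.1.0", "0.0.0.127"),
    Rule("permit", "tcp", "192.168.1.128", "0.0.0.127", 110),  # pop3
    Rule("permit", "tcp", "192.168.1.128", "0.0.0.127", 25),   # smtp
]
DHCP_RULE = Rule("permit", "ip", "0.0.0.0", "0.0.0.0")  # hint 3's extra rule

def evaluate(acl, src, proto, dport, default="deny"):
    """First matching rule wins; returns (action, rule_index), where index
    None means nothing matched and the 'firewall default' action applied."""
    for i, r in enumerate(acl):
        if r.proto != "ip" and r.proto != proto:
            continue
        if not wildcard_match(src, r.src, r.src_wc):
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action, i
    return default, None

def demo():
    """Constructed packets arriving inbound on Ethernet1/0/0."""
    packets = [("192.168.1.50", "tcp", 80),    # lower half: web, rule 0
               ("192.168.1.200", "tcp", 25),   # upper half: smtp, rule 2
               ("192.168.1.200", "tcp", 80),   # upper half: web, default deny
               ("0.0.0.0", "udp", 67)]         # DHCP DISCOVER, default deny
    without = [evaluate(ACL_3001, *p) for p in packets]
    with_dhcp = evaluate([DHCP_RULE] + ACL_3001, *packets[3])
    return without, with_dhcp
```

The last packet shows why hint 3 matters: a DHCP DISCOVER carries source 0.0.0.0, matches none of the three rules, and falls through to the default deny until the extra rule is present.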