71.1 71.1.1 IP71.1.2 91.2101.2.1 101.2.2 121.2 141.2.1 141.3.2 151.3.3 161.3.4 171.4 171.4.1 HTTP181.4.2 HTTPS191.4.3 FTP211.4.4 221.4.5 241.4.6 24 252.1 WEB252.2 .262.3 272.4 27 283.1 283.2 323.2.1 323.2.2 VLan323.2.3 353.2.5 383.3 393.4 DHCP413.4.1 DHCP413.4.2 DNS413.4.3 DHCP 423.4.4 DHCP 433.5 443.5.1 LACP443.5.2 LACP443.5.3 LACP453.5.4 LACP46 VDOM474.1 VDOM474.1.1 VDOM474.1.2 VDOM484.1.3 VDOM484.2 VDOM link52 HA545.1 HA545.1.1 HA545.1.2 HA555.1.3 HA555.2 HA595.2.1 HA595.2.2 HA595.2.3 HA605.2.4 HA615.3 HA 635.4 HA Ping Server675.5 HA69 746.1 746.2756.3 776.3.1 RIP776.3.2 OSPF80 867.1 867.1.1 ADSL867.1.2 907.1.3 DHCP937.2 967.2.1 967.2.2 1017.2.3 ADSL1067.3IP 1097.3.1 1097.3.2 ()1117.3.3 (1)1137.3.4 1177.4 DDOS1217.5 1267.6 session-ttl131 1338.1 1338.1.1 1338.1.2 ARP1358.1.3 WEB1378.2 1398.2.1 1398.2.2 IPS1438.2.3 IPS1458.3 1488.3.1 1488.3.2 1528.4 WEB1558.4.1 URL 1558.5 1588.5.1 1587.5.2 1618.61628.6.1 1628.6.2 QQP2P1638.7 1658.7.1 1658.7.2 1668.8 ARP1698.9 IPMAC 171 VPN1759.1 VPN 1759.1.1 IPSec VPN1759.1.2 SSL VPN 1789.1.3 L2TP 1799.1.4 GRE 1809.2 IPSecVPN 1819.2.1 VPN1819.2.2 VPN1929.2.4 2029.3 SSL VPN2139.3.1 2139.2.2 2219.4 L2TP/PPTP2259.4 l2tp over ipsec2319.4.1 2329.4.2 Android2379.4.3 iphone2379.4.4 Windows102399.5 GRE242 24810.1 24810.2 24810.3 24910.4 25110.5 syslog251 25211.1 25211.2 25411.3 25611.4 257 25812.1 25812.2 26012.3 sniffer263
KFW
1.1
>>IP
1.1.1 IP
IPIPIP10IP
1) IP
IP
510152010
10-240
2) IP
3) IP
4) IP
5) IP
1.1.2
1)
Comment by :
2) IP
3) IP
4) IP
5)
6) 602430
1.2
1.2.1
ID
1)
2)
3)
4)
5)
6)
7)
8)
9)
10)
11)
12)
13) ID
14) ID
tcpudpicmpgreespahospf"
IDID
TCP
1.2.2
IP
1)
IP
510152010
10-2400
2)
3)
4)
5) IPIP
1.2
1.2.1
8.3
1)
2)
3)
4)
5)
6)
1.3.2
8.3
1)
2)
3)
4)
5)
6)
1.3.3
8.2
1)
2)
3)
10-240
4)
5)
6)
1.3.4
208.2
1)
2)
3)
4)
5)
6)
1.4
HTTPHTTPSFTP
1.4.1 HTTP
HTTP96HTTPURL
1) HTTP
2) HTTPHTTP
3) HTTP
4) HTTP
http
1.4.2 HTTPS
HTTPS96HTTPSHTTPSURL
1) HTTPS
2) HTTPSHTTPS
3) HTTPS
4) HTTPS
https
1.4.3 FTP
FTP96FTPFTP
1) FTPFTP
2) FTPFTP
3) FTPFTP
4) FTPFTP
ftp
1.4.4
96
1)
2)
3)
4)
IMAP POP3 SMTP
1.4.5
208.5
1)
2)
3)
4)
1.4.6
208.6
1)
2)
3)
4)
2.1 WEB
1 10.58.1.99/255.255.255.0httpswebadminIP10.58.1.1/24Port1chrome/Firefox/IE https://10.58.1.99 admin IPIP
chromeFirefoxIE10360
2 Port 1port1---- port1IP
2.2 .
Baud rate115200Data bits8Paritynone flow controlnoneSecureCRT
httpsSSHTelnetSSHTelnet
2.3
1.
2. 15maintainer bcpb+SN
login: maintainer
Passwordbcpb
15console
3 .
# define system admin
# edit admin
# set pass ()
# end
2.4
Port110.58.1.99.
run factoryreset"y"
# run factoryreset
This operation will reset the system to factory default!
Do you want to continue? (y/n) y
3.1
NATNATInternet
1
NATDHCPNAT
2
181.191.1.0/24 ip181.191.1.10181.191.1.1 DNS202.106.196.115
Port 2: ip
Port1: IP 192.168.1.254/24
"lan"192.168.1.0/24
port1port2NAT
3>>Port2IP: ip
202.1.1.8/29 2202.1.1.8202.1.1.15 202.1.1.9202.1.1.9---202.1.1.14 IPport 2202.1.1.10
4port1 IP192.168.1.254/255.255.255.0https ,ssh, ping
5---- ""
IP/ 0.0.0.0/0.0.0.0
port2
ip port2ip
10
0.
6----"""lan""192.168.1.0/24"
7---- ""
port1
"lan"
Port 2
: all
always
: ALL
ACCEPT
NAT "NAT" lanipport 1
""
""
3.2 3.2.1
-- IP
IPIPIPport1
define system interface
edit port1
set allowaccess http https ssh telnet ping snmp // http and telnet are unencrypted management protocols; on a production device enable only https/ssh (plus ping/snmp if required)
end
3.2.2 VLan
vlantrunkvlanvlan
Vlan
1)
2) Vlan
----vlan
4vlanport1port2vlan10 vlan20,vlan
3 CLI
define system interface
(interface) #edit vlan10
(vlan10)#set forward-domain 10
(vlan10)#next
(interface) #edit w-vlan10
(w-vlan10)#set forward-domain 10 // wanvlan10 invlan10
(invlan10)#next
(interface) #edit vlan20
(vlan20)#set forward-domain 20
(vlan20)#next
(interface) #edit w-vlan20
(w-vlan20)#set forward-domain 20
(w-vlan20)#end
3)
vlan10
vlan20
3.2.3
1.VDOM 2.vdomProt3 3.prot3IP
1
IP/192.168.2.100/24 IP)
192.168.2.1IP
2VDOM
VDOMVDOM VDOM out-line
port3VDOM 'out-line'---
1 IPIP
2 pinghttpsssh
3.2.5
1BPDUSTPBPDUstpforward
define system interface
edit port1
set stpforward enable #
next
2forward domainforward domain
3Ethernet IIl2forward
define system interface
edit port1
set l2forward enable #
next
4
define system settings
set multicast-skip-policy enable #
end
5VDOM
6mac
# dump netlink brctl name host root.b
7ipsec vpnipsecssl vpnDHCP
3.3
DDoSIPS
port1snifferport1
IPS
IPSport3
IPS
1
define system interface
edit port1
set ips-sniffer-mode enable
end
2IPSDDoS
3
3.4 DHCP3.4.1 DHCP
""--""--""--DHCP--"DHCP"""
IP IP
DHCPip
DNSDNS
"DHCP""DHCP"
IPsecIPsecip
3.4.2 DNS
DNS3
DNSDNS
IP
IPDNS
3.4.3 DHCP
DHCP192.168.1.0/24192.168.1.254mac68:F7:28:AF:4B:2Aip 192.168.1.110
1
2DHCP
1
2DHCP
DHCP
3IP
define system dhcp server
define reserved-address //IP
edit 1 // 123
set ip 192.168.1.110 // MACIP
set mac 68:F7:28:AF:4B:2A // MAC
next
end
IPmac 68:F7:28:AF:4B:2A 192.168.1.110
3.4.4 DHCP
dhcpDHCP
1
2DHCPDHCP
1
2DHCPDHCP
"--"DHCP"--""Port1DHCPIP
3.5 3.5.1 LACP
1n
2
3.5.2 LACP
LACPstaticpassiveactive
passiveLACPDULACP
ActiveLACPDULACP
2active passive
3.5.3 LACP
>>>>
802.3ad
LACP
# define system interface
(interface) # edit linkgroup
(lacp) # set lacp-mode static //LACP:
(lacp) # set algorithm L3 //L3 IPL4
(lacp) # end
WEB/CLI
# display system interface linkgroup
define system interface
edit "linkgroup"
set vdom "root"
set type aggregate
set member "port4" "port5"
set lacp-mode static
set algorithm L3
next
end
3.5.4 LACP
APW1KMB001000004 # dump netlink aggregate list
1 name linkgroup status down algorithm L3 lacp-mode static #
APW1KMB001000004 # dump netlink aggregate name linkgroup
status: down
ports: 2
distribution algorithm: L3
LACP mode: static
slave: port4
status: down
link failure count: 0
permanent MAC addr: 00:60:e0:61:b3:ef
slave: port5
status: down
link failure count: 0
permanent MAC addr: 00:60:e0:61:b3:f0
VDOM4.1 VDOM4.1.1 VDOM
(VDOM)VDOMNAT/VPNVDOMVDOMnatnatVDOM"
4.1.2 VDOM
1VDOM
2VDOM
3VDOM
4VDOM
5VDOM
4.1.3 VDOM
1VDOM
2VDOM
VDOMVDOMvdomvdomvdom
rootroot ""VDOM
3VDOM
port3newvdom
4VDOM
VDOM VDOMvpnVDOMVDOMnewvdom""
VDOM0
VDOM""10VDOM10
VDOM""10VDOM10
5VDOM
super_admin
6VDOM
7
VDOMvdomIPCLIVDOM
# define vdom
(vdom) # edit newvdom
CPUglobal
# define global
4.2 VDOM link
Vdomvdom2vdomVlink2Vdom
1vlink
----""
v-interfaceIP
vdom222v-interface0v-interface1
HA5.1 HA5.1.1 HA
1Active-PassiveA-P
HAA-PHA
2Active-ActiveA-A
A-AipsvoipHTTP,HTTPS,FTP,IMAP,IMAPS,POP3,SMTP,SMTPS,IM,NNTP,SIP,SIMPLE, SCCPA-AA-AUTMTCP
A-AarpAAAP
5.1.2 HA
HA
1) ;
2) ,CPU ;
3) ;
4) DHCP,PPPOE IP""
HAHA
5.1.3 HA
1
HA
2
HAport3,port4port3down
# define system ha
(ha)# set monitor "port3" "port4"
(ha)# end
3
0
age
age0age0.
5
4HA
128HAHA
# define system ha
(ha)# set priority 200
(ha)# end
run ha manage
5SN
SN number
6Override
HAoverride
# define system ha
(ha)# set override disable/enable
(ha)# end
CLIdisable.
override
override
1.A200, override enable, B100, override disable
2.AB
3.AHA200, override enable
4.B
5.B
override
5.2 HA5.2.1 HA
HA
5.1
5.2 ,CPU ;
;
DHCP,PPPOE IP""
5.2.2 HA
11HA
22HA
3HA
4HA
5.2.3 HA
1)HA
2)HA
3)
4).set session-pickup enable()WEB""
5) overrideoverrideHA
6)HAGroup IDHAMAC
7)vdomclustercluster
8)ping serverHA
9)stp portfastUp/Downstp
5.2.4 HA
HA2
1
" ----"-"200/""
--HA"IP"""PPPOEDHCP
A-PA-A
"The system may run in HA A-A or HA A-P mode only when all interfaces are NOT using DHCP/PPPoE as an addressing mode."
HA
aHAHAport3port4port5port6
bport7port8
HA
a''''''
b
cHA
dHA
eport7port8
fport3port4port6port7
g
2
1
3HA
aport7port8port7port8
bHA HAMACarparp -d
c
dHAIP
HA"HA"
4HA
" ----"HA
5.3 HA
HAIPIPslave
HAHA
1HA
2""
3IP
4
5SNMP
1HA
"HA"HA
2" "
""port2
3IP
1IP
----port2
port2IP.
2IP
HA
A
# run ha manage
please input peer box index.
xxxxxxxx
# run ha manage 1 //
port2ip
#define system interface
(interface)#edit internal5
(internal5)#set ip 192.168.1.22/24
(internal5)#set allowaccess https ping snmp
(internal5)#end
Bconsole
port2ip
#define system interface
(interface)#edit port2
(internal5)#set ip 192.168.1.22/24
(internal5)#set allowaccess https ping snmp
(internal5)#end
4
#define system ha
(ha)#set ha-mgmt-interface-gateway 192.168.1.1
(ha)#end
5SNMP
#define system snmp community
(community)#edit 1
(1)#define hosts
(hosts)#edit 1
(1)#set ha-direct enable / /
(1)#set ip 192.168.1.100 255.255.255.255
(1)#next
(hosts)#end
(community)#set name public
(community)#next
#define system ha
(ha)#set ha-mgmt-interface-gateway 192.168.1.1
(ha)#end
2https SNMP
5.4 HA Ping Server
Ping Server
Ping server ''ping
------
""ping server
wan1
ip IPIP
Ping
ICMP ping, TCP echo, UDP echo.
Ping5 5
5
HA1 HAHA(0)1.
define router gwdetect
edit "wan1" //
set failtime 3 // 3
set ha-priority 5 // pingHA5
set interval 2 // 2ping
set server 202.1.1.5 // 2
end
HA
pingHAwan1 pingserverHA
# define system ha
(ha)# set pingserver-monitor-interface port3 //port3pingserver
(ha)# set pingserver-failover-threshold 0 //ha,0
(ha)# set pingserver-flip-timeout 60 //2ping serverHA
HA
set ha-priority 1pingserver-failover-threshold 0wan1pingserver10HA
pingserver-failover-threshold 2wan1pingserverset ha-priority 1 pingserver-failover-threshold 2 , HA
5.5 HA
HA
HAdefine system ha
1) set group-id 0
HAID,ID.IDMACHAID,MAC.
2)set group-name "-HA"
3)set mode standalone/a-a/a-p
HAa-pAAHAHA,,,AAUTM,UTMAP
4)set password
5)set hbdev "port1" 50 "port2" 50
50
6)unset session-sync-dev
7)set route-ttl 10
HA
8)set route-wait 0
x
9)set route-hold 10
10) set sync-define enable
11) set encryption disable
AES-128SHA1
12) set authentication disable
SHA1
13) set hb-interval 2
100ms.2,200ms
14) set hb-lost-threshold 6
15) set helo-holddown 20
HelloHAHa
16) set arps 5
arpMACMAC
17) set arps-interval 8
arp
18) set session-pickup enable/disable
disable
19) set session-pickup-delay{enable | disable}
3030HA
20) set link-failed-signal disable
HAshutdownMAC
21) set uninterruptable-upgrade enable
22) set ha-uptime-diff-margin 300
HA300
23) set override disable
disable,>>HA>Enable> HA>>
24) set priority 128
HA200,100
25) set monitor port3 port4
26) unset pingserver-monitor-interface
pingserver
27) set pingserver-failover-threshold 0
pingserver0pingserverHA
28) set pingserver-flip-timeout 60
pingserverAB. B60A
29) set ha-mgmt-status enable HA
set ha-mgmt-interface port1
set ha-mgmt-interface-gateway x.x.x.x
6.1
1
---- ""
IP/ 0.0.0.0/0.0.0.0
wan1
ip wan1ip
10
0.
2
# define router static
(static) # edit 1
(1) # set gateway 202.1.1.1 //dst0.0.0.0/0.0.0.0
(1) # set device wan1
(1) # next
# define router static
(static) # edit 2
(2) # set dst 1.24.0.0 255.248.0.0
(2) # set gateway 202.1.1.1
(2) # set device wan1
(2) # next
---- get router info routing-table static
ping 202.1.1.1 ,
6.2
-----192.168.1.0/29port3
---- port1192.168.1.0 255.255.255.2480.0.0.0 0.0.0.0port3202.2.2.2
06 tcp,17 udp,132
1-65536
6.3 6.3.1 RIP
16RIP16OSPF16RIP
RIP
1
2
3
1
"----"
2RIP
----RIP
1
RIP 2.
2 RIP
""ip/:192.168.1.0/255.255.255.010.1.1.0/24
3 RIP
>>RIPRIPport22 none
3
interface FastEthernet 0/1
ip address 192.168.2.1 255.255.255.0
interface FastEthernet 0/2
ip address 10.1.1.254 255.255.255.0
RIP
router rip
version 2
network 192.168.2.0
network 10.1.1.0
no auto-summary
----RIP
6.3.2 OSPF
16OSPF1616RIPRIP
OSPF
1
2
3OSPF
4
1
"----":
2OSPF
----OSPF
1
IDID1.1.1.1
OSPF
2OSPF
""
0.0.0.1area 1
3OSPF
""
10.1.1.0/24192.168.1.0/24OSPF0.0.0.1
4
""
IP IP
OSPFMD5MD5 txt none
CostOSPF costSPF
MD5 key keyID key
Hello hello10OSPf
Dead 40OSPf
6
IP
interface FastEthernet 0/0
ip address 10.1.1.254 255.255.255.0
interface FastEthernet 0/1
ip address 192.168.2.254 255.255.255.0
OSPF
router ospf 10
network 10.1.1.0 0.0.0.255 area 1
network 192.168.2.0 0.0.0.255 area 1 //
>>OSPFOSPF
snapshot route info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default
C 10.1.1.0/24 is directly connected, port2
C 192.168.1.0/24 is directly connected, port1
O 192.168.2.0/24 [110/2] via 10.1.1.254, port2, 00:08:40Ipv6
7.1 7.1.1 ADSL
ADSL192.168.1.0/24
1
Port2: ADSL, "" ADSL
Port1: IP 192.168.1.68/24
2"lan"192.168.1.0/24
3port1port2NAT
1
----Port2
PPPOE
ADSL
ADSL
DiscPPPoE
PADTPPPoEPADTISP
DNS: DNS
internal192.168.1.99/24https ,ssh, ping
--""--""--""PPPOE
2
------"""lan""192.168.1.0/24"
3
---- ""
port1
"lan"
port2
: all
always
: ALL
ACCEPT
NAT "NAT" lanipport1
""
""
IP192.168.1.10/24,192.168.1.99DNS202.106.196.115/8.8.8.8DNS
7.1.2
192.168.1.0/24
202.1.1.8/29 ip202.1.1.10202.1.1.9 DNS202.106.196.115
1
Port2: ip
Port1: IP 192.168.1.68/24
2
3"lan"192.168.1.0/24
4port1port2NAT
1
------port2
202.1.1.8/29 2202.1.1.8202.1.1.15 202.1.1.9202.1.1.9---202.1.1.14 IP
port2202.1.1.10
port1192.168.1.68/24
https ,ssh, ping
2
---- "",
IP/ 0.0.0.0/0.0.0.0
port1
ip port1ip
10
0.
3
----","lan""192.168.1.0/24".
4
Port1port2NAT
---- ""
port1
"lan"
port2
: all
always
: ALL
ACCEPT
NAT "NAT" lanipport2
""
""
IP192.168.1.10/24,192.168.1.99DNS202.106.196.115 / 8.8.8.8DNS
7.1.3 DHCP
DHCP192.168.1.0/24
1
Port2: "" dhcp
Port1: IP 192.168.1.68/24
2 "lan"192.168.1.0/24
3port1port2NAT
1
------port2
DHCP
DNS: DNS.
port1192.168.1.68/24
https ,ssh, ping
--""--""--""
2
------,"lan""192.168.1.0/24"
3
port1port2NAT
---- "".
port1
"lan"
port2
: all
always
: ALL
ACCEPT
NAT "NAT" lanipwan1
""
""
IP192.168.1.10/24,192.168.1.68DNS202.106.196.115/8.8.8.8DNS
7.2 7.2.1
1port2 202.1.1.2/30202.1.1.1
2port3 202.1.1.6/30202.1.1.5
Port1
nat nat
1IP
2
3zoneuntrust trust
4
5
1IP
------ port2,ip202.1.1.2/30202.1.1.1
------port3, 202.1.1.6/30202.1.1.5
2
---- ""2
IP/ 0.0.0.0/0.0.0.0
port2/port3
ip port2/port3 ip
10 .
0.
1 .
2
3
-- """"
untrust trust
4
---- "
trust
"lan"
untrust
: all
always
: ALL
ACCEPT
NAT "NAT" lanipuntrustport2/port3
""
""
5ECMP
ip
Port2 50 port3 500 21:1
port2 50 port3 1001:2
Define system setting
set v4-ecmp-mode
source-ip-based select nexthop based on source IP
usage-based select nexthop based on usage
weight-based select nexthop based on weight
end
port2
define system interface
edit "port2"
set weight 50
next
end
"IP"IPIPport2/port3NATIPuserIP
7.2.2
ipport2ipport3
port2 202.1.1.2/30202.1.1.1 NAT 100.0.0.1-10
port3 202.1.1.6/30202.1.1.5 NAT 200.0.0.1-10
port1
1IP
2
3
4
1IP
------ port2ip202.1.1.2/30
------ port3, IP202.1.1.6/30
2
port2
----"" IP/ 0.0.0.0/0.0.0.0
port2
ip port2ip
10 .
0.
3
--ipippool ""
2
telcom100.0.0.1-10
IP/100.0.0.1-100.0.0.10
unicom200.0.0.1-10
IP/200.0.0.1-200.0.0.10
4
2port1---port2 port1---port3.
---- ""port1-port2
port1
"lan"
port2
: all
always
: ALL
ACCEPT
NAT "NAT" " IP" telecom100.0.0.1-10
""
port1-port3
port1
"lan"
port2
: all
always
: ALL
ACCEPT
NAT "NAT" " IP" unicom200.0.0.1-10
""
tracert
7.2.3 ADSL
ADSL192.168.1.0/24192.168.1.128/25ADSL2.
1
port2,port3: ADSL, "" ADSL
port1: IP 192.168.1.68/24
2"lan"192.168.1.0/24 "lan1": 192.168.1.128/25
3port1port2NAT
4port1port3NAT
5 lan1port3
1
------port2
PPPOE
ADSL
ADSL
DNS: DNS
port32ADSLpppoe_user_2
port1192.168.1.99/24
https ,ssh, ping
--""--""--""2
2
----"""lan""192.168.1.0/24""lan1""192.168.1.128/25"
3
port1port2NAT
---- ""
port1
"lan"
port2
: all
always
: ALL
ACCEPT
NAT "NAT" lanipport2
""
4port1port3NAT
5 lan1port3
06 tcp,17 udp,132 sctp
port1
192.168.1.128/25
,
1-65536
port3
ppp pppoeIP
IP192.168.1.10/24,192.168.1.68DNS202.106.196.1158.8.8.8DNSport2port3
IP192.168.1.168/24port3
tracert
7.3IP 7.3.1
IP
----NAT--------NAT--
NAT
NAT
211.1.1.1202.2.2.3
aIP211.1.1.1202.2.2.38080NATIP192.168.1.1 80
bIP192.168.1.180211.1.1.1NATIP202.2.2.38080
7.3.2 ()
web192.168.1.1202.2.2.3
1
2ipDNAT
3
1
"----",IP
2IPDNAT
--IP--IP""IPwebserverport2
"ip""IP"ip202.2.2.3-202.2.2.10IP192.168.1.2ip192.168.1.9202.1.1.3192.168.1.2202.1.14192.168.1.3
3
----
port2
all
port1
: webserver //IP
: http // http
http://202.1.1.11 ping
7.3.3 (1)
web192.168.1.2 80 202.2.2.3 8080 email192.168.1.325202.2.2.325
DNAT>>>>>>NAT
1
2ipDNAT
3
1
"----",IP
2IPDNAT
--IP--IP VIP
IP1webserver:80http
IP2emailserver:25smtp
"ip""IP"ip202.1.1.3-202.1.1.10IP192.168.1.2ip192.168.1.9202.1.1.3192.168.1.2202.1.14192.168.1.3
3
---- ""
"" ""2IP"" ""httpsmtp
port2
all
port1
: webserver80 smtpserver25
: httpsmtp
http://202.2.2.3
7.3.4
WEBIP
WEB 192.168.1.2/24 192.168.1.68
: 202.2.2.2/29 , 202.1.1.1 202.1.1.3
: 101.1.1.2/29 , 101.1.1.1 101.1.1.3
192.168.1.0/24
1
2
3IPDNAT
4
5
1IP
"----"IP
2
3IP
IPweb1IP
IPwebserver2IP
"ip""IP"ip202.1.1.3-202.1.1.10IP192.168.1.2ip192.168.1.9202.1.1.3 192.168.1.2202.1.14 192.168.1.3
4
----"""lan2""192.168.1.0/24"
5
4
1 port2port1IP
2 port3port1VIP
3 port1port2ipport2
4 port1 port3ipport3
2202.1.1.3 100.1.1.3 2IP80
7.4 DDOS
DOSDOSTearDropLandJoltIGMP NukerBoinkSmurfBonkOOBTCP/UDP
DDOSCPUSYN Floodsyn cookieSYN FloodDDOS,""IPSDDOS
web192.168.1.2202.2.2.3HTTPDDOSDDOS
1
2 DDOS
1
""--""--"""""server"ip/"202.2.2.3/29"""
2DDoS
""--""--"DDoS""""DDoS"tcp_syn_floodudp_flood
3DDOS
""--""--"DDOS" ""
/: port2 port2port2DDOS
all.
http 80
DDoS DDoS
DOS
DOS
Jolt2Jolt265535 Jolt2Jolt2
Land-BaseLand-Base Land-BaseLand-Base
PING of deathPING of death65535ICMP PING of deathPING of death
Syn flagSyn-flagTCP Syn-flagSyn-flag
Tear dropTear-drop Tear-drop Tear-drop
WinnukeWinnuke13913813711353TCPURG1 WinnukeWinnukeTCP0
SmurfIPICMPSmurfICMP(PING)ICMP
TCPTCPTCP IP 1TCP SYNIP IPTCP SCANTCP SYN TCP
UDPUDPUDP SCAN IP 1UDPIP IPUDP SCANUDP UDP
PINGPINGPING IP1ICMP ICMP ( ) ICMP IPICMP PING
20
7.5
20
192.168.1.10
192.168.1.50-10015Mbps1Mbps
IP192.168.1.203M
1
2
3
4
""""""
1
"----"ip
2
manager 192.168.1.10
sip 192.168.1.20
staff192.168.1.50-100
----"ip"manager",ip192.168.1.10sipip"sip",ip192.168.1.20ip"staff",ip192.168.1.50-100
2
----""15M
1015M15M
1015M15M1015M
6FIFO0-5,050 vpn0traffic shaper1,2,3123VOIPhttp, pop3,sntpOA
kBps 0
0
23M
31M IP
--IP
ip125KBps
3
1)
2)SIP
3
15M15M
FTP
per-ip
per-ip4M-6M
7.6 session-ttl
session-ttl
3600ttl3600TCPsession-ttl3 session-ttl session-ttl session-ttl
1)session-ttl
#define system session-ttl
(session-ttl) # set default 604800 //300-604800(7)
(session-ttl) #end
2)session-ttl
# define firewall policy
(policy) # edit 1
(1) #set srcintf port1
(1) #set dstintf port2
(1) #set srcaddr all
(1) #set dstaddr all
(1) #set action accept
(1) #set schedule always
(1) #set service ANY
(1) # set session-ttl 604800
(1) #set nat enable
(1) #next
(policy) # end
session ttl
session-ttl < session-ttl < session-ttl session-ttl
8.1 8.1.1
(IPS)
DOSDOS syn floodicmp floodudp flood TearDropLandJoltIGMP NukerBoinkSmurfBonkOOB TCP/UDP
DDOSCPU
SYN Floodsyn cookieSYN FloodDDOS,
ibei DOSDOS
ipsipsips
8.1.2 ARP
IP+MAC
IPARPARP IP+MACIPMACIPIParpARP
ARP
IPIPIP+MACARPIP+MAC
arp
arp
1arp
2ARP
ARP ARP1
ARP
ARPARP
ARPIPMACARPARPARPIPMACARPARPARPARP ARPARPMACMACIPIPARPARP
8.1.3 WEB
URL
""
InternetJava AppletCookieScriptObject
(IPS)IPS
TCPUDPICMPHTTPFTPSMTPPOP3IMAP
WebHTTP
SMTPPOP3IMAP
WEBHTTP WEBHTTPURLHTTPHTTP
URL URLwebURL
URLdenyacceptURLURL
8.2 8.2.1
web192.168.1.2,202.2.2.3HTTP
webHTTPIPSIPS
1
2VIPDNAT
3IPS
4IPS
5
1
"----"
IP
2IPDNAT
--IP--IP""IPwebserverport2
3IPS
IPSwindowshttp
1) ----IPS ""
IPS
webserver
OS OSwindows
http
2306
4IPS
port2
all
port1
: webserverIP
: HTTPhttp
IPS: ips
8.2.2 IPS
IPSIPS
IPS
# define ips global
(global) #set algorithm {high | low | engine-pick} //
high
low
engine-pick
IPS
IPSIPS0
#define ips global
(global) #set engine-count 0
(global) #end
IPS
IPSbypass IPS
# define ips global
(global) # set fail-open {enable | disable}
(global) # end
IPS
1 to 64 M. .
#define ips global
(global) #set socket-size //
(global) #end
8.2.3 IPS
IPSIPSIPSIPS
IPS/Eicar.Virus.Test.File
IPSIPShttp----IPShttp
eicareicar
Eicar.Virus.Test.File
OK,
OK
Eicar.Virus.Test.File
8.3 8.3.1
(IPS).
TCPUDPICMPHTTPFTPSMTPPOP3IMAP
,
1
2
3
4
1
""--""--"""
2
----
httpsmtppop3imapmapiftp
.com
IP
3
default
"default"
http80808080 .
() 10 10
:()1
/ 10M
""
4
1
"" """AV"default
1.http
http://www.eicar.org/85-0-Download.html
8.3.2
(GreywareGrayware)1. (Spyware) 2. (Adware) 3. (Dialer) 4. (Joke program) 5. ("Hacker" tools) 6. (Remote access tools)
#define antivirus settings
(settings) # set grayware enable //
(settings) end
# define antivirus heuristic
(heuristic) # set mode
pass Enable heuristics but detected files are passed. //
block Enable heuristics and detected files are blocked. //
disable Turn off heuristics. //
(heuristic) # set mode pass
(heuristic) #end
#define antivirus service http //http ftpsmtp
(http)#set uncompsizelimit 10//10M
(http)#end
#define antivirus service http
(http)#set uncompnestlimit 12 // 2-100
12
(http)#end
Webhttp
# define antivirus profile
(profile) #edit default
(default) #define http
(http) # set options scan avmonitor //
(http) # end //end
ftpimappop3smtpmapinntpimhttp avmonitorset options scan
8.4 WEB8.4.1 URL
url
163
1
2web
3web
1
""--""--"""
2URL
WebURL163-baidu
URL163*.163.com
baidu*.baidu.com
*
URL*
3web
---web---WebwebURLWebWeb Web URL
163-baidu-blockallwebweb urlhttphttpsoptionURL
4web
163-baidu-blockall
www.baidu.comwww.hao123.com,
8.5 8.5.1
@qq.com
1
2
3
4
1
""--""--"""
2
EmailE-mailspam-qq
*@qq.com
3
Emailmail-filterspam-qq
4
qq spamqq spam pop3 smtp
7.5.2
IP
IPEmailIP//
Hello DNS
SMTPHELODNSSMTP
Email//
DNS
DNSAMX
CLI
8.68.6.1
IM(SKYPEQQ)P2P(BitTorrenteMule)PPLiveQQLiveIMP2P
aQQGtalkSkypeIM
bBitTorrenteMuleP2P
cPPLiveQQLive
d
QQQQIMP2P
TCPUDPICMP
8.6.2 QQP2P
IM
1
2
a
bp2p
3
1
""--""--"""
2
1 ----""im-p2p
2IM
IM
3p2p
p2p
2Mbps2Mbps
4
3
8.7 8.7.1
.exe.exe.txt
.zip.zip.txt
8.7.2
1
2DLP
3
4
1
port1- port2NAT
2
1
: file
B
exe
C
2: --
http
file
3
: --
http-block-exe,
4
httpexe
8.8 ARP
ARP
1VIP
2VIParp
3arp
1VIP
--IP--IP
2VIParp
# define firewall vip
(vip) # edit arp_b
(Gratuitousarp_99) # set gratuitous-arp-interval 10 //arp
(Gratuitousarp_99) # end
3arp
arp -s 192.168.1.68 00-09-0f-d8-a2-c4
arparp
8.9 IPMAC
IP-MAC2
1 MAC-IPARP
2MAC-IPMAC
1 MAC/IP
IPMACIPMACIPMACIPMAC
MAC
IPMACIP-MACIPMACIPMAC
IPMAC
binding
#define firewall ipmacbinding setting
(setting) #set bindthroughfw enable //disable
(setting) #set bindtofw enable //disable
(setting) #set undefinedhost block //ipmacMACblock
(setting) #end
ipmac
# define firewall ipmacbinding table
(table) #edit 1
(1) #set ip 192.168.1.1 //IP
(1) #set mac 00:31:cd:4c:5d:6e //MAC
(1) #set name "test" //
(1) #set status enable //
(1) #next
(table) #end
IPMACIPMAC
#define system interface
(interface)#edit port1 //
(internal)#set ipmac enable //
(internal)#end
dump debug flowlog
# dump debug enable debug
# dump debug flow show console enableflow
# dump debug flow filter add 192.168.1.1
# dump debug flow filter
# dump debug flow trace start 10
# id=13 trace_id=1 msg="vd-root received a packet(proto=1, 192.168.1.168:1->8.8.8.8:8) from Port1. code=8, type=" id=13 trace_id=1 msg="allocate a new session-000a5db6" id=13 trace_id=1 msg="find a route: flags=00000000 gw-192.168.118.1 via port2" id=13 trace_id=1 msg= "HWaddr-f0:de:f1:0f:85:c2 is in black list, drop" // IPMACf0:de:f1:0f:85:c2
# id=13 trace_id=11 msg="vd-root received a packet(proto=1, 192.168.1.168:1->192.168.1.200:8) from internal. code=8," id=13 trace_id=11 msg="allocate a new session-000a5f04" id=13 trace_id=11 msg= "HWaddr-f0:de:f1:0f:85:c2 is in black list, drop" // IPMACf0:de:f1:0f:85:c2
VPN9.1 VPN 9.1.1 IPSec VPN
InternetInternetIPSec VPN
IPSEC VPN
IPSecInternetIP IPSec
1 -IPSec
2 -IPSec
3 -IPSec
4 -IPSecIP
IPSecIPSecVPN
IPSec"ESP""AH"
ESPISAKMP SPDBIPSecSA
IPsec IKE RFC()3
Digital Certificate Digital ID Internet CACertificate Authority Internet
IPsec ()3
IP
ispecvpnIKE
1IKESAIDSAID
2IPIPVPNVPN
IKEIPIP
IPADSLIPNATVPN
9.1.2 SSL VPN
PCInternetInternet SSL VPN
SSL VPN
SSLVPNSSLSSLVPNSSLSSL VPNWEBSSLVPNIPSec VPNIPSec VPNIPSec VPNNAT
SSL VPN
1webWebHTTPSWeb
2TunnelSSLIP. SSL
9.1.3 L2TP
Internet PC l2tp VPNL2TPVPNVPNVPDN(Virtual Private Dial Network)VPDNPPTPL2FL2TPL2TPLayer Two Tunneling ProtocolPPTP/L2TP VPNMicrosoft Windows 98/2000/XP/2003PPTPL2TP PPTPL2TPVPN
L2TPL2TP
VPNL2TPL2FPPTPVPNL2TPPPPIPATM
(Layer 2 Tunneling Protocol),,RFC 2661.VPN,L2TP3VPN(IPSec\GRE),L2TPPPP,VPNIPL2TPPPP,UDP
L2TP VPNL2TP VPNIPSecVPNVPNIP
9.1.4 GRE
GRETCP/IPGRE
GREGeneric Routing Encapsulation GRE TunnelGRE Cisco IP-in-IPRFC 2784deliver protocolPayloadGRE tunnel multicast IPv6
GREGREGRE GREGREIP
9.2 IPSecVPN 9.2.1 VPN
VPN2192.168.0.0/24192.168.1.0/24
1beijing
1
1----Port1
2OKPort2
3OK----
4OK----
5OK----NAT
2IKE1
1VPN--IPsec--(IKE)11IPsec
IKEto-tianjin-01
VPNIP
IPVPN101.1.1.2
Port2
(ID)
2OK1
3IKE2
122
IKE2to-tianjin-02
1to-tianjin-01
192.168.1.0/24192.168.2.0/24
2OK2
4VPN
1----VPNIP192.168.2.0/24to-tianjin-01
2OKVPN
5
1----VPN
2OK----VPN
3VPNVPN
4OKbeijing
2tianjin
1tianjin----Port1
2OKPort2
3OK----
4OK----
5OK----NAT
2IKE1
1VPN--IPsec--(IKE)11IPsec
IKEto-beijing-01
VPNIP
IPVPN101.1.1.1
Port2
(ID)
2OK1
3IKE2
122
IKE2"to-beijing-02
1to-beijing-01
192.168.2.0/24192.168.1.0/24
2OK2
4VPN
1----VPNIP192.168.2.0/24to-beijing-01
2OKVPN
5
1----VPN
2OK----VPN
3VPN
4OKtianjin
IPsec VPN
VPNVPN--IPsec--VPN
9.2.2 VPN
VPN2192.168.1.0/24192.168.2.0/24
11
1
2IKE1
3IKE2
4
22
1
2IKE1
3IKE2
4
IPsec VPN
1beijing
1
1----Port1
2OKPort2
3OK----
4OK----
5OK----NAT
2IKE1
1VPN--IPsec--(IKE)11
IKEto-tianjin-01
VPNIP
IPVPN101.1.1.2
Port2
(ID)
2OK1
3IKE2
122
IKE2to-tianjin-02
1to-tianjin-01
2OK2
4
1----VPN
2OK----VPN
IPsec
VPNto-tianjin-01
3OKVPN
4OKbeijing
2tianjin
1tianjin----Port1
2OKPort2
3OK----
4OK----
5OK----NAT
2IKE1
1VPN--IPsec--(IKE)11
IKEto-beijing-01
VPNIP
IPVPN101.1.1.1
Port2
(ID)
2OK1
3IKE2
122
IKE2"to-beijing-02
1to-beijing-01
2OK2
4VPN
1----VPNIP192.168.1.0/24to-beijing-01
2OKVPN
5
1----VPN
2OK----VPNIPsecVPNto-beijing-01
3OKVPN
4OKtianjin
IPsec VPN
VPNVPN--IPsec--VPN
Ping192.168.1.0/24192.168.0.0/24IPsecinbound,outbound
9.2.4
Shrew VPNIPSec VPNIPSec VPNShrew VPN
https://www.shrew.net/download/vpn/vpn-client-2.2.2-release.exe
1 IPSec1
define vpn ipsec phase1-interface
edit "p1"
set type dynamic
set interface "internal"
set proposal 3des-sha1 aes128-sha1
set mode aggressive
set psksecret XXXXXX //
next
end
2) IPSec2
define vpn ipsec phase2-interface
edit "p2"
set phase1name "p1"
set proposal 3des-sha1 aes128-sha1
next
end
12SHREW
3
VPN
P1IPsec1VPNVPN
define firewall policy
edit 0
set srcintf "p1"
set dstintf "internal"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ANY"
next
end
SHREW IPSec VPN
1
Shrew VPN15
2
ShrewAddVPNGeneral
IPSec VPNIPAuto ConfigurationdisableIPAdapter ModeIPVPNIPIP
IPVPNIPIP
Name ResolutionDNSWINEnable DNSEnable WINSDNSWINS
AuthenticationAuthentication MethodMutual PSK
Credentials
Phase 1
1 VPN1
Phase 2
2 VPN2saveVPN
VPN->IPSec->
VPNIPPCIP
IP
Mode configVPNIP1()
define vpn ipsec phase1-interface
edit "p1"
set type dynamic
set interface "internal"
set proposal 3des-sha1 aes128-sha1
set mode aggressive
set mode-cfg enable
set ipv4-start-ip 10.1.1.1
set ipv4-end-ip 10.1.1.100
set psksecret xxxxxxx
next
end
ShrewGeneral
DNSDNS
define vpn ipsec phase1-interface
edit "p1"
set mode-cfg enable
set ipv4-start-ip 10.1.1.1
set ipv4-end-ip 10.1.1.100
set ipv4-dns-server1 1.1.1.1
end
Name Resolution
VPNIPIP
Xauth
VPNXauth
define user local
edit "test"
set type password
set passwd xxxxxx
end
define user group
edit "group"
set member "test" "test1"
next
end
IPSec VPN1Xauth
define vpn ipsec phase1-interface
edit "p1"
set xauthtype pap
set authusrgrp "group"
end
ShrewAuthentication
VPN
9.3 SSL VPN9.3.1
1"ssl "a.sslvpnb.sslvpn
2"ssl "sslvpnweb""
3ssl-vpnweb
asslvpnsslvpn
bsslvpnall
cssl-vpnssl-vpnssl-vpnssl-vpn
dsslvpnwebsslvpnsslvpnwebweb
OASSL VPN,OA
1
2
3sslvpn
4
5PC ssl
1
"----"
2
1
----""
testtest
2
----""
: ttestSSL-VPNSSL VPNfull-access
3sslvpn
1SSL VPN
---- ""
SSLVPN_TUNNEL_ADDR1
2SSL
--SSL--
SSL-VPNSSL VPN
IPSSL
""
DNSWINSIPDNSWINS
3SSL
--SSL--full-accessSsl vpnSsl-vpn
IP
SSLVPN
IPIPIP radiusip
IPIP
SSL VPNvpnSSL VPN
4 SSL
1SSLVPN
"----"
SSL
allipSSL
/SSLVPN
ssl vpn
2SSLt
4
sslvpnaccept
5
sslssl.root
IP/10.0.0.0/24SSL
ssl.root
""
SSL
1SSL VPN
3264WINDOWSVPN--
2IP
3
4
Pcroute print
9.2.2
OAwebSSL VPN,OA
1
2
3sslvpn
4
1
"----"
2
1
----""
testtest
2
----""
: t,testweb-access
3sslvpn
1sslvpn
--SSL--ssl-vpn
IP
""
SSL VPN443httpshttps 4430DNSWINSDNS
2SSL
--SSL-- SSLweb-access
4 SSL
1
"----"
SSL
allipSSL
SSLVPN
SSL-VPNCreate New
vpnt
ALL
https://202.1.1.10:4430testtest172.16.1.33OA
9.4 L2TP/PPTP
PPTP VPN pc
OApptp vpn,OAl2tp vpn PPTP vpn
1
2PPTP /l2tp
3
4PC client
5 PPTPDNSL2TPDNS
1
">>"
2
1
----"": test: 123456
2
----"": ttest
3PPTP/L2TP VPNCLI
# define vpn pptp //pptpl2tppptp
(pptp) # set status enable // vpn
(pptp) # set sip 10.1.1.100 // ip ip
(pptp) # set eip 10.1.1.120 // ip ip
(pptp) # set usrgrp t // VPN
(pptp) # end
# define vpn l2tp
(l2tp) # set status enable
(l2tp) # set sip 192.168.1.230
(l2tp) # set eip 192.168.1.240
(l2tp) # set usrgrp t
(l2tp) # end
vpn
4
(1)
2
----"
port2
pptp_ip
port1
192.168.1.0/24
ALL
PC
1
2""
3","
4"internet"
5VPNIP
6
,ping192.168.1.10
Androidpptp http://jingyan.baidu.com/article/3a2f7c2e55dc6926afd611f8.html
IPHONE PPTP http://jingyan.baidu.com/article/86fae3469769403c48121a71.html
VPN
dump debug enable
dump debug application ppp -1
L2TP
L2TPL2TP over IPsec L2TP L2TP over ipsecL2TP
TXTipsec.reg
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\RasMan\Parameters]
"ProhibitIpSec"=dword:00000001
With ProhibitIpSec set to 1 the Windows client uses plain L2TP rather than L2TP/IPsec, so the tunnel itself carries traffic without IPsec encryption; only the PPP authentication (PAP, CHAP or MS-CHAPv2) protects the login. windowsVPNl2tp/IpsecPAP CHAP MS-CHAPv2
9.4 l2tp over ipsec
9.4.1
test, tttest
l2tp
define vpn l2tp
set eip 10.1.1.10
set sip 10.1.1.1
set status enable
set usrgrp "tt"
end
sipIPeipIP
IPSec1
1
3DES-SHA1 (Windows)AES256MD5(AndroidiPhone)
DH2(Androidiphone) 14(windows10)
IPSec2
2
AES256+MD5
PFS
()
define vpn ipsec phase2
edit "phase2"
set encapsulation transport-mode ()
set keylife-type both
set pfs disable
set phase1name "phase1"
set proposal 3des-sha1 aes256-md5
set keylifekbs 4608000
set keylifeseconds 3600
next
end
IPSecall
L2tpIP
IPsec
port2port1(192.168.100.0/24)all, VPNl2tpvp
port1port2, ip10.1.1.0/24
9.4.2 Android
VPN
AndroidVPN>>VPN
l2tp/IPSec PSKIPsec
VPN
AndroidVPNVPN>IPsec>
9.4.3 iphone
iphonel2tp over ipsec>
>VPNl2tp
IP
test
ipsec
IPhone
9.4.4 Windows10
>
Internet
VPNIP
VPNL2TP/IPsec
IPsec
vpnvpn
ipconfigroute printIP
9.5 GRE
VPN2192.168.0.0/24192.168.1.0/24
11
1
2GRE
3
4
5
22
1
2GRE
3
4
5
11
1
"----"
2GRE CLI
# define system gre-tunnel
(gre-tunnel) # edit gre1
(gre1) # set interface port2
(gre1) # set remote-gw 101.1.1.1 //
(gre1) # set local-gw 202.2.2.2 //
(gre1) # end
3
# define system interface
(interface)#edit gre1
(gre1) #set vdom root
(gre1) #set ip 1.1.1.1 255.255.255.255 // tunnel
(gre1) #set type tunnel
(gre1) #set remote-ip 1.1.1.2 // tunnel
(gre1) #set snmp-index 8
(gre1) #set interface port2
(gre1) #set mtu 1476 //MTU 1500MTU-20IP-4GRE=1476
(gre1) #next
(interface)#end
4
----""
IP/ ,192.168.1.0/24
: VPNgre1
5
---- ""
21 Port1
2
22
1
"----"
2GRE
# define system gre-tunnel
(gre-tunnel) # edit gre1
(gre1) # set interface port2
(gre1) #set remote-gw 100.1.1.2 //
(gre1) #set local-gw 200.1.1.2 //
(gre1) #next
3
# define system interface
(interface) # edit gre1
(gre1) #set vdom root
(gre1) #set ip 1.1.1.2 255.255.255.255 // tunnel
(gre1) #set type tunnel
(gre1) #set remote-ip 1.1.1.1 // tunnel
(gre1) #set snmp-index 8
(gre1) #set interface port2
(tunnel1) #set mtu-override enable
(tunnel1) #set mtu 1476 //MTU 1500MTU-20IP-4GRE=1476
(tunnel1) #next
(interface)#end
4
----""
IP/ ,192.168.0.0/24
: VPNgre1
5
---- ""
21 Port1
2
ping192.168.1.0/24192.168.0.0/24
10.1
1.2.3.()
10.2
define system interface
edit "port1"
set log enable
next
end
10.3
IPS
Web
10.4
define log memory filter
set traffic disable
end
10.5 syslog
Syslog
# define log syslogd setting
(setting) # set status enable
(setting) # set server 192.168.1.117
(setting) # set port 514
(setting) # end
syslog watchersyslog
Kiwi Syslog Daemon
11.1
1
nat
2nat()
ipsecvpnsslvpnl2tppptpgre
3
VDOM
4VDOM
(VDOM)VDOM
NAT/VPNVDOMVDOM
NAT/VDOM
5
snifferips
11.2
1NATNATipNAT
NATNATNATipNAT
NATip
ipipipip
NATNATNATNAT
2ip
ipvipipipip
2NAT
NATvipvip
3NAT
vipNATipNAT
4
5
6HA
7sslvpnsslvpnsite-to-site
1B/Shttphttps
2
3
4site-to-site
8vpn
Ipsecvpniosandroidiosandroid
9 802.3ad
802.3ad
10
dump sys checkused system.interface.name xxxx internal
#dump sys checkused system.interface.name internal
entry used by table system.dhcp.server:name 'internal_dhcp_server'
entry used by table firewall.policy:policyid '1'
entry used by table router.static:seq-num '1'
11.3
1
2
MD5MD5
11.4
1cpu
webcpusnapshot system performance status
2SNMP
a.SNMP-->-->SNMP
b.SNMP SNMP MIBMIBMIB BrowserPRTG Network MonitorCactiMIB
c.MIBCPUMEM MIB OID
3
web""
4
web""
5
web""
12.1
1
2
3()
4any
5
//
1 / any
2any
3/any
4ip
5always
6any
7ACCEPTDENYIPSECipsecSSL-VPNsslvpn
8
9NAT:NATSNAT
10
11:
12""
12.2
dump debug flow
dump debug enable debug
dump debug flow show console enable flow
dump debug flow filter add 119.253.62.131
dump debug flow filter
dump debug flow trace start 6
# dumpdebug flow filter
addr IP address. // ip
clear Clear filter. //
daddr Destination IP address. //
dport Destination port. //
negate Inverse filter. //
port port // port1
proto Protocol number. // 6 = tcp, 17 = udp, 1 = icmp
saddr Source IP address. //
sport Source port. //
vd Index of virtual domain. //vdom
# id=36871 trace_id=1 msg="vd-root received a packet(proto=6, 192.168.1.110:51661->119.253.62.131:80) from port1." //port1
id=36871 trace_id=1 msg="allocate a new session-00016920"
id=36871 trace_id=1 msg="find a route: gw-192.168.118.1 via port2" //
id=36871 trace_id=1 msg="find SNAT: IP-192.168.118.28, port-43333" //NAT
id=36871 trace_id=1 msg="Allowed by Policy-1: SNAT" // ,ID1
id=36871 trace_id=1 msg="SNAT 192.168.1.110->192.168.118.28:43333" //NAT
id=36871 trace_id=3 msg="vd-root received a packet(proto=6, 119.253.62.131:80->192.168.118.28:43333) from port2." // Wan1
id=36871 trace_id=3 msg="Find an existing session, id-00016920, reply direction" //id-0001692
id=36871 trace_id=3 msg="DNAT 192.168.118.28:43333->192.168.1.110:51661" //
id=36871 trace_id=3 msg="find a route: gw-192.168.1.110 via port1" //port1
id=36871 trace_id=5 msg="vd-root received a packet(proto=6, 192.168.1.110:51661->119.253.62.131:80) from Port1." //Port1
id=36871 trace_id=5 msg="Find an existing session, id-00016920, original direction" //id-0001692
id=36871 trace_id=5 msg="enter fast path" //
id=36871 trace_id=5 msg="SNAT 192.168.1.110->192.168.118.28:43333" //NAT
# id=36871 trace_id=23 msg="vd-root received a packet(proto=6, 192.168.1.110:51768->119.253.62.131:80) from Port1"
id=36871 trace_id=23 msg="allocate a new session-00017537"
id=36871 trace_id=23 msg="find a route: gw-192.168.118.1 via Port2"
id=36871 trace_id=23 msg="Denied by forward policy check" //
debug flow
,,msg="iprope_in_check() check failed, drop"
,, msg="Denied by forward policy check"
,msg="reverse path check fail, drop"
session-helper msg="run helper-ftp(dir=original)"
12.3 sniffer
dump sniffer packet
1interface
VLAN "any"
dump sniffer packet port1 //port1
dump sniffer packet any //
dump sniffer packet port1-v10 //VLAN port1-v10port1-v10
2verbose
46
1: print header of packets, //IPSequence numbers
2: print header and data from ip of packets, //IPTCPUDPpayload
3: print header and data from ethernet of packets //EtherIPTCPUDPpayload Ethereal
4:print header of packets with interface name //
5: print header and data from ip of packets with interface name //
6: print header and data from ethernet of packets (if available) with intf name //
3count
4filter
;
dump sniffer packet wan1 icmp 1 10
dump sniffer packet any 'host 192.168.1.11' 4 2
dump sniffer packet wan1 'icmp and host 8.8.8.8' 1 10
4.1none
None
# dump sniffer packet wan1 none 1 3
interfaces=[wan1]
filters=[none]
0.726021 arp who-has 192.168.118.64 tell 192.168.118.1
0.726054 arp who-has 192.168.118.207 tell 192.168.118.1
0.907046 192.168.118.55.3975 -> 255.255.255.255.2654: udp 312
4.2Tcp, udp, icmp,arp
# dump sniffer packet wan1 tcp 1 3
interfaces=[wan1]
filters=[tcp]
5.854756 192.168.118.28.41972 -> 74.125.31.138.443: 1918013413 ack 2189770725
10.680845 192.168.118.28.37644 -> 106.120.151.51.80: syn 1554494232
10.681300 106.120.151.51.80 -> 192.168.118.28.37644: syn 199984742 ack 15544943
# dump sniffer packet port2 udp 1 3
interfaces=[port2]
filters=[udp]
0.851497 192.168.118.39.58839 -> 234.34.23.234.33674: udp 20
0.880828 192.168.118.28.38299 -> 8.8.8.8.53: udp 37
0.951063 192.168.118.55.4045 -> 255.255.255.255.2654: udp 312
# dump sniffer packet wan1 icmp 1 3
interfaces=[wan1]
filters=[icmp]
5.831862 192.168.118.28 -> 119.254.12.21: icmp: echo request
5.833274 119.254.12.21 -> 192.168.118.28: icmp: echo reply
6.836748 192.168.118.28 -> 119.254.12.21: icmp: echo request
# dump sniffer packet port2 arp 1 3
interfaces=[port2]
filters=[arp]
0.835697 arp who-has 192.168.118.211 tell 192.168.118.1
0.955753 arp who-has 192.168.118.64 tell 192.168.118.1
0.955780 arp who-has 192.168.118.207 tell 192.168.118.1
4.3src,dst
IP IP
# dump sniffer pa any 'src 192.168.118.45 and dst 4.2.2.1' 4
interfaces=[any]
filters=[src 192.168.118.45 and dst 4.2.2.1]
3.053283 SE in 192.168.118.45 -> 4.2.2.1: icmp: echo request
4.055621 SE in 192.168.118.45 -> 4.2.2.1: icmp: echo request
5.057185 SE in 192.168.118.45 -> 4.2.2.1: icmp: echo request
6.059751 SE in 192.168.118.45 -> 4.2.2.1: icmp: echo request
4.4host
host IP
# dump sniffer packet port2 'host 8.8.8.8 ' 1 10
interfaces=[port2]
filters=[host 8.8.8.8]
5.793921 192.168.118.28 -> 8.8.8.8: icmp: echo request //
5.833691 8.8.8.8 -> 192.168.118.28: icmp: echo reply //
4.5port
# dump sniffer packet wan1 ' port 80 ' 1 3
interfaces=[wan1]
filters=[port 80]
5.391804 192.168.118.28.8977 -> 83.145.92.172.80: syn 3438827760
5.392339 83.145.92.172.80 -> 192.168.118.28.8977: syn 4238988927 ack 3438827761
5.392842 192.168.118.28.8977 -> 83.145.92.172.80: ack 4238988928
4.6proto
1: ICMP, 6: TCP, 17: UDP, 89: OSPF
# dump sniffer packet wan1 ' proto 1 ' 1 10
interfaces=[wan1]
filters=[proto 1]
5.193085 192.168.118.28 -> 8.8.8.8: icmp: echo request
5.233840 8.8.8.8 -> 192.168.118.28: icmp: echo reply
6.193968 192.168.118.28 -> 8.8.8.8: icmp: echo request
6.234911 8.8.8.8 -> 192.168.118.28: icmp: echo reply
# dump sniffer packet port2 ' proto 17 ' 1 10
interfaces=[port2]
filters=[proto 17]
1.291398 192.168.118.48.1786 -> 255.255.255.255.2654: udp 312
1.307764 192.168.118.48.1787 -> 255.255.255.255.2654: udp 322
2.813556 192.168.118.55.3735 -> 255.255.255.255.2654: udp 312
2.815426 192.168.118.55.3736 -> 255.255.255.255.2654: udp 324
4.7and or
and ""or ""2
# dump sniffer packet port2 ' host 8.8.8.8 and udp and port 53 ' 1 10
interfaces=[port2]
filters=[host 8.8.8.8 and udp and port 53]
9.161057 192.168.118.28.25758 -> 8.8.8.8.53: udp 30
9.200929 8.8.8.8.53 -> 192.168.118.28.25758: udp 273
# dump sniffer packet port2 ' host 8.8.8.8 or udp ' 1 6
interfaces=[port2]
filters=[host 8.8.8.8 or udp]
0.406682 192.168.118.28 -> 8.8.8.8: icmp: echo request
0.446384 8.8.8.8 -> 192.168.118.28: icmp: echo reply
1.408758 192.168.118.28 -> 8.8.8.8: icmp: echo request
1.447828 192.168.118.48.2345 -> 255.255.255.255.2654: udp 312
1.448329 8.8.8.8 -> 192.168.118.28: icmp: echo reply
1.467194 192.168.118.48.2346 -> 255.255.255.255.2654: udp 324
4.8TCP
# dump sniff packet any 'tcp[13]==2' 4 10
interfaces=[any]
filters=[tcp[13]==2]
0.566163 SE in 192.168.118.44.51011 -> 118.67.120.53.80: syn 1443461665
0.566253 port13 out 59.108.29.180.65483 -> 118.67.120.53.80: syn 1443461665
0.566476 SE in 192.168.118.44.51012 -> 118.67.120.37.80: syn 2381613524
0.566569 port13 out 59.108.29.180.65484 -> 118.67.120.37.80: syn 2381613524
Byte offset 13 of the TCP header holds the flags; the value 2 (binary 00000010) means the SYN bit is set and every other flag bit is 0, so tcp[13]==2 matches only pure SYN packets.
dump sniffer packet any "tcp[13] & 4 != 0" 3 10 FIN1
An equality test such as tcp[13]==2 fails as soon as another flag bit (for example ACK) is also set; a bitmask test such as tcp[13] & 4 != 0 matches any packet in which that flag bit is set, whatever the other flag bits are.
dump sniffer packet any "tcp[13] & 2 != 0" 4 10SYN1(SYN,SYN ACK)
4.9IP
Byte offset 9 of the IP header is the protocol field; 0x59 in hexadecimal is 89 in decimal, the IP protocol number of OSPF, so both filters below select the same packets.
# dump sniffer packet any "ip[9]==0x59" 1 10
interfaces=[any]
filters=[ip[9]==0x59]
0.601194 192.168.118.28 -> 224.0.0.5: ip-proto-89 44
11.601206 192.168.118.28 -> 224.0.0.5: ip-proto-89 44
2 packets received by filter
0 packets dropped by kernel
# dump sniffer packet any "ip[9]==89" 1 10
interfaces=[any]
filters=[ip[9]==89]
2.601194 192.168.118.28 -> 224.0.0.5: ip-proto-89 44
12.601208 192.168.118.28 -> 224.0.0.5: ip-proto-89 44
4.10Ethernet
ether[6:4] reads 4 bytes starting at offset 6 of the Ethernet header (the first 4 bytes of the source MAC, here 0x00090fdf) and ether[10:2] reads the remaining 2 bytes (0xe8e3); together they match source MAC 00:09:0f:df:e8:e3.
# dump sniffer packet SE "(ether[6:4]=0x00090fdf) and (ether[10:2]=0xe8e3)" 3 3
interfaces=[SE]
filters=[(ether[6:4]=0x00090fdf) and (ether[10:2]=0xe8e3)]
0.632650 192.168.118.45.62528 -> 192.168.118.1.22: ack 2277714159
0x0000 0009 0fcd 9f48 0009 0fdf e8e3 0800 4500 .....H........E.
0x0010 0028 2383 4000 7f06 6acd c0a8 762d c0a8 .(#[email protected]..
0x0020 7601 f440 0016 16b9 4e62 87c3 28ef 5010 [email protected]..(.P.
0x0030 3fa0 f88f 0000 ?.....
0.633263 192.168.118.45.62528 -> 192.168.118.1.22: ack 2277714383
0x0000 0009 0fcd 9f48 0009 0fdf e8e3 0800 4500 .....H........E.
0x0010 0028 2384 4000 7f06 6acc c0a8 762d c0a8 .(#[email protected]..
0x0020 7601 f440 0016 16b9 4e62 87c3 29cf 5010 [email protected]..).P.
0x0030 3ec0 f88f 0000 >.....
MAC = 00:09:0f:cd:9f:48
# dump sniffer packet SE "(ether[0:4]=0x00090fcd) and (ether[4:2]=0x9f48)" 3 3
interfaces=[SE]
filters=[(ether[0:4]=0x00090fcd) and (ether[4:2]=0x9f48)]
0.632650 192.168.118.45.62528 -> 192.168.118.1.22: ack 2277714159
0x0000 0009 0fcd 9f48 0009 0fdf e8e3 0800 4500 .....H........E.
0x0010 0028 2383 4000 7f06 6acd c0a8 762d c0a8 .(#[email protected]..
0x0020 7601 f440 0016 16b9 4e62 87c3 28ef 5010 [email protected]..(.P.
0x0030 3fa0 f88f 0000 ?.....