Router(Config)# interface eth 0/2
Router(Config-if)# ip address 192.168.1.254 255.255.255.0
Router(Config-if)# ip access-group 107 in
4. Defending against Smurf attacks.
Router(Config)# access-list 108 deny ip any host 192.168.1.255
Router(Config)# access-list 108 deny ip any host 192.168.1.0
Router(Config)# access-list 108 permit ip any any
Router(Config-if)# ip access-group 108 in
5. Secure configuration of ICMP. For inbound ICMP traffic, block ICMP ECHO, Redirect and Mask request, and also block TraceRoute probes. For outbound ICMP traffic, ECHO, Parameter Problem and Packet too big can be allowed, as can use of the TraceRoute command.
! Inbound ICMP Control
Router(Config)# access-list 110 deny icmp any any echo
Router(Config)# access-list 110 deny icmp any any redirect
Router(Config)# access-list 110 deny icmp any any mask-request
Router(Config)# access-list 110 permit icmp any any
! Outbound ICMP Control
Router(Config)# access-list 111 permit icmp any any echo
Router(Config)# access-list 111 permit icmp any any parameter-problem
Router(Config)# access-list 111 permit icmp any any packet-too-big
Router(Config)# access-list 111 permit icmp any any source-quench
Router(Config)# access-list 111 deny icmp any any
! Inbound TraceRoute Control
Router(Config)# access-list 112 deny udp any any range 33400 34400
! Outbound TraceRoute Control
Router(Config)# access-list 112 permit udp any any range 33400 34400
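
A Cisco ACL is evaluated top-down: the first matching entry decides, and anything unmatched falls to the implicit deny at the end. The Python model below is an added example, not part of the original page. It parses ACLs 108, 110 and 112 from above (only the syntax subset used here), checks constructed packets against them, and lists entries that can never match because an earlier entry has identical criteria.

```python
# Added example: first-match evaluation of the ACL syntax subset used on this page.
# Assumption: sources are always "any"; destinations are "any" or "host A".
CONFIG = """\
access-list 108 deny ip any host 192.168.1.255
access-list 108 deny ip any host 192.168.1.0
access-list 108 permit ip any any
access-list 110 deny icmp any any echo
access-list 110 deny icmp any any redirect
access-list 110 deny icmp any any mask-request
access-list 110 permit icmp any any
access-list 112 deny udp any any range 33400 34400
access-list 112 permit udp any any range 33400 34400
"""

def parse(config):
    """Return {acl_number: [entry, ...]} with entries kept in configured order."""
    acls = {}
    for line in config.splitlines():
        tok = line.split()
        num, action, proto = int(tok[1]), tok[2], tok[3]
        rest = tok[5:]                       # tok[4] is the source, always "any" here
        dst = rest[1] if rest[0] == "host" else None
        rest = rest[2:] if dst else rest[1:]
        entry = {"action": action, "proto": proto, "dst": dst, "line": line,
                 "icmp": rest[0] if proto == "icmp" and rest else None,
                 "ports": (int(rest[1]), int(rest[2])) if rest[:1] == ["range"] else None}
        acls.setdefault(num, []).append(entry)
    return acls

def evaluate(entries, pkt):
    """Return (action, matching line); the first matching entry decides."""
    for e in entries:
        lo, hi = e["ports"] or (-1, 65535)   # no port clause: any packet passes this test
        if (e["proto"] in ("ip", pkt["proto"]) and e["dst"] in (None, pkt["dst"])
                and e["icmp"] in (None, pkt.get("icmp"))
                and lo <= pkt.get("dport", -1) <= hi):
            return e["action"], e["line"]
    return "deny", "implicit deny"           # every ACL ends with an implicit deny

def shadowed(entries):
    """Lines that can never match: an earlier entry has identical criteria."""
    keys = [(e["proto"], e["dst"], e["icmp"], e["ports"]) for e in entries]
    return [e["line"] for i, e in enumerate(entries) if keys[i] in keys[:i]]

ACLS = parse(CONFIG)

if __name__ == "__main__":
    smurf = {"proto": "icmp", "dst": "192.168.1.255", "icmp": "echo"}  # constructed packet
    print(evaluate(ACLS[108], smurf), shadowed(ACLS[112]))
```

Run against these lists, it shows that non-ICMP traffic checked against ACL 110 falls to the implicit deny, and that the second ACL 112 entry is never reached while both entries sit in the same list.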