Firewall Management Interface

Modern firewalls come with two administrative interfaces: the CLI, and the GUI (typically, but not necessarily, web based). This section provides an overview and some examples of these interfaces.

Managing Firewalls with a CLI

A CLI enables you to use a specific instruction set to configure the firewall. Most firewalls require the end user to perform the initial configuration through the CLI, entering basic network information such as the IP address, netmask, default gateway, and possibly an administrative password, before the end user can switch over to the GUI. Linux's NetFilter is for the most part configured through a CLI, although several products do exist that allow NetFilter-based firewalls to be configured through a GUI.

CLIs require knowledge of the command set of the firewall product. For example, configuring NetFilter with the iptables CLI to allow inbound Secure Shell (SSH), e-mail, and web traffic on TCP ports 22, 25, and 80 respectively, and to deny all other traffic, requires the configuration in Example 11-1.

Example 11-1. Configuring NetFilter with iptables

iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p tcp -s 0.0.0.0/0 --dport 22 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp -s 0.0.0.0/0 --dport 25 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp -s 0.0.0.0/0 --dport 80 -m state --state NEW -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited

Three details of this listing matter when you type it in. First, the INPUT policy is DROP: DENY was the ipchains keyword and is not a valid NetFilter policy, so iptables rejects it. Second, --reject-with is an option of the REJECT target and must come after -j REJECT. Third, the three port rules in the original example also carry a -d option naming the firewall's own address; that address is not preserved on this page, so the rules above match any local destination address, which is all the INPUT chain ever sees. The -s 0.0.0.0/0 source match means SSH is reachable from any address; restrict the source to your management networks where you can. The state match still works on current kernels, but -m conntrack --ctstate is the modern equivalent. Example 11-2 provides a similar configuration with the PIX command set.

Example 11-2. Configuring a PIX

gandalf(config)# access-list acl_test permit tcp any host eq ssh
gandalf(config)# access-list acl_test permit tcp any host eq smtp
gandalf(config)# access-list acl_test permit tcp any host eq 80
gandalf(config)#

On the PIX, the host keyword is followed by the address of the protected server; that address is not preserved on this page either, and the listing is cut off here. Note that an access-list on a PIX filters nothing until it is bound to an interface with access-group, so check that binding as well as the entries when reviewing a configuration.
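Because both CLIs express the same intent in different syntax, a useful check after typing either example is to dump the resulting configuration and audit it against the intended policy rather than trusting the commands you remember entering. The following is an added example, not code from the book or from this page: it parses a constructed iptables-save dump (the state NetFilter reaches after Example 11-1) and a constructed set of PIX access-list lines in the style of Example 11-2, extracts the inbound TCP ports each one permits, and compares both against the stated policy of TCP 22, 25 and 80 only. The PIX sample uses the documentation address 192.0.2.10 and contains a hypothetical stray entry for TCP 3389 so the audit has something to flag; the PIX service keyword table is an assumption covering only the keywords used here.

```python
"""Audit firewall rule dumps against the inbound policy described in the text.

Added example, not code from the book or the page. Both inputs below are
constructed samples, not captured from a real device.
"""
import re

INTENDED_PORTS = {22, 25, 80}

# PIX accepts service keywords in place of port numbers. Assumption: only the
# keywords this example needs are mapped.
PIX_SERVICE_PORTS = {"ssh": 22, "smtp": 25, "http": 80, "www": 80}

# Constructed sample of `iptables-save` output after Example 11-1 is applied.
# The destination host address is left out, as it is on the page.
IPTABLES_SAVE = """\
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

# Constructed PIX sample. 192.0.2.10 is a documentation address, and the
# fourth entry (TCP 3389) is a hypothetical stray rule the audit should flag.
PIX_CONFIG = """\
access-list acl_test permit tcp any host 192.0.2.10 eq ssh
access-list acl_test permit tcp any host 192.0.2.10 eq smtp
access-list acl_test permit tcp any host 192.0.2.10 eq 80
access-list acl_test permit tcp any host 192.0.2.10 eq 3389
"""


def audit_iptables(dump):
    """Return the INPUT chain policy, the TCP ports it accepts, and findings."""
    policy, ports, findings = None, set(), []
    for line in dump.splitlines():
        m = re.match(r":INPUT (\S+)", line)
        if m:
            policy = m.group(1)
            continue
        if not (line.startswith("-A INPUT") and " -j ACCEPT" in line):
            continue
        dport = re.search(r"--dport (\d+)", line)
        if "-p tcp" in line and dport:
            ports.add(int(dport.group(1)))
        elif "-i lo" in line or re.search(r"--state (RELATED|ESTABLISHED)", line):
            continue  # loopback and reply traffic are part of the intended policy
        else:
            findings.append("ACCEPT rule outside the intended policy: " + line)
    if policy != "DROP":  # DENY (ipchains) is not a NetFilter policy; DROP is
        findings.append("INPUT policy is %s, expected DROP" % policy)
    return {"policy": policy, "ports": ports, "findings": findings}


def audit_pix(config):
    """Return the TCP ports a PIX access list permits from any source, and findings."""
    ports, findings = set(), []
    for line in config.splitlines():
        m = re.match(r"access-list \S+ permit tcp any host \S+ eq (\S+)$", line)
        if not m:
            continue
        svc = m.group(1)
        port = int(svc) if svc.isdigit() else PIX_SERVICE_PORTS.get(svc)
        if port is None:
            findings.append("unmapped service keyword: " + svc)
        else:
            ports.add(port)
    return {"ports": ports, "findings": findings}


def compare(ports, intended=INTENDED_PORTS):
    """Ports opened beyond the intended policy, and intended ports left closed."""
    return {"extra": sorted(ports - intended), "missing": sorted(intended - ports)}


if __name__ == "__main__":
    for name, result in (("netfilter", audit_iptables(IPTABLES_SAVE)),
                         ("pix", audit_pix(PIX_CONFIG))):
        print(name, sorted(result["ports"]), compare(result["ports"]), result["findings"])
```

Run against the samples, the NetFilter dump passes cleanly while the PIX list is reported with TCP 3389 as an extra open port. Changing the sample's policy line to :INPUT ACCEPT produces the policy finding, which is the mistake the DENY keyword would otherwise hide behind an error message. On a real system, feed the script the output of iptables-save and of show running-config access-list instead of the constructed strings.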