Configuring the Firewall to Block Specific Websites

As a network administrator I regularly get reports from users that some website is serving malicious programs, with a request that we filter it. Our organisation reaches the Internet through a PIX 520 firewall that performs NAT, so the question becomes how to restrict access to particular IP addresses on the PIX 520. This article is written from my own working experience with exactly that task. (The network topology is shown in Figure 1.)

Figure 1: network topology
1. Finding the IP addresses behind a website

Suppose we want to block www.ttsou.cn. There are two ways to find the IP address the name resolves to. The first is to ping it:
    C:\>ping www.ttsou.cn

    Pinging www.ttsou.cn [58.61.155.44] with 32 bytes of data:

    Reply from 58.61.155.44: bytes=32 time=80ms TTL=116
    Reply from 58.61.155.44: bytes=32 time=78ms TTL=116
    Reply from 58.61.155.44: bytes=32 time=92ms TTL=116
    Reply from 58.61.155.44: bytes=32 time=85ms TTL=116

    Ping statistics for 58.61.155.44:
        Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
        Minimum = 78ms, Maximum = 92ms, Average = 83ms
This shows that www.ttsou.cn resolves to 58.61.155.44. The method has a weakness, though: if the name resolves to several IP addresses, ping can never show all of them, so a block based on it would be incomplete. nslookup solves this:
    C:\>nslookup
    Default Server:  ns.jncatv.net
    Address:  222.175.169.91

    > www.ttsou.cn
    Server:  ns.jncatv.net
    Address:  222.175.169.91

    Non-authoritative answer:
    Name:    www.ttsou.cn
    Address:  58.61.155.44

    > www.sina.com.cn
    Server:  ns.jncatv.net
    Address:  222.175.169.91

    Non-authoritative answer:
    Name:    hydra.sina.com.cn
    Addresses:  218.30.108.58, 218.30.108.59, 218.30.108.61, 218.30.108.62
              218.30.108.64, 218.30.108.65, 218.30.108.66, 218.30.108.67, 218.30.108.68
              218.30.108.69, 218.30.108.72, 218.30.108.73, 218.30.108.74, 218.30.108.55
              218.30.108.56, 218.30.108.57
    Aliases:  www.sina.com.cn, jupiter.sina.com.cn
The output confirms that www.ttsou.cn really does map to a single IP address, whereas a site such as www.sina.com.cn maps to a large number of addresses, every one of which would have to be covered by the block.
2. Checking how access lists are currently used on the PIX 520

Because Telnet access to the PIX 520 is restricted so that only the 192.168 network may log in, we first log in to the Layer 3 switch (192.168.3.1) and telnet to the firewall from there. Start by looking at the current configuration:
    telnet 192.168.201.1
    Trying 192.168.201.1 ... Open

    User Access Verification

    Password:
    Type help or '?' for a list of available commands.
    pixfirewall> en
    Password: ******
    pixfirewall# show run
    : Saved
    :
    PIX Version 6.2(2)
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    (remainder omitted)

For security reasons I will not list the full PIX configuration, only the parts relevant to this article. The two lines that matter here are:
    access-group acl_inside in interface outside
    access-group acl_inside in interface inside
So the access list currently applied is acl_inside. Next, look at how acl_inside is written:
    access-list acl_inside deny udp any any eq tftp
    access-list acl_inside deny tcp any any eq 135
    access-list acl_inside deny udp any any eq 135
    access-list acl_inside deny tcp any any eq 137
    access-list acl_inside deny udp any any eq netbios-ns
    access-list acl_inside deny tcp any any eq 138
    access-list acl_inside deny udp any any eq netbios-dgm
    access-list acl_inside deny tcp any any eq netbios-ssn
    access-list acl_inside deny udp any any eq 139
    access-list acl_inside deny tcp any any eq 445
    access-list acl_inside deny tcp any any eq 593
    access-list acl_inside deny tcp any any eq 4444
    access-list acl_inside permit ip any any
    access-list acl_inside permit tcp any any eq 1723
    access-list acl_inside permit gre any any
We can see that the existing access list only restricts certain ports and does not restrict access to any particular IP address. To be safe, we should first be clear about the access-list command syntax:
    pixfirewall(config)# access-list ?
    Usage:  [no] access-list compiled
            [no] access-list  compiled
            [no] access-list  deny|permit |object-group
                    | object-group  [[] | object-group ]
                    | object-group  [[] | object-group ]
            [no] access-list  deny|permit icmp
                    | object-group
                    | object-group  [ | object-group ]
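The two steps above, collecting every address a name resolves to and then adding deny entries to acl_inside, are brought together in the following Python script. It is an added example, not part of the original article or a Cisco tool: the ACL name acl_inside and the entries in CURRENT_ACL are copied from the article, while SAMPLE_DNS is a constructed lookup table that mirrors the article's nslookup output so the script runs offline (a live lookup via socket.getaddrinfo is used when no table is supplied). The PIX syntax it emits, access-list <id> deny ip any host <address>, blocks all traffic from any inside host to that address; note that a PIX ACL is evaluated top-down with first match wins, so a deny added after the existing permit ip any any would never be hit, and because PIX 6.2 appends each new access-list command to the end of the list, the list has to be re-entered in the new order.

```python
"""Added example (not from the article): collect every A record for a
hostname, then rebuild a PIX 6.x access list so the new deny entries are
matched before the catch-all permit.

Assumptions: the ACL name acl_inside and the entries in CURRENT_ACL are
copied from the article; SAMPLE_DNS is constructed to mirror the article's
nslookup output so the example runs offline."""
import socket
from typing import Callable, Iterable, List, Optional

# Constructed sample data, mirroring the nslookup output in the article.
SAMPLE_DNS = {
    "www.ttsou.cn": ["58.61.155.44"],
    "www.sina.com.cn": [
        "218.30.108.58", "218.30.108.59", "218.30.108.61", "218.30.108.62",
        "218.30.108.64", "218.30.108.65", "218.30.108.66", "218.30.108.67",
        "218.30.108.68", "218.30.108.69", "218.30.108.72", "218.30.108.73",
        "218.30.108.74", "218.30.108.55", "218.30.108.56", "218.30.108.57",
    ],
}

# The access list as it stands on the firewall, copied from the article.
CURRENT_ACL = [
    "access-list acl_inside deny udp any any eq tftp",
    "access-list acl_inside deny tcp any any eq 135",
    "access-list acl_inside deny udp any any eq 135",
    "access-list acl_inside deny tcp any any eq 137",
    "access-list acl_inside deny udp any any eq netbios-ns",
    "access-list acl_inside deny tcp any any eq 138",
    "access-list acl_inside deny udp any any eq netbios-dgm",
    "access-list acl_inside deny tcp any any eq netbios-ssn",
    "access-list acl_inside deny udp any any eq 139",
    "access-list acl_inside deny tcp any any eq 445",
    "access-list acl_inside deny tcp any any eq 593",
    "access-list acl_inside deny tcp any any eq 4444",
    "access-list acl_inside permit ip any any",
    "access-list acl_inside permit tcp any any eq 1723",
    "access-list acl_inside permit gre any any",
]


def _system_lookup(host: str) -> List[str]:
    """Live DNS lookup: every IPv4 address in the answer, like nslookup."""
    return [info[4][0] for info in socket.getaddrinfo(host, None, socket.AF_INET)]


def resolve_all(host: str, lookup: Optional[Callable[[str], Iterable[str]]] = None) -> List[str]:
    """Return all IPv4 addresses for host, deduplicated and sorted numerically.

    ping reports a single address; a name such as www.sina.com.cn answers
    with many, and a block that covers only one of them achieves little."""
    if lookup is None:
        lookup = _system_lookup
    addresses = set(lookup(host) or [])
    return sorted(addresses, key=lambda a: tuple(int(octet) for octet in a.split(".")))


def deny_lines(acl: str, addresses: Iterable[str]) -> List[str]:
    """One deny entry per address. 'ip any host X' blocks every protocol
    from any inside host to X; use 'tcp ... eq www' for a web-only block."""
    return [f"access-list {acl} deny ip any host {ip}" for ip in addresses]


def _action_fields(entry: str) -> List[str]:
    # "access-list <id> permit ip any any" -> ["permit", "ip", "any", "any"]
    return entry.split()[2:]


def catch_all_index(acl: List[str]) -> int:
    """Index of the first 'permit ip any any', or len(acl) if there is none."""
    for i, entry in enumerate(acl):
        if _action_fields(entry) == ["permit", "ip", "any", "any"]:
            return i
    return len(acl)


def shadowed_entries(acl: List[str]) -> List[str]:
    """Entries after the catch-all permit. The PIX evaluates an ACL top-down
    and stops at the first match, so these entries can never be hit."""
    return acl[catch_all_index(acl) + 1:]


def rebuild_acl(current: List[str], new_denies: List[str]) -> List[str]:
    """Insert the deny entries just before the catch-all permit.

    PIX 6.2 appends every 'access-list' command to the end of the list, so
    the list must be cleared and re-entered in this order (or the permit
    removed with 'no' and re-added after the new deny entries)."""
    idx = catch_all_index(current)
    return current[:idx] + new_denies + current[idx:]


if __name__ == "__main__":
    targets = resolve_all("www.ttsou.cn", SAMPLE_DNS.get)
    for line in rebuild_acl(CURRENT_ACL, deny_lines("acl_inside", targets)):
        print(line)
    print("shadowed:", shadowed_entries(CURRENT_ACL))
```

Two things the script makes visible that the article's listing does not: the two permit entries for port 1723 and GRE sit after permit ip any any and are therefore never evaluated, and a deny for 58.61.155.44 only works if it is placed in front of that catch-all. After re-entering the list, show access-list acl_inside on the PIX reports a hit count per entry, which is the quickest way to confirm the new deny is actually matching. Blocking by address is also only as durable as the DNS data it was built from: the site's address can change, and other sites hosted on the same address are blocked with it, so the resolution step should be repeated periodically.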
