Packet-filter firewall configuration example

Network requirements

As shown in Figure 114, the internal network of the company is connected to Ethernet 1/1 of the router, and internal users access the Internet through Serial 2/0 of the router.

The company provides WWW, FTP and Telnet services to the outside. The internal subnet of the company is 129.1.1.0, on which the internal FTP server address is 129.1.1.1, the Telnet server address is 129.1.1.2, and the internal WWW server address is 129.1.1.3. The public address of the company is 20.1.1.1. NAT is enabled on the router so that hosts on the internal network can access the Internet and external hosts can access the internal servers.

Configure the firewall feature so that only specific users on external networks can access the internal servers, and only specific hosts on the internal network can access external networks. In this example, the external user at 20.3.3.3 is permitted access.

Figure 114: Network diagram

Configuration procedure

# Enable the firewall function on the router.

<Router> system-view
[Router] firewall enable

# Create advanced ACL 3001.

[Router] acl number 3001

# Configure rules to permit specific hosts and the internal servers to access external networks.

[Router-acl-adv-3001] rule permit ip source 129.1.1.1 0
[Router-acl-adv-3001] rule permit ip source 129.1.1.2 0
[Router-acl-adv-3001] rule permit ip source 129.1.1.3 0
[Router-acl-adv-3001] rule permit ip source 129.1.1.4 0

# Configure a rule to deny all other IP packets from passing the firewall.

[Router-acl-adv-3001] rule deny ip
[Router-acl-adv-3001] quit

# Create advanced ACL 3002.

[Router] acl number 3002

# Configure a rule to allow a specific external user to access internal servers.

[Router-acl-adv-3002] rule permit tcp source 20.3.3.3 0 destination 129.1.1.0 0.0.0.255

# Configure a rule to permit only packets whose destination port number is greater than 1024 to enter the internal network.

[Router-acl-adv-3002] rule permit tcp destination 20.1.1.1 0 destination-port gt 1024
[Router-acl-adv-3002] rule deny ip
[Router-acl-adv-3002] quit

# Apply ACL 3001 to packets that come in through Ethernet 1/1.

[Router] interface ethernet 1/1
[Router-Ethernet1/1] firewall packet-filter 3001 inbound

# Apply ACL 3002 to packets that come in through Serial 2/0.

[Router-Ethernet1/1] quit
[Router] interface serial 2/0
[Router-Serial2/0] firewall packet-filter 3002 inbound
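To check what the two ACLs above actually let through before deploying them, the following Python model evaluates sample packets against the rule lines exactly as written in the procedure. This is an added example for verification, not router code or vendor software; it assumes first-match semantics, treats a wildcard of "0" as an exact match, and uses a "permit" fallback for packets that match no rule (an assumption that is never exercised here, because both ACLs end with "rule deny ip"). The sample packets are constructed for illustration.

```python
"""Evaluate the packet-filter ACLs from the configuration example (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Rule lines copied verbatim from the configuration procedure above.
ACL_3001 = [
    "rule permit ip source 129.1.1.1 0",
    "rule permit ip source 129.1.1.2 0",
    "rule permit ip source 129.1.1.3 0",
    "rule permit ip source 129.1.1.4 0",
    "rule deny ip",
]
ACL_3002 = [
    "rule permit tcp source 20.3.3.3 0 destination 129.1.1.0 0.0.0.255",
    "rule permit tcp destination 20.1.1.1 0 destination-port gt 1024",
    "rule deny ip",
]


@dataclass
class Rule:
    action: str                              # "permit" or "deny"
    proto: str                               # "ip" matches any protocol
    src: Optional[Tuple[str, str]] = None    # (address, wildcard)
    dst: Optional[Tuple[str, str]] = None    # (address, wildcard)
    dport_gt: Optional[int] = None           # destination-port gt N


def parse_rule(line: str) -> Rule:
    """Parse the subset of 'rule' syntax used in this example."""
    t = line.split()
    if t[0] != "rule" or t[1] not in ("permit", "deny"):
        raise ValueError(f"not a rule line: {line!r}")
    rule = Rule(action=t[1], proto=t[2])
    i = 3
    while i < len(t):
        if t[i] == "source":
            rule.src = (t[i + 1], t[i + 2])
        elif t[i] == "destination":
            rule.dst = (t[i + 1], t[i + 2])
        elif t[i] == "destination-port" and t[i + 1] == "gt":
            rule.dport_gt = int(t[i + 2])
        else:
            raise ValueError(f"unsupported keyword {t[i]!r} in {line!r}")
        i += 3
    return rule


def to_int(addr: str) -> int:
    # A bare "0" wildcard is shorthand for 0.0.0.0 (assumption).
    return int(ipaddress.IPv4Address(addr)) if "." in addr else int(addr)


def addr_matches(spec: Optional[Tuple[str, str]], addr: str) -> bool:
    if spec is None:
        return True
    base, wildcard = to_int(spec[0]), to_int(spec[1])
    # Wildcard bits set to 1 are "don't care" bits.
    return (to_int(addr) | wildcard) == (base | wildcard)


def rule_matches(rule: Rule, proto: str, src: str, dst: str, dport: Optional[int]) -> bool:
    if rule.proto != "ip" and rule.proto != proto:
        return False
    if not addr_matches(rule.src, src) or not addr_matches(rule.dst, dst):
        return False
    if rule.dport_gt is not None and (dport is None or dport <= rule.dport_gt):
        return False
    return True


def filter_packet(acl_lines, proto: str, src: str, dst: str, dport: Optional[int] = None) -> str:
    """Return 'permit' or 'deny' for a packet, using first-match evaluation."""
    for line in acl_lines:
        rule = parse_rule(line)
        if rule_matches(rule, proto, src, dst, dport):
            return rule.action
    return "permit"  # ASSUMPTION: fallback when no rule matches; never reached here


if __name__ == "__main__":
    # Constructed sample packets: (ACL, description, proto, src, dst, dport)
    samples = [
        (ACL_3001, "internal FTP server to Internet", "tcp", "129.1.1.1", "8.8.8.8", 80),
        (ACL_3001, "unlisted internal host to Internet", "tcp", "129.1.1.5", "8.8.8.8", 80),
        (ACL_3002, "permitted external user to WWW server", "tcp", "20.3.3.3", "129.1.1.3", 80),
        (ACL_3002, "other external host to WWW server", "tcp", "20.4.4.4", "129.1.1.3", 80),
        (ACL_3002, "reply to NAT address, high port", "tcp", "20.4.4.4", "20.1.1.1", 40000),
        (ACL_3002, "permitted user but UDP (not tcp)", "udp", "20.3.3.3", "129.1.1.1", 53),
    ]
    for acl, desc, proto, src, dst, dport in samples:
        print(f"{desc:40s} -> {filter_packet(acl, proto, src, dst, dport)}")
```

Two results worth noticing: ACL 3002 permits the user at 20.3.3.3 over TCP only, so UDP and ICMP from that host hit "rule deny ip", and the "destination-port gt 1024" rule admits any TCP packet to 20.1.1.1 on a high port regardless of source, which is what lets return traffic for NAT-translated sessions back in.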