Statskontoret 1995:6

Firewalls for connection to the Internet

Protection against unauthorised intrusion



Configuration of router Rf

Example configuration of router Rf according to section 8.4.3 of the report (figure 8).

The configuration has been extended with a host D connected to the LAN segment between Ra and Rf (the so-called LAN DMZ, which forms the boundary between the Internet operator and the agency).

The configuration is first described in a "high-level language" and then in Cisco's configuration language. The passwords appear as type 7 strings (service password-encryption); that encoding only obscures them and is reversible, so the configuration file itself must be kept confidential.

Comment lines begin with !


!;As comments, a description of the access lists in a higher-level
!;language than the actual configuration.
!;
!; multicast 224.0.0.0 15.255.255.255
!; loopback 127.0.0.0 0.255.255.255
!; Agency 	 193.0.1.0/24,	host A 193.0.1.1
!; Rf-host B	 193.0.2.0/24,	host B 193.0.2.1
!; DMZ (Rf-Ra)	 193.0.3.0/24,	host D 193.0.3.1 (NNTP host)
!; NTP servers	 192.36.143.150, 192.36.143.2
!;
!;Reference: figure 8 in section 8.4.3
!;output interface from Rf to host B
!;list 160
!deny ip multicast any
!deny ip B any
!deny ip loopback any
!permit tcp any B established
!permit tcp any B eq dns
!permit udp any B eq dns
!permit udp ntp-servers B eq ntp
!permit tcp any B eq www
!permit tcp any B eq smtp
!permit tcp any B eq gopher
!permit tcp D B eq nntp
!permit tcp any B gt 1023 
!
!;output interface from Rf towards host A (and the agency)
!;Host B is external DNS server, FTP proxy, NNTP server,
!;and SMTP relay to host A
!;list 161
!permit tcp B agency established
!permit udp B A eq dns
!permit udp B any eq ntp
!permit tcp B A eq dns
!permit tcp B A eq smtp
!permit tcp B agency gt 1023
!
!;output interface from Rf towards DMZ
!;only allow packets relayed from host B
!;list 162
!permit tcp B any established
!permit tcp B any eq smtp
!permit tcp B any eq dns
!permit udp B any eq dns		;not present in access-list 162 below
!permit tcp B D eq nntp
!permit udp B ntp-servers eq ntp
!permit tcp B any eq www
!permit tcp B any eq gopher
!permit tcp B any gt 1023
!
!;input interface from DMZ
!;stop IP address spoofing and block anything not going to B
!;list 163
!deny ip agency any
!deny ip loopback any
!deny ip multicast any
!permit ip any B
!
!------------------------------------------------------------
!
!Here begins the configuration of Rf, based on Cisco's
!configuration language
!
!------------------------------------------------------------
version 10.3
no service finger
no service pad
service timestamps debug uptime
service password-encryption
no service tcp-small-servers
!
hostname rf
!
boot system flash 
enable password 7 060506324F41
!
no ip source-route
!
interface Ethernet0
 description ethernet to host B
 ip address 193.0.2.254 255.255.255.0
 ip access-group 160 out
 no ip redirects
 no ip proxy-arp
!
interface Ethernet2
 description ethernet to the agency
 ip address 193.0.1.254 255.255.255.0
 ip access-group 161 out
 no ip redirects
 no ip proxy-arp
!
interface Ethernet1
 description ethernet to DMZ and router Ra
 ip address 193.0.3.253 255.255.255.0
 ip access-group 163 in
 ip access-group 162 out
 no ip redirects
 no ip proxy-arp
 bandwidth 64
!
router rip
 network 193.0.1.0
 redist static
 default-metric 1
 distance 240
!
ip domain-name Myndigheten.Se
ip name-server 192.36.143.3
ip route 0.0.0.0 0.0.0.0 193.0.3.254
!
access-list 160 deny   ip 224.0.0.0 15.255.255.255 any
access-list 160 deny   ip 127.0.0.0 0.255.255.255 any
access-list 160 deny   ip host 193.0.2.1 any
access-list 160 permit tcp any host 193.0.2.1 established
access-list 160 permit tcp any host 193.0.2.1 eq domain
access-list 160 permit udp any host 193.0.2.1 eq domain
access-list 160 permit udp host 192.36.143.150 host 193.0.2.1 eq ntp
access-list 160 permit udp host 192.36.143.2 host 193.0.2.1 eq ntp
access-list 160 permit tcp any host 193.0.2.1 eq www
access-list 160 permit tcp any host 193.0.2.1 eq smtp
access-list 160 permit tcp any host 193.0.2.1 eq gopher
access-list 160 permit tcp host 193.0.3.1 host 193.0.2.1 eq nntp
access-list 160 permit tcp any host 193.0.2.1 gt 1023
access-list 161 permit tcp host 193.0.2.1 193.0.1.0 0.0.0.255 established
access-list 161 permit udp host 193.0.2.1 host 193.0.1.1 eq domain
access-list 161 permit udp host 193.0.2.1 any eq ntp
access-list 161 permit tcp host 193.0.2.1 host 193.0.1.1 eq domain
access-list 161 permit tcp host 193.0.2.1 host 193.0.1.1 eq smtp
access-list 161 permit tcp host 193.0.2.1 193.0.1.0 0.0.0.255 gt 1023
access-list 162 permit tcp host 193.0.2.1 any established
access-list 162 permit tcp host 193.0.2.1 any eq smtp
access-list 162 permit tcp host 193.0.2.1 any eq domain
access-list 162 permit tcp host 193.0.2.1 any eq www
access-list 162 permit tcp host 193.0.2.1 any eq gopher
access-list 162 permit tcp host 193.0.2.1 any gt 1023
access-list 162 permit tcp host 193.0.2.1 host 193.0.3.1 eq nntp
access-list 162 permit udp host 193.0.2.1 host 192.36.143.150 eq ntp
access-list 162 permit udp host 193.0.2.1 host 192.36.143.2 eq ntp
access-list 163 deny   ip 193.0.1.0 0.0.0.255 any
access-list 163 deny   ip 127.0.0.0 0.255.255.255 any
access-list 163 deny   ip 224.0.0.0 15.255.255.255 any
access-list 163 permit ip any host 193.0.2.1
!
line con 0
 password 7 045802150C2E
 login
!
end
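As an added example (not part of Statskontoret 1995:6 or of any Cisco tool), the following Python script parses the four access lists exactly as printed in the Rf configuration above and evaluates constructed packets against them with IOS semantics: first match wins, every list ends with an implicit deny, wildcard-mask addressing, and `established` matching any TCP segment that has ACK or RST set. The lists a packet crosses are taken from the interface stanzas: inbound 163 then outbound 160 for DMZ to host B, inbound 163 then outbound 161 for DMZ to the agency, 161 alone from host B to the agency, and 162 alone for anything leaving toward the DMZ. The addresses 198.51.100.7 (an arbitrary Internet host), 193.0.1.20 and 193.0.1.50 (agency hosts) are constructed for the checks and do not appear in the report.

```python
"""Evaluate constructed packets against the four Rf access lists (added example, not from the report)."""
import ipaddress
from collections import namedtuple

PORTS = {"domain": 53, "smtp": 25, "www": 80, "gopher": 70, "nntp": 119, "ntp": 123}   # names IOS resolves
CMP = {"eq": lambda a, b: a == b, "gt": lambda a, b: a > b, "lt": lambda a, b: a < b, "neq": lambda a, b: a != b}
_ip = lambda s: int(ipaddress.IPv4Address(s))

ACL_TEXT = """\
access-list 160 deny   ip 224.0.0.0 15.255.255.255 any
access-list 160 deny   ip 127.0.0.0 0.255.255.255 any
access-list 160 deny   ip host 193.0.2.1 any
access-list 160 permit tcp any host 193.0.2.1 established
access-list 160 permit tcp any host 193.0.2.1 eq domain
access-list 160 permit udp any host 193.0.2.1 eq domain
access-list 160 permit udp host 192.36.143.150 host 193.0.2.1 eq ntp
access-list 160 permit udp host 192.36.143.2 host 193.0.2.1 eq ntp
access-list 160 permit tcp any host 193.0.2.1 eq www
access-list 160 permit tcp any host 193.0.2.1 eq smtp
access-list 160 permit tcp any host 193.0.2.1 eq gopher
access-list 160 permit tcp host 193.0.3.1 host 193.0.2.1 eq nntp
access-list 160 permit tcp any host 193.0.2.1 gt 1023
access-list 161 permit tcp host 193.0.2.1 193.0.1.0 0.0.0.255 established
access-list 161 permit udp host 193.0.2.1 host 193.0.1.1 eq domain
access-list 161 permit udp host 193.0.2.1 any eq ntp
access-list 161 permit tcp host 193.0.2.1 host 193.0.1.1 eq domain
access-list 161 permit tcp host 193.0.2.1 host 193.0.1.1 eq smtp
access-list 161 permit tcp host 193.0.2.1 193.0.1.0 0.0.0.255 gt 1023
access-list 162 permit tcp host 193.0.2.1 any established
access-list 162 permit tcp host 193.0.2.1 any eq smtp
access-list 162 permit tcp host 193.0.2.1 any eq domain
access-list 162 permit tcp host 193.0.2.1 any eq www
access-list 162 permit tcp host 193.0.2.1 any eq gopher
access-list 162 permit tcp host 193.0.2.1 any gt 1023
access-list 162 permit tcp host 193.0.2.1 host 193.0.3.1 eq nntp
access-list 162 permit udp host 193.0.2.1 host 192.36.143.150 eq ntp
access-list 162 permit udp host 193.0.2.1 host 192.36.143.2 eq ntp
access-list 163 deny   ip 193.0.1.0 0.0.0.255 any
access-list 163 deny   ip 127.0.0.0 0.255.255.255 any
access-list 163 deny   ip 224.0.0.0 15.255.255.255 any
access-list 163 permit ip any host 193.0.2.1
"""

# ack=True models a TCP segment with ACK or RST set, which is all that `established` tests
Packet = namedtuple("Packet", "proto src dst dport ack", defaults=(0, False))
Rule = namedtuple("Rule", "action proto src dst port_op port established")   # src/dst: (address, wildcard)

def _addr(tokens):
    """Consume `any`, `host X` or `X WILDCARD`; return ((address, wildcard), remaining tokens)."""
    if tokens[0] in ("any", "host"):
        return ((0, 0xFFFFFFFF), tokens[1:]) if tokens[0] == "any" else ((_ip(tokens[1]), 0), tokens[2:])
    return (_ip(tokens[0]), _ip(tokens[1])), tokens[2:]

def parse_acls(text):
    """Return {list number: [Rule, ...]} in configured order."""
    acls = {}
    for t in [line.split() for line in text.splitlines() if line.startswith("access-list")]:
        num, action, proto, rest = int(t[1]), t[2], t[3], t[4:]
        src, rest = _addr(rest)
        dst, rest = _addr(rest)          # no Rf entry carries a source-port qualifier
        op = port = None
        if rest and rest[0] in CMP:
            op, port, rest = rest[0], int(PORTS.get(rest[1], rest[1])), rest[2:]
        acls.setdefault(num, []).append(Rule(action, proto, src, dst, op, port, "established" in rest))
    return acls

def matches(rule, pkt):
    in_range = lambda spec, ip: (_ip(ip) | spec[1]) == (spec[0] | spec[1])   # wildcard bits are don't-care
    if rule.proto not in ("ip", pkt.proto) or not (in_range(rule.src, pkt.src) and in_range(rule.dst, pkt.dst)):
        return False
    if rule.port_op and not CMP[rule.port_op](pkt.dport, rule.port):
        return False
    # `established` is not connection tracking: any segment with ACK or RST set qualifies
    return not rule.established or (pkt.proto == "tcp" and pkt.ack)

def evaluate(acl, pkt):
    """First matching entry decides; every IOS access list ends with an implicit deny."""
    for rule in acl:
        if matches(rule, pkt):
            return rule.action
    return "deny"

def forward(acls, lists, pkt):
    """Verdict for a packet crossing Rf, given the in/out lists on its path (from the interface stanzas)."""
    return "permit" if all(evaluate(acls[n], pkt) == "permit" for n in lists) else "deny"

def policy_checks(acls):
    A, B, D, NET = "193.0.1.1", "193.0.2.1", "193.0.3.1", "198.51.100.7"   # NET: constructed Internet host
    dmz_to_b, dmz_to_agency, b_to_agency, to_dmz = (163, 160), (163, 161), (161,), (162,)
    return {
        "spoofed_agency_source_from_dmz": forward(acls, dmz_to_b, Packet("tcp", "193.0.1.50", B, 25)),
        "smtp_internet_to_B": forward(acls, dmz_to_b, Packet("tcp", NET, B, 25)),
        "nntp_internet_to_B": forward(acls, dmz_to_b, Packet("tcp", NET, B, 119)),
        "nntp_D_to_B": forward(acls, dmz_to_b, Packet("tcp", D, B, 119)),
        "www_internet_to_agency": forward(acls, dmz_to_agency, Packet("tcp", NET, "193.0.1.20", 80)),
        "www_agency_direct_to_internet": forward(acls, to_dmz, Packet("tcp", "193.0.1.20", NET, 80)),
        "smtp_B_relay_to_A": forward(acls, b_to_agency, Packet("tcp", B, A, 25)),
        "telnet_internet_to_B": forward(acls, dmz_to_b, Packet("tcp", NET, B, 23)),
        "ack_only_internet_to_B_telnet": forward(acls, dmz_to_b, Packet("tcp", NET, B, 23, ack=True)),
        "x11_internet_to_B": forward(acls, dmz_to_b, Packet("tcp", NET, B, 6000)),
        "dns_udp_B_to_internet": forward(acls, to_dmz, Packet("udp", B, NET, 53)),
    }
```

Calling `policy_checks(parse_acls(ACL_TEXT))` confirms the anti-spoofing entry on list 163 and that the agency LAN is reachable only through host B, and it surfaces three things to weigh before copying this design: `established` is stateless, so a bare ACK segment to any port on host B is forwarded (telnet without ACK is denied, with ACK it is permitted); `gt 1023` admits new connections to every high port on B, port 6000 included; and outbound UDP DNS from B, which the high-level description permits, is absent from access-list 162 as printed, so an entry such as `access-list 162 permit udp host 193.0.2.1 any eq domain` would be needed for B to resolve Internet names over UDP.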



Jan Berner Statskontoret/Stattel,
Peo Haettner FMV/TelekomS,
Peter Löthberg STUPI

Last updated: 1995-05-25
HTML adaptation: ulla@stupi.se