众至防火墙说明

防火墙使用和维护规定一、引言随着现代网络的快速发展，网络安全问题日益突出。

为了保护企业机密信息和个人隐私数据，防火墙作为一种网络安全设备被广泛应用。

本文将介绍防火墙的使用和维护规定，旨在帮助企业建立安全可靠的网络环境。

二、防火墙的使用规定1. 安全策略定义：企业应根据实际情况制定具体的安全策略，明确允许和禁止的网络通信规则，并将其配置到防火墙中。

2. 过滤规则设置：防火墙应按照安全策略进行配置，对进出企业网络的数据包进行过滤。

限制对非授权服务和协议的访问，并严格审查和阻断恶意攻击。

3. 网络分区设置：根据企业的网络结构和需求，将网络划分为不同的安全区域，并为每个区域分配相应的访问控制策略，实现网络隔离和流量控制。

4. 日志记录与监控：防火墙应具备完善的日志记录和监控功能，及时发现和处理异常行为。

管理员应定期查看日志，并进行分析和处理有关的安全事件。

5. 保密措施：防火墙的配置信息应妥善保管，只有授权人员才能进行配置和管理操作。

管理员应定期更换密码，并注意定期备份和更新防火墙的配置文件。

三、防火墙的维护规定1. 定期更新安全策略：随着企业网络环境的变化，安全策略需要不断调整和更新。

管理员应定期评估和优化安全策略，确保其与企业的需求保持一致。

2. 硬件和软件维护：防火墙设备的硬件和软件需要定期进行检查和维护。

管理员应密切关注厂商发布的安全补丁和更新，并及时进行安装和升级。

3. 性能监测和优化：定期监测防火墙的性能指标，如处理速度、负载情况等。

根据监测结果，进行相应的调整和优化，确保防火墙的正常运行。

4. 事件响应与处理：及时响应和处理防火墙相关的安全事件。

一旦发现异常行为或入侵尝试，应立即采取措施进行应对，防止安全事件进一步扩大。

5. 培训和意识提升：管理员和员工应接受相关的培训，提高防火墙使用和维护的技能和意识。

定期组织安全意识教育活动，加强员工对网络安全的重视。

四、总结防火墙的使用和维护规定对于建立安全可靠的网络环境至关重要。

DCFW-1800G/E/S系列防火墙简易使用手册神州数码网络集团客服中心技术支持部第1章硬件说明 (4)第2章安装前准备 (4)2.1通过控制台接入防火墙（CLI） (4)2.2SSH远程管理方法 (4)2.3WEB页面管理方法 (5)2.4防火墙密码恢复方法 (6)2.5恢复出厂配置方法 (7)2.6防火墙升级方法 (8)2.7恢复备份版本方法 (10)2.8更改逻辑端口同物理端口对应关系方法 (11)2.9防火墙当前运行配置下载方法 (12)2.10防火墙出厂默认配置 (13)第3章功能配置 (13)3.1防火墙接口IP地址更改方法 (14)3.2防火墙默认网关配置方法 (15)3.3防火墙静态路由添加方法 (15)3.4服务（端口）添加方法（3.6及之前版本） (16)3.5安全规则添加方法（3.6及之前版本） (16)3.6动态NAT配置方法（3.6及之前版本） (18)3.7静态NAT配置方法（3.6及之前版本） (18)3.8端口映射配置方法（3.6及之前版本） (19)3.9日志记录方法（3.6及之前版本） (19)3.10源地址路由配置方法（3.6及之前版本） (26)第4章典型应用 (31)4.1常用路由模式的配置（3.6及之前版本） (31)4.2防火墙做PPTP拨号服务器的配置（3.6及之前版本） (42)4.3如何封堵病毒端口（3.6及之前版本） (48)关于本手册本手册主要介绍DCFW-1800G/E/S防火墙的常用配置方法，并举例进行说明，希望能够帮助用户快速的了解和使用DCFW-1800G/E/S防火墙。

如果系统升级，本手册内容进行相应更新，恕不事先通知。

第1章硬件说明无第2章安装前准备2.1 通过控制台接入防火墙（CLI）z将DCFW-1800防火墙console线缆一端和防火墙控制台端口相连，另一端与计算机的串口相连。

z打开计算机超级终端，将串口设置为如下模式：9600波特率，8个数据位，无奇偶校验位，1个停止位，无流控。

信息技术选修2粤教版简易防火墙的设置及使用一、概述信息技术的发展给我们的生活带来了很多便利，但同时也伴随着一些安全隐患。

学会如何保护个人或组织的网络安全显得尤为重要。

而防火墙作为网络安全的重要组成部分，其设置和使用对于保护我们的网络安全起着至关重要的作用。

本文将介绍信息技术选修2中，粤教版简易防火墙的设置及使用方法。

二、背景知识1. 什么是防火墙？防火墙是一种用来保护计算机和网络安全的技术，它可以监控数据流量，控制进出网络的访问，并且根据事先设定的规则来过滤信息。

防火墙能够阻止一些网络攻击，保护计算机和网络的安全。

2. 粤教版简易防火墙粤教版简易防火墙是一种比较容易设置和使用的防火墙软件，适用于小型网络或个人使用。

它提供了一定的网络安全保护功能，可以帮助用户防止一些常见的网络攻击，比如黑客入侵、病毒攻击等。

三、粤教版简易防火墙的设置方法1. 下载并安装我们需要在冠方全球信息站上下载粤教版简易防火墙的安装包，并按照提示进行安装。

安装完成后，将在桌面上生成一个快捷方式图标，双击该图标即可打开防火墙软件。

2. 设置网络连接在打开软件后，我们需要点击“网络连接”选项，在弹出的对话框中选择需要保护的网络连接，然后点击“确定”按钮。

3. 设置防火墙规则在软件的主界面中，我们可以点击“防火墙规则”选项，然后根据需要添加规则。

可以根据具体情况设置允许或者拒绝特定的访问。

4. 开启防火墙保护设置好规则后，我们可以点击“启动防火墙”按钮，使防火墙开始保护我们的网络安全。

四、粤教版简易防火墙的使用方法1. 查看防火墙日志在软件主界面中，我们可以点击“防火墙日志”选项，查看防火墙工作时记录的日志信息。

这些信息可以帮助我们了解网络攻击情况，及时采取相应的防护措施。

2. 更新防火墙规则防火墙的规则需要根据实际情况进行及时更新，以保证网络安全。

我们可以点击“更新规则”选项，下载最新的规则库并进行更新。

3. 关闭防火墙在一些特殊情况下，我们可能需要临时关闭防火墙。

防火墙操作手册防火墙操作手册提供了防火墙的基本配置和管理指南，以帮助用户保护网络安全和防止未经授权的访问。

以下是一些通用的防火墙操作手册步骤：1. 了解防火墙基础知识：防火墙是在计算机网络中起到保护网络安全的关键设备。

在进行防火墙的操作和配置之前，首先需要了解防火墙的基础概念、类型和工作原理。

2. 确定安全策略：为了保护网络安全，需要制定合适的安全策略。

安全策略定义了哪些网络流量是允许的，哪些是被阻止的。

这些策略可以基于端口、IP地址、协议等进行配置，并且应该针对网络中的不同角色（例如内部和外部网络）进行细分。

3. 发现并关闭未使用的端口：未使用的端口是网络攻击的潜在入口，应该通过关闭或屏蔽这些端口来减少风险。

4. 配置访问控制列表（ACL）：ACL是一组定义哪些网络流量被允许或被阻止的规则。

可以根据需要创建ACL，并将其应用到特定的网络接口上。

5. 设置入站和出站规则：入站规则用于控制从外部网络进入内部网络的网络流量，而出站规则用于控制从内部网络进入外部网络的流量。

确保只有经过授权的流量能够通过防火墙。

6. 定期更新防火墙规则：随着网络的变化，防火墙规则也需要进行定期更新和优化。

监控网络流量，并相应地更新防火墙规则，同时也要定期审查并关闭不再需要的规则。

7. 进行日志和监控：启用防火墙的日志和监控功能，可以记录和监控网络流量，以便及时检测和应对潜在的网络攻击和安全事件。

8. 进行实时更新和维护：及时更新防火墙的软件和固件版本，以确保兼容性和安全性。

定期进行安全审核和漏洞扫描，以发现和修复潜在的安全漏洞。

以上是一般的防火墙操作手册步骤，具体的操作细节可能根据不同的防火墙品牌和型号有所不同。

因此，在实际进行防火墙操作之前，还应参考相应的产品手册和文档进行详细了解和指导。

Eaton Electric Limited,Great Marlings, Butterfield, Luton Beds, LU2 8DL, UK.Tel: + 44 (0)1582 723633 Fax: + 44 (0)1582 422283E-mail:********************© 2016 EatonAll Rights ReservedPublication No. EPS 937x-FB-Px-SS Rev 5November 2016The 937x-FB Fieldbus Barriers are field-mounted wiring hubs that create up to twelve intrinsically safe spur connections from a high-energy trunk, for connection to suitably certified F oundation ™ fieldbus H1 instruments. Capable of supporting heavily loaded fieldbus segments and long trunk cable lengths, 937x-FB barriers may be installed in Zone 1 (gas) or Zone 21 (dust) hazardous areas, with the trunk wiringimplemented using suitably protected cable and increased safety (Ex e) connection facilities.Each intrinsically safe spur is capable of supporting aFISCO or ‘Entity’ certified fieldbus device located in a Zone 0 or 1 hazardous area. The short-circuit protected spurs are galvanically isolated from the trunk and require no protective ground connection in the field.Unlike conventional Fieldbus Barrier products that are based on stand-alone modules, the 937x-FB-Px-SS units are supplied as complete, factory-assembled enclosure systems in stainless steel material that do not require additional wiring, customised housings or complex ancillary components. Electrical and mechanical aspects of the design are integrated, providing the industry’s first complete, ergonomic solution for ‘High Energy Trunk’ applications in hazardous areas combined with an enclosure ‘footprint’ up to 40% smaller than existing implementations.937x-FB-Px-SS rangeMTL fieldbus barrier, 6 and 12 spur, stainless steel enclosuresUniquely, the key modular components of the system (Fieldbus Barrier, Terminator and Surge Protectors) may be ‘hot-plugged’ by design and without gas-clearance procedures or separate isolating switches. This virtually eliminates the risk associated with hazardous area maintenance activities, speeds modulereplacement and avoids the need for specialist operator training.Optional features include pluggable surge protection components for the fieldbus trunk and individual spurs.Connection facilities with generous room for cable management are provided within the Fieldbus Barrier enclosure for the trunk and spur wiring. Where appropriate, the trunk wiring may be extended from one Fieldbus Barrier enclosure to another.For added flexibility , a 12-way enclosure can be specified part-populated with 6-spurs (model no. 9374-FB). This permits future expansion from six to twelve spurs simply by plugging in an additional Fieldbus Barrier module.The 937x-FB Fieldbus Barrier is bus-powered and requires no additional power supply in the field. When used with a fieldbus host control system, power for the trunk may be provided by MTL power supplies in redundant or non-redundant format.• For F oundation ™ fieldbus networks in hazardous areas• Complete enclosure systems for 6 or 12 intrinsically safe spur connections • Mount in Zone 1 (gas) or 21 (dust) with spurs connected into Zone 0• Compatible with FISCO and Entity-certified fieldbus instruments• Compact, modular construction • Ergonomic mechanical design • Pluggable system components, without ‘gas free’ constraints• Optional, integrated surge protectionfor trunk and spurs1(Surge protection and cable glands shown are not included as standard)2Fieldbus terminatorPlug-in module (part number 9378-FT) supplied with each 937x-FB enclosure.Provides 100Ω + 1μF according to IEC 61158-2 - see separate specification Trunk surge protectionPlug-in module (part number 9376-SP) - see separate specification Reverse polarity protectionYesELECTRICAL CONNECTIONSTrunk wiring terminalsType: Ex e Spur field wiring terminalsType: 3-way, pluggable Grounding of cable screens (trunk & spurs)(Configured with wire connections in the Trunk Terminal Assembly)Trunk and spur cable shields are not interconnected within 9377-FB-R module itself.Equipotential earth/ground connection facilityM10 earth/grounding stud on side wall of enclosureBARRIER LED INDICATORSTrunk Power (PWR)Spurs (tri-colour, per spur)SPECIFICATIONSPURSNo. of spurs 612 6 (+6)No. of 9377-FB-Rmodules installed 12 1 (+1)Current per spur 0 - 32mA 0 - 32mA 0 - 32mA Total currentall spurs (max.)192mA 384mA 192 (+192)mACurrent limit per spur (max.) 45mA Spur short circuit current (max.) 4.5mA Spur voltage @ 20°C ≥ 10V @ 40mA No-load voltage 12V min.Number of field devices1 per spurMaximum spur length120m (depending on the number of spurs per fieldbus segment)Galvanic isolation (to EN 60079-11)Trunk to spurs: 1.5kV (test voltage)Spur to spur: no isolation Module to module: 30VSpur surge protectionPlug-in module (part number FS32) - see separate specification* See ordering informationTRUNKData rate31.25kBaudData transmission between trunk and spurspassive, no repeater function Number of trunk connections2 (in & out), internally connectedMaximum number of 9377-FB-R modules per segment3 (total 18 spurs)Input voltage range (trunk)16–32V DCVoltage drop (trunk in to trunk out)0VMaximum rated current (trunk in to trunk out)5A Low voltage monitoringInput voltage < 16V, spurs de-energized DC current consumption for6 spur (9371-FB) and 12 spur (9373-FB) units (mA)Power dissipation (max.)All spurs at 32mA9371-F B9373-F B9374-F B *(ex pa n d ab l e )PHYSICAL NETWORKSIEC61158-2F oundation ™ fieldbus H1Profile type (according to FF-816)Type 163 (isolated device coupler)Designed to comply with FF-846HAZARDOUS AREA APPROVALSLocation of equipmentSafe area or Zone 1 IIC T4 or Zone 21 hazardous area Location of connected spur equipmentSafe area or Zone 0 IIC hazardous area Certification codesE II 2(1) GDEx d e ib mb [ia Ga] IIC T4 Gb Ex tb IIIC T80°C Db Certificate numbersBaseefa 09 ATEX0185X IECEx BAS09.0082XSafety description (spurs)U o= 17.5V I o peak = 249.5mA I o continuous = 113mA P o = 982mW U i = 17.5V C i = 0 L i = 0Spurs in accordance with FISCO specificationENVIRONMENTALAmbient temperature (system)Ambient temperature (9377-FB-R module)–40°C ... +75°C Relative humidity< 95%, non-condensing Electromagnetic compatibilityEN 61326 – 1:2006NAMUR NE 21Shock & VibrationVibration:BS EN 60068-2-6: 2008 Test Fc: 1g BS EN 60068-2-64: 1995 Test Fh: 1g Shock:BS EN 60068-2-27: 1993 Test Ea: 15gMECHANICALEnclosure Materials 316L Stainless SteelMounting position (recommended)On vertical plane, with glands and breather on underside Cable/Breather entriesTrunk: 2 x M20Spurs: 6 or 12 (depending on model) x M20Breather 1 x M20Enclosures are pre-fitted with an Ex e nickel-plated breather and Ex e nickel-plated brass plugs in all cable gland holes. The gland plugs must be replaced only with Ex e equipment certified cable glands capable of maintaining the IP level of the enclosure type. See ordering information for gland options.Ingress ProtectionStainless steel enclosures (937x-FB-xx-SS): IP66Intrinsically safe terminals : IP20Ex e terminals: IP30Enclosure sizes - see dimension drawings for detailsStainless steel, 6 spurs 291 x 271x 130mm Stainless steel, 12 spurs 428 x 271x 130mm Enclosure Weights†9373-FB-xx-SS 8.439374-FB-xx-SS7.48† excludes any cable glands or surge protection itemsORDERING INFORMATIONOrder as:9371-FB-xx-SS 6-spur Fieldbus Barrier enclosure system with one 6-spur 9377-FB-R module installed.9373-FB-xx-SS12-spur Fieldbus Barrier enclosure system withtwo 6-spur 9377-FB-R modules installed.9374-FB-xx-SS12-spur Fieldbus Barrier enclosure system withone 6-spur 9377-FB-R module installed. (Expandable to 12-spur by addition of a second 9377-FB module)Where xx =PS (pluggable screw terminal connectors) PC (pluggable spring clamp connectors)(Note: All enclosures are pre-wired and include a 9378-FT Fieldbus terminator module)9377-FB-R Fieldbus Barrier 6-spur, pluggable module 9378-FT Fieldbus terminator9376-SP Trunk surge protection module FS32Spur surge protection moduleCABLE GLANDSThe following M20 cable glands are Ex e equipment certified, better than IP66 rated and suitable for use with the 9370-F B F ieldbus Barriers. They can be supplied separately and are available toorder individually using the following part numbers.FCS-1000-C20Nickel-plated brass glandFCS-1000-A20Armoured nickel-plated brass gland FCS-1000-S20Stainless steel glandFCS-1000-R20Armoured stainless steel glandASSOCIATED LITERATUREInstruction Manual - stainless steel enclosures INM937x-SSEUROPE (EMEA): +44 (0)1582 723633 ********************THE AMERICAS: +1 800 835 7075*********************ASIA-PACIFIC: +65 6 645 9888***********************The given data is only intended as a productdescription and should not be regarded as a legal warranty of properties or guarantee. In the interest of further technical developments, we reserve the right to make design changes.Eaton Electric Limited,Great Marlings, Butterfield, Luton Beds, LU2 8DL, UK.Tel: + 44 (0)1582 723633 Fax: + 44 (0)1582 422283E-mail:********************© 2016 EatonAll Rights ReservedPublication No. EPS 937x-FB-Px-SS Rev 5 071116November 2016DIMENSIONS (mm)Mounting holes: SSmodels:- Ø 10.8mm.9373-FB-xx-SS 9374-FB-xx-SS。

众至UR-3500 UTM+记录器1. 主机型号：UR-35002. 支持6个10/100/1000千兆口，4WAN、1LAN、1DMZ（DMZ可以转换为WAN口）。

无使用人数限制。

3. 支持LED显示功能，独有的LED显示屏。

通过手动操作对设备进行维护，如：关机、重启、查看各种服务运行状态、关闭开启各种服务、查看Ip等等。

4. 内存、硬盘可以增加，SATA 250G硬盘5. 支持IPV4/IPV66. 最大处理速度(NAT双向)达到2000Mbps.7. 支持NAT、路由模式、透明模式。

8. 支持多网段，时间化、群组化、自定义等管理，严格的条例管制功能。

9. 可设置登入、首页、浏览器标题、可更新LOGO。

提升单位形象。

10. 最多支持次管理员64位，读、写、查看、all权限。

11. 在系统还原时，可以针对WAN的设置进行保留操作。

12. 支持HTTP、HTTPS远程管理，超时自动退出。

管理IP地址限制。

13. 支持LAN、DMZ、WAN互相管制功能。

14. 支持IP与ＭＡＣ自定义、服务端口自定义、时间自定义功能。

15. 支持网页管制、虚拟服务器、ＩＰ对应功能。

16. 支持LAN和DMZ分别启用DHCP功能、指定获取固定IP。

17. 支持DNS服务器功能。

18. 支持SPI的防火墙功能及HTTP及FTP在线扫毒功能，自动侦测和阻挡SYN Flood (DOS或DDOS)、Ping of Death(ICMP)、UDPFlood、Port Scan等黑客攻击方法，并将攻击者及被攻击的对象IP 地址、Port 列表，不论是黑客还是病毒，统统现形。

19. 详细记录WEB、FTP、MSN、IM、邮件内容详细记录每一使用者(以计算机名称、IP地址、MAC地址、流量)浏览网站起始时间、笔数与网站地址。

使用者以FTP下载，可详细记录其下载地址(以计算机名称、IP地址、MAC地址)与下载内容。

使用者使用MSN聊天(聊天对象、聊天起始时间…)、传文件完整纪录，并且可以搜寻个人使用者MSN清单上所有联络人员名称。

六大主流防火墙正确设置技巧最近，果冻接到了好几个同事的“投诉”，他们反映无法通过网上邻居对草莓的共享文件夹进行访问，果冻在自己的电脑上试了一下，确实如此。

然而，在草莓的电脑上访问其他计算机又专门正常。

只是，果冻看到了草莓新安装的天网防火墙，这时他恍然大悟。

确实是这防火墙把大伙挡在了“门外”。

原来草莓担心自己的电脑被病毒侵扰，就安装了防火墙，没想到给不人造成了苦恼。

应草莓这帮菜鸟的要求，果冻对各种常用的防火墙软件在局域网内的正确设置进行了讲解。

天网防火墙首先要介绍的因此是天网防火墙（2.60版）那个“肇事者”了。

在这款防火墙刚安装完成后就会弹出一个设置向导。

然而，专门多用户都没有注意到那个设置向导，随意点击几下便完成了安装（草莓便是这种“大马虎”），结果不正确的配置引起了网络故障。

假如要解决这种因为初始设置不正确而导致的网络故障，我们能够重新调出向导进行设置。

在天网防火墙的主面板上点击“系统设置”按钮，在弹出的“系统设置”窗口中，点击“规则设定”中的“向导”（图1），就会弹出设置向导。

在“安全级不设置”对话框中选择好安全级不（局域网内的用户能够选择“低”）后再点击“下一步”按钮，进入“局域网信息设置”窗口。

勾选“我的电脑在局域网中使用”，软件便会自动探测本机的IP地址并显示在下方。

接下来，一路点击“下一步”按钮即可完成设置了。

果冻提示我们也能够只同意局域网内的某台电脑访问自己的共享资料，以达到保密的目的。

在防火墙主面板上点击“IP 规则治理”按钮，在弹出的IP规则列表中找到和局域网访问相关的规则并双击它，进入“IP规则修改”对话框，按照图2所示进行设置即可。

诺顿个人防火墙在软件的主界面左侧点击“Internet区域操纵”选项，在右侧窗口进入“信任区域”选项卡，点击“添加”按钮，打开“指定计算机”对话框。

在该对话框中选择“使用范围”，然后在下面输入同意访问的起始地址和结束地址即可。

例如，果冻办公室的IP地址范围是172.22.1.2～172.22.1.253，现在只要将起止IP地址输入，点击“确定”按钮使设置生效之后，在那个区段内的所有IP就都能够正常访问草莓的电脑了。

UR-500多功能UTM（整合式威胁管理）设备，除了具有一般市场上防火墙（Firwall）功能外，在加上频宽管理功能、负载平衡功能（Load Balance）、应用程序管制、内容过滤、虚拟私有网络功能（IPSec VPN）等多项。

众至资讯UR-500适合于不同规模中、小型企业及办公环境。

可以一次满足中小企业对于网络安全防御的需求。

协助中小企业在网络网关第一线就可以即时的拦截各式黑客攻击的威胁，同时还可以保证网络的正常运行，达到令人惊奇的优异效果。

产品规格介绍♦详细的首页资讯显示系统时间(包含日期、时间、时区、伺服器开机时间)、伺服器系统资源(包含CPU、记忆体、Flash)、伺服器资讯(包含型号与软体版本)、伺服器服务(DHCP、DDNS、IPSec VPN服务)、网路介面(包含连线状态、IP位址、封包、流量)一览无遗完整显现。

♦防火墙UR-500內建 SPI技术，主动拦截、阻挡骇客攻击，不论是 SYN、ICMP、UDP等攻击方式都可以阻挡。

ShareTech主要是套用合理流量的观念，认为每个来源不会同时产生太多封包 / 秒，万一超过设定的合理封包数时，防火墙会要求将多余的封包阻挡。

♦内容过滤提供 Web Filter(网页过滤)功能，能阻挡工作端存取不当网页(如色情、暴力)和攻击性网页(如骇客、病毒)，且能自设过滤条件，阻挡不当网站。

♦负载平衡UR-500具有负载平衡的功能，可藉由多条专线及 ISP 之连线服务，改善对外网路连取效能。

负载平衡主要可提供当某条专线或某个 ISP 连线出了问题时，可自动切换有问题的线路，转到其他正常线路继续服务。

UR-500具有对外负载平衡(Outbound balance)，提供自动分配与手动分配等平衡模式供企业选择。

♦认证（Authentication）提供本机使用者/AD/POP3的认证授权机制，可协助网管人员，监控企业内部所有使用者帐号，在确认使用者的ID是有效授权之后，才能允许其使用网络，让企业可以有效管理网络使用♦应用程序管制网络软件千变万化，靠传统的IP及Port Base的机制，无法管制现在的软件，但是每一个网络应用软件在起始沟通过程中会出现一定的特征，这类的特征可能是要求输入帐号密码，或是Client跟Server沟通的程序，它会反映在网络封包上，藉由抓取前2000bytes的网络封包分析，就可以成功辨识出使用的软件，这样避免全面的封包截取，增加网络，又能正确地分辨使用的软件。

Application GuideTable of ContentsChapter 1. Introduction (1)Chapter 2. System Design (2)Chapter 3. Application Architecture (4)3.1. Static Mode (4)3.2. Interactive Mode (5)Chapter 4. DOCA Libraries (9)Chapter 5. Configuration Flow (10)Chapter 6. Running Application (11)Chapter 7. Arg Parser DOCA Flags (13)Chapter 8. References (14)Chapter 1.IntroductionA firewall application is a network security application that leverages the DPU's hardware capability to monitor incoming and outgoing network traffic and allow or block packets based on a set of preconfigured rules.The firewall application is based on DOCA Flow gRPC, used for remote programming of the DPU's hardware.The firewall can operate in two modes:‣Static mode – the firmware application gets 5-tuple traffic from the user with a JSON file for packets to be dropped. The packets that do not match any of the 5-tuple are forwarded by a hairpin pipe.‣Interactive mode – the user can add rules from the command line in real time to execute different firewall rulesChapter 2.System DesignThe firewall application is designed to run on the host and to use DOCA Flow gRPC client to send instructions to a server that runs on the BlueField DPU instance. The DPU intercepts ingress traffic from the wire and either drops it or forwards it to the egress port using a hairpin. The decision is made using traffic classification.System DesignChapter 3.Application Architecture The firewall runs on top of DOCA Flow gRPC to classify packets.3.1. Static Mode1.The firewall application builds 3 pipes for each port (two drop pipes and a hairpin pipe).2.The drop pipes match only 5-tuple traffic with specific source and destination IPs andsource and destination ports. One of the drop pipes matches TCP traffic and the other matches UDP. The hairpin pipe matches every packet (no misses). The drop pipes serve as root pipes and the hairpin pipe serves as a forwarding miss component to the drop pipe. Therefore, every received packet is checked first against the drop pipes. If there is a match, then it is dropped, otherwise, it is forwarded to the hairpin pipe and is then matched.3.2. Interactive ModeRunning in interactive mode initializes 2 ports, and the user then configures the pipes and entries.‣When adding a pipe or an entry, one must run commands to create the relevant structs beforehand‣Optional parameters must be specified by the user in the command line. Otherwise, NULL is used.‣After a pipe or an entry is created successfully, the relevant ID is printed for future use Available commands:‣create pipe port_id=[port_id][,<optional_parameters>]‣Available optional parameters: name=<pipe-name>, root_enable=[1|0],monitor=[1|0], match_mask=[1|0], fwd=[1|0], fwd_miss=[1|0],type=[basic|control]‣add entrypipe_id=<pipe_id>,pipe_queue=<pipe_queue>[,<optional_parameters>]‣Available optional parameters: monitor=[1|0], fwd=[1|0]‣add control_pipe entrypriority=[priority],pipe_id=<pipe_id>,pipe_queue=<pipe_queue>[,<optional_parameters>]‣Available optional parameters: match_mask=[1|0], fwd=[1|0]‣destroy pipe port_id=[port_id],pipe_id=<pipe_id>‣rm entry pipe_queue=<pipe_queue>,entry_id=[entry_id]‣port pipes flush port_id=[port_id]‣port pipes dump port_id=[port_id],file=[file_name]‣query entry_id=[entry_id]‣create [struct] [field=value,…]‣Struct options: pipe_match, entry_match, match_mask, actions, monitor, fwd,fwd_miss‣Match struct fields:‣‣‣Monitor struct fields:‣flags‣id‣cir‣cbs‣agingThe following is an example for creating a pipe and adding an entry:create pipe_matchout_l4_type=udp,out_src_ip_type=ipv4,out_src_ip_addr=0xffffffff,out_dst_ip_type=ipv4,out_dst_ip_ad create fwd type=dropcreate fwd_miss type=pipe,next_pipe_id=1create pipe port_id=0,name=drop,root_enable=1,fwd=1,fwd_miss=1create pipe succeed with pipe id: 2create entry_matchout_src_ip_type=ipv4,out_src_ip_addr=10.1.20.208,out_dst_ip_type=ipv4,out_dst_ip_addr=10.1.3.216 add entry pipe_id=2,pipe_queue=0add entry succeed with entry id: 0Chapter 4.DOCA Libraries This application leverages the DOCA Flow library.Chapter 5.Configuration Flow1.Parse application argument.doca_argp_init();a).Initialize the arg parser resources.b).Register DOCA general flags.register_firewall_params();c).Register firewall application params.doca_argp_start();d).Parse application flags.2.Firewall initialization.firewall_ports_init();a).Create a new gRPC channel and initialize a stub.b).Initialize DOCA Flow and DOCA Flow ports.3.Configure firewall rules.url_filter_init();‣When opearting in static mode:a).Initialize drop packets array from the input JSON file.init_drop_packets();b).Create hairpin pipe for both ports. This pipe includes one entry that matches everytype of packet (no misses) which is then forwarded to the egress port through ahairpin.firewall_pipes_init();c).Creates TCP and UDP drop pipes that serve as root pipes for both ports. The builtpipes have a 5-tuple match and entries from the processed JSON file that aredropped. In addition, the hairpin pipe serves as forwarding if the drop entries do notmatch.‣When opearting in interactive mode:a).Initialize the firewall's interactive command line.interactive_cmdline();b).Free allocated resources.interactive_mode_cleanup();Chapter 6.Running Application1.Refer to the following documents:‣NVIDIA DOCA Installation Guide for details on how to install BlueField-related software.‣NVIDIA DOCA Troubleshooting Guide for any issue you may encounter with the installation, compilation, or execution of DOCA applications.2.The firewall example binary is located under /opt/mellanox/doca/applications/url_filter/bin/doca_url_filter.Note: Before building the application, make sure that gRPC support is enabled. Set theenable_grpc_support flag in /opt/mellanox/doca/applications/meson_option.txtto true.To build all the applications together, run:cd /opt/mellanox/doca/applications/meson buildninja -C build3.To build the firewall application only:a).Edit the following flags in /opt/mellanox/doca/applications/meson_option.txt:‣Set enable_all_applications to false‣Set enable_firewall to trueb).Run the commands in step 2.Application usage:Usage: doca_firewall [DOCA Flags] [Program Flags]DOCA Flags:-h, --help Print a help synopsis-v, --version Print program version information-l, --log-level Set the log level for the app <CRITICAL=0, DEBUG=4>--grpc-address ip_address[:port] Set the IP address for the grpc serverProgram Flags:-m, --mode Set running mode {static, interactive}-r, --firewall-rules <path> Path to the JSON file with 5-tuple rules when running with static modeNote: For additional information on the app use -h:/opt/mellanox/doca/applications/firewall/bin/doca_firewall -hRunning Application4.Running the application on the host:‣For instructions on running the DOCA Flow gRPC server on the BlueField, refer to NVIDIA DOCA gRPC Infrastructure User Guide.‣CLI example for running the app in interactive mode:/opt/mellanox/doca/applications/firewall/bin/doca_firewall --grpc-address192.168.101.2 -l 3 -m interactive‣CLI example for running the app in static mode:/opt/mellanox/doca/applications/firewall/bin/doca_firewall --grpc-address192.168.101.2 -l 3 -m static -d firewall_rules.json5.To run doca_firewall using a JSON file:doca_firewall --json [json_file]For example:cd /opt/mellanox/doca/applications/firewall/bin./doca_firewall --json firewall_params.jsonChapter 7.Arg Parser DOCA Flags Refer to NVIDIA DOCA Arg Parser User Guide for more information.Chapter 8.References‣/opt/mellanox/doca/applications/firewall/src/firewall.cNoticeThis document is provided for information purposes only and shall not be regarded as a warranty of a certain functionality, condition, or quality of a product. NVIDIA Corporation nor any of its direct or indirect subsidiaries and affiliates (collectively: “NVIDIA”) make no representations or warranties, expressed or implied, as to the accuracy or completeness of the information contained in this document and assume no responsibility for any errors contained herein. NVIDIA shall have no liability for the consequences or use of such information or for any infringement of patents or other rights of third parties that may result from its use. This document is not a commitment to develop, release, or deliver any Material (defined below), code, or functionality.NVIDIA reserves the right to make corrections, modifications, enhancements, improvements, and any other changes to this document, at any time without notice. Customer should obtain the latest relevant information before placing orders and should verify that such information is current and complete.NVIDIA products are sold subject to the NVIDIA standard terms and conditions of sale supplied at the time of order acknowledgement, unless otherwise agreed in an individual sales agreement signed by authorized representatives of NVIDIA and customer (“Terms of Sale”). NVIDIA hereby expressly objects to applying any customer general terms and conditions with regards to the purchase of the NVIDIA product referenced in this document. No contractual obligations are formed either directly or indirectly by this document.NVIDIA products are not designed, authorized, or warranted to be suitable for use in medical, military, aircraft, space, or life support equipment, nor in applications where failure or malfunction of the NVIDIA product can reasonably be expected to result in personal injury, death, or property or environmental damage. NVIDIA accepts no liability for inclusion and/or use of NVIDIA products in such equipment or applications and therefore such inclusion and/or use is at customer’s own risk. NVIDIA makes no representation or warranty that products based on this document will be suitable for any specified use. Testing of all parameters of each product is not necessarily performed by NVIDIA. It is customer’s sole responsibility to evaluate and determine the applicability of any information contained in this document, ensure the product is suitable and fit for the application planned by customer, and perform the necessary testing for the application in order to avoid a default of the application or the product. Weaknesses in customer’s product designs may affect the quality and reliability of the NVIDIA product and may result in additional or different conditions and/or requirements beyond those contained in this document. NVIDIA accepts no liability related to any default, damage, costs, or problem which may be based on or attributable to: (i) the use of the NVIDIA product in any manner that is contrary to this document or (ii) customer product designs.No license, either expressed or implied, is granted under any NVIDIA patent right, copyright, or other NVIDIA intellectual property right under this document. Information published by NVIDIA regarding third-party products or services does not constitute a license from NVIDIA to use such products or services or a warranty or endorsement thereof. Use of such information may require a license from a third party under the patents or other intellectual property rights of the third party, or a license from NVIDIA under the patents or other intellectual property rights of NVIDIA.Reproduction of information in this document is permissible only if approved in advance by NVIDIA in writing, reproduced without alteration and in full compliance with all applicable export laws and regulations, and accompanied by all associated conditions, limitations, and notices.THIS DOCUMENT AND ALL NVIDIA DESIGN SPECIFICATIONS, REFERENCE BOARDS, FILES, DRAWINGS, DIAGNOSTICS, LISTS, AND OTHER DOCUMENTS (TOGETHER AND SEPARATELY, “MATERIALS”) ARE BEING PROVIDED “AS IS.” NVIDIA MAKES NO WARRANTIES, EXPRESSED, IMPLIED, STATUTORY, OR OTHERWISE WITH RESPECT TO THE MATERIALS, AND EXPRESSLY DISCLAIMS ALL IMPLIED WARRANTIES OF NONINFRINGEMENT, MERCHANTABILITY, AND FITNESS FOR A PARTICULAR PURPOSE. TO THE EXTENT NOT PROHIBITED BY LAW, IN NO EVENT WILL NVIDIA BE LIABLE FOR ANY DAMAGES, INCLUDING WITHOUT LIMITATION ANY DIRECT, INDIRECT, SPECIAL, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES, HOWEVER CAUSED AND REGARDLESS OF THE THEORY OF LIABILITY, ARISING OUT OF ANY USE OF THIS DOCUMENT, EVEN IF NVIDIA HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Notwithstanding any damages that customer might incur for any reason whatsoever, NVIDIA’s aggregate and cumulative liability towards customer for the products described herein shall be limited in accordance with the Terms of Sale for the product.TrademarksNVIDIA, the NVIDIA logo, and Mellanox are trademarks and/or registered trademarks of Mellanox Technologies Ltd. and/or NVIDIA Corporation in the U.S. and in other countries. The registered trademark Linux® is used pursuant to a sublicense from the Linux Foundation, the exclusive licensee of Linus Torvalds, owner of the mark on a world¬wide basis. Other company and product names may be trademarks of the respective companies with which they are associated.Copyright© 2022 NVIDIA Corporation & affiliates. All rights reserved.NVIDIA Corporation | 2788 San Tomas Expressway, Santa Clara, CA 95051。

使⽤中控WebSight发布的防⽕墙ASA5510配置说明使⽤WebSight发布的防⽕墙配置说明⼀、综述在某项⽬中⽤户要求利⽤DCS数据服务站将⼯艺装置的数据通过WEB发布，在⼚长办公室的办公电脑上可以实时查看控制装置的信息，同时为了防⽌⼯⼚管理⽹的病毒等侵⼊控制⽹，在两者之间设置了⼀个防⽕墙。

⼆、硬件配置2.1 DCS控制室1）历史数据服务器电脑⼀台。

配置4块⽹卡，其中3块连接DCS内部的控制⽹和操作⽹；第四块⽹卡作为web发布端⼝。

操作系统WINDOWS XP。

2）思科防⽕墙ASA5510⼀台。

3）⽹络双绞线若⼲。

2.2 ⼚长办公室1）办公电脑⼀台。

此电脑有⼀块单独⽤于和DCS通讯的⽹卡接⼝。

操作系统WINDOWS XP，安装了IE浏览器。

2）若有⼚长办公室内有多台电脑需要连接查看控制装置信息需要配置交换机。

2.3连接附件1）根据CCR中央控制室和⼚长办公室距离的不同，需要配置相应的光纤，光纤尾纤，光纤跳线和光纤接续盒等。

三、软件配置2.1 DCS控制室1）WINDOWS XP，并安装IIS（Internet 信息服务）组件。

2）AdvanTrol Pro2.5 SP06。

3）PIMS WebSight 发布软件2.2⼚长办公室1）WINDOWS XP，并安装了IE6.0以上的版本。

四、参考⽂件1)《中控WebSight监控软件Web发布软件使⽤⼿册》及《Internet 信息服务组件IIS安装规范》2）《ASA5510 User Manual》五、⽹络拓扑图整个⽹络拓扑结构如下图所⽰：第 2 页共10 页六、连接步骤6.1 在历史数据服务器HS140上安装IIS服务组件，websight发布软件。

设置第四块⽹卡的IP地址为：172.30.1.140，⼦⽹掩码为：255.255.255.0，默认⽹关为：172.30.1.1。

注意默认⽹关不能忘记设置。

如下图所⽰做好组态，点击web发布命令，启动监控软件，为DCS数据web发布做好准备。