iKuai (爱快) Traffic-Control Router


[Follow through] VPN help request

Original poster
Posted on 2018-1-11 17:08:03
This post was last edited by 1503123 on 2018-1-11 17:09

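This is a configuration exported from a Legendsec (网御神州) device. The machine broke down and I only have the configuration I backed up earlier. I mainly need the VPN part; can iKuai implement this?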
# hardware version: SecGate 3600 F2
# software version: 4.0.9.0
# hostname: SecGate
# serial number: 6a68ec908b4efd1c
defaddr delalladdr
defaddr add DMZ 0.0.0.0/0.0.0.0 comment "DMZ"
defaddr add Trust 0.0.0.0/0.0.0.0 comment "Trust"
defaddr add Untrust 0.0.0.0/0.0.0.0 comment "Untrust"

vpn set default prekey legendsec ikelifetime 28800 ipseclifetime 3600 vpnstatus on vpnbak off
vpn on
vpn add remote  static  main  psk  name jingeng_wst addr 61.158.222.114 prekey legendsec ike 3des-sha1-dh5,aes-sha1-dh5 initiate on obey off nat_t on ikelifetime 28800 dpddelay 0 dpdtimeout 0
vpn add tunnel name jingeng_wst   local 222.85.37.158 remote jingeng_wst auth esp ipsec des-md5 pfs on dh_group 2 ipseclifetime 3600 lifebyte 0 proxy_localip 0.0.0.0 proxy_localmask 0.0.0.0 proxy_remoteip 0.0.0.0 proxy_remotemask 0.0.0.0
vpndev add jingeng_wst jingeng_wst ""

anti synflood lan 200
anti icmpflood lan 1000
anti pingofdeath lan 800
anti udpflood lan 1000
anti pingsweep lan 10
anti tcpportscan lan 10
anti udpportscan lan 10
anti synflood wan 200
anti icmpflood wan 1000
anti pingofdeath wan 800
anti udpflood wan 1000
anti pingsweep wan 10
anti tcpportscan wan 10
anti udpportscan wan 10

sysif set lan speed auto mtu 1500 ipmac off macpolicy permit mode route sroute off log off anti off nonip deny idsblock off vlan off
sysif set wan speed auto mtu 1500 ipmac off macpolicy permit mode route sroute off log off anti off nonip deny idsblock off vlan off


sysip add  wan 10.50.10.45 255.255.255.0 ping off admin on adminping on traceroute on
sysip add  wan 222.85.37.158 255.255.255.192 ping on admin on adminping on traceroute on
sysip add  lan 192.168.1.1 255.255.255.0 ping on admin on adminping on traceroute on
sysip add  lan 172.16.164.1 255.255.255.240 ping on admin on adminping on traceroute on

vrrpbunch delay 10



route add droute any 222.85.37.129
route add droute 172.16.0.0/255.255.0.0 jingeng_wst
route add droute 192.170.0.0/255.255.0.0 jingeng_wst
route add droute 10.192.0.0/255.255.0.0 jingeng_wst

mngglobal set  rcomm "public" wcomm "private" trapc "public" username "snmpuser" level "AuthnoPriv" authpass "12345678" crypt "MD5"

mngmode ssh on

mngacct set admin password "lic@123,."
mngacct multi on

mngacct failtime 5 blocktime 30 period 120

dns set sysname SecGate

ipcftcheck off

longconn set 1800

statetable udp 20 icmp 5
statetable overtime establish 1800 syn 120

rdweb srcaddr any dstaddr any
rdweb dstport 80

vpn set dhcp active off dhcpserver 127.0.0.1 interface lo
defurl add taobao type blacklist port 80 log none
defurl addkey taobao "www.taobao.com"

timeout set web 600

bandwidth add p2p_band priority 3 minbw 600 maxbw 1600 comment "建议仅用于P2P带宽限制"

bandwidth on

ftpactive port20 keep off

tcpmss set 1460

defsvc set ftp  ftp 21
defsvc set h323  h323 1720
defsvc set sqlnet  sqlnet 1521
defsvc set sip  sip 5060
defsvc set rtsp  rtsp 554
defsvc set mms  mms 1755
defsvc set pptp  pptp 1723
defsvc set gk  gk 1719
defsvc set tftp  tftp 69

defsvc set ftp comment "文件传输协议"
defsvc set h323 comment "Netmeeting服务"
defsvc set sqlnet comment "oracle数据库网络连接"
defsvc set sip comment "基于sip协议的动态服务"
defsvc set rtsp comment "RTSP服务"
defsvc set mms comment "MMS服务"
defsvc set pptp comment "点到点隧道协议的动态服务"
defsvc set gk comment "H.323网守服务"
defsvc set tftp comment "TFTP协议"

defsvc set icmp icmp comment "ICMP服务"
defsvc set ping icmp type 8 comment "PING请求"
defsvc set pong icmp type 0 comment "PING回应"

defsvc set tcp proto tcp any any comment "tcp协议的所有服务"
defsvc set udp proto udp any any comment "udp协议的所有服务"
defsvc set gre proto 47 comment "封装协议"
defsvc set esp proto 50 comment "VPN加密认证协议"
defsvc set ah proto 51 comment "加密协议"
defsvc set vrrp proto 112 comment "HA负载均衡协议"
defsvc set ssh proto tcp any 22 comment "远程加密登录"
defsvc set telnet proto tcp any 23 comment "远程登录协议"
defsvc set smtp proto tcp any 25 comment "邮件发送服务"
defsvc set http proto tcp any 80 comment "www服务"
defsvc set pop3 proto tcp any 110 comment "邮件接收服务"
defsvc set ntp proto tcp any 123 comment "时间服务器服务"
defsvc set netbios proto tcp any 137 proto tcp any 139 proto udp any 137 proto udp any 138 comment "windows文件共享"
defsvc set dhcp proto udp any 67:68 proto tcp any 67:68 comment "dhcp & bootp"
defsvc set https proto tcp any 443 comment "https服务"
defsvc set pptp_server proto tcp any 1723 proto 47 comment "点到点隧道协议(用于防火墙作为PPTP服务器)"
defsvc set dns proto tcp any 53 proto udp any 53 comment "域名解析服务"
defsvc set snmp proto udp any 161 comment "简单网络管理协议"
defsvc set snmptrap proto udp any 162 comment "snmp trap发送服务"
defsvc set syslog proto udp any 514 comment "日志传输协议"
defsvc set oicqc proto udp any 4000 comment "QQ客户端打开端口"
defsvc set oicqs proto udp any 8000 comment "QQ服务器打开端口"
defsvc set secgate_auth proto tcp any 9998 proto udp any 9998 comment "SecGate安全网关用户认证"
defsvc set secgate_global proto tcp any 161 proto udp any 161 comment "SecGate安全网关集中管理"
defsvc set secgate_https proto tcp any 8889 proto tcp any 8888 comment "SecGate安全网关WEB管理"
defsvc set secgate_ha_conf proto tcp any 9223 proto udp any 9455 comment "SecGate安全网关HA功能配置同步服务"
defsvc set virus_blaster proto tcp any 135:139 proto udp any 135:139 proto tcp any 4444 proto udp any 69 comment "冲击波影响端口"
defsvc set virus_sasser proto tcp any 445 proto tcp any 1025 proto tcp any 1068 proto tcp any 5554 proto tcp any 9995:9996 proto udp any 9995:9996 comment "震荡波影响端口"
defsvc set virus_sqlworm proto udp any 1434 comment "SQL蠕虫影响端口"
defsvc set pcanywhere proto tcp any 5631:5632 proto udp any 5631:5632 comment "pcanywhere"
defsvc set lotusnote proto tcp any 1352 proto udp any 1352 comment "lotus notes"
defsvc set ike proto udp any 500 proto udp any 4500 comment "Internet密钥交换协议"
defsvc set l2tp proto udp any 1701 comment "第二层隧道协议"
defsvc set thunder proto tcp any 3075:3079 proto tcp 3075:3079 any comment "迅雷端口"
defsvc add tcp_8000 proto tcp any 8000
defsvc add 251 proto tcp any 251
defsvc add 3389 proto tcp any 3389


limitp2p set apple deny
limitp2p set ares deny
limitp2p set bt deny
limitp2p set dc deny
limitp2p set edonkey deny
limitp2p set gnu deny
limitp2p set kazaa deny
limitp2p set msn deny
limitp2p set qq permit
limitp2p set skype deny
limitp2p set soul deny
limitp2p set winmx deny
limitp2p set bandwidth p2p_band

defdomain detect off


policy add permit id 1 name p1 from 0.0.0.0/0.0.0.0 to 0.0.0.0/0.0.0.0 in any out any service ike time none active on
policy add portmap id 2 name 252 from 0.0.0.0/0.0.0.0 sat 192.168.1.1 pa 222.85.37.158 ia 192.168.1.251 in any out any ps 251 is http time none active on
policy add portmap id 3 name 252 from 0.0.0.0/0.0.0.0 sat 192.168.1.1 pa 222.85.37.158 ia 192.168.1.252 in any out any ps tcp is tcp time none active on
policy add permit id 4 name p2 from 172.16.0.0/255.255.0.0 to 172.16.0.0/255.255.0.0 in any out any time none active on
policy add permit id 5 name p3 from 172.16.0.0/255.255.0.0 to 10.192.0.0/255.255.0.0 in any out any time none active on
policy add permit id 6 name p4 from 10.192.0.0/255.255.0.0 to 172.16.0.0/255.255.0.0 in any out any time none active on
policy add permit id 7 name p5 from 172.16.0.0/255.255.0.0 to 192.170.0.0/255.255.0.0 in any out any time none active on
policy add permit id 8 name p6 from 192.170.0.0/255.255.0.0 to 172.16.0.0/255.255.0.0 in any out any time none active on
policy add nat id 9 name p7 from 0.0.0.0/0.0.0.0 sat 222.85.37.158 to 0.0.0.0/0.0.0.0 in any out any time none active on
policy add permit id 10 name p8 from 192.168.1.0/255.255.255.0 to 172.16.164.0/255.255.255.240 in any out any time none active on

wormfilter set sobig ignore
wormfilter set ramen ignore
wormfilter set welchia ignore
wormfilter set agobot ignore
wormfilter set opaserv ignore
wormfilter set blaster ignore
wormfilter set sadmind ignore
wormfilter set slapper ignore
wormfilter set novarg ignore
wormfilter set slammer ignore
wormfilter set zafi ignore
wormfilter set bofra ignore
wormfilter set dipnet ignore
wormfilter off

policy stateless off

mnghost add 10.50.10.44 "出厂默认管理主机"

mnghost limitless on

authsrv local 9998 9998
authsrv radius 1.1.1.1 1812 1813 123456
authsrv on local

syncfg set if none state backup backupif off

stp set priority 32768
stp start

router rip interface lan auth off
router rip interface wan auth off

router rip set version 2 metric 16 update 30 garbage 120 timeout 180

router ospf interface lan auth off mode text passwd none cost 10
router ospf interface wan auth off mode text passwd none cost 10

router ospf set routerid 1 rfc1583 on



First reply
Posted on 2018-1-12 16:59:21
Hello OP, a configuration that was not exported from an iKuai router cannot be imported into an iKuai router.