Configuring the system firewall controls the packets that go through the management port of the device, so that unauthorized operators cannot access the system through the inband or outband channel.

Context

The firewall includes the following items:

- Blacklist: The blacklist function screens the packets sent from a specific IP address. A major feature of the blacklist function is that entries can be added or deleted dynamically. When the firewall detects an attack attempt from a specific IP address according to the characteristics of the packets, the firewall actively adds an entry to the blacklist and then filters the packets from this IP address.
- ACL/packet filtering firewall: Configure an ACL to filter data packets. To set a port to allow only one type of packet to go through, use the ACL to implement the packet filtering function. For example, to allow only the packets from source IP address 1.1.1.1 to go through a port in the inbound direction, do as follows:
  1. Configure ACL rule1, which allows the packets with source IP address 1.1.1.1 to pass.
  2. Configure ACL rule2, which denies all packets.
  3. Run the firewall packet-filter command, and bind rule2 first and then rule1 to the inbound direction.

NOTE
On the MA5631/MA5632, an ACL can be activated in two modes. The execution priorities of the sub-rules in one ACL differ between the two modes.
- Run the firewall packet-filter command to activate an ACL. This mode is mainly applied to the NMS. For the sub-rules in one ACL, the execution priority is implemented by software: the earlier a sub-rule is configured, the higher its priority.
- Run the packet-filter command to activate an ACL. For the sub-rules in one ACL, the execution priority is implemented by hardware: the later a sub-rule is configured, the higher its priority.

CAUTION
To ensure device security, the firewall must be configured.
This is to control the packets that go through the management port of the device.

Procedure

- Configure a firewall blacklist. Two modes are supported: configuring a firewall blacklist by using ACLs, or by adding the source IP addresses of untrusted packets. Choose either mode, or both. When both modes are configured, the firewall blacklist has a higher priority than the ACLs. That is, the system checks the firewall blacklist first, and then matches the ACLs.

  NOTE
  The firewall blacklist function only takes effect on the service packets that are sent from the user side.

  - Configure the firewall blacklist function by using advanced ACLs.
    1. Run the acl command to create an ACL. Only advanced ACLs can be used when the blacklist function is enabled. Therefore, the range of the ACL ID is 3000-3999.
    2. Run the rule(adv acl) command to create an advanced ACL.
    3. Run the quit command to return to the global config mode.
    4. Run the firewall blacklist enable acl-number acl-number command to enable the firewall blacklist function.
  - Configure the firewall blacklist function by adding the source IP addresses of untrusted packets.
    1. Run the firewall blacklist item command to add the source IP addresses of untrusted packets to the blacklist.
    2. Run the firewall blacklist enable command to enable the firewall blacklist function.
- Configure the firewall (filtering packets based on the ACL).
  1. Run the acl command to create an ACL. Only basic ACLs and advanced ACLs can be used when packet filtering by the firewall is configured. Therefore, the range of the ACL ID is 2000-3999.
  2. Run different commands to create different types of ACLs.
     - Basic ACL: Run the rule(basic acl) command.
     - Advanced ACL: Run the rule(adv acl) command.
  3. Run the quit command to return to the global config mode.
  4. Run the firewall enable command to enable the firewall blacklist function. By default, the firewall blacklist function is disabled.
     To filter the packets of a port based on the basic ACL, enable the firewall blacklist function.
  5. Run the firewall packet-filter command to apply the firewall packet filtering rules to an interface.

----End

Example

To add IP address 192.168.10.18 to the firewall blacklist with an aging time of 100 minutes, do as follows:

  huawei(config)#firewall blacklist item 192.168.10.18 timeout 100
  huawei(config)#firewall blacklist enable

To add the IP addresses in network segment 10.10.10.0 to the firewall blacklist and bind ACL 3000 to these IP addresses, do as follows:

  huawei(config)#acl 3000
  huawei(config-acl-adv-3000)#rule deny ip source 10.10.10.0 0.0.0.255 destination 10.10.10.20 0
  huawei(config-acl-adv-3000)#quit
  huawei(config)#firewall blacklist enable acl-number 3000

To deny the users in network segment 142.16.25.0 access to the maintenance Ethernet port with IP address 142.16.25.28 on the device, do as follows:

  huawei(config)#acl 3001
  huawei(config-acl-adv-3001)#rule 5 deny icmp source 142.16.25.0 0.0.0.255 destination 142.16.25.28 0
  huawei(config-acl-adv-3001)#quit
  huawei(config)#firewall enable
  huawei(config)#interface meth 0
  huawei(config-if-meth0)#firewall packet-filter 3001 inbound
  ACL applied successfully
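The following Python model is an added illustration, not part of the original document or any Huawei code: it applies the precedence rules stated above (the blacklist is checked before the ACL; under firewall packet-filter the earlier-configured sub-rule wins, under packet-filter the later-configured one wins) to the page's own rules, so a reader can see why the order in which rule1 and rule2 are bound decides the outcome. The Rule and Firewall classes, the "permit when no sub-rule matches" default, the minute-based clock and the sample packets are assumptions.

```python
import ipaddress
from dataclasses import dataclass
@dataclass
class Rule:
    action: str               # "permit" or "deny"
    src: str = "0.0.0.0/0"    # source network matched by the sub-rule
    dst: str = "0.0.0.0/0"    # destination network matched by the sub-rule
    proto: str = "ip"         # "ip" matches any protocol, otherwise e.g. "icmp"
    def matches(self, pkt):
        return (ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(self.dst)
                and self.proto in ("ip", pkt["proto"]))

def evaluate_acl(rules, pkt, mode):
    # rules are listed in configuration order. "firewall-packet-filter": software
    # priority, earlier-configured wins; "packet-filter": hardware priority, later wins.
    # A packet matching no sub-rule is permitted here (assumption, not from the page).
    order = rules if mode == "firewall-packet-filter" else reversed(rules)
    for rule in order:
        if rule.matches(pkt):
            return rule.action
    return "permit"

class Firewall:
    def __init__(self, rules, mode):
        self.rules, self.mode, self.blacklist = rules, mode, {}   # ip -> expiry minute
    def blacklist_item(self, ip, timeout, now):
        self.blacklist[ip] = now + timeout   # entry ages out after 'timeout' minutes
    def filter(self, pkt, now):
        expiry = self.blacklist.get(pkt["src"])   # blacklist is checked before the ACL
        if expiry is not None and now < expiry:
            return "deny"
        return evaluate_acl(self.rules, pkt, self.mode)

def page_examples():
    # Context section: rule1 permits 1.1.1.1, rule2 denies all; rule2 is bound first.
    acl = [Rule("deny"), Rule("permit", src="1.1.1.1/32")]
    pkt = {"src": "1.1.1.1", "dst": "10.0.0.1", "proto": "tcp"}   # constructed packet
    # Example section: ACL 3001 denies ICMP from 142.16.25.0/24 to 142.16.25.28;
    # 192.168.10.18 is blacklisted for 100 minutes at minute 0 (constructed packets below).
    fw = Firewall([Rule("deny", "142.16.25.0/24", "142.16.25.28/32", "icmp")], "packet-filter")
    fw.blacklist_item("192.168.10.18", timeout=100, now=0)
    ping = {"src": "142.16.25.7", "dst": "142.16.25.28", "proto": "icmp"}
    black = {"src": "192.168.10.18", "dst": "142.16.25.28", "proto": "tcp"}
    return {"1.1.1.1, packet-filter": evaluate_acl(acl, pkt, "packet-filter"),
            "1.1.1.1, firewall packet-filter": evaluate_acl(acl, pkt, "firewall-packet-filter"),
            "icmp from segment": fw.filter(ping, now=0),
            "tcp from segment": fw.filter(dict(ping, proto="tcp"), now=0),
            "blacklisted at minute 50": fw.filter(black, now=50),
            "blacklist aged at minute 100": fw.filter(black, now=100)}
```

Note that ACL 3001 as written on the page denies only ICMP from the segment; other protocols from the same segment still reach the maintenance port unless a further deny sub-rule is added.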