# Filter definitions. A filter is a named match set; it is given meaning only
# where a policy ruleset below references it with "match filter" and attaches
# an action. Unless stated otherwise, all rules in a filter presumably act as
# alternatives (any matching rule matches the filter) -- confirm on the target
# platform. A leading '!' in a value (e.g. '!DNS', '!SYN', '!1-1400') is used
# on this page as negation of the match.

# Bogon: any protocol whose source address is in the "Bogon" address group
# (defined at the end of this listing). Referenced as a drop match on both
# WAN-IN and WAN-LOCAL.
set filter Bogon rule 10 protocol 'all'
set filter Bogon rule 10 source address-group 'Bogon'
set filter Bogon description 'Не маршрутизируемые сети не должны быть источником пакетов во внешней сети'
# DNS_flood_1: UDP with source port 53 from any source that is NOT in the
# "DNS" group, i.e. DNS replies from servers the router did not configure.
# Referenced as a drop match on WAN-LOCAL.
set filter DNS_flood_1 rule 10 protocol 'udp'
set filter DNS_flood_1 rule 10 source address-group '!DNS'
set filter DNS_flood_1 rule 10 source port '53'
set filter DNS_flood_1 description 'Ограничение на получение трафика DNS только для выбранных серверов'
# DNS_flood_2: UDP replies (source port 53) from the trusted "DNS" group,
# rate-limited to 5 packets/second with a burst of 10.
# NOTE(review): packets above the limit presumably do not match this filter
# and continue down the policy ruleset -- confirm; on WAN-LOCAL they then hit
# the UnusedPorts drop rule, so a burst of legitimate DNS replies is discarded.
set filter DNS_flood_2 rule 10 limit packet-rate burst '10'
set filter DNS_flood_2 rule 10 limit packet-rate rate '5/second'
set filter DNS_flood_2 rule 10 protocol 'udp'
set filter DNS_flood_2 rule 10 source address-group 'DNS'
set filter DNS_flood_2 rule 10 source port '53'
set filter DNS_flood_2 description 'Ограничение по скорости получения пакетов сервиса DNS'
# HTTP-flood: TCP connection-rate limits toward ports 80 and 443.
#   rule 10 - per individual source (source-mask 32): above 10, burst 20
#   rule 20 - all sources aggregated (source-mask 0): above 30, burst 50
# NOTE(review): 'above' is written without a time unit here but as
# '30/second' in TCP-Flood_2 -- confirm which unit the platform assumes when
# none is given, so both filters mean what the descriptions say.
set filter HTTP-flood rule 10 destination port '80,443'
set filter HTTP-flood rule 10 limit connection-rate group-by 'source-address'
set filter HTTP-flood rule 10 limit connection-rate above '10'
set filter HTTP-flood rule 10 limit connection-rate burst '20'
set filter HTTP-flood rule 10 limit connection-rate source-mask '32'
set filter HTTP-flood rule 10 protocol 'tcp'
set filter HTTP-flood rule 20 destination port '80,443'
set filter HTTP-flood rule 20 limit connection-rate group-by 'source-address'
set filter HTTP-flood rule 20 limit connection-rate above '30'
set filter HTTP-flood rule 20 limit connection-rate burst '50'
set filter HTTP-flood rule 20 limit connection-rate source-mask '0'
set filter HTTP-flood rule 20 protocol 'tcp'
set filter HTTP-flood description 'Правило на ограничение количества подключений по HTTP портам'
# ICMP_1: ICMP whose layer-3 length is outside 1..1400 bytes (negated range),
# i.e. oversized ICMP. Referenced as a drop match on WAN-LOCAL.
set filter ICMP_1 rule 10 length layer 'layer3'
set filter ICMP_1 rule 10 length value '!1-1400'
set filter ICMP_1 rule 10 protocol 'icmp'
set filter ICMP_1 description 'Запрет по размеру пакета для ICMP'
# ICMP_2: rate-limited ICMP. rule 10 covers echo-request at 10/second,
# rule 20 covers any ICMP type at 30/second (burst 1 for both).
# NOTE(review): if filter rules are alternatives, an echo-request that exceeds
# rule 10 can still be matched by rule 20 (no type restriction), so the
# effective echo-request ceiling is rule 20's 30/second -- confirm.
set filter ICMP_2 rule 10 icmp type 'echo-request'
set filter ICMP_2 rule 10 limit packet-rate burst '1'
set filter ICMP_2 rule 10 limit packet-rate rate '10/second'
set filter ICMP_2 rule 10 protocol 'icmp'
set filter ICMP_2 rule 20 limit packet-rate burst '1'
set filter ICMP_2 rule 20 limit packet-rate rate '30/second'
set filter ICMP_2 rule 20 protocol 'icmp'
set filter ICMP_2 description 'Ограничение скорости для ICMP'
# SSH: management allow-list -- TCP to the router's WAN address 1.2.3.4 port 22
# from the single source 1.2.3.40 (addresses as given on this page).
set filter SSH rule 10 destination address '1.2.3.4'
set filter SSH rule 10 destination port '22'
set filter SSH rule 10 protocol 'tcp'
set filter SSH rule 10 source address '1.2.3.40'
set filter SSH description 'Разрешающее правило для подключения'
# SSH-flood: more than 5 concurrent TCP connections to port 22, grouped by
# source with mask 0. NOTE(review): mask 0 presumably folds every source into
# one bucket, making this a global cap of 5 SSH connections rather than a
# per-client cap -- confirm that is the intent.
set filter SSH-flood rule 10 destination port '22'
set filter SSH-flood rule 10 limit connections above '5'
set filter SSH-flood rule 10 limit connections group-by 'source'
set filter SSH-flood rule 10 limit connections mask '0'
set filter SSH-flood rule 10 protocol 'tcp'
set filter SSH-flood description 'Запрет более 5 подключений'
# SYN-Flood_1: TCP packets carrying the SYN flag, limited to 20/second with a
# burst of 50; matched packets are logged. Both policies reference this filter
# with 'accept', so the log records SYNs that were let through, not the excess.
set filter SYN-Flood_1 rule 10 description 'Лимитирование поступающих TCP пакетов с флагом SYN'
set filter SYN-Flood_1 rule 10 limit packet-rate burst '50'
set filter SYN-Flood_1 rule 10 limit packet-rate rate '20/second'
set filter SYN-Flood_1 rule 10 log 'enable'
set filter SYN-Flood_1 rule 10 protocol 'tcp'
set filter SYN-Flood_1 rule 10 tcp flags 'SYN'
# TCP-Flood_1: packets in state "new" that do not carry SYN (a connection
# cannot legitimately start without SYN). Referenced as a drop match.
set filter TCP-Flood_1 rule 10 protocol 'tcp'
set filter TCP-Flood_1 rule 10 state new 'enable'
set filter TCP-Flood_1 rule 10 tcp flags '!SYN'
set filter TCP-Flood_1 description 'Новые TCP пакеты без флага SYN'
# TCP-Flood_2: per-source (source-mask 32) TCP connection rate above
# 30/second, burst 50. Referenced as a drop match on WAN-IN.
set filter TCP-Flood_2 rule 10 limit connection-rate group-by 'source-address'
set filter TCP-Flood_2 rule 10 limit connection-rate above '30/second'
set filter TCP-Flood_2 rule 10 limit connection-rate burst '50'
set filter TCP-Flood_2 rule 10 limit connection-rate source-mask '32'
set filter TCP-Flood_2 rule 10 protocol 'tcp'
set filter TCP-Flood_2 description 'Правило для ограничения количества подключений TCP'
# TCP-Flood_3: all non-SYN TCP packets, limited to 20/second, burst 50.
# NOTE(review): 20 packets/second across every established TCP flow is far
# below what the published web server will see; on WAN-IN the overflow is
# accepted by the default action anyway, so confirm the intended rate.
set filter TCP-Flood_3 rule 10 limit packet-rate burst '50'
set filter TCP-Flood_3 rule 10 limit packet-rate rate '20/second'
set filter TCP-Flood_3 rule 10 protocol 'tcp'
set filter TCP-Flood_3 rule 10 tcp flags '!SYN'
set filter TCP-Flood_3 description 'Правило для ограничения скорости TCP пакетов'
# UDP-flood_1: any UDP, limited to 2000/second with a burst of 1000.
set filter UDP-flood_1 rule 10 limit packet-rate burst '1000'
set filter UDP-flood_1 rule 10 limit packet-rate rate '2000/second'
set filter UDP-flood_1 rule 10 protocol 'udp'
set filter UDP-flood_1 description 'Ограничение скорости пакетов UDP'
# UncomMSS: TCP segments advertising an MSS of 0..500 bytes. Referenced as a
# drop match on both policies.
set filter UncomMSS rule 10 protocol 'tcp'
set filter UncomMSS rule 10 tcp mss '0-500'
set filter UncomMSS description 'Некорректное значение TCP MSS'
# UnusedPorts: TCP or UDP to destination ports 1024-65535. Referenced as a
# drop match on WAN-LOCAL only (traffic to the router itself).
set filter UnusedPorts rule 10 destination port '1024-65535'
set filter UnusedPorts rule 10 protocol 'tcp_udp'
set filter UnusedPorts description 'Блокирование неиспользуемых портов'
# WEB-SERV: TCP/UDP to ports 80,443 of the internal web server
# 192.168.10.200 (the post-DNAT address; see NAT rule 10).
# NOTE(review): NAT rule 10 only translates 'tcp', so the UDP half of this
# match has nothing to accept unless another NAT rule exists outside this
# listing.
set filter WEB-SERV rule 10 destination address '192.168.10.200'
set filter WEB-SERV rule 10 destination port '80,443'
set filter WEB-SERV rule 10 protocol 'tcp_udp'
set filter WEB-SERV description 'Разрешающие правила для HTTP/HTTPS портов'
# Policy rulesets. Rules are presumably evaluated in ascending number order
# and the first matching rule's action applies; a packet matching no rule gets
# the ruleset's default-action -- confirm on the target platform.

# WAN-IN: attached to eth1 with "policy in" (see the interfaces section). On
# VyOS-style platforms "in" covers traffic entering the interface that is
# forwarded onward (here: toward the LAN / the DNAT'd web server) -- confirm.
set policy firewall WAN-IN rule 100 action 'drop'
set policy firewall WAN-IN rule 100 match filter 'Bogon'
set policy firewall WAN-IN rule 110 action 'drop'
set policy firewall WAN-IN rule 110 match filter 'UncomMSS'
# Rate-limited accept: SYNs within 20/second are accepted here; SYNs above the
# limit presumably fall through to the rules below.
set policy firewall WAN-IN rule 120 action 'accept'
set policy firewall WAN-IN rule 120 match filter 'SYN-Flood_1'
set policy firewall WAN-IN rule 130 action 'drop'
set policy firewall WAN-IN rule 130 match filter 'TCP-Flood_1'
set policy firewall WAN-IN rule 140 action 'drop'
set policy firewall WAN-IN rule 140 match filter 'TCP-Flood_2'
set policy firewall WAN-IN rule 150 action 'accept'
set policy firewall WAN-IN rule 150 match filter 'TCP-Flood_3'
set policy firewall WAN-IN rule 160 action 'accept'
set policy firewall WAN-IN rule 160 match filter 'UDP-flood_1'
set policy firewall WAN-IN rule 170 action 'drop'
set policy firewall WAN-IN rule 170 match filter 'HTTP-flood'
set policy firewall WAN-IN rule 500 action 'accept'
set policy firewall WAN-IN rule 500 match filter 'WEB-SERV'
# NOTE(review): with default-action 'accept', every packet that the rate-limit
# filters (SYN-Flood_1, TCP-Flood_3, UDP-flood_1) stop matching once their
# limit is exceeded is accepted here anyway, so on WAN-IN those limits do not
# discard the excess -- only the explicit drop rules (100-140, 170) actually
# block traffic. Switching this to 'drop' would need an explicit accept for
# established/related return traffic of the masquerade rule (NAT rule 100),
# which this listing does not contain; check the platform's state-match
# syntax before changing it.
set policy firewall WAN-IN default-action 'accept'

# WAN-LOCAL: attached to eth1 with "policy local" -- traffic addressed to the
# router itself. Default is drop, so only the accept rules below (DNS replies,
# rate-limited SYN/UDP/ICMP, and SSH from the allow-listed host) get in.
set policy firewall WAN-LOCAL rule 100 action 'drop'
set policy firewall WAN-LOCAL rule 100 match filter 'SSH-flood'
set policy firewall WAN-LOCAL rule 110 action 'drop'
set policy firewall WAN-LOCAL rule 110 match filter 'Bogon'
set policy firewall WAN-LOCAL rule 120 action 'drop'
set policy firewall WAN-LOCAL rule 120 match filter 'DNS_flood_1'
set policy firewall WAN-LOCAL rule 130 action 'accept'
set policy firewall WAN-LOCAL rule 130 match filter 'DNS_flood_2'
set policy firewall WAN-LOCAL rule 140 action 'drop'
set policy firewall WAN-LOCAL rule 140 match filter 'UncomMSS'
# NOTE(review): this drops anything to ports 1024-65535 on the router. Replies
# to the router's own outbound connections arrive on such ports; only DNS
# replies from the trusted group (rule 130, within its rate) are accepted
# ahead of it, so other router-originated traffic may break unless the
# platform accepts established flows before these rules -- confirm.
set policy firewall WAN-LOCAL rule 150 action 'drop'
set policy firewall WAN-LOCAL rule 150 match filter 'UnusedPorts'
# Redundant: rule 100 already drops everything SSH-flood matches, so rule 160
# can never match. Harmless, but it should be removed to keep the ruleset
# readable.
set policy firewall WAN-LOCAL rule 160 action 'drop'
set policy firewall WAN-LOCAL rule 160 match filter 'SSH-flood'
set policy firewall WAN-LOCAL rule 170 action 'accept'
set policy firewall WAN-LOCAL rule 170 match filter 'SYN-Flood_1'
set policy firewall WAN-LOCAL rule 180 action 'drop'
set policy firewall WAN-LOCAL rule 180 match filter 'TCP-Flood_1'
set policy firewall WAN-LOCAL rule 190 action 'accept'
set policy firewall WAN-LOCAL rule 190 match filter 'UDP-flood_1'
set policy firewall WAN-LOCAL rule 200 action 'drop'
set policy firewall WAN-LOCAL rule 200 match filter 'ICMP_1'
set policy firewall WAN-LOCAL rule 210 action 'accept'
set policy firewall WAN-LOCAL rule 210 match filter 'ICMP_2'
# SSH from the allow-listed host only (SSH filter: 1.2.3.40 -> 1.2.3.4:22).
# Note that rule 100 (SSH-flood) is evaluated first, so the allow-listed host
# is also subject to the 5-connection cap.
set policy firewall WAN-LOCAL rule 500 action 'accept'
set policy firewall WAN-LOCAL rule 500 match filter 'SSH'
set policy firewall WAN-LOCAL default-action 'drop'
# System resolvers. These two addresses are exactly the members of the "DNS"
# address group defined below; the two must be kept in sync, otherwise the
# router's own DNS replies are dropped by DNS_flood_1 on WAN-LOCAL.
set system dns name-server 77.88.8.1 proto 'dns'
set system dns name-server 77.88.8.8 proto 'dns'
set system gateway-address 1.2.3.200
# eth1 is the WAN side: both policy rulesets are attached here. eth2 is the
# LAN side (192.168.10.0/24, where the web server 192.168.10.200 lives).
# NOTE(review): no policy is attached to eth2 in this listing, so traffic from
# the LAN toward the router or outward is not filtered by anything shown here.
set interfaces ethernet eth1 policy in firewall 'WAN-IN'
set interfaces ethernet eth1 policy local firewall 'WAN-LOCAL'
set interfaces ethernet eth1 address '1.2.3.4/24'
set interfaces ethernet eth1 description 'Внешний интерфейс'
set interfaces ethernet eth2 address '192.168.10.100/24'
set interfaces ethernet eth2 description 'Внутренний интерфейс'
# Management HTTPS uses the certificate named 'edge_web_cert' (the certificate
# object itself is not part of this listing).
set service https x509-cert 'edge_web_cert'
# SSH listens on all addresses (0.0.0.0), including the WAN address. Exposure
# on eth1 is limited only by WAN-LOCAL (SSH-flood cap, then rule 500 accepting
# the single allow-listed source, default drop) -- that policy must stay
# attached for this to hold. Binding to the LAN/management address instead
# would reduce the dependency on the firewall ruleset.
set service ssh address 0.0.0.0 port '22'
# GOST cipher suite only (Kuznyechik OFB, Streebog HMACs, GOST R 34.10-2012
# ECDH). Clients without GOST support in their SSH client cannot connect.
set service ssh cipher 'kuznechik-ofb'
set service ssh hmac 'hmac-stribog-256'
set service ssh hmac 'hmac-stribog-512'
set service ssh key-exchange-algo 'ecdh-gost2012-256-cpa'
set service ssh active 'on'
# NAT rule 10: DNAT of TCP 80,443 arriving on eth1 for 1.2.3.4 to the internal
# web server 192.168.10.200. The forwarded packets are then matched by
# WAN-IN's WEB-SERV filter (which uses the inside address).
set service nat ipv4 rule 10 description 'Трансляция входящего HTTP/HTTPS трафика на сервер'
set service nat ipv4 rule 10 destination address '1.2.3.4'
set service nat ipv4 rule 10 destination port '80,443'
set service nat ipv4 rule 10 inbound-interface 'eth1'
set service nat ipv4 rule 10 inside-address address '192.168.10.200'
set service nat ipv4 rule 10 protocol 'tcp'
set service nat ipv4 rule 10 type 'destination'
# NAT rule 100: masquerade everything leaving eth1 (LAN -> Internet). Return
# traffic for these flows enters through WAN-IN; see the note on its
# default-action.
set service nat ipv4 rule 100 outbound-interface 'eth1'
set service nat ipv4 rule 100 type 'masquerade'
# Bogon address group: source ranges that must never appear on the WAN
# (private, loopback, link-local, CGNAT, documentation, benchmarking,
# 6to4 relay, and 224.0.0.0/3 which covers multicast plus the reserved
# 240/4 block). Used as a source match by the Bogon filter on both policies.
# NOTE(review): 192.168.0.0/16 also contains the LAN prefix 192.168.10.0/24;
# that is correct for eth1, but this group must not be reused on eth2.
set groups address-group Bogon address '0.0.0.0/8'
set groups address-group Bogon address '10.0.0.0/8'
set groups address-group Bogon address '100.64.0.0/10'
set groups address-group Bogon address '127.0.0.0/8'
set groups address-group Bogon address '169.254.0.0/16'
set groups address-group Bogon address '172.16.0.0/12'
set groups address-group Bogon address '192.0.0.0/24'
set groups address-group Bogon address '192.0.2.0/24'
set groups address-group Bogon address '192.88.99.0/24'
set groups address-group Bogon address '192.168.0.0/16'
set groups address-group Bogon address '198.18.0.0/15'
set groups address-group Bogon address '198.51.100.0/24'
set groups address-group Bogon address '203.0.113.0/24'
set groups address-group Bogon address '224.0.0.0/3'
set groups address-group Bogon description 'Не маршрутизируемые подсети'
# Trusted DNS servers: must match "system dns name-server" above, since
# DNS_flood_1 drops port-53 replies from any other source.
set groups address-group DNS address '77.88.8.8'
set groups address-group DNS address '77.88.8.1'
set groups address-group DNS description 'Доверенные DNS сервера'
# Apply the whole batch atomically.
commit