3Com Switch 8800 Family Firewall Module Configuration and Command Reference Guide

Attack Prevention and Packet Statistics Configuration Example 171
# Add the sub-interface of the external network to the untrust zone.
[secblade] firewall zone untrust
[secblade-zone-untrust] add interface GigabitEthernet 0/0.2
[secblade-zone-untrust] quit
# Add GigabitEthernet0/0.3 sub-interface to the DMZ.
[secblade] firewall zone DMZ
[secblade-zone-DMZ] add interface GigabitEthernet 0/0.3
[secblade-zone-DMZ] quit
# Configure the static route.
[secblade] ip route-static 10.0.0.0 24 30.0.0.1
# Enable the inbound IP statistics function in the DMZ zone.
[secblade] firewall zone DMZ
[secblade-zone-DMZ] statistics enable ip inzone
[secblade-zone-DMZ] quit
# Enable the SYN Flood attack prevention function in the global scope.
[secblade] firewall defend syn-flood enable
# Enable the SYN Flood attack prevention function on the server at 60.0.0.1, set the maximum connection rate of SYN packets to 500 packets per second, the maximum number of semi-connections to 2,000 and enable the TCP proxy manually.
[secblade] firewall defend syn-flood ip 60.0.0.1 max-rate 500 max-number 2000 tcp-proxy on
Enabling the Address Scanning Attack Prevention Function
Network requirements
On the Firewall module, add the GigabitEthernet 0/0.1, GigabitEthernet 0/0.2 and GigabitEthernet 0/0.3 sub-interfaces to the trust zone, untrust zone and DMZ respectively. You are required to enable the address scanning attack prevention function on the server in the untrust zone.
Network diagram
Refer to Figure 31.
Network procedure
Switch 8807 (SecBlade)
# Divide VLANs.
<SW8800> system-view
[SW8800] vlan 10
[3Com-vlan10] quit
[SW8800] vlan 30
[3Com-vlan30] quit
[SW8800] vlan 50
[3Com-vlan50] quit