Shulou(Shulou.com)06/01 Report--

Because the setting method of the filtering function of the firewall is too cumbersome, many people do not want to use its function, but after careful study, you will find that the filtering function of the firewall is so powerful, and controllable, very detailed.

The following are all passed by the actual case test

1. Plan the IP segments that need to be filtered first

Object-group network url_filter_group

Network-object 172.16.10.0 255.255.255.128

Network-object 172.16.10.128 255.255.255.192

Network-object 172.16.10.192 255.255.255.224

two。 Then define the time period:

Time-range url_range

Periodic weeddays 8:30 to 17:30

3. Define ACL merging into time control

Access-list url_filter_list extended permit tcp object-group url_filter_group any eq www time-range url_range

The main reason why any any is not used is that only the keywords in http traffic are filtered, except for a little bit of IP that does not need to be filtered.

4. Next, write the website keywords that need to be filtered, and use regular expressions to match multiple keywords (regular expressions can be searched by themselves, which belongs to mathematical content. )

Regex url_filter1\ .youku\ .com

Regex url_filter2\ .tudou\ .com

……

5. Create a normal class-map to match the ACL.

Class-map url_class

Match access-list url_filter_list

Exit

6. Create a class-map of the formal expression type to associate the formal expression keywords to be filtered.

Class-map type regex match-any url_class_regex

Match regex url_filter1

Match regex url_filter2

Exit

Description: class-map can establish two types, one is review, the other is regular expression. Class-map of the review type can only be called by the review type. Regular expressions can only be matched by class-map of regular expression types. The class-map of the regular expression type can be matched by any type of map. The review type can review DNS, FTP, HTTP, etc., and you can choose whether the match request or reply message (rquest and response). The sub-options of the reply message and the request message are different. We want to filter the keywords of the website, select the demand message here, and choose header. (if you want to censor the content, select body, so that the site containing keywords will also be discarded. )

7. Establish a class-map of type review to associate the class-map of a regular expression

Class-map type inspect http match-all url_class_inspect

Match request header host regex class url_class_regex

The header contains a lot of words, such as the following figure, we select the host item and choose to review the regular expression class-map content, if you enter match not request header host regex class url_class_regex here will only allow access to certain sites.

8. Establish the policy-map of the review type to match the class-map of the audit type and take the corresponding action

Policy-map type inspect http url_policy_inspect

Class url_class_inspect

Drop-connection log

Exit

Note: there are only two types of policy-map: normal and censorship. Policy-map of censorship type can only call class-map of censorship type. Similarly, a normal type of policy-map can only call a normal type of class-map. However, the interface can only apply a normal type of policy-map, so you have to create a normal type of policy-map to call a normal type of class-map. Then call the review type policy-map in the ordinary type of class-map (polci-map has the function to execute the action only after calling class-map. Class-map does not have the function to perform the action alone, and policy-map does not have the function alone. Although policy-map can also match the regular expression or the class-map of the regular expression, it does not have the function to perform the action. After the ordinary policy-map calls the ordinary class-map, the audit inspect function can be performed, and the traffic bandwidth can be set with the drop function, but the inspect does not, so the drop function needs to be performed after the review type policy-map calls the review type class-map. )

9. Finally, a normal policy-map is established to associate the ordinary class-map and call the policy-map of the review type to discard the regular expression content.

Policy-map url_policy

Class url_class

Inspect http url_policy_inspect

Exit

The next step is to apply it to the interface. Because we are reviewing the demand traffic, it is applied to the interface close to the data source.

Service-policy url_policy interface inside

Through the above command, you can review the http traffic in the relevant IP groups to find the demand traffic containing .you.com or .tudou.com and lose it, so as to block these two URLs.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.