1、域基本分为:local、trust、dmz、untrust这四个是系统自带不能删除,除了这四个域之外,还可以自定义域。
2、域等级local>trust>dmz>untrust,自定义的域的优先级是可以自己调节的。
3、域与域之间如果不做策略默认是deny的,即任何数据如果不做策略是通不过的,如果是在同一区域的就相当于二层交换机一样直接转发。
4、当域与域之间有inbound和outbound区分,那怎么样方向的算是inbound,什么方向算是outbound呢?华为定义了优先级地的域向优先级高的域方向就是inbound,反之就是outbound,举个例子:
假如我要在untrust和trust这两个域之间做inbound和outbound策略:
policy interzone trust untrust inbound //untrust是源,trust是目标(低优先级向高优先级)
policy 1
action permit
policy service service-set permitport
policy 1
action permit
policy service service-set permitport
policy 2
action permit
policy service service-set ping
action permit
policy service service-set ping
policy 3
action deny
#
policy interzone trust untrust outbound//trust是源,untrust是目标(高优先级向低优先级)
policy 1
action permit
policy service service-set permitport
action deny
#
policy interzone trust untrust outbound//trust是源,untrust是目标(高优先级向低优先级)
policy 1
action permit
policy service service-set permitport
policy 2
action permit
policy service service-set ping
action permit
policy service service-set ping
为什么要定义inbound和outbound呢?因为有时候你想单向限制某些行为!这是防火墙比路由器能做到更细化的策略。呵呵