CCIE那点事-李萧明

The blog has moved to www.jdccie.com. CCIE那点事, coming soon.

 
 
 

Juniper firewall CLI troubleshooting tool (debug flow basic)

2011-01-18 16:49:00 | Category: Juniper

Compared with other firewalls, Juniper firewalls offer a number of useful troubleshooting tools; one of them is debug flow basic. An example of how to use it follows:

1. First set a flow filter so that the firewall only analyses the packets you are interested in, using the set ffilter command:
ns208-> set ffilter ?
<return>
dst-ip         flow filter dst ip
dst-port     flow filter dst port
ip-proto     flow filter ip proto
src-ip         flow filter src ip
src-port     flow filter src port

ns208-> set ffilter src-ip 192.168.1.10
filter added

ns208-> get ff
Flow filter based on:
id:0 src ip 192.168.1.10

ns208-> set ffilter src-ip 192.168.1.11
filter added

ns208-> get ff
Flow filter based on:
id:0 src ip 192.168.1.10
id:1 src ip 192.168.1.11

Notice the result: running set ffilter twice produces two filter entries, and the two entries are ORed together. If instead you enter

set ffilter src-ip 192.168.1.11 dst-ip 194.73.82.242 on a single line, the conditions are ANDed.

2. Enable the debug
ns208-> debug flow basic

3. Send test packets, or let a small amount of traffic pass through the firewall

4. Stop the debug
ns208-> undebug all

5. Examine the firewall's analysis of the forwarded packets that matched the filter:
ns208-> get db stream

****** 12553.0: <Trust/ethernet1> packet received [60]****** Packet arrived on the eth1 interface
ipid = 29503(733f), @d7806910 IP id
packet passed sanity check.
ethernet1:192.168.1.10/1280->194.73.82.242/512,1(8/0)<Root> Src IP, Port, Dst IP, port incl Protocol 1
chose interface ethernet1 as incoming nat if. Int eth1 is placed in NAT mode
search route to (192.168.1.10->194.73.82.242) in vr trust-vr for vsd-0/flag-0/ifp-null Route lookup in trust-vr
route 194.73.82.242->1.1.1.2, to ethernet3 route found to gateway 1.1.1.2 exiting interface int eth3
routed (194.73.82.242, 0.0.0.0) from ethernet1 (ethernet1 in 0) to ethernet3 packet routed
policy search from zone 2-> zone 1 Policy lookup performed from Trust (2) to Untrust (1)
Permitted by policy 3 matched policy ID 3
choose interface ethernet3 as outgoing phy if choose physical interface eth3
no loop on ifp ethernet3.
session application type 0, name None, timeout 60sec session timeout set to 60 seconds for ICMP
service lookup identified service 0. service lookup performed
existing vector list 1-559ef00.
Session (id:76) created for first pak 1 Create session with ID 76
route to 1.1.1.2 Routed packet to 1.1.1.2
arp entry found for 1.1.1.2 Already had ARP entry for 1.1.1.2
nsp2 wing prepared, ready
cache mac in the session Cached MAC address in the session
flow got session.
flow session id 76
post addr xlation: 1.1.1.1->194.73.82.242. Translate src address to egress interface IP
packet send out to 0010db103041 through ethernet3 Packet sent out on the wire

6. Clear the debug output buffered on the firewall:
ns208-> clear db

7. Remove the flow filter
ns208-> unset ffilter 0
ns208-> get ffilter
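As an added example (not from the post and not Juniper code), here is a small Python parser that collapses the get db stream trace from step 5 into a summary of the decisions the firewall took, plus a helper that models the AND/OR semantics of set ffilter described in step 1. The regexes cover only the message formats visible in this trace; the sample input is an excerpt of the post's own output with the inline annotations removed.

```python
import re

# Sample input: an excerpt of the trace shown in the post (one ICMP packet from
# 192.168.1.10 to 194.73.82.242 through the ns208), with the inline annotations removed.
TRACE = """\
****** 12553.0: <Trust/ethernet1> packet received [60]******
packet passed sanity check.
ethernet1:192.168.1.10/1280->194.73.82.242/512,1(8/0)<Root>
route 194.73.82.242->1.1.1.2, to ethernet3
policy search from zone 2-> zone 1
Permitted by policy 3
Session (id:76) created for first pak 1
post addr xlation: 1.1.1.1->194.73.82.242.
packet send out to 0010db103041 through ethernet3
"""

IP = r"\d+(?:\.\d+){3}"  # exactly four octets, so the trailing '.' on the NAT line is not swallowed

# One regex per line type worth keeping; every named group becomes a field of the summary.
PATTERNS = {
    "ingress": re.compile(r"<(?P<in_zone>\w+)/(?P<in_if>[\w.]+)> packet received \[(?P<length>\d+)\]"),
    "tuple": re.compile(rf"^[\w.]+:(?P<src>{IP})/(?P<sport>\d+)->(?P<dst>{IP})/(?P<dport>\d+),(?P<proto>\d+)"),
    "route": re.compile(rf"^route (?P<route_dst>{IP})->(?P<gateway>{IP}), to (?P<out_if>[\w.]+)"),
    "zones": re.compile(r"^policy search from zone (?P<from_zone>\d+)-> zone (?P<to_zone>\d+)"),
    "policy": re.compile(r"^Permitted by policy (?P<policy_id>\d+)"),
    "session": re.compile(r"^Session \(id:(?P<session_id>\d+)\) created"),
    "nat": re.compile(rf"^post addr xlation: (?P<nat_src>{IP})->(?P<nat_dst>{IP})"),
    "egress": re.compile(r"^packet send out to (?P<next_mac>[0-9a-f]+) through (?P<egress_if>[\w.]+)"),
}

def parse_flow_trace(text):
    """Collapse one packet's debug-flow trace into a flat dict of the decisions the firewall took."""
    summary = {"permitted": False}  # no 'Permitted by policy' line means the packet was not allowed
    for line in text.splitlines():
        for name, pattern in PATTERNS.items():
            match = pattern.search(line)
            if match:
                summary.update(match.groupdict())
                if name == "policy":
                    summary["permitted"] = True
    # Source NAT took place if the post-translation source differs from the original source.
    summary["src_nat"] = "nat_src" in summary and summary["nat_src"] != summary.get("src")
    return summary

def ffilter_matches(filters, packet):
    """ffilter semantics from the post: fields given on one 'set ffilter' line are ANDed,
    separate filter ids are ORed. Filter keys use the summary field names (src, dst, sport, ...)."""
    return any(all(packet.get(field) == value for field, value in f.items()) for f in filters)
```

Running parse_flow_trace(TRACE) on the sample yields the ingress zone and interface, the 5-tuple, the gateway and egress interface, the matching policy id, the session id and the NAT translation in one dict, which is easier to compare across several captured packets than the raw stream.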