1. Protecting local computers: the firewall must monitor connections to local network addresses, and only connections to hosts and services that are permitted are allowed. This can be set in the forward chain, matching on the destination address of packets in all connections the router forwards to the local network interface.
2. Protecting the router from unauthenticated access: the firewall must monitor connections to the router and allow only certain hosts to access certain TCP ports on it. This can be set in the input chain, matching on the destination address of packets in all connections that arrive on any interface and are addressed to the router.
3. Using NAT to hide the local network behind one public IP: every connection from the local network is masqueraded so that it appears to come from the router's own public address. This is done by enabling a source address translation rule with the masquerade action.
4. Enforcing the local network's policy for access to the public network: the firewall must monitor connections from local network addresses. This can be set in the forward chain, or done by masquerading only the connections that are allowed. Packet filtering has some impact on router performance. To minimize it, the filtering rules that use the TCP option non-syn-only must be placed at the top of each chain.
5. Network attacks: by the time attack traffic reaches its final target, the volume can be very large. To protect the system from collapsing under the attack, we can take the following two strategies:
(1) On the border router of the target network, use access control lists to reject ping attack packets addressed to the attacked host. This is a crude method, because once the router completely blocks ping packets to the attacked host, normal ping packets from anyone else will fail too.
(2) Filtering ping data with access control lists on the border router protects the internal network connected to the router from the attack, but the attack traffic still pours into the router and blocks its interface.
(3) Using CAR (Committed Access Rate) rate limiting on the border router of the target network is the preferable method. CAR restricts one type of packet traffic flowing into the network to a certain range, which ensures that other data passes normally.
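The difference between blocking ping with an access control list and rate limiting it with CAR can be seen in a small simulation. This is an added example, not part of the original article: the token-bucket model, the limit of 5 packets per second, the addresses and the traffic trace are all assumptions constructed for illustration.

```python
from collections import Counter, namedtuple

Packet = namedtuple("Packet", "t_ms src kind")  # arrival time (ms), source, traffic type

class PingLimiter:
    """Token bucket in integer milli-tokens: rate_pps sustained, burst packets at once."""
    def __init__(self, rate_pps, burst):
        self.rate, self.cap = rate_pps, burst * 1000
        self.tokens, self.last = self.cap, 0

    def conforms(self, t_ms):
        # rate_pps packets per second equals rate_pps milli-tokens per millisecond
        self.tokens = min(self.cap, self.tokens + (t_ms - self.last) * self.rate)
        self.last = t_ms
        if self.tokens < 1000:
            return False          # over the committed rate: drop
        self.tokens -= 1000
        return True

def acl_block_ping(trace):
    """ACL approach: every ping toward the attacked host is rejected."""
    return [p for p in trace if p.kind != "ping"]

def car_limit_ping(trace, rate_pps=5, burst=5):
    """CAR approach: only the ping class is limited; other traffic bypasses the bucket."""
    limiter = PingLimiter(rate_pps, burst)
    return [p for p in trace if p.kind != "ping" or limiter.conforms(p.t_ms)]

def constructed_trace():
    """Constructed sample: 1000 pps ping flood for 1 s, two monitoring pings, steady TCP."""
    flood = [Packet(t, "198.51.100.7", "ping") for t in range(1000, 2000)]
    monitor = [Packet(t, "192.0.2.10", "ping") for t in (0, 4000)]
    tcp = [Packet(t, "192.0.2.20", "tcp") for t in range(0, 4001, 100)]
    return sorted(flood + monitor + tcp, key=lambda p: p.t_ms)

def delivered(packets):
    """Count delivered packets per (source, traffic type)."""
    return Counter((p.src, p.kind) for p in packets)

if __name__ == "__main__":
    trace = constructed_trace()
    print("ACL:", dict(delivered(acl_block_ping(trace))))
    print("CAR:", dict(delivered(car_limit_ping(trace))))
```

Note that the limiter does not tell attack pings from normal ones: a normal ping sent while the flood is running competes for the same tokens, so what CAR guarantees is that the other traffic types keep flowing.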
That concludes today's introduction. Setting up a router well requires learning more, so if you are interested, you can read about H3C router settings.