
Configuring the blacklist function – H3C Technologies H3C SecBlade LB Cards User Manual


| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Configure TCP proxy operating mode. | Unidirectional mode: tcp-proxy mode unidirection. Bidirectional mode: undo tcp-proxy mode | Optional. By default, the TCP proxy operates in bidirectional mode. |
| 3. Enter VD system view. | switchto vd vd-name | Required for a non-default VD. |
| 4. Configure an IP address protected by TCP proxy. | tcp-proxy protected-ip destination-ip-address port [ port-number \| any ] | Optional. By default, no IP address is protected by TCP proxy. |
| 5. Enter security zone view. | zone name zone-name id zone-id | N/A |
| 6. Enable the TCP proxy function for the security zone. | tcp-proxy enable | By default, TCP proxy is disabled for a security zone. |

Configuring the blacklist function

You can configure a device to filter packets from certain IP addresses by configuring the blacklist function.

The blacklist configuration includes enabling the blacklist function and adding blacklist entries. When adding a blacklist entry, you can also configure the entry aging time. If you do not configure the aging time, the entry never ages out and exists until you delete it manually.

To configure the blacklist function:

| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Enter VD system view. | switchto vd vd-name | Required for a non-default VD. |
| 3. Enable the blacklist function. | blacklist enable | Disabled by default. |
| 4. Add a blacklist entry. | blacklist ip source-ip-address [ timeout minutes ] | Optional. The scanning attack protection function can add blacklist entries automatically. |

You can add blacklist entries manually, or configure the device to automatically add the IP addresses of detected scanning attackers to the blacklist. For the latter purpose, enable the blacklist function for the device, the scanning attack protection function, and the blacklist function for scanning attack protection.

The blacklist entries added by the scanning attack protection function age out after the aging time, which is configurable.

For the configuration of scanning attack protection, see "Configuring a scanning attack protection policy."
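
As an added example (not part of the H3C manual), the Python sketch below turns a block list into the command sequence from the blacklist table above and reports which entries would never age out because no timeout was given. The function name, the `never_block` safeguard, the IPv4-only and positive-integer timeout checks, and the sample addresses are assumptions made for illustration.

```python
import ipaddress


def build_blacklist_commands(entries, vd_name=None, never_block=()):
    """Return (commands, permanent) for the blacklist procedure above.

    entries: iterable of (source_ip, timeout_minutes or None). None means no
    aging time, so the entry stays until it is deleted manually.
    never_block: networks that must not be blacklisted, for example the
    management subnet (hypothetical safeguard, not a device feature).
    """
    protected = [ipaddress.ip_network(n) for n in never_block]
    commands = ["system-view"]
    if vd_name:  # step 2 is only required for a non-default VD
        commands.append(f"switchto vd {vd_name}")
    commands.append("blacklist enable")

    seen = set()
    permanent = []
    for raw_ip, timeout in entries:
        # Assumption: IPv4 only. Raises ValueError on malformed input.
        ip = ipaddress.IPv4Address(raw_ip.strip())
        if ip in seen:
            continue  # skip duplicates instead of re-issuing the command
        if any(ip in net for net in protected):
            raise ValueError(f"{ip} is inside a never-block network")
        if timeout is None:
            commands.append(f"blacklist ip {ip}")
            permanent.append(str(ip))
        else:
            # Assumption: the page does not state the valid range, so only
            # a positive whole number of minutes is required here.
            if not isinstance(timeout, int) or timeout < 1:
                raise ValueError(f"timeout for {ip} must be a positive integer")
            commands.append(f"blacklist ip {ip} timeout {timeout}")
        seen.add(ip)
    return commands, permanent


# Constructed sample input using documentation address ranges.
SAMPLE = [("192.0.2.10", 30), ("198.51.100.7", None), ("192.0.2.10", 30)]

if __name__ == "__main__":
    cmds, permanent = build_blacklist_commands(
        SAMPLE, never_block=["203.0.113.0/24"])
    print("\n".join(cmds))
    print("Entries that never age out:", ", ".join(permanent))
```

Reviewing the permanent list before applying the commands makes manually added entries without a timeout visible, since those remain until someone deletes them.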
