Operation Manual - Security Defence
H3C SecPath F1800-A Firewall
II. Enabling the SYN Flood Attack Defence
1) Networking requirements
Deploy the SecPath F1800-A in the network. Add Ethernet 0/0/0 to the trust zone,
Ethernet 0/1/0 to the untrust zone, and Ethernet 1/0/0 to the DMZ zone.
Enable SYN Flood attack defence for the server in the DMZ zone.
2) Networking diagram
Refer to Figure 2-4.
3) Configuration procedures
# Configure the Ethernet 0/0/0 on the firewall.
[SecPath] interface Ethernet 0/0/0
[SecPath-Ethernet0/0/0] ip address 192.168.1.1 255.255.255.0
# Configure the Ethernet 0/1/0 on the firewall.
[SecPath] interface Ethernet 0/1/0
[SecPath-Ethernet0/1/0] ip address 202.1.0.1 255.255.0.0
# Configure the Ethernet 1/0/0 on the firewall.
[SecPath] interface Ethernet 1/0/0
[SecPath-Ethernet1/0/0] ip address 10.0.0.1 255.0.0.0
# Add the Ethernet 0/0/0 to the trust zone.
[SecPath] firewall zone trust
[SecPath-zone-trust] add interface Ethernet 0/0/0
# Add the Ethernet 0/1/0 to the untrust zone.
[SecPath] firewall zone untrust
[SecPath-zone-untrust] add interface Ethernet 0/1/0
# Add the Ethernet 1/0/0 to the DMZ zone.
[SecPath] firewall zone dmz
[SecPath-zone-dmz] add interface Ethernet 1/0/0
# Enable the inbound IP statistics in the DMZ zone.
[SecPath] firewall zone dmz
[SecPath-zone-dmz] statistic enable ip inzone
# Enable the global SYN Flood attack defence.
[SecPath-zone-dmz] quit
[SecPath] firewall defend syn-flood enable
# Enable the SYN Flood attack defence on the server at 10.110.1.1, set the maximum connection rate of SYN packets to 500 packets per second, and enable the TCP proxy manually.
[SecPath] firewall defend syn-flood ip 10.110.1.1 max-rate 500 tcp-proxy on
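The following check is an added example, not part of the H3C manual: it parses the commands from the procedure above (prompts stripped, sample constructed from this page) and reports per-IP SYN Flood entries that lack the steps the procedure performs first. Treating the global enable and the inbound IP statistics in the server's zone as prerequisites is an assumption drawn from the order of the steps, and `audit_syn_flood` is a hypothetical helper name.

```python
import ipaddress
import re

# Constructed sample: the commands from the procedure above, prompts stripped.
SAMPLE = """\
interface Ethernet 0/0/0
ip address 192.168.1.1 255.255.255.0
interface Ethernet 0/1/0
ip address 202.1.0.1 255.255.0.0
interface Ethernet 1/0/0
ip address 10.0.0.1 255.0.0.0
firewall zone trust
add interface Ethernet 0/0/0
firewall zone untrust
add interface Ethernet 0/1/0
firewall zone dmz
add interface Ethernet 1/0/0
firewall zone dmz
statistic enable ip inzone
firewall defend syn-flood enable
firewall defend syn-flood ip 10.110.1.1 max-rate 500 tcp-proxy on
"""

def audit_syn_flood(config: str) -> list[str]:
    """Return findings for the syn-flood entries in a config (hypothetical helper)."""
    nets, zone_of, stats, protected = {}, {}, set(), []
    global_on, iface, zone = False, None, None
    for line in map(str.strip, config.splitlines()):
        if m := re.fullmatch(r"interface (\S+ \S+)", line):
            iface, zone = m[1], None          # entering an interface view
        elif m := re.fullmatch(r"ip address (\S+) (\S+)", line):
            nets[iface] = ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
        elif m := re.fullmatch(r"firewall zone (\S+)", line):
            zone, iface = m[1], None          # entering a zone view
        elif m := re.fullmatch(r"add interface (\S+ \S+)", line):
            zone_of[m[1]] = zone
        elif line == "statistic enable ip inzone":
            stats.add(zone)
        elif line == "firewall defend syn-flood enable":
            global_on = True
        elif m := re.fullmatch(r"firewall defend syn-flood ip (\S+) .*", line):
            protected.append(ipaddress.ip_address(m[1]))
    findings = [] if global_on else ["global syn-flood defence not enabled"]
    for ip in protected:
        # Zones whose interface subnet contains the protected server address.
        zones = {zone_of[i] for i, n in nets.items() if ip in n and i in zone_of}
        if not zones & stats:
            findings.append(f"{ip}: no zone with inbound IP statistics covers it")
    return findings
```

An empty result for the page's configuration means every protected address sits behind a zone with inbound IP statistics and the global switch is on.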
Chapter 2 Security Policy