首页
留言板
关于本站
Search
1
实现网站页面秒开-预加载JS脚本instant.page
56,547 阅读
2
解决Windows连接PPTP/L2TP时无法连接上外网Internet的困扰
55,615 阅读
3
Typecho通过阿里邮件推送和LoveKKComment插件实现评论邮件通知
39,412 阅读
4
如何做到网页性能的极致优化?
29,682 阅读
5
回村无网络之-《无线网桥使用记》
29,588 阅读
路由交换
华为笔记
华三笔记
Mikrotik笔记
中兴笔记
Linux
Nginx
数据库
typecho
WordPress
资源分享
网站技术
Windows
other
未分类
登录
Search
标签搜索
路由交换
运维
linux
ROS
mikrotik
华为
软路由
WordPress
ospf
路由
网站
centos
php
ARP
交换
nssa
typecho
广播风暴
Nginx
dns
Ledo
累计撰写
61
篇文章
累计收到
1,024
条评论
首页
栏目
路由交换
华为笔记
华三笔记
Mikrotik笔记
中兴笔记
Linux
Nginx
数据库
typecho
WordPress
资源分享
网站技术
Windows
other
未分类
页面
留言板
关于本站
搜索到
1
篇与
的结果
2013-06-02
RouterOS 官方防火墙脚本
#使用方法:将此文本文件扩展名改为 .rsc #登录你的ROS的FTP,上传此文件 #在控制台(可用winbox 里的New Terminal)执行命令: # /import ROSofficial.rsc#注意这里的设置中假定你的外网网卡的名字是 internet #需要视情况修改(查找 / 替换)。#关于TCP连接的一些设置,主要是减少连接的存活时间 / ip firewall connection tracking set enabled=yes tcp-syn-sent-timeout=1m tcp-syn-received-timeout=1m \ tcp-established-timeout=1d tcp-fin-wait-timeout=10s \ tcp-close-wait-timeout=10s tcp-last-ack-timeout=10s \ tcp-time-wait-timeout=10s tcp-close-timeout=10s udp-timeout=10s \ udp-stream-timeout=3m icmp-timeout=10s generic-timeout=10m#删除已有的防火墙(如果有的话) :foreach i in [/ip firewall filter find] do {/ip firewall filter remove $i}#导入 RouterOS 官方防火墙脚本,这是神仙在bbs.router.net.cn上看到的。 #http://www.router.net.cn/softrouter/RouterOS/200602/3807.html #参考manual.pdf P383/615 , 396/628 # TCP/UDP packets with different destination ports coming from the same host would be treated as port scan sequence #在短时间内从同一地址用不断变化的端口向本机发送大量数据包,视为端口扫描 #短时间内同时建立大量TCP连接(超过10) ,视为 DoS 拒绝服务攻击, 进黑名单一天! #黑名单上的只能建立三个并发连接, tarpit,是不是打太极 :-) #内网的数据包不转发 #禁止从路由主机ping外网/ ip firewall filter#针对路由主机的,input add chain=input connection-state=established action=accept comment="accept established connection packets" disabled=no add chain=input connection-state=related action=accept comment="accept related connection packets" disabled=no add chain=input connection-state=invalid action=drop comment="drop invalid packets" disabled=no add chain=input protocol=tcp psd=21,3s,3,1 action=drop comment="detect and drop port scan connections" disabled=no add chain=input protocol=tcp connection-limit=3,32 src-address-list=black_list action=tarpit comment="suppress DoS attack" disabled=no add chain=input protocol=tcp connection-limit=10,32 action=add-src-to-address-list address-list=black_list address-list-timeout=1d comment="detect DoS attack" disabled=no add chain=input dst-address-type=!local action=drop comment="drop all that is not to local" disabled=no add chain=input src-address-type=!unicast action=drop comment="drop all that is not from unicast" disabled=no add chain=input protocol=icmp action=jump jump-target=ICMP comment="jump to chain ICMP" disabled=no add chain=input action=jump jump-target=services comment="jump to chain services" disabled=no add chain=input action=log log-prefix="input" comment="log everything else" disabled=yes add chain=input action=drop comment="drop everything else" disabled=no#针对ICMP数据包 add chain=ICMP protocol=icmp icmp-options=0:0-255 limit=5,5 action=accept comment="0:0 allow ping and limit for 5pac/s" disabled=no add chain=ICMP protocol=icmp icmp-options=3:3 limit=5,5 action=accept comment="3:3 allow trace and limit for 5pac/s" disabled=no add chain=ICMP protocol=icmp icmp-options=3:4 limit=5,5 action=accept comment="3:4 allow MTU discovery and limit for 5pac/s" disabled=no add chain=ICMP protocol=icmp icmp-options=8:0-255 limit=5,5 action=accept comment="8:0 and limit for 5pac/s" disabled=no add chain=ICMP protocol=icmp icmp-options=11:0-255 limit=5,5 action=accept comment="11:0 allow TTL exceeded and limit for 5pac/s" disabled=no add chain=ICMP protocol=icmp action=drop comment="Drop everything else" disabled=no#路由主机上开启的一些端口,用于路由器上的网络服务。默认没有启用几个 add chain=services src-address=127.0.0.1 dst-address=127.0.0.1 action=accept comment="accept localhost" disabled=no add chain=services protocol=tcp dst-port=20-21 action=accept comment="allow ftp" disabled=no add chain=services protocol=tcp dst-port=22 action=accept comment="allow sftp, ssh" disabled=no add chain=services protocol=tcp dst-port=23 action=accept comment="allow telnet" disabled=no add chain=services protocol=tcp dst-port=80 action=accept comment="allow http, webbox" disabled=no add chain=services protocol=tcp dst-port=8291 action=accept comment="Allow winbox" disabled=no add chain=services protocol=udp dst-port=20561 action=accept comment="allow MACwinbox " disabled=no add chain=services src-address=159.148.172.205 protocol=tcp dst-port=7828 action=accept comment="..." disabled=no # add chain=services protocol=tcp dst-port=2000 action=accept comment="Bandwidth server" disabled=yes add chain=services protocol=udp dst-port=5678 action=accept comment=" MT Discovery Protocol" disabled=yes add chain=services protocol=tcp dst-port=53 action=accept comment="allow DNS request" disabled=yes add chain=services protocol=udp dst-port=53 action=accept comment="Allow DNS request" disabled=yes add chain=services protocol=udp dst-port=1701 action=accept comment="allow L2TP" disabled=yes add chain=services protocol=tcp dst-port=1723 action=accept comment="allow PPTP" disabled=yes add chain=services protocol=gre action=accept comment="allow PPTP and EoIP" disabled=yes add chain=services protocol=ipencap action=accept comment="allow IPIP" disabled=yes add chain=services protocol=udp dst-port=1900 action=accept comment="UPnP" disabled=yes add chain=services protocol=tcp dst-port=2828 action=accept comment="UPnP" disabled=yes add chain=services protocol=udp dst-port=67-68 action=accept comment="allow DHCP" disabled=yes add chain=services protocol=tcp dst-port=8080 action=accept comment="allow Web Proxy" disabled=yes add chain=services protocol=tcp dst-port=123 action=accept comment="allow NTP" disabled=yes add chain=services protocol=tcp dst-port=161 action=accept comment="allow SNMP" disabled=yes add chain=services protocol=tcp dst-port=443 action=accept comment="allow https for Hotspot" disabled=yes add chain=services protocol=tcp dst-port=1080 action=accept comment="allow Socks for Hotspot" disabled=yes add chain=services protocol=udp dst-port=500 action=accept comment="allow IPSec connections" disabled=yes add chain=services protocol=ipsec-esp action=accept comment="allow IPSec" disabled=yes add chain=services protocol=ipsec-ah action=accept comment="allow IPSec" disabled=yes add chain=services protocol=tcp dst-port=179 action=accept comment="Allow BGP" disabled=yes add chain=services protocol=udp dst-port=520-521 action=accept comment="allow RIP" disabled=yes add chain=services protocol=ospf action=accept comment="allow OSPF" disabled=yes add chain=services protocol=udp dst-port=5000-5100 action=accept comment="allow BGP" disabled=yes add chain=services protocol=tcp dst-port=1720 action=accept comment="allow Telephony" disabled=yes add chain=services protocol=udp dst-port=1719 action=accept comment="allow Telephony" disabled=yes add chain=services protocol=vrrp action=accept comment="allow VRRP " disabled=yes#丢弃已知的病毒特征包 virus add chain=virus protocol=tcp dst-port=135-139 action=drop comment="Drop Blaster Worm" disabled=no add chain=virus protocol=udp dst-port=135-139 action=drop comment="Drop Messenger Worm" disabled=no add chain=virus protocol=tcp dst-port=445 action=drop comment="Drop Blaster Worm" disabled=no add chain=virus protocol=udp dst-port=445 action=drop comment="Drop Blaster Worm" disabled=no add chain=virus protocol=tcp dst-port=593 action=drop comment="________" disabled=no add chain=virus protocol=tcp dst-port=1024-1030 action=drop comment="________" disabled=no add chain=virus protocol=tcp dst-port=1080 action=drop comment="Drop MyDoom" disabled=no add chain=virus protocol=tcp dst-port=1214 action=drop comment="________" disabled=no add chain=virus protocol=tcp dst-port=1363 action=drop comment="ndm requester" disabled=no add chain=virus protocol=tcp dst-port=1364 action=drop comment="ndm server" disabled=no add chain=virus protocol=tcp dst-port=1368 action=drop comment="screen cast" disabled=no add chain=virus protocol=tcp dst-port=1373 action=drop comment="hromgrafx" disabled=no add chain=virus protocol=tcp dst-port=1377 action=drop comment="cichlid" disabled=no add chain=virus protocol=tcp dst-port=1433-1434 action=drop comment="Worm" disabled=no add chain=virus protocol=tcp dst-port=2745 action=drop comment="Bagle Virus" disabled=no add chain=virus protocol=tcp dst-port=2283 action=drop comment="Drop Dumaru.Y" disabled=no add chain=virus protocol=tcp dst-port=2535 action=drop comment="Drop Beagle" disabled=no add chain=virus protocol=tcp dst-port=2745 action=drop comment="Drop Beagle.C-K" disabled=no add chain=virus protocol=tcp dst-port=3127-3128 action=drop comment="Drop MyDoom" disabled=no add chain=virus protocol=tcp dst-port=3410 action=drop comment="Drop Backdoor OptixPro" disabled=no add chain=virus protocol=tcp dst-port=4444 action=drop comment="Worm" disabled=no add chain=virus protocol=udp dst-port=4444 action=drop comment="Worm" disabled=no add chain=virus protocol=tcp dst-port=5554 action=drop comment="Drop Sasser" disabled=no add chain=virus protocol=tcp dst-port=8866 action=drop comment="Drop Beagle.B" disabled=no add chain=virus protocol=tcp dst-port=9898 action=drop comment="Drop Dabber.A-B" disabled=no add chain=virus protocol=tcp dst-port=10000 action=drop comment="Drop Dumaru.Y" disabled=no add chain=virus protocol=tcp dst-port=10080 action=drop comment="Drop MyDoom.B" disabled=no add chain=virus protocol=tcp dst-port=12345 action=drop comment="Drop NetBus" disabled=no add chain=virus protocol=tcp dst-port=17300 action=drop comment="Drop Kuang2" disabled=no add chain=virus protocol=tcp dst-port=27374 action=drop comment="Drop SubSeven" disabled=no add chain=virus protocol=tcp dst-port=65506 action=drop comment="Drop PhatBot, Gaobot" disabled=no#转发的数据包 forward add chain=forward connection-state=established action=accept comment="accept established packets" disabled=no add chain=forward connection-state=related action=accept comment="accept related packets" disabled=no add chain=forward connection-state=invalid action=drop comment="drop invalid packets" disabled=no add chain=forward src-address-type=!unicast action=drop comment="drop all that is not from unicast" disabled=no add chain=forward in-interface=internet src-address-list=not_in_internet action=drop comment="drop data from bogon IP's" disabled=no add chain=forward in-interface=!internet dst-address-list=not_in_internet action=drop comment="drop data to bogon IP's" disabled=no add chain=forward protocol=icmp action=jump jump-target=ICMP comment="jump to chain ICMP" disabled=no add chain=forward action=jump jump-target=virus comment="jump to virus chain" disabled=no add chain=forward action=accept comment="Accept everything else" disabled=no#从路由主机访问外网的数据包 output add chain=output connection-state=invalid action=drop comment="drop invalid packets" disabled=no add chain=output connection-state=related action=accept comment="accept related packets" disabled=no add chain=output connection-state=established action=accept comment="accept established packets" disabled=no add chain=output action=drop comment="Drop all connections from this router" disabled=no#定义内网特殊地址列表 bogon IP / ip firewall address-list add list=not_in_internet address=0.0.0.0/8 comment="" disabled=no add list=not_in_internet address=172.16.0.0/12 comment="" disabled=no add list=not_in_internet address=192.168.0.0/16 comment="" disabled=no add list=not_in_internet address=10.0.0.0/8 comment="" disabled=no add list=not_in_internet address=169.254.0.0/16 comment="" disabled=no add list=not_in_internet address=127.0.0.0/8 comment="" disabled=no add list=not_in_internet address=224.0.0.0/3 comment="" disabled=no#默认设置,没什么改变 connection helper / ip firewall service-port set ftp ports=21 disabled=no set tftp ports=69 disabled=no set irc ports=6667 disabled=no set h323 disabled=yes set quake3 disabled=no set mms disabled=no set gre disabled=yes set pptp disabled=yes
2013年06月02日
6,319 阅读
0 评论
0 点赞