hfwangfei posted on 2007-9-10 16:18:38

Firewall prevents online banking from working
I'm running ROS 2.9.27 and added some firewall scripts. Browsing works fine, but with any bank's online banking, once I log in the pages won't open. Having no other option, I deleted all the firewall scripts and it worked again, but I still need the firewall, and I don't know which rule is the culprit. Hoping someone can help me take a look! Thanks in advance!!
Here is the script I'm currently using:


# sep/10/2007 15:31:26 by RouterOS 2.9.27
# software id = TY0C-IGN
#
/ ip firewall filter
add chain=output protocol=icmp action=drop comment="Drop outside Ping" \
    disabled=no
add chain=input in-interface=WAN protocol=icmp action=drop comment="NO DDOS" \
    disabled=no
add chain=forward src-mac-address=00:F4:28:60:70:03 action=drop comment="禁止 \
    mac 00-f4-60-70-03IP172.16.0.201因为ping 值188ms 不正常" disabled=no
add chain=input connection-state=invalid action=drop \
    comment="丢弃非法连接packets" disabled=no
add chain=input protocol=tcp psd=21,3s,3,1 action=drop \
    comment="探测并丢弃端口扫描连接" disabled=no
add chain=input protocol=tcp connection-limit=3,32 src-address-list=black_list \
    action=tarpit comment="压制DoS攻击" disabled=no
add chain=input protocol=tcp connection-limit=10,32 \
    action=add-src-to-address-list address-list=black_list \
    address-list-timeout=1d comment="探测DoS攻击" disabled=no
add chain=input dst-address-type=!local action=drop comment="丢弃掉非本地数据" \
    disabled=no
add chain=input src-address-type=!unicast action=drop \
    comment="丢弃掉所有非单播数据" disabled=no
add chain=ICMP protocol=icmp icmp-options=0:0-255 limit=5,5 action=accept \
    comment="Ping应答限制为每秒5个包" disabled=no
add chain=ICMP protocol=icmp icmp-options=3:3 limit=5,5 action=accept \
    comment="Traceroute限制为每秒5个包" disabled=no
add chain=ICMP protocol=icmp icmp-options=3:4 limit=5,5 action=accept \
    comment="MTU线路探测限制为每秒5个包" disabled=no
add chain=ICMP protocol=icmp icmp-options=8:0-255 limit=5,5 action=accept \
    comment="Ping请求限制为每秒5个包" disabled=no
add chain=ICMP protocol=icmp icmp-options=11:0-255 limit=5,5 action=accept \
    comment="Trace TTL限制为每秒5个包" disabled=no
add chain=forward connection-state=established action=accept \
    comment="接受以连接的数据包" disabled=no
add chain=forward connection-state=related action=accept \
    comment="接受相关数据包" disabled=no
add chain=forward connection-state=invalid action=drop \
    comment="丢弃非法数据包" disabled=no
add chain=forward src-address-type=!unicast action=drop \
    comment="丢弃掉所有非单播数据" disabled=no
add chain=input dst-address-type=!local action=drop comment="drop all that is \
    not to local" disabled=no
add chain=forward protocol=icmp action=jump jump-target=ICMP \
    comment="跳转到ICMP链表" disabled=no
add chain=input connection-state=established action=accept \
    comment="本机数据安全" disabled=no
add chain=input connection-state=related action=accept comment="" disabled=no
add chain=input connection-state=invalid action=drop comment="丢弃明显异常包" \
    disabled=no
add chain=input dst-address-type=!local action=drop \
    comment="丢弃目标非本机的包" disabled=no
add chain=input src-address-type=!unicast action=drop comment="丢弃多播包" \
    disabled=no
add chain=input protocol=tcp psd=21,3s,3,1 action=drop comment="屏蔽黑名单" \
    disabled=no
add chain=input protocol=tcp connection-limit=10,32 \
    action=add-src-to-address-list address-list=black_list \
    address-list-timeout=1d \
    comment="短时间内同时建立大量TCP连接\(超过10\),视为DoS拒绝服务攻击,进黑名单\
    一天" disabled=no
add chain=input protocol=tcp connection-limit=3,32 src-address-list=black_list \
    action=tarpit comment="黑名单上的只能建立3个并发连接" disabled=no
add chain=forward dst-address=62.241.53.15 action=drop comment="垃圾网站" \
    disabled=no
add chain=forward action=jump jump-target=virus comment="跳转到病毒链表" \
    disabled=no
add chain=input protocol=udp dst-port=134-139 action=drop comment="NO 3B" \
    disabled=no
add chain=forward protocol=udp dst-port=134-139 action=drop comment="" \
    disabled=no
add chain=input protocol=tcp dst-port=134-139 action=drop comment="" \
    disabled=no
add chain=forward protocol=tcp dst-port=134-139 action=drop comment="" \
    disabled=no
add chain=forward protocol=tcp dst-port=445 action=drop comment="" disabled=no
add chain=forward protocol=udp dst-port=500 action=drop comment="" disabled=no
add chain=input protocol=tcp dst-port=445 action=drop comment="" disabled=no
add chain=input protocol=udp dst-port=500 action=drop comment="" disabled=no
add chain=virus protocol=tcp dst-port=5031 action=drop comment="" disabled=no
add chain=virus protocol=tcp dst-port=5321 action=drop comment="" disabled=no
add chain=virus protocol=tcp dst-port=2774 action=drop comment="" disabled=no
add chain=virus protocol=tcp dst-port=1234 action=drop comment="" disabled=no
add chain=virus protocol=tcp dst-port=6711-6713 action=drop comment="" \
    disabled=no
add chain=virus protocol=tcp dst-port=8011 action=drop comment="" disabled=no
add chain=virus protocol=tcp dst-port=7626 action=drop comment="" disabled=no
add chain=virus protocol=tcp dst-port=5714 action=drop comment="" disabled=no
add chain=virus protocol=tcp dst-port=2004-2005 action=drop comment="" \
    disabled=no
add chain=virus protocol=tcp dst-port=5598 action=drop comment="" disabled=no
add chain=virus protocol=tcp dst-port=5698 action=drop comment="" disabled=no
add chain=virus protocol=tcp dst-port=3586 action=drop comment="" disabled=no
add chain=virus protocol=tcp dst-port=3127-3128 action=drop comment="" \
    disabled=no
add chain=virus protocol=tcp dst-port=2745 action=drop comment="" disabled=no
add chain=virus protocol=tcp dst-port=5554 action=drop comment="" disabled=no
add chain=virus protocol=tcp dst-port=9996 action=drop comment="" disabled=no
add chain=virus protocol=tcp dst-port=9995 action=drop comment="" disabled=no
add chain=virus protocol=tcp dst-port=1092 action=drop comment="" disabled=no
add chain=virus protocol=tcp dst-port=1363-1364 action=drop comment="" \
    disabled=no
add chain=virus protocol=tcp dst-port=1373 action=drop comment="" disabled=no
add chain=virus protocol=udp dst-port=8998 action=drop comment="" disabled=no
add chain=virus protocol=udp dst-port=123 action=drop comment="" disabled=no
add chain=virus protocol=tcp dst-port=1024-1030 action=drop comment="" \
    disabled=no
add chain=virus protocol=tcp dst-port=1433-1434 action=drop comment="Worm" \
    disabled=no
add chain=virus protocol=tcp dst-port=10080 action=drop comment="" disabled=no
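One way to find out which rule a given packet hits in an export like the one above, as an added example (Python, not from the thread or from MikroTik): it parses the RouterOS export syntax, including backslash line continuation, and walks the forward chain in order, following jumps. The sample rules are constructed and modelled on the poster's forward/virus chains; stateful matchers such as psd and connection-limit are treated as not matching a fresh packet.

```python
import re
# Constructed sample in RouterOS 2.9 export syntax (trailing backslash = line continuation),
# modelled on the forward/virus chains of the ruleset posted above; not the poster's full script.
EXPORT = r"""
/ ip firewall filter
add chain=forward connection-state=established action=accept \
    comment="accept established" disabled=no
add chain=forward action=jump jump-target=virus comment="" disabled=no
add chain=forward protocol=tcp dst-port=445 action=drop comment="" disabled=no
add chain=virus protocol=tcp dst-port=1024-1030 action=drop comment="" disabled=no
add chain=virus protocol=udp dst-port=123 action=drop comment="" disabled=no
"""

# Matchers the tracer understands; a rule using anything else (psd, connection-limit, src-mac-address, ...) is treated as not matching.
KNOWN = {"chain", "action", "jump-target", "comment", "disabled",
         "protocol", "connection-state", "in-interface", "dst-address", "dst-port"}
TERMINATING = {"accept", "drop", "reject", "tarpit"}  # log / add-src-to-address-list pass through

def parse_rules(text):
    """Join backslash-continued lines, then turn each 'add ...' line into a dict of key=value."""
    joined = re.sub(r"\\\n\s*", " ", text)
    pairs = [re.findall(r'(\S+?)=("(?:[^"\\]|\\.)*"|\S+)', ln)
             for ln in joined.splitlines() if ln.startswith("add ")]
    return [{k: v.strip('"') for k, v in p} for p in pairs]

def port_matches(spec, port):
    """dst-port is one port or a range like 1024-1030 (RouterOS 2.9 syntax)."""
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

def rule_matches(rule, pkt):
    if any(k not in KNOWN for k in rule):
        return False
    for key in ("protocol", "connection-state", "in-interface", "dst-address"):
        if key in rule and rule[key] != pkt.get(key):
            return False
    return "dst-port" not in rule or port_matches(rule["dst-port"], pkt.get("dst-port", -1))

def evaluate(rules, chain, pkt):
    """First terminating rule in `chain`, or None when the packet falls through (a filter chain's default is accept)."""
    for rule in rules:
        if rule.get("chain") != chain or rule.get("disabled") == "yes" or not rule_matches(rule, pkt):
            continue
        if rule["action"] == "jump":
            hit = evaluate(rules, rule["jump-target"], pkt)  # return here if the target chain falls through
            if hit:
                return hit
        elif rule["action"] in TERMINATING:
            return rule
    return None
```

Run `evaluate(parse_rules(EXPORT), "forward", {"protocol": "tcp", "dst-port": 443, "connection-state": "new"})` to confirm that HTTPS to a bank falls through untouched, while the same packet to port 445 or a UDP/123 packet is dropped.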

tpy372 posted on 2007-9-10 16:28:26

Lazy bones, can't you disable them one at a time? Be a bit smarter and disable half at a time.

hfwangfei posted on 2007-9-10 16:34:23

Tell me something I don't know

The thing is, after I enabled all of them again it worked fine. You see, it's not as if the symptom shows up the moment you enable a rule.. frustrating

tpy372 posted on 2007-9-10 18:13:05

Can't you clear the connections??? Takes effect immediately???

zooyo posted on 2007-9-10 19:26:23

Why use a firewall at all if you don't need to.

hfwangfei posted on 2007-9-12 09:53:12

Nobody wants to hear that

Moderator, sir: what you said is not something people want to hear. When ROS users run into problems they come here asking everyone for help, so that we can all learn and improve together. Remarks like yours, such as "Why use a firewall at all if you don't need to?", are what people don't want to hear. Why say something useless for no reason!!? Of course I'm only speaking about the question I posted, but I've also seen you treat other ROS enthusiasts the same way.

Compared with windowsxp2000, the moderator over at www.routerbbs.com, it makes you sigh!!

bullfog6 posted on 2007-9-12 11:36:31

Why talk back to the moderator for no reason, heh heh :lol :lol

a249424746 posted on 2007-9-12 11:42:15

Newbies know no fear

a123123 posted on 2007-9-12 14:18:34

You won't want to hear this

Common sense

add chain=forward protocol=tcp dst-port=445 action=drop comment="" disabled=no

It's not just online banking that won't work

Sigh, if you don't understand something, be a bit humble; nobody is obliged to be nice to anyone!!!!

tpy372 posted on 2007-9-13 02:00:03

The poster above has more patience...
The moderator is right: why use a firewall if you don't need to. And you're misusing the rules...
My advice to newbies: if you don't understand a rule, better not write it..

hfwangfei posted on 2007-9-24 12:39:04

Finally got an answer: after more than a month, it turned out not to be the firewall