官方防火墙脚本?
H3C ER5100路由器中有安全相关的设置如下:状态数据包检查
防止TCP sync扫描
防止Stealth FIN扫描
防止Xmas Tree扫描
防止Null扫描
防止UDP扫描功能
防止Land 攻击功能
防止Smurf攻击功能
防止WinNuke攻击功能
防止Ping of Death攻击
防止SYN Flood攻击功能
防止UDP Flood攻击功能
防止ICMP Flood攻击功能
防止IP Spoofing功能
防止碎片包攻击
防止TearDrop攻击
防止Fraggle攻击功能
routeros使用官方的防火墙脚本,能不能防止H3C路由器提到的攻击???
/ ip firewall filter
add chain=input connection-state=invalid action=drop \
comment="丢弃非法连接数据" disabled=no
/ip firewall filter
add action=drop chain=forward comment="机器狗目标地址过滤" disabled=no dst-address-list=Robotdog
add action=jump chain=forward comment="跳转机器狗过域名滤规则" disabled=no jump-target=Robotdog
add chain=input protocol=tcp dst-port=80 connection-limit=20,0 action=drop \
comment="限制总http连接数为20" disabled=no
add chain=input protocol=tcp psd=21,3s,3,1 action=drop \
comment="探测并丢弃端口扫描连接" disabled=no
add chain=input protocol=tcp connection-limit=3,32 src-address-list=black_list \
action=tarpit comment="压制DoS攻击" disabled=no
add chain=input protocol=tcp connection-limit=10,32 \
action=add-src-to-address-list address-list=black_list \
address-list-timeout=1d comment="探测DoS攻击" disabled=no
add chain=input dst-address-type=!local action=drop comment="丢弃掉非本地数据" \
disabled=no
add chain=input protocol=icmp action=jump jump-target=ICMP \
comment="跳转到ICMP链表" disabled=no
add chain=ICMP protocol=icmp icmp-options=0:0-255 limit=5,5 action=accept \
comment="Ping应答限制为每秒5个包" disabled=no
add chain=ICMP protocol=icmp icmp-options=3:3 limit=5,5 action=accept \
comment="Traceroute限制为每秒5个包" disabled=no
add chain=ICMP protocol=icmp icmp-options=3:4 limit=5,5 action=accept \
comment="MTU线路探测限制为每秒5个包" disabled=no
add chain=ICMP protocol=icmp icmp-options=8:0-255 limit=5,5 action=accept \
comment="Ping请求限制为每秒5个包" disabled=no
add chain=ICMP protocol=icmp icmp-options=11:0-255 limit=5,5 action=accept \
comment="Trace TTL限制为每秒5个包" disabled=no
add chain=ICMP protocol=icmp action=drop comment="丢弃掉任何ICMP数据" \
disabled=no
add chain=forward connection-state=invalid action=drop \
comment="丢弃非法数据包" disabled=no
add chain=forward protocol=tcp connection-limit=80,32 action=drop \
comment="限制每个主机TCP连接数为80条" disabled=no
add chain=forward src-address-type=!unicast action=drop \
comment="丢弃掉所有非单播数据" disabled=no
add chain=forward protocol=icmp action=jump jump-target=ICMP \
comment="跳转到ICMP链表" disabled=no
add chain=forward action=jump jump-target=virus comment="跳转到病毒链表" \
disabled=no 碰到大型的DDOS,ISP也怕
页:
[1]