smile787 posted on 2004-12-8 20:26:58
I suggest that everyone not configure things the way the current official setup does~ CPU usage is too high, especially at a clock speed of around 200. If you have a clock speed of 1G or higher and a lot of memory, you could consider it~ The official settings, which I do not recommend, are as follows:

/ ip firewall
set input name="input" policy=accept comment=""
set forward name="forward" policy=accept comment=""
set output name="output" policy=accept comment=""
add name="virus" policy=none comment=""
/ ip firewall rule forward
add connection-state=invalid action=drop comment="Drop invalid connections" disabled=no
add connection-state=established action=accept comment="Established connections" disabled=no
add connection-state=related action=accept comment="Related connections" disabled=no
add action=jump jump-target=virus comment="!!! Check for well-known viruses !!!" disabled=no
add protocol=udp action=accept comment="UDP" disabled=no
add protocol=icmp limit-count=50 limit-burst=2 limit-time=5s action=accept comment="Allow limited pings" disabled=no
add protocol=icmp action=drop comment="Drop excess pings" disabled=no
/ ip firewall rule input
add connection-state=invalid action=drop comment="Drop invalid connections" disabled=no
add tcp-options=non-syn-only connection-state=established action=accept comment="Accept established connections" disabled=no
add connection-state=related action=accept comment="Accept related connections" disabled=no
add action=jump jump-target=virus comment="!!! Check for well-known viruses !!!" disabled=no
add protocol=udp action=accept comment="UDP" disabled=no
add protocol=icmp limit-count=50 limit-burst=2 limit-time=5s action=accept comment="Allow limited pings" disabled=no
add protocol=icmp action=drop comment="Drop excess pings" disabled=no
add dst-address=:22 protocol=tcp action=accept comment="SSH for demo purposes" disabled=no
add dst-address=:23 protocol=tcp action=accept comment="Telnet for demo purposes" disabled=no
add dst-address=:80 protocol=tcp action=accept comment="http for demo purposes" disabled=no
add dst-address=:3987 protocol=tcp action=accept comment="winbox for demo purposes" disabled=no
add src-address=159.148.172.192/28 action=accept comment="From Mikrotikls network" disabled=no
add src-address=10.0.0.0/8 action=accept comment="From Mikrotikls network" disabled=no
add action=drop log=yes comment="Log and drop everything else" disabled=no
/ ip firewall rule output
add protocol=tcp tcp-options=syn-only action=drop log=yes comment="" disabled=no
/ ip firewall rule virus
add dst-address=:135-139 protocol=tcp action=drop comment="Drop Blaster Worm" disabled=no
add dst-address=:135-139 protocol=udp action=drop comment="Drop Messenger Worm" disabled=no
add dst-address=:445 protocol=tcp action=drop comment="Drop Blaster Worm" disabled=no
add dst-address=:445 protocol=udp action=drop comment="Drop Blaster Worm" disabled=no
add dst-address=:593 protocol=tcp action=drop comment="________" disabled=no
add dst-address=:1024-1030 protocol=tcp action=drop comment="________" disabled=no
add dst-address=:1080 protocol=tcp action=drop comment="Drop MyDoom" disabled=no
add dst-address=:1214 protocol=tcp action=drop comment="________" disabled=no
add dst-address=:1363 protocol=tcp action=drop comment="ndm requester" disabled=no
add dst-address=:1364 protocol=tcp action=drop comment="ndm server" disabled=no
add dst-address=:1368 protocol=tcp action=drop comment="screen cast" disabled=no
add dst-address=:1373 protocol=tcp action=drop comment="hromgrafx" disabled=no
add dst-address=:1377 protocol=tcp action=drop comment="cichlid" disabled=no
add dst-address=:1433-1434 protocol=tcp action=drop comment="Worm" disabled=no
add dst-address=:2745 protocol=tcp action=drop comment="Bagle Virus" disabled=no
add dst-address=:2283 protocol=tcp action=drop comment="Drop Dumaru.Y" disabled=no
add dst-address=:2535 protocol=tcp action=drop comment="Drop Beagle" disabled=no
add dst-address=:2745 protocol=tcp action=drop comment="Drop Beagle.C-K" disabled=no
add dst-address=:3127-3128 protocol=tcp action=drop comment="Drop MyDoom" disabled=no
add dst-address=:3410 protocol=tcp action=drop comment="Drop Backdoor OptixPro" disabled=no
add dst-address=:4444 protocol=tcp action=drop comment="Worm" disabled=no
add dst-address=:4444 protocol=udp action=drop comment="Worm" disabled=no
add dst-address=:5554 protocol=tcp action=drop comment="Drop Sasser" disabled=no
add dst-address=:8866 protocol=tcp action=drop comment="Drop Beagle.B" disabled=no
add dst-address=:9898 protocol=tcp action=drop comment="Drop Dabber.A-B" disabled=no
add dst-address=:10000 protocol=tcp action=drop comment="Drop Dumaru.Y" disabled=no
add dst-address=:10080 protocol=tcp action=drop comment="Drop MyDoom.B" disabled=no
add dst-address=:12345 protocol=tcp action=drop comment="Drop NetBus" disabled=no
add dst-address=:17300 protocol=tcp action=drop comment="Drop Kuang2" disabled=no
add dst-address=:27374 protocol=tcp action=drop comment="Drop SubSeven" disabled=no
add dst-address=:65506 protocol=tcp action=drop comment="Drop PhatBot, Agobot, Gaobot" disabled=no

jk0wg posted on 2004-12-8 21:08:00
Support the OP~~
比目鱼 posted on 2004-12-8 22:37:39
Since you don't recommend the official configuration, could the OP recommend your own configuration??
harck posted on 2004-12-10 22:37:58
Mine is a P4 2.4C, so I'm not worried
sblive posted on 2004-12-10 22:38:44
I'm using a C667 + 64MB with the official configuration, and I haven't noticed anything
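Added example, not part of the thread and not MikroTik tooling: a small Python lint run over an excerpt of the "virus" chain from the first post. Rules in a chain are checked in order, so a rule whose protocol and port range are already covered by an earlier drop/accept rule can never match and only adds lookups. The function names are hypothetical, and the check assumes rules that match only on protocol and destination port, as in that chain.

```python
import re

# Excerpt of the "virus" chain from the first post, continuation lines joined.
VIRUS_CHAIN = """\
add dst-address=:135-139 protocol=tcp action=drop comment="Drop Blaster Worm" disabled=no
add dst-address=:1433-1434 protocol=tcp action=drop comment="Worm" disabled=no
add dst-address=:2745 protocol=tcp action=drop comment="Bagle Virus" disabled=no
add dst-address=:2283 protocol=tcp action=drop comment="Drop Dumaru.Y" disabled=no
add dst-address=:2745 protocol=tcp action=drop comment="Drop Beagle.C-K" disabled=no
add dst-address=:4444 protocol=tcp action=drop comment="Worm" disabled=no
add dst-address=:4444 protocol=udp action=drop comment="Worm" disabled=no
"""

TOKEN = re.compile(r'([\w-]+)=("[^"]*"|\S+)')
TERMINAL = {"drop", "accept"}  # actions that stop further rule evaluation


def parse_rule(line):
    """Turn one 'add key=value ...' line into a dict; quotes are stripped."""
    return {key: value.strip('"') for key, value in TOKEN.findall(line)}


def port_range(rule):
    """Return (low, high) for dst-address=:N or dst-address=:N-M."""
    spec = rule["dst-address"].rsplit(":", 1)[1]
    low, _, high = spec.partition("-")
    return int(low), int(high or low)


def find_shadowed(text):
    """Return (earlier, later) index pairs where the later rule is unreachable."""
    rules = [parse_rule(l) for l in text.splitlines() if l.startswith("add ")]
    hits = []
    for j, later in enumerate(rules):
        low2, high2 = port_range(later)
        for i, earlier in enumerate(rules[:j]):
            low1, high1 = port_range(earlier)
            if (earlier.get("disabled", "no") == "no"
                    and earlier["action"] in TERMINAL
                    and earlier["protocol"] == later["protocol"]
                    and low1 <= low2 and high2 <= high1):
                hits.append((i, j))
                break  # the first covering rule is enough
    return hits


if __name__ == "__main__":
    for earlier, later in find_shadowed(VIRUS_CHAIN):
        print(f"rule {later} is shadowed by rule {earlier}")
```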