madlife posted on 2005-2-23 14:00:28
Could someone post a RouterOS (ROS) firewall configuration for use in an internet cafe? I want to switch the cafe's proxy over to ROS, but I don't know how to set up the ROS firewall. After reading the forum for a few days, it seems that without a firewall ROS has serious security problems. Could anyone share the firewall configuration you use with ROS in your internet cafe?? Thanks.

liu00901 posted on 2005-2-23 14:36:40
!! My firewall !!!! (still being tuned; the CPU clock speed has to be taken into account)
Router IP: 192.168.0.125
WAN IP: XXX.XXX.XXX.XXX

ip firewall rule input
add connection-state=invalid action=drop comment="Drop invalid connections"
add protocol=tcp tcp-options=non-syn-only connection-state=established action=accept comment="Established TCP connections"
add connection-state=related action=accept comment="Related connections"
add dst-address=:22-52 protocol=tcp action=drop
add dst-address=:22-52 protocol=udp action=drop
add dst-address=:69 protocol=tcp action=drop
add dst-address=:69 protocol=udp action=drop
add dst-address=:134-139 protocol=tcp action=drop
add dst-address=:134-139 protocol=udp action=drop
add dst-address=:445 protocol=tcp action=drop
add dst-address=:445 protocol=udp action=drop
add dst-address=:554 protocol=tcp action=drop
add dst-address=:554 protocol=udp action=drop
add dst-address=:593 protocol=tcp action=drop
add dst-address=:593 protocol=udp action=drop
add dst-address=:1025 protocol=tcp action=drop
add dst-address=:1025 protocol=udp action=drop
add dst-address=:1068 protocol=tcp action=drop
add dst-address=:1068 protocol=udp action=drop
add dst-address=:2000 protocol=tcp action=drop
add dst-address=:2000 protocol=udp action=drop
add dst-address=:3127-3198 protocol=tcp action=drop
add dst-address=:3127-3198 protocol=udp action=drop
add dst-address=:3389 protocol=tcp action=drop
add dst-address=:3389 protocol=udp action=drop
add dst-address=!192.168.0.0/24:3987 protocol=tcp action=drop comment="dont link me"
add dst-address=:4444 protocol=tcp action=drop
add dst-address=:4444 protocol=udp action=drop
add dst-address=:5354 protocol=tcp action=drop
add dst-address=:5354 protocol=udp action=drop
add dst-address=:5554 protocol=tcp action=drop
add dst-address=:5554 protocol=udp action=drop
add dst-address=:6881-6899 protocol=tcp action=drop comment="drop drop Bt download"
add dst-address=:6881-6899 protocol=udp action=drop comment="drop drop Bt download"
add dst-address=:8881-8899 protocol=tcp action=drop comment="drop drop Bt download"
add dst-address=:8881-8899 protocol=udp action=drop comment="drop drop Bt download"
add dst-address=:39213 protocol=tcp action=drop comment="drop worm"
add dst-address=:39213 protocol=tcp action=drop comment="drop worm"
add protocol=udp action=accept comment="udp"
add dst-address=XXX.XXX.XXX.XXX/32 protocol=icmp action=drop comment="don't ping me"
add protocol=icmp limit-count=50 limit-burst=2 limit-time=5s action=accept comment="allow limited pings" disabled=0
add src-address=192.168.0.0/24 dst-address=192.168.0.125/32 action=accept comment="from lan admin"
add action=drop log=yes comment="Log and drop everything else"

ip firewall rule forward (blocks certain website IPs)
add dst-address=:134-139 protocol=tcp action=drop
add dst-address=:134-139 protocol=tcp action=drop
add dst-address=:5678 protocol=udp action=drop
add dst-address=61.240.246.41/32 action=DROP comment="DROP WWW. CY07.COM"

madlife posted on 2005-3-1 10:15:38
Is anyone else going to post? Thanks to the poster above first. Below is mine; it's very simple, this is all I know:
0-5 allow control from a few fixed external IPs
6 src-address=!192.168.0.0/24 protocol=icmp action=drop
7 src-address=!192.168.0.0/24 action=drop
8 dst-address=:135-139 protocol=tcp action=drop
9 dst-address=:135-139 protocol=udp action=drop
10 dst-address=:445 protocol=udp action=drop
(set only in the input chain under rule)
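Both rule lists in this thread were typed by hand and pasted as a single run of text, which is exactly how mistyped keys, duplicated lines and rules placed after a catch-all accept or drop creep in unnoticed. The following linter is an added example and is not code from either poster or from MikroTik: it parses "ip firewall rule <chain>" blocks in the 2.x "add key=value ..." syntax used above, then reports unknown keys, invalid values for the few keys whose value sets are well known, exact duplicates, and rules that can never be reached because an earlier rule in the chain already matches all traffic of that protocol. The set of known keys and valid values is an assumption (a subset of the 2.x syntax seen here), and the sample rule list is a constructed excerpt modelled on the posts, with the typos left in on purpose so the checks have something to find.

```python
import re
from collections import Counter

# Keys accepted in a RouterOS 2.x "ip firewall rule" entry (assumed subset,
# taken from the syntax used in this thread).
KNOWN_KEYS = {
    "src-address", "dst-address", "protocol", "action", "comment",
    "connection-state", "tcp-options", "limit-count", "limit-burst",
    "limit-time", "log", "disabled", "in-interface", "out-interface",
}
# Value sets we are confident about; anything else is left unchecked.
VALID_VALUES = {
    "tcp-options": {"any", "syn-only", "non-syn-only"},
    "connection-state": {"invalid", "established", "related", "new"},
    "action": {"accept", "drop", "reject", "jump", "return", "passthrough"},
}
# Keys that do not narrow which packets a rule matches.
NON_MATCH_KEYS = {"action", "comment", "log", "disabled", "protocol"}

TOKEN_RE = re.compile(r'([\w-]+)=("[^"]*"|\S+)')
CHAIN_RE = re.compile(r"ip firewall rule (\w+)")

# Constructed excerpt modelled on the rule lists in this thread (not a real config).
SAMPLE = """
ip firewall rule input
add connection-state=invalid action=drop comment="Drop invalid connections"
add protocol=tcp tcp-options=no-sys-only connection-state=established action=accept comment="Established TCP connections"
add connection-state=related action=accept comment="Related connections"
add dst-address=:1068 protocol=tcp action=drop
add det-address=:1068 protocol=udp action=drop
add dst-address=:3389 protocol=tcp action=drop
add dst-address=:3389 protocpl=udp action=drop
add dst-address=:39213 protocol=tcp action=drop comment="drop worm"
add dst-address=:39213 protocol=tcp action=drop comment="drop worm"
add protocol=udp action=accept comment="udp"
add dst-address=:5678 protocol=udp action=drop
add action=drop log=yes comment="Log and drop everything else"
add src-address=192.168.0.0/24 action=accept comment="from lan admin"
"""


def parse_rule(line):
    """Turn one 'add key=value ...' line into a dict; None if it is not an add line."""
    line = line.strip()
    if not line.startswith("add "):
        return None
    return {key: val.strip('"') for key, val in TOKEN_RE.findall(line[4:])}


def parse_chains(text):
    """Group rules by the 'ip firewall rule <chain>' header that precedes them."""
    chains, current = {}, None
    for raw in text.splitlines():
        m = CHAIN_RE.match(raw.strip())
        if m:
            current = m.group(1)
            chains.setdefault(current, [])
            continue
        rule = parse_rule(raw)
        if rule is not None and current is not None:
            chains[current].append(rule)
    return chains


def lint_chain(name, rules):
    """Return (chain, index, message) findings for one chain, in rule order."""
    findings, seen, catch_all = [], Counter(), {}
    for idx, r in enumerate(rules):
        for k in sorted(set(r) - KNOWN_KEYS):
            findings.append((name, idx, f"unknown key '{k}'"))
        for k, allowed in VALID_VALUES.items():
            if k in r and r[k].lower() not in allowed:
                findings.append((name, idx, f"invalid value '{r[k]}' for {k}"))
        sig = tuple(sorted(r.items()))
        seen[sig] += 1
        if seen[sig] > 1:
            findings.append((name, idx, "duplicate of an earlier rule"))
        proto = r.get("protocol", "any")
        # A rule is shadowed if an earlier rule already terminated all traffic
        # of its protocol (or all traffic of any protocol).
        blocker = catch_all.get("any", catch_all.get(proto))
        if blocker is not None:
            label = "traffic" if proto == "any" else f"{proto} traffic"
            findings.append((name, idx, f"unreachable: rule {blocker} already matches all {label}"))
        elif not (set(r) - NON_MATCH_KEYS) and r.get("action", "").lower() in ("accept", "drop", "reject"):
            catch_all.setdefault(proto, idx)
    return findings


def lint(text):
    return [f for chain, rules in parse_chains(text).items() for f in lint_chain(chain, rules)]


if __name__ == "__main__":
    for chain, idx, msg in lint(SAMPLE):
        print(f"{chain}[{idx}]: {msg}")
```

Run it against a rule list exported from the router and the exact-duplicate and unreachable-rule checks are the ones worth acting on: a duplicate costs CPU on every packet for nothing (relevant to the "CPU clock speed" remark above), and an unreachable drop gives a false sense that a port is closed when an earlier accept already let it through.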