yasy posted on 2005-3-12 10:48:19

CODE
# firewall
/ip firewall rule forward
add dst-address=:137-139 protocol=tcp action=drop comment="" disabled=no
add dst-address=:137-139 protocol=udp action=drop comment="" disabled=no
add protocol=tcp tcp-options=non-syn-only connection-state=established \
    action=accept comment="Established TCP connections." disabled=no
add protocol=tcp tcp-options=non-syn-only connection-state=related \
    action=accept comment="Related TCP connections" disabled=no
add dst-address=:135-139 protocol=tcp action=drop comment="Drop Blaster Worm." disabled=no
add dst-address=:445 protocol=tcp action=drop comment="Drop Blaster Worm" disabled=no
add dst-address=:135-139 protocol=udp action=drop comment="Drop Messenger Worm" disabled=no
add protocol=udp action=accept comment="UDP" disabled=no
add protocol=icmp limit-count=100 limit-burst=2 limit-time=5s action=accept \
    comment="Allow limited pings" disabled=no
add protocol=icmp action=drop comment="Drop excess pings" disabled=no
add dst-address=:22 protocol=tcp action=accept comment="SSH for demo purposes" disabled=no
add dst-address=:23 protocol=tcp action=accept comment="Telnet for demo purposes" disabled=no
add dst-address=:80 protocol=tcp action=accept comment="http for demo purposes" disabled=no
add dst-address=:3987 protocol=tcp action=accept comment="winbox for demo purposes" disabled=no
add action=drop log=yes comment="Log and drop everything else" disabled=no
# The five rules below come after the unconditional drop above, so the forward
# chain never evaluates them.
add p2p=all-p2p action=drop comment="" disabled=no
add dst-address=:5354 protocol=tcp action=drop comment="" disabled=no
add dst-address=:135-139 protocol=tcp action=drop log=yes comment="" disabled=no
add dst-address=:445 protocol=tcp action=drop log=yes comment="" disabled=no
add dst-address=:445 protocol=udp action=drop log=yes comment="" disabled=no

/ip firewall rule input
add protocol=tcp tcp-options=non-syn-only connection-state=established \
    action=accept comment="Established TCP connections." disabled=no
add protocol=tcp tcp-options=non-syn-only connection-state=related \
    action=accept comment="Related TCP connections" disabled=no
add dst-address=:135-139 protocol=tcp action=drop comment="Drop Blaster Worm." disabled=no
add dst-address=:445 protocol=tcp action=drop comment="Drop Blaster Worm" disabled=no
add dst-address=:135-139 protocol=udp action=drop comment="Drop Messenger Worm" disabled=no
add protocol=udp action=accept comment="UDP" disabled=no
add protocol=icmp limit-count=100 limit-burst=2 limit-time=5s action=accept \
    comment="Allow limited pings" disabled=no
add protocol=icmp action=drop comment="Drop excess pings" disabled=no
add dst-address=:22 protocol=tcp action=accept comment="SSH for demo purposes" disabled=no
add dst-address=:23 protocol=tcp action=accept comment="Telnet for demo purposes" disabled=no
add dst-address=:80 protocol=tcp action=accept comment="http for demo purposes" disabled=no
add dst-address=:3987 protocol=tcp action=accept comment="winbox for demo purposes" disabled=no
add src-address=10.0.0.0/8 action=accept comment="From Mikrotikls network" disabled=no

# deny qq
# Every policy below is a catch-all source (0.0.0.0/0) to one /24 of destinations.
# Note that 218.18.95.0/24 appears twice (once action=drop, later action=encrypt)
# and 202.104.129.0/24 appears twice (both action=drop).
/ip ipsec policy
add src-address=0.0.0.0/0:any dst-address=219.133.40.0/24:any protocol=all \
    action=drop level=require ipsec-protocols=esp tunnel=yes \
    sa-src-address=0.0.0.0 sa-dst-address=0.0.0.0 proposal=default \
    manual-sa=none dont-fragment=clear disabled=no
add src-address=0.0.0.0/0:any dst-address=61.152.100.0/24:any protocol=all \
    action=drop level=require ipsec-protocols=esp tunnel=yes \
    sa-src-address=0.0.0.0 sa-dst-address=0.0.0.0 proposal=default \
    manual-sa=none dont-fragment=clear disabled=no
add src-address=0.0.0.0/0:any dst-address=219.133.41.0/24:any protocol=all \
    action=drop level=require ipsec-protocols=esp tunnel=yes \
    sa-src-address=0.0.0.0 sa-dst-address=0.0.0.0 proposal=default \
    manual-sa=none dont-fragment=clear disabled=no
add src-address=0.0.0.0/0:any dst-address=61.144.238.0/24:any protocol=all \
    action=drop level=require ipsec-protocols=esp tunnel=yes \
    sa-src-address=0.0.0.0 sa-dst-address=0.0.0.0 proposal=default \
    manual-sa=none dont-fragment=clear disabled=no
add src-address=0.0.0.0/0:any dst-address=202.104.129.0/24:any protocol=all \
    action=drop level=require ipsec-protocols=esp tunnel=yes \
    sa-src-address=0.0.0.0 sa-dst-address=0.0.0.0 proposal=default \
    manual-sa=none dont-fragment=clear disabled=no
add src-address=0.0.0.0/0:any dst-address=61.141.194.0/24:any protocol=all \
    action=drop level=require ipsec-protocols=esp tunnel=yes \
    sa-src-address=0.0.0.0 sa-dst-address=0.0.0.0 proposal=default \
    manual-sa=none dont-fragment=clear disabled=no
add src-address=0.0.0.0/0:any dst-address=218.17.209.0/24:any protocol=all \
    action=drop level=require ipsec-protocols=esp tunnel=yes \
    sa-src-address=0.0.0.0 sa-dst-address=0.0.0.0 proposal=default \
    manual-sa=none dont-fragment=clear disabled=no
add src-address=0.0.0.0/0:any dst-address=218.18.95.0/24:any protocol=all \
    action=drop level=require ipsec-protocols=esp tunnel=yes \
    sa-src-address=0.0.0.0 sa-dst-address=0.0.0.0 proposal=default \
    manual-sa=none dont-fragment=clear disabled=no
add src-address=0.0.0.0/0:any dst-address=202.96.170.0/24:any protocol=all \
    action=drop level=require ipsec-protocols=esp tunnel=yes \
    sa-src-address=0.0.0.0 sa-dst-address=0.0.0.0 proposal=default \
    manual-sa=none dont-fragment=clear disabled=no
add src-address=0.0.0.0/0:any dst-address=202.103.190.0/24:any protocol=all \
    action=drop level=require ipsec-protocols=esp tunnel=yes \
    sa-src-address=0.0.0.0 sa-dst-address=0.0.0.0 proposal=default \
    manual-sa=none dont-fragment=clear disabled=no
add src-address=0.0.0.0/0:any dst-address=202.103.149.0/24:any protocol=all \
    action=encrypt level=require ipsec-protocols=esp tunnel=yes \
    sa-src-address=0.0.0.0 sa-dst-address=0.0.0.0 proposal=default \
    manual-sa=none dont-fragment=clear disabled=no
add src-address=0.0.0.0/0:any dst-address=218.18.95.0/24:any protocol=all \
    action=encrypt level=require ipsec-protocols=esp tunnel=yes \
    sa-src-address=0.0.0.0 sa-dst-address=0.0.0.0 proposal=default \
    manual-sa=none dont-fragment=clear disabled=no
add src-address=0.0.0.0/0:any dst-address=61.135.131.0/24:any protocol=all \
    action=drop level=require ipsec-protocols=esp tunnel=yes \
    sa-src-address=0.0.0.0 sa-dst-address=0.0.0.0 proposal=default \
    manual-sa=none dont-fragment=clear disabled=no
add src-address=0.0.0.0/0:any dst-address=216.239.33.0/24:any protocol=all \
    action=drop level=require ipsec-protocols=esp tunnel=yes \
    sa-src-address=0.0.0.0 sa-dst-address=0.0.0.0 proposal=default \
    manual-sa=none dont-fragment=clear disabled=no
add src-address=0.0.0.0/0:any dst-address=202.104.129.0/24:any protocol=all \
    action=drop level=require ipsec-protocols=esp tunnel=yes \
    sa-src-address=0.0.0.0 sa-dst-address=0.0.0.0 proposal=default \
    manual-sa=none dont-fragment=clear disabled=no

hzkane posted on 2005-3-12 11:28:46

I have done a similar experiment. My feeling is that the QQ-blocking feature is still unsatisfactory; it lacks application-layer capability. I once tried blocking QQ for a single IP and found it did not work... It is nowhere near as convenient as cutting a single IP off from the internet.

yasy posted on 2005-3-12 17:42:00

Here it is blocked tight, unless a proxy is used, and the students are not yet clever enough to go looking for a proxy. The principle: use IPSEC to DROP all of the QQ service's servers. I tried it in several computer labs without problems; during class you no longer see students on QQ.
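
An added example (the editor's, not code from yasy's post or from MikroTik) for the config posted above and the IPsec-drop principle described here: a small linter for a RouterOS 2.x export. It parses the `add key=value ...` statements (the excerpts embedded below are constructed from the posted config, not a full copy, and the SA/proposal fields are omitted), flags rules that sit after an unconditional terminal rule and are therefore never evaluated, reports destination networks that appear in more than one IPsec policy, and answers whether a given destination would be dropped. Two assumptions of the example, not statements of the thread: the policy list is evaluated first-match in export order, and a rule carrying no matcher beyond action/log/comment/disabled is treated as a catch-all.

```python
"""Lint a RouterOS 2.x firewall/IPsec export for shadowed rules and duplicate policies.

Editor's example. The excerpts below are constructed from the posted config,
not a full copy of it.
"""
import ipaddress
import shlex

# Constructed excerpt of the forward chain, in export order (continuation lines kept).
FORWARD_RULES = """
add protocol=tcp tcp-options=non-syn-only connection-state=established \\
    action=accept comment="Established TCP connections." disabled=no
add dst-address=:135-139 protocol=tcp action=drop comment="Drop Blaster Worm." disabled=no
add dst-address=:22 protocol=tcp action=accept comment="SSH for demo purposes" disabled=no
add action=drop log=yes comment="Log and drop everything else" disabled=no
add p2p=all-p2p action=drop comment="" disabled=no
add dst-address=:445 protocol=tcp action=drop log=yes comment="" disabled=no
"""

# Constructed excerpt of the IPsec policy list (SA and proposal fields omitted).
IPSEC_POLICIES = """
add src-address=0.0.0.0/0:any dst-address=219.133.40.0/24:any protocol=all action=drop disabled=no
add src-address=0.0.0.0/0:any dst-address=218.18.95.0/24:any protocol=all action=drop disabled=no
add src-address=0.0.0.0/0:any dst-address=202.103.149.0/24:any protocol=all action=encrypt disabled=no
add src-address=0.0.0.0/0:any dst-address=218.18.95.0/24:any protocol=all action=encrypt disabled=no
add src-address=0.0.0.0/0:any dst-address=202.104.129.0/24:any protocol=all action=drop disabled=no
add src-address=0.0.0.0/0:any dst-address=202.104.129.0/24:any protocol=all action=drop disabled=no
"""

# Keys that never narrow a match; a rule carrying only these matches every packet (assumption).
NON_MATCH_KEYS = {"action", "comment", "disabled", "log"}
# Actions that end evaluation of the chain for a matching packet.
TERMINAL_ACTIONS = {"accept", "drop", "reject"}


def _logical_lines(text):
    """Join backslash-continued export lines back into single statements."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        yield buf + line
        buf = ""


def parse_adds(text):
    """Parse `add k=v k=v ...` statements into dicts; shlex keeps quoted comments intact."""
    rules = []
    for line in _logical_lines(text):
        tokens = shlex.split(line)
        if tokens and tokens[0] == "add":
            rules.append(dict(tok.partition("=")[::2] for tok in tokens[1:]))
    return rules


def shadowed_rules(rules):
    """Indexes of enabled rules placed after an enabled catch-all with a terminal action."""
    shadowed, catch_all_seen = [], False
    for i, rule in enumerate(rules):
        if rule.get("disabled") == "yes":
            continue
        if catch_all_seen:
            shadowed.append(i)
        elif set(rule) <= NON_MATCH_KEYS and rule.get("action") in TERMINAL_ACTIONS:
            catch_all_seen = True
    return shadowed


def policy_network(policy):
    """dst-address is exported as `network/prefix:port`; return just the network."""
    return ipaddress.ip_network(policy["dst-address"].rsplit(":", 1)[0], strict=False)


def ipsec_verdict(policies, dst_ip):
    """Action of the first enabled policy covering dst_ip, or None (assumes first-match order)."""
    ip = ipaddress.ip_address(dst_ip)
    for policy in policies:
        if policy.get("disabled") != "yes" and ip in policy_network(policy):
            return policy["action"]
    return None


def duplicate_policies(policies):
    """Networks listed more than once, mapped to [(index, action), ...] in export order."""
    by_net = {}
    for i, policy in enumerate(policies):
        by_net.setdefault(str(policy_network(policy)), []).append((i, policy["action"]))
    return {net: hits for net, hits in by_net.items() if len(hits) > 1}


if __name__ == "__main__":
    fw = parse_adds(FORWARD_RULES)
    for i in shadowed_rules(fw):
        print(f"forward rule {i} is unreachable: {fw[i].get('comment') or fw[i]}")
    pol = parse_adds(IPSEC_POLICIES)
    for net, hits in duplicate_policies(pol).items():
        print(f"{net} listed {len(hits)} times: {hits}")
    for ip in ("219.133.40.5", "218.18.95.1", "8.8.8.8"):
        print(ip, "->", ipsec_verdict(pol, ip))
```

Run against the full export the same way: paste each section into its own string. On the posted config the forward-chain check reports the five rules after "Log and drop everything else", and the policy check reports 218.18.95.0/24 (drop, then encrypt) and 202.104.129.0/24 (drop twice); the duplicate with a differing action is the one worth a second look, because only the first entry ever decides.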

goodfellow posted on 2005-3-13 09:25:41

QUOTE (yasy @ Mar 12 2005, 10:48 AM)
add protocol=tcp tcp-options=non-syn-only connection-state=established \
    action=accept comment="Established TCP connections." disabled=no
add protocol=tcp tcp-options=non-syn-only connection-state=related \
    action=accept comment="Related TCP connections" disabled=no
add protocol=icmp limit-count=100 limit-burst=2 limit-time=5s action=accept \
    comment="Allow limited pings" disabled=no
add protocol=icmp action=drop comment="Drop excess pings" disabled=no
Could you explain in a bit more detail what these commands mean?

madlife posted on 2005-3-31 17:13:53

This QQ block is much better than the one in the Digest section; the one in the Digest does not work.

jack_i5 posted on 2005-3-31 17:18:55

Tencent's server farm keeps growing, so this list needs constant updating and refinement to keep working. Also: have you blocked QQ Games?

madlife posted on 2005-4-1 08:36:44

Here we only have people sneaking onto QQ; nobody openly plays QQ Games, Bianfeng or Lianzhong during working hours, so I have not bothered with QQ Games. A question: which package provides the ip ipsec policy function? On a machine where I installed everything, the function is there. On another machine I installed only system, adv-tool, ppp and dhcp, nothing else, and there is no ip ipsec policy. That machine is pretty junk, so I installed as few packages as I could. Could you explain what the ip ipsec policy function does?

madlife posted on 2005-4-1 08:46:19

security is for establishing secure connections: ipsec, ssh. I tried it in a virtual machine, and it turns out the ipsec prompt appears as soon as you select security. Looks like from now on even a minimal install has to include system, adv-tool, dhcp, whatever the internet-access method needs, and security.

zhgx posted on 2005-4-1 09:58:00

Done this way, the administrator can hardly get onto QQ either. How do you leave yourself a way through?

madlife posted on 2005-4-1 14:11:52

QUOTE (zhgx @ Apr 1 2005, 09:58 AM)
Done this way, the administrator can hardly get onto QQ either. How do you leave yourself a way through?
Heh, I run a proxy for myself on a colocated server.

yasy posted on 2005-4-3 07:54:22

One clarification: this IPsec approach cannot block members (QQ members). The students have got smarter; a few days ago I found students using it in the lab again. I hear ISA 2004 can block it, but I do not yet know how. A single lab is easier to manage: use an Active Directory software restriction policy so that students cannot install or launch the QQ software, and that is enough.

madlife posted on 2005-4-3 16:40:28

QUOTE (yasy @ Apr 3 2005, 07:54 AM)
One clarification: this IPsec approach cannot block members (QQ members). The students have got smarter; a few days ago I found students using it in the lab again. I hear ISA 2004 can block it, but I do not yet know how. A single lab is easier to manage: use an Active Directory software restriction policy so that students cannot install or launch the QQ software, and that is enough.
Block members?? What do you mean by members? How do your students get online? Are they using a proxy?
View full version: Take a look at my firewall and QQ-blocking settings