madlife posted on 2005-3-18 10:51:45
This is my /ip firewall rule input print:

 > /ip firewall rule input print
 Flags: X - disabled, I - invalid, D - dynamic
 0-2  (rules 0-2 are ones I added with a few fixed IPs for managing ROS)
 3    ;;; Drop invalid connections
      connection-state=invalid action=drop
 4    ;;; Accept established connections syn
      tcp-options=non-syn-only connection-state=established action=accept
 5    ;;; Accept related connections
      connection-state=related action=accept
 6    ;;; virus\Drop Blaster Worm
      dst-address=:135-139 protocol=tcp action=drop
 7    ;;; Drop Messenger Worm
      dst-address=:135-139 protocol=udp action=drop
 8    ;;; Drop Blaster Worm
      dst-address=:445 protocol=tcp action=drop
 9    dst-address=:445 protocol=udp action=drop
 10   ;;; UDP
      protocol=udp action=accept
 11 X ;;; drop icmp
      src-address=!192.168.0.0/24 protocol=icmp action=drop
 12   ;;; Allow limited pings ,
      protocol=icmp limit-count=50 limit-burst=2 limit-time=5s action=accept
 13   ;;; Drop excess pings
      protocol=icmp action=drop
 14   dst-address=:21 protocol=tcp action=accept
 15   dst-address=:23 protocol=tcp action=accept
 16   dst-address=:80 protocol=tcp action=accept
 17   dst-address=:3987 protocol=tcp action=accept
 18 X dst-address=:4899 protocol=tcp action=accept
      (this one: after I set up port mapping, it still works with this rule disabled)
 19 X ;;; syn ddos
      protocol=tcp tcp-options=syn-only limit-count=3000 limit-burst=2 limit-time=5s action=accept
 20 X protocol=tcp tcp-options=syn-only action=reject
      (I disabled these two; they felt somewhat redundant with my firewall approach (the official one). They were taken from this forum.)
 21   ;;; drop
      src-address=!192.168.0.0/24 action=drop
 22 X ;;; From zx network
      src-address=192.168.0.0/24 action=accept
 23 X ;;; Log and drop everything else
      action=drop log=yes

(Rules 22-23 follow the official example, but I think rule 21 alone is enough. Maybe the official way performs a bit better; that could come down to the algorithm, even though logically they are the same, just like in programming where addition is sometimes more efficient than multiplication even though multiplication looks more concise, heh, this is only a guess.)

madlife posted on 2005-3-18 11:05:06

 MikroTik RouterOS 2.8.18 (c) 1999-2004 http://www.mikrotik.com/
 Terminal vt102 detected, using multiline input mode
 > /ip firewall rule
 forward  input  output
 > /ip firewall rule forward print
 Print values of item properties in different formats.
   brief           Displays brief description
   bytes           Print bytes' counters
   count-only      Shows only the count of rules
   detail          Displays detailed information
   file            Print the content of the submenu into specific file
   from            Rule number obtained from print command
   interval        Displays information and refreshes it in selected time interval
   packets         Print packets' counters
   without-paging  Displays information in one piece
 > /ip firewall rule forward print
 Flags: X - disabled, I - invalid, D - dynamic
 0    ;;; Drop invalid connections
      connection-state=invalid action=drop
 1    ;;; Established connections
      connection-state=established action=accept
 2    ;;; Related connections
      connection-state=related action=accept
 3    ;;; Drop Blaster Worm
      dst-address=:135-139 protocol=tcp action=drop log=yes
 4    ;;; Drop Messenger Worm
      dst-address=:135-139 protocol=udp action=drop
 5    ;;; Drop Blaster Worm
      dst-address=:445 protocol=tcp action=drop log=yes
 6    dst-address=:445 protocol=udp action=drop log=yes
 7    ;;; virus
      dst-address=:5354 protocol=tcp action=drop
 8    ;;; UDP
      protocol=udp action=accept
 9    ;;; Allow limited pings
      protocol=icmp limit-count=50 limit-burst=2 limit-time=5s action=accept
 10   ;;; Drop excess pings
      protocol=icmp action=drop
 11   ;;; www.qq.com
      content=www.qq.com action=drop
 12   ;;; www.168tom.com
      content=www.168tom.com action=drop
 13 X ;;; p2p p2p
      p2p=all-p2p action=drop

After enabling rule 13, BT could no longer download; since my BT downloads don't affect my network, I left it alone.
Mine is only a very simple setup, because the users on my network are simple; for protection against viruses I added a few rules myself. I have very few other uses, such as VPN or authentication, which I don't need for now.
But this forum's material is very complete. In my learning and trials, the content from the forum basically all worked; when something didn't, understanding it myself or asking a question basically solved it. Some things I didn't understand, and that's because my networking fundamentals aren't good enough. To become an expert you need some understanding of protocols such as TCP, of Unix, Linux and so on, and of network architecture. RouterOS is after all just a piece of software; I think my current knowledge is enough to handle my own needs. If some new need comes up, searching the old posts here usually solves the problem. Heh, and there are our enthusiastic moderators and fellow members....

madlife posted on 2005-3-18 11:06:30
For the output chain I'll just type it by hand; it's one line:
 protocol=tcp tcp-options=syn-only action=drop log=yes
log=yes can also be left out.

madlife posted on 2005-3-18 11:08:05
Ugh, how did I end up posting with a title like that? I meant to write "Sharing my firewall, after getting a basic understanding of firewalls".
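The first post asks whether rule 21 (drop anything not from 192.168.0.0/24) alone is equivalent to the official rules 22-23 (accept the LAN, then drop everything else). The following first-match model of that input chain is an added example for this thread, not code from the post or from MikroTik; the chain policy of accept for unmatched packets, the packet field names and the sample addresses are assumptions, and the limit-*, tcp-options and some port rules are left out.

```python
import ipaddress
# Added illustration for this thread, not RouterOS code: a first-match model of the poster's
# "input" chain from rule 3 on (some port rules, limit-* and tcp-options left out).
INPUT_CHAIN = [  # (enabled, matchers, action); ports are inclusive (lo, hi) ranges
    (True, {"connection-state": "invalid"}, "drop"),
    (True, {"connection-state": "established"}, "accept"),
    (True, {"connection-state": "related"}, "accept"),
    (True, {"protocol": "tcp", "dst-port": (135, 139)}, "drop"),   # Blaster worm
    (True, {"protocol": "udp", "dst-port": (135, 139)}, "drop"),   # Messenger worm
    (True, {"protocol": "tcp", "dst-port": (445, 445)}, "drop"),
    (True, {"protocol": "udp"}, "accept"),
    (True, {"protocol": "icmp"}, "accept"),                        # "limited pings", limit not modelled
    (True, {"protocol": "tcp", "dst-port": (80, 80)}, "accept"),
    (True, {"src-address": "!192.168.0.0/24"}, "drop"),           # rule 21
    (False, {"src-address": "192.168.0.0/24"}, "accept"),          # rule 22, disabled
    (False, {}, "drop"),                                           # rule 23, disabled
]

def pkt(src, proto, port=0, state="new"):  # constructed sample packet (assumed field names)
    return {"src-address": src, "protocol": proto, "dst-port": port, "connection-state": state}

def matches(matchers, packet):
    """True when every matcher of the rule agrees with the packet."""
    for key, want in matchers.items():
        if key == "dst-port":
            if not want[0] <= packet["dst-port"] <= want[1]:
                return False
        elif key == "src-address":
            negate = want.startswith("!")
            inside = ipaddress.ip_address(packet[key]) in ipaddress.ip_network(want.lstrip("!"))
            if inside == negate:   # "!net" matches outside the net, "net" matches inside
                return False
        elif packet.get(key) != want:
            return False
    return True

def verdict(chain, packet):
    """First enabled matching rule decides; with no match the chain policy (assumed accept) applies."""
    for index, (enabled, matchers, action) in enumerate(chain):
        if enabled and matches(matchers, packet):
            return action, index
    return "accept", None

def official_variant(chain):
    """The poster's alternative: rule 21 disabled, rules 22-23 enabled (last three entries)."""
    return chain[:-3] + [(flag,) + rule[1:] for flag, rule in zip((False, True, True), chain[-3:])]

def same_verdicts(packets):
    """Do the posted chain and the official variant decide every packet the same way?"""
    alt = official_variant(INPUT_CHAIN)
    return all(verdict(INPUT_CHAIN, p)[0] == verdict(alt, p)[0] for p in packets)
```

Running a mixed set of sample packets through both chains shows the same verdicts, which matches the poster's reasoning; the difference is only that the official ending leaves no packet to fall through to the chain policy.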