smsgateway posted on 2005-9-24 22:31:00

(Help) Problems configuring router hot standby with RouterOS VRRP together with the firewall

I followed the VRRP tutorial and got the two-router hot standby working.
But after I imported my prepared firewall configuration, the VRRP hot standby stopped working (VRRP shows master on both machines).

My primary ROS IP is 192.168.1.2, the backup ROS IP is 192.168.1.3, and the virtual IP is 192.168.1.4.

The firewall rules are as follows (could the experts please help me find where the problem is):

/ ip firewall
set input name="input" policy=accept comment=""
set forward name="forward" policy=accept comment=""
set output name="output" policy=accept comment=""
add name="virus" policy=none comment=""
/ ip firewall rule forward
add connection-state=invalid action=drop comment="Drop invalid connections" \
disabled=no
add connection-state=established action=accept comment="Established \
connections" disabled=no
add connection-state=related action=accept comment="Related connections" \
disabled=no
add action=jump jump-target=virus comment="!!! Check for well-known viruses \
!!!" disabled=no
add protocol=udp action=accept comment="UDP" disabled=no
add protocol=icmp limit-count=50 limit-burst=2 limit-time=5s action=accept \
comment="Allow limited pings" disabled=no
add protocol=icmp action=drop comment="Drop excess pings" disabled=no
/ ip firewall rule input
add connection-state=invalid action=drop comment="Drop invalid connections" \
disabled=no
add tcp-options=non-syn-only connection-state=established action=accept \
comment="Accept established connections" disabled=no
add connection-state=related action=accept comment="Accept related \
connections" disabled=no
add action=jump jump-target=virus comment="!!! Check for well-known viruses \
!!!" disabled=no
add protocol=udp action=accept comment="UDP" disabled=no
add protocol=icmp limit-count=50 limit-burst=2 limit-time=5s action=accept \
comment="Allow limited pings" disabled=no
add protocol=icmp action=drop comment="Drop excess pings" disabled=no
add dst-address=:22 protocol=tcp action=accept comment="SSH for demo \
purposes" disabled=no
add dst-address=:23 protocol=tcp action=accept comment="Telnet for demo \
purposes" disabled=no
add dst-address=:80 protocol=tcp action=accept comment="http for demo \
purposes" disabled=no
add dst-address=:3987 protocol=tcp action=accept comment="winbox for demo \
purposes" disabled=no
add action=drop log=yes comment="Log and drop everything else" disabled=no
/ ip firewall rule virus
add dst-address=:135-139 protocol=tcp action=drop comment="Drop Blaster Worm" \
disabled=no
add dst-address=:135-139 protocol=udp action=drop comment="Drop Messenger \
Worm" disabled=no
add dst-address=:445 protocol=tcp action=drop comment="Drop Blaster Worm" \
disabled=no
add dst-address=:445 protocol=udp action=drop comment="Drop Blaster Worm" \
disabled=no
add dst-address=:593 protocol=tcp action=drop comment="________" disabled=no
add dst-address=:1024-1030 protocol=tcp action=drop comment="________" \
disabled=no
add dst-address=:1080 protocol=tcp action=drop comment="Drop MyDoom" \
disabled=no
add dst-address=:1214 protocol=tcp action=drop comment="________" disabled=no
add dst-address=:1363 protocol=tcp action=drop comment="ndm requester" \
disabled=no
add dst-address=:1364 protocol=tcp action=drop comment="ndm server" \
disabled=no
add dst-address=:1368 protocol=tcp action=drop comment="screen cast" \
disabled=no
add dst-address=:1373 protocol=tcp action=drop comment="hromgrafx" \
disabled=no
add dst-address=:1377 protocol=tcp action=drop comment="cichlid" disabled=no
add dst-address=:1433-1434 protocol=tcp action=drop comment="Worm" \
disabled=no
add dst-address=:2745 protocol=tcp action=drop comment="Bagle Virus" \
disabled=no
add dst-address=:2283 protocol=tcp action=drop comment="Drop Dumaru.Y" \
disabled=no
add dst-address=:2535 protocol=tcp action=drop comment="Drop Beagle" \
disabled=no
add dst-address=:2745 protocol=tcp action=drop comment="Drop Beagle.C-K" \
disabled=no
add dst-address=:3127-3128 protocol=tcp action=drop comment="Drop MyDoom" \
disabled=no
add dst-address=:3410 protocol=tcp action=drop comment="Drop Backdoor \
OptixPro" disabled=no
add dst-address=:4444 protocol=tcp action=drop comment="Worm" disabled=no
add dst-address=:4444 protocol=udp action=drop comment="Worm" disabled=no
add dst-address=:5554 protocol=tcp action=drop comment="Drop Sasser" \
disabled=no
add dst-address=:8866 protocol=tcp action=drop comment="Drop Beagle.B" \
disabled=no
add dst-address=:9898 protocol=tcp action=drop comment="Drop Dabber.A-B" \
disabled=no
add dst-address=:10000 protocol=tcp action=drop comment="Drop Dumaru.Y" \
disabled=no
add dst-address=:10080 protocol=tcp action=drop comment="Drop MyDoom.B" \
disabled=no
add dst-address=:12345 protocol=tcp action=drop comment="Drop NetBus" \
disabled=no
add dst-address=:17300 protocol=tcp action=drop comment="Drop Kuang2" \
disabled=no
add dst-address=:27374 protocol=tcp action=drop comment="Drop SubSeven" \
disabled=no
add dst-address=:65506 protocol=tcp action=drop comment="Drop PhatBot, \
Agobot, Gaobot" disabled=no

cnyepeng posted on 2005-10-4 15:20:15

Just remove this rule and it will work: /ip firewall rule input add action=drop log=yes comment="Log and drop everything else" disabled=no

jakeli posted on 2006-8-6 19:50:52

Thanks a lot.

monvzhilei posted on 2006-8-6 22:50:26

Why is that, exactly? The official firewall also drops everything in the last rule of the input chain.
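Why the catch-all drop breaks VRRP, as an added Python model that is not part of the thread: VRRP advertisements are sent as IP protocol 112 to the multicast group 224.0.0.18, so they match none of the accept rules in the posted input chain and fall through to the final drop; each router then stops hearing the other and both claim master. The model also shows the alternative to deleting that rule (accepting IP protocol 112 on input just before it, so the default deny stays); the chain, packets and field names are a constructed simplification of the export above.

```python
# Added example, not from the thread: a small model of the posted RouterOS
# input chain showing why its final catch-all drop breaks VRRP.
# A VRRP advertisement is IP protocol 112 to multicast 224.0.0.18; it is not
# UDP, ICMP, TCP or "established", so only the last rule matches it.
VRRP_PROTO = 112
VRRP_GROUP = "224.0.0.18"

def rule(action, **match):
    return {"action": action, "match": match}

# Condensed input chain from the post (same order, fewer port rules);
# dst_port is matched against a (low, high) range.
INPUT_CHAIN = [
    rule("drop", state="invalid"),
    rule("accept", state="established"),
    rule("accept", state="related"),
    rule("accept", protocol=17),                    # UDP
    rule("accept", protocol=1),                     # ICMP
    rule("accept", protocol=6, dst_port=(22, 22)),  # SSH
    rule("accept", protocol=6, dst_port=(80, 80)),  # HTTP
    rule("drop"),                                   # log and drop everything else
]

def matches(match, pkt):
    for key, want in match.items():
        have = pkt.get(key)
        if key == "dst_port":
            if have is None or not (want[0] <= have <= want[1]):
                return False
        elif have != want:
            return False
    return True

def evaluate(chain, pkt):
    """First matching rule decides; None means the chain policy applies."""
    for r in chain:
        if matches(r["match"], pkt):
            return r["action"]
    return None

def with_vrrp_accept(chain):
    """Alternative to removing the catch-all: accept VRRP right before it."""
    fixed = list(chain)
    fixed.insert(-1, rule("accept", protocol=VRRP_PROTO, dst_ip=VRRP_GROUP))
    return fixed

# Constructed sample packets: a VRRP advertisement and an unsolicited TCP/445 probe.
VRRP_ADVERT = {"protocol": VRRP_PROTO, "dst_ip": VRRP_GROUP, "state": "new"}
SMB_PROBE = {"protocol": 6, "dst_port": 445, "state": "new"}
```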