2.92的防火策略,请高手指导一下 (RouterOS v2.9 firewall / QoS configuration, posted for expert review)
/ip firewall filter
virus:
add chain=virus protocol=tcp dst-port=134-139 action=drop comment="drop blaster worm"
add chain=virus protocol=udp dst-port=134-139 action=drop comment="drop messenger worm"
add chain=virus protocol=tcp dst-port=593 action=drop comment="---------"
add chain=virus protocol=tcp dst-port=1024-1030 action=drop comment"---------"
add chain=virus protocol=tcp dst-prot=1080 action=drop comment"drop mydoom"
add chain=virus protocol=tcp dst-port=1214 action=drop comment="---------"
add chain=virus protocol=tcp dst-port=1363 action=drop comment="ndm requester"
add chain=virus protocol=tcp dst-port=1364 action=drop comment="ndm server"
add chain=virus protocol=tcp dst-port=1368 action=drop comment="screen cast"
add chain=virus protocol=tcp dst-port=1373 action=drop comment="hromgrafx"
add chain=virus protocol=tcp dst-port=1377 action=drop comment="cichlid"
add chain=virus protocol=tcp dst-port=1433-1434 action=drop comment="worm"
add chain=virus protocol=tcp dst-port=3410 action=drop comment="drop backdoor optixpro"
add chain=virus protocol=tcp dst-port=4444 action=drop comment="worm"
add chain=virus protocol=udp dst-port=4444 action=drop comment="worm"
add chain=virus protocol=tcp dst-port=5554 action=drop comment="drop sasser"
add chain=virus protocol=tcp dst-port=8866 action=drop comment="drop beagle.b"
add chain=virus protocol=tcp dst-port=9898 action=drop comment="drop dabber.a-b"
add chain=virus protocol=tcp dst-port=10000 action=drop comment="drop dumaru.y"
add chain=virus protocol=tcp dst-port=10080 action=drop comment="drop mydoom.b"
add chain=virus protocol=tcp dst-port=12345 action=drop comment="drop netbus"
add chain=virus protocol=tcp dst-port=17300 action=drop comment="drop kuang2"
add chain=virus protocol=tcp dst-port=27374 action=drop comment="drop sbuseven"
add chain=virus protocol=tcp dst-port=65506 action=drop comment="drop phatbot,agobot,gaobot"
add chain=virus protocol=tcp dst-port=445action=drop
add chain=virus protocol=udp dst-port=445action=drop
add chain=virus protocol=tcp dst-port=134-139 action=drop
add chain=virus protocol=udp dst-port=134-139 action=drop
forward:
add chain=forward protocol=tcp connection-state=invalid action=drop comment="drop invalid connections"
add chain=forward connection-state=establishedaction=accept
add chain=forward connection-state=related action=accept
add chain=forward src-address=0.0.0.0/8 action=drop
add chain=forward dst-address=0.0.0.0/8 action=drop
add chain=forward src-address=127.0.0.0/8 action=drop
add chain=forward dst-address=127.0.0.0/8 action=drop
add chain=forward src-address=224.0.0.0/3 action=drop
add chain=forward dst-address=224.0.0.0/3 action=drop
add chain=forward protocol=tcp action=jump jump-target=tcp
add chain=forward protocol=udp action=jump jump-target=udp
add chain=forward protocol=icmp action=jump jump-target=icmp
add chain=forward action=jump jump-target=virus
input:
add chain=input connection-state=invalidaction=drop
add chain=input connection-state=established action=accept
add chain=input action=jump jump-target=virus
add chain=input protocol=udp action=accept
add chain=input protocol=icmp action=accept
add chain=input action=drop log=yes
add chain=input protocol=tcp dst-port=500 in-interface=wan action=drop
add chain=input protocol=udp dst-port=500 in-interface=wan action=drop
tcp:
add chain=tcp protocol=tcp dst-port=69 action=drop
add chain=tcp protocol=tcp dst-port=111 action=drop
add chain=tcp protocol=tcp dst-port=135 action=drop
add chain=tcp protocol=tcp dst-port=137-139 action=drop
add chain=tcp protocol=tcp dst-port=445 action=drop
add chain=tcp protocol=tcp dst-port=2049 action=drop
add chain=tcp protocol=tcp dst-port=12345-12346 action=drop
add chain=tcp protocol=tcp dst-port=20034 action=drop
add chain=tcp protocol=tcp dst-port=3133 action=drop
add chain=tcp protocol=tcp dst-port=67-68 action=drop
udp:
add chain=udp protocol=udp dst-port=69 action=drop
add chain=udp protocol=udp dst-port=111 action=drop
add chain=udp protocol=udp dst-port=135 action=drop
add chain=udp protocol=udp dst-port=137-139 action=drop
add chain=udp protocol=udp dst-port=2049 action=drop
add chain=udp protocol=udp dst-port=3133 action=drop
icmp:
add chain=icmp protocol=icmp icmp-options=0:0 action=accept
add chain=icmp protocol=icmp icmp-options=3:0 action=accept
add chain=icmp protocol=icmp icmp-options=3:1 action=accept
add chain=icmp protocol=icmp icmp-options=4:0 action=accept
add chain=icmp protocol=icmp icmp-options=8:0 action=accept
add chain=icmp protocol=icmp icmp-options=11:0 action=accept
add chain=icmp protocol=icmp icmp-options=12:0 action=accept
add chain=icmp action=drop
ip firewall mangle
add chain=prerouting action=accept
add chain=forward p2p=all-p2p action=mark-connection new-connection-mark=p2p_conn
add chain=forward connection-mark=p2p_conn action=mark-packet new-packet-mark=p2p
add chain=forward packet-mark=!p2p_conn action=mark-packet new-packet-mark=other
nat:
add chain=srcnat action=masquerade
queue simple
add name="queue1" dst-address=0.0.0.0/0 interface=all parent=none priority=8 \
queue=default/default limit-at=0/0 max-limit=4096000/4096000 \
total-queue=default
queue tree:
add name="queue1" parent=wan packet-mark=p2p limit-at=1000000 queue=default \
priority=8 max-limit=10000000 burst-limit=0 burst-threshold=0 \
burst-time=0s
add name="queue2" parent=255lan packet-mark=p2p limit-at=1000000 queue=default \
priority=8 max-limit=10000000 burst-limit=0 burst-threshold=0 \
burst-time=0s
add name="queue3" parent=wan packet-mark=other limit-at=1000000 queue=default \
priority=1 max-limit=10000000 burst-limit=0 burst-threshold=0 \
burst-time=0s
add name="queue4" parent=255lan packet-mark=other limit-at=1000000 \
queue=default priority=1 max-limit=10000000 burst-limit=0 \
burst-threshold=0 burst-time=0s up 谢谢!!!兄台、、、、