找回密码
 注册

QQ登录

只需一步,快速开始

搜索
查看: 9607|回复: 14

[其它] [原创]ROS防火墙设置!

[复制链接]
发表于 2005-6-21 09:35:50 | 显示全部楼层 |阅读模式

马上注册,结交更多好友,享用更多功能,让你轻松玩转社区。

您需要 登录 才可以下载或查看,没有账号?注册

×
这里把ros的端口改成81了
大家之间可以下载附件然后重
/sys backup
中添加

# jun/21/2005 09:31:38 by routeros 2.8.26
# software id = 42TB-UEN
#
/ ip firewall
set input name="input" policy=accept comment=""
set forward name="forward" policy=accept comment=""
set output name="output" policy=accept comment=""
add name="virus" policy=none comment=""
/ ip firewall rule forward
add connection-state=invalid action=drop comment="" disabled=no
add connection-state=established action=accept comment="" disabled=no
add connection-state=related action=accept comment="" disabled=no
add action=jump jump-target=virus comment="" disabled=no
add protocol=udp action=accept comment="" disabled=no
add protocol=icmp limit-count=50 limit-burst=2 limit-time=5s action=accept \
    comment="" disabled=no
add protocol=icmp action=drop comment="" disabled=no
/ ip firewall rule input
add connection-state=invalid action=drop comment="" disabled=no
add connection-state=established action=accept comment="" disabled=no
add connection-state=related action=accept comment="" disabled=no
add action=jump jump-target=virus comment="" disabled=no
add protocol=udp action=accept comment="" disabled=no
add protocol=icmp limit-count=50 limit-burst=2 limit-time=5s action=accept \
    comment="" disabled=no
add protocol=icmp action=drop comment="" disabled=no
add dst-address=:3987 protocol=tcp action=accept comment="" disabled=no
add dst-address=:23 protocol=tcp action=accept comment="" disabled=no
add dst-address=:21 protocol=tcp action=accept comment="" disabled=no
add dst-address=:81 protocol=tcp action=accept comment="" disabled=no
add action=drop comment="" disabled=no
/ ip firewall rule virus
add dst-address=:25 protocol=tcp action=drop comment="" disabled=no
add dst-address=:69 protocol=udp action=drop comment="" disabled=no
add dst-address=:79 protocol=tcp action=drop comment="" disabled=no
add dst-address=:113 protocol=udp action=drop comment="" disabled=no
add dst-address=:113 protocol=tcp action=drop comment="" disabled=no
add dst-address=:123 protocol=tcp action=drop comment="" disabled=no
add dst-address=:123 protocol=udp action=drop comment="" disabled=no
add dst-address=:134-139 protocol=udp action=drop comment="" disabled=no
add dst-address=:134-139 protocol=tcp action=drop comment="" disabled=no
add dst-address=:143 protocol=tcp action=drop comment="" disabled=no
add dst-address=:161-162 protocol=udp action=drop comment="" disabled=no
add dst-address=:161-162 protocol=tcp action=drop comment="" disabled=no
add dst-address=:445 protocol=tcp action=drop comment="" disabled=no
add dst-address=:445 protocol=udp action=drop comment="" disabled=no
add dst-address=:500 protocol=tcp action=drop comment="" disabled=no
add dst-address=:500 protocol=udp action=drop comment="" disabled=no
add dst-address=:593 protocol=tcp action=drop comment="" disabled=no
add dst-address=:1024-1030 protocol=tcp action=drop comment="" disabled=no
add dst-address=:1024-1030 protocol=udp action=drop comment="" disabled=no
add dst-address=:1043 protocol=tcp action=drop comment="" disabled=no
add dst-address=:1043 protocol=udp action=drop comment="" disabled=no
add dst-address=:1080 protocol=tcp action=drop comment="" disabled=no
add dst-address=:1214 protocol=tcp action=drop comment="" disabled=no
add dst-address=:1363 protocol=tcp action=drop comment="" disabled=no
add dst-address=:1364 protocol=tcp action=drop comment="" disabled=no
add dst-address=:1368 protocol=tcp action=drop comment="" disabled=no
add dst-address=:1373 protocol=tcp action=drop comment="" disabled=no
add dst-address=:1377 protocol=tcp action=drop comment="" disabled=no
add dst-address=:1433-1434 protocol=tcp action=drop comment="" disabled=no
add dst-address=:1524 protocol=tcp action=drop comment="" disabled=no
add dst-address=:1723 protocol=tcp action=drop comment="" disabled=no
add dst-address=:1723 protocol=udp action=drop comment="" disabled=no
add dst-address=:1900 protocol=udp action=drop comment="" disabled=no
add dst-address=:1900 protocol=tcp action=drop comment="" disabled=no
add dst-address=:1999-2001 protocol=tcp action=drop comment="" disabled=no
add dst-address=:1999-2001 protocol=udp action=drop comment="" disabled=no
add dst-address=:2140 protocol=tcp action=drop comment="" disabled=no
add dst-address=:2140 protocol=udp action=drop comment="" disabled=no
add dst-address=:2283 protocol=tcp action=drop comment="" disabled=no
add dst-address=:2535 protocol=tcp action=drop comment="" disabled=no
add dst-address=:2745 protocol=tcp action=drop comment="" disabled=no
add dst-address=:2745 protocol=udp action=drop comment="" disabled=no
add dst-address=:3127-3128 protocol=tcp action=drop comment="" disabled=no
add dst-address=:3150 protocol=tcp action=drop comment="" disabled=no
add dst-address=:3150 protocol=udp action=drop comment="" disabled=no
add dst-address=:3306 protocol=tcp action=drop comment="" disabled=no
add dst-address=:3306 protocol=udp action=drop comment="" disabled=no
add dst-address=:3389 protocol=tcp action=drop comment="" disabled=no
add dst-address=:3389 protocol=udp action=drop comment="" disabled=no
add dst-address=:3410 protocol=tcp action=drop comment="" disabled=no
add dst-address=:3801 protocol=udp action=drop comment="" disabled=no
add dst-address=:4444 protocol=tcp action=drop comment="" disabled=no
add dst-address=:4444 protocol=udp action=drop comment="" disabled=no
add dst-address=:4500 protocol=tcp action=drop comment="" disabled=no
add dst-address=:4500 protocol=udp action=drop comment="" disabled=no
add dst-address=:5000 protocol=tcp action=drop comment="" disabled=no
add dst-address=:5000 protocol=udp action=drop comment="" disabled=no
add dst-address=:5354 protocol=tcp action=drop comment="" disabled=no
add dst-address=:5354 protocol=udp action=drop comment="" disabled=no
add dst-address=:5554 protocol=tcp action=drop comment="" disabled=no
add dst-address=:5800 protocol=tcp action=drop comment="" disabled=no
add dst-address=:5800 protocol=udp action=drop comment="" disabled=no
add dst-address=:5880-5882 protocol=udp action=drop comment="" disabled=no
add dst-address=:5888-5889 protocol=udp action=drop comment="" disabled=no
add dst-address=:5900 protocol=udp action=drop comment="" disabled=no
add dst-address=:5900 protocol=tcp action=drop comment="" disabled=no
add dst-address=:6000 protocol=udp action=drop comment="" disabled=no
add dst-address=:6000 protocol=tcp action=drop comment="" disabled=no
add dst-address=:6129 protocol=tcp action=drop comment="" disabled=no
add dst-address=:6129 protocol=udp action=drop comment="" disabled=no
add dst-address=:6267 protocol=tcp action=drop comment="" disabled=no
add dst-address=:6667 protocol=tcp action=drop comment="" disabled=no
add dst-address=:6667 protocol=udp action=drop comment="" disabled=no
add dst-address=:6678 protocol=udp action=drop comment="" disabled=no
add dst-address=:6678 protocol=tcp action=drop comment="" disabled=no
add dst-address=:6711 protocol=tcp action=drop comment="" disabled=no
add dst-address=:6711 protocol=udp action=drop comment="" disabled=no
add dst-address=:7070 protocol=udp action=drop comment="" disabled=no
add dst-address=:7070 protocol=tcp action=drop comment="" disabled=no
add dst-address=:7306-7308 protocol=tcp action=drop comment="" disabled=no
add dst-address=:7306-7308 protocol=udp action=drop comment="" disabled=no
add dst-address=:7511 protocol=udp action=drop comment="" disabled=no
add dst-address=:7626 protocol=tcp action=drop comment="" disabled=no
add dst-address=:7511 protocol=tcp action=drop comment="" disabled=no
add dst-address=:8011 protocol=tcp action=drop comment="" disabled=no
add dst-address=:8011 protocol=udp action=drop comment="" disabled=no
add dst-address=:8225 protocol=tcp action=drop comment="" disabled=no
add dst-address=:8225 protocol=udp action=drop comment="" disabled=no
add dst-address=:8311 protocol=tcp action=drop comment="" disabled=no
add dst-address=:8311 protocol=udp action=drop comment="" disabled=no
add dst-address=:8866 protocol=tcp action=drop comment="" disabled=no
add dst-address=:8998 protocol=tcp action=drop comment="" disabled=no
add dst-address=:9898 protocol=tcp action=drop comment="" disabled=no
add dst-address=:9898 protocol=tcp action=drop comment="" disabled=no
add dst-address=:10000 protocol=tcp action=drop comment="" disabled=no
add dst-address=:10000 protocol=udp action=drop comment="" disabled=no
add dst-address=:10080 protocol=tcp action=drop comment="" disabled=no
add dst-address=:12345-12346 protocol=tcp action=drop comment="" disabled=no
add dst-address=:12345-12346 protocol=udp action=drop comment="" disabled=no
add dst-address=:17027 protocol=udp action=drop comment="" disabled=no
add dst-address=:17027 protocol=tcp action=drop comment="" disabled=no
add dst-address=:17300 protocol=tcp action=drop comment="" disabled=no
add dst-address=:20162 protocol=tcp action=drop comment="" disabled=no
add dst-address=:20162 protocol=udp action=drop comment="" disabled=no
add dst-address=:20168 protocol=tcp action=drop comment="" disabled=no
add dst-address=:20168 protocol=udp action=drop comment="" disabled=no
add dst-address=:27374 protocol=tcp action=drop comment="" disabled=no
add dst-address=:27374 protocol=udp action=drop comment="" disabled=no
add dst-address=:23444 protocol=udp action=drop comment="" disabled=no
add dst-address=:23444 protocol=tcp action=drop comment="" disabled=no
add dst-address=:30100 protocol=tcp action=drop comment="" disabled=no
add dst-address=:31337-34338 protocol=tcp action=drop comment="" disabled=no
add dst-address=:31337-34338 protocol=udp action=drop comment="" disabled=no
add dst-address=:31789-31790 protocol=tcp action=drop comment="" disabled=no
add dst-address=:31789-31790 protocol=udp action=drop comment="" disabled=no
add dst-address=:34555 protocol=tcp action=drop comment="" disabled=no
add dst-address=:35555 protocol=tcp action=drop comment="" disabled=no
add dst-address=:39243 protocol=tcp action=drop comment="" disabled=no
add dst-address=:39243 protocol=udp action=drop comment="" disabled=no
add dst-address=:45576 protocol=udp action=drop comment="" disabled=no
add dst-address=:45576 protocol=tcp action=drop comment="" disabled=no
add dst-address=:54320-54321 protocol=tcp action=drop comment="" disabled=no
add dst-address=:54320-54321 protocol=udp action=drop comment="" disabled=no
add dst-address=:65506 protocol=tcp action=drop comment="" disabled=no
/ ip firewall service-port
set ftp ports=21 disabled=no
set pptp disabled=yes
set gre disabled=yes
set h323 disabled=yes
set mms disabled=no
set irc ports=6667 disabled=no
set quake3 disabled=no
set tftp ports=69 disabled=no
/ ip firewall src-nat
add action=masquerade comment="vip" disabled=no
add action=masquerade comment="all" disabled=no
/ ip firewall dst-nat
add action=accept to-dst-address=192.168.1.3 to-dst-port=80 comment="contrl" \
    disabled=yes
/ ip firewall connection tracking
set enabled=yes tcp-syn-sent-timeout=50s tcp-syn-received-timeout=30s \
    tcp-established-timeout=5d tcp-fin-wait-timeout=2m \
    tcp-close-wait-timeout=1m tcp-last-ack-timeout=30s \
    tcp-time-wait-timeout=2m tcp-close-timeout=10s udp-timeout=30s \
    udp-stream-timeout=3m icmp-timeout=30s generic-timeout=10m
routeros
 楼主| 发表于 2005-6-21 09:37:26 | 显示全部楼层
附件
由于不能上传 rsc文件
所以我把文件名字改成了 f.txt
大家下载后直接改成  f.rsc  文件
然后上传到 FTP://路由IP:

/import

f.txt

11.3 KB, 下载次数: 193

routeros
回复

使用道具 举报

发表于 2005-6-22 09:58:11 | 显示全部楼层
请问一下.怎么把端口改成81呢.有什么用么.用80不好么.不明白.望指教
routeros
回复

使用道具 举报

发表于 2005-7-2 02:05:09 | 显示全部楼层
请问楼主,网吧用这个会不会有个别游戏用不了的。
routeros
回复

使用道具 举报

发表于 2005-7-2 03:29:26 | 显示全部楼层
我说两句,不一定对,
我认为ros中的防火墙的设置思路应该这样:
1.对下边的客户机的端口能开多少开多少。现在网络游戏天天翻新。封端口可能会弄的大家忙的要死,毕竟现在不装保护软件的好像没有了
2.对内网服务器的封堵,应该用啥开啥。不用的统统关。安全是第一要求
3.大家都知道的恶意网站,和各种木马程序。还有恶性的病毒。决不姑息。我想大家可不想让顾客投诉天天丢号吧

基本上的思路是尽量能让服务器的资源占用上少点,大家的ros的服务器估计都是网把的淘汰机器。还是让它不要太累了,
routeros
回复

使用道具 举报

发表于 2005-7-2 07:16:10 | 显示全部楼层
那个10000的端口好象就是热血武林还是武林外史用的。
routeros
回复

使用道具 举报

发表于 2005-7-2 13:07:10 | 显示全部楼层
规则过于简单了。呵呵.
routeros
回复

使用道具 举报

发表于 2005-7-2 19:49:27 | 显示全部楼层
老虎能把你的防火墙规则贴出来让我们学习一下吗
routeros
回复

使用道具 举报

发表于 2005-7-5 15:40:43 | 显示全部楼层
QUOTE(hzkane @ Jul 2 2005, 01:07 PM)
规则过于简单了。呵呵.
[right][snapback]52847[/snapback][/right]


能不能把你的规则看看?让我们这些新手学习学习!先谢谢了!
routeros
回复

使用道具 举报

发表于 2005-7-5 16:36:06 | 显示全部楼层
1433端口尽量不要封闭,因为跑MS SQL Server需要这个端口,别为了封病毒把数据库服务器也给封了,肯定有人找你拼命不可,哈哈
routeros
回复

使用道具 举报

发表于 2005-9-14 04:05:50 | 显示全部楼层
原帖由 lovejing 于 2005-6-22 09:58 AM 发表
请问一下.怎么把端口改成81呢.有什么用么.用80不好么.不明白.望指教



/ip services set www port=81

你的意思是这样吗?
routeros
回复

使用道具 举报

发表于 2005-9-14 10:58:50 | 显示全部楼层
/ip service set www port=81
不是services,是service

不使用80,这可在一定程度对它进行保密吧
使用80,很容易让人访问到,因为端口是自定的,一般人不会知道你用什么端口

[ 本帖最后由 madlife 于 2005-9-14 11:01 AM 编辑 ]
routeros
回复

使用道具 举报

发表于 2005-9-21 09:53:13 | 显示全部楼层

用了

顶了
routeros
回复

使用道具 举报

发表于 2005-9-21 11:24:30 | 显示全部楼层
不错,借鉴一下。
routeros
回复

使用道具 举报

发表于 2005-9-26 20:06:26 | 显示全部楼层
用了你的防火墙 现在用winbox连接后出现“ 连接100.100.100.5:3986” 然后连接不上,断开,winbox也无法使用,请问会是什么原因? 我看了你的f.rsc,里面未涉及到3986端口。。。。。 怎么解决?
routeros
回复

使用道具 举报

您需要登录后才可以回帖 登录 | 注册

本版积分规则

QQ|Archiver|手机版|小黑屋|软路由 ( 渝ICP备15001194号-1|渝公网安备 50011602500124号 )

GMT+8, 2024-11-17 19:47 , Processed in 0.112072 second(s), 7 queries , Gzip On, Redis On.

Powered by Discuz! X3.5 Licensed

© 2001-2024 Discuz! Team.

快速回复 返回顶部 返回列表