|
马上注册,结交更多好友,享用更多功能,让你轻松玩转社区。
您需要 登录 才可以下载或查看,没有账号?注册
×
防火墙导致网上银行不能使用
我用的ros2.927,加了一些防火墙的脚本,上网一切正常,但是什么银行的网上银行登陆后就打不开网页了,我在没有办法的情况下,我就防火墙脚本全删除了就好了,但是我还要用防火墙,又不知道是哪一条搞的鬼,希望大家能否帮帮我看看!谢谢,先!!
以下是我目前使用的脚本
# sep/10/2007 15:31:26 by routeros 2.9.27
# software id = TY0C-IGN
#
/ ip firewall filter
add chain=output protocol=icmp action=drop comment="Drop outside Ping" \
disabled=no
add chain=input in-interface=WAN protocol=icmp action=drop comment="NO DDOS" \
disabled=no
add chain=forward src-mac-address=00:F4:28:60:70:03 action=drop comment="禁止 \
mac 00-f4-60-70-03 IP172.16.0.201因为ping 值188ms 不正常" disabled=no
add chain=input connection-state=invalid action=drop \
comment="丢弃非法连接packets" disabled=no
add chain=input protocol=tcp psd=21,3s,3,1 action=drop \
comment="探测并丢弃端口扫描连接" disabled=no
add chain=input protocol=tcp connection-limit=3,32 src-address-list=black_list \
action=tarpit comment="压制DoS攻击" disabled=no
add chain=input protocol=tcp connection-limit=10,32 \
action=add-src-to-address-list address-list=black_list \
address-list-timeout=1d comment="探测DoS攻击" disabled=no
add chain=input dst-address-type=!local action=drop comment="丢弃掉非本地数据" \
disabled=no
add chain=input src-address-type=!unicast action=drop \
comment="丢弃掉所有非单播数据" disabled=no
add chain=ICMP protocol=icmp icmp-options=0:0-255 limit=5,5 action=accept \
comment="Ping应答限制为每秒5个包" disabled=no
add chain=ICMP protocol=icmp icmp-options=3:3 limit=5,5 action=accept \
comment="Traceroute限制为每秒5个包" disabled=no
add chain=ICMP protocol=icmp icmp-options=3:4 limit=5,5 action=accept \
comment="MTU线路探测限制为每秒5个包" disabled=no
add chain=ICMP protocol=icmp icmp-options=8:0-255 limit=5,5 action=accept \
comment="Ping请求限制为每秒5个包" disabled=no
add chain=ICMP protocol=icmp icmp-options=11:0-255 limit=5,5 action=accept \
comment="Trace TTL限制为每秒5个包" disabled=no
add chain=forward connection-state=established action=accept \
comment="接受以连接的数据包" disabled=no
add chain=forward connection-state=related action=accept \
comment="接受相关数据包" disabled=no
add chain=forward connection-state=invalid action=drop \
comment="丢弃非法数据包" disabled=no
add chain=forward src-address-type=!unicast action=drop \
comment="丢弃掉所有非单播数据" disabled=no
add chain=input dst-address-type=!local action=drop comment="drop all that is \
not to local" disabled=no
add chain=forward protocol=icmp action=jump jump-target=ICMP \
comment="跳转到ICMP链表" disabled=no
add chain=input connection-state=established action=accept \
comment="本机数据安全" disabled=no
add chain=input connection-state=related action=accept comment="" disabled=no
add chain=input connection-state=invalid action=drop comment="丢弃明显异常包" \
disabled=no
add chain=input dst-address-type=!local action=drop \
comment="丢弃目标非本机的包" disabled=no
add chain=input src-address-type=!unicast action=drop comment="丢弃多播包" \
disabled=no
add chain=input protocol=tcp psd=21,3s,3,1 action=drop comment="屏蔽黑名单" \
disabled=no
add chain=input protocol=tcp connection-limit=10,32 \
action=add-src-to-address-list address-list=black_list \
address-list-timeout=1d \
comment="短时间内同时建立大量TCP连接\(超过10\),视为DoS拒绝服务攻击,进黑名单\
一天" disabled=no
add chain=input protocol=tcp connection-limit=3,32 src-address-list=black_list \
action=tarpit comment="黑名单上的只能建立3个并发连接" disabled=no
add chain=forward dst-address=62.241.53.15 action=drop comment="垃圾网站" \
disabled=no
add chain=forward action=jump jump-target=virus comment="跳转到病毒链表" \
disabled=no
add chain=input protocol=udp dst-port=134-139 action=drop comment="NO 3B" \
disabled=no
add chain=forward protocol=udp dst-port=134-139 action=drop comment="" \
disabled=no
add chain=input protocol=tcp dst-port=134-139 action=drop comment="" \
disabled=no
add chain=forward protocol=tcp dst-port=134-139 action=drop comment="" \
disabled=no
add chain=forward protocol=tcp dst-port=445 action=drop comment="" disabled=no
add chain=forward protocol=udp dst-port=500 action=drop comment="" disabled=no
add chain=input protocol=tcp dst-port=445 action=drop comment="" disabled=no
add chain=input protocol=udp dst-port=500 action=drop comment="" disabled=no
add chain=virus protocol=tcp dst-port=5031 action=drop comment="" disabled=no
add chain=virus protocol=tcp dst-port=5321 action=drop comment="" disabled=no
add chain=virus protocol=tcp dst-port=2774 action=drop comment="" disabled=no
add chain=virus protocol=tcp dst-port=1234 action=drop comment="" disabled=no
add chain=virus protocol=tcp dst-port=6711-6713 action=drop comment="" \
disabled=no
add chain=virus protocol=tcp dst-port=8011 action=drop comment="" disabled=no
add chain=virus protocol=tcp dst-port=7626 action=drop comment="" disabled=no
add chain=virus protocol=tcp dst-port=5714 action=drop comment="" disabled=no
add chain=virus protocol=tcp dst-port=2004-2005 action=drop comment="" \
disabled=no
add chain=virus protocol=tcp dst-port=5598 action=drop comment="" disabled=no
add chain=virus protocol=tcp dst-port=5698 action=drop comment="" disabled=no
add chain=virus protocol=tcp dst-port=3586 action=drop comment="" disabled=no
add chain=virus protocol=tcp dst-port=3127-3128 action=drop comment="" \
disabled=no
add chain=virus protocol=tcp dst-port=2745 action=drop comment="" disabled=no
add chain=virus protocol=tcp dst-port=5554 action=drop comment="" disabled=no
add chain=virus protocol=tcp dst-port=9996 action=drop comment="" disabled=no
add chain=virus protocol=tcp dst-port=9995 action=drop comment="" disabled=no
add chain=virus protocol=tcp dst-port=1092 action=drop comment="" disabled=no
add chain=virus protocol=tcp dst-port=1363-1364 action=drop comment="" \
disabled=no
add chain=virus protocol=tcp dst-port=1373 action=drop comment="" disabled=no
add chain=virus protocol=udp dst-port=8998 action=drop comment="" disabled=no
add chain=virus protocol=udp dst-port=123 action=drop comment="" disabled=no
add chain=virus protocol=tcp dst-port=1024-1030 action=drop comment="" \
disabled=no
add chain=virus protocol=tcp dst-port=1433-1434 action=drop comment="Worm" \
disabled=no
add chain=virus protocol=tcp dst-port=10080 action=drop comment="" disabled=no |
|