官方防火墙脚本？

泽雄

H3C ER5100路由器中有安全相关的设置如下：
状态数据包检查
防止TCP sync扫描
防止Stealth FIN扫描
防止  Xmas Tree扫描
防止Null扫描
防止UDP扫描功能
防止Land 攻击功能
防止Smurf攻击功能
防止WinNuke攻击功能
防止Ping of Death攻击
防止SYN Flood攻击功能
防止UDP Flood攻击功能
防止ICMP Flood攻击功能
防止IP Spoofing功能
防止碎片包攻击
防止TearDrop攻击
防止Fraggle攻击功能

routeros使用官方的防火墙脚本，能不能防止H3C路由器提到的攻击？？？

/ ip firewall filter
add chain=input connection-state=invalid action=drop \
    comment="丢弃非法连接数据" disabled=no
/ip firewall filter
add action=drop chain=forward comment="机器狗目标地址过滤" disabled=no dst-address-list=Robotdog
add action=jump chain=forward comment="跳转机器狗过域名滤规则" disabled=no jump-target=Robotdog
add chain=input protocol=tcp dst-port=80 connection-limit=20,0 action=drop \
    comment="限制总http连接数为20" disabled=no
add chain=input protocol=tcp psd=21,3s,3,1 action=drop \
    comment="探测并丢弃端口扫描连接" disabled=no
add chain=input protocol=tcp connection-limit=3,32 src-address-list=black_list \
    action=tarpit comment="压制DoS攻击" disabled=no
add chain=input protocol=tcp connection-limit=10,32 \
    action=add-src-to-address-list address-list=black_list \
    address-list-timeout=1d comment="探测DoS攻击" disabled=no
add chain=input dst-address-type=!local action=drop comment="丢弃掉非本地数据" \
    disabled=no
add chain=input protocol=icmp action=jump jump-target=ICMP \
    comment="跳转到ICMP链表" disabled=no
add chain=ICMP protocol=icmp icmp-options=0:0-255 limit=5,5 action=accept \
    comment="Ping应答限制为每秒5个包" disabled=no
add chain=ICMP protocol=icmp icmp-options=3:3 limit=5,5 action=accept \
    comment="Traceroute限制为每秒5个包" disabled=no
add chain=ICMP protocol=icmp icmp-options=3:4 limit=5,5 action=accept \
    comment="MTU线路探测限制为每秒5个包" disabled=no
add chain=ICMP protocol=icmp icmp-options=8:0-255 limit=5,5 action=accept \
    comment="Ping请求限制为每秒5个包" disabled=no
add chain=ICMP protocol=icmp icmp-options=11:0-255 limit=5,5 action=accept \
    comment="Trace TTL限制为每秒5个包" disabled=no
add chain=ICMP protocol=icmp action=drop comment="丢弃掉任何ICMP数据" \
    disabled=no
add chain=forward connection-state=invalid action=drop \
    comment="丢弃非法数据包" disabled=no
add chain=forward protocol=tcp connection-limit=80,32 action=drop \
    comment="限制每个主机TCP连接数为80条" disabled=no
add chain=forward src-address-type=!unicast action=drop \
    comment="丢弃掉所有非单播数据" disabled=no
add chain=forward protocol=icmp action=jump jump-target=ICMP \
    comment="跳转到ICMP链表" disabled=no
add chain=forward action=jump jump-target=virus comment="跳转到病毒链表" \
    disabled=no

pxyq

碰到大型的DDOS，ISP也怕