本人使用的防火墙脚本

WGHBOY

# sep/12/2010 11:06:27 by routeros 3.30
# software id = Q462-U3FF
#
/ip firewall filter
add action=drop chain=forward comment=XL disabled=no port=15000 protocol=udp
add action=drop chain=forward comment=PPS disabled=no port=17788 protocol=udp
add action=drop chain=forward comment=pplive disabled=no port=5041 protocol=\
    udp
add action=drop chain=forward comment="" disabled=no p2p=all-p2p
add action=drop chain=forward comment="" disabled=no dst-address=\
    121.15.207.0/24 out-interface=pppoe-out1
add action=drop chain=forward comment="" disabled=no dst-address=\
    121.15.207.0/24 out-interface=pppoe-out2
add action=drop chain=forward comment="" disabled=no dst-address=\
    121.15.207.0/24 out-interface=pppoe-out3
add action=drop chain=forward comment="" disabled=no dst-address=\
    121.15.207.0/24 out-interface=pppoe-out4
add action=drop chain=forward comment="" connection-limit=80,32 disabled=no \
    protocol=tcp tcp-flags=syn
add action=drop chain=forward comment="Bloqueio do Ares" disabled=no \
    dst-port=0 protocol=udp
add action=drop chain=forward comment="" disabled=no protocol=udp src-port=0
add action=jump chain=input comment="\CC\F8\D7\AA\B5\BDICMP\C1\B4\B1\ED" \
    disabled=no jump-target=ICMP protocol=icmp
add action=accept chain=ICMP comment=\
    "Ping\D3\A6\B4\F0\CF\DE\D6\C6\CE\AA\C3\BF\C3\EB5\B8\F6\B0\FC" disabled=no \
    icmp-options=0:0-255 limit=5,5 protocol=icmp
add action=accept chain=ICMP comment=\
    "Traceroute\CF\DE\D6\C6\CE\AA\C3\BF\C3\EB5\B8\F6\B0\FC" disabled=no \
    icmp-options=3:3 limit=5,5 protocol=icmp
add action=accept chain=ICMP comment=\
    "MTU\CF\DF\C2\B7\CC\BD\B2\E2\CF\DE\D6\C6\CE\AA\C3\BF\C3\EB5\B8\F6\B0\FC" \
    disabled=no icmp-options=3:4 limit=5,5 protocol=icmp
add action=accept chain=ICMP comment=\
    "Ping\C7\EB\C7\F3\CF\DE\D6\C6\CE\AA\C3\BF\C3\EB5\B8\F6\B0\FC" disabled=no \
    icmp-options=8:0-255 limit=5,5 protocol=icmp
add action=accept chain=ICMP comment=\
    "Trace TTL\CF\DE\D6\C6\CE\AA\C3\BF\C3\EB5\B8\F6\B0\FC" disabled=no \
    icmp-options=11:0-255 limit=5,5 protocol=icmp
add action=drop chain=ICMP comment=\
    "\B6\AA\C6\FA\B5\F4\C8\CE\BA\CEICMP\CA\FD\BE\DD" disabled=no protocol=\
    icmp
add action=jump chain=forward comment="\CC\F8\D7\AA\B5\BDICMP\C1\B4\B1\ED" \
    disabled=no jump-target=ICMP protocol=icmp
add action=drop chain=forward comment=\
    "\B6\AA\C6\FA\B7\C7\B7\A8\CA\FD\BE\DD\B0\FC" connection-state=invalid \
    disabled=no
add action=drop chain=forward comment=\
    "\B6\AA\C6\FA\B5\F4\CB\F9\D3\D0\B7\C7\B5\A5\B2\A5\CA\FD\BE\DD" disabled=\
    no src-address-type=!unicast
add action=accept chain=input comment=dns disabled=no port=53 protocol=udp
add action=accept chain=input comment=snmp disabled=no port=161 protocol=udp
add action=accept chain=input comment=pop3 disabled=no port=25 protocol=tcp
add action=accept chain=input comment=web disabled=no port=80 protocol=tcp
add action=accept chain=input comment=ddns disabled=no port=443 protocol=tcp
add action=accept chain=input comment=dude disabled=no port=81,2210,2211 \
    protocol=tcp
add action=accept chain=input comment=winbox disabled=no port=8291 protocol=\
    tcp
add action=accept chain=input comment=btest disabled=no port=2000-2010 \
    protocol=tcp
add action=accept chain=input comment=radius disabled=no port=1812-1814 \
    protocol=udp
add action=accept chain=input comment=radius disabled=no port=1700 protocol=\
    udp
add action=drop chain=input comment="" disabled=no
以上只做参考,开放部份端口,剩下的全禁止

imxch

我导入试试猛男的防火墙

kenyloveg

猛男这个是单线的吧？
有没有带多线PCC的？

WGHBOY

中文标记的,如须开其它端口,可以在最后一条前加入,这个可以防部份攻击了

广东林001

多谢分享

WGHBOY

哦

chicalor

先支持下了，顶你 啊

网中$漫步

先支持下了

广东林001

先支持下了，顶你 啊

cooljay

先谢一个，然后拿个铜板。

wszf1993

泡杯茶慢慢品尝！

老树昏鸦

看不懂，先导进去看 下，有没有什么发现

weith

这个收下来慢慢研究~

sony1208

这个收下来慢慢研究~