[Other] A firewall question

Posted 2004-12-21 10:32:20

A question: can this official firewall setting defend against SYN Flood?

[CODE]
# dec/21/2004 04:23:48 by routeros 2.8.21
# software id = 97W1-X0N
#
/ ip firewall
set input name="input" policy=accept comment=""
set forward name="forward" policy=accept comment=""
set output name="output" policy=accept comment=""
add name="virus" policy=none comment=""
/ ip firewall rule forward
add connection-state=invalid action=drop comment="Drop invalid connections" disabled=no
add connection-state=established action=accept comment="Established connections" disabled=no
add connection-state=related action=accept comment="Related connections" disabled=no
add action=jump jump-target=virus comment="!!! Check for well-known viruses !!!" disabled=no
add protocol=udp action=accept comment="UDP" disabled=no
add protocol=icmp limit-count=50 limit-burst=2 limit-time=5s action=accept comment="Allow limited pings" disabled=no
add protocol=icmp action=drop comment="Drop excess pings" disabled=no
/ ip firewall rule input
add connection-state=invalid action=drop comment="Drop invalid connections" disabled=no
add tcp-options=non-syn-only connection-state=established action=accept comment="Accept established connections" disabled=no
add connection-state=related action=accept comment="Accept related connections" disabled=no
add action=jump jump-target=virus comment="!!! Check for well-known viruses !!!" disabled=no
add protocol=udp action=accept comment="UDP" disabled=no
add protocol=icmp limit-count=50 limit-burst=2 limit-time=5s action=accept comment="Allow limited pings" disabled=no
add protocol=icmp action=drop comment="Drop excess pings" disabled=no
add dst-address=:22 protocol=tcp action=accept comment="SSH for demo purposes" disabled=no
add dst-address=:23 protocol=tcp action=accept comment="Telnet for demo purposes" disabled=no
add dst-address=:80 protocol=tcp action=accept comment="http for demo purposes" disabled=no
add dst-address=:3987 protocol=tcp action=accept comment="winbox for demo purposes" disabled=no
add src-address=159.148.172.192/28 action=accept comment="From Mikrotikls network" disabled=no
add src-address=10.0.0.0/8 action=accept comment="From Mikrotikls network" disabled=no
add action=drop log=yes comment="Log and drop everything else" disabled=no
/ ip firewall rule output
add protocol=tcp tcp-options=syn-only action=drop log=yes comment="" disabled=no
/ ip firewall rule virus
add dst-address=:135-139 protocol=tcp action=drop comment="Drop Blaster Worm" disabled=no
add dst-address=:135-139 protocol=udp action=drop comment="Drop Messenger Worm" disabled=no
add dst-address=:445 protocol=tcp action=drop comment="Drop Blaster Worm" disabled=no
add dst-address=:445 protocol=udp action=drop comment="Drop Blaster Worm" disabled=no
add dst-address=:593 protocol=tcp action=drop comment="________" disabled=no
add dst-address=:1024-1030 protocol=tcp action=drop comment="________" disabled=no
add dst-address=:1080 protocol=tcp action=drop comment="Drop MyDoom" disabled=no
add dst-address=:1214 protocol=tcp action=drop comment="________" disabled=no
add dst-address=:1363 protocol=tcp action=drop comment="ndm requester" disabled=no
add dst-address=:1364 protocol=tcp action=drop comment="ndm server" disabled=no
add dst-address=:1368 protocol=tcp action=drop comment="screen cast" disabled=no
add dst-address=:1373 protocol=tcp action=drop comment="hromgrafx" disabled=no
add dst-address=:1377 protocol=tcp action=drop comment="cichlid" disabled=no
add dst-address=:1433-1434 protocol=tcp action=drop comment="Worm" disabled=no
add dst-address=:2745 protocol=tcp action=drop comment="Bagle Virus" disabled=no
add dst-address=:2283 protocol=tcp action=drop comment="Drop Dumaru.Y" disabled=no
add dst-address=:2535 protocol=tcp action=drop comment="Drop Beagle" disabled=no
add dst-address=:2745 protocol=tcp action=drop comment="Drop Beagle.C-K" disabled=no
add dst-address=:3127-3128 protocol=tcp action=drop comment="Drop MyDoom" disabled=no
add dst-address=:3410 protocol=tcp action=drop comment="Drop Backdoor OptixPro" disabled=no
add dst-address=:4444 protocol=tcp action=drop comment="Worm" disabled=no
add dst-address=:4444 protocol=udp action=drop comment="Worm" disabled=no
add dst-address=:5554 protocol=tcp action=drop comment="Drop Sasser" disabled=no
add dst-address=:8866 protocol=tcp action=drop comment="Drop Beagle.B" disabled=no
add dst-address=:9898 protocol=tcp action=drop comment="Drop Dabber.A-B" disabled=no
add dst-address=:10000 protocol=tcp action=drop comment="Drop Dumaru.Y" disabled=no
add dst-address=:10080 protocol=tcp action=drop comment="Drop MyDoom.B" disabled=no
add dst-address=:12345 protocol=tcp action=drop comment="Drop NetBus" disabled=no
add dst-address=:17300 protocol=tcp action=drop comment="Drop Kuang2" disabled=no
add dst-address=:27374 protocol=tcp action=drop comment="Drop SubSeven" disabled=no
add dst-address=:65506 protocol=tcp action=drop comment="Drop PhatBot, Agobot, Gaobot" disabled=no
/ ip firewall service-port
set ftp ports=21 disabled=no
set pptp disabled=no
set gre disabled=no
set h323 disabled=yes
set mms disabled=no
set irc ports=6667 disabled=no
set quake3 disabled=no
set tftp ports=69 disabled=no
/ ip firewall mangle
add in-interface=wlan1 p2p=all-p2p action=accept mark-flow=p2p-in comment="" disabled=no
add in-interface=ether1 p2p=all-p2p action=accept mark-flow=p2p-out comment="" disabled=no
add in-interface=ether2 p2p=all-p2p action=accept mark-flow=p2p-out comment="" disabled=no
add dst-address=:80 protocol=tcp action=passthrough mark-flow=http-in comment="" disabled=no
add src-address=:80 protocol=tcp action=passthrough mark-flow=http-out comment="" disabled=no
add src-address=10.5.17.123/32 action=accept comment="" disabled=no
add src-address=1.1.1.1/32 action=accept comment="" disabled=no
add src-address=159.148.172.204/32 action=accept comment="" disabled=no
/ ip firewall src-nat
add src-address=10.4.0.0/24 out-interface=wlan1 action=masquerade comment="" disabled=no
add src-address=10.4.1.0/24 out-interface=wlan1 action=masquerade comment="" disabled=no
/ ip firewall connection tracking
set enabled=yes tcp-syn-sent-timeout=2m tcp-syn-received-timeout=1m tcp-established-timeout=5d tcp-fin-wait-timeout=2m tcp-close-wait-timeout=1m tcp-last-ack-timeout=30s tcp-time-wait-timeout=2m tcp-close-timeout=10s udp-timeout=30s udp-stream-timeout=3m icmp-timeout=30s generic-timeout=10m
[/CODE]
Tags: routeros
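Added example, not part of the post above and not RouterOS code: a small Python evaluator that walks the posted `input` chain (and the `virus` chain it jumps to) with first-match semantics and reports which rule decides a packet and whether that rule carries a `limit-*` matcher. The rule text is copied from the post, with the `virus` list trimmed to three entries; the attacker address 198.51.100.7, the inside host 10.4.0.9 and the router address 192.0.2.1 are constructed, and a bare SYN from an unknown host is assumed to be reported as `connection-state=new` (all of this is marked in the code).

```python
"""Added example (not the post's, not RouterOS code): first-match evaluator for the
'input' chain of the RouterOS 2.8 export above.  It reports which posted rule decides
a packet and whether that rule carries a limit-* matcher.  Assumptions: rules match
top to bottom, a jump returns to the caller when the target chain decides nothing,
and a bare SYN from an unknown host is reported as connection-state=new."""
import ipaddress
import shlex
from dataclasses import dataclass

# Rule text copied from the post; the 'virus' chain is trimmed to three entries.
CHAINS = {
    "input": """
add connection-state=invalid action=drop comment="Drop invalid connections" disabled=no
add tcp-options=non-syn-only connection-state=established action=accept comment="Accept established connections" disabled=no
add connection-state=related action=accept comment="Accept related connections" disabled=no
add action=jump jump-target=virus comment="!!! Check for well-known viruses !!!" disabled=no
add protocol=udp action=accept comment="UDP" disabled=no
add protocol=icmp limit-count=50 limit-burst=2 limit-time=5s action=accept comment="Allow limited pings" disabled=no
add protocol=icmp action=drop comment="Drop excess pings" disabled=no
add dst-address=:22 protocol=tcp action=accept comment="SSH for demo purposes" disabled=no
add dst-address=:23 protocol=tcp action=accept comment="Telnet for demo purposes" disabled=no
add dst-address=:80 protocol=tcp action=accept comment="http for demo purposes" disabled=no
add dst-address=:3987 protocol=tcp action=accept comment="winbox for demo purposes" disabled=no
add src-address=159.148.172.192/28 action=accept comment="From Mikrotikls network" disabled=no
add src-address=10.0.0.0/8 action=accept comment="From Mikrotikls network" disabled=no
add action=drop log=yes comment="Log and drop everything else" disabled=no
""",
    "virus": """
add dst-address=:135-139 protocol=tcp action=drop comment="Drop Blaster Worm" disabled=no
add dst-address=:445 protocol=tcp action=drop comment="Drop Blaster Worm" disabled=no
add dst-address=:4444 protocol=tcp action=drop comment="Worm" disabled=no
""",
}

@dataclass
class Packet:
    protocol: str                    # "tcp", "udp" or "icmp"
    src: str                         # source IP
    dst: str = "192.0.2.1"           # the router's own address (constructed)
    src_port: int = None
    dst_port: int = None
    conn_state: str = "new"          # what connection tracking reports for the packet
    tcp_flags: frozenset = frozenset({"syn"})  # a bare SYN unless told otherwise

def parse_chain(text):
    """'add k=v k="v v"' lines -> list of dicts; shlex keeps quoted comments whole."""
    rules = []
    for line in text.strip().splitlines():
        tokens = shlex.split(line)
        if tokens and tokens[0] == "add":
            rules.append(dict(tok.split("=", 1) for tok in tokens[1:]))
    return rules

def _addr_match(spec, ip, port):
    """Address specs as written in the export: 'a.b.c.d/len', ':port', ':lo-hi'."""
    net, _, ports = spec.partition(":")
    if net and ipaddress.ip_address(ip) not in ipaddress.ip_network(net, strict=False):
        return False
    if ports:
        lo, _, hi = ports.partition("-")
        if port is None or not int(lo) <= port <= int(hi or lo):
            return False
    return True

def matches(rule, pkt):
    if rule.get("protocol", pkt.protocol) != pkt.protocol:
        return False
    if rule.get("connection-state", pkt.conn_state) != pkt.conn_state:
        return False
    if "dst-address" in rule and not _addr_match(rule["dst-address"], pkt.dst, pkt.dst_port):
        return False
    if "src-address" in rule and not _addr_match(rule["src-address"], pkt.src, pkt.src_port):
        return False
    opt = rule.get("tcp-options")  # syn-only: SYN and nothing else; non-syn-only: the rest
    if opt and (opt == "syn-only") != (pkt.protocol == "tcp" and pkt.tcp_flags == {"syn"}):
        return False
    return True

def evaluate(chain, pkt):
    """(action, comment, rate_limited) of the deciding rule, or None on fall-through."""
    for rule in parse_chain(CHAINS[chain]):
        if rule.get("disabled") == "yes" or not matches(rule, pkt):
            continue
        if rule["action"] == "jump":
            verdict = evaluate(rule["jump-target"], pkt)
            if verdict is not None:
                return verdict
            continue  # the target chain decided nothing: carry on in this chain
        return rule["action"], rule.get("comment", ""), any(k.startswith("limit-") for k in rule)
    return None

def limited_rules(chain):
    """(protocol, comment) of every rule in the chain that carries a limit-* matcher."""
    return [(r.get("protocol", "any"), r.get("comment", ""))
            for r in parse_chain(CHAINS[chain]) if any(k.startswith("limit-") for k in r)]

if __name__ == "__main__":
    outside = "198.51.100.7"  # constructed attacker address
    for port in (80, 445, 25):
        print(f"SYN from {outside} to :{port} ->", evaluate("input", Packet("tcp", outside, dst_port=port)))
    print("ICMP echo from outside ->", evaluate("input", Packet("icmp", outside)))
    print("rules with limit-*:", limited_rules("input"))
```

Run stand-alone it prints the verdicts; the point is in `limited_rules("input")`: the only rule in the posted export carrying `limit-count`/`limit-burst`/`limit-time` is the ICMP one, and a bare SYN to 22, 23, 80 or 3987 is accepted by a rule with no limit at all. The export does contain both halves of a SYN throttle (the `limit-*` matchers on ICMP, and `tcp-options=syn-only` in the output chain), but never together on an input or forward rule. Also visible in the export: connection tracking is enabled with `tcp-syn-received-timeout=1m`, so every accepted half-open SYN occupies a tracking entry for up to a minute.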