[Other] Take a look at my firewall and QQ-blocking settings

Posted on 2005-3-12 10:48:19

CODE
/firewall
ip firewall rule forward
add dst-address=:137-139 protocol=tcp action=drop comment="" disabled=no
add dst-address=:137-139 protocol=udp action=drop comment="" disabled=no
add protocol=tcp tcp-options=non-syn-only connection-state=established \
    action=accept comment="Established TCP connections." disabled=no
add protocol=tcp tcp-options=non-syn-only connection-state=related \
    action=accept comment="Related TCP connections" disabled=no
add dst-address=:135-139 protocol=tcp action=drop comment="Drop Blaster \
    Worm." disabled=no
add dst-address=:445 protocol=tcp action=drop comment="Drop Blaster Worm" \
    disabled=no
add dst-address=:135-139 protocol=udp action=drop comment="Drop Messenger \
    Worm" disabled=no
add protocol=udp action=accept comment="UDP" disabled=no
add protocol=icmp limit-count=100 limit-burst=2 limit-time=5s action=accept \
    comment="Allow limited pings" disabled=no
add protocol=icmp action=drop comment="Drop excess pings" disabled=no
add dst-address=:22 protocol=tcp action=accept comment="SSH for demo \
    purposes" disabled=no
add dst-address=:23 protocol=tcp action=accept comment="Telnet for demo \
    purposes" disabled=no
add dst-address=:80 protocol=tcp action=accept comment="http for demo \
    purposes" disabled=no
add dst-address=:3987 protocol=tcp action=accept comment="winbox for demo \
    purposes" disabled=no
add action=drop log=yes comment="Log and drop everything else" disabled=no
add p2p=all-p2p action=drop comment="" disabled=no
add dst-address=:5354 protocol=tcp action=drop comment="" disabled=no
add dst-address=:135-139 protocol=tcp action=drop log=yes comment="" \
    disabled=no
add dst-address=:445 protocol=tcp action=drop log=yes comment="" disabled=no
add dst-address=:445 protocol=udp action=drop log=yes comment="" disabled=no

ip firewall rule input
add protocol=tcp tcp-options=non-syn-only connection-state=established \
    action=accept comment="Established TCP connections." disabled=no
add protocol=tcp tcp-options=non-syn-only connection-state=related \
    action=accept comment="Related TCP connections" disabled=no
add dst-address=:135-139 protocol=tcp action=drop comment="Drop Blaster \
    Worm." disabled=no
add dst-address=:445 protocol=tcp action=drop comment="Drop Blaster Worm" \
    disabled=no
add dst-address=:135-139 protocol=udp action=drop comment="Drop Messenger \
    Worm" disabled=no
add protocol=udp action=accept comment="UDP" disabled=no
add protocol=icmp limit-count=100 limit-burst=2 limit-time=5s action=accept \
    comment="Allow limited pings" disabled=no
add protocol=icmp action=drop comment="Drop excess pings" disabled=no
add dst-address=:22 protocol=tcp action=accept comment="SSH for demo \
    purposes" disabled=no
add dst-address=:23 protocol=tcp action=accept comment="Telnet for demo \
    purposes" disabled=no
add dst-address=:80 protocol=tcp action=accept comment="http for demo \
    purposes" disabled=no
add dst-address=:3987 protocol=tcp action=accept comment="winbox for demo \
    purposes" disabled=no
add src-address=10.0.0.0/8 action=accept comment="From Mikrotikls network" \
    disabled=no

/deny qq
ip ipsec policy
add src-address=0.0.0.0/0:any dst-address=219.133.40.0/24:any protocol=all \
    action=drop level=require ipsec-protocols=esp tunnel=yes \
    sa-src-address=0.0.0.0 sa-dst-address=0.0.0.0 proposal=default \
    manual-sa=none dont-fragment=clear disabled=no
add src-address=0.0.0.0/0:any dst-address=61.152.100.0/24:any protocol=all \
    action=drop level=require ipsec-protocols=esp tunnel=yes \
    sa-src-address=0.0.0.0 sa-dst-address=0.0.0.0 proposal=default \
    manual-sa=none dont-fragment=clear disabled=no
add src-address=0.0.0.0/0:any dst-address=219.133.41.0/24:any protocol=all \
    action=drop level=require ipsec-protocols=esp tunnel=yes \
    sa-src-address=0.0.0.0 sa-dst-address=0.0.0.0 proposal=default \
    manual-sa=none dont-fragment=clear disabled=no
add src-address=0.0.0.0/0:any dst-address=61.144.238.0/24:any protocol=all \
    action=drop level=require ipsec-protocols=esp tunnel=yes \
    sa-src-address=0.0.0.0 sa-dst-address=0.0.0.0 proposal=default \
    manual-sa=none dont-fragment=clear disabled=no
add src-address=0.0.0.0/0:any dst-address=202.104.129.0/24:any protocol=all \
    action=drop level=require ipsec-protocols=esp tunnel=yes \
    sa-src-address=0.0.0.0 sa-dst-address=0.0.0.0 proposal=default \
    manual-sa=none dont-fragment=clear disabled=no
add src-address=0.0.0.0/0:any dst-address=61.141.194.0/24:any protocol=all \
    action=drop level=require ipsec-protocols=esp tunnel=yes \
    sa-src-address=0.0.0.0 sa-dst-address=0.0.0.0 proposal=default \
    manual-sa=none dont-fragment=clear disabled=no
add src-address=0.0.0.0/0:any dst-address=218.17.209.0/24:any protocol=all \
    action=drop level=require ipsec-protocols=esp tunnel=yes \
    sa-src-address=0.0.0.0 sa-dst-address=0.0.0.0 proposal=default \
    manual-sa=none dont-fragment=clear disabled=no
add src-address=0.0.0.0/0:any dst-address=218.18.95.0/24:any protocol=all \
    action=drop level=require ipsec-protocols=esp tunnel=yes \
    sa-src-address=0.0.0.0 sa-dst-address=0.0.0.0 proposal=default \
    manual-sa=none dont-fragment=clear disabled=no
add src-address=0.0.0.0/0:any dst-address=202.96.170.0/24:any protocol=all \
    action=drop level=require ipsec-protocols=esp tunnel=yes \
    sa-src-address=0.0.0.0 sa-dst-address=0.0.0.0 proposal=default \
    manual-sa=none dont-fragment=clear disabled=no
add src-address=0.0.0.0/0:any dst-address=202.103.190.0/24:any protocol=all \
    action=drop level=require ipsec-protocols=esp tunnel=yes \
    sa-src-address=0.0.0.0 sa-dst-address=0.0.0.0 proposal=default \
    manual-sa=none dont-fragment=clear disabled=no
add src-address=0.0.0.0/0:any dst-address=202.103.149.0/24:any protocol=all \
    action=encrypt level=require ipsec-protocols=esp tunnel=yes \
    sa-src-address=0.0.0.0 sa-dst-address=0.0.0.0 proposal=default \
    manual-sa=none dont-fragment=clear disabled=no
add src-address=0.0.0.0/0:any dst-address=218.18.95.0/24:any protocol=all \
    action=encrypt level=require ipsec-protocols=esp tunnel=yes \
    sa-src-address=0.0.0.0 sa-dst-address=0.0.0.0 proposal=default \
    manual-sa=none dont-fragment=clear disabled=no
add src-address=0.0.0.0/0:any dst-address=61.135.131.0/24:any protocol=all \
    action=drop level=require ipsec-protocols=esp tunnel=yes \
    sa-src-address=0.0.0.0 sa-dst-address=0.0.0.0 proposal=default \
    manual-sa=none dont-fragment=clear disabled=no
add src-address=0.0.0.0/0:any dst-address=216.239.33.0/24:any protocol=all \
    action=drop level=require ipsec-protocols=esp tunnel=yes \
    sa-src-address=0.0.0.0 sa-dst-address=0.0.0.0 proposal=default \
    manual-sa=none dont-fragment=clear disabled=no
add src-address=0.0.0.0/0:any dst-address=202.104.129.0/24:any protocol=all \
    action=drop level=require ipsec-protocols=esp tunnel=yes \
    sa-src-address=0.0.0.0 sa-dst-address=0.0.0.0 proposal=default \
    manual-sa=none dont-fragment=clear disabled=no
routeros
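Added example (not the poster's configuration and not a RouterOS tool): a small Python simulator that parses rule lists written in the RouterOS 2.x `add key=value ...` export syntax shown above, walks them first-match the way the router does, and flags rules that sit behind a catch-all terminal rule. The sample chain and policy list embedded in it are constructed, shortened copies of the post; the packet dictionaries, the chain default of `accept`, and treating `limit-*` rate limits as not yet exceeded are assumptions made for the example.

```python
import ipaddress
import re
import shlex

# Constructed sample (not the poster's full export): a shortened copy of the
# thread's forward chain in the same RouterOS 2.x syntax, keeping the
# "Log and drop everything else" rule and the rules that follow it.
SAMPLE_CHAIN = r'''
add dst-address=:137-139 protocol=tcp action=drop comment="" disabled=no
add protocol=tcp tcp-options=non-syn-only connection-state=established \
    action=accept comment="Established TCP connections." disabled=no
add protocol=udp action=accept comment="UDP" disabled=no
add protocol=icmp limit-count=100 limit-burst=2 limit-time=5s action=accept \
    comment="Allow limited pings" disabled=no
add protocol=icmp action=drop comment="Drop excess pings" disabled=no
add dst-address=:22 protocol=tcp action=accept comment="SSH for demo \
    purposes" disabled=no
add action=drop log=yes comment="Log and drop everything else" disabled=no
add p2p=all-p2p action=drop comment="" disabled=no
add dst-address=:5354 protocol=tcp action=drop comment="" disabled=no
'''

# Constructed sample of the IPsec policy list: two of the thread's "drop"
# subnets and one of its "encrypt" entries, with the SA keys left out.
SAMPLE_POLICIES = r'''
add src-address=0.0.0.0/0:any dst-address=219.133.40.0/24:any protocol=all \
    action=drop level=require ipsec-protocols=esp tunnel=yes disabled=no
add src-address=0.0.0.0/0:any dst-address=61.152.100.0/24:any protocol=all \
    action=drop level=require ipsec-protocols=esp tunnel=yes disabled=no
add src-address=0.0.0.0/0:any dst-address=202.103.149.0/24:any protocol=all \
    action=encrypt level=require ipsec-protocols=esp tunnel=yes disabled=no
'''

# Keys that carry no match condition; a rule made only of these is a catch-all.
NON_MATCH_KEYS = {"action", "log", "comment", "disabled"}


def parse_rules(text):
    # Fold trailing-backslash continuations, then read each "add k=v ..." line
    # into a dict, in order; shlex keeps quoted comments together.
    rules = []
    for line in re.sub(r"\s*\\\n\s*", " ", text).splitlines():
        line = line.strip()
        if line.startswith("add "):
            rules.append(dict(tok.partition("=")[::2] for tok in shlex.split(line[4:])))
    return rules


def parse_addr_spec(spec):
    # "net:ports" with either half optional or "any"; ports may be "a-b".
    addr, _, port = spec.partition(":")
    net = ipaddress.ip_network(addr, strict=False) if addr not in ("", "any") else None
    if port in ("", "any"):
        return net, None
    low, _, high = port.partition("-")
    return net, (int(low), int(high or low))


def rule_matches(rule, pkt):
    # Every match condition present on the rule must hold for the packet.
    # limit-* keys are treated as not yet exceeded (assumption: no rate model).
    if rule.get("disabled") == "yes":
        return False
    if "protocol" in rule and rule["protocol"] not in ("all", pkt["protocol"]):
        return False
    for key, ip_field, port_field in (("src-address", "src", "sport"),
                                      ("dst-address", "dst", "dport")):
        if key in rule:
            net, ports = parse_addr_spec(rule[key])
            if net is not None and ipaddress.ip_address(pkt[ip_field]) not in net:
                return False
            if ports is not None and not ports[0] <= pkt[port_field] <= ports[1]:
                return False
    if "connection-state" in rule and rule["connection-state"] != pkt.get("state"):
        return False
    if rule.get("tcp-options") == "non-syn-only" and pkt.get("syn"):
        return False
    if "p2p" in rule and not pkt.get("p2p"):
        return False
    return True


def evaluate(rules, pkt, default="accept"):
    # First-match walk; (None, default) when no rule matched. The chain
    # default of "accept" is an assumption made for this example.
    for i, rule in enumerate(rules):
        if rule_matches(rule, pkt):
            return i, rule.get("action", default)
    return None, default


def unreachable_rules(rules):
    # Indexes of rules behind a terminal catch-all; first-match never reaches them.
    for i, rule in enumerate(rules):
        if set(rule) <= NON_MATCH_KEYS and rule.get("action") in ("accept", "drop", "reject"):
            return list(range(i + 1, len(rules)))
    return []
```

Run over the poster's full forward chain, the same check reports the `p2p=all-p2p`, port 5354 and the later 135-139/445 `log=yes` rules as unreachable, because `Log and drop everything else` precedes them: rules meant to log specific ports have to be placed above the catch-all to have any effect. For the `/ip ipsec policy` list the walk shows the other side of the approach: a packet to one of the listed /24s is caught by the first matching policy, while traffic to any address that is not listed gets no policy at all, which is why the later replies observe that a new Tencent subnet passes through untouched.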
Posted on 2005-3-12 11:28:46
I have done a similar experiment. I feel the QQ-blocking function is still unsatisfactory; it lacks application-layer capability. I once tried blocking QQ on one particular IP and found it didn't work... it is not as convenient as blocking a particular IP from going online.

Thread starter | Posted on 2005-3-12 17:42:00
Here it is blocked very tightly, unless a proxy is used, and the students are not yet savvy enough to go and find a proxy. The principle: use IPsec to DROP all of the QQ service's servers. I tried it in several computer rooms without any problems; during class I no longer see students on QQ.

Posted on 2005-3-13 09:25:41
QUOTE (yasy @ Mar 12 2005, 10:48 AM)
add protocol=tcp tcp-options=non-syn-only connection-state=established \
    action=accept comment="Established TCP connections." disabled=no
add protocol=tcp tcp-options=non-syn-only connection-state=related \
    action=accept comment="Related TCP connections" disabled=no
add protocol=icmp limit-count=100 limit-burst=2 limit-time=5s action=accept \
    comment="Allow limited pings" disabled=no
add protocol=icmp action=drop comment="Drop excess pings" disabled=no

Could you explain in more detail what these commands mean?

Posted on 2005-3-31 17:13:53
This QQ-blocking setup is much better than the one in the Digest section; the one in the Digest section is useless.

Posted on 2005-3-31 17:18:55
Tencent's server farm keeps growing and expanding; this needs continual supplementing and refining to keep working. Also: did you block QQ Games?

Posted on 2005-4-1 08:36:44
Here we only have people using QQ covertly; nobody openly plays QQ Games, Bianfeng or Lianzhong during working hours, so I haven't bothered with QQ Games.

A question: which package does the ip ipsec policy feature belong to? On one machine, where I installed everything, the feature is there. On another computer I installed only system\adv-tool\ppp\dhcp and nothing else, and there is no ip ipsec policy feature. That computer is pretty junk, so I installed as few packages as possible. Can you explain what the ip ipsec policy feature is for?

Posted on 2005-4-1 08:46:19
security is for establishing secure connections: ipsec, ssh. I tried it in a virtual machine, and it turns out that when you select security the ipsec prompt appears. Looks like from now on even a minimal install needs these: system, adv-tool, dhcp, whatever relates to the internet access method, and security.

Posted on 2005-4-1 09:58:00
Done this way, the administrator can hardly get on QQ either. How do you leave an opening for yourself?

Posted on 2005-4-1 14:11:52
QUOTE (zhgx @ Apr 1 2005, 09:58 AM)
Done this way, the administrator can hardly get on QQ either. How do you leave an opening for yourself?

Heh, I run a proxy for myself on a hosted server.

Thread starter | Posted on 2005-4-3 07:54:22
A note: this IPsec setup cannot block members (paid QQ accounts). The students have got clever now; a few days ago I again found students using it in the computer room. I hear ISA 2004 can block it, but I don't yet know what the principle is. A single computer room is easier to manage: use Active Directory software restriction policies so that students cannot install or launch the QQ software, and that is enough.

Posted on 2005-4-3 16:40:28
QUOTE (yasy @ Apr 3 2005, 07:54 AM)
A note: this IPsec setup cannot block members (paid QQ accounts). The students have got clever now; a few days ago I again found students using it in the computer room. I hear ISA 2004 can block it, but I don't yet know what the principle is. A single computer room is easier to manage: use Active Directory software restriction policies so that students cannot install or launch the QQ software, and that is enough.

Block members?? What do you mean by members? How do your students get online? Are they using a proxy?