看看我的防火墙和封QQ设置

yasy · 发表于 2005-3-12 10:48:19

马上注册，结交更多好友，享用更多功能，让你轻松玩转社区。

您需要登录才可以下载或查看，没有账号？注册

×

CODE
/firewallip firewall rule forward add dst-address=:137-139 protocol=tcp action=drop comment="" disabled=no add dst-address=:137-139 protocol=udp action=drop comment="" disabled=no add protocol=tcp tcp-options=non-syn-only connection-state=established \ action=accept comment="Established TCP connections." disabled=no add protocol=tcp tcp-options=non-syn-only connection-state=related \ action=accept comment="Related TCP connections" disabled=no add dst-address=:135-139 protocol=tcp action=drop comment="Drop Blaster \ Worm." disabled=no add dst-address=:445 protocol=tcp action=drop comment="Drop Blaster Worm" \ disabled=no add dst-address=:135-139 protocol=udp action=drop comment="Drop Messenger \ Worm" disabled=no add protocol=udp action=accept comment="UDP" disabled=no add protocol=icmp limit-count=100 limit-burst=2 limit-time=5s action=accept \ comment="Allow limited pings" disabled=no add protocol=icmp action=drop comment="Drop excess pings" disabled=no add dst-address=:22 protocol=tcp action=accept comment="SSH for demo \ purposes" disabled=no add dst-address=:23 protocol=tcp action=accept comment="Telnet for demo \ purposes" disabled=no add dst-address=:80 protocol=tcp action=accept comment="http for demo \ purposes" disabled=no add dst-address=:3987 protocol=tcp action=accept comment="winbox for demo \ purposes" disabled=no add action=drop log=yes comment="Log and drop everything else" disabled=no add p2p=all-p2p action=drop comment="" disabled=no add dst-address=:5354 protocol=tcp action=drop comment="" disabled=no add dst-address=:135-139 protocol=tcp action=drop log=yes comment="" \ disabled=no add dst-address=:445 protocol=tcp action=drop log=yes comment="" disabled=no add dst-address=:445 protocol=udp action=drop log=yes comment="" disabled=no ip firewall rule input add protocol=tcp tcp-options=non-syn-only connection-state=established \ action=accept comment="Established TCP connections." disabled=no add protocol=tcp tcp-options=non-syn-only connection-state=related \ action=accept comment="Related TCP connections" disabled=no add dst-address=:135-139 protocol=tcp action=drop comment="Drop Blaster \ Worm." disabled=no add dst-address=:445 protocol=tcp action=drop comment="Drop Blaster Worm" \ disabled=no add dst-address=:135-139 protocol=udp action=drop comment="Drop Messenger \ Worm" disabled=no add protocol=udp action=accept comment="UDP" disabled=no add protocol=icmp limit-count=100 limit-burst=2 limit-time=5s action=accept \ comment="Allow limited pings" disabled=no add protocol=icmp action=drop comment="Drop excess pings" disabled=no add dst-address=:22 protocol=tcp action=accept comment="SSH for demo \ purposes" disabled=no add dst-address=:23 protocol=tcp action=accept comment="Telnet for demo \ purposes" disabled=no add dst-address=:80 protocol=tcp action=accept comment="http for demo \ purposes" disabled=no add dst-address=:3987 protocol=tcp action=accept comment="winbox for demo \ purposes" disabled=no add src-address=10.0.0.0/8 action=accept comment="From Mikrotikls network" \ disabled=no /deny qqip ipsec policy add src-address=0.0.0.0/0:any dst-address=219.133.40.0/24:any protocol=all \ action=drop level=require ipsec-protocols=esp tunnel=yes \ sa-src-address=0.0.0.0 sa-dst-address=0.0.0.0 proposal=default \ manual-sa=none dont-fragment=clear disabled=no add src-address=0.0.0.0/0:any dst-address=61.152.100.0/24:any protocol=all \ action=drop level=require ipsec-protocols=esp tunnel=yes \ sa-src-address=0.0.0.0 sa-dst-address=0.0.0.0 proposal=default \ manual-sa=none dont-fragment=clear disabled=no add src-address=0.0.0.0/0:any dst-address=219.133.41.0/24:any protocol=all \ action=drop level=require ipsec-protocols=esp tunnel=yes \ sa-src-address=0.0.0.0 sa-dst-address=0.0.0.0 proposal=default \ manual-sa=none dont-fragment=clear disabled=no add src-address=0.0.0.0/0:any dst-address=61.144.238.0/24:any protocol=all \ action=drop level=require ipsec-protocols=esp tunnel=yes \ sa-src-address=0.0.0.0 sa-dst-address=0.0.0.0 proposal=default \ manual-sa=none dont-fragment=clear disabled=no add src-address=0.0.0.0/0:any dst-address=202.104.129.0/24:any protocol=all \ action=drop level=require ipsec-protocols=esp tunnel=yes \ sa-src-address=0.0.0.0 sa-dst-address=0.0.0.0 proposal=default \ manual-sa=none dont-fragment=clear disabled=no add src-address=0.0.0.0/0:any dst-address=61.141.194.0/24:any protocol=all \ action=drop level=require ipsec-protocols=esp tunnel=yes \ sa-src-address=0.0.0.0 sa-dst-address=0.0.0.0 proposal=default \ manual-sa=none dont-fragment=clear disabled=no add src-address=0.0.0.0/0:any dst-address=218.17.209.0/24:any protocol=all \ action=drop level=require ipsec-protocols=esp tunnel=yes \ sa-src-address=0.0.0.0 sa-dst-address=0.0.0.0 proposal=default \ manual-sa=none dont-fragment=clear disabled=no add src-address=0.0.0.0/0:any dst-address=218.18.95.0/24:any protocol=all \ action=drop level=require ipsec-protocols=esp tunnel=yes \ sa-src-address=0.0.0.0 sa-dst-address=0.0.0.0 proposal=default \ manual-sa=none dont-fragment=clear disabled=no add src-address=0.0.0.0/0:any dst-address=202.96.170.0/24:any protocol=all \ action=drop level=require ipsec-protocols=esp tunnel=yes \ sa-src-address=0.0.0.0 sa-dst-address=0.0.0.0 proposal=default \ manual-sa=none dont-fragment=clear disabled=no add src-address=0.0.0.0/0:any dst-address=202.103.190.0/24:any protocol=all \ action=drop level=require ipsec-protocols=esp tunnel=yes \ sa-src-address=0.0.0.0 sa-dst-address=0.0.0.0 proposal=default \ manual-sa=none dont-fragment=clear disabled=no add src-address=0.0.0.0/0:any dst-address=202.103.149.0/24:any protocol=all \ action=encrypt level=require ipsec-protocols=esp tunnel=yes \ sa-src-address=0.0.0.0 sa-dst-address=0.0.0.0 proposal=default \ manual-sa=none dont-fragment=clear disabled=no add src-address=0.0.0.0/0:any dst-address=218.18.95.0/24:any protocol=all \ action=encrypt level=require ipsec-protocols=esp tunnel=yes \ sa-src-address=0.0.0.0 sa-dst-address=0.0.0.0 proposal=default \ manual-sa=none dont-fragment=clear disabled=no add src-address=0.0.0.0/0:any dst-address=61.135.131.0/24:any protocol=all \ action=drop level=require ipsec-protocols=esp tunnel=yes \ sa-src-address=0.0.0.0 sa-dst-address=0.0.0.0 proposal=default \ manual-sa=none dont-fragment=clear disabled=no add src-address=0.0.0.0/0:any dst-address=216.239.33.0/24:any protocol=all \ action=drop level=require ipsec-protocols=esp tunnel=yes \ sa-src-address=0.0.0.0 sa-dst-address=0.0.0.0 proposal=default \ manual-sa=none dont-fragment=clear disabled=no add src-address=0.0.0.0/0:any dst-address=202.104.129.0/24:any protocol=all \ action=drop level=require ipsec-protocols=esp tunnel=yes \ sa-src-address=0.0.0.0 sa-dst-address=0.0.0.0 proposal=default \ manual-sa=none dont-fragment=clear disabled=no

hzkane · 发表于 2005-3-12 11:28:46

我做过类似的实验。觉得。封qq的功能还是不如意。缺乏应用层的功能。我曾经做封闭某个ip上qq的实验。觉得行不通啊。。。不能象封某个ip上网那么方便。

yasy · 发表于 2005-3-12 17:42:00

我这里就是封得很死，除非用代理。但是学生还没有那么牛，会找代理。原理：用IPSEC吧QQ服务的所有服务器做DROP处理。在几个计算机房试了一下，没有问题，上课的时候看不到学生在QQ了。

goodfellow · 发表于 2005-3-13 09:25:41

QUOTE (yasy @ Mar 12 2005, 10:48 AM)
add protocol=tcp tcp-options=non-syn-only connection-state=established \ action=accept comment="Established TCP connections." disabled=no add protocol=tcp tcp-options=non-syn-only connection-state=related \ action=accept comment="Related TCP connections" disabled=no add protocol=icmp limit-count=100 limit-burst=2 limit-time=5s action=accept \ comment="Allow limited pings" disabled=no add protocol=icmp action=drop comment="Drop excess pings" disabled=no
能比较详细地解释一下这几段命令的意思吗？

madlife · 发表于 2005-3-31 17:13:53

封QQ这个比精华区的好多了精华区的没用的

jack_i5 · 发表于 2005-3-31 17:18:55

腾讯的服务器群在不断发展壮大，这些需要不断的充实和完善才能行。另外：QQ游戏封了嘛？

madlife · 发表于 2005-4-1 08:36:44

我们这只有人隐蔽的上QQ上班时间公开玩QQ游戏、边锋、联众的还是没有的所以，我也就没有去管QQ游戏请教一下ip ipsec policy 这个功能在什么模块中的？？一台我所全部安装的，就有这个功能我在另外一台电脑中只装了system\sdv-tool\ppp\dhcp其它的都没有安装，就没有ip ipsec policy这个功能因为这台电脑很垃圾的，所以我尽量少装模块了。能解释一下ip ipsec policy 这是功能是什么意思吗

madlife · 发表于 2005-4-1 08:46:19

security是建立安全连接,ipsec,ssh用虚拟机试了一下，原来在选到security时就有ipsec提示的看样子以后就是最小安装也要装上这个systemadv-tooldhcp相关的上网方式及security

zhgx · 发表于 2005-4-1 09:58:00

这样搞的话管理员自己也很难上QQ了，怎么给自己留个口？

madlife · 发表于 2005-4-1 14:11:52

QUOTE (zhgx @ Apr 1 2005, 09:58 AM)
这样搞的话管理员自己也很难上QQ了，怎么给自己留个口？
呵呵，我自己在一台托管的服务器做代理

yasy · 发表于 2005-4-3 07:54:22

说明一下，这个IP SEC是不能封会员的，现在学生也聪明了，前几天在机房又发现有学生在用了。听说ISA 2004可以封，现在还不知道原理是什么。单一机房好管理点。用活动目录做软件限制策略。学生是不能安装和启动QQ软件的就可以了。

madlife · 发表于 2005-4-3 16:40:28

QUOTE (yasy @ Apr 3 2005, 07:54 AM)
说明一下，这个IP SEC是不能封会员的，现在学生也聪明了，前几天在机房又发现有学生在用了。听说ISA 2004可以封，现在还不知道原理是什么。单一机房好管理点。用活动目录做软件限制策略。学生是不能安装和启动QQ软件的就可以了。
封会员？？会员是指什么？你的学生是怎么上网的？是不是用代理的？

账号		自动登录	找回密码
密码			注册

[其它] 看看我的防火墙和封QQ设置

马上注册，结交更多好友，享用更多功能，让你轻松玩转社区。