[Policy Settings] Latest firewall script used in-house by a 500-user organization, with integrated P2P traffic control

Posted on 2012-11-2 10:54:29

Latest firewall script used in-house by a 500-user organization, with integrated P2P traffic control: firewall.rar (1.42 KB, downloads: 106, price: 5 copper coins)

Posted on 2012-11-2 14:30:40
Not downloading.

Posted on 2012-11-2 15:47:52
Not downloading; everyone, think it over!

Posted on 2012-11-2 16:07:52
Right, with no description at all, how do you expect people to pay for it?

Posted on 2012-11-2 16:46:52
Never mind the advertising, show the results..

Posted on 2012-11-3 10:11:17
Downloaded it first to take a look; it's a fairly simple script, no idea how well it works!

Posted on 2012-11-3 21:11:19
Heh, I got fooled, it really is very simple... my copper coins....

# nov/02/2012 10:51:03 by RouterOS 5.20
# software id = W5EY-LHT9
#
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=30s tcp-close-timeout=10s \
    tcp-close-wait-timeout=0ms tcp-established-timeout=5h \
    tcp-fin-wait-timeout=2m tcp-last-ack-timeout=30s \
    tcp-syn-received-timeout=1m tcp-syn-sent-timeout=2m tcp-syncookie=no \
    tcp-time-wait-timeout=2m udp-stream-timeout=3m udp-timeout=30s
/ip firewall filter
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=1d chain=input comment="Port scanners to list " \
    disabled=no protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=1d chain=input comment="NMAP FIN Stealth scan" \
    disabled=no protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=1d chain=input comment="SYN/FIN scan" disabled=no \
    protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=1d chain=input comment="SYN/RST scan" disabled=no \
    protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=1d chain=input comment="FIN/PSH/URG scan" disabled=\
    no protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=1d chain=input comment="ALL/ALL scan" disabled=no \
    protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=1d chain=input comment="NMAP NULL scan" disabled=no \
    protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=input comment="  port scanners " disabled=no \
    src-address-list="port scanners"
add action=drop chain=input comment=" Black list " disabled=no \
    src-address-list=black_list
add action=drop chain=input comment="drop invalid packets" connection-state=\
    invalid disabled=no
add action=accept chain=input comment="accept related packets" \
    connection-state=related disabled=no
add action=accept chain=input comment="accept established packets" \
    connection-state=established disabled=no
add action=drop chain=input comment="detect and drop port scan connections" \
    disabled=no protocol=tcp psd=21,3s,3,1
add action=tarpit chain=input comment="suppress DoS attack" connection-limit=\
    3,32 disabled=no protocol=tcp src-address-list=black_list
add action=add-src-to-address-list address-list=black_list \
    address-list-timeout=1d chain=input comment="detect DoS attack" \
    connection-limit=10,32 disabled=no protocol=tcp
add action=drop chain=input comment="drop all that is not to local" disabled=\
    no dst-address-type=!local
add action=jump chain=input comment="jump to chain ICMP" disabled=no \
    jump-target=ICMP protocol=icmp
add action=jump chain=input comment="Jump to service" disabled=no \
    jump-target=services
add action=accept chain=ICMP comment="0:0 and limit for 5pac/s" disabled=no \
    icmp-options=0:0-255 limit=5,5 protocol=icmp
add action=accept chain=ICMP comment="3:3 and limit for 5pac/s" disabled=no \
    icmp-options=3:3 limit=5,5 protocol=icmp
add action=accept chain=ICMP comment="3:4 and limit for 5pac/s" disabled=no \
    icmp-options=3:4 limit=5,5 protocol=icmp
add action=accept chain=ICMP comment="8:0 and limit for 5pac/s" disabled=no \
    icmp-options=8:0-255 limit=5,5 protocol=icmp
add action=accept chain=ICMP comment="11:0 and limit for 5pac/s" disabled=no \
    icmp-options=11:0-255 limit=5,5 protocol=icmp
add action=accept chain=services comment="Allow winbox" disabled=no dst-port=\
    8291 protocol=tcp
add action=accept chain=services comment="allow ftp" disabled=no dst-port=\
    20-21 protocol=tcp
add action=accept chain=services comment="allow Web Proxy" disabled=no \
    dst-port=8080 protocol=tcp
add action=accept chain=services comment="accept localhost" disabled=no \
    dst-address=127.0.0.1 src-address=127.0.0.1
add action=accept chain=services comment="allow sftp, ssh" disabled=no \
    dst-port=22 protocol=tcp
add action=accept chain=services comment="allow telnet" disabled=no dst-port=\
    23 protocol=tcp
add action=accept chain=services comment="allow http, webbox" disabled=no \
    dst-port=80 protocol=tcp
add action=accept chain=services comment="allow MACwinbox " disabled=no \
    dst-port=20561 protocol=udp
add action=accept chain=services comment=" MT Discovery Protocol" disabled=no \
    dst-port=5678 protocol=udp
add action=accept chain=services comment="allow DNS request" disabled=no \
    dst-port=53 protocol=tcp src-address=172.16.0.0/24
add action=accept chain=services comment="Allow DNS request" disabled=no \
    dst-port=53 protocol=udp src-address=172.16.0.0/24
add action=accept chain=services comment="allow L2TP" disabled=no dst-port=\
    1701 protocol=udp
add action=accept chain=services comment="allow PPTP" disabled=no dst-port=\
    1723 protocol=tcp
add action=accept chain=services comment="allow PPTP and EoIP" disabled=no \
    protocol=gre
add action=accept chain=services comment="allow IPIP" disabled=no protocol=\
    ipencap
add action=accept chain=services comment=UPnP disabled=no dst-port=1900 \
    protocol=udp
add action=accept chain=services comment=UPnP disabled=no dst-port=2828 \
    protocol=tcp
add action=accept chain=services comment="allow DHCP" disabled=no dst-port=\
    67-68 protocol=udp
add action=accept chain=services comment="allow NTP" disabled=no dst-port=123 \
    protocol=tcp
add action=accept chain=services comment="allow SNMP" disabled=no dst-port=\
    161 protocol=tcp
add action=accept chain=services comment="allow https for Hotspot" disabled=\
    no dst-port=443 protocol=tcp
add action=accept chain=services comment="allow Socks for Hotspot" disabled=\
    no dst-port=1080 protocol=tcp
add action=accept chain=services comment="allow IPSec connections" disabled=\
    no dst-port=500 protocol=udp
add action=accept chain=services comment="allow IPSec" disabled=no protocol=\
    ipsec-esp
add action=accept chain=services comment="allow IPSec" disabled=no protocol=\
    ipsec-ah
add action=accept chain=services comment="Allow BGP" disabled=no dst-port=179 \
    protocol=tcp
add action=accept chain=services comment="allow RIP" disabled=no dst-port=\
    520-521 protocol=udp
add action=accept chain=services comment="allow OSPF" disabled=no protocol=\
    ospf
add action=accept chain=services comment="allow BGP" disabled=no dst-port=\
    5000-5100 protocol=udp
add action=accept chain=services comment="allow Telephony" disabled=no \
    dst-port=1720 protocol=tcp
add action=accept chain=services comment="allow Telephony" disabled=no \
    dst-port=1719 protocol=udp
add action=accept chain=services comment="allow VRRP " disabled=no protocol=\
    vrrp
add action=drop chain=forward comment="drop invalid packets" \
    connection-state=invalid disabled=no
add action=drop chain=output comment="drop invalid packets" connection-state=\
    invalid disabled=no
add action=drop chain=input comment="Drop All input" disabled=no
/ip firewall mangle
add action=mark-connection chain=forward disabled=no new-connection-mark=\
    p2pCOM p2p=all-p2p passthrough=yes
add action=mark-packet chain=forward connection-mark=p2pCOM disabled=no \
    new-packet-mark=p2p passthrough=yes
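As an added example, not part of the posted script or of anything in this thread, here is a small Python audit that parses a RouterOS `/ip firewall filter` export in the format shown above (including the `\` line continuations) and reports management ports that the `services` chain accepts from any source. The embedded export excerpt is constructed, and the port-to-service table is an assumption chosen to match the ports the posted script opens.

```python
"""Audit a RouterOS firewall export for management ports the 'services'
chain accepts from any source (added example, constructed sample below)."""
import re
import shlex

# Constructed excerpt in the same export format as the script posted above.
SAMPLE_EXPORT = r"""
/ip firewall filter
add action=accept chain=services comment="allow telnet" disabled=no dst-port=\
    23 protocol=tcp
add action=accept chain=services comment="allow DNS request" disabled=no \
    dst-port=53 protocol=udp src-address=172.16.0.0/24
add action=accept chain=services comment="allow sftp, ssh" disabled=no \
    dst-port=22 protocol=tcp
add action=drop chain=input comment="Drop All input" disabled=no
"""

# Assumed table of management ports worth flagging when open to any source.
MGMT_PORTS = {"20-21": "ftp", "22": "ssh", "23": "telnet", "80": "http",
              "161": "snmp", "8291": "winbox"}


def parse_rules(export_text):
    """Join '\\'-continued lines, then return each 'add' rule as a dict."""
    joined = re.sub(r"\\\n\s*", "", export_text)  # undo line continuations
    rules = []
    for line in joined.splitlines():
        if not line.startswith("add "):
            continue  # section headers and comments are not rules
        rule = {}
        for token in shlex.split(line[4:]):  # shlex keeps quoted comments whole
            key, _, value = token.partition("=")
            rule[key] = value
        rules.append(rule)
    return rules


def exposed_services(export_text):
    """Return (comment, port, name) for services-chain accept rules on
    management ports that carry no src-address or src-address-list match."""
    hits = []
    for r in parse_rules(export_text):
        if r.get("chain") != "services" or r.get("action") != "accept":
            continue
        if "src-address" in r or "src-address-list" in r:
            continue  # restricted to a source range, not open to everyone
        port = r.get("dst-port", "")
        if port in MGMT_PORTS:
            hits.append((r.get("comment", ""), port, MGMT_PORTS[port]))
    return hits
```

On the constructed sample, `exposed_services(SAMPLE_EXPORT)` returns the telnet and ssh rules and skips the DNS rule because it is limited to 172.16.0.0/24; passing the text of the posted script instead checks its `services` chain the same way.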

Posted on 2013-5-17 09:54:23
Not bad, heh, learning something.

Posted on 2013-5-17 14:16:32
Not bad, heh, learning something.

Posted on 2013-5-18 14:22:26
Ah. It's been exposed....

Posted on 2013-5-20 21:52:14
Grabbing the copper coins and leaving..

Posted on 2013-5-20 22:38:04
Saw the shared version and just ignored it~

Posted on 2013-5-21 15:56:22
Came over to have a look.

Posted on 2013-5-21 16:32:33
Took a look; following #11, grabbing the copper coins and leaving.

Posted on 2013-5-22 08:53:47
Took a look; following #14, grabbing the copper coins and leaving.
