找回密码
 注册

QQ登录

只需一步,快速开始

搜索
查看: 24432|回复: 43

[策略设置] 最新500用户单位自用防火墙脚本,集成P2P流量控制

  [复制链接]
发表于 2012-11-2 10:54:29 | 显示全部楼层 |阅读模式

马上注册,结交更多好友,享用更多功能,让你轻松玩转社区。

您需要 登录 才可以下载或查看,没有账号?注册

×
最新500用户单位自用防火墙脚本,集成P2P流量控制 firewall.rar (1.42 KB, 下载次数: 106, 售价: 5 铜板)

routeros
发表于 2012-11-2 14:30:40 | 显示全部楼层
不下载
routeros
回复

使用道具 举报

发表于 2012-11-2 15:47:52 | 显示全部楼层
不下,大家要考虑哦!
routeros
回复

使用道具 举报

发表于 2012-11-2 16:07:52 | 显示全部楼层
也是,没有介绍如何让人花钱啊?
routeros
回复

使用道具 举报

发表于 2012-11-2 16:46:52 | 显示全部楼层
不看广告,看疗效。。
routeros
回复

使用道具 举报

发表于 2012-11-3 10:11:17 | 显示全部楼层
先下来看看,也是比较简单的脚本,不知道效果如何!
routeros
回复

使用道具 举报

发表于 2012-11-3 21:11:19 | 显示全部楼层
呵呵,上当了,果然很简单呀。。。俺的铜版呀。。。。

# nov/02/2012 10:51:03 by RouterOS 5.20
# software id = W5EY-LHT9
#
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=30s tcp-close-timeout=10s \
    tcp-close-wait-timeout=0ms tcp-established-timeout=5h \
    tcp-fin-wait-timeout=2m tcp-last-ack-timeout=30s \
    tcp-syn-received-timeout=1m tcp-syn-sent-timeout=2m tcp-syncookie=no \
    tcp-time-wait-timeout=2m udp-stream-timeout=3m udp-timeout=30s
/ip firewall filter
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=1d chain=input comment="Port scanners to list " \
    disabled=no protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=1d chain=input comment="NMAP FIN Stealth scan" \
    disabled=no protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=1d chain=input comment="SYN/FIN scan" disabled=no \
    protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=1d chain=input comment="SYN/RST scan" disabled=no \
    protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=1d chain=input comment="FIN/PSH/URG scan" disabled=\
    no protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=1d chain=input comment="ALL/ALL scan" disabled=no \
    protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=1d chain=input comment="NMAP NULL scan" disabled=no \
    protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=input comment="  port scanners " disabled=no \
    src-address-list="port scanners"
add action=drop chain=input comment=" Black list " disabled=no \
    src-address-list=black_list
add action=drop chain=input comment="drop invalid packets" connection-state=\
    invalid disabled=no
add action=accept chain=input comment="accept related packets" \
    connection-state=related disabled=no
add action=accept chain=input comment="accept established packets" \
    connection-state=established disabled=no
add action=drop chain=input comment="detect and drop port scan connections" \
    disabled=no protocol=tcp psd=21,3s,3,1
add action=tarpit chain=input comment="suppress DoS attack" connection-limit=\
    3,32 disabled=no protocol=tcp src-address-list=black_list
add action=add-src-to-address-list address-list=black_list \
    address-list-timeout=1d chain=input comment="detect DoS attack" \
    connection-limit=10,32 disabled=no protocol=tcp
add action=drop chain=input comment="drop all that is not to local" disabled=\
    no dst-address-type=!local
add action=jump chain=input comment="jump to chain ICMP" disabled=no \
    jump-target=ICMP protocol=icmp
add action=jump chain=input comment="Jump to service" disabled=no \
    jump-target=services
add action=accept chain=ICMP comment="0:0 and limit for 5pac/s" disabled=no \
    icmp-options=0:0-255 limit=5,5 protocol=icmp
add action=accept chain=ICMP comment="3:3 and limit for 5pac/s" disabled=no \
    icmp-options=3:3 limit=5,5 protocol=icmp
add action=accept chain=ICMP comment="3:4 and limit for 5pac/s" disabled=no \
    icmp-options=3:4 limit=5,5 protocol=icmp
add action=accept chain=ICMP comment="8:0 and limit for 5pac/s" disabled=no \
    icmp-options=8:0-255 limit=5,5 protocol=icmp
add action=accept chain=ICMP comment="11:0 and limit for 5pac/s" disabled=no \
    icmp-options=11:0-255 limit=5,5 protocol=icmp
add action=accept chain=services comment="Allow winbox" disabled=no dst-port=\
    8291 protocol=tcp
add action=accept chain=services comment="allow ftp" disabled=no dst-port=\
    20-21 protocol=tcp
add action=accept chain=services comment="allow Web Proxy" disabled=no \
    dst-port=8080 protocol=tcp
add action=accept chain=services comment="accept localhost" disabled=no \
    dst-address=127.0.0.1 src-address=127.0.0.1
add action=accept chain=services comment="allow sftp, ssh" disabled=no \
    dst-port=22 protocol=tcp
add action=accept chain=services comment="allow telnet" disabled=no dst-port=\
    23 protocol=tcp
add action=accept chain=services comment="allow http, webbox" disabled=no \
    dst-port=80 protocol=tcp
add action=accept chain=services comment="allow MACwinbox " disabled=no \
    dst-port=20561 protocol=udp
add action=accept chain=services comment=" MT Discovery Protocol" disabled=no \
    dst-port=5678 protocol=udp
add action=accept chain=services comment="allow DNS request" disabled=no \
    dst-port=53 protocol=tcp src-address=172.16.0.0/24
add action=accept chain=services comment="Allow DNS request" disabled=no \
    dst-port=53 protocol=udp src-address=172.16.0.0/24
add action=accept chain=services comment="allow L2TP" disabled=no dst-port=\
    1701 protocol=udp
add action=accept chain=services comment="allow PPTP" disabled=no dst-port=\
    1723 protocol=tcp
add action=accept chain=services comment="allow PPTP and EoIP" disabled=no \
    protocol=gre
add action=accept chain=services comment="allow IPIP" disabled=no protocol=\
    ipencap
add action=accept chain=services comment=UPnP disabled=no dst-port=1900 \
    protocol=udp
add action=accept chain=services comment=UPnP disabled=no dst-port=2828 \
    protocol=tcp
add action=accept chain=services comment="allow DHCP" disabled=no dst-port=\
    67-68 protocol=udp
add action=accept chain=services comment="allow NTP" disabled=no dst-port=123 \
    protocol=tcp
add action=accept chain=services comment="allow SNMP" disabled=no dst-port=\
    161 protocol=tcp
add action=accept chain=services comment="allow https for Hotspot" disabled=\
    no dst-port=443 protocol=tcp
add action=accept chain=services comment="allow Socks for Hotspot" disabled=\
    no dst-port=1080 protocol=tcp
add action=accept chain=services comment="allow IPSec connections" disabled=\
    no dst-port=500 protocol=udp
add action=accept chain=services comment="allow IPSec" disabled=no protocol=\
    ipsec-esp
add action=accept chain=services comment="allow IPSec" disabled=no protocol=\
    ipsec-ah
add action=accept chain=services comment="Allow BGP" disabled=no dst-port=179 \
    protocol=tcp
add action=accept chain=services comment="allow RIP" disabled=no dst-port=\
    520-521 protocol=udp
add action=accept chain=services comment="allow OSPF" disabled=no protocol=\
    ospf
add action=accept chain=services comment="allow BGP" disabled=no dst-port=\
    5000-5100 protocol=udp
add action=accept chain=services comment="allow Telephony" disabled=no \
    dst-port=1720 protocol=tcp
add action=accept chain=services comment="allow Telephony" disabled=no \
    dst-port=1719 protocol=udp
add action=accept chain=services comment="allow VRRP " disabled=no protocol=\
    vrrp
add action=drop chain=forward comment="drop invalid packets" \
    connection-state=invalid disabled=no
add action=drop chain=output comment="drop invalid packets" connection-state=\
    invalid disabled=no
add action=drop chain=input comment="Drop All input" disabled=no
/ip firewall mangle
add action=mark-connection chain=forward disabled=no new-connection-mark=\
    p2pCOM p2p=all-p2p passthrough=yes
add action=mark-packet chain=forward connection-mark=p2pCOM disabled=no \
    new-packet-mark=p2p passthrough=yes


routeros
回复

使用道具 举报

发表于 2013-5-17 09:54:23 | 显示全部楼层
不错呀 嘿嘿 学习学习
routeros
回复

使用道具 举报

发表于 2013-5-17 14:16:32 | 显示全部楼层
不错呀 嘿嘿 学习学习
routeros
回复

使用道具 举报

发表于 2013-5-18 14:22:26 | 显示全部楼层
啊.曝光了....
routeros
回复

使用道具 举报

发表于 2013-5-20 21:52:14 | 显示全部楼层
拿铜版走人。。
routeros
回复

使用道具 举报

发表于 2013-5-20 22:38:04 | 显示全部楼层
看了共享直接无视~
routeros
回复

使用道具 举报

发表于 2013-5-21 15:56:22 | 显示全部楼层
过来围观下
routeros
回复

使用道具 举报

发表于 2013-5-21 16:32:33 | 显示全部楼层
看了下,学11楼,拿铜板走人
routeros
回复

使用道具 举报

发表于 2013-5-22 08:53:47 | 显示全部楼层
看了下,学14楼,拿铜板走人
routeros
回复

使用道具 举报

您需要登录后才可以回帖 登录 | 注册

本版积分规则

QQ|Archiver|手机版|小黑屋|软路由 ( 渝ICP备15001194号-1|渝公网安备 50011602500124号 )

GMT+8, 2024-11-5 20:32 , Processed in 0.116819 second(s), 8 queries , Gzip On, Redis On.

Powered by Discuz! X3.5 Licensed

© 2001-2024 Discuz! Team.

快速回复 返回顶部 返回列表