发表于 2012-11-3 21:11:19
呵呵，上当了，果然很简单呀……俺的铜板呀……
# nov/02/2012 10:51:03 by RouterOS 5.20
# software id = W5EY-LHT9
#
/ip firewall connection tracking
# Connection tracking has to stay enabled: the filter rules below match on
# connection-state (invalid/related/established) and on connection-limit,
# which depend on the tracking table.
# tcp-syncookie=no leaves SYN cookies off; the connection-limit rules in the
# filter chain appear to be the only SYN-flood handling in this export.
# tcp-established-timeout=5h is the longest timeout set here, so idle tracked
# TCP sessions stay in the table (and keep matching "established") for 5 hours.
set enabled=yes generic-timeout=10m icmp-timeout=30s tcp-close-timeout=10s \
tcp-close-wait-timeout=0ms tcp-established-timeout=5h \
tcp-fin-wait-timeout=2m tcp-last-ack-timeout=30s \
tcp-syn-received-timeout=1m tcp-syn-sent-timeout=2m tcp-syncookie=no \
tcp-time-wait-timeout=2m udp-stream-timeout=3m udp-timeout=30s
/ip firewall filter
# ---- input chain: scan detection ----------------------------------------
# Each rule below puts the source address on the "port scanners" list for 1d;
# add-src-to-address-list does not terminate, so the packet keeps going and is
# dropped by the src-address-list rule further down. These run before the
# established/related accepts, so they also see packets of existing sessions.
# psd=21,3s,3,1: RouterOS port-scan detector (weight threshold, delay,
# low-port weight, high-port weight) — see the RouterOS manual for tuning.
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=1d chain=input comment="Port scanners to list " \
disabled=no protocol=tcp psd=21,3s,3,1
# TCP-flag signatures: FIN only, SYN+FIN, SYN+RST, FIN+PSH+URG ("xmas"),
# all flags set, and no flags set. None of these combinations occurs in a
# normal TCP handshake.
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=1d chain=input comment="NMAP FIN Stealth scan" \
disabled=no protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=1d chain=input comment="SYN/FIN scan" disabled=no \
protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=1d chain=input comment="SYN/RST scan" disabled=no \
protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=1d chain=input comment="FIN/PSH/URG scan" disabled=\
no protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=1d chain=input comment="ALL/ALL scan" disabled=no \
protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=1d chain=input comment="NMAP NULL scan" disabled=no \
protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
# Everything from a listed scanner is dropped for as long as the 1d entry
# lives; a legitimate host that trips a signature is locked out for a day.
add action=drop chain=input comment=" port scanners " disabled=no \
src-address-list="port scanners"
# NOTE(review): this drop on black_list sits ABOVE the tarpit rule on the same
# list ("suppress DoS attack" below), so the tarpit rule can never match —
# blacklisted sources are silently dropped here first. Decide which behaviour
# is wanted (drop or tarpit) and keep one of them.
add action=drop chain=input comment=" Black list " disabled=no \
src-address-list=black_list
# ---- input chain: stateful basics ---------------------------------------
add action=drop chain=input comment="drop invalid packets" connection-state=\
invalid disabled=no
add action=accept chain=input comment="accept related packets" \
connection-state=related disabled=no
add action=accept chain=input comment="accept established packets" \
connection-state=established disabled=no
# Second psd rule, this time a terminating drop. Sources it catches were
# already listed by the first psd rule and are dropped by the "port scanners"
# rule above on their next packet, so this adds little beyond the first pair.
add action=drop chain=input comment="detect and drop port scan connections" \
disabled=no protocol=tcp psd=21,3s,3,1
# Unreachable as ordered: see the " Black list " drop above.
add action=tarpit chain=input comment="suppress DoS attack" connection-limit=\
3,32 disabled=no protocol=tcp src-address-list=black_list
# Any TCP source whose connection count (per /32, as connection-limit=10,32
# appears to count — confirm in the RouterOS manual) exceeds 10 is put on
# black_list for 1d and then dropped by the rule above. A NAT gateway fronting
# many clients can hit this threshold; verify it suits the deployment.
add action=add-src-to-address-list address-list=black_list \
address-list-timeout=1d chain=input comment="detect DoS attack" \
connection-limit=10,32 disabled=no protocol=tcp
# Only packets addressed to the router itself continue past this point.
add action=drop chain=input comment="drop all that is not to local" disabled=\
no dst-address-type=!local
# ---- input chain: dispatch -----------------------------------------------
# Both jumps carry no in-interface or src-address condition, so the ICMP and
# services chains are evaluated for traffic arriving on every interface.
# A packet that returns from a jumped chain without being accepted falls
# through to the final "Drop All input" rule at the end of this chain.
add action=jump chain=input comment="jump to chain ICMP" disabled=no \
jump-target=ICMP protocol=icmp
add action=jump chain=input comment="Jump to service" disabled=no \
jump-target=services
# ---- ICMP chain: rate-limited allow-list of ICMP types --------------------
# Accepted types: 0 (echo reply), 3:3 (port unreachable), 3:4 (fragmentation
# needed — required for path-MTU discovery), 8 (echo request), 11 (time
# exceeded). limit=5,5 caps each at 5 packets/s with a burst of 5; anything
# else, or anything over the limit, returns to input and is dropped.
add action=accept chain=ICMP comment="0:0 and limit for 5pac/s" disabled=no \
icmp-options=0:0-255 limit=5,5 protocol=icmp
add action=accept chain=ICMP comment="3:3 and limit for 5pac/s" disabled=no \
icmp-options=3:3 limit=5,5 protocol=icmp
add action=accept chain=ICMP comment="3:4 and limit for 5pac/s" disabled=no \
icmp-options=3:4 limit=5,5 protocol=icmp
add action=accept chain=ICMP comment="8:0 and limit for 5pac/s" disabled=no \
icmp-options=8:0-255 limit=5,5 protocol=icmp
add action=accept chain=ICMP comment="11:0 and limit for 5pac/s" disabled=no \
icmp-options=11:0-255 limit=5,5 protocol=icmp
# ---- services chain: ports the router itself answers on -------------------
# Reached for every interface (see the jump above). Apart from the two DNS
# rules, no rule here restricts src-address, so each accepted service —
# including management (winbox, ssh, telnet, ftp, http, web proxy, socks,
# SNMP) — is reachable from any network the router is attached to. If an
# untrusted/WAN interface exists, add in-interface or src-address-list
# matches (or a separate allow-list) before exposing these.
add action=accept chain=services comment="Allow winbox" disabled=no dst-port=\
8291 protocol=tcp
# FTP and telnet carry credentials in cleartext.
add action=accept chain=services comment="allow ftp" disabled=no dst-port=\
20-21 protocol=tcp
add action=accept chain=services comment="allow Web Proxy" disabled=no \
dst-port=8080 protocol=tcp
add action=accept chain=services comment="accept localhost" disabled=no \
dst-address=127.0.0.1 src-address=127.0.0.1
add action=accept chain=services comment="allow sftp, ssh" disabled=no \
dst-port=22 protocol=tcp
add action=accept chain=services comment="allow telnet" disabled=no dst-port=\
23 protocol=tcp
add action=accept chain=services comment="allow http, webbox" disabled=no \
dst-port=80 protocol=tcp
add action=accept chain=services comment="allow MACwinbox " disabled=no \
dst-port=20561 protocol=udp
add action=accept chain=services comment=" MT Discovery Protocol" disabled=no \
dst-port=5678 protocol=udp
# DNS is the only service scoped to a source network (172.16.0.0/24).
add action=accept chain=services comment="allow DNS request" disabled=no \
dst-port=53 protocol=tcp src-address=172.16.0.0/24
add action=accept chain=services comment="Allow DNS request" disabled=no \
dst-port=53 protocol=udp src-address=172.16.0.0/24
add action=accept chain=services comment="allow L2TP" disabled=no dst-port=\
1701 protocol=udp
add action=accept chain=services comment="allow PPTP" disabled=no dst-port=\
1723 protocol=tcp
add action=accept chain=services comment="allow PPTP and EoIP" disabled=no \
protocol=gre
add action=accept chain=services comment="allow IPIP" disabled=no protocol=\
ipencap
add action=accept chain=services comment=UPnP disabled=no dst-port=1900 \
protocol=udp
add action=accept chain=services comment=UPnP disabled=no dst-port=2828 \
protocol=tcp
add action=accept chain=services comment="allow DHCP" disabled=no dst-port=\
67-68 protocol=udp
# NOTE(review): NTP runs over UDP/123, not TCP; as written this rule does not
# admit NTP traffic and the intent is not met. Same issue with SNMP below
# (UDP/161). Before changing protocol=tcp to udp, decide whether these
# services should be reachable from every interface at all (see chain note).
add action=accept chain=services comment="allow NTP" disabled=no dst-port=123 \
protocol=tcp
add action=accept chain=services comment="allow SNMP" disabled=no dst-port=\
161 protocol=tcp
add action=accept chain=services comment="allow https for Hotspot" disabled=\
no dst-port=443 protocol=tcp
add action=accept chain=services comment="allow Socks for Hotspot" disabled=\
no dst-port=1080 protocol=tcp
# IPsec: IKE on UDP/500, then ESP and AH as their own IP protocols.
add action=accept chain=services comment="allow IPSec connections" disabled=\
no dst-port=500 protocol=udp
add action=accept chain=services comment="allow IPSec" disabled=no protocol=\
ipsec-esp
add action=accept chain=services comment="allow IPSec" disabled=no protocol=\
ipsec-ah
# Routing protocols: BGP is TCP/179 (this rule).
add action=accept chain=services comment="Allow BGP" disabled=no dst-port=179 \
protocol=tcp
add action=accept chain=services comment="allow RIP" disabled=no dst-port=\
520-521 protocol=udp
add action=accept chain=services comment="allow OSPF" disabled=no protocol=\
ospf
# NOTE(review): the comment says BGP but the rule opens UDP/5000-5100, which
# is not BGP. Confirm what this range is meant for; if nothing listens there,
# remove the rule rather than leave an unexplained open range.
add action=accept chain=services comment="allow BGP" disabled=no dst-port=\
5000-5100 protocol=udp
# H.323 signalling (TCP/1720) and RAS (UDP/1719).
add action=accept chain=services comment="allow Telephony" disabled=no \
dst-port=1720 protocol=tcp
add action=accept chain=services comment="allow Telephony" disabled=no \
dst-port=1719 protocol=udp
add action=accept chain=services comment="allow VRRP " disabled=no protocol=\
vrrp
# ---- forward / output -----------------------------------------------------
# Only invalid-state packets are dropped in forward and output; this export
# has no other forward rules, so transit traffic is otherwise passed through
# unfiltered (RouterOS accepts packets that match no rule in a chain).
add action=drop chain=forward comment="drop invalid packets" \
connection-state=invalid disabled=no
add action=drop chain=output comment="drop invalid packets" connection-state=\
invalid disabled=no
# Final input policy: anything not accepted above (including packets that
# returned from the ICMP/services chains unmatched) is dropped here.
add action=drop chain=input comment="Drop All input" disabled=no
/ip firewall mangle
# Tags forwarded traffic classified by the built-in p2p matcher: first the
# connection gets mark p2pCOM, then every packet of such a connection gets
# packet mark p2p. passthrough=yes lets the packet continue down the chain
# after marking. Nothing else in this export (no queue, no filter rule)
# refers to either mark, so they only take effect if consumed by
# configuration outside this export — e.g. a queue tree; verify before
# relying on them.
add action=mark-connection chain=forward disabled=no new-connection-mark=\
p2pCOM p2p=all-p2p passthrough=yes
add action=mark-packet chain=forward connection-mark=p2pCOM disabled=no \
new-packet-mark=p2p passthrough=yes