ip firewall
# oct/12/2005 03:59:03 by routeros 2.9.6
# software id = LF15-2JT
#
/ ip firewall connection tracking
# Tracking must stay enabled: every connection-state, connection-limit and
# related/established rule in the filter section depends on it.
# tcp-established-timeout=5d keeps idle TCP entries for five days, so the
# tracking table grows under many long-idle connections; the remaining
# values are per-state idle timeouts for the TCP handshake/teardown states,
# UDP, ICMP and all other protocols.
set enabled=yes \
    tcp-syn-sent-timeout=2m tcp-syn-received-timeout=1m tcp-established-timeout=5d \
    tcp-fin-wait-timeout=2m tcp-close-wait-timeout=1m tcp-last-ack-timeout=30s \
    tcp-time-wait-timeout=2m tcp-close-timeout=10s \
    udp-timeout=30s udp-stream-timeout=3m icmp-timeout=30s generic-timeout=10m
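/ ip firewall filter
# The exported text of this section was partly corrupted (mis-encoded
# characters in rule keywords, values and comments). Every corrupted line is
# restored from its own surviving characters and the matching uncorrupted
# rules in the other chains; rule order within each chain is unchanged.

# ---- input: traffic addressed to the router itself ----
# Stateful baseline first, so the stateless checks below only see new flows.
add chain=input connection-state=invalid action=drop comment="drop invalid packets" disabled=no
add chain=input connection-state=related action=accept comment="accept related packets" disabled=no
add chain=input connection-state=established action=accept comment="accept established packets" disabled=no
# Port-scan detection (weight threshold 21 within 3s; low ports weigh 3, high
# ports 1). Matching packets are dropped but the source is not recorded.
add chain=input protocol=tcp psd=21,3s,3,1 action=drop comment="detect and drop port scan connections" disabled=no
# Connection-rate control, per source host (/32). The listing rule is a
# pass-through action, so the triggering packet continues down the chain; the
# tarpit rule above it takes effect from the next connection of a listed host.
# Entries expire after 1d.
add chain=input protocol=tcp connection-limit=3,32 src-address-list=black_list action=tarpit comment="suppress DoS attack" disabled=no
add chain=input protocol=tcp connection-limit=10,32 action=add-src-to-address-list address-list=black_list address-list-timeout=1d comment="detect DoS attack" disabled=no
add chain=input dst-address-type=!local action=drop comment="drop all that is not to local" disabled=no
add chain=input src-address-type=!unicast action=drop comment="drop all that is not from unicast" disabled=no
# Anti-spoofing on the WAN side. The export showed in-interface=(unknown),
# meaning the referenced interface no longer existed on the router; the
# forward-chain rules below use "internet", so the same name is used here.
# Set it to the real WAN interface name before importing.
add chain=input in-interface=internet src-address-list=not_in_internet action=drop comment="drop bogon IP's" disabled=no
add chain=input protocol=icmp action=jump jump-target=ICMP comment="jump to chain ICMP" disabled=no
add chain=input action=jump jump-target=services comment="jump to chain services" disabled=no
# Default deny: whatever the services chain did not accept ends here.
add chain=input action=drop comment="drop everything else" disabled=no

# ---- ICMP: rate-limited allow-list, reached by jump from input and forward ----
# Only these types/codes pass, each at 5 packets/s with a burst of 5:
# echo reply (0), port unreachable (3:3), fragmentation needed (3:4, required
# for path-MTU discovery), echo request (8), time exceeded (11, traceroute).
# Packets over the limit fall through to the final drop, as does every other
# ICMP message, including the other type-3 codes (net/host unreachable).
add chain=ICMP protocol=icmp icmp-options=0:0-255 limit=5,5 action=accept comment="0:0 and limit for 5pac/s" disabled=no
add chain=ICMP protocol=icmp icmp-options=3:3 limit=5,5 action=accept comment="3:3 and limit for 5pac/s" disabled=no
add chain=ICMP protocol=icmp icmp-options=3:4 limit=5,5 action=accept comment="3:4 and limit for 5pac/s" disabled=no
add chain=ICMP protocol=icmp icmp-options=8:0-255 limit=5,5 action=accept comment="8:0 and limit for 5pac/s" disabled=no
add chain=ICMP protocol=icmp icmp-options=11:0-255 limit=5,5 action=accept comment="11:0 and limit for 5pac/s" disabled=no
add chain=ICMP protocol=icmp action=drop comment="Drop everything else" disabled=no

# ---- services: router services reachable from the network (jump from input) ----
# None of these rules carries a src-address or src-address-list matcher, so
# every enabled service is reachable from any host that can route to the
# router. Telnet (23) and FTP (20-21) are plaintext management protocols;
# restrict the management rules to trusted source addresses or disable them.
# The chain has no terminal rule: non-matching packets return to input and
# hit its final drop.
add chain=services src-address=127.0.0.1 dst-address=127.0.0.1 action=accept comment="accept localhost" disabled=no
add chain=services protocol=tcp dst-port=20-21 action=accept comment="allow ftp" disabled=no
add chain=services protocol=tcp dst-port=22 action=accept comment="allow sftp, ssh" disabled=no
add chain=services protocol=tcp dst-port=23 action=accept comment="allow telnet" disabled=no
add chain=services protocol=tcp dst-port=80 action=accept comment="allow http, webbox" disabled=no
add chain=services protocol=tcp dst-port=8291 action=accept comment="Allow winbox" disabled=no
add chain=services protocol=udp dst-port=20561 action=accept comment="allow MACwinbox " disabled=no
# Everything below is disabled=yes in the export; enabling a rule exposes the
# service to all sources (see note above).
add chain=services protocol=tcp dst-port=2000 action=accept comment="Bandwidth server" disabled=yes
add chain=services protocol=udp dst-port=5678 action=accept comment=" MT Discovery Protocol" disabled=yes
add chain=services protocol=tcp dst-port=53 action=accept comment="allow DNS request" disabled=yes
add chain=services protocol=udp dst-port=53 action=accept comment="Allow DNS request" disabled=yes
add chain=services protocol=udp dst-port=1701 action=accept comment="allow L2TP" disabled=yes
add chain=services protocol=tcp dst-port=1723 action=accept comment="allow PPTP" disabled=yes
add chain=services protocol=gre action=accept comment="allow PPTP and EoIP" disabled=yes
add chain=services protocol=ipencap action=accept comment="allow IPIP" disabled=yes
add chain=services protocol=udp dst-port=1900 action=accept comment="UPnP" disabled=yes
add chain=services protocol=tcp dst-port=2828 action=accept comment="UPnP" disabled=yes
add chain=services protocol=udp dst-port=67-68 action=accept comment="allow DHCP" disabled=yes
add chain=services protocol=tcp dst-port=8080 action=accept comment="allow Web Proxy" disabled=yes
# NTP and SNMP run over UDP; the export had protocol=tcp on both rules, which
# would not admit either service if enabled. Corrected to udp.
add chain=services protocol=udp dst-port=123 action=accept comment="allow NTP" disabled=yes
add chain=services protocol=udp dst-port=161 action=accept comment="allow SNMP" disabled=yes
add chain=services protocol=tcp dst-port=443 action=accept comment="allow https for Hotspot" disabled=yes
add chain=services protocol=tcp dst-port=1080 action=accept comment="allow Socks for Hotspot" disabled=yes
add chain=services protocol=udp dst-port=500 action=accept comment="allow IPSec connections" disabled=yes
add chain=services protocol=ipsec-esp action=accept comment="allow IPSec" disabled=yes
add chain=services protocol=ipsec-ah action=accept comment="allow IPSec" disabled=yes
add chain=services protocol=tcp dst-port=179 action=accept comment="Allow BGP" disabled=yes
add chain=services protocol=udp dst-port=520-521 action=accept comment="allow RIP" disabled=yes
add chain=services protocol=ospf action=accept comment="allow OSPF" disabled=yes
# The comment says BGP, but BGP is tcp/179 (rule above); the purpose of this
# UDP range is not evident from the export — confirm before enabling.
add chain=services protocol=udp dst-port=5000-5100 action=accept comment="allow BGP" disabled=yes
add chain=services protocol=tcp dst-port=1720 action=accept comment="allow Telephony" disabled=yes
add chain=services protocol=udp dst-port=1719 action=accept comment="allow Telephony" disabled=yes
add chain=services protocol=vrrp action=accept comment="allow VRRP " disabled=yes

# ---- virus: legacy worm/backdoor ports, applied to transit traffic (jump from forward) ----
# Static port blocklist dated to the 2005 export. Note that tcp/udp 135-139
# and 445 also block legitimate SMB/RPC between any networks routed through
# this device. The chain has no terminal rule; non-matching packets return to
# forward and reach its final accept.
add chain=virus protocol=tcp dst-port=135-139 action=drop comment="Drop Blaster Worm" disabled=no
add chain=virus protocol=udp dst-port=135-139 action=drop comment="Drop Messenger Worm" disabled=no
add chain=virus protocol=tcp dst-port=445 action=drop comment="Drop Blaster Worm" disabled=no
add chain=virus protocol=udp dst-port=445 action=drop comment="Drop Blaster Worm" disabled=no
add chain=virus protocol=tcp dst-port=593 action=drop comment="________" disabled=no
add chain=virus protocol=tcp dst-port=1024-1030 action=drop comment="________" disabled=no
add chain=virus protocol=tcp dst-port=1080 action=drop comment="Drop MyDoom" disabled=no
add chain=virus protocol=tcp dst-port=1214 action=drop comment="________" disabled=no
add chain=virus protocol=tcp dst-port=1363 action=drop comment="ndm requester" disabled=no
add chain=virus protocol=tcp dst-port=1364 action=drop comment="ndm server" disabled=no
add chain=virus protocol=tcp dst-port=1368 action=drop comment="screen cast" disabled=no
add chain=virus protocol=tcp dst-port=1373 action=drop comment="hromgrafx" disabled=no
add chain=virus protocol=tcp dst-port=1377 action=drop comment="cichlid" disabled=no
add chain=virus protocol=tcp dst-port=1433-1434 action=drop comment="Worm" disabled=no
add chain=virus protocol=tcp dst-port=2745 action=drop comment="Bagle Virus" disabled=no
add chain=virus protocol=tcp dst-port=2283 action=drop comment="Drop Dumaru.Y" disabled=no
add chain=virus protocol=tcp dst-port=2535 action=drop comment="Drop Beagle" disabled=no
# Redundant: tcp/2745 is already dropped by the "Bagle Virus" rule above.
add chain=virus protocol=tcp dst-port=2745 action=drop comment="Drop Beagle.C-K" disabled=no
add chain=virus protocol=tcp dst-port=3127-3128 action=drop comment="Drop MyDoom" disabled=no
add chain=virus protocol=tcp dst-port=3410 action=drop comment="Drop Backdoor OptixPro" disabled=no
add chain=virus protocol=tcp dst-port=4444 action=drop comment="Worm" disabled=no
add chain=virus protocol=udp dst-port=4444 action=drop comment="Worm" disabled=no
add chain=virus protocol=tcp dst-port=5554 action=drop comment="Drop Sasser" disabled=no
add chain=virus protocol=tcp dst-port=8866 action=drop comment="Drop Beagle.B" disabled=no
add chain=virus protocol=tcp dst-port=9898 action=drop comment="Drop Dabber.A-B" disabled=no
add chain=virus protocol=tcp dst-port=10000 action=drop comment="Drop Dumaru.Y" disabled=no
add chain=virus protocol=tcp dst-port=10080 action=drop comment="Drop MyDoom.B" disabled=no
add chain=virus protocol=tcp dst-port=12345 action=drop comment="Drop NetBus" disabled=no
add chain=virus protocol=tcp dst-port=17300 action=drop comment="Drop Kuang2" disabled=no
add chain=virus protocol=tcp dst-port=27374 action=drop comment="Drop SubSeven" disabled=no
add chain=virus protocol=tcp dst-port=65506 action=drop comment="Drop PhatBot, Gaobot" disabled=no

# ---- forward: transit traffic through the router ----
add chain=forward connection-state=invalid action=drop comment="drop invalid packets" disabled=no
add chain=forward connection-state=related action=accept comment="accept related packets" disabled=no
add chain=forward connection-state=established action=accept comment="accept established packets" disabled=no
add chain=forward src-address-type=!unicast action=drop comment="drop all that is not from unicast" disabled=no
# Bogon filtering in both directions. The second rule matches every
# non-internet ingress interface, so traffic between two internal networks
# routed here that is destined for a private range is dropped as well.
add chain=forward in-interface=internet src-address-list=not_in_internet action=drop comment="drop data from bogon IP's" disabled=no
add chain=forward in-interface=!internet dst-address-list=not_in_internet action=drop comment="drop data to bogon IP's" disabled=no
add chain=forward protocol=icmp action=jump jump-target=ICMP comment="jump to chain ICMP" disabled=no
add chain=forward action=jump jump-target=virus comment="jump to virus chain" disabled=no
# Default allow for transit: anything the virus chain did not drop is
# forwarded in either direction, including new connections arriving on the
# internet side if routing (or NAT, not shown in this export) lets them in.
add chain=forward action=accept comment="Accept everything else" disabled=no

# ---- output: traffic originated by the router ----
# Only replies within tracked connections leave the router; the final rule
# drops every connection the router itself initiates (its own DNS lookups,
# NTP sync and similar fail while it is enabled).
add chain=output connection-state=invalid action=drop comment="drop invalid packets" disabled=no
add chain=output connection-state=related action=accept comment="accept related packets" disabled=no
add chain=output connection-state=established action=accept comment="accept established packets" disabled=no
add chain=output action=drop comment="Drop all connections from this router" disabled=no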
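/ ip firewall address-list
# Non-routable ("bogon") ranges referenced by the not_in_internet rules in the
# filter section. The export read 176.16.0.0/12, which is public address
# space: with that entry the filter would drop legitimate traffic to/from
# 176.16.0.0-176.31.255.255 and not match spoofed RFC 1918 172.16/12 sources.
# Corrected to 172.16.0.0/12. The list reflects 2005 allocations; ranges
# reserved since then (e.g. the RFC 6598 shared address space) are absent.
add list=not_in_internet address=0.0.0.0/8 comment="" disabled=no
add list=not_in_internet address=172.16.0.0/12 comment="" disabled=no
add list=not_in_internet address=192.168.0.0/16 comment="" disabled=no
add list=not_in_internet address=10.0.0.0/8 comment="" disabled=no
add list=not_in_internet address=169.254.0.0/16 comment="" disabled=no
add list=not_in_internet address=127.0.0.0/8 comment="" disabled=no
# Covers multicast (224-239) and the reserved 240-255 block.
add list=not_in_internet address=224.0.0.0/3 comment="" disabled=no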
/ ip firewall service-port
# Connection-tracking helpers. An enabled helper inspects that protocol's
# control channel so its secondary (data) connections are tracked as
# related and pass the related-accept rules in the filter section.
set ftp ports=21 disabled=no
set tftp ports=69 disabled=no
set irc ports=6667 disabled=no
set quake3 disabled=no
set mms disabled=no
# Helpers left off; the PPTP/GRE/H.323 service rules in the filter section
# are disabled=yes as well.
set h323 disabled=yes
set gre disabled=yes
set pptp disabled=yes