2.92的防火策略，请高手指导一下

sxlipengfei · 发表于 2005-10-21 15:23:28

马上注册，结交更多好友，享用更多功能，让你轻松玩转社区。

您需要登录才可以下载或查看，没有账号？注册

×

ip firewall filter
virus:
add chain=virus protocol=tcp dst-port=134-139 action=drop comment="drop blaster worm"
add chain=virus protocol=udp dst-port=134-139 action=drop comment="drop messenger worm"
add chain=virus protocol=tcp dst-port=593 action=drop comment="---------"
add chain=virus protocol=tcp dst-port=1024-1030 action=drop comment"---------"
add chain=virus protocol=tcp dst-prot=1080 action=drop comment"drop mydoom"
add chain=virus protocol=tcp dst-port=1214 action=drop comment="---------"
add chain=virus protocol=tcp dst-port=1363 action=drop comment="ndm requester"
add chain=virus protocol=tcp dst-port=1364 action=drop comment="ndm server"
add chain=virus protocol=tcp dst-port=1368 action=drop comment="screen cast"
add chain=virus protocol=tcp dst-port=1373 action=drop comment="hromgrafx"
add chain=virus protocol=tcp dst-port=1377 action=drop comment="cichlid"
add chain=virus protocol=tcp dst-port=1433-1434 action=drop comment="worm"
add chain=virus protocol=tcp dst-port=3410 action=drop comment="drop backdoor optixpro"
add chain=virus protocol=tcp dst-port=4444 action=drop comment="worm"
add chain=virus protocol=udp dst-port=4444 action=drop comment="worm"
add chain=virus protocol=tcp dst-port=5554 action=drop comment="drop sasser"
add chain=virus protocol=tcp dst-port=8866 action=drop comment="drop beagle.b"
add chain=virus protocol=tcp dst-port=9898 action=drop comment="drop dabber.a-b"
add chain=virus protocol=tcp dst-port=10000 action=drop comment="drop dumaru.y"
add chain=virus protocol=tcp dst-port=10080 action=drop comment="drop mydoom.b"
add chain=virus protocol=tcp dst-port=12345 action=drop comment="drop netbus"
add chain=virus protocol=tcp dst-port=17300 action=drop comment="drop kuang2"
add chain=virus protocol=tcp dst-port=27374 action=drop comment="drop sbuseven"
add chain=virus protocol=tcp dst-port=65506 action=drop comment="drop phatbot,agobot,gaobot"
add chain=virus protocol=tcp dst-port=445  action=drop
add chain=virus protocol=udp dst-port=445  action=drop
add chain=virus protocol=tcp dst-port=134-139 action=drop
add chain=virus protocol=udp dst-port=134-139 action=drop

forward:
add chain=forward protocol=tcp connection-state=invalid action=drop comment="drop invalid connections"
add chain=forward connection-state=established  action=accept
add chain=forward connection-state=related action=accept
add chain=forward src-address=0.0.0.0/8 action=drop
add chain=forward dst-address=0.0.0.0/8 action=drop
add chain=forward src-address=127.0.0.0/8 action=drop
add chain=forward dst-address=127.0.0.0/8 action=drop
add chain=forward src-address=224.0.0.0/3 action=drop
add chain=forward dst-address=224.0.0.0/3 action=drop
add chain=forward protocol=tcp action=jump jump-target=tcp
add chain=forward protocol=udp action=jump jump-target=udp
add chain=forward protocol=icmp action=jump jump-target=icmp
add chain=forward action=jump jump-target=virus

input:
add chain=input connection-state=invalid  action=drop
add chain=input connection-state=established action=accept
add chain=input action=jump jump-target=virus
add chain=input protocol=udp action=accept
add chain=input protocol=icmp action=accept
add chain=input action=drop log=yes
add chain=input protocol=tcp dst-port=500 in-interface=wan action=drop
add chain=input protocol=udp dst-port=500 in-interface=wan action=drop

tcp:
add chain=tcp protocol=tcp dst-port=69 action=drop
add chain=tcp protocol=tcp dst-port=111 action=drop
add chain=tcp protocol=tcp dst-port=135 action=drop
add chain=tcp protocol=tcp dst-port=137-139 action=drop
add chain=tcp protocol=tcp dst-port=445 action=drop
add chain=tcp protocol=tcp dst-port=2049 action=drop
add chain=tcp protocol=tcp dst-port=12345-12346 action=drop
add chain=tcp protocol=tcp dst-port=20034 action=drop
add chain=tcp protocol=tcp dst-port=3133 action=drop
add chain=tcp protocol=tcp dst-port=67-68 action=drop

udp:
add chain=udp protocol=udp dst-port=69 action=drop
add chain=udp protocol=udp dst-port=111 action=drop
add chain=udp protocol=udp dst-port=135 action=drop
add chain=udp protocol=udp dst-port=137-139 action=drop
add chain=udp protocol=udp dst-port=2049 action=drop
add chain=udp protocol=udp dst-port=3133 action=drop

icmp:
add chain=icmp protocol=icmp icmp-options=0:0 action=accept
add chain=icmp protocol=icmp icmp-options=3:0 action=accept
add chain=icmp protocol=icmp icmp-options=3:1 action=accept
add chain=icmp protocol=icmp icmp-options=4:0 action=accept
add chain=icmp protocol=icmp icmp-options=8:0 action=accept
add chain=icmp protocol=icmp icmp-options=11:0 action=accept
add chain=icmp protocol=icmp icmp-options=12:0 action=accept
add chain=icmp action=drop

ip firewall mangle
add chain=prerouting action=accept
add chain=forward p2p=all-p2p action=mark-connection new-connection-mark=p2p_conn
add chain=forward connection-mark=p2p_conn action=mark-packet new-packet-mark=p2p
add chain=forward packet-mark=!p2p_conn action=mark-packet new-packet-mark=other

nat:
add chain=srcnat action=masquerade

queue simple
add name="queue1" dst-address=0.0.0.0/0 interface=all parent=none priority=8 \
   queue=default/default limit-at=0/0 max-limit=4096000/4096000 \
   total-queue=default
queue tree:

add name="queue1" parent=wan packet-mark=p2p limit-at=1000000 queue=default \
   priority=8 max-limit=10000000 burst-limit=0 burst-threshold=0 \
   burst-time=0s
add name="queue2" parent=255lan packet-mark=p2p limit-at=1000000 queue=default \
   priority=8 max-limit=10000000 burst-limit=0 burst-threshold=0 \
   burst-time=0s
add name="queue3" parent=wan packet-mark=other limit-at=1000000 queue=default \
   priority=1 max-limit=10000000 burst-limit=0 burst-threshold=0 \
   burst-time=0s
add name="queue4" parent=255lan packet-mark=other limit-at=1000000 \
   queue=default priority=1 max-limit=10000000 burst-limit=0 \
   burst-threshold=0 burst-time=0s

偶是菜菜 · 发表于 2005-10-21 21:17:04

显示全部楼层 · 发表于 2005-10-22 04:48:41

提示: 作者被禁止或删除内容自动屏蔽

显示全部楼层 · 发表于 2005-10-22 04:53:52

提示: 作者被禁止或删除内容自动屏蔽

sxlipengfei · 发表于 2005-10-22 12:26:20

谢谢！！！兄台、、、、

显示全部楼层 · 发表于 2005-10-22 12:39:47

提示: 作者被禁止或删除内容自动屏蔽

显示全部楼层 · 发表于 2005-10-22 12:41:20

提示: 作者被禁止或删除内容自动屏蔽

显示全部楼层 · 发表于 2005-10-22 12:44:35

提示: 作者被禁止或删除内容自动屏蔽

账号		自动登录	找回密码
密码			注册

legou 该用户已被删除	发表于 2005-10-22 04:48:41 \| 显示全部楼层提示: 作者被禁止或删除内容自动屏蔽
legou 该用户已被删除	routeros
	回复使用道具举报显身卡

legou 该用户已被删除	发表于 2005-10-22 04:53:52 \| 显示全部楼层提示: 作者被禁止或删除内容自动屏蔽
legou 该用户已被删除	routeros
	回复使用道具举报显身卡

lishinian 该用户已被删除	发表于 2005-10-22 12:39:47 \| 显示全部楼层提示: 作者被禁止或删除内容自动屏蔽
lishinian 该用户已被删除	routeros
	回复使用道具举报显身卡

lishinian 该用户已被删除	发表于 2005-10-22 12:41:20 \| 显示全部楼层提示: 作者被禁止或删除内容自动屏蔽
lishinian 该用户已被删除	routeros
	回复使用道具举报显身卡

legou 该用户已被删除	发表于 2005-10-22 12:44:35 \| 显示全部楼层提示: 作者被禁止或删除内容自动屏蔽
legou 该用户已被删除	routeros
	回复使用道具举报显身卡

[策略设置] 2.92的防火策略，请高手指导一下

马上注册，结交更多好友，享用更多功能，让你轻松玩转社区。