Views: 2124 | Replies: 7

[Policy settings] Firewall policy for 2.92, could an expert give some guidance

Posted on 2005-10-21 15:23:28

/ip firewall filter
# virus chain: jumped to from forward and input; drops well-known worm and backdoor ports
add chain=virus protocol=tcp dst-port=134-139 action=drop comment="drop blaster worm"
add chain=virus protocol=udp dst-port=134-139 action=drop comment="drop messenger worm"
add chain=virus protocol=tcp dst-port=593 action=drop comment="---------"
add chain=virus protocol=tcp dst-port=1024-1030 action=drop comment="---------"
add chain=virus protocol=tcp dst-port=1080 action=drop comment="drop mydoom"
add chain=virus protocol=tcp dst-port=1214 action=drop comment="---------"
add chain=virus protocol=tcp dst-port=1363 action=drop comment="ndm requester"
add chain=virus protocol=tcp dst-port=1364 action=drop comment="ndm server"
add chain=virus protocol=tcp dst-port=1368 action=drop comment="screen cast"
add chain=virus protocol=tcp dst-port=1373 action=drop comment="hromgrafx"
add chain=virus protocol=tcp dst-port=1377 action=drop comment="cichlid"
add chain=virus protocol=tcp dst-port=1433-1434 action=drop comment="worm"
add chain=virus protocol=tcp dst-port=3410 action=drop comment="drop backdoor optixpro"
add chain=virus protocol=tcp dst-port=4444 action=drop comment="worm"
add chain=virus protocol=udp dst-port=4444 action=drop comment="worm"
add chain=virus protocol=tcp dst-port=5554 action=drop comment="drop sasser"
add chain=virus protocol=tcp dst-port=8866 action=drop comment="drop beagle.b"
add chain=virus protocol=tcp dst-port=9898 action=drop comment="drop dabber.a-b"
add chain=virus protocol=tcp dst-port=10000 action=drop comment="drop dumaru.y"
add chain=virus protocol=tcp dst-port=10080 action=drop comment="drop mydoom.b"
add chain=virus protocol=tcp dst-port=12345 action=drop comment="drop netbus"
add chain=virus protocol=tcp dst-port=17300 action=drop comment="drop kuang2"
add chain=virus protocol=tcp dst-port=27374 action=drop comment="drop subseven"
add chain=virus protocol=tcp dst-port=65506 action=drop comment="drop phatbot,agobot,gaobot"
add chain=virus protocol=tcp dst-port=445 action=drop
add chain=virus protocol=udp dst-port=445 action=drop
# the next two rules duplicate the first two rules of this chain
add chain=virus protocol=tcp dst-port=134-139 action=drop
add chain=virus protocol=udp dst-port=134-139 action=drop

# forward chain: traffic routed through the box; there is no final drop, so anything
# not blocked by the tcp/udp/icmp/virus chains below is allowed
add chain=forward protocol=tcp connection-state=invalid action=drop comment="drop invalid connections"
add chain=forward connection-state=established action=accept
add chain=forward connection-state=related action=accept
add chain=forward src-address=0.0.0.0/8 action=drop
add chain=forward dst-address=0.0.0.0/8 action=drop
add chain=forward src-address=127.0.0.0/8 action=drop
add chain=forward dst-address=127.0.0.0/8 action=drop
add chain=forward src-address=224.0.0.0/3 action=drop
add chain=forward dst-address=224.0.0.0/3 action=drop
add chain=forward protocol=tcp action=jump jump-target=tcp
add chain=forward protocol=udp action=jump jump-target=udp
add chain=forward protocol=icmp action=jump jump-target=icmp
add chain=forward action=jump jump-target=virus

# input chain: traffic addressed to the router itself
add chain=input connection-state=invalid action=drop
add chain=input connection-state=established action=accept
add chain=input action=jump jump-target=virus
add chain=input protocol=udp action=accept
add chain=input protocol=icmp action=accept
# unconditional drop: every new TCP connection to the router, including winbox/ssh/
# telnet/www management from the LAN, is dropped and logged here, and the two
# port-500 rules placed after it can never match
add chain=input action=drop log=yes
add chain=input protocol=tcp dst-port=500 in-interface=wan action=drop
add chain=input protocol=udp dst-port=500 in-interface=wan action=drop

# tcp chain: jumped to from forward for TCP
add chain=tcp protocol=tcp dst-port=69 action=drop
add chain=tcp protocol=tcp dst-port=111 action=drop
add chain=tcp protocol=tcp dst-port=135 action=drop
add chain=tcp protocol=tcp dst-port=137-139 action=drop
add chain=tcp protocol=tcp dst-port=445 action=drop
add chain=tcp protocol=tcp dst-port=2049 action=drop
add chain=tcp protocol=tcp dst-port=12345-12346 action=drop
add chain=tcp protocol=tcp dst-port=20034 action=drop
add chain=tcp protocol=tcp dst-port=3133 action=drop
add chain=tcp protocol=tcp dst-port=67-68 action=drop

# udp chain: jumped to from forward for UDP
add chain=udp protocol=udp dst-port=69 action=drop
add chain=udp protocol=udp dst-port=111 action=drop
add chain=udp protocol=udp dst-port=135 action=drop
add chain=udp protocol=udp dst-port=137-139 action=drop
add chain=udp protocol=udp dst-port=2049 action=drop
add chain=udp protocol=udp dst-port=3133 action=drop

# icmp chain: jumped to from forward for ICMP; only the listed type:code pairs pass
add chain=icmp protocol=icmp icmp-options=0:0 action=accept
add chain=icmp protocol=icmp icmp-options=3:0 action=accept
add chain=icmp protocol=icmp icmp-options=3:1 action=accept
add chain=icmp protocol=icmp icmp-options=4:0 action=accept
add chain=icmp protocol=icmp icmp-options=8:0 action=accept
add chain=icmp protocol=icmp icmp-options=11:0 action=accept
add chain=icmp protocol=icmp icmp-options=12:0 action=accept
add chain=icmp action=drop

/ip firewall mangle
# accept here only ends mangle processing in prerouting; the marking rules are in forward
add chain=prerouting action=accept
add chain=forward p2p=all-p2p action=mark-connection new-connection-mark=p2p_conn
add chain=forward connection-mark=p2p_conn action=mark-packet new-packet-mark=p2p
# as posted this rule read packet-mark=!p2p_conn; p2p_conn is a connection mark, so no
# packet mark ever equals it and every packet, p2p included, was re-marked "other"
add chain=forward connection-mark=!p2p_conn action=mark-packet new-packet-mark=other

/ip firewall nat
add chain=srcnat action=masquerade

/queue simple
add name="queue1" dst-address=0.0.0.0/0 interface=all parent=none priority=8 \
      queue=default/default limit-at=0/0 max-limit=4096000/4096000 \
      total-queue=default

/queue tree
add name="queue1" parent=wan packet-mark=p2p limit-at=1000000 queue=default \
     priority=8 max-limit=10000000 burst-limit=0 burst-threshold=0 \
     burst-time=0s
add name="queue2" parent=255lan packet-mark=p2p limit-at=1000000 queue=default \
     priority=8 max-limit=10000000 burst-limit=0 burst-threshold=0 \
     burst-time=0s
add name="queue3" parent=wan packet-mark=other limit-at=1000000 queue=default \
     priority=1 max-limit=10000000 burst-limit=0 burst-threshold=0 \
     burst-time=0s
add name="queue4" parent=255lan packet-mark=other limit-at=1000000 \
     queue=default priority=1 max-limit=10000000 burst-limit=0 \
     burst-threshold=0 burst-time=0s
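To see how the posted input chain actually behaves, here is an added example (not part of the original post and not RouterOS code): a small Python model of filter chain evaluation, first match wins, accept/drop end evaluation, jump enters a user chain and falls back to the caller if nothing there matched. It parses a constructed subset of the post's virus and input rules and walks sample packets through them, which shows that a new TCP connection to the router (winbox on 8291, for instance) is dropped by the catch-all rule while UDP to port 500 from the wan interface is accepted before the port-500 drop rule is ever consulted. Only the matchers the post uses are modelled; the interface name "wan" is taken from the post.

```python
"""Walk packets through a subset of the posted /ip firewall filter rules.

Added example, not from the forum post: models RouterOS filter chain semantics
(first match wins; accept/drop end evaluation; jump enters a user chain and
returns to the caller if nothing matched) so ordering effects become visible.
"""
import shlex

# Constructed subset of the post's virus and input chains (assumption: enough of
# the ruleset to show the ordering behaviour; "wan" is the post's interface name).
RULES_TEXT = """
add chain=virus protocol=tcp dst-port=445 action=drop
add chain=virus protocol=tcp dst-port=4444 action=drop comment="worm"
add chain=input connection-state=invalid action=drop
add chain=input connection-state=established action=accept
add chain=input action=jump jump-target=virus
add chain=input protocol=udp action=accept
add chain=input protocol=icmp action=accept
add chain=input action=drop log=yes
add chain=input protocol=tcp dst-port=500 in-interface=wan action=drop
add chain=input protocol=udp dst-port=500 in-interface=wan action=drop
"""


def parse_rules(text):
    """Turn 'add key=value ...' lines into dicts, in the order RouterOS keeps them."""
    rules = []
    for line in text.strip().splitlines():
        parts = shlex.split(line)          # handles comment="..." quoting
        if not parts or parts[0] != "add":
            continue
        rule = {}
        for item in parts[1:]:
            key, _, value = item.partition("=")
            rule[key] = value
        rules.append(rule)
    return rules


def port_in_spec(spec, port):
    """dst-port accepts '445', '134-139' or a comma-separated list of those."""
    for piece in spec.split(","):
        low, _, high = piece.partition("-")
        if int(low) <= port <= int(high or low):
            return True
    return False


# matcher name as written in a rule -> predicate over (rule value, packet)
MATCHERS = {
    "protocol": lambda v, pkt: pkt["protocol"] == v,
    "dst-port": lambda v, pkt: port_in_spec(v, pkt["dst_port"]),
    "connection-state": lambda v, pkt: pkt["conn_state"] == v,
    "in-interface": lambda v, pkt: pkt["in_iface"] == v,
}


def packet(protocol, dst_port, conn_state, in_iface):
    """Constructed packet summary; conn_state is what connection tracking reports."""
    return {"protocol": protocol, "dst_port": dst_port,
            "conn_state": conn_state, "in_iface": in_iface}


def rule_matches(rule, pkt):
    return all(fn(rule[key], pkt) for key, fn in MATCHERS.items() if key in rule)


def walk(rules, chain, pkt, hits):
    """Return 'accept' / 'drop', or None if the chain ran out without a verdict."""
    for idx, rule in enumerate(rules):
        if rule["chain"] != chain or not rule_matches(rule, pkt):
            continue
        hits.append(idx)
        action = rule["action"]
        if action in ("accept", "drop"):
            return action
        if action == "return":
            return None
        if action == "jump":
            sub = walk(rules, rule["jump-target"], pkt, hits)
            if sub is not None:
                return sub                 # sub-chain decided; otherwise keep going
    return None


def verdict(rules, pkt, chain="input"):
    """Final verdict plus the indices of the rules that matched on the way."""
    hits = []
    result = walk(rules, chain, pkt, hits)
    return (result or "accept"), hits     # built-in chains default to accept


def unreachable(rules):
    """Indices of rules placed after an unconditional accept/drop in the same chain."""
    closed, dead = set(), []
    for idx, rule in enumerate(rules):
        if rule["chain"] in closed:
            dead.append(idx)
        elif rule["action"] in ("accept", "drop") and not any(k in rule for k in MATCHERS):
            closed.add(rule["chain"])
    return dead


if __name__ == "__main__":
    rules = parse_rules(RULES_TEXT)
    samples = {
        "new TCP 8291 (winbox) from lan": packet("tcp", 8291, "new", "lan"),
        "new TCP 445 from lan": packet("tcp", 445, "new", "lan"),
        "new UDP 500 (IKE) from wan": packet("udp", 500, "new", "wan"),
        "established TCP 8291 from lan": packet("tcp", 8291, "established", "lan"),
    }
    for label, pkt in samples.items():
        result, hits = verdict(rules, pkt)
        print(f"{label:32s} -> {result:6s} via rules {hits}")
    print("rules that can never match:", unreachable(rules))
```

Running it prints the verdict and the matched rule indices for each sample, and lists rules 8 and 9 (the port-500 drops) as never reachable because rule 7 drops everything first. The same walk can be pointed at the forward chain by passing chain="forward" once the forward rules are pasted into RULES_TEXT.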
Posted on 2005-10-21 21:17:04
up
legou (this user has been deleted)
Posted on 2005-10-22 04:48:41
Notice: the author was banned or deleted; the content has been automatically hidden
legou (this user has been deleted)
Posted on 2005-10-22 04:53:52
Notice: the author was banned or deleted; the content has been automatically hidden
Original poster | Posted on 2005-10-22 12:26:20
Thanks!!! Brother...
lishinian (this user has been deleted)
Posted on 2005-10-22 12:39:47
Notice: the author was banned or deleted; the content has been automatically hidden
lishinian (this user has been deleted)
Posted on 2005-10-22 12:41:20
Notice: the author was banned or deleted; the content has been automatically hidden
legou (this user has been deleted)
Posted on 2005-10-22 12:44:35
Notice: the author was banned or deleted; the content has been automatically hidden