# Connection tracking: turn it on and shorten most per-state timeouts so the tracking
# table turns over quickly. Established TCP sessions are kept for one day, UDP streams
# for three minutes, everything else for seconds (generic/unknown protocols 10 minutes).
/ ip firewall connection tracking
set enabled=yes \
  tcp-syn-sent-timeout=1m tcp-syn-received-timeout=1m tcp-established-timeout=1d \
  tcp-fin-wait-timeout=10s tcp-close-wait-timeout=10s tcp-last-ack-timeout=10s \
  tcp-time-wait-timeout=10s tcp-close-timeout=10s \
  udp-timeout=10s udp-stream-timeout=3m \
  icmp-timeout=10s generic-timeout=10m
# + Firewall section +
#
/ ip firewall filter
# Drop ports 135-139 (NetBIOS/RPC) on the router itself - no explanation needed
add chain=input protocol=tcp dst-port=135-139 action=drop comment="drop Port"
add chain=input protocol=udp dst-port=135-139 action=drop
# + Packets addressed to the router itself (input chain) +
#
# Accept connections that are already established
add chain=input connection-state=established action=accept comment="input"
add chain=input connection-state=related action=accept
# Accept router-to-router (loopback) traffic
add chain=input src-address=127.0.0.1 dst-address=127.0.0.1 action=accept
# Drop obviously abnormal packets (connection tracking classifies them as invalid)
add chain=input connection-state=invalid action=drop
# Drop packets whose destination is not a local address of the router
add chain=input dst-address-type=!local action=drop
# Drop multicast packets (matched on the source address type: anything not unicast)
add chain=input src-address-type=!unicast action=drop
# NOTE(review): the visible script never ends the input chain with a catch-all drop, so
# anything not matched by a rule above falls through to the chain default (accept) and
# every service the router listens on stays reachable from every interface unless it is
# restricted elsewhere. Confirm whether that is intended; the usual pattern is explicit
# accepts for the required management services followed by a final drop.
# + Security related +
#
# NOTE(review): rule order matters - the established/related accepts earlier in this chain
# already consumed their packets, so the rules below only see what those did not match.
# A large number of packets from one address to this router on constantly changing ports
# within a short time is treated as a port scan and dropped.
# psd=21,3s,3,1 - presumably RouterOS's port-scan detector parameters (weight threshold,
# delay threshold, low-port weight, high-port weight); confirm against the docs for the
# installed version.
add chain=input protocol=tcp psd=21,3s,3,1 action=drop comment="..."
# Many concurrent TCP connections (more than 10) opened within a short time are treated as
# a DoS attack: the source goes onto the blacklist for one day!
# When running a proxy, raise the count (e.g. 100), otherwise proxy users lose connectivity.
# Either add a separate rule / exception for proxy users, and one rule for non-proxy users.
# connection-limit=10,32 - count of connections per /32 source address.
# NOTE(review): nothing here logs the detection; a log option on this rule would make
# blacklist additions visible for monitoring.
add chain=input protocol=tcp connection-limit=10,32 action=add-src-to-address-list address-list=black_list address-list-timeout=1d disabled=no
# Blacklisted sources may hold only 3 concurrent connections; beyond that they are tarpitted.
# When running a proxy, raise the count (e.g. 30), otherwise proxy users lose connectivity.
add chain=input protocol=tcp connection-limit=3,32 src-address-list=black_list action=tarpit disabled=no
# + ICMP related +
#
# Allow the ICMP used by common commands (ping, tracert); every other ICMP type is dropped.
# icmp-options=type:code - 0 echo reply, 3:3 port unreachable, 3:4 fragmentation needed
# (required for path-MTU discovery), 8 echo request, 11 time exceeded (traceroute).
# limit=5,5 rate-limits each accepted type (rate,burst form in older RouterOS syntax -
# confirm the meaning for the installed version).
add chain=input protocol=icmp icmp-options=0:0-255 limit=5,5 action=accept
add chain=input protocol=icmp icmp-options=3:3 limit=5,5 action=accept
add chain=input protocol=icmp icmp-options=3:4 limit=5,5 action=accept
add chain=input protocol=icmp icmp-options=8:0-255 limit=5,5 action=accept
add chain=input protocol=icmp icmp-options=11:0-255 limit=5,5 action=accept
add chain=output protocol=icmp icmp-options=0:0-255 limit=5,5 action=accept
add chain=output protocol=icmp icmp-options=3:3 limit=5,5 action=accept
add chain=output protocol=icmp icmp-options=3:4 limit=5,5 action=accept
add chain=output protocol=icmp icmp-options=8:0-255 limit=5,5 action=accept
add chain=output protocol=icmp icmp-options=11:0-255 limit=5,5 action=accept
add chain=forward protocol=icmp icmp-options=0:0-255 limit=5,5 action=accept
add chain=forward protocol=icmp icmp-options=3:3 limit=5,5 action=accept
add chain=forward protocol=icmp icmp-options=3:4 limit=5,5 action=accept
add chain=forward protocol=icmp icmp-options=8:0-255 limit=5,5 action=accept
add chain=forward protocol=icmp icmp-options=11:0-255 limit=5,5 action=accept
# Catch-all: ICMP not accepted above is dropped on all three chains. Note this also drops
# the other "destination unreachable" codes (3:0, 3:1, ...), which can slow down failure
# detection for hosts behind the router - intentional per the author, but worth knowing.
add chain=input protocol=icmp action=drop
add chain=output protocol=icmp action=drop
add chain=forward protocol=icmp action=drop
# Connection-tracking helpers (ALGs). Only FTP and PPTP are enabled; the others stay
# commented out. Each helper inspects application payload, so keep a helper disabled
# unless that protocol actually needs to cross the router.
/ ip firewall service-port
set pptp disabled=no
set ftp ports=21 disabled=no
#set tftp ports=69 disabled=no
#set irc ports=6667 disabled=no
#set h323 disabled=no
#set quake3 disabled=no
#set mms disabled=no
#set gre disabled=no
# + MSS value +
# Must be set, otherwise some web pages will not load: clamp the TCP MSS on forwarded
# SYN packets to 1440.
/ip firewall mangle
add action=change-mss new-mss=1440 chain=forward protocol=tcp tcp-flags=syn