MikroTik RouterOS 2.9.x防火墙设置
ip firewall connection tracking
# Connection tracking must stay enabled: the connection-state, connection-limit and
# psd matchers used by the filter rules all depend on it.
# Timeouts, grouped by state: TCP handshake 1m, TCP established 1d, TCP teardown
# states 10s, plain UDP and ICMP 10s, UDP streams 3m, any other protocol 10m.
set enabled=yes generic-timeout=10m icmp-timeout=10s udp-timeout=10s udp-stream-timeout=3m tcp-syn-sent-timeout=1m tcp-syn-received-timeout=1m tcp-established-timeout=1d tcp-fin-wait-timeout=10s tcp-close-wait-timeout=10s tcp-last-ack-timeout=10s tcp-time-wait-timeout=10s tcp-close-timeout=10s
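/ ip firewall filter
# NetBIOS/RPC probes (TCP and UDP 135-139) are discarded before anything else.
add chain=input protocol=tcp dst-port=135-139 action=drop
add chain=input protocol=udp dst-port=135-139 action=drop
# Stateful fast path for traffic addressed to the router itself. Because these come
# first, the psd / connection-limit rules further down only ever see NEW connections.
add chain=input connection-state=established action=accept
add chain=input connection-state=related action=accept
add chain=input src-address=127.0.0.1 dst-address=127.0.0.1 action=accept
add chain=input connection-state=invalid action=drop
# In the input chain the destination is always local, broadcast or multicast, so this
# rule effectively discards broadcast/multicast-addressed packets sent to the router.
# NOTE(review): confirm that services which listen for broadcasts still work with it.
add chain=input dst-address-type=!local action=drop
# A non-unicast SOURCE address (broadcast/multicast/local) is never legitimate.
add chain=input src-address-type=!unicast action=drop
# Port-scan detection: weight 21 reached within 3s, low ports weigh 3, high ports 1.
add chain=input protocol=tcp psd=21,3s,3,1 action=drop
# Connection flood: more than 10 tracked TCP connections from one /32 to the router
# puts the source on black_list for a day. add-src-to-address-list is a passthrough
# action, so the matching packet itself still continues down the chain.
# NOTE(review): a NAT gateway or an admin host with many winbox/ssh/www sessions
# reaches 10 connections just as easily as an attacker does.
add chain=input protocol=tcp connection-limit=10,32 action=add-src-to-address-list address-list=black_list address-list-timeout=1d
# Listed hosts are only tarpitted once they hold more than 3 connections; below that
# they still get through. black_list is therefore a brake, not a block.
add chain=input protocol=tcp connection-limit=3,32 src-address-list=black_list action=tarpit
# ICMP: echo reply (0), port unreachable (3:3), fragmentation needed (3:4, required for
# path-MTU discovery), echo request (8) and TTL exceeded (11) pass at 5 pkt/s with a
# burst of 5; every other ICMP type is dropped in all three chains. The forward-chain
# limit is shared by everything behind the router.
add chain=input protocol=icmp icmp-options=0:0-255 limit=5,5 action=accept
add chain=input protocol=icmp icmp-options=3:3 limit=5,5 action=accept
add chain=input protocol=icmp icmp-options=3:4 limit=5,5 action=accept
add chain=input protocol=icmp icmp-options=8:0-255 limit=5,5 action=accept
add chain=input protocol=icmp icmp-options=11:0-255 limit=5,5 action=accept
add chain=output protocol=icmp icmp-options=0:0-255 limit=5,5 action=accept
add chain=output protocol=icmp icmp-options=3:3 limit=5,5 action=accept
add chain=output protocol=icmp icmp-options=3:4 limit=5,5 action=accept
add chain=output protocol=icmp icmp-options=8:0-255 limit=5,5 action=accept
add chain=output protocol=icmp icmp-options=11:0-255 limit=5,5 action=accept
add chain=forward protocol=icmp icmp-options=0:0-255 limit=5,5 action=accept
add chain=forward protocol=icmp icmp-options=3:3 limit=5,5 action=accept
add chain=forward protocol=icmp icmp-options=3:4 limit=5,5 action=accept
add chain=forward protocol=icmp icmp-options=8:0-255 limit=5,5 action=accept
add chain=forward protocol=icmp icmp-options=11:0-255 limit=5,5 action=accept
add chain=input protocol=icmp action=drop
add chain=output protocol=icmp action=drop
add chain=forward protocol=icmp action=drop
# Default policy. RouterOS ACCEPTS whatever reaches the end of a chain, so as written
# every management service on the router (winbox, ssh, telnet, www, ftp, api, snmp ...)
# stays reachable from any interface, and the forward chain passes everything that is
# not ICMP. The two rules below close the input chain. They ship disabled because the
# "admin" list is a placeholder: add your LAN/admin networks under
# /ip firewall address-list (list=admin) first, then set disabled=no on both rules.
# Enabling the drop without the accept locks you out of the router.
add chain=input src-address-list=admin action=accept comment="management from admin list" disabled=yes
add chain=input action=drop comment="input default drop" disabled=yes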
/ ip firewall service-port
# Connection-tracking helpers (ALGs). Each one inspects application payload and opens
# dynamic pinholes that the "connection-state=related" accept rule in the filter then
# trusts without further checks. Keep only the protocols this router actually carries
# and set the rest to disabled=yes; ftp and irc in particular have a history of being
# steered by a malicious endpoint into opening ports the operator never intended.
# All eight stay enabled here exactly as in the original configuration.
set pptp disabled=no
set gre disabled=no
set mms disabled=no
set quake3 disabled=no
set h323 disabled=no
set irc disabled=no ports=6667
set tftp disabled=no ports=69
set ftp disabled=no ports=21
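/ip firewall mangle
# MSS clamping for links whose MTU is below 1500 (PPPoE/ADSL). The original rule
# rewrote the MSS of EVERY forwarded SYN, which also raises an MSS that a peer had
# deliberately advertised lower; tcp-mss=1441-65535 limits the rewrite to SYNs that
# carry a larger value. If this build rejects the tcp-mss matcher, drop that attribute
# and keep the unconditional form.
add chain=forward protocol=tcp tcp-flags=syn tcp-mss=1441-65535 action=change-mss new-mss=1440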
说明:
/ ip firewall connection tracking
# Connection tracking must stay enabled: the connection-state, connection-limit and
# psd matchers used by the filter rules all depend on it.
# Timeouts, grouped by state: TCP handshake 1m, TCP established 1d, TCP teardown
# states 10s, plain UDP and ICMP 10s, UDP streams 3m, any other protocol 10m.
set enabled=yes generic-timeout=10m icmp-timeout=10s udp-timeout=10s udp-stream-timeout=3m tcp-syn-sent-timeout=1m tcp-syn-received-timeout=1m tcp-established-timeout=1d tcp-fin-wait-timeout=10s tcp-close-wait-timeout=10s tcp-last-ack-timeout=10s tcp-time-wait-timeout=10s tcp-close-timeout=10s
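# + Firewall section +
#
/ ip firewall filter
# Close ports 135-139 (NetBIOS/RPC) - needs no explanation.
# The comment string was split across two lines in the original; it is one value.
add chain=input protocol=tcp dst-port=135-139 action=drop comment="drop Port"
add chain=input protocol=udp dst-port=135-139 action=drop
# + Packets addressed to the router itself +
#
# Allow established and related connections. Because these come first, the psd and
# connection-limit rules further down only ever see NEW connections.
add chain=input connection-state=established action=accept comment="input"
add chain=input connection-state=related action=accept
# Allow the router talking to itself (loopback).
add chain=input src-address=127.0.0.1 dst-address=127.0.0.1 action=accept
# Drop obviously malformed / out-of-state packets.
add chain=input connection-state=invalid action=drop
# Drop packets whose destination is not the router. In the input chain the destination
# is always local, broadcast or multicast, so in practice this discards broadcast- and
# multicast-addressed packets to the router.
# NOTE(review): confirm that services which listen for broadcasts still work with it.
add chain=input dst-address-type=!local action=drop
# Drop packets with a non-unicast SOURCE address (broadcast/multicast/local); those are
# never legitimate.
add chain=input src-address-type=!unicast action=drop
# + Security +
#
# Many packets from one address to constantly changing ports in a short time are
# treated as a port scan: weight 21 reached within 3s, low ports weigh 3, high ports 1.
add chain=input protocol=tcp psd=21,3s,3,1 action=drop comment="port scan"
# More than 10 concurrent TCP connections from one /32 are treated as a DoS attempt and
# the source goes on the blacklist for a day. add-src-to-address-list is a passthrough
# action, so the matching packet itself still continues down the chain.
# NOTE(review): a NAT gateway or an admin host with many winbox/ssh/www sessions
# reaches 10 connections just as easily as an attacker does.
add chain=input protocol=tcp address-list=black_list connection-limit=10,32 address-list-timeout=1d action=add-src-to-address-list disabled=no
# Blacklisted hosts may hold 3 concurrent connections; beyond that they are tarpitted.
# Below that threshold they still get through, so black_list is a brake, not a block.
add chain=input protocol=tcp connection-limit=3,32 src-address-list=black_list action=tarpit disabled=no
# + ICMP +
#
# Allow what ping and tracert need - echo reply (0), port unreachable (3:3),
# fragmentation needed (3:4, required for path-MTU discovery), echo request (8) and
# TTL exceeded (11) - at 5 pkt/s with a burst of 5; drop every other ICMP type in all
# three chains. The forward-chain limit is shared by everything behind the router.
add chain=input protocol=icmp icmp-options=0:0-255 limit=5,5 action=accept
add chain=input protocol=icmp icmp-options=3:3 limit=5,5 action=accept
add chain=input protocol=icmp icmp-options=3:4 limit=5,5 action=accept
add chain=input protocol=icmp icmp-options=8:0-255 limit=5,5 action=accept
add chain=input protocol=icmp icmp-options=11:0-255 limit=5,5 action=accept
add chain=output protocol=icmp icmp-options=0:0-255 limit=5,5 action=accept
add chain=output protocol=icmp icmp-options=3:3 limit=5,5 action=accept
add chain=output protocol=icmp icmp-options=3:4 limit=5,5 action=accept
add chain=output protocol=icmp icmp-options=8:0-255 limit=5,5 action=accept
add chain=output protocol=icmp icmp-options=11:0-255 limit=5,5 action=accept
add chain=forward protocol=icmp icmp-options=0:0-255 limit=5,5 action=accept
add chain=forward protocol=icmp icmp-options=3:3 limit=5,5 action=accept
add chain=forward protocol=icmp icmp-options=3:4 limit=5,5 action=accept
add chain=forward protocol=icmp icmp-options=8:0-255 limit=5,5 action=accept
add chain=forward protocol=icmp icmp-options=11:0-255 limit=5,5 action=accept
add chain=input protocol=icmp action=drop
add chain=output protocol=icmp action=drop
add chain=forward protocol=icmp action=drop
# + Default policy +
#
# RouterOS ACCEPTS whatever reaches the end of a chain, so as written every management
# service on the router (winbox, ssh, telnet, www, ftp, api, snmp ...) stays reachable
# from any interface, and the forward chain passes everything that is not ICMP. The two
# rules below close the input chain. They ship disabled because the "admin" list is a
# placeholder: add your LAN/admin networks under /ip firewall address-list (list=admin)
# first, then set disabled=no on both rules. Enabling the drop without the accept locks
# you out of the router.
add chain=input src-address-list=admin action=accept comment="management from admin list" disabled=yes
add chain=input action=drop comment="input default drop" disabled=yes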
/ ip firewall service-port
# Connection-tracking helpers (ALGs). Each one inspects application payload and opens
# dynamic pinholes that the "connection-state=related" accept rule in the filter then
# trusts without further checks. Keep only the protocols this router actually carries
# and set the rest to disabled=yes; ftp and irc in particular have a history of being
# steered by a malicious endpoint into opening ports the operator never intended.
# All eight stay enabled here exactly as in the original configuration.
set pptp disabled=no
set gre disabled=no
set mms disabled=no
set quake3 disabled=no
set h323 disabled=no
set irc disabled=no ports=6667
set tftp disabled=no ports=69
set ftp disabled=no ports=21
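# + MSS value +
# Makes little difference on fibre with the default MTU, but on ADSL/PPPoE (MTU below
# 1500) this is the fix when some web pages never finish loading. The original rule
# rewrote the MSS of EVERY forwarded SYN, which also raises an MSS that a peer had
# deliberately advertised lower; tcp-mss=1441-65535 limits the rewrite to SYNs that
# carry a larger value. If this build rejects the tcp-mss matcher, drop that attribute
# and keep the unconditional form.
/ip firewall mangle
add chain=forward protocol=tcp tcp-flags=syn tcp-mss=1441-65535 action=change-mss new-mss=1440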