RouterOS防火墙

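# RouterOS /ip firewall filter ruleset.
#   input   = traffic addressed to the router itself
#   forward = traffic routed through the router
#   ICMP    = user chain shared by input and forward
# The WAN (PPPoE/ADSL) interface is named ADSL. Rules are evaluated top to
# bottom, first match wins; a chain that reaches its end is ACCEPTED by
# RouterOS, so each chain below ends with an explicit WAN deny.
/ip firewall filter
# Accept packets of known connections first. Replies to the router's own
# traffic (including RELATED ICMP errors) then never reach the rate
# limiters and the scan/DoS detectors, which should only see NEW traffic.
# (Two rules instead of "established,related" for older RouterOS releases.)
add chain=input connection-state=established action=accept comment="接受已建立连接" disabled=no
add chain=input connection-state=related action=accept comment="接受相关连接" disabled=no
add chain=input connection-state=invalid action=drop comment="丢弃非法连接数据" disabled=no
# Block only echo-request from the WAN. The original rule dropped ALL ICMP
# arriving on ADSL, which also discarded fragmentation-needed (3:4) and
# TTL-exceeded (11) messages and so broke path-MTU discovery on exactly the
# link (PPPoE, MTU 1492) where it is needed most.
add chain=input protocol=icmp icmp-options=8:0-255 in-interface=ADSL action=drop comment="禁止外网Ping" disabled=no
# Port-scan detection: weight threshold 21 within 3s; a low port counts 3,
# a high port counts 1.
add chain=input protocol=tcp psd=21,3s,3,1 action=drop comment="探测并丢弃端口扫描连接" disabled=no
# DoS handling, restricted to the WAN. The original rules matched every TCP
# packet on every interface, so a LAN host holding more than 10 TCP sessions
# to the router (proxy, DNS over TCP, several management sessions) was put on
# black_list for a day and tarpitted.
add chain=input protocol=tcp in-interface=ADSL connection-limit=3,32 src-address-list=black_list action=tarpit comment="压制DoS攻击" disabled=no
add chain=input protocol=tcp in-interface=ADSL connection-limit=10,32 action=add-src-to-address-list address-list=black_list address-list-timeout=1d comment="探测DoS攻击" disabled=no
# Drop anything in input that is not addressed to one of the router's own
# IPs. NOTE(review): broadcast-addressed traffic (e.g. DHCP discover) does
# not match dst-address-type=local either; confirm a DHCP server running on
# this router still works with this rule in place.
add chain=input dst-address-type=!local action=drop comment="丢弃掉非本地数据" disabled=no
add chain=input protocol=icmp action=jump jump-target=ICMP comment="跳转到ICMP链表" disabled=no
# Default deny for the router itself from the WAN. Without this the input
# chain fell through to RouterOS's implicit accept, leaving every service on
# the router (winbox, ssh, www, api, ...) reachable from the Internet.
# Any rule that must allow WAN access to the router belongs ABOVE this line.
add chain=input in-interface=ADSL action=drop comment="丢弃外网到路由器的其他数据" disabled=no
# ICMP chain: accept only the useful types, each limited to 5 packets/s with
# a burst of 5; everything else (redirects, other unreachable codes, ...) is
# dropped. NOTE(review): "limit=5,5" is the pre-v6 syntax; newer releases
# write it as limit=5,5:packet.
add chain=ICMP protocol=icmp icmp-options=0:0-255 limit=5,5 action=accept comment="Ping应答限制为每秒5个包" disabled=no
add chain=ICMP protocol=icmp icmp-options=3:3 limit=5,5 action=accept comment="Traceroute限制为每秒5个包" disabled=no
add chain=ICMP protocol=icmp icmp-options=3:4 limit=5,5 action=accept comment="MTU线路探测限制为每秒5个包" disabled=no
add chain=ICMP protocol=icmp icmp-options=8:0-255 limit=5,5 action=accept comment="Ping请求限制为每秒5个包" disabled=no
add chain=ICMP protocol=icmp icmp-options=11:0-255 limit=5,5 action=accept comment="Trace TTL限制为每秒5个包" disabled=no
add chain=ICMP protocol=icmp action=drop comment="丢弃掉任何ICMP数据" disabled=no
# Forward chain (LAN <-> WAN through the router).
add chain=forward connection-state=established action=accept comment="接受已建立连接" disabled=no
add chain=forward connection-state=related action=accept comment="接受相关连接" disabled=no
add chain=forward connection-state=invalid action=drop comment="丢弃非法数据包" disabled=no
add chain=forward src-address-type=!unicast action=drop comment="丢弃掉所有非单播数据" disabled=no
add chain=forward protocol=icmp action=jump jump-target=ICMP comment="跳转到ICMP链表" disabled=no
# Default deny for NEW connections arriving from the WAN; the original forward
# chain had no terminal rule and therefore accepted them. Any dst-nat port
# forward must be accepted by a rule placed above this one.
add chain=forward connection-state=new in-interface=ADSL action=drop comment="丢弃外网发起的新连接" disabled=no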
