
ROS防火墙策略与网页断流解决等系列方法

时间:2010-02-25 09:15:00  来源:  作者:

网吧使用ros软路由的比较多,ros软路由的防火墙策略现在网上也不少。此ros软路由脚本为网吧ros软路由通用防火墙,导入命令:im *.RSC。可以有效利用ros软路由进行禁止P2P电驴下载,禁止比特精灵下载,禁止PPLIVE网络电视,禁止vagaa(哇嘎)的操作,非常的方便。

需要此ros软路由策略的请复制以下代码,保存为*.rsc

------------------------------------------------------------------------------------------------------------------

/ ip firewall connection tracking
# Connection tracking must be enabled for the connection-state=... matches used
# by the filter chains further down. Timeouts are the original values, split
# into one set command per protocol family for readability.
set enabled=yes
set tcp-syn-sent-timeout=5s tcp-syn-received-timeout=30s tcp-established-timeout=5d
set tcp-fin-wait-timeout=2m tcp-close-wait-timeout=1m tcp-last-ack-timeout=30s tcp-time-wait-timeout=2m tcp-close-timeout=10s
set udp-timeout=30s udp-stream-timeout=3m icmp-timeout=30s generic-timeout=10m

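/ ip firewall filter
# ---- chain=input: packets addressed to the router itself ----
# Rules are evaluated top-down, first match wins; a built-in chain that runs
# out of rules falls back to accept, which is why the final drop below matters.
add chain=input connection-state=invalid action=drop comment="drop invalid packets" disabled=no
add chain=input connection-state=related action=accept comment="accept related packets" disabled=no
add chain=input connection-state=established action=accept comment="accept established packets" disabled=no
add chain=input protocol=tcp psd=21,3s,3,1 action=drop comment="detect and drop port scan connections" disabled=no
add chain=input protocol=tcp connection-limit=3,32 src-address-list=black_list action=tarpit comment="suppress DoS attack" disabled=no
# NOTE(review): this counter is not limited to the WAN side. A LAN client that
# holds more than 10 concurrent TCP connections to the router (e.g. through the
# web proxy accepted on tcp/8080 in chain=services) is black-listed for 1d and
# tarpitted by the rule above. Consider exempting the cafe subnet with
# src-address=!<LAN-subnet placeholder> — confirm the subnet before adding it.
add chain=input protocol=tcp connection-limit=10,32 action=add-src-to-address-list address-list=black_list address-list-timeout=1d comment="detect DoS attack" disabled=no
add chain=input dst-address-type=!local action=drop comment="drop all that is not to local" disabled=no
# Label typo fixed ("drom" -> "drop"); the match itself is unchanged.
add chain=input src-address-type=!unicast action=drop comment="drop all that is not from unicast" disabled=no
# Chain ICMP is jumped to here and from chain=forward but is not defined in this
# listing; a jump to an empty chain matches nothing and simply returns.
add chain=input protocol=icmp action=jump jump-target=ICMP comment="jump to chain ICMP" disabled=no
add chain=input action=jump jump-target=services comment="jump to chain services" disabled=no
# FIX: the original chain ended after the jump, so anything chain=services did
# not accept returned here and hit the default accept — the services allow-list
# had no effect. Keep this as the LAST input rule, and make sure every
# management path you rely on (winbox tcp/8291, ssh tcp/22, ...) is accepted in
# chain=services before importing, or you lock yourself out. With chain ICMP
# undefined, echo requests to the router are now dropped as well; define chain
# ICMP (or accept icmp in chain=services) if ping to the router is wanted.
add chain=input action=drop comment="drop everything not accepted in chain services" disabled=no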

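# ---- chain=services: services the router itself offers (called from input) ----
# Every rule here matches from ANY source on ANY interface, so the management
# services below (ftp, ssh, telnet, http, winbox, snmp, web proxy) are reachable
# from the uplink as well as the LAN. If the uplink is public, restrict them
# with in-interface=<LAN-interface placeholder> or
# src-address-list=<trusted-hosts placeholder>, and disable unused ones in
# /ip service.
add chain=services protocol=tcp dst-port=53 action=accept comment="allow DNS request" disabled=no
add chain=services protocol=udp dst-port=53 action=accept comment="Allow DNS request" disabled=no
add chain=services src-address=127.0.0.1 dst-address=127.0.0.1 action=accept comment="accept localhost" disabled=no
# ftp (20-21), telnet (23) and http (80) carry credentials in clear text;
# prefer ssh/winbox or https for administration.
add chain=services protocol=tcp dst-port=20-21 action=accept comment="allow ftp" disabled=no
add chain=services protocol=tcp dst-port=22 action=accept comment="allow sftp, ssh" disabled=no
add chain=services protocol=tcp dst-port=23 action=accept comment="allow telnet" disabled=no
add chain=services protocol=tcp dst-port=80 action=accept comment="allow http, webbox" disabled=no
add chain=services protocol=tcp dst-port=8291 action=accept comment="Allow winbox" disabled=no
add chain=services protocol=udp dst-port=20561 action=accept comment="allow MACwinbox " disabled=no
add chain=services protocol=tcp dst-port=2000 action=accept comment="Bandwidth server" disabled=no
add chain=services protocol=udp dst-port=5678 action=accept comment=" MT Discovery Protocol" disabled=no
add chain=services protocol=udp dst-port=1701 action=accept comment="allow L2TP" disabled=no
add chain=services protocol=tcp dst-port=1723 action=accept comment="allow PPTP" disabled=no
add chain=services protocol=gre action=accept comment="allow PPTP and EoIP" disabled=no
add chain=services protocol=ipencap action=accept comment="allow IPIP" disabled=no
add chain=services protocol=udp dst-port=1900 action=accept comment="UPnP" disabled=no
add chain=services protocol=tcp dst-port=2828 action=accept comment="UPnP" disabled=no
add chain=services protocol=udp dst-port=67-68 action=accept comment="allow DHCP" disabled=no
add chain=services protocol=tcp dst-port=8080 action=accept comment="allow Web Proxy" disabled=no
# FIX: NTP runs over udp/123; the original matched tcp/123, which NTP never
# uses, so NTP requests to the router were not actually allowed by this rule.
add chain=services protocol=udp dst-port=123 action=accept comment="allow NTP" disabled=no
# FIX: SNMP runs over udp/161; the original matched tcp/161. SNMP exposes
# device and traffic details — restrict this rule to the monitoring host if
# SNMP is enabled at all.
add chain=services protocol=udp dst-port=161 action=accept comment="allow SNMP" disabled=no
add chain=services protocol=tcp dst-port=443 action=accept comment="allow https for Hotspot" disabled=no
add chain=services protocol=tcp dst-port=1080 action=accept comment="allow Socks for Hotspot" disabled=no
add chain=services protocol=udp dst-port=500 action=accept comment="allow IPSec connections" disabled=no
add chain=services protocol=ipsec-esp action=accept comment="allow IPSec" disabled=no
add chain=services protocol=ipsec-ah action=accept comment="allow IPSec" disabled=no
add chain=services protocol=tcp dst-port=179 action=accept comment="Allow BGP" disabled=no
add chain=services protocol=udp dst-port=520-521 action=accept comment="allow RIP" disabled=no
add chain=services protocol=ospf action=accept comment="allow OSPF" disabled=no
# NOTE(review): the original labelled this range "allow BGP", but BGP is
# tcp/179 (accepted above). The purpose of udp/5000-5100 is not stated anywhere
# in this script — verify it is needed before leaving it open, and remove it
# along with the routing-protocol rules (BGP/RIP/OSPF) if the router runs no
# dynamic routing, which is typical for a cafe gateway.
add chain=services protocol=udp dst-port=5000-5100 action=accept comment="allow udp 5000-5100 (labelled BGP in the original; BGP is tcp/179)" disabled=no
add chain=services protocol=tcp dst-port=1720 action=accept comment="allow Telephony" disabled=no
add chain=services protocol=udp dst-port=1719 action=accept comment="allow Telephony" disabled=no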

# ---- chain=forward: packets routed through the router (LAN <-> uplink) ----
# Stateful rules first, then the sanity drop, then the two side chains; the
# chain ends in an explicit accept (disabled=no is the default and is omitted).
add action=drop chain=forward connection-state=invalid comment="drop invalid packets"
add action=accept chain=forward connection-state=related comment="accept related packets"
add action=accept chain=forward connection-state=established comment="accept established packets"
add action=drop chain=forward src-address-type=!unicast comment="drop all that is not from unicast"
# Chain ICMP is not defined anywhere in this listing, so this jump currently
# returns without matching anything.
add action=jump chain=forward jump-target=ICMP protocol=icmp comment="jump to chain ICMP"
# chain=virus holds only drop rules; whatever it does not drop returns here.
add action=jump chain=forward jump-target=virus comment="jump to virus chain"
add action=accept chain=forward comment="Accept everything else"

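# ---- chain=output: packets originated by the router itself ----
# Reordered so the connection-state rules come first, matching chain=input and
# chain=forward: invalid packets are dropped before any per-service accept, and
# replies belonging to tracked connections are accepted as established/related.
add chain=output connection-state=invalid action=drop comment="drop invalid packets" disabled=no
add chain=output connection-state=related action=accept comment="accept related packets" disabled=no
add chain=output connection-state=established action=accept comment="accept established packets" disabled=no
add chain=output protocol=tcp dst-port=53 action=accept comment="allow DNS request" disabled=no
add chain=output protocol=udp dst-port=53 action=accept comment="Allow DNS request" disabled=no
add chain=output protocol=icmp action=accept comment="" disabled=no
# Every other connection the router initiates is dropped. Add explicit accepts
# above this line for router-originated traffic that is actually in use, e.g.
# NTP client (udp/123), RADIUS for hotspot/PPP (udp/1812-1813), or package
# downloads. NOTE(review): the web proxy accepted in chain=services (tcp/8080)
# presumably fetches upstream pages from the router itself, and those requests
# are dropped here too — confirm before relying on the proxy.
add chain=output action=drop comment="Drop all connections from this router" disabled=no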

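# ---- chain=virus: port-based worm/backdoor blocking (called from forward) ----
# Applies to routed traffic in both directions. The chain has no terminating
# rule: anything not dropped here returns to chain=forward and is accepted.
# NOTE(review): these are 2004-era worm ports; tcp/135-139 and tcp/udp 445 also
# carry Windows file sharing, so SMB between subnets that cross this router
# will stop working — intended for a cafe gateway, but worth knowing.
add chain=virus protocol=tcp dst-port=135-139 action=drop comment="Drop Blaster Worm" disabled=no
add chain=virus protocol=udp dst-port=135-139 action=drop comment="Drop Messenger Worm" disabled=no
add chain=virus protocol=tcp dst-port=445 action=drop comment="Drop Blaster Worm" disabled=no
add chain=virus protocol=udp dst-port=445 action=drop comment="Drop Blaster Worm" disabled=no
# The three "________" labels are garbled in the original; tcp/593 is commonly
# the Microsoft RPC-over-HTTP endpoint mapper and tcp/1214 the Kazaa/FastTrack
# port — treat as best guesses, not documentation of the author's intent.
add chain=virus protocol=tcp dst-port=593 action=drop comment="________" disabled=no
# NOTE(review): tcp/1024-1030 is a plain ephemeral-port range; dropping it in
# forward can break unrelated applications whose server side lands there.
add chain=virus protocol=tcp dst-port=1024-1030 action=drop comment="________" disabled=no
# Also blocks any SOCKS proxy on tcp/1080 reached through the router.
add chain=virus protocol=tcp dst-port=1080 action=drop comment="Drop MyDoom" disabled=no
add chain=virus protocol=tcp dst-port=1214 action=drop comment="________" disabled=no
add chain=virus protocol=tcp dst-port=1363 action=drop comment="ndm requester" disabled=no
add chain=virus protocol=tcp dst-port=1364 action=drop comment="ndm server" disabled=no
add chain=virus protocol=tcp dst-port=1368 action=drop comment="screen cast" disabled=no
add chain=virus protocol=tcp dst-port=1373 action=drop comment="hromgrafx" disabled=no
add chain=virus protocol=tcp dst-port=1377 action=drop comment="cichlid" disabled=no
add chain=virus protocol=tcp dst-port=1433-1434 action=drop comment="Worm" disabled=no
# FIX: the original had two identical tcp/2745 rules ("Bagle Virus" and
# "Drop Beagle.C-K"); the second could never match and has been merged here.
add chain=virus protocol=tcp dst-port=2745 action=drop comment="Drop Bagle Virus / Beagle.C-K" disabled=no
add chain=virus protocol=tcp dst-port=2283 action=drop comment="Drop Dumaru.Y" disabled=no
add chain=virus protocol=tcp dst-port=2535 action=drop comment="Drop Beagle" disabled=no
add chain=virus protocol=tcp dst-port=3127-3128 action=drop comment="Drop MyDoom" disabled=no
add chain=virus protocol=tcp dst-port=3410 action=drop comment="Drop Backdoor OptixPro" disabled=no
add chain=virus protocol=tcp dst-port=4444 action=drop comment="Worm" disabled=no
add chain=virus protocol=udp dst-port=4444 action=drop comment="Worm" disabled=no
add chain=virus protocol=tcp dst-port=5554 action=drop comment="Drop Sasser" disabled=no
add chain=virus protocol=tcp dst-port=8866 action=drop comment="Drop Beagle.B" disabled=no
add chain=virus protocol=tcp dst-port=9898 action=drop comment="Drop Dabber.A-B" disabled=no
add chain=virus protocol=tcp dst-port=10000 action=drop comment="Drop Dumaru.Y" disabled=no
add chain=virus protocol=tcp dst-port=10080 action=drop comment="Drop MyDoom.B" disabled=no
add chain=virus protocol=tcp dst-port=12345 action=drop comment="Drop NetBus" disabled=no
add chain=virus protocol=tcp dst-port=17300 action=drop comment="Drop Kuang2" disabled=no
add chain=virus protocol=tcp dst-port=27374 action=drop comment="Drop SubSeven" disabled=no
add chain=virus protocol=tcp dst-port=65506 action=drop comment="Drop PhatBot, Gaobot" disabled=no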
