routerOS防火墙规则
2008-02-23 04:55:17来源:互联网 阅读 ()
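# Input chain: packets addressed to the router itself.
# The syntax is that of the legacy "/ip firewall rule" menu, where a port is
# written as dst-address=:PORT. Newer RouterOS releases use
# "/ip firewall filter" with chain= and dst-port=, so these lines will not
# import there unchanged.
# Rules are evaluated top to bottom and the first match decides, so the
# order below is significant.
/ip firewall rule input
# Accept packets that belong to, or are related to, connections already tracked.
add protocol=tcp tcp-options=non-syn-only connection-state=established action=accept comment="Established TCP connections" disabled=no
add connection-state=related action=accept comment="Related connections" disabled=no
# Port deny list. The comment= labels are the author's and were largely
# copy-pasted ("blaster worm" appears on most ports, 5554/udp is labelled
# "Bt download"), so treat them as rough tags, not as an accurate port map.
add dst-address=:69 protocol=tcp action=drop comment="drop blaster worm" disabled=no
add dst-address=:69 protocol=udp action=drop comment="drop blaster worm" disabled=no
add dst-address=:134-139 protocol=tcp action=drop comment="drop blaster worm" disabled=no
add dst-address=:134-139 protocol=udp action=drop comment="drop blaster worm" disabled=no
add dst-address=:161-162 protocol=tcp action=drop comment="drop SNMP Trap" disabled=no
add dst-address=:161-162 protocol=udp action=drop comment="drop SNMP Trap" disabled=no
add dst-address=:445 protocol=tcp action=drop comment="drop blaster worm" disabled=no
add dst-address=:445 protocol=udp action=drop comment="drop blaster worm" disabled=no
add dst-address=:554 protocol=tcp action=drop comment="drop blaster wrom" disabled=no
add dst-address=:554 protocol=udp action=drop comment="drop blaster worm" disabled=no
add dst-address=:593 protocol=tcp action=drop comment="drop blaster worm" disabled=no
add dst-address=:593 protocol=udp action=drop comment="drop blaster worm" disabled=no
add dst-address=:1025 protocol=tcp action=drop comment="drop blaster worm" disabled=no
add dst-address=:1025 protocol=udp action=drop comment="drop blaster worm" disabled=no
add dst-address=:1068 protocol=tcp action=drop comment="drop blaster worm" disabled=no
add dst-address=:1068 protocol=udp action=drop comment="drop blaster worm" disabled=no
add dst-address=:2000 protocol=tcp action=drop comment="drop Millenium" disabled=no
add dst-address=:2000 protocol=udp action=drop comment="drop millenium" disabled=no
add dst-address=:3127-3198 protocol=tcp action=drop comment="drop proxy worm" disabled=no
add dst-address=:3127-3198 protocol=udp action=drop comment="drop proxy worm" disabled=no
add dst-address=:3389 protocol=tcp action=drop comment="drop windows supper clinet link" disabled=no
add dst-address=:3389 protocol=udp action=drop comment="drop windows supper clinet link" disabled=no
add dst-address=:4444 protocol=tcp action=drop comment="drop blaster worm" disabled=no
add dst-address=:4444 protocol=udp action=drop comment="drop blaster worm" disabled=no
add dst-address=:5554 protocol=tcp action=drop comment="drop blaster worm" disabled=no
add dst-address=:5554 protocol=udp action=drop comment="drop Bt download" disabled=no
add dst-address=:6881-6889 protocol=tcp action=drop comment="drop drop Bt download" disabled=no
add dst-address=:6881-6889 protocol=udp action=drop comment="drop drop Bt download" disabled=no
add dst-address=:8881-8889 protocol=tcp action=drop comment="drop drop Bt download" disabled=no
add dst-address=:8881-8889 protocol=udp action=drop comment="drop drop Bt download" disabled=no
# NOTE(review): the next two rules are identical (both tcp). The second was
# presumably meant to be protocol=udp, like every other pair above. Confirm
# before changing it; as written, 39213/udp reaches the accept-all-UDP rule.
add dst-address=:39213 protocol=tcp action=drop comment="drop worm" disabled=no
add dst-address=:39213 protocol=tcp action=drop comment="drop worm" disabled=no
# NOTE(review): this accepts every UDP packet not dropped above, from any
# source, so the final drop rule never applies to UDP. Any UDP service the
# router runs is reachable from the WAN side unless it is listed in the deny
# list. Narrowing this rule to the services and source networks actually
# needed would make the default-deny at the end effective for UDP as well.
add protocol=udp action=accept comment="udp" disabled=no
# XXX.XXX.XXX.XXX is a placeholder left by the author. Replace it with the
# address that should not answer pings (presumably the router's public
# address) before importing. In the original listing the comment=/disabled=
# pair of this rule had been detached onto a line of its own.
add dst-address=XXX.XXX.XXX.XXX/32 protocol=icmp action=drop comment="dont ping me" disabled=no
# Rate-limited accept for the remaining ICMP. Packets over the limit fall
# through to the rules below.
add protocol=icmp limit-count=50 limit-burst=2 limit-time=5s action=accept comment="allow limited pings" disabled=no
# NOTE(review): this matches on the destination, not the source. TCP port 3987
# on any router address outside 192.168.0.0/24 is dropped, whoever the sender
# is. If the aim is to keep non-LAN hosts off that port (presumably a
# management port on this release; verify), a src-address match states it
# directly.
add dst-address=!192.168.0.0/24:3987 protocol=tcp action=drop comment="dont link me" disabled=no
# LAN hosts may reach 192.168.0.125 (presumably the router's LAN address) on
# anything not dropped above. The URL inside the comment string looks like a
# watermark from the site the listing was copied from.
add src-address=192.168.0.0/24 dst-address=192.168.0.125/32 action=accept comment="http://blog.chinaitlab.com/from lan admin" disabled=no
# Default deny: whatever reached this point is logged and dropped.
add action=drop log=yes comment="Log and drop everything else" disabled=no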
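# Forward chain: traffic routed through the router to other hosts.
# Author's heading: "block certain website IPs".
# Only the packets matched below are dropped. This chain has no closing
# default-deny rule in the listing, so everything else is forwarded.
/ip firewall rule forward
# NOTE(review): the two rules below are identical (both tcp). The second was
# presumably meant to be protocol=udp, as in the input chain. Confirm.
add dst-address=:134-139 protocol=tcp action=drop comment="drop blaster worm" disabled=no
add dst-address=:134-139 protocol=tcp action=drop comment="drop blaster worm" disabled=no
# Blocks a single destination host by address. The site name survives only in
# the comment; the rule itself matches only the IP.
add dst-address=61.240.246.41/32 action=drop comment="DROP WWW. CY07.COM" disabled=no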
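# Management services. Author's heading: "prevent the router from being
# controlled from the WAN". address= limits the source networks allowed to
# connect to each service; disabled=yes turns the service off.
# NOTE(review): telnet and ssh are switched off, while ftp and www stay on.
# Both remaining services send credentials unencrypted, and moving them to
# another port does not change that. If they are not needed, disable them
# too. If a remote shell is needed, ssh restricted to the LAN is the safer
# one to enable.
/ip service
set telnet port=23 address=192.168.0.0/24 disabled=yes
# Author's note: "change port 21" (pick a non-default port here).
set ftp port=21 address=192.168.0.0/24 disabled=no
# Author's note: "change port 80" (pick a non-default port here).
set www port=80 address=192.168.0.0/24 disabled=no
set ssh port=22 address=192.168.0.0/24 disabled=yes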
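# Author's heading: "the administrator may only log in from the LAN".
# Item 0 is the first entry of the user list (presumably the built-in admin
# account). Check with "print" that it is the intended user before relying on
# the number.
# The address restriction complements a strong password on that account; it
# does not replace one.
/user
set 0 address=192.168.0.0/24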
将规则另存为 *.rsc 文件，然后进入控制台（或者直接在路由器本机上操作），输入 import *.rsc，
规则即导入完成。