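# Connection-tracking helpers (RouterOS "service ports", i.e. ALGs). Each
# enabled helper parses the control channel of untrusted traffic inside the
# router, so only the helpers this network actually uses should stay enabled.
# This same section is repeated at the end of the listing.
/ip firewall service-port
set ftp ports=21 disabled=no
set tftp ports=69 disabled=no
set irc ports=6667 disabled=no
set h323 disabled=no
set quake3 disabled=no
set mms disabled=no
set gre disabled=no
set pptp disabled=no

# MSS clamping for forwarded TCP. SYNs that announce an MSS above 1440 are
# rewritten to 1440 so traffic crossing a smaller-MTU link (PPPoE/ADSL) is not
# fragmented. tcp-mss=1441-65535 confines the rewrite to SYNs that advertise a
# larger value; without it change-mss also *raises* the MSS of a peer that
# announced a smaller one.
/ip firewall mangle
add chain=forward protocol=tcp tcp-flags=syn tcp-mss=1441-65535 action=change-mss new-mss=1440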
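# Connection-tracking timeouts. The short syn-sent / syn-received (1m) and
# closing-state (10s) values age half-open and dying connections out of the
# tracking table quickly, which bounds how much table memory a SYN flood can
# pin; the 1d established timeout keeps idle but live sessions tracked.
# Line continuation in RouterOS scripts is a single "\" (the source carried
# doubled "\\", an escaping artefact that would not parse as a continuation).
/ip firewall connection tracking
set enabled=yes tcp-syn-sent-timeout=1m tcp-syn-received-timeout=1m \
    tcp-established-timeout=1d tcp-fin-wait-timeout=10s \
    tcp-close-wait-timeout=10s tcp-last-ack-timeout=10s \
    tcp-time-wait-timeout=10s tcp-close-timeout=10s udp-timeout=10s \
    udp-stream-timeout=3m icmp-timeout=10s generic-timeout=10m

# + firewall section +#
/ip firewall filter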
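# Drop Windows RPC/NetBIOS (TCP and UDP 135-139) addressed to the router.
# The truncated "comment=\" value in the source is replaced with a real string.
# These two rules sit before the established/related accept, so every packet
# (not only new connections) is checked here -- harmless, one extra match each.
add chain=input protocol=tcp dst-port=135-139 action=drop comment="drop 135-139"
add chain=input protocol=udp dst-port=135-139 action=drop comment="drop 135-139"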
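# + packets addressed to this router (chain=input) +#
# Accept traffic belonging to connections already in the tracking table first,
# so the stateful checks below only see new or odd packets. The truncated
# "comment=\" value in the source is replaced with a real string.
add chain=input connection-state=established action=accept comment="established"
add chain=input connection-state=related action=accept comment="related"
# Loopback traffic (router talking to itself).
add chain=input src-address=127.0.0.1 dst-address=127.0.0.1 action=accept
# Packets connection tracking cannot classify (bad state / sequence).
add chain=input connection-state=invalid action=drop
# Destination is not one of this router's own addresses.
add chain=input dst-address-type=!local action=drop
# Source address is not unicast. The source comment said "drop multicast", but
# the matcher is on the *source* address type: a broadcast/multicast source is
# not a legitimate peer, and that is what is dropped here.
add chain=input src-address-type=!unicast action=drop
# + security +#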
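# Port-scan detection. psd=WeightThreshold,DelayThreshold,LowPortWeight,HighPortWeight:
# packets from one source to changing destination ports accumulate weight
# (3 per low port, 1 per high port); reaching 21 inside the 3s window is
# treated as a scan and the packet is dropped. The truncated "comment=\" value
# in the source is replaced with a real string.
add chain=input protocol=tcp psd=21,3s,3,1 action=drop comment="port scan"
# More than 10 concurrent TCP connections from one /32 source is treated as a
# DoS attempt: the source is put on black_list for 1 day. NOTE(review): behind
# a NAT gateway one public address can legitimately exceed 10 connections --
# tune the threshold for the deployment.
add chain=input protocol=tcp connection-limit=10,32 action=add-src-to-address-list \
    address-list=black_list address-list-timeout=1d disabled=no
# Blacklisted sources are tarpitted once they hold 3 concurrent connections.
add chain=input protocol=tcp connection-limit=3,32 src-address-list=black_list action=tarpit disabled=no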
# + ICMP +#
# Allow only the ICMP that ping and traceroute need, in input, output and
# forward alike; every other ICMP packet hits the three trailing drop rules.
#   type 0          echo reply
#   type 3 code 3   port unreachable (traceroute end-of-path replies)
#   type 3 code 4   fragmentation needed (path-MTU discovery -- must pass)
#   type 8          echo request
#   type 11         time exceeded (traceroute hop replies)
# Each accept is rate-limited with limit=5,5. NOTE(review): the limit= syntax
# changed between RouterOS releases; confirm it against the running version.

# chain=input
add chain=input protocol=icmp icmp-options=0:0-255 limit=5,5 action=accept
add chain=input protocol=icmp icmp-options=3:3 limit=5,5 action=accept
add chain=input protocol=icmp icmp-options=3:4 limit=5,5 action=accept
add chain=input protocol=icmp icmp-options=8:0-255 limit=5,5 action=accept
add chain=input protocol=icmp icmp-options=11:0-255 limit=5,5 action=accept

# chain=output
add chain=output protocol=icmp icmp-options=0:0-255 limit=5,5 action=accept
add chain=output protocol=icmp icmp-options=3:3 limit=5,5 action=accept
add chain=output protocol=icmp icmp-options=3:4 limit=5,5 action=accept
add chain=output protocol=icmp icmp-options=8:0-255 limit=5,5 action=accept
add chain=output protocol=icmp icmp-options=11:0-255 limit=5,5 action=accept

# chain=forward
add chain=forward protocol=icmp icmp-options=0:0-255 limit=5,5 action=accept
add chain=forward protocol=icmp icmp-options=3:3 limit=5,5 action=accept
add chain=forward protocol=icmp icmp-options=3:4 limit=5,5 action=accept
add chain=forward protocol=icmp icmp-options=8:0-255 limit=5,5 action=accept
add chain=forward protocol=icmp icmp-options=11:0-255 limit=5,5 action=accept

# Anything ICMP not accepted above.
add chain=input protocol=icmp action=drop
add chain=output protocol=icmp action=drop
add chain=forward protocol=icmp action=drop
# NOTE(review): this listing ends the input chain here with no default-deny
# (e.g. `add chain=input action=drop`) and no explicit accept for management
# services. If the real ruleset also ends here, input traffic matched by none
# of the rules above is accepted; confirm against the full configuration.
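# Repeat of the service-port / mangle section from the top of this listing
# (likely a paste artefact; applying both adds the mangle rule twice).
# Each enabled helper (ALG) parses the control channel of untrusted traffic
# inside the router, so only the ones this network needs should stay enabled.
/ip firewall service-port
set ftp ports=21 disabled=no
set tftp ports=69 disabled=no
set irc ports=6667 disabled=no
set h323 disabled=no
set quake3 disabled=no
set mms disabled=no
set gre disabled=no
set pptp disabled=no

# + MSS value +  (the source heading read "MMS", a typo for MSS)
# On fibre access this hardly matters; on ADSL, if some web pages fail to
# load, lower this value. tcp-mss=1441-65535 confines the rewrite to SYNs that
# advertise a larger MSS; without it change-mss also *raises* the MSS of a
# peer that announced a smaller one.
/ip firewall mangle
add chain=forward protocol=tcp tcp-flags=syn tcp-mss=1441-65535 action=change-mss new-mss=1440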