gfx wrote:
就說您設錯了,連出d...(恕刪)
G兄您好~
其實您說的部份我早先也有這麼設過,只是也是沒反應.....
呵呵~
個人積分:0分
文章編號:50038980
個人積分:1603分
文章編號:50039389
個人積分:0分
文章編號:50040200
個人積分:0分
文章編號:50044333
個人積分:5089分
文章編號:50044744
個人積分:0分
文章編號:50046519
個人積分:351分
文章編號:50086974
個人積分:710分
文章編號:50108554
一直到5/12幾乎每天都會查看address-list.但都沒有封鎖的ip,除非有神功護體..
中間有升級到6.12,5/12 netinstall 重新安裝RB450 routeros 6.12
附上firewall設定檔 第一條drop input我卻可以上Mobile01,是不是代表firewall沒有動作呢?
請問大大這是什麼原因呢?
/ip firewall address-list
add address=0.0.0.0/8 list=blacklist
add address=10.0.0.0/8 list=blacklist
add address=192.168.0.0/16 list=blacklist
add address=172.0.0.0/8 list=blacklist
add address=14.0.0.0/8 list=blacklist
add address=169.254.0.0/16 list=blacklist
add address=100.0.0.0/8 list=blacklist
add address=1.0.0.0/8 list=blacklist
add address=224.0.0.0/4 list=blacklist
add address=240.0.0.0/4 list=blacklist
add address=255.0.0.0/8 list=blacklist
add address=8.8.8.8 list=dns
add address=208.67.220.220 list=dns
/ip firewall filter
add action=drop chain=input
add action=drop chain=input in-interface=wan src-address-list=blacklist
add action=drop chain=input dst-address-list=blacklist in-interface=wan
add action=add-src-to-address-list address-list=blacklist chain=input \
in-interface=wan protocol=icmp
add action=drop chain=input in-interface=wan protocol=icmp
add action=add-src-to-address-list address-list=blacklist chain=input \
connection-state=new in-interface=wan
add action=drop chain=input connection-state=new in-interface=wan
add action=add-src-to-address-list address-list=blacklist chain=input \
connection-state=invalid in-interface=wan
add action=drop chain=input connection-state=invalid in-interface=wan
add action=add-src-to-address-list address-list=blacklist chain=input \
add action=add-src-to-address-list address-list=blacklist chain=input \
add action=drop chain=input dst-port=0-10240 in-interface=wan protocol=tcp
add action=add-src-to-address-list address-list=blacklist chain=input \
dst-port=0-10240 in-interface=wan protocol=udp
add action=drop chain=input dst-port=0-10240 in-interface=wan protocol=udp
add chain=input connection-state=established in-interface=wan protocol=tcp
add chain=input connection-state=established in-interface=wan protocol=udp \
src-address-list=dns src-port=53
add action=drop chain=input in-interface=wan
add action=drop chain=output dst-address-list=blacklist out-interface=wan
add chain=output connection-state=new out-interface=wan protocol=tcp
add chain=output connection-state=established out-interface=wan protocol=tcp
add chain=output connection-state=new out-interface=wan protocol=udp
add action=drop chain=output out-interface=wan
/ip firewall nat
add action=masquerade chain=srcnat src-address=10.168.168.0/24
add action=masquerade chain=srcnat src-address=10.168.169.0/24
個人積分:1603分
文章編號:50108862
chief51688 wrote:
5/6 在露天買的R...(恕刪)
若您想設定防火牆的白名單規則,請參考小弟整理:
firewall filter白名單
個人積分:5089分
文章編號:50112192
既然大大出考題, 那大家就先動動腦, 大大這些 firewall rule 是自己設定的嗎? 你原本預期這些 firewall rule 是要達到什麼作用? 小弟比較建議了解每個指令或是功能所達到的目的, 而並非一下子就套用一大堆規則進來.
>> 中間有升級到6.12,5/12 netinstall 重新安裝RB450 routeros 6.12
firmware 升級並需要用到 netinstall 那麼麻煩, 你可以參考前面的討論文章.
>> 附上firewall設定檔 第一條drop input我卻可以上Mobile01,是不是代表firewall沒有動作呢?
chain=input 是指任何封包目的地是 router 本身, 你應該要處理的是 chain=forward.
FB: Pctine
