


NeverGiveUp!! wrote:
The old ancestor has corrected it now. Hope...(snipped)
```
/ip firewall address-list
add address=0.0.0.0/8 list=BOGONS
add address=10.0.0.0/8 list=BOGONS
add address=100.64.0.0/10 list=BOGONS
add address=127.0.0.0/8 list=BOGONS
add address=169.254.0.0/16 list=BOGONS
add address=172.16.0.0/12 list=BOGONS
add address=192.0.0.0/24 list=BOGONS
add address=192.0.2.0/24 list=BOGONS
add address=192.88.99.0/24 list=BOGONS
add address=192.168.0.0/16 list=BOGONS
add address=198.18.0.0/15 list=BOGONS
add address=198.51.100.0/24 list=BOGONS
add address=203.0.113.0/24 list=BOGONS
add address=224.0.0.0/3 list=BOGONS
add address=224.0.0.0/4 list=BOGONS
add address=224.0.0.0/24 list=BOGONS
add address=224.0.1.0/24 list=BOGONS
add address=224.0.2.0-224.0.255.255 list=BOGONS
add address=224.3.0.0-224.4.255.255 list=BOGONS
add address=232.0.0.0/8 list=BOGONS
add address=233.0.0.0/8 list=BOGONS
add address=233.252.0.0/14 list=BOGONS
add address=234.0.0.0/8 list=BOGONS
add address=239.0.0.0/8 list=BOGONS
add address=240.0.0.0/4 list=BOGONS

/ip firewall nat
add action=redirect chain=dstnat comment=DNS dst-port=53 protocol=tcp to-ports=53
add action=redirect chain=dstnat dst-port=53 protocol=udp to-ports=53
add action=masquerade chain=srcnat comment="IP Masquerading" src-address=192.168.88.0/24

/ip firewall filter
add action=reject chain=forward dst-port=53,443 log=yes protocol=udp reject-with=icmp-network-unreachable src-address=192.168.88.0/24
add chain=input comment="Accept established connections" connection-state=established
add chain=input comment="Accept related connections" connection-state=related
add action=reject chain=input comment="Reject invalid connections" connection-state=invalid reject-with=icmp-network-unreachable
add action=accept chain=input comment=UDP limit=0,0:packet protocol=udp disabled=no
add action=accept chain=input comment="Allow limited pings" icmp-options=!8:0-255 limit=50/5s,2:packet protocol=icmp tcp-flags=""
add action=reject chain=input comment="Reject excess pings" log=yes protocol=icmp reject-with=icmp-network-unreachable
add action=accept chain=input comment="From our LAN" in-interface=bridge src-address=192.168.88.0/24
add action=reject chain=input comment="Reject all packets which are not destined to routes IP address" dst-address-type=!local log=yes reject-with=icmp-network-unreachable
add action=reject chain=input comment="Reject all packets which does not have unicast source IP address" log=yes reject-with=icmp-network-unreachable src-address-type=!unicast
add action=reject chain=input comment="Reject all packets from bogons internet which should not exist in bogons network" in-interface=pppoe-out1 log=yes reject-with=icmp-network-unreachable src-address-list=BOGONS
add action=reject chain=forward comment="Reject invalid packets" connection-state=invalid reject-with=icmp-network-unreachable
add action=accept chain=forward comment="Accept established and related packets" connection-state=established,related
add action=jump chain=forward comment="DDoS Detection and Blocking" connection-state=new jump-target=detect-ddos
add action=return chain=detect-ddos dst-limit=32,32,src-and-dst-addresses/10s
add action=return chain=detect-ddos src-address=192.168.88.1
add action=add-dst-to-address-list address-list=ddosed address-list-timeout=10m chain=detect-ddos
add action=add-src-to-address-list address-list=ddoser address-list-timeout=10m chain=detect-ddos
add action=reject chain=forward comment="Reject new connections from internet which are not dst-natted" connection-nat-state=!dstnat connection-state=new in-interface=pppoe-out1 log=yes reject-with=icmp-network-unreachable
add action=reject chain=forward comment="Reject all packets from bogons internet which should not exist in bogons network" in-interface=pppoe-out1 log=yes reject-with=icmp-network-unreachable src-address-list=BOGONS
add action=reject chain=forward comment="Reject all packets from local network to internet which should not exist in bogons network" dst-address-list=BOGONS in-interface=bridge log=yes reject-with=icmp-network-unreachable
add action=reject chain=forward comment="Reject all packets in local network which does not have local network address" in-interface=bridge log=yes reject-with=icmp-network-unreachable src-address=!192.168.88.0/24
add action=reject chain=forward comment="Block Teredo IPv6-tunnel" disabled=no dst-port=3544,3545 protocol=udp reject-with=icmp-network-unreachable src-port=1024-65535
add action=reject chain=input comment="REJECT Bogons" disabled=no in-interface=pppoe-out1 log=yes reject-with=icmp-network-unreachable src-address-list=BOGONS
add action=reject chain=forward connection-state=new disabled=no dst-address-list=BOGONS in-interface=bridge log=yes protocol=tcp reject-with=tcp-reset
add action=reject chain=forward disabled=no dst-address-list=BOGONS in-interface=bridge log=yes reject-with=icmp-network-unreachable
add action=log chain=input comment="Log everything else" log-prefix="REJECT INPUT"
add action=reject chain=input comment="Reject everything else" reject-with=icmp-network-unreachable

/ip firewall mangle
add action=mark-routing chain=prerouting dst-address-list=ddosed new-routing-mark=ddoser-route-mark passthrough=no src-address-list=ddoser

/ip route
add distance=1 routing-mark=ddoser-route-mark type=blackhole
```
--
Baby :) now the undercurrent is done for. Hee hee, ha ha.


LAN. WAN. Commands not added; set them up, then add.--

