Those Years We Ran a Comedy Real Estate Company Together: Foreclosure Listings in the Five Municipalities Surge in September - Off-Topic Edition

Character is a person's best trump card.
These two rules have been added and amended.


add action=accept chain=forward comment=\
"Accept all New Packets connections from network" connection-state=new \
connection-nat-state=!dstnat in-interface=bridge src-address-list=LAN
add action=accept chain=input comment="From our LAN" in-interface=bridge \
connection-state=new connection-nat-state=!dstnat src-address-list=LAN
/ip firewall address-list
add address=192.168.88.2-192.168.88.254 list=LAN
add address=0.0.0.0/8 list=BOGONS
add address=10.0.0.0/8 list=BOGONS
add address=100.64.0.0/10 list=BOGONS
add address=127.0.0.0/8 list=BOGONS
add address=169.254.0.0/16 list=BOGONS
add address=172.16.0.0/12 list=BOGONS
add address=192.0.0.0/24 list=BOGONS
add address=192.0.2.0/24 list=BOGONS
add address=192.88.99.0/24 list=BOGONS
add address=192.168.0.0/16 list=BOGONS
add address=198.18.0.0/15 list=BOGONS
add address=198.51.100.0/24 list=BOGONS
add address=203.0.113.0/24 list=BOGONS
add address=224.0.0.0/3 list=BOGONS
add address=224.0.0.0/4 list=BOGONS
add address=224.0.0.0/24 list=BOGONS
add address=224.0.1.0/24 list=BOGONS
add address=224.0.2.0-224.0.255.255 list=BOGONS
add address=224.3.0.0-224.4.255.255 list=BOGONS
add address=232.0.0.0/8 list=BOGONS
add address=233.0.0.0/8 list=BOGONS
add address=233.252.0.0/14 list=BOGONS
add address=234.0.0.0/8 list=BOGONS
add address=239.0.0.0/8 list=BOGONS
add address=240.0.0.0/4 list=BOGONS
/ip firewall nat
add action=redirect chain=dstnat comment=DNS dst-port=53 protocol=tcp \
to-ports=53
add action=redirect chain=dstnat dst-port=53 protocol=udp to-ports=53
add action=masquerade chain=srcnat comment="IP Masquerading" \
src-address-list=LAN
/ip firewall filter
add action=reject chain=forward dst-port=53,443 log=yes protocol=udp \
reject-with=icmp-network-unreachable src-address-list=LAN log-prefix=\
"Reject LAN -> UDP(53,443)"
add action=accept chain=input comment=\
"Accept established and related packets" connection-state=\
established,related
add action=accept chain=input comment=udp limit=1/365d,0:packet protocol=udp
add action=accept chain=input comment="From our LAN" in-interface=bridge \
connection-state=new connection-nat-state=!dstnat src-address-list=LAN
add action=accept chain=input comment="Allow limited pings" icmp-options=\
!8:0-255 limit=50/5s,2:packet protocol=icmp
add action=reject chain=input comment="Reject login brute forcers 1" dst-port=\
21,22,23,8291 log=yes protocol=tcp reject-with=icmp-network-unreachable \
src-address-list=login_blacklist
add action=add-src-to-address-list address-list=login_blacklist \
address-list-timeout=4d chain=input comment="Reject login brute forcers 2" \
connection-state=new dst-port=21,22,23,8291 protocol=tcp
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment=\
"Reject port scanners - Port scanners to list" log=yes protocol=tcp psd=\
21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="NMAP FIN Stealth scan" log=\
yes protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="SYN/FIN scan" log=yes \
protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="SYN/RST scan" log=yes \
protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" log=yes \
protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="ALL/ALL scan" log=yes \
protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="NMAP NULL scan" log=yes \
protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=reject chain=input comment="dropping port scanners" log=yes \
reject-with=icmp-network-unreachable src-address-list="port scanners"
add action=reject chain=input comment="Reject all packets from public internet\
\_which should not exist in public network" in-interface=pppoe-out1 log=\
yes reject-with=icmp-network-unreachable src-address-list=BOGONS
add action=accept chain=forward comment="Established, Related" \
connection-state=established,related
add action=log chain=forward comment=Log connection-state=new
add action=log chain=forward connection-state=related log-prefix=RELATED
add action=log chain=forward protocol=ipv6
add action=log chain=forward protocol=gre
add action=log chain=forward protocol=ipsec-esp
add action=jump chain=forward comment="DDoS Detection and Blocking" \
connection-state=new jump-target=detect-ddos
add action=return chain=detect-ddos dst-limit=32,32,src-and-dst-addresses/10s
add action=return chain=detect-ddos src-address=192.168.88.1
add action=add-dst-to-address-list address-list=ddosed address-list-timeout=\
10m chain=detect-ddos
add action=add-src-to-address-list address-list=ddoser address-list-timeout=\
10m chain=detect-ddos
add action=accept chain=forward comment=\
"Accept all New Packets connections from network" connection-state=new \
connection-nat-state=!dstnat in-interface=bridge src-address-list=LAN
add action=reject chain=forward comment="Reject new TOR version" log=yes \
reject-with=icmp-network-unreachable src-address-list="New Tor-Users"
add action=reject chain=forward comment="Block TOR browser" log=yes \
reject-with=icmp-network-unreachable src-address-list=Tor-Users
add action=reject chain=forward comment=\
"Reject tries to reach not BOGONS addresses from LAN" dst-address-list=\
BOGONS in-interface=bridge log=yes log-prefix=!public_from_LAN \
out-interface=!bridge reject-with=icmp-network-unreachable
add action=reject chain=forward comment=\
"Reject new connections from internet which are not dst-natted" \
connection-nat-state=!dstnat connection-state=new in-interface=pppoe-out1 \
log=yes reject-with=icmp-network-unreachable
add action=reject chain=forward comment="Reject all packets from BOGONS inter\
net which should not exist in BOGONS network" in-interface=pppoe-out1 log=\
yes reject-with=icmp-network-unreachable src-address-list=BOGONS
add action=reject chain=forward comment="Reject all packets from local network\
\_to internet which should not exist in BOGONS network" dst-address-list=\
BOGONS in-interface=bridge log=yes reject-with=\
icmp-network-unreachable
add action=reject chain=forward comment="Reject all packets in local network w\
hich does not have local network address" in-interface=bridge log=yes \
reject-with=icmp-network-unreachable src-address=!192.168.88.0/24
add action=reject chain=forward comment="Reject All Forward Packets" log=yes \
log-prefix="Reject All Packets" reject-with=icmp-network-unreachable
add action=log chain=input comment="Log everything else" log-prefix=\
"REJECT INPUT"
add action=reject chain=input comment="Reject everything else" reject-with=\
icmp-network-unreachable
/ip firewall mangle
add action=mark-routing chain=prerouting dst-address-list=ddosed \
new-routing-mark=ddoser-route-mark passthrough=no src-address-list=ddoser
add action=add-src-to-address-list address-list="New Tor-Users" \
address-list-timeout=5m chain=prerouting comment="New Tor Version" \
dst-port=22 log=yes protocol=tcp
add action=add-src-to-address-list address-list=Tor-Users \
address-list-timeout=5m chain=prerouting comment="Tor Users" \
dst-address-list=TOR-SERVERS dst-port=443 protocol=tcp
/ip route
add distance=1 routing-mark=ddoser-route-mark type=blackhole
/system scheduler
add comment="Check and set NTP servers" interval=6h name=SetNtpServers \
on-event="# SetNtpServers - Check and set NTP servers from NTP pool\r\
\n# v1.2 Tested and Developed on ROS v5.7\r\
\n#\r\
\n# Change the following line as needed as progName should match script name\r\
\n:local progName \"SetNtpServers\";\r\
\n\r\
\n# Array of NTP pools to use (check time.windows.com) one or a maximum of two, a primary & secondary\r\
\n# Modify the following line and array variable based on your locale (default is north america).\r\
\n:local arrNtpSystems (\"time.windows.com\", \"time.nist.gov\");\r\
\n# Alternatively the US related pool below can be used.\r\
\n#:local arrNtpSystems (\"time.windows.com\", \"time.nist.gov\");\r\
\n#\r\
\n# No modification is necessary beyond this line.\r\
\n:put \"\$progName: Running...\";\r\
\n:log info \"\$progName: Running...\";\r\
\n:set arrNtpSystems [ :toarray \$arrNtpSystems ];\r\
\n:if (( [ :len \$arrNtpSystems ] < 1 ) or ( [ :len \$arrNtpSystems ] > 2 )) do={\r\
\n:put \"\$progName: ERROR NTP Systems array (\\\$arrNtpSystems) must be either one or two DNS names.\";\r\
\n:log info \"\$progName: ERROR NTP Systems array (\\\$arrNtpSystems) must be either one or two DNS names.\";\r\
\n} else={\r\
\n:local arrRosNtpSetting (\"primary-ntp\", \"secondary-ntp\");\r\
\n:local i 0;\r\
\n:foreach strNtpSystem in (\$arrNtpSystems) do={\r\
\n:local ipAddrNtpSystem [ :resolve \$strNtpSystem ];\r\
\n:local strRosNtpSetting [ :pick \$arrRosNtpSetting \$i ];\r\
\n:local strCurrentNtpIp [ /system ntp client get \$strRosNtpSetting ];\r\
\n:put \"\$progName: NTP server DNS name \$strNtpSystem resolves to \$ipAddrNtpSystem.\";\r\
\n:log info \"\$progName: NTP server DNS name \$strNtpSystem resolves to \$ipAddrNtpSystem.\";\r\
\n:put \"\$progName: Current \$strRosNtpSetting setting is \$strCurrentNtpIp.\";\r\
\n:log info \"\$progName: Current \$strRosNtpSetting setting is \$strCurrentNtpIp.\";\r\
\n:if ( [ :toip \$ipAddrNtpSystem ] != [ :toip \$strCurrentNtpIp ] ) do={\r\
\n:put \"\$progName: Changing \$strRosNtpSetting setting to \$ipAddrNtpSystem.\";\r\
\n:log info \"\$progName: Changing \$strRosNtpSetting setting to \$ipAddrNtpSystem.\";\r\
\n:local strCommand [ :parse \"/system ntp client set \$strRosNtpSetting=\\\"\$ipAddrNtpSystem\\\"\" ];\r\
\n\$strCommand;\r\
\n} else={\r\
\n:put \"\$progName: No changes were made for the \$strRosNtpSetting NTP setting.\";\r\
\n:log info \"\$progName: No changes were made for the \$strRosNtpSetting NTP setting.\";\r\
\n}\r\
\n:set i (\$i + 1);\r\
\n}\r\
\n}\r\
\n:put \"\$progName: Done.\";\r\
\n:log info \"\$progName: Done.\";" policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-time=startup
add comment=Download_Ads_List interval=24h name=DownloadAdsList \
on-event="/system script run Blocklister_download_Ads" policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-time=startup
add interval=25h name=DownloadHijackedList on-event=\
"/system script run Blocklister_download_Hijacked" policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-time=startup
add interval=26h name=DownloadMalwaredomainlistList on-event=\
"/system script run Blocklister_download_Malwaredomainlist" policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-time=startup
/system script
add name=Blocklister_download_Ads owner=admin policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/\
tool fetch url=\"https://blocklister.gefoo.org/ads\" dst-path=\"ads.rsc\";\
\_/import file-name=\"ads.rsc\";"
add name=Blocklister_download_Hijacked owner=admin policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/\
tool fetch url=\"https://blocklister.gefoo.org/hijacked\" dst-path=\"hijac\
ked.rsc\"; /import file-name=\"hijacked.rsc\";"
add name=Blocklister_download_Malwaredomainlist owner=admin policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/\
tool fetch url=\"https://blocklister.gefoo.org/malwaredomainlist\" dst-pat\
h=\"malwaredomainlist.rsc\"; /import file-name=\"malwaredomainlist.rsc\";"
/ip firewall raw
add action=drop chain=prerouting dst-address-list=ads_list log=yes
add action=drop chain=prerouting dst-address-list=hijacked_list log=yes
add action=drop chain=prerouting dst-address-list=malwaredomainlist_list \
log=yes
add action=drop chain=prerouting src-address-list="port scanners" log=yes
add action=drop chain=prerouting src-address-list=login_blacklist log=yes
add action=drop chain=prerouting comment="Block Teredo IPv6-tunnel" dst-port=\
3544,3545 protocol=udp src-port=1024-65535
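An export like the one above is worth running through a small lint pass before importing it. The following Python is an added example written for this page, not code from the thread or from MikroTik. It assumes the RouterOS export conventions (a trailing backslash wraps a line, a continuation beginning with `\_` stands for a leading space, values may be double-quoted with backslash escapes) and works on a constructed excerpt in the style of the rules above. It joins wrapped lines, parses the `key=value` parameters, and then reports address lists that rules reference but nothing defines, unquoted values that spill into a stray token, and BOGONS entries already covered by a wider entry; `list_contains` answers whether a given source address would hit the BOGONS reject rule.

```python
"""Lint a RouterOS export excerpt: unwrap continuation lines, parse key=value
parameters, and sanity-check the firewall address lists.

Added example, not code from the thread or from MikroTik. Assumptions: lines
wrap with a trailing backslash, a continuation starting with "\_" stands for
a leading space, and values may be double-quoted with backslash escapes.
SAMPLE_EXPORT is a constructed excerpt in the style of the posted rules."""
import ipaddress

SAMPLE_EXPORT = r'''
/ip firewall address-list
add address=192.168.88.2-192.168.88.254 list=LAN
add address=10.0.0.0/8 list=BOGONS
add address=224.0.0.0/3 list=BOGONS
add address=224.0.0.0/4 list=BOGONS
add address=239.0.0.0/8 list=BOGONS
add address=240.0.0.0/4 list=BOGONS
/ip firewall filter
add action=reject chain=input comment="Reject all packets from public internet\
\_which should not exist in public network" in-interface=pppoe-out1 log=\
yes reject-with=icmp-network-unreachable src-address-list=BOGONS
/ip firewall mangle
add action=add-src-to-address-list address-list=Tor-Users \
address-list-timeout=5m chain=prerouting comment="Tor Users" \
dst-address-list=TOR-SERVERS dst-port=443 protocol=tcp
/ip firewall raw
add action=drop chain=prerouting src-address-list=port scanners log=yes
'''


def unwrap(text):
    """Join wrapped export lines; "\_" at the start of a continuation is a space."""
    lines, buf = [], None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        if buf is not None:
            line = line.lstrip()
            if line.startswith('\\_'):
                line = ' ' + line[2:]
            line = buf + line
        if line.endswith('\\'):
            buf = line[:-1]
        else:
            lines.append(line)
            buf = None
    return lines


def tokenize(line):
    """Split on whitespace outside double quotes; honour backslash escapes inside them."""
    tokens, cur, quoted, i = [], [], False, 0
    while i < len(line):
        ch = line[i]
        if quoted and ch == '\\' and i + 1 < len(line):
            cur.append(line[i + 1])
            i += 2
            continue
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            if cur:
                tokens.append(''.join(cur))
                cur = []
        else:
            cur.append(ch)
        i += 1
    if cur:
        tokens.append(''.join(cur))
    return tokens


def parse_export(text):
    """Return (section, command, params) triples; tokens lacking '=' go to params['_stray']."""
    entries, section = [], None
    for line in unwrap(text):
        if line.startswith('/'):
            section = line
            continue
        toks = tokenize(line)
        params = {'_stray': []}
        for tok in toks[1:]:
            key, eq, val = tok.partition('=')
            if eq:
                params[key] = val
            else:
                params['_stray'].append(tok)
        entries.append((section, toks[0], params))
    return entries


def address_lists(entries):
    lists = {}
    for section, cmd, p in entries:
        if section == '/ip firewall address-list' and cmd == 'add':
            lists.setdefault(p['list'], []).append(p['address'])
    return lists


def to_networks(entry):
    """'a.b.c.d-e.f.g.h' ranges and CIDR prefixes both become ip_network objects."""
    if '-' in entry:
        lo, hi = (ipaddress.ip_address(x) for x in entry.split('-'))
        return list(ipaddress.summarize_address_range(lo, hi))
    return [ipaddress.ip_network(entry, strict=False)]


def list_contains(lists, name, ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for entry in lists.get(name, []) for net in to_networks(entry))


def undefined_list_references(entries):
    """Lists matched on by rules that are neither static nor filled by an add-*-to-address-list rule."""
    defined = set(address_lists(entries))
    for _, _, p in entries:
        if p.get('action', '').startswith('add-') and 'address-list' in p:
            defined.add(p['address-list'])
    missing = set()
    for _, _, p in entries:
        for key in ('src-address-list', 'dst-address-list'):
            name = p.get(key, '').lstrip('!')
            if name and name not in defined:
                missing.add(name)
    return sorted(missing)


def stray_tokens(entries):
    """An unquoted value with a space (src-address-list=port scanners) leaves a token without '='."""
    return [(p.get('comment', cmd), tok) for _, cmd, p in entries for tok in p['_stray']]


def redundant_entries(lists, name):
    """Entries of a list that are fully covered by a wider entry of the same list."""
    members = lists.get(name, [])
    nets = {e: to_networks(e) for e in members}
    found = []
    for e in members:
        for other in members:
            if other != e and all(any(n.subnet_of(o) for o in nets[other]) for n in nets[e]):
                found.append((e, other))
                break
    return found


ENTRIES = parse_export(SAMPLE_EXPORT)
LISTS = address_lists(ENTRIES)

if __name__ == '__main__':
    print('undefined lists:', undefined_list_references(ENTRIES))
    print('stray tokens:', stray_tokens(ENTRIES))
    print('redundant BOGONS entries:', redundant_entries(LISTS, 'BOGONS'))
    print('10.1.2.3 would hit the BOGONS reject:', list_contains(LISTS, 'BOGONS', '10.1.2.3'))
```

Run as a script it prints the findings: on the constructed excerpt it flags `TOR-SERVERS` (matched on by the mangle rule but never populated anywhere in the export) and the unquoted `port scanners` value, and shows that `224.0.0.0/3` already covers the remaining multicast and class-E entries, so the narrower BOGONS lines add nothing but clutter.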
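The six `tcp-flags` rules in the rule set above each describe one scan signature. To see exactly which flag combinations they catch, here is an added Python example (not code from the thread or from MikroTik) that models the tcp-flags matcher under one assumption: every listed flag must be set, every flag prefixed with `!` must be clear, and unlisted flags are ignored. The rule table is copied from the export; the sample packets are constructed.

```python
"""Model the RouterOS tcp-flags matcher behind the thread's scan-detection rules.

Added example, not code from the thread or from MikroTik. Assumption: in a
tcp-flags value every listed flag must be set and every flag prefixed with
'!' must be clear; flags not mentioned are ignored. SCAN_RULES copies the six
tcp-flags rules from the posted export; the sample packets are constructed."""

FLAGS = ('fin', 'syn', 'rst', 'psh', 'ack', 'urg')  # TCP header bit order, LSB first

SCAN_RULES = {
    'NMAP FIN Stealth scan': 'fin,!syn,!rst,!psh,!ack,!urg',
    'SYN/FIN scan': 'fin,syn',
    'SYN/RST scan': 'syn,rst',
    'FIN/PSH/URG scan': 'fin,psh,urg,!syn,!rst,!ack',
    'ALL/ALL scan': 'fin,syn,rst,psh,ack,urg',
    'NMAP NULL scan': '!fin,!syn,!rst,!psh,!ack,!urg',
}


def parse_tcp_flags(spec):
    """Split 'fin,!syn,...' into (must_set, must_clear) sets; reject unknown names."""
    must_set, must_clear = set(), set()
    for item in spec.split(','):
        item = item.strip()
        target = must_clear if item.startswith('!') else must_set
        target.add(item.lstrip('!'))
    unknown = (must_set | must_clear) - set(FLAGS)
    if unknown:
        raise ValueError(f'unknown TCP flag(s): {sorted(unknown)}')
    return must_set, must_clear


def matches(spec, packet_flags):
    """True if a packet carrying exactly packet_flags satisfies the tcp-flags spec."""
    must_set, must_clear = parse_tcp_flags(spec)
    packet = set(packet_flags)
    return must_set <= packet and not (must_clear & packet)


def matching_rules(packet_flags):
    """Comments of the rules whose tcp-flags condition the packet satisfies, in rule order."""
    return [name for name, spec in SCAN_RULES.items() if matches(spec, packet_flags)]


def flags_from_byte(byte):
    """Decode the flags byte of a TCP header (FIN=0x01, SYN=0x02 ... URG=0x20)."""
    return {name for bit, name in enumerate(FLAGS) if byte & (1 << bit)}


def coverage():
    """Try all 64 flag combinations; return (caught_count, set of uncaught combinations)."""
    uncaught = set()
    for byte in range(64):
        combo = frozenset(flags_from_byte(byte))
        if not matching_rules(combo):
            uncaught.add(combo)
    return 64 - len(uncaught), uncaught


# Constructed sample packets, given as raw TCP flag bytes.
SAMPLES = {
    'null scan': 0x00,
    'plain SYN (ordinary connect or SYN scan)': 0x02,
    'FIN only': 0x01,
    'Xmas (FIN+PSH+URG)': 0x29,
    'SYN+FIN': 0x03,
    'data segment (PSH+ACK)': 0x18,
}

if __name__ == '__main__':
    for label, byte in SAMPLES.items():
        hits = matching_rules(flags_from_byte(byte))
        print(f'{label:42} -> {hits or "no tcp-flags rule"}')
    caught, uncaught = coverage()
    print(f'{caught}/64 flag combinations hit a tcp-flags rule; '
          f'a plain SYN is among the {len(uncaught)} that rely on the psd rule instead')
```

The sweep over all 64 combinations shows that 27 of them hit one of the six rules and that a bare SYN does not; a plain SYN or connect scan is only noticed by the separate `psd=21,3s,3,1` rule, which counts distinct ports per source rather than inspecting flags.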

NeverGiveUp!! wrote:
This rule can continue to be used as-is. The ru...(snipped)
--
Love me, love my cat! - A Simon's Cat Valentines | STORYTIME
Character is a person's best trump card.

舞夜翎 wrote:
By the way, I just got back from the Chiayi lantern festival...(snipped)


Even the locals didn't want to go, and you went; truly kind-hearted.
A pair of jade arms pillow a thousand heads, half a pair of red lips tasted by ten thousand guests; I return your bright pearls with two tears falling, regretting we did not meet before I was wed.
One of the two rules has been corrected. The corrected version of the rules is posted here.


NeverGiveUp!! wrote:
These two rules have been added and amended. add...(snipped)
--
The Pink Panther Season 1 Episode 1

add action=accept chain=forward comment=\
"Accept all New Packets connections from network" connection-state=new \
connection-nat-state=!dstnat in-interface=bridge src-address-list=LAN
add action=accept chain=input comment="From our LAN" in-interface=bridge \
connection-nat-state=!dstnat src-address-list=LAN
Character is a person's best trump card.

economic wrote:
Even the locals didn't want to go, and you went...(snipped)

You always have to find somewhere to go on a date and make a memory!!!

achitsai wrote:
You always have to find somewhere to go on a date and make a mem...(snipped)


Recommend the library to him, then.
A pair of jade arms pillow a thousand heads, half a pair of red lips tasted by ten thousand guests; I return your bright pearls with two tears falling, regretting we did not meet before I was wed.
After countermeasures for the two rules, regarding resisting wireless interference (ARP attacks), I sincerely recommend this version as the most appropriate. My task is done.
NeverGiveUp!! wrote:
One of the two rules has been corrected. The...(snipped)
--
Babe :) okay. Get some rest early. The rules above are all in place; only this version is the one I want for blocking the undercurrent's wireless interference!
Once you've used Tomato you'll never want to go back to stock firmware. And paired with these rules it's as steady as Mount Tai. From the logs you can see much more of what's going on.
The purpose of this rule is that packets going from the source (LAN) out to the destination are all masqueraded (stamped with the WAN-side IP).
This way it blocks the undercurrent from using their real tricks to infiltrate from this point through the relay WiFi; none of it gets through. This is what real security feels like.
The rest is left to the machine-gun defensive line at the very bottom to intercept. I only take what I want; everything else that is unrelated gets intercepted. This is like,
something similar to the concept of NAT. The benefit of this rule is that users only see partial wireless interference, but the stability is comparable to a near-wired connection.
--
2CELLOS - Perfect - Ed Sheeran
add action=accept chain=forward comment=\
"Accept all New Packets connections from network" connection-state=new \
connection-nat-state=!dstnat in-interface=bridge src-address-list=LAN
add action=accept chain=input comment="From our LAN" in-interface=bridge \
connection-state=new connection-nat-state=!dstnat src-address-list=LAN
Character is a person's best trump card.
In summary: the ROS main router uses this rule, and the paired relay AP uses this rule.
NeverGiveUp!! wrote:
After countermeasures for the two rules....(snipped)
--
Babe :) leaving a comment! I'll leave the ROS homework for the second half of this year. Why the continuous revisions? It's a process.
When I posted these rules, I knew they might only be effective briefly. Within less than a day they were broken, hence the two rules in the previous post.
But with these two, when I applied them to this rule, I immediately realized the definition would be punched through; in barely a few hours I came back to this rule.
Coming back to this rule, you can tell from the logs, including wireless stability. Finally I thought about the definition and at last found the answer: this rule is exactly the remedy.
The ROS and relay settings only need to go this far. The rest is surface-level probing. With this rule everything will be smooth and stable. Importantly,
of course there is one browser feature that must be turned off: WebRTC. It is easily exploited. All of this can be guarded against.
If you adopt the rules above, what you'll encounter is only squeezing of the signal, but the network is smooth and stable. For the RTS value I strongly recommend always using 255.
Use 2 for the period. Why not 1, or ASUS's 3? This is a carefully weighed value. 1 is very good and fast, but when wireless interference occurs it still drops.
3? Too idle; when wireless interference occurs, devices waking up often fail to come back. So 2 is the best compromise, combining the functions of both 1 and 3.
For response time I recommend the default value of 100 ms. Too low is bad; when wireless interference hits, the rear wave can't push the front river, and attenuation and disconnection easily occur.
With ROS and the relay AP paired according to the settings and rules above, the conclusion is that one relay AP per floor is needed to avoid the crappy signal at the edges.
--
I don't really recommend hiding the wireless SSID. Even hidden, they'll still know, and once they know they'll set up a fake SSID, assuming the password is already known.
This is why, even though the relay AP is clearly set to WPA2 only, devices show WPA/WPA2 after a few hours.
The reason is this: only the targeted device, whose WiFi security setting originally matched the relay's WPA2-PSK setting,
now shows the security as WPA/WPA2-PSK, which makes no sense. So it means the device has been tampered with. Or even,
it jumped to the undercurrent's network, perhaps without connecting, causing a disconnect, so that the undercurrent can conveniently sense its presence the next time WiFi wakes up.
I don't know the technique, but at least I know telecom scammers all use this method to achieve phone surveillance and find the right moment to scam.
All of this WiFi stuff is related to telecom fraud. No connection is needed at all; they only need the world's WiFi as a channel to exploit.
Even if the phone isn't connected to WiFi, or doesn't connect at all, they can use the world's WiFi channels to identify the phone and finally locate it.
Or they use the ISP's communication frequencies; for example, with just a 2G signal, even without 3G/4G on, they can lock on. After locking on to the basic signal,
if the signal keeps jumping between strong and weak, you know there's a problem. They just need to be ready to call at any time, or wait for a certain moment, and it comes into play when carrying out probes.
--
So WiFi is so widespread and pervasive that the undercurrent doesn't need to move; they just scan with a computer, piggyback on AP after AP after AP, and finally find you.
When you want to download those so-called "download master" things, oh so nice, the undercurrent also passes through your AP and checks whether you're easy to mess with. Hmm, easy. They allow you to download.
If they find you're not easy to mess with, hmm, they cut the download straight away and don't let you download. These are all conditions of exchange. They'll also judge whether you're qualified enough.
If you're qualified enough to fit the undercurrent's channel, and the pigeons are excluded, the undercurrent will also let you download. If there is a channel but the pigeons can't be excluded, the undercurrent cuts the connection anyway.
"Pigeons" is just a metaphor. If you share very bad content (banned films or things that harm healthy character development), they come straight for you, with no mercy.
--
Halsey - Sorry
Character is a person's best trump card.

achitsai wrote:
You always have to find somewhere to go on a date and make a memory!!!...(snipped)


Right, right.


economic wrote:
Even the locals didn't want to go, and you went; truly kind-hearted..(snipped)



It was a date with my honey~ Yunlin last year was pretty good..
Who knew.....
This year it was really badly run orz
Don't know whether they were too greedy for money.. or the organizers were just terrible.

Honestly.. for the food stalls to be that bad..
I find it amazing too..
Even the charcoal-grilled stuff managed to be awful.. and expensive.
And basically everything I ate.. every stall was a dud~ even the bubble tea was a dud~~~
Mocking what we consider a lack of common sense is meant to highlight our own excellence, so that in a complex society we can evade the fact that we ourselves are actually quite ignorant.
舞夜翎 wrote:
Right, right. It was a date with my honey...(snipped)

How I wish the English were misspelled.....a date with my economic~..

Slipping away~~~