josephteng wrote:
Remember to bring back souvenirs.... (snipped)
The queen will kick you right off.
 
                

The ordering has been fixed. Fully corrected once again. Thanks for watching.


NeverGiveUp!! wrote:
The goose-axis and chicken-axis ones are all used up. Last year... (snipped)
```
/ip firewall address-list
add address=192.168.88.2-192.168.88.254 list=LAN
add address=0.0.0.0/8 list=BOGONS
add address=10.0.0.0/8 list=BOGONS
add address=100.64.0.0/10 list=BOGONS
add address=127.0.0.0/8 list=BOGONS
add address=169.254.0.0/16 list=BOGONS
add address=172.16.0.0/12 list=BOGONS
add address=192.0.0.0/24 list=BOGONS
add address=192.0.2.0/24 list=BOGONS
add address=192.88.99.0/24 list=BOGONS
add address=192.168.0.0/16 list=BOGONS
add address=198.18.0.0/15 list=BOGONS
add address=198.51.100.0/24 list=BOGONS
add address=203.0.113.0/24 list=BOGONS
add address=224.0.0.0/3 list=BOGONS
add address=224.0.0.0/4 list=BOGONS
add address=240.0.0.0/4 list=BOGONS
/ip firewall nat
add action=redirect chain=dstnat comment=DNS dst-port=53 protocol=tcp \
    to-ports=53
add action=redirect chain=dstnat dst-port=53 protocol=udp to-ports=53
add action=masquerade chain=srcnat comment="IP Masquerading" \
    src-address-list=LAN
/ip firewall filter
add action=drop chain=forward comment="Drop LAN -> UDP(53,433)" \
    dst-port=53,443 log=no log-prefix="Drop LAN -> UDP(53,433)" \
    protocol=udp src-address-list=LAN
add action=accept chain=input comment=\
    "Accept established&related(Input) packets" connection-state=\
    established,related
add action=accept chain=input comment=\
    "Accept all connections from local network" in-interface=!ether1 \
    src-address-list=LAN
add action=drop chain=input comment="Drop invalid(Input)" \
    connection-state=invalid
add action=drop chain=input comment="drop login brute forcers 1" dst-port=\
    21,22,23,8291 log=yes protocol=tcp src-address-list=login_blacklist
add action=add-src-to-address-list address-list=login_blacklist \
    address-list-timeout=4d chain=input comment="drop login brute forcers 2" \
    connection-state=new dst-port=21,22,23,8291 protocol=tcp
add action=drop chain=input comment="Drop Reports&Targets&Sources 01" \
    dst-port=\
    53,81,137,445,1433,2000,2222,2323,3306,5060,5355,5900,7547,8082,8545 log=\
    yes protocol=tcp src-address-list=BlockReports01
add action=add-src-to-address-list address-list=BlockReports01 \
    address-list-timeout=4d chain=input connection-state=new dst-port=\
    53,81,137,445,1433,2000,2222,2323,3306,5060,5355,5900,7547,8082,8545 \
    protocol=tcp
add action=drop chain=input comment="Drop Reports&Targets&Sources 02" \
    dst-port=9160,7777,5555,389,80,67 log=yes protocol=tcp src-address-list=\
    BlockReports02
add action=add-src-to-address-list address-list=BlockReports02 \
    address-list-timeout=4d chain=input connection-state=new dst-port=\
    9160,7777,5555,389,80,67 protocol=tcp
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment=\
    "Drop port scanners\A1GPort scanners to list" log=yes protocol=tcp psd=\
    21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="NMAP FIN Stealth scan" log=\
    yes protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="SYN/FIN scan" log=yes \
    protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="SYN/RST scan" log=yes \
    protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" log=yes \
    protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="ALL/ALL scan" log=yes \
    protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="NMAP NULL scan" log=yes \
    protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=input comment="dropping port scanners" log=yes \
    src-address-list="port scanners"
add action=drop chain=input comment=\
    "Drop all packets which are not destined to routes IP address" \
    dst-address-type=!local
add action=drop chain=input comment=\
    "Drop all packets which does not have unicast source IP address" \
    src-address-type=!unicast
add action=drop chain=input comment="Drop all packets from bogons \\
    internet which should not exist in bogons network" in-interface=\
    pppoe-out1 src-address-list=BOGONS
add action=drop chain=forward comment="Drop invalid(Forward)" \
    connection-state=invalid
add action=accept chain=forward comment=\
    "Accept established&related(Forward) packets" connection-state=\
    established,related
add action=drop chain=forward comment=\
    "Drop new connections from internet which are not dst-natted" \
    connection-nat-state=!dstnat connection-state=new in-interface=pppoe-out1
add action=drop chain=forward comment="Drop all packets from bo\\
    gons internet which should not exist in bogons network" in-interface=\
    pppoe-out1 src-address-list=BOGONS
add action=drop chain=forward comment="Drop all packets from LA\\
    N to internet which should not exist in bogins network" \
    dst-address-list=BOGONS in-interface=bridge
add action=drop chain=forward comment="Drop all packets in LAN \\
    which does not have LAN address" in-interface=bridge \
    src-address=!192.168.88.0/24
add action=drop chain=input comment="Drop Rule - Input Chain" log=yes \
    log-prefix="Drop All"
/system scheduler
add comment="Check and set NTP servers" interval=6h name=SetNtpServers \
    on-event="# SetNtpServers - Check and set NTP servers from NTP pool\\
    # v1.2 Tested and Developed on ROS v5.7\\
    #\\
    # Change the following line as needed as progName should match script na\\
    me \\
    :local progName \\"SetNtpServers\";\
    \
    # Array of NTP pools to use (check www.pool.ntp.org) one or a maximum of\
    \_two, a primary & secondary\
    # Modify the following line and array variable based on your locale (def\
    ault is north america).\
    :local arrNtpSystems (\"taiwan.pool.ntp.org\", \"asia.pool.ntp.org\");\
    # Alternatively the US related pool below can be used. \
    #:local arrNtpSystems (\"taiwan.pool.ntp.org\", \"asia.pool.ntp.org\");\
    #\
    # No modification is necessary beyond this line.\
    :put \"\$progName: Running...\";\
    :log info \"\$progName: Running...\";\
    :set arrNtpSystems [ :toarray \$arrNtpSystems ];\
    :if (( [ :len \$arrNtpSystems ] < 1 ) or ( [ :len \$arrNtpSystems ] > 2 \
    )) do={ \
    :put \"\$progName: ERROR NTP Systems array (\\\$arrNtpSystems) must \
    be either one or two DNS names.\";\
    :log info \"\$progName: ERROR NTP Systems array (\\\$arrNtpSystems) \
    must be either one or two DNS names.\";\
    } else={\
    :local arrRosNtpSetting (\"primary-ntp\", \"secondary-ntp\");\
    :local i 0;\
    :foreach strNtpSystem in (\$arrNtpSystems) do={\
    :local ipAddrNtpSystem [ :resolve \$strNtpSystem ];\
    :local strRosNtpSetting [ :pick \$arrRosNtpSetting \$i ];\
    :local strCurrentNtpIp [ /system ntp client get \$strRosNtpSetti\
    ng ];\
    :put \"\$progName: NTP server DNS name \$strNtpSystem resolves t\
    o \$ipAddrNtpSystem.\";\
    :log info \"\$progName: NTP server DNS name \$strNtpSystem resol\
    ves to \$ipAddrNtpSystem.\";\
    :put \"\$progName: Current \$strRosNtpSetting setting is \$strCu\
    rrentNtpIp.\";\
    :log info \"\$progName: Current \$strRosNtpSetting setting is \$\
    strCurrentNtpIp.\";\
    :if ( [ :toip \$ipAddrNtpSystem ] != [ :toip \$strCurrentNtpIp ]\
    \_) do={\
    :put \"\$progName: Changing \$strRosNtpSetting setting to \$\
    ipAddrNtpSystem.\";\
    :log info \"\$progName: Changing \$strRosNtpSetting setting \
    to \$ipAddrNtpSystem.\";\
    :local strCommand [ :parse \"/system ntp client set \$strRos\
    NtpSetting=\\\"\$ipAddrNtpSystem\\\"\" ];\
    \$strCommand;\
    } else={\
    :put \"\$progName: No changes were made for the \$strRosNtpS\
    etting NTP setting.\";\
    :log info \"\$progName: No changes were made for the \$strRo\
    sNtpSetting NTP setting.\";\
    }\
    :set i (\$i + 1);\
    }\
    }\
    :put \"\$progName: Done.\";\
    :log info \"\$progName: Done.\";" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-time=startup
add comment=Download_Ads_List interval=24h name=DownloadAdsList \
    on-event="/system script run Blocklister_download_Ads" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-time=startup
add interval=25h name=DownloadSpywareList on-event=\
    "/system script run Blocklister_download_Spyware" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-time=startup
add interval=26h name=DownloadMalwaredomainlistList on-event=\
    "/system script run Blocklister_download_Malwaredomainlist" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-time=startup
add interval=27h name=DownloadHijackedList on-event=\
    "/system script run \
    Blocklister_download_Hijacked" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-time=startup
/system script
add name=Blocklister_download_Ads owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/\\
    tool fetch url=\\"https://blocklister.gefoo.org/ads\" dst-path=\"ads.rsc\";\
    \_/import file-name=\"ads.rsc\";"
add name=Blocklister_download_Spyware owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/\\
    tool fetch url=\\"https://blocklister.gefoo.org/spyware\" dst-path=\"spywar\
    e.rsc\"; /import file-name=\"spyware.rsc\";"
add name=Blocklister_download_Malwaredomainlist owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/\\
    tool fetch url=\\"https://blocklister.gefoo.org/malwaredomainlist\" dst-pat\
    h=\"malwaredomainlist.rsc\"; /import file-name=\"malwaredomainlist.rsc\";"
add name=Blocklister_download_Hijacked owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/\\
    tool fetch url=\\"https://blocklister.gefoo.org/hijacked\" dst-path=\"hijac\
    ked.rsc\"; /import file-name=\"hijacked.rsc\";"
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip hotspot service-port
set ftp disabled=yes
/ip ipsec policy
set 0 disabled=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set winbox disabled=yes
set api-ssl disabled=yes
/ip upnp
set show-dummy-rule=no
/ip cloud
set update-time=no
/ip firewall connection tracking
set enabled=auto
/ip settings
set rp-filter=no tcp-syncookies=no
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2 \
    network=192.168.88.0
/interface list member
add comment=defconf interface=ether2 list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
/ip firewall raw
add action=drop chain=prerouting comment="Block PortScanners" log=yes \
    src-address-list="port scanners"
add action=drop chain=prerouting log=yes src-address-list=login_blacklist
add action=drop chain=prerouting log=yes dst-address-list=ads_list
add action=drop chain=prerouting comment="Drop Spyware" log=yes \
    dst-address-list=spyware_list
add action=drop chain=prerouting log=yes dst-address-list=hijacked_list
add action=drop chain=prerouting log=yes dst-address-list=\
    malwaredomainlist_list
add action=drop chain=prerouting comment="Block Teredo IPv6-tunnel" \
    log=yes dst-port=3544,3545 protocol=udp src-port=1024-65535
add action=drop chain=prerouting comment="Block&Drop Other...etc." log=yes \
    src-address=216.218.206.0/24
add action=drop chain=prerouting comment="Drop Reports&Targets&Sources" \
    log=yes src-address-list=BlockReports01
add action=drop chain=prerouting log=yes src-address-list=BlockReports02
```





 The Chainsmokers - Everybody Hates Me





```
/ip firewall filter
add action=drop chain=forward dst-port=53,443 log=yes log-prefix=\
    "Drop LAN -> UDP(53,433)" protocol=udp src-address-list=LAN
```


 Ying Yang Twins - Salt Shaker (feat. Lil Jon & The East Side Boyz)

Changing it this way has one drawback: when the phone is idle, the Wi-Fi connection tends to drop.

 
```
/ip firewall filter
add action=reject chain=forward comment="Reject LAN -> UDP(53,433)" \
    dst-port=53,443 log=yes log-prefix="Reject LAN -> UDP(53,433)" \
    protocol=udp src-address-list=LAN reject-with=icmp-network-unreachable
```


The ROS task is done. I also found the scientific basis for the wireless interference.

 Lil Jon & The East Side Boyz - Get Low Remix (feat. Busta Rhymes, Elephant Man, Ying Yang Twins)
```
add action=accept chain=input comment="udp" disabled=no limit=\
    1/7101w3d6h28m15s,0:packet protocol=udp
```

```
add action=drop chain=forward comment="Drop LAN -> UDP(53,433)" \
    dst-port=53,443 log=yes log-prefix="Drop LAN -> UDP(53,433)" \
    protocol=udp src-address-list=LAN
```



Put the forward block rule first. Only then can the "president" form a cabinet smoothly.

 Ying Yang Twins - Drop

 
```
add action=accept chain=input comment="udp" disabled=no limit=\
    1/7101w3d6h28m15s,0:packet protocol=udp
```


 Yelawolf - Punk ft. Travis Barker, Juicy J

achitsai wrote:
Something like real estate can only... (snipped)
