

L7規則部分在01上排版會跑掉，糾正無法幫上忙。


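# RouterOS (.rsc) P2P-blocking rule set, reflowed to one command per line.
# The pasted version broke a quoted string ("TCP-Tracker blocking") and two
# commands across line ends without a trailing '\', and carried a stray '\!'
# in one dst-address; RouterOS rejects such input on import. Those joins are
# the only content changes below - every rule and its order is kept as posted,
# because mangle chains are first-match and passthrough=no stops processing.

/ip dns static
# Black-hole well-known tracker / DHT bootstrap hostnames for 1 day.
# NOTE(review): only clients that resolve through this router are affected;
# a client pointed at another resolver (or using DNS over HTTPS) bypasses
# these entries entirely, so treat this as a convenience, not a control.
add address=127.0.0.1 name=router.utorrent.com ttl=1d
add address=127.0.0.1 name=dht.vuze.com ttl=1d
add address=127.0.0.1 name=vrpc.vuze.com ttl=1d
add address=127.0.0.1 name=vzrpx020.vuze.com ttl=1d
add address=127.0.0.1 name=vzapp020.vuze.com ttl=1d
add address=127.0.0.1 name=client.vuze.com ttl=1d
add address=127.0.0.1 name=mirror-user1.bitcomet.org ttl=1d
add address=127.0.0.1 name=ip.bitcomet.org ttl=1d
add address=127.0.0.1 name=jp.bitcomet.com ttl=1d
add address=127.0.0.1 name=torrent-cache.bitcomet.org ttl=1d
add address=127.0.0.1 name=inside.bitcomet.com ttl=1d
# NOTE(review): 127.0.0.2 differs from every other entry above - confirm it
# is intentional rather than a typo.
add address=127.0.0.2 name=router.bitcomet.net ttl=1d

/ip firewall mangle
# Packet marks for upload/download accounting. passthrough=yes so the
# classification rules below still see these packets.
add action=mark-packet chain=prerouting in-interface=bridge \
    new-packet-mark=client_upload passthrough=yes
add action=mark-packet chain=prerouting in-interface=pppoe-out1 \
    new-packet-mark=client_download passthrough=yes
# Signature detection: the built-in p2p matcher plus three layer7 regexps,
# each jumping to p2p-service. dst-address=!192.168.88.1 keeps traffic to the
# router itself out of inspection. NOTE(review): these rules inspect every
# other prerouting packet, which is CPU-heavy on small boards; the p2p
# matcher is also not present on every RouterOS release, so check that the
# first rule imports on the target version.
add action=jump chain=prerouting dst-address=!192.168.88.1 \
    jump-target=p2p-service p2p=all-p2p comment="Common P2P-Blocking"
add action=jump chain=prerouting dst-address=!192.168.88.1 \
    jump-target=p2p-service layer7-protocol=BITTORRENT
add action=jump chain=prerouting dst-address=!192.168.88.1 \
    jump-target=p2p-service layer7-protocol=DIRECTCONNECT
add action=jump chain=prerouting dst-address=!192.168.88.1 \
    jump-target=p2p-service layer7-protocol=GNUTELLA
# Peer-discovery heuristics: once a LAN host is on p2p-users, small UDP
# datagrams (62-500 bytes, high ports, not DNS) and small PSH/ACK TCP
# segments on high ports to/from it add the remote side to p2p-users-ext for
# 10 minutes. The filter chain below then drops traffic between the two
# lists. The TCP pair excludes ftp-tracked connections.
# NOTE(review): packet-size heuristics on high UDP ports can also catch
# VoIP/game/QUIC-style traffic from an already-listed host - worth watching
# the p2p-users-ext list for unexpected destinations.
add action=add-dst-to-address-list address-list=p2p-users-ext \
    address-list-timeout=10m chain=prerouting dst-address=!192.168.88.1 \
    comment="UDP-Bittorrent blocking" dst-port=1024-65535 packet-size=\
    62-500 protocol=udp src-address-list=p2p-users src-port=!53
add action=add-src-to-address-list address-list=p2p-users-ext \
    address-list-timeout=10m chain=prerouting dst-address-list=p2p-users \
    dst-port=1024-65535 packet-size=62-500 protocol=udp src-address=\
    !192.168.88.1 src-port=!53
add action=add-dst-to-address-list address-list=p2p-users-ext \
    address-list-timeout=10m chain=prerouting connection-type=!ftp \
    comment="TCP-Tracker blocking" dst-address=!192.168.88.1 dst-port=\
    1024-65535 packet-size=100-500 protocol=tcp src-address-list=p2p-users \
    src-port=1024-65535 tcp-flags=psh,ack
add action=add-src-to-address-list address-list=p2p-users-ext \
    address-list-timeout=10m chain=prerouting connection-type=!ftp \
    dst-address-list=p2p-users dst-port=1024-65535 packet-size=100-500 \
    protocol=tcp src-address=!192.168.88.1 src-port=1024-65535 tcp-flags=psh,ack
# New TCP connections to 443 are classified normally first; a TLS handshake
# (layer7 HTTPS) on any OTHER port is treated as obfuscated P2P.
# NOTE(review): this rule sits ahead of the smtps/imaps/pop3s/ftps marks in
# tcp-services, so if it matches a legitimate TLS service on 465/990/993/995
# that LAN host lands in p2p-users and the connection is dropped by the
# filter rules below. Check the rule counters before relying on it.
add action=jump chain=prerouting connection-state=new dst-port=443 \
    jump-target=tcp-services protocol=tcp
add action=jump chain=prerouting connection-state=new dst-address=\
    !192.168.88.1 dst-port=!443 jump-target=p2p-service \
    layer7-protocol=HTTPS protocol=tcp
# Everything else new is classified by protocol-specific sub-chains.
add action=jump chain=prerouting connection-state=new jump-target=\
    tcp-services protocol=tcp
add action=jump chain=prerouting connection-state=new jump-target=\
    udp-services protocol=udp
add action=jump chain=prerouting connection-state=new jump-target=\
    other-services
# p2p-service: tag the LAN source for 2 minutes (only if it is already in
# the LAN address list, which must be defined elsewhere in the config) and
# mark the connection so the filter chain can drop it.
add action=add-src-to-address-list address-list=p2p-users \
    address-list-timeout=2m chain=p2p-service src-address-list=LAN
add action=mark-connection chain=p2p-service new-connection-mark=p2p \
    passthrough=no
# tcp-services: connection marks by well-known destination port. Every rule
# is passthrough=no, so the first matching port wins; the final other-tcp
# rule is the catch-all.
add action=mark-connection chain=tcp-services dst-port=20-21 \
    new-connection-mark=ftp passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services dst-port=22 \
    new-connection-mark=ssh passthrough=no protocol=tcp src-port=513-65535
add action=mark-connection chain=tcp-services dst-port=23 \
    new-connection-mark=telnet passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services dst-port=25 \
    new-connection-mark=smtp passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services dst-port=53 \
    new-connection-mark=dns passthrough=no protocol=tcp src-port=53
add action=mark-connection chain=tcp-services dst-port=53 \
    new-connection-mark=dns passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services dst-port=80 \
    new-connection-mark=http passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services dst-port=110 \
    new-connection-mark=pop3 passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services dst-port=113 \
    new-connection-mark=auth passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services dst-port=119 \
    new-connection-mark=nntp passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services dst-port=137-139 \
    new-connection-mark=netbios passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services dst-port=143 \
    new-connection-mark=imap passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services dst-port=161-162 \
    new-connection-mark=snmp passthrough=no protocol=tcp src-port=1024-65535
# 443 is split on destination prefix: 78.31.0.0/16 is marked spotify, the
# rest https.
add action=mark-connection chain=tcp-services dst-address=78.31.0.0/16 \
    dst-port=443 new-connection-mark=spotify passthrough=no \
    protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services dst-address=!78.31.0.0/16 \
    dst-port=443 new-connection-mark=https passthrough=no \
    protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services dst-port=445 \
    new-connection-mark=ms-ds passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services dst-port=465 \
    new-connection-mark=smtps passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services dst-port=990 \
    new-connection-mark=ftps passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services dst-port=993 \
    new-connection-mark=imaps passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services dst-port=995 \
    new-connection-mark=pop3s passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services dst-port=1080 \
    new-connection-mark=socks passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services dst-port=1723 \
    new-connection-mark=pptp passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services dst-port=1863 \
    new-connection-mark=msn passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services dst-port=2379 \
    new-connection-mark=kgs passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services dst-port=3128 \
    new-connection-mark=squid-proxy passthrough=no protocol=tcp \
    src-port=1024-65535
add action=mark-connection chain=tcp-services dst-port=3389 \
    new-connection-mark=win-ts passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services dst-port=3845 \
    new-connection-mark=smartpass passthrough=no protocol=tcp \
    src-port=1024-65535
add action=mark-connection chain=tcp-services dst-port=4070 \
    new-connection-mark=spotify passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services dst-port=2000-3000 \
    new-connection-mark=bwtest passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services dst-port=4242-4243 \
    new-connection-mark=emule passthrough=no protocol=tcp src-port=1024-65535
# overnet/emule are also recognised by their SOURCE port.
add action=mark-connection chain=tcp-services dst-port=1024-65535 \
    new-connection-mark=overnet passthrough=no protocol=tcp src-port=4661-4662
add action=mark-connection chain=tcp-services dst-port=1024-65535 \
    new-connection-mark=emule passthrough=no protocol=tcp src-port=4711
add action=mark-connection chain=tcp-services dst-port=5900-5901 \
    new-connection-mark=vnc passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services dst-port=6667-6669 \
    new-connection-mark=irc passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services dst-port=8080 \
    new-connection-mark=http-proxy passthrough=no protocol=tcp \
    src-port=1024-65535
add action=mark-connection chain=tcp-services dst-port=8291 \
    new-connection-mark=winbox passthrough=no protocol=tcp \
    src-port=1024-65535
add action=mark-connection chain=tcp-services dst-port=42041-42052 \
    new-connection-mark=voddler passthrough=no protocol=tcp \
    src-port=1024-65535
add action=mark-connection chain=tcp-services dst-port=55536-55663 \
    new-connection-mark=ftp-passive passthrough=no protocol=tcp \
    src-port=1024-65535
add action=mark-connection chain=tcp-services new-connection-mark=\
    other-tcp passthrough=no protocol=tcp
# udp-services: same scheme for UDP; other-udp is the catch-all.
add action=mark-connection chain=udp-services dst-port=53 \
    new-connection-mark=dns passthrough=no protocol=udp \
    src-port=1024-65535
add action=mark-connection chain=udp-services dst-port=67 \
    new-connection-mark=dhcp passthrough=no protocol=udp src-port=67-68
add action=mark-connection chain=udp-services dst-port=123 \
    new-connection-mark=ntp passthrough=no protocol=udp src-port=123
add action=mark-connection chain=udp-services dst-port=123 \
    new-connection-mark=ntp passthrough=no protocol=udp \
    src-port=1024-65535
add action=mark-connection chain=udp-services dst-port=137-139 \
    new-connection-mark=netbios passthrough=no protocol=udp \
    src-port=1024-65535
add action=mark-connection chain=udp-services dst-port=161-162 \
    new-connection-mark=snmp passthrough=no protocol=udp \
    src-port=1024-65535
add action=mark-connection chain=udp-services dst-port=514 \
    new-connection-mark=syslog passthrough=no protocol=udp \
    src-port=1024-65535
add action=mark-connection chain=udp-services dst-port=1701 \
    new-connection-mark=l2tp passthrough=no protocol=udp \
    src-port=1024-65535
# 3544 (Teredo) is marked here but dropped outright by the filter chain.
add action=mark-connection chain=udp-services dst-port=3544 \
    new-connection-mark=ms-ipv6 passthrough=no protocol=udp \
    src-port=1024-65535
add action=mark-connection chain=udp-services dst-port=4665 \
    new-connection-mark=emule passthrough=no protocol=udp \
    src-port=1024-65535
add action=mark-connection chain=udp-services dst-port=4672 \
    new-connection-mark=emule passthrough=no protocol=udp \
    src-port=1024-65535
add action=mark-connection chain=udp-services dst-port=2000-3000 \
    new-connection-mark=bwtest passthrough=no protocol=udp \
    src-port=1024-65535
add action=mark-connection chain=udp-services dst-port=1024-65535 \
    new-connection-mark=emule passthrough=no protocol=udp src-port=4672
add action=mark-connection chain=udp-services dst-port=12053 \
    new-connection-mark=overnet passthrough=no protocol=udp \
    src-port=1024-65535
add action=mark-connection chain=udp-services dst-port=20561 \
    new-connection-mark=mac-winbox passthrough=no protocol=udp \
    src-port=1024-65535
add action=mark-connection chain=udp-services dst-port=42041-42052 \
    new-connection-mark=voddler passthrough=no protocol=udp \
    src-port=1024-65535
add action=mark-connection chain=udp-services dst-port=1024-65535 \
    new-connection-mark=overnet passthrough=no protocol=udp src-port=12053
add action=mark-connection chain=udp-services dst-port=1024-65535 \
    new-connection-mark=skype passthrough=no protocol=udp src-port=36725
add action=mark-connection chain=udp-services new-connection-mark=\
    other-udp passthrough=no protocol=udp
# other-services: ICMP echo, GRE, and a catch-all for anything else.
add action=mark-connection chain=other-services icmp-options=8:0-255 \
    new-connection-mark=ping passthrough=no protocol=icmp
add action=mark-connection chain=other-services new-connection-mark=gre \
    passthrough=no protocol=gre
add action=mark-connection chain=other-services new-connection-mark=other \
    passthrough=no

/ip firewall filter
# Drops in the forward chain: Teredo tunnelling, anything the mangle chains
# marked p2p, and traffic between a flagged LAN host and its flagged peers
# in either direction. NOTE(review): 'add' appends, so if an earlier forward
# rule already accepts established/related traffic these drops never see
# those flows - verify placement with /ip firewall filter print.
add action=drop chain=forward dst-port=3544,3545 protocol=udp \
    comment="Block Teredo IPv6-tunnel" src-port=1024-65535
add action=drop chain=forward connection-mark=p2p \
    comment="Drop all P2P"
add action=drop chain=forward dst-address-list=p2p-users-ext \
    src-address-list=p2p-users
add action=drop chain=forward dst-address-list=p2p-users \
    src-address-list=p2p-users-ext

/ip firewall layer7-protocol
# Regexps kept byte-for-byte as posted. NOTE(review): BITTORRENT, GNUTELLA and
# DIRECTCONNECT show doubled backslashes (\\\\x13, \\\\\\?) compared with
# HTTPS (\\x16, \?); if the forum did not add that extra layer, the stored
# patterns would look for a literal backslash and never match. After import,
# compare them against 'print' output and against the rule counters.
add name=BITTORRENT regexp="^(\\\\x13bittorrent protocol|azver\\\\x01\\$|get /scrap\\ e\\\\\\?info_hash=|get /announce\\\\\\?info_hash=|get /client/bitcomet/|GET /dat\\ a\\\\\\?fid=)|d1:.d2:id20:|\\\\x08'7P\\\\)[RP]"
add name=GNUTELLA regexp="^(gnd[\\\\x01\\\\x02]\\?.\\?.\\?\\\\x01|gnutella connect/[012\\ ]\\\\.[0-9]\\\\x0d\\\\x0a|get /uri-res/n2r\\\\\\?urn:sha1:|get /.*user-agent: (gtk-\\ gnutella|bearshare|mactella|gnucleus|gnotella|limewire|imesh)|get /.*conte\\ nt-type: application/x-gnutella-packets|giv [0-9]*:[0-9a-f]*/|queue [0-9a-\\ f]* [1-9][0-9]\\?[0-9]\\?\\\\.[1-9][0-9]\\?[0-9]\\?\\\\.[1-9][0-9]\\?[0-9]\\?\\\\.[1-9\\ ][0-9]\\?[0-9]\\?:[1-9][0-9]\\?[0-9]\\?[0-9]\\?|gnutella.*content-type: applica\\ tion/x-gnutella|...................\\?lime)"
add name=DIRECTCONNECT regexp="^(\\\\\\$mynick |\\\\\\$lock |\\\\\\$key )"
# Matches a TLS/SSL handshake start; used above to catch TLS on non-443 ports.
add name=HTTPS regexp="^(.\?.\?\\x16\\x03.*\\x16\\x03|.\?.\?\\x01\\x03\\x01\?.*\\x0b)"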
現做現趕出來的。其實不用L7就可以做到局部抵禦P2P釣魚，或有人使用時規則會抵擋。
這樣就能降低不相干的人走冤枉路的機會。意思是說不管有沒有在用，上述規則一律會優先擋掉。
以上用於分享或共用非常適合，就不用擔心有老鼠屎用戶害申請用戶被告或違法侵犯版權。
--




























































































