那些年我們一起開的搞笑地產公司 五都法拍屋 9月爆量-歪樓篇

KingDavid520 wrote:
DSE92501_cr...(恕刪)

玫瑰盛開的季節 豐姿舒展、招蜂引蝶

DSE92617_cr-6ps
by CH Lin, 於 Flickr
Sony A7 + Leica 50mm f/2 Summicron with Near-Focusing Range

KingDavid520 wrote:
玫瑰盛開的季節 ...(恕刪)

水喔!
D版於2020/02/25已定版安心使用.
--
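/interface bridge
add fast-forward=no igmp-snooping=no name=bridge
/interface bridge port
# ether1 stays defined as a bridge port but disabled: it is the WAN port
# (see the interface list below). Enable it here only when this device acts
# as a repeater, carries VLANs, or must bridge through to the modem;
# otherwise leave it disabled. (The original line carried this advice as
# free text appended to the menu path, which is not valid syntax.)
add bridge=bridge comment=defconf disabled=yes interface=ether1
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
# wlan1 is likewise left out of the bridge until explicitly enabled.
add bridge=bridge comment=defconf disabled=yes interface=wlan1
/interface list member
# Interface lists referenced by the firewall and the MAC server:
# LAN = the bridge, WAN = ether1 and the pppoe-out1 client.
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN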
/ip address
# Router LAN address on the bridge; the DHCP network below and the LAN
# address list in the firewall section all assume this /24.
add address=192.168.88.1/24 comment=defconf interface=bridge \
network=192.168.88.0
/ip dhcp-server network
# Clients are handed the router itself as both DNS server and gateway, so
# the DNS redirect rules in /ip firewall nat normally never have to act.
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 \
gateway=192.168.88.1 netmask=24
/ip dns
# allow-remote-requests=yes makes the router a resolver for anything that
# reaches its input chain. It is not an open resolver only because the
# filter section further down accepts LAN sources and drops the rest of
# input traffic - keep that dependency in mind when editing the input chain.
# cache-max-ttl=0s caps how long answers are retained (exact effect on
# caching: confirm on the target RouterOS version).
set allow-remote-requests=yes cache-max-ttl=0s servers=\
168.95.192.1,168.95.1.1
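/ip firewall service-port
# Disable every connection-tracking helper (ALG): none of these protocols
# is used by this setup, and helpers add parsing surface to conntrack.
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip neighbor discovery-settings
# Do not announce this router via neighbor discovery on any interface.
set discover-interface-list=none
/ip settings
# Reverse-path filtering and SYN cookies are both left off. Anti-spoofing
# is therefore done entirely by the explicit firewall rules further down
# (NotPublic address list, interface matches); re-evaluate these two
# settings if those rules are ever changed.
set rp-filter=no
set tcp-syncookies=no
/ip cloud
# Fixed: the original line read "ip cloud" without the leading "/", so it
# was resolved relative to the preceding /ip settings menu, where no such
# path exists, and the IP-Cloud time sync was most likely never disabled.
# ddns-enabled is not set here and keeps whatever the device already has.
set update-time=no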
/ip service
# Every IP-based management service is switched off (www-ssl is not listed,
# so its state is whatever the device already has - check it). After this,
# the only management path left is MAC-Winbox on LAN-list interfaces (see
# /tool mac-server mac-winbox below); do not disable that or shrink the LAN
# list without first re-enabling one of these services, or the device may
# only be recoverable through a reset.
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set winbox disabled=yes
set api-ssl disabled=yes
/system logging
# Wireless debug logging; no action is given, so the default logging
# action applies.
add topics=wireless,debug
/system ntp client
# The NTP client is given pool names directly. Note that the scheduler
# script further down also rewrites primary-ntp/secondary-ntp; confirm
# that both mechanisms are still wanted on the target version.
set enabled=yes server-dns-names=\
0.pool.ntp.org,1.pool.ntp.org,2.pool.ntp.org,3.pool.ntp.org
/tool bandwidth-server
set enabled=no
/tool mac-server
# MAC-telnet on no interface, MAC-Winbox only on LAN-list interfaces,
# MAC-ping off.
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool mac-server ping
set enabled=no
/ip firewall address-list
# LAN: the client range only - the router's own .1 and the broadcast .255
# are deliberately not in it.
add address=192.168.88.2-192.168.88.254 list=LAN
# NotPublic: ranges that must never appear as a source on the WAN side or
# as a destination leaving the LAN: "this network" (0/8), RFC 1918 private
# space (10/8, 172.16/12, 192.168/16), shared CGNAT space (100.64/10),
# loopback, link-local, the IETF protocol block (192.0.0/24), the three
# TEST-NETs, the deprecated 6to4 relay prefix (192.88.99/24), the
# benchmarking range (198.18/15) and multicast plus reserved (224/3, which
# covers everything from 224.0.0.0 up to 255.255.255.255).
add address=0.0.0.0/8 list=NotPublic
add address=10.0.0.0/8 list=NotPublic
add address=100.64.0.0/10 list=NotPublic
add address=127.0.0.0/8 list=NotPublic
add address=169.254.0.0/16 list=NotPublic
add address=172.16.0.0/12 list=NotPublic
add address=192.0.0.0/24 list=NotPublic
add address=192.0.2.0/24 list=NotPublic
add address=192.88.99.0/24 list=NotPublic
add address=192.168.0.0/16 list=NotPublic
add address=198.18.0.0/15 list=NotPublic
add address=198.51.100.0/24 list=NotPublic
add address=203.0.113.0/24 list=NotPublic
add address=224.0.0.0/3 list=NotPublic
/ip firewall nat
# Source NAT for everything leaving through the PPPoE uplink.
add action=masquerade chain=srcnat out-interface=pppoe-out1 \
comment="NAT from local address back to public IP"
# Every DNS request that passes through dstnat is redirected to the router's
# own resolver, so clients cannot bypass it (or its upstream choice) by
# pointing at an external DNS server. There is no in-interface match, so
# port-53 packets arriving from the WAN for other destinations are
# redirected too; they then hit the input chain and are dropped by its
# final rule. NOTE(review): adding in-interface=bridge (or
# in-interface-list=LAN) to these rules would scope them to LAN clients.
add action=redirect chain=dstnat dst-port=53 \
protocol=tcp to-ports=53 comment=\
"Force Users to Router for DNS - TCP"
add action=redirect chain=dstnat dst-port=53 \
protocol=udp to-ports=53 comment=\
"Force Users to Router for DNS - UDP"
# This rule's match set (UDP/53, neither from nor to a router address) is a
# subset of the UDP redirect above, so it only takes effect if that rule
# is removed.
add action=redirect chain=dstnat comment=\
"Block DNS Hijacking for Local area Network" \
dst-address-type=!local dst-port=53 \
protocol=udp src-address-type=!local
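/ip firewall filter
# Login brute-force ladder: a new connection to 21/22/23/8291 lists the
# source on login_stage1 (1m); a second within that minute on login_stage2;
# a third on login_blacklist for 1d, which rule 1 then drops. These run
# before the LAN accept, so a LAN host probing those ports is listed too.
# With every /ip service disabled above, nothing actually listens there,
# so in practice these mostly catch scanners.
add action=drop chain=input comment="drop login brute forcers 1" dst-port=\
21,22,23,8291 protocol=tcp src-address-list=login_blacklist
add action=add-src-to-address-list address-list=login_blacklist \
address-list-timeout=1d chain=input comment="drop login brute forcers 2" \
connection-state=new dst-port=21,22,23,8291 protocol=tcp \
src-address-list=login_stage2
add action=add-src-to-address-list address-list=login_stage2 \
address-list-timeout=1m chain=input comment="drop login brute forcers 3" \
connection-state=new dst-port=21,22,23,8291 protocol=tcp \
src-address-list=login_stage1
add action=add-src-to-address-list address-list=login_stage1 \
address-list-timeout=1m chain=input comment="drop login brute forcers 4" \
connection-state=new dst-port=21,22,23,8291 protocol=tcp
# Port-scan detection: psd plus the classic illegal flag combinations feed
# the "port scanners" list for 2w; the list is dropped on input only.
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="Port scanners to list" \
protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="NMAP FIN Stealth scan" \
protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="SYN/FIN scan" protocol=tcp \
tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="SYN/RST scan" protocol=tcp \
tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" protocol=\
tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="ALL/ALL scan" protocol=tcp \
tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="NMAP NULL scan" protocol=tcp \
tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=input comment="Dropping port scanners(Input)" \
src-address-list="port scanners"
# Same three-stage ladder for SSH alone (1w3d blacklist); the SSH blacklist
# is also dropped in forward, i.e. for transit SSH towards LAN hosts.
add action=drop chain=input comment="drop ssh brute forcers" dst-port=22 \
protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist \
address-list-timeout=1w3d chain=input connection-state=new dst-port=22 \
protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
address-list-timeout=1m chain=input connection-state=new dst-port=22 \
protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
address-list-timeout=1m chain=input connection-state=new dst-port=22 \
protocol=tcp
add action=drop chain=forward comment="Drop SSH Brute Downstream" \
dst-port=22 protocol=tcp src-address-list=ssh_blacklist
# Input chain policy: established/related first, invalid dropped, ICMP
# handled in its own chain, LAN accepted, everything else dropped.
add chain=input connection-state=established,related \
comment="Accept established and related packets"
add action=drop chain=input connection-state=invalid \
comment="Drop invalid packets"
add action=jump chain=input jump-target=icmp protocol=icmp \
comment="Jump for icmp input flow"
# Fixed: this accept matched on source address alone and sits above the
# NotPublic drop below, so a packet arriving on pppoe-out1 with a forged
# 192.168.88.x source was accepted here before that rule could see it
# (rp-filter is off in /ip settings, so the kernel did not catch it
# either). Requiring the LAN interface list closes that gap.
add chain=input in-interface-list=LAN src-address-list=LAN \
comment="Accept all connections from local network"
add action=drop chain=input dst-address-type=!local comment=\
"Drop all packets which are not destined to routes IP address"
add action=drop chain=input src-address-type=!unicast comment=\
"Drop all packets which does not have unicast source IP address"
add action=drop chain=input in-interface=pppoe-out1 \
src-address-list=NotPublic comment=\
"Drop all packets from public internet which should not exist in public network"
# Final input drop is logged; scanners are already dropped silently above,
# which keeps this log from being flooded by them.
add action=drop chain=input log=yes log-prefix="Drop All" \
comment="Drop Rule - Input Chain"
# Forward chain: there is no final drop, so transit traffic is allowed by
# default; unsolicited new connections from the WAN are dropped unless a
# dst-nat rule created them, and bogon sources/destinations and
# non-LAN sources on the bridge are dropped.
add chain=forward connection-state=established,related \
comment="Accept established and related packets"
add action=drop chain=forward connection-state=invalid \
comment="Drop invalid packets"
add action=drop chain=forward connection-nat-state=!dstnat \
connection-state=new in-interface=pppoe-out1 comment=\
"Drop new connections from internet which are not dst-natted"
add action=drop chain=forward in-interface=pppoe-out1 \
src-address-list=NotPublic comment=\
"Drop all packets from public internet which should not exist in public network"
add action=drop chain=forward dst-address-list=NotPublic \
in-interface=bridge comment=\
"Drop all packets from LAN to internet which should not exist in public network"
add action=drop chain=forward in-interface=bridge \
src-address=!192.168.88.0/24 comment=\
"Drop all packets in local network which does not have local network address"
add action=jump chain=forward jump-target=icmp protocol=icmp \
comment="Jump for icmp forward flow"
# icmp chain, shared by the input, forward and output jumps: rules without
# an action accept the listed type:code; anything else is logged and
# dropped.
add chain=icmp icmp-options=0:0 protocol=icmp \
comment="Echo Reply"
add chain=icmp icmp-options=3:0 protocol=icmp \
comment="Net Unreachable"
add chain=icmp icmp-options=3:1 protocol=icmp \
comment="Host Unreachable"
add chain=icmp icmp-options=3:4 protocol=icmp \
comment="Fragmentation Needed and DF set"
add chain=icmp icmp-options=4:0 protocol=icmp \
comment="Source Quench"
add chain=icmp icmp-options=8:0 protocol=icmp \
comment="Allow Echo Request"
add chain=icmp icmp-options=11:0 protocol=icmp \
comment="Allow Time Exceeded"
add chain=icmp icmp-options=12:0 protocol=icmp \
comment="Parameter Bad"
add action=drop chain=icmp log=yes \
log-prefix="Drop Other Types" comment="Deny Other Types"
add action=jump chain=output jump-target=icmp protocol=icmp \
comment="Jump for icmp output flow"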
/system scheduler
# SetNtpServers: at startup and every 6h, resolve the pool names in
# arrNtpSystems and, when the resolved address differs from the current
# primary-ntp/secondary-ntp value, rewrite that value through a parsed
# "/system ntp client set ..." command. The on-event value below is the
# exported script body; the forum paste has mangled its line endings (note
# the mix of "\\" and "\" continuations on the first lines and the "\\""
# before SetNtpServers), so verify that it imports and runs cleanly before
# relying on it.
# NOTE(review): the policy list grants far more than the script uses -
# ftp, reboot, policy, password, sniff, sensitive and romon play no part in
# resolving a name or setting the NTP client. Trim it to the minimum the
# target RouterOS version requires for :resolve and /system ntp client set.
# NOTE(review): the NTP client above is already given server-dns-names, and
# the primary-ntp/secondary-ntp parameters this script sets are not present
# on every RouterOS release - confirm the script is still needed.
add comment="Check and set NTP servers" interval=6h name=SetNtpServers \
on-event="# SetNtpServers - Check and set NTP servers from NTP pool\\

# v1.2 Tested and Developed on ROS v5.7\\

#\\

# Change the following line as needed as progName should match script na\\
me \\

:local progName \\"SetNtpServers\";\

\

# Array of NTP pools to use (check www.pool.ntp.org) one or a maximum of\
\_two, a primary & secondary\

# Modify the following line and array variable based on your locale (def\
ault is north america).\

:local arrNtpSystems (\"taiwan.pool.ntp.org\", \"asia.pool.ntp.org\");\

# Alternatively the TW related pool below can be used. \

#:local arrNtpSystems (\"taiwan.pool.ntp.org\", \"asia.pool.ntp.org\");\

#\

# No modification is necessary beyond this line.\

:put \"\$progName: Running...\";\

:log info \"\$progName: Running...\";\

:set arrNtpSystems [ :toarray \$arrNtpSystems ];\

:if (( [ :len \$arrNtpSystems ] < 1 ) or ( [ :len \$arrNtpSystems ] > 2 \
)) do={ \

:put \"\$progName: ERROR NTP Systems array (\\\$arrNtpSystems) must \
be either one or two DNS names.\";\

:log info \"\$progName: ERROR NTP Systems array (\\\$arrNtpSystems) \
must be either one or two DNS names.\";\

} else={\

:local arrRosNtpSetting (\"primary-ntp\", \"secondary-ntp\");\

:local i 0;\

:foreach strNtpSystem in (\$arrNtpSystems) do={\

:local ipAddrNtpSystem [ :resolve \$strNtpSystem ];\

:local strRosNtpSetting [ :pick \$arrRosNtpSetting \$i ];\

:local strCurrentNtpIp [ /system ntp client get \$strRosNtpSetti\
ng ];\

:put \"\$progName: NTP server DNS name \$strNtpSystem resolves t\
o \$ipAddrNtpSystem.\";\

:log info \"\$progName: NTP server DNS name \$strNtpSystem resol\
ves to \$ipAddrNtpSystem.\";\

:put \"\$progName: Current \$strRosNtpSetting setting is \$strCu\
rrentNtpIp.\";\

:log info \"\$progName: Current \$strRosNtpSetting setting is \$\
strCurrentNtpIp.\";\

:if ( [ :toip \$ipAddrNtpSystem ] != [ :toip \$strCurrentNtpIp ]\
\_) do={\

:put \"\$progName: Changing \$strRosNtpSetting setting to \$\
ipAddrNtpSystem.\";\

:log info \"\$progName: Changing \$strRosNtpSetting setting \
to \$ipAddrNtpSystem.\";\

:local strCommand [ :parse \"/system ntp client set \$strRos\
NtpSetting=\\\"\$ipAddrNtpSystem\\\"\" ];\

\$strCommand;\

} else={\

:put \"\$progName: No changes were made for the \$strRosNtpS\
etting NTP setting.\";\

:log info \"\$progName: No changes were made for the \$strRo\
sNtpSetting NTP setting.\";\

}\

:set i (\$i + 1);\

}\

}\

:put \"\$progName: Done.\";\

:log info \"\$progName: Done.\";" policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-time=startup
/queue type
# PCQ gives every address its own sub-queue: downloads are fair-shared by
# destination, uploads by source.
add kind=pcq name=PCQ_download pcq-classifier=dst-address
add kind=pcq name=PCQ_upload pcq-classifier=src-address
/queue tree
# Shaping keyed on the packet marks set in /ip firewall mangle:
# client_download is everything that entered on pppoe-out1 (queued on the
# bridge), client_upload everything that entered on the bridge (queued on
# pppoe-out1). The limits presumably sit just under the line rate - adjust
# them to the actual link.
add burst-limit=100M burst-threshold=88M burst-time=5s max-limit=95M \
name=queue1 packet-mark=client_download parent=bridge queue=\
PCQ_download
add burst-limit=40M burst-threshold=20M burst-time=5s max-limit=38M \
name=queue2 packet-mark=client_upload parent=pppoe-out1 queue=\
PCQ_upload
/ip firewall mangle
# Classification only: this section clamps MSS, sets the packet marks the
# queue tree shapes on, and tags every new connection with a service name.
# No rule here drops or rewrites anything else.
add action=change-mss chain=forward comment="Change MSS" \
new-mss=clamp-to-pmtu passthrough=yes protocol=tcp tcp-flags=syn
add action=change-mss chain=output new-mss=clamp-to-pmtu \
passthrough=yes protocol=tcp tcp-flags=syn
# Packet marks for /queue tree; direction is decided purely by the ingress
# interface.
add action=mark-packet chain=prerouting in-interface=bridge \
new-packet-mark=client_upload passthrough=yes
add action=mark-packet chain=prerouting in-interface=pppoe-out1 \
new-packet-mark=client_download passthrough=yes
# Dispatch new connections into the per-protocol classification chains.
# The first jump (tcp/443) is fully covered by the second (all new tcp), so
# it is redundant unless another rule is later placed between them.
add action=jump chain=prerouting connection-state=new dst-port=443 \
jump-target=tcp-services protocol=tcp
add action=jump chain=prerouting connection-state=new jump-target=\
tcp-services protocol=tcp
add action=jump chain=prerouting connection-state=new jump-target=\
udp-services protocol=udp
add action=jump chain=prerouting connection-state=new jump-target=\
other-services
# tcp-services: the first matching rule names the connection and stops
# (passthrough=no); the last rule catches whatever is left as other-tcp.
# Most rules also require an ephemeral source port (1024-65535). The
# spotify rules key on a hard-coded netblock (78.31.0.0/16) that may have
# gone stale - verify before relying on that mark.
add action=mark-connection chain=tcp-services dst-port=20-21 \
new-connection-mark=ftp passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services dst-port=22 \
new-connection-mark=ssh passthrough=no protocol=tcp src-port=513-65535
add action=mark-connection chain=tcp-services dst-port=23 \
new-connection-mark=telnet passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services dst-port=25 \
new-connection-mark=smtp passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services dst-port=53 \
new-connection-mark=dns passthrough=no protocol=tcp src-port=53
add action=mark-connection chain=tcp-services dst-port=53 \
new-connection-mark=dns passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services dst-port=80 \
new-connection-mark=http passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services dst-port=110 \
new-connection-mark=pop3 passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services dst-port=113 \
new-connection-mark=auth passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services dst-port=119 \
new-connection-mark=nntp passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services dst-port=137-139 \
new-connection-mark=netbios passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services dst-port=143 \
new-connection-mark=imap passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services dst-port=161-162 \
new-connection-mark=snmp passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services dst-address=78.31.0.0/16 \
dst-port=443 new-connection-mark=spotify passthrough=no \
protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services dst-address=!78.31.0.0/16 \
dst-port=443 new-connection-mark=https passthrough=no \
protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services dst-port=445 \
new-connection-mark=ms-ds passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services dst-port=465 \
new-connection-mark=smtps passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services dst-port=990 \
new-connection-mark=ftps passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services dst-port=993 \
new-connection-mark=imaps passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services dst-port=995 \
new-connection-mark=pop3s passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services dst-port=1080 \
new-connection-mark=socks passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services dst-port=1723 \
new-connection-mark=pptp passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services dst-port=1863 \
new-connection-mark=msn passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services dst-port=2379 \
new-connection-mark=kgs passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services dst-port=3128 \
new-connection-mark=squid-proxy passthrough=no protocol=tcp \
src-port=1024-65535
add action=mark-connection chain=tcp-services dst-port=3389 \
new-connection-mark=win-ts passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services dst-port=3845 \
new-connection-mark=smartpass passthrough=no protocol=tcp \
src-port=1024-65535
add action=mark-connection chain=tcp-services dst-port=4070 \
new-connection-mark=spotify passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services dst-port=2000-3000 \
new-connection-mark=bwtest passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services dst-port=4242-4243 \
new-connection-mark=emule passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services dst-port=1024-65535 \
new-connection-mark=overnet passthrough=no protocol=tcp src-port=4661-4662
add action=mark-connection chain=tcp-services dst-port=1024-65535 \
new-connection-mark=emule passthrough=no protocol=tcp src-port=4711
add action=mark-connection chain=tcp-services dst-port=5900-5901 \
new-connection-mark=vnc passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services dst-port=6667-6669 \
new-connection-mark=irc passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services dst-port=8080 \
new-connection-mark=http-proxy passthrough=no protocol=tcp \
src-port=1024-65535
add action=mark-connection chain=tcp-services dst-port=8291 \
new-connection-mark=winbox passthrough=no protocol=tcp \
src-port=1024-65535
add action=mark-connection chain=tcp-services dst-port=42041-42052 \
new-connection-mark=voddler passthrough=no protocol=tcp \
src-port=1024-65535
add action=mark-connection chain=tcp-services dst-port=55536-55663 \
new-connection-mark=ftp-passive passthrough=no protocol=tcp \
src-port=1024-65535
add action=mark-connection chain=tcp-services new-connection-mark=\
other-tcp passthrough=no protocol=tcp
# udp-services: same first-match-wins scheme for UDP, ending in other-udp.
add action=mark-connection chain=udp-services dst-port=53 \
new-connection-mark=dns passthrough=no protocol=udp \
src-port=1024-65535
add action=mark-connection chain=udp-services dst-port=67 \
new-connection-mark=dhcp passthrough=no protocol=udp src-port=67-68
add action=mark-connection chain=udp-services dst-port=123 \
new-connection-mark=ntp passthrough=no protocol=udp src-port=123
add action=mark-connection chain=udp-services dst-port=123 \
new-connection-mark=ntp passthrough=no protocol=udp \
src-port=1024-65535
add action=mark-connection chain=udp-services dst-port=137-139 \
new-connection-mark=netbios passthrough=no protocol=udp \
src-port=1024-65535
add action=mark-connection chain=udp-services dst-port=161-162 \
new-connection-mark=snmp passthrough=no protocol=udp \
src-port=1024-65535
add action=mark-connection chain=udp-services dst-port=514 \
new-connection-mark=syslog passthrough=no protocol=udp \
src-port=1024-65535
add action=mark-connection chain=udp-services dst-port=1701 \
new-connection-mark=l2tp passthrough=no protocol=udp \
src-port=1024-65535
add action=mark-connection chain=udp-services dst-port=3544 \
new-connection-mark=ms-ipv6 passthrough=no protocol=udp \
src-port=1024-65535
add action=mark-connection chain=udp-services dst-port=4665 \
new-connection-mark=emule passthrough=no protocol=udp \
src-port=1024-65535
add action=mark-connection chain=udp-services dst-port=4672 \
new-connection-mark=emule passthrough=no protocol=udp \
src-port=1024-65535
add action=mark-connection chain=udp-services dst-port=2000-3000 \
new-connection-mark=bwtest passthrough=no protocol=udp \
src-port=1024-65535
add action=mark-connection chain=udp-services dst-port=1024-65535 \
new-connection-mark=emule passthrough=no protocol=udp src-port=4672
add action=mark-connection chain=udp-services dst-port=12053 \
new-connection-mark=overnet passthrough=no protocol=udp \
src-port=1024-65535
add action=mark-connection chain=udp-services dst-port=20561 \
new-connection-mark=mac-winbox passthrough=no protocol=udp \
src-port=1024-65535
add action=mark-connection chain=udp-services dst-port=42041-42052 \
new-connection-mark=voddler passthrough=no protocol=udp \
src-port=1024-65535
add action=mark-connection chain=udp-services dst-port=1024-65535 \
new-connection-mark=overnet passthrough=no protocol=udp src-port=12053
add action=mark-connection chain=udp-services dst-port=1024-65535 \
new-connection-mark=skype passthrough=no protocol=udp src-port=36725
add action=mark-connection chain=udp-services new-connection-mark=\
other-udp passthrough=no protocol=udp
# other-services: everything that is neither TCP nor UDP.
add action=mark-connection chain=other-services icmp-options=8:0-255 \
new-connection-mark=ping passthrough=no protocol=icmp
add action=mark-connection chain=other-services new-connection-mark=gre \
passthrough=no protocol=gre
add action=mark-connection chain=other-services new-connection-mark=other \
passthrough=no
/ip firewall raw
# Dropped in raw (before connection tracking) with no interface match, so
# it applies in every direction: Teredo cannot be used to tunnel IPv6
# around the IPv4 filter rules. 3544 is the Teredo server port; the
# author also lists 3545 (the mangle rule above marks only 3544 as
# ms-ipv6).
add action=drop chain=prerouting comment="Block Teredo IPv6-tunnel" \
dst-port=3544,3545 protocol=udp
NeverGiveUp!! wrote:
更正一下.弄精簡一...(恕刪)
--
YUNGBLUD, Halsey - 11 Minutes ft. Travis Barker
寶貝:)開心最重要.嘻哈!
E版於2020/02/25已定版安心使用.
--
/interface bridge
add fast-forward=no igmp-snooping=no name=bridge
/interface bridge port(除非當中繼或開VLAN及需連數據機則用.反之則建議停用.)
add bridge=bridge comment=defconf disabled=yes interface=ether1

add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf disabled=yes interface=wlan1
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge \
network=192.168.88.0
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 \
gateway=192.168.88.1 netmask=24
/ip dns
set allow-remote-requests=yes cache-max-ttl=0s servers=\
168.95.192.1,168.95.1.1
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip neighbor discovery-settings
set discover-interface-list=none
/ip settings
set rp-filter=no
set tcp-syncookies=no
ip cloud
set update-time=no
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set winbox disabled=yes
set api-ssl disabled=yes
/system logging
add topics=wireless,debug
/system ntp client
set enabled=yes server-dns-names=\
0.pool.ntp.org,1.pool.ntp.org,2.pool.ntp.org,3.pool.ntp.org
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool mac-server ping
set enabled=no
/ip firewall address-list
add address=192.168.88.2-192.168.88.254 list=LAN
add address=0.0.0.0/8 list=NotPublic
add address=10.0.0.0/8 list=NotPublic
add address=100.64.0.0/10 list=NotPublic
add address=127.0.0.0/8 list=NotPublic
add address=169.254.0.0/16 list=NotPublic
add address=172.16.0.0/12 list=NotPublic
add address=192.0.0.0/24 list=NotPublic
add address=192.0.2.0/24 list=NotPublic
add address=192.88.99.0/24 list=NotPublic
add address=192.168.0.0/16 list=NotPublic
add address=198.18.0.0/15 list=NotPublic
add address=198.51.100.0/24 list=NotPublic
add address=203.0.113.0/24 list=NotPublic
add address=224.0.0.0/3 list=NotPublic
/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe-out1 \
comment="NAT from local address back to public IP"
add action=redirect chain=dstnat dst-port=53 \
protocol=tcp to-ports=53 comment=\
"Force Users to Router for DNS - TCP"
add action=redirect chain=dstnat dst-port=53 \
protocol=udp to-ports=53 comment=\
"Force Users to Router for DNS - UDP"
add action=redirect chain=dstnat comment=\
"Block DNS Hijacking for Local area Network" \
dst-address-type=!local dst-port=53 \
protocol=udp src-address-type=!local
/ip firewall filter
add action=drop chain=input comment="drop login brute forcers 1" dst-port=\
21,22,23,8291 protocol=tcp src-address-list=login_blacklist
add action=add-src-to-address-list address-list=login_blacklist \
address-list-timeout=1d chain=input comment="drop login brute forcers 2" \
connection-state=new dst-port=21,22,23,8291 protocol=tcp \
src-address-list=login_stage2
add action=add-src-to-address-list address-list=login_stage2 \
address-list-timeout=1m chain=input comment="drop login brute forcers 3" \
connection-state=new dst-port=21,22,23,8291 protocol=tcp \
src-address-list=login_stage1
add action=add-src-to-address-list address-list=login_stage1 \
address-list-timeout=1m chain=input comment="drop login brute forcers 4" \
connection-state=new dst-port=21,22,23,8291 protocol=tcp
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="Port scanners to list" \
protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="NMAP FIN Stealth scan" \
protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="SYN/FIN scan" protocol=tcp \
tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="SYN/RST scan" protocol=tcp \
tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" protocol=\
tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="ALL/ALL scan" protocol=tcp \
tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="NMAP NULL scan" protocol=tcp \
tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=input comment="Dropping port scanners(Input)" \
src-address-list="port scanners"
add action=drop chain=input comment="drop ssh brute forcers" dst-port=22 \
protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist \
address-list-timeout=1w3d chain=input connection-state=new dst-port=22 \
protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
address-list-timeout=1m chain=input connection-state=new dst-port=22 \
protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
address-list-timeout=1m chain=input connection-state=new dst-port=22 \
protocol=tcp
add action=drop chain=forward comment="Drop SSH Brute Downstream" \
dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=drop chain=input connection-state=invalid \
comment="Drop invalid packets"
add chain=input connection-state=established \
comment="Accept established packets"
add action=jump chain=input jump-target=icmp protocol=icmp \
comment="Jump for icmp input flow"
add chain=input src-address-list=LAN \
comment="Accept all connections from local network"
add action=drop chain=input dst-address-type=!local comment=\
"Drop all packets which are not destined to routes IP address"
add action=drop chain=input src-address-type=!unicast comment=\
"Drop all packets which does not have unicast source IP address"
add action=drop chain=input in-interface=pppoe-out1 \
src-address-list=NotPublic comment=\
"Drop all packets from public internet which should not exist in public network"
add action=drop chain=input log=yes log-prefix="Drop All" \
comment="Drop Rule - Input Chain"
add action=drop chain=forward connection-state=invalid \
comment="Drop invalid packets"
add chain=forward connection-state=established,related \
comment="Accept established and related packets"
add action=drop chain=forward connection-nat-state=!dstnat \
connection-state=new in-interface=pppoe-out1 comment=\
"Drop new connections from internet which are not dst-natted"
add action=drop chain=forward in-interface=pppoe-out1 \
src-address-list=NotPublic comment=\
"Drop all packets from public internet which should not exist in public network"
add action=drop chain=forward dst-address-list=NotPublic \
in-interface=bridge comment=\
"Drop all packets from LAN to internet which should not exist in public network"
add action=drop chain=forward in-interface=bridge \
src-address=!192.168.88.0/24 comment=\
"Drop all packets in local network which does not have local network address"
add action=jump chain=forward jump-target=icmp protocol=icmp \
comment="Jump for icmp forward flow"
add chain=icmp icmp-options=0:0 protocol=icmp \
comment="Echo Reply"
add chain=icmp icmp-options=3:0 protocol=icmp \
comment="Net Unreachable"
add chain=icmp icmp-options=3:1 protocol=icmp \
comment="Host Unreachable"
add chain=icmp icmp-options=3:4 protocol=icmp \
comment="Fragmentation Needed and DF set"
add chain=icmp icmp-options=4:0 protocol=icmp \
comment="Source Quench"
add chain=icmp icmp-options=8:0 protocol=icmp \
comment="Allow Echo Request"
add chain=icmp icmp-options=11:0 protocol=icmp \
comment="Allow Time Exceeded"
add chain=icmp icmp-options=12:0 protocol=icmp \
comment="Parameter Bad"
add action=drop chain=icmp log=yes \
log-prefix="Drop Other Types" comment="Deny Other Types"
add action=jump chain=output jump-target=icmp protocol=icmp \
comment="Jump for icmp output flow"
/system scheduler
add comment="Check and set NTP servers" interval=6h name=SetNtpServers \
on-event="# SetNtpServers - Check and set NTP servers from NTP pool\\

# v1.2 Tested and Developed on ROS v5.7\\

#\\

# Change the following line as needed as progName should match script na\\
me \\

:local progName \\"SetNtpServers\";\

\

# Array of NTP pools to use (check www.pool.ntp.org) one or a maximum of\
\_two, a primary & secondary\

# Modify the following line and array variable based on your locale (def\
ault is north america).\

:local arrNtpSystems (\"taiwan.pool.ntp.org\", \"asia.pool.ntp.org\");\

# Alternatively the TW related pool below can be used. \

#:local arrNtpSystems (\"taiwan.pool.ntp.org\", \"asia.pool.ntp.org\");\

#\

# No modification is necessary beyond this line.\

:put \"\$progName: Running...\";\

:log info \"\$progName: Running...\";\

:set arrNtpSystems [ :toarray \$arrNtpSystems ];\

:if (( [ :len \$arrNtpSystems ] < 1 ) or ( [ :len \$arrNtpSystems ] > 2 \
)) do={ \

:put \"\$progName: ERROR NTP Systems array (\\\$arrNtpSystems) must \
be either one or two DNS names.\";\

:log info \"\$progName: ERROR NTP Systems array (\\\$arrNtpSystems) \
must be either one or two DNS names.\";\

} else={\

:local arrRosNtpSetting (\"primary-ntp\", \"secondary-ntp\");\

:local i 0;\

:foreach strNtpSystem in (\$arrNtpSystems) do={\

:local ipAddrNtpSystem [ :resolve \$strNtpSystem ];\

:local strRosNtpSetting [ :pick \$arrRosNtpSetting \$i ];\

:local strCurrentNtpIp [ /system ntp client get \$strRosNtpSetti\
ng ];\

:put \"\$progName: NTP server DNS name \$strNtpSystem resolves t\
o \$ipAddrNtpSystem.\";\

:log info \"\$progName: NTP server DNS name \$strNtpSystem resol\
ves to \$ipAddrNtpSystem.\";\

:put \"\$progName: Current \$strRosNtpSetting setting is \$strCu\
rrentNtpIp.\";\

:log info \"\$progName: Current \$strRosNtpSetting setting is \$\
strCurrentNtpIp.\";\

:if ( [ :toip \$ipAddrNtpSystem ] != [ :toip \$strCurrentNtpIp ]\
\_) do={\

:put \"\$progName: Changing \$strRosNtpSetting setting to \$\
ipAddrNtpSystem.\";\

:log info \"\$progName: Changing \$strRosNtpSetting setting \
to \$ipAddrNtpSystem.\";\

:local strCommand [ :parse \"/system ntp client set \$strRos\
NtpSetting=\\\"\$ipAddrNtpSystem\\\"\" ];\

\$strCommand;\

} else={\

:put \"\$progName: No changes were made for the \$strRosNtpS\
etting NTP setting.\";\

:log info \"\$progName: No changes were made for the \$strRo\
sNtpSetting NTP setting.\";\

}\

:set i (\$i + 1);\

}\

}\

:put \"\$progName: Done.\";\

:log info \"\$progName: Done.\";" policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-time=startup
/queue type
# PCQ queue kinds referenced by /queue tree below. pcq-classifier decides
# how the queue is split into sub-queues: by destination address for the
# download direction and by source address for upload, i.e. one sub-queue
# per LAN client so bandwidth is shared per host rather than per flow.
add kind=pcq name=PCQ_download pcq-classifier=dst-address
add kind=pcq name=PCQ_upload pcq-classifier=src-address
/queue tree
# Shapes each direction using the packet marks set in /ip firewall mangle
# (client_download on the LAN bridge, client_upload on the PPPoE uplink).
# The limits are fixed numbers tuned for one particular line (about 100M
# down / 40M up); adjust max-limit/burst-* to the real link speed, otherwise
# the shaper either never engages or throttles the link below capacity.
add burst-limit=100M burst-threshold=88M burst-time=5s max-limit=95M \
name=queue1 packet-mark=client_download parent=bridge queue=\
PCQ_download
add burst-limit=40M burst-threshold=20M burst-time=5s max-limit=38M \
name=queue2 packet-mark=client_upload parent=pppoe-out1 queue=\
PCQ_upload
/ip firewall mangle
# Mangle only marks and rewrites; nothing in this table accepts or drops.
# The rules below are traffic classification for QoS/accounting, not
# access control - filtering has to live in /ip firewall filter or raw.
# MSS clamping on forwarded and router-originated TCP SYNs, the usual fix
# for a PPPoE uplink whose MTU is below 1500. passthrough=yes lets the SYN
# continue through the remaining mangle rules after being rewritten.
add action=change-mss chain=forward comment="Change MSS" \
new-mss=clamp-to-pmtu passthrough=yes protocol=tcp tcp-flags=syn
add action=change-mss chain=output new-mss=clamp-to-pmtu \
passthrough=yes protocol=tcp tcp-flags=syn
# Direction marks consumed by /queue tree: anything arriving on the LAN
# bridge is client_upload, anything arriving on the PPPoE uplink is
# client_download. No protocol match, so every packet gets one of them.
add action=mark-packet chain=prerouting in-interface=bridge \
new-packet-mark=client_upload passthrough=yes
add action=mark-packet chain=prerouting in-interface=pppoe-out1 \
new-packet-mark=client_download passthrough=yes
# Only the first packet of a connection (connection-state=new) is sent to
# the per-protocol chains; the connection mark assigned there then stays
# with the whole flow via connection tracking.
# NOTE(review): the tcp/443 jump is a strict subset of the unconditional
# TCP jump right after it, so it adds nothing the next rule would not do
# (depending on how the target chain returns, a 443 SYN may even traverse
# tcp-services twice). Confirm the intent before removing it.
add action=jump chain=prerouting connection-state=new dst-port=443 \
jump-target=tcp-services protocol=tcp
add action=jump chain=prerouting connection-state=new jump-target=\
tcp-services protocol=tcp
add action=jump chain=prerouting connection-state=new jump-target=\
udp-services protocol=udp
add action=jump chain=prerouting connection-state=new jump-target=\
other-services
# tcp-services: one connection mark per well-known destination port.
# passthrough=no makes the first matching rule final, so rule order matters
# and the catch-all other-tcp at the bottom only sees what nothing above
# claimed. Most rules additionally require an unprivileged client source
# port (1024-65535); a connection from a low source port misses the named
# mark and falls through to other-tcp. Exceptions: ssh accepts 513-65535,
# dns has an extra rule for src-port=53, and the overnet/emule rules match
# on the *source* port instead.
# NOTE(review): no rule visible in this export consumes these connection
# marks (the queue tree uses the packet marks above), so presumably they
# feed monitoring or rules kept elsewhere - verify before relying on them.
add action=mark-connection chain=tcp-services dst-port=20-21 \
new-connection-mark=ftp passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services dst-port=22 \
new-connection-mark=ssh passthrough=no protocol=tcp src-port=513-65535
add action=mark-connection chain=tcp-services dst-port=23 \
new-connection-mark=telnet passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services dst-port=25 \
new-connection-mark=smtp passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services dst-port=53 \
new-connection-mark=dns passthrough=no protocol=tcp src-port=53
add action=mark-connection chain=tcp-services dst-port=53 \
new-connection-mark=dns passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services dst-port=80 \
new-connection-mark=http passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services dst-port=110 \
new-connection-mark=pop3 passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services dst-port=113 \
new-connection-mark=auth passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services dst-port=119 \
new-connection-mark=nntp passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services dst-port=137-139 \
new-connection-mark=netbios passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services dst-port=143 \
new-connection-mark=imap passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services dst-port=161-162 \
new-connection-mark=snmp passthrough=no protocol=tcp src-port=1024-65535
# Spotify is split out of generic https by a hard-coded destination block
# (78.31.0.0/16); the negated twin right after it keeps everything else on
# 443 as https. NOTE(review): provider address space changes over time -
# verify this prefix is still current, otherwise the split silently stops
# working and all of it lands in https.
add action=mark-connection chain=tcp-services dst-address=78.31.0.0/16 \
dst-port=443 new-connection-mark=spotify passthrough=no \
protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services dst-address=!78.31.0.0/16 \
dst-port=443 new-connection-mark=https passthrough=no \
protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services dst-port=445 \
new-connection-mark=ms-ds passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services dst-port=465 \
new-connection-mark=smtps passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services dst-port=990 \
new-connection-mark=ftps passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services dst-port=993 \
new-connection-mark=imaps passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services dst-port=995 \
new-connection-mark=pop3s passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services dst-port=1080 \
new-connection-mark=socks passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services dst-port=1723 \
new-connection-mark=pptp passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services dst-port=1863 \
new-connection-mark=msn passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services dst-port=2379 \
new-connection-mark=kgs passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services dst-port=3128 \
new-connection-mark=squid-proxy passthrough=no protocol=tcp \
src-port=1024-65535
add action=mark-connection chain=tcp-services dst-port=3389 \
new-connection-mark=win-ts passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services dst-port=3845 \
new-connection-mark=smartpass passthrough=no protocol=tcp \
src-port=1024-65535
add action=mark-connection chain=tcp-services dst-port=4070 \
new-connection-mark=spotify passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services dst-port=2000-3000 \
new-connection-mark=bwtest passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services dst-port=4242-4243 \
new-connection-mark=emule passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services dst-port=1024-65535 \
new-connection-mark=overnet passthrough=no protocol=tcp src-port=4661-4662
add action=mark-connection chain=tcp-services dst-port=1024-65535 \
new-connection-mark=emule passthrough=no protocol=tcp src-port=4711
add action=mark-connection chain=tcp-services dst-port=5900-5901 \
new-connection-mark=vnc passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services dst-port=6667-6669 \
new-connection-mark=irc passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services dst-port=8080 \
new-connection-mark=http-proxy passthrough=no protocol=tcp \
src-port=1024-65535
add action=mark-connection chain=tcp-services dst-port=8291 \
new-connection-mark=winbox passthrough=no protocol=tcp \
src-port=1024-65535
add action=mark-connection chain=tcp-services dst-port=42041-42052 \
new-connection-mark=voddler passthrough=no protocol=tcp \
src-port=1024-65535
add action=mark-connection chain=tcp-services dst-port=55536-55663 \
new-connection-mark=ftp-passive passthrough=no protocol=tcp \
src-port=1024-65535
# Catch-all: any new TCP connection no rule above claimed.
add action=mark-connection chain=tcp-services new-connection-mark=\
other-tcp passthrough=no protocol=tcp
# udp-services: same scheme for UDP. ntp has both a server-side
# (src-port=123) and an ephemeral-source rule; dhcp only matches the
# 67-68 source ports; dns is matched from ephemeral ports only. The
# emule/overnet/skype rules near the end key on the source port instead.
add action=mark-connection chain=udp-services dst-port=53 \
new-connection-mark=dns passthrough=no protocol=udp \
src-port=1024-65535
add action=mark-connection chain=udp-services dst-port=67 \
new-connection-mark=dhcp passthrough=no protocol=udp src-port=67-68
add action=mark-connection chain=udp-services dst-port=123 \
new-connection-mark=ntp passthrough=no protocol=udp src-port=123
add action=mark-connection chain=udp-services dst-port=123 \
new-connection-mark=ntp passthrough=no protocol=udp \
src-port=1024-65535
add action=mark-connection chain=udp-services dst-port=137-139 \
new-connection-mark=netbios passthrough=no protocol=udp \
src-port=1024-65535
add action=mark-connection chain=udp-services dst-port=161-162 \
new-connection-mark=snmp passthrough=no protocol=udp \
src-port=1024-65535
add action=mark-connection chain=udp-services dst-port=514 \
new-connection-mark=syslog passthrough=no protocol=udp \
src-port=1024-65535
add action=mark-connection chain=udp-services dst-port=1701 \
new-connection-mark=l2tp passthrough=no protocol=udp \
src-port=1024-65535
add action=mark-connection chain=udp-services dst-port=3544 \
new-connection-mark=ms-ipv6 passthrough=no protocol=udp \
src-port=1024-65535
add action=mark-connection chain=udp-services dst-port=4665 \
new-connection-mark=emule passthrough=no protocol=udp \
src-port=1024-65535
add action=mark-connection chain=udp-services dst-port=4672 \
new-connection-mark=emule passthrough=no protocol=udp \
src-port=1024-65535
add action=mark-connection chain=udp-services dst-port=2000-3000 \
new-connection-mark=bwtest passthrough=no protocol=udp \
src-port=1024-65535
add action=mark-connection chain=udp-services dst-port=1024-65535 \
new-connection-mark=emule passthrough=no protocol=udp src-port=4672
add action=mark-connection chain=udp-services dst-port=12053 \
new-connection-mark=overnet passthrough=no protocol=udp \
src-port=1024-65535
add action=mark-connection chain=udp-services dst-port=20561 \
new-connection-mark=mac-winbox passthrough=no protocol=udp \
src-port=1024-65535
add action=mark-connection chain=udp-services dst-port=42041-42052 \
new-connection-mark=voddler passthrough=no protocol=udp \
src-port=1024-65535
add action=mark-connection chain=udp-services dst-port=1024-65535 \
new-connection-mark=overnet passthrough=no protocol=udp src-port=12053
add action=mark-connection chain=udp-services dst-port=1024-65535 \
new-connection-mark=skype passthrough=no protocol=udp src-port=36725
# Catch-all: any new UDP connection no rule above claimed.
add action=mark-connection chain=udp-services new-connection-mark=\
other-udp passthrough=no protocol=udp
# other-services: everything that is neither TCP nor UDP. The ping rule
# matches only ICMP type 8 (echo request) with any code; the last rule has
# no protocol match at all, so whatever remains is marked 'other'.
add action=mark-connection chain=other-services icmp-options=8:0-255 \
new-connection-mark=ping passthrough=no protocol=icmp
add action=mark-connection chain=other-services new-connection-mark=gre \
passthrough=no protocol=gre
add action=mark-connection chain=other-services new-connection-mark=other \
passthrough=no
/ip firewall raw
# The raw table is evaluated before connection tracking, so dropping here
# never creates a tracking entry. No in-interface is given: Teredo
# (UDP 3544/3545) is dropped whether it comes in from the uplink or from a
# LAN client, which stops hosts from tunnelling IPv6 out around the IPv4
# policy. Note the mangle chain above still carries an ms-ipv6 mark for
# 3544 - that rule can never match once this drop is in place.
add action=drop chain=prerouting comment="Block Teredo IPv6-tunnel" \
dst-port=3544,3545 protocol=udp
--
G Eazy & Halsey Perform Him & I (GMA LIVE)
寶貝:)開心最重要.嘻哈!
寶貝:)開心最重要.嘻哈!

KingDavid520 wrote:
玫瑰盛開的季節 ...(恕刪)
...
寶貝:)開心最重要.嘻哈!
寶貝:)開心最重要.嘻哈!
寶貝:)開心最重要.嘻哈!

KingDavid520 wrote:
玫瑰盛開的季節 豐姿舒展、招蜂引蝶


這要像K大這麼有閒情雅緻悠閒時光者...才能等到蜜蜂上門吧?