[Troubleshooting] A question about RouterOS firewall configuration

I've only recently started playing with RouterOS and now have a question I'd like to ask.
At home I'm on the glorious PCCW 8MB line; every so often I can't get online
and have to reboot the ADSL modem. Since switching to RouterOS,
I've noticed that when I can't get online, most of the time there's a bunch of IPs opening a huge number of connections into me.
Since I haven't configured any port forwarding and am not running any server, I don't know why this happens.
My question: I want to use the firewall to mark these IPs into an IP list and then block the IPs in that list,
but what rule should I use to mark them?
[Attachment omitted: requires login to view]

OP, you're being hit by a QOTD UDP DDoS attack.
MikroTik has a rate limiter that helps take the edge off; search the official site for it.


Bro, check whether IP -> DNS -> Allow Remote Requests is enabled in RouterOS. Since it has no way to specify a listen interface, either disable it or use a rule to block WAN requests to port 53.

Reply to #1 天師
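The following is an added example (not code from any of the posters) that ties together the OP's question (a rule that marks the offending sources into an address list, then blocks that list) and a2940u2w's point (the RouterOS resolver has no listen-interface setting, so with Allow Remote Requests on, the router answers DNS for the whole internet, not just the LAN). It shows the weak setting, two corrected forms, and the commands to check the result. Assumptions not taken from the thread: the WAN interface is named ether1-gateway, the LAN is 192.168.88.0/24, and the list name dns_flood and the timeouts are illustrative.

```routeros
# Added example, not code from the thread.
# Assumed names (change to match your router): WAN interface ether1-gateway,
# LAN 192.168.88.0/24, address list dns_flood. Timeouts are illustrative.

# --- weak setting: the resolver answers on every interface, WAN included ---
# /ip dns set allow-remote-requests=yes
# (there is no listen-interface option to narrow this to the LAN)

# --- fix A: no recursive DNS for anyone ---
# LAN hosts must then get DNS elsewhere, e.g. DHCP hands out the ISP's resolvers.
/ip dns set allow-remote-requests=no

# --- fix B: keep the resolver for the LAN, list and drop WAN askers ---
/ip dns set allow-remote-requests=yes
/ip firewall filter
# LAN clients may query the router
add chain=input action=accept protocol=udp dst-port=53 src-address=192.168.88.0/24 comment="LAN DNS udp"
add chain=input action=accept protocol=tcp dst-port=53 src-address=192.168.88.0/24 comment="LAN DNS tcp"
# anything already on the list is dropped before it reaches the resolver
add chain=input action=drop src-address-list=dns_flood in-interface=ether1-gateway comment="drop listed DNS askers"
# WAN sources asking for DNS go on the list (what the OP asked for); entries expire after 1d
add chain=input action=add-src-to-address-list address-list=dns_flood address-list-timeout=1d protocol=udp dst-port=53 in-interface=ether1-gateway comment="list WAN DNS askers udp"
add chain=input action=add-src-to-address-list address-list=dns_flood address-list-timeout=1d protocol=tcp dst-port=53 in-interface=ether1-gateway comment="list WAN DNS askers tcp"
# explicit drops so the very first query is refused too, whatever the list action does with the packet
add chain=input action=drop protocol=udp dst-port=53 in-interface=ether1-gateway comment="drop WAN DNS udp"
add chain=input action=drop protocol=tcp dst-port=53 in-interface=ether1-gateway comment="drop WAN DNS tcp"

# --- checks ---
/ip dns print
/ip firewall filter print stats where chain=input
/ip firewall address-list print where list=dns_flood
```

Rule order matters: these must sit above any general accept for established,related and above the final drop for the WAN interface, so add them with place-before= or move them after adding. One caveat on the list itself: an open resolver is normally abused for DNS amplification, and the query packets carry spoofed source addresses belonging to the victims being flooded, so the addresses that end up in dns_flood are mostly victims rather than the attacker. The list is useful for seeing who is asking and is kept bounded by the timeout, but closing or filtering the resolver is what actually stops the traffic.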


Bro, check whether IP -> DNS -> Allow Remote Requests is enabled in RouterOS. Since it has no way to specify a listen int ...
a2940u2w posted on 2015-12-2 09:15

It was on; I've disabled it now. What does this feature actually do? Accept DNS queries from other people?


OP, you're being hit by a QOTD UDP DDoS attack.
MikroTik has a rate limiter that helps take the edge off; search the official site for it ...
fakeman posted on 2015-12-2 02:00

Thanks, I'll go look it up first.


This post was last edited by whitechunk on 2015-12-2 10:07

Reply to #1 天師

Try this.

Change the in/out-interface names to the ones you're actually using.
```routeros
/ip firewall filter
add action=drop chain=input comment="default configuration" connection-state=invalid
add action=drop chain=input dst-port=53 in-interface=ether1-gateway protocol=tcp
add action=drop chain=input dst-port=53 in-interface=ether1-gateway protocol=udp
add action=drop chain=input comment="drop ssh brute forcers" dst-port=22,23,8291 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1w3d chain=input connection-state=new dst-port=22,23,8291 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m chain=input connection-state=new dst-port=22,23,8291 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=input connection-state=new dst-port=22,23,8291 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input connection-state=new dst-port=22,23,8291 protocol=tcp
add action=add-src-to-address-list address-list=blocked-addr address-list-timeout=1h chain=input comment="Limit TCP incoming connections" connection-limit=100,32 protocol=tcp
add action=tarpit chain=input comment="Action tarpit" connection-limit=3,32 protocol=tcp src-address-list=blocked-addr
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="RouterOS Remote" dst-port=22,23,8088,8291,8728,8729 protocol=tcp
add chain=input comment="default configuration" connection-state=established,related
add action=drop chain=input comment="default configuration" in-interface=ether1-gateway
add action=drop chain=forward comment="default configuration" connection-state=invalid
add action=jump chain=forward comment="SYN Flood protect" connection-state=new jump-target=SYN-Protect protocol=tcp tcp-flags=syn
add action=fasttrack-connection chain=forward comment="default configuration" connection-state=established,related disabled=yes
add chain=forward comment="default configuration" connection-state=established,related
add action=drop chain=forward comment="default configuration" connection-nat-state=!dstnat connection-state=new in-interface=ether1-gateway
add chain=SYN-Protect comment="SYN filtering" connection-state=new limit=400,5 protocol=tcp tcp-flags=syn
add action=drop chain=SYN-Protect connection-state=new protocol=tcp tcp-flags=syn
```
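One change worth making to the ruleset above (this is an added example, not part of whitechunk's export): the "RouterOS Remote" accept rule has no in-interface match and sits above the final drop for ether1-gateway, so ports 22, 23, 8088, 8291, 8728 and 8729 are reachable from the WAN. The staged ssh_blacklist only covers 22, 23 and 8291; the API ports 8728/8729 and 8088 get no brute-force protection at all. Binding the rule to non-WAN interfaces keeps management on the LAN. The interface name is the one used in whitechunk's export; the LAN range 192.168.88.0/24 is an assumption.

```routeros
# Added example, not part of whitechunk's export.
# As posted: management ports accepted from every interface, WAN included
# add chain=input comment="RouterOS Remote" dst-port=22,23,8088,8291,8728,8729 protocol=tcp

/ip firewall filter
# Hardened: accept only from interfaces other than the WAN (ether1-gateway is the name in the export)
add chain=input action=accept comment="RouterOS Remote (not from WAN)" dst-port=22,23,8088,8291,8728,8729 protocol=tcp in-interface=!ether1-gateway

# Tighter still: also require a source in the LAN range (192.168.88.0/24 is assumed)
add chain=input action=accept comment="RouterOS Remote (LAN only)" dst-port=22,23,8088,8291,8728,8729 protocol=tcp in-interface=!ether1-gateway src-address=192.168.88.0/24

# Belt and braces at the service level: switch off what is not used and
# restrict the rest by source address, so a firewall slip does not expose them
/ip service disable telnet
/ip service disable api
/ip service set winbox address=192.168.88.0/24
/ip service set ssh address=192.168.88.0/24
/ip service print
```

Replace the original "RouterOS Remote" rule with one of the two accept rules rather than keeping both; with the original still in place the unrestricted rule matches first and the change has no effect.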
