gfx wrote:
可能還需判定conn...(恕刪)
感謝大大的回覆。
# RouterOS firewall filter export (input/forward chains). Rules are evaluated top to
# bottom and the first rule with a terminating action (drop/accept) wins; a rule with
# no action= is an accept. The comment= strings are Big5 text escaped by the export
# (\XX = one byte); English readings of them are given in the # lines below.
# NOTE(review): there is no "connection-state=established,related" accept anywhere in
# this set. Return traffic is instead admitted by the src-port rules near the end, which
# is the main weakness of this configuration (see the note above those rules).
/ip firewall filter
# --- input: hygiene drops ---
# "Drop packets not for this host": dst-address-type=!local rejects packets whose
# destination is not one of the router's own addresses (in practice broadcast/multicast).
add action=drop chain=input comment="\\A5\\E1\\B1\\F3\\ABD\\A5\\BB\\BE\\F7\\AA\\BA\\AB\\CA\\A5]" dst-address-type=!local
# "Drop invalid packets": connection tracking could not associate them with any flow.
add action=drop chain=input comment="\\A5\\E1\\B1\\F3\\B5L\\AE\\C4\\AA\\BA\\AB\\CA\\A5]" connection-state=invalid
# Same for forward, but invalid packets towards 10.8.0.0/24 are exempted and continue
# to the later rules. Presumably a VPN client pool; the reason for the exemption is not
# stated on the page - confirm it is intended.
add action=drop chain=forward connection-state=invalid dst-address=!10.8.0.0/24
# "Drop multicast packets": rejects anything whose source address is not unicast.
add action=drop chain=input comment="\\A5\\E1\\B1\\F3\\A6h\\BC\\BD\\AA\\BA\\AB\\CA\\A5]" src-address-type=!unicast
# "DoS attack": connection-limit=10,32 drops a TCP connection once the source /32 already
# holds 10 connections to the router. Applies to every TCP service on the router, so a
# busy legitimate client (e.g. several VPN or web sessions) can trip it too.
add action=drop chain=input comment="DoS\\A9\\DA\\B5\\B4\\AAA\\B0\\C8\\A7\\F0\\C0\\BB" connection-limit=10,32 protocol=tcp
# --- input: port-scan detection ---
# "Prevent port scanning": drop TCP from sources previously listed as scanners. The
# list entries below live for 2 weeks (address-list-timeout=2w). add-src-to-address-list
# does not terminate rule processing, so a listed packet is still dropped only by this
# rule on its *next* arrival, not on the packet that caused the listing.
add action=drop chain=input comment="\\A8\\BE\\A4\\EE\\B3Q\\B1\\BD\\BA\\CB Port" protocol=tcp src-address-list="port scanners"
# psd=21,3s,3,1 = weight threshold 21 within 3 s, low-port weight 3, high-port weight 1.
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input protocol=tcp psd=21,3s,3,1
# Flag-combination signatures: FIN-only, FIN+SYN, SYN+RST, "Xmas" (FIN+PSH+URG),
# all flags set, and no flags set (NULL). Each is a single logical rule; the trailing
# backslash continues the command on the next line.
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input protocol=tcp tcp-flags=\
fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input protocol=tcp tcp-flags=\
fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input protocol=tcp tcp-flags=\
fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input protocol=tcp tcp-flags=\
!fin,!syn,!rst,!psh,!ack,!urg
# --- input: PPTP / L2TP connection-rate blacklist ---
# "PPTP/L2TP firewall (blocked after 3 login failures)": the staged lists below count
# *new connections* to tcp/1723 and udp/1701, not authentication failures - a client
# that reconnects four times within one minute is blacklisted for 10 minutes just like
# an attacker. The stage rules are deliberately ordered stage3 -> stage1 so a single
# packet advances only one stage per arrival.
add action=drop chain=input comment="PPTP\\A1\\FEL2TP \\A8\\BE\\A4\\F5\\C0\\F0(\\B5n\\A4J3\\A6\\B8\\BF\\F9\\BB~\\A7Y\\AB\\CA\\C2\\EA)" \
src-address-list=login_blacklist
add action=add-src-to-address-list address-list=login_blacklist address-list-timeout=10m chain=input connection-state=new \
dst-port=1723 protocol=tcp src-address-list=login_stage3
add action=add-src-to-address-list address-list=login_stage3 address-list-timeout=1m chain=input connection-state=new dst-port=\
1723 protocol=tcp src-address-list=login_stage2
add action=add-src-to-address-list address-list=login_stage2 address-list-timeout=1m chain=input connection-state=new dst-port=\
1723 protocol=tcp src-address-list=login_stage1
add action=add-src-to-address-list address-list=login_stage1 address-list-timeout=1m chain=input connection-state=new dst-port=\
1723 protocol=tcp
# udp/1701 is only seen unencapsulated; L2TP carried inside IPsec NAT-T (udp/4500) is
# not counted by these rules.
add action=add-src-to-address-list address-list=login_blacklist address-list-timeout=10m chain=input connection-state=new \
dst-port=1701 protocol=udp src-address-list=login_stage3
add action=add-src-to-address-list address-list=login_stage3 address-list-timeout=1m chain=input connection-state=new dst-port=\
1701 protocol=udp src-address-list=login_stage2
add action=add-src-to-address-list address-list=login_stage2 address-list-timeout=1m chain=input connection-state=new dst-port=\
1701 protocol=udp src-address-list=login_stage1
add action=add-src-to-address-list address-list=login_stage1 address-list-timeout=1m chain=input connection-state=new dst-port=\
1701 protocol=udp
# --- forward: per-host policy drops (must stay above the LAN accept rules below,
# otherwise the All-Lan accept would match first and these would never fire) ---
# "Block a certain Mi device's cross-strait services": one LAN host is denied all
# traffic to the ChinaIPList address list.
add action=drop chain=forward comment="\\AB\\CA\\C2\\EA\\AC\\F5\\A6\\CC\\AA\\BA\\B9\\EF\\A9\\A4\\AAA\\B0\\C8" dst-address-list=ChinaIPList \
src-address=192.168.88.95
# "[Mon~Fri] 01:00-10:30 block keyword: BookReader": content= is a plaintext payload
# match on tcp/80 only, so the same traffic over HTTPS (443) is not affected; hosts in
# the tippi616 list are exempt (src-address-list=!tippi616).
add action=drop chain=forward comment="[Mon~Fri] 01:00:00-10:30:00 \\AB\\CA\\C2\\EA\\C3\\F6\\C1\\E4\\A6r: BookReader" content=BookReader \
dst-address-list=ChinaIPList dst-port=80 protocol=tcp src-address-list=!tippi616 time=1h-10h30m,mon,tue,wed,thu,fri
# --- accepts by address list (no action= -> accept) ---
# "Allow LAN devices": every source in All-Lan may reach the router and be forwarded.
add chain=input comment="\\A4\\B9\\B3\\\\\\B0\\CF\\BA\\F4\\B8\\CB\\B8m" src-address-list=All-Lan
add chain=forward src-address-list=All-Lan
# "Allow friends / family devices".
add chain=input comment="\\A4\\B9\\B3\\\\\\A6n\\A4\\CD\\A1\\FE\\AEQ\\AEa\\B8\\CB\\B8m" src-address-list=friends
add chain=input src-address-list=amberlin
add chain=forward src-address-list=friends
add chain=forward src-address-list=amberlin
# "Allow all connections to the NAS" (and to the A2400H and tippi616 lists): these match
# on *destination* list only, so any source - internet included, if the address is
# reachable through this router - is accepted.
add chain=forward comment="\\A4\\B9\\B3\\\\NAS\\A9\\D2\\A6\\B3\\B3s\\BDu" dst-address-list=NAS
add chain=forward dst-address-list=A2400H
add chain=forward comment="\\A4\\B9\\B3\\\\\\B3\\B7\\ADs\\B8\\CB\\B8m\\A9\\D2\\A6\\B3\\B3s\\BDu" dst-address-list=tippi616
# "Allow the Japan VPN server(s)": specific remote peers accepted by source address.
add chain=input comment="\\A4\\B9\\B3\\\\\\B8\\F3\\A4\\E9\\A5\\BBVPN\\A6\\F8\\AAA\\BE\\B9" src-address=49.212.0.54
add chain=input src-address=49.212.48.199
add chain=input src-address=118.157.74.169
add chain=forward src-address=118.157.74.169
# --- input: VPN services offered by the router ---
# "Allow VPN": PPTP control channel (tcp/1723) plus GRE. PPTP with MS-CHAPv2 is a weak
# protocol by today's standards; the IPsec-based services below are the safer option.
add chain=input comment="\\A4\\B9\\B3\\\\VPN" dst-port=1723 protocol=tcp
add chain=input protocol=gre
# IKE (500), L2TP (1701) and NAT-T (4500). udp/1701 is accepted bare here, i.e. L2TP
# without IPsec is reachable; the matcher `ipsec-policy=in,ipsec` on this rule would
# admit 1701 only when it arrived inside an IPsec SA.
add chain=input dst-port=500,1701,4500 protocol=udp
add chain=input protocol=ipsec-esp
# tcp/1195 - presumably an OpenVPN instance; not identified on the page, confirm.
add chain=input dst-port=1195 protocol=tcp
# "Allow ICMP replies": accepts all ICMP through the router, not only replies.
add chain=forward comment="\\A4\\B9\\B3\\\\ICMP\\A6^\\C0\\B3" protocol=icmp
# --- return-traffic accepts by remote SOURCE port ---
# NOTE(review): the rules from here to the final drops accept traffic because of the
# port the *remote* party sent from. That port is chosen by the sender, so any packet
# sent from source port 53, 25, 80, 443 or 123 reaches every service the router itself
# runs (input chain), and from 53/80/443/8080/123/21/115/25/110/993/995/587/465/5938/
# 3544/3653 any host forwarded through it. The accepted replacement is one pair of
# rules placed right after the invalid drops at the top -
# `add chain=input connection-state=established,related` and
# `add chain=forward connection-state=established,related` - after which these
# src-port rules are no longer needed. If the intent of the "allow X server" comments
# is an egress allowlist for the LAN, express it with dst-port= on connection-state=new
# from the LAN instead of by source port.
# "Allow DNS".
add chain=input comment="\\A4\\B9\\B3\\\\DNS" protocol=udp src-port=53
add chain=forward protocol=udp src-port=53
# "Allow mail servers".
add chain=forward comment="\\A4\\B9\\B3\\\\\\B6l\\A5\\F3\\A6\\F8\\AAA\\BE\\B9" protocol=tcp src-port=25,110,993,995,587,465
add chain=input protocol=tcp src-port=25
# "Allow WWW servers".
add chain=input comment="\\A4\\B9\\B3\\\\WWW\\A6\\F8\\AAA\\BE\\B9" protocol=tcp src-port=80,443
add chain=forward protocol=tcp src-port=80,443,8080
# "Allow time servers".
add chain=input comment="\\A4\\B9\\B3\\\\\\AE\\C9\\B6\\A1\\A6\\F8\\AAA\\BE\\B9" protocol=udp src-port=123
add chain=forward protocol=udp src-port=123
# "Allow FTP / SFTP file servers".
add chain=forward comment="\\A4\\B9\\B3\\\\FTP\\A1\\FESFTP \\C0\\C9\\AE\\D7\\A6\\F8\\AAA\\BE\\B9" protocol=tcp src-port=21,115
# "Allow Teamviewer / Teredo / Gogo6 servers".
add chain=forward comment="\\A4\\B9\\B3\\\\Teamviewer \\A6\\F8\\AAA\\BE\\B9" protocol=tcp src-port=5938
add chain=forward comment="\\A4\\B9\\B3\\\\Teredo\\A6\\F8\\AAA\\BE\\B9" protocol=udp src-port=3544
add chain=forward comment="\\A4\\B9\\B3\\\\Gogo6\\A6\\F8\\AAA\\BE\\B9" protocol=udp src-port=3653
# --- default deny ---
# "Drop undefined packets": everything not accepted above is dropped in both chains.
add action=drop chain=input comment="\\A5\\E1\\B1\\F3\\A5\\BC\\A9w\\B8q\\AA\\BA\\AB\\CA\\A5]"
add action=drop chain=forward
shin0512 wrote:
請教各位有經驗的前輩...(恕刪)