[Research Lab] MikroTik RouterOS Learning (continuously updated)

dophone wrote:
*42a4 is amazing... (snip)
Done; just set the script to check once a minute.
Remember to change test.noip.me as well.
https://dl.dropboxusercontent.com/u/34743921/dophone.txt

Please note:
within the NAT rules, only src-address entries whose IP matches the one set in the address-list will be updated along with it;
src-address entries with any other IP will not change at all.

gfx wrote:
Done; the script... (snip)

Thanks g, set up successfully and it updates automatically!

小欷o wrote:
Hello everyone ~ these past few days...
my own PPTP gets added to the list by the DoS defence ... and then I can't get online.
I don't understand why this happens either ... so I'd like to ask you all to take a look (snip)

I ran into something similar a while ago: ROS treated a LAN computer as a SYN flooder and added it to the address list, blocking it. I tried a few things; raising the firewall filter connection limit from 30 to 100 seems to have stopped it. My guess, not verified, is that the ABP ad blocker I added to Chrome momentarily multiplied the connections; I'm not a professional. If there are other side effects, or a correct method, please advise!
EdiKeng wrote:
I ran into something similar a while ago... (snip)
Like post #4357, share your firewall filter so it can be discussed; don't guess at the cause.
gfx wrote:
Like post #4357, share your firewall... (snip)

Asking expert gfx to take a look: why did a LAN computer get put into the address list and blocked by the ROS firewall (firewall filter rule #1)?
I have blacked out the Port Knocking parameters with xxxx.

BTW, following http://forum.mikrotik.com/viewtopic.php?t=60909 I tried changing the connection-limit of firewall filter rule #1 to 100.
=========================================================================
/ip firewall filter
add action=add-src-to-address-list address-list=Syn_Flooder \
address-list-timeout=30m chain=input comment=\
"Add Syn Flood IP to the list" connection-limit=30,32 protocol=tcp \
tcp-flags=syn
add action=drop chain=input comment="Drop to syn flood list" \
src-address-list=Syn_Flooder
add action=add-src-to-address-list address-list=Port_Scanner \
address-list-timeout=1w chain=input comment="Port Scanner Detect" \
protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="Drop port scanner list" \
src-address-list=Port_Scanner
add action=drop chain=forward comment="Block doubleclick.net" content=\
doubleclick.net disabled=yes port=80,443 protocol=tcp
add action=jump chain=input comment="Jump for icmp input flow" jump-target=\
ICMP protocol=icmp
add action=drop chain=input comment="Block all access to the winbox - except t\\
o support list # DO NOT ENABLE THIS RULE BEFORE ADD YOUR SUBNET IN THE SUP\\
PORT ADDRESS LIST" disabled=yes dst-port=8291 protocol=tcp \
src-address-list=!support
add action=jump chain=forward comment="Jump for icmp forward flow" \
jump-target=ICMP protocol=icmp
add action=drop chain=forward comment="Drop to bogon list" dst-address-list=\
bogons
add action=add-src-to-address-list address-list=spammers \
address-list-timeout=3h chain=forward comment=\
"Add Spammers to the list for 3 hours" connection-limit=30,32 dst-port=\
25,587 limit=30/1m,0 protocol=tcp
add action=drop chain=forward comment="Avoid spammers action" dst-port=25,587 \
protocol=tcp src-address-list=spammers
add action=drop chain=input comment="drop login brute forcers 1" dst-port=\
21,22,23,8291 log=yes log-prefix="Block login forcers" protocol=tcp \
src-address-list=login_blacklist
add action=add-src-to-address-list address-list=login_blacklist \
address-list-timeout=1d chain=input comment="drop login brute forcers 2" \
connection-state=new dst-port=21,22,23,8291 log=yes log-prefix=\
"Force logging 6-Block" protocol=tcp src-address-list=login_stage5
add action=add-src-to-address-list address-list=login_stage5 \
address-list-timeout=1m chain=input comment="drop login brute forcers 3" \
connection-state=new dst-port=21,22,23,8291 log=yes log-prefix=\
"Force Logging 5" protocol=tcp src-address-list=login_stage4
add action=add-src-to-address-list address-list=login_stage4 \
address-list-timeout=5m chain=input comment="drop login brute forcers 4" \
connection-state=new dst-port=21,22,23,8291 log=yes log-prefix=\
"Force Loging 4" protocol=tcp src-address-list=login_stage3
add action=add-src-to-address-list address-list=login_stage3 \
address-list-timeout=1m chain=input comment="drop login brute forcers 5" \
connection-state=new dst-port=21,22,23,8291 log-prefix="Force Loging 3" \
protocol=tcp src-address-list=login_stage2
add action=add-src-to-address-list address-list=login_stage2 \
address-list-timeout=1m chain=input comment="drop login brute forcers 6" \
connection-state=new dst-port=21,22,23,8291 log-prefix="Force Loging 2" \
protocol=tcp src-address-list=login_stage1
add action=add-src-to-address-list address-list=login_stage1 \
address-list-timeout=1m chain=input comment="drop login brute forcers 7" \
connection-state=new dst-port=21,22,23,8291 log-prefix="Force Loging 1" \
protocol=tcp
add chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add chain=input in-interface=ether1-gateway protocol=gre
add action=add-src-to-address-list address-list=knock1 address-list-timeout=\
15s chain=input comment="Port Knocking 1" dst-port=xxxx protocol=tcp
add action=add-src-to-address-list address-list=knock2 address-list-timeout=\
15s chain=input comment="Port Knocking 2" dst-port=xxxx protocol=tcp \
src-address-list=knock1
add action=add-src-to-address-list address-list=support address-list-timeout=\
1h chain=input comment="Port Knocking Sucess" dst-port=xxxx log=yes \
log-prefix="Port Knocking Sucess" protocol=tcp src-address-list=knock2
add chain=input comment="Accept DNS - UDP in Support List" port=53 protocol=\
udp src-address-list=support
add chain=input comment="Accept DNS - TCP in Support List" port=53 protocol=\
tcp src-address-list=support
add chain=input comment="Accept to established connections" connection-state=\
established
add chain=input comment="Accept to related connections" connection-state=\
related
add chain=input comment="Full access to SUPPORT address list" \
src-address-list=support
add action=drop chain=input comment="Drop anything else! # DO NOT ENABLE THIS \\
RULE BEFORE YOU MAKE SURE ABOUT ALL ACCEPT RULES YOU NEED"
add chain=ICMP comment="Echo request - Avoiding Ping Flood" icmp-options=8:0 \
limit=1,5 protocol=icmp
add chain=ICMP comment="Echo reply" icmp-options=0:0 protocol=icmp
add chain=ICMP comment="Time Exceeded" icmp-options=11:0 protocol=icmp
add chain=ICMP comment="Destination unreachable" icmp-options=3:0-1 protocol=\
icmp
add chain=ICMP comment=PMTUD icmp-options=3:4 protocol=icmp
add action=drop chain=ICMP comment="Drop to the other ICMPs" protocol=icmp
add action=jump chain=output comment="Jump for icmp output" jump-target=ICMP \
protocol=icmp
===================================================================
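An added example, not from the thread or from RouterOS: a Python model of the seven "drop login brute forcers" rules in the export above, tracking the dynamic address lists and their timeouts so you can check how many new connections to ports 21/22/23/8291 a source may open before login_blacklist drops it, and how the one-minute stage timeouts behave when attempts are spread out. That re-adding an address-list entry refreshes its timeout, and the 203.0.113.x sample addresses, are assumptions.

```python
LOGIN_PORTS = {21, 22, 23, 8291}

# (list the source must already be in, list it is added to, timeout in seconds),
# in the export's order: higher stages are tested first, so a single packet
# advances a source by exactly one stage.
STAGES = [
    ("login_stage5", "login_blacklist", 24 * 3600),
    ("login_stage4", "login_stage5", 60),
    ("login_stage3", "login_stage4", 5 * 60),
    ("login_stage2", "login_stage3", 60),
    ("login_stage1", "login_stage2", 60),
    (None, "login_stage1", 60),  # the unconditional "brute forcers 7" rule
]


def in_list(lists, name, ip, now):
    """True if (name, ip) is a dynamic entry that has not expired."""
    expiry = lists.get((name, ip))
    return expiry is not None and expiry > now


def simulate(events):
    """events: (seconds, src_ip, dst_port) for each new TCP connection hitting
    the input chain. Returns the verdict ('accept' or 'drop') for each event."""
    lists = {}  # (list name, ip) -> expiry time; re-adding refreshes it (assumed)
    verdicts = []
    for now, ip, port in events:
        if port not in LOGIN_PORTS:
            verdicts.append("accept")  # the seven rules only match login ports
            continue
        if in_list(lists, "login_blacklist", ip, now):
            verdicts.append("drop")  # rule 1 is the only terminating action
            continue
        # add-src-to-address-list is non-terminating: every matching stage fires
        for required, target, timeout in STAGES:
            if required is None or in_list(lists, required, ip, now):
                lists[(target, ip)] = now + timeout
        verdicts.append("accept")
    return verdicts


if __name__ == "__main__":
    # Constructed sample input: seven WinBox connections 5 s apart, then seven
    # SSH connections 90 s apart, from two documentation-range addresses.
    burst = [(5.0 * i, "203.0.113.5", 8291) for i in range(7)]
    slow = [(90.0 * i, "203.0.113.6", 22) for i in range(7)]
    print(simulate(burst))  # 6 x 'accept', then 'drop'
    print(simulate(slow))   # all 'accept': stage1 expires before each retry
```

Retries spaced wider than the stage timeouts never climb past login_stage1, so those timeouts are the knob to adjust if the list is also meant to catch slow, patient retries.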

EdiKeng wrote:
Asking expert gfx... (snip)
Do you actually understand what these filters do?
Copy everything below and paste it into the terminal window in one go.
Then look at the firewall filter to see the places I changed for you.
/ip firewall filter
set 0 src-port=!80
move 0 2
move 2 4
disable 4
disable 5
disable 6
disable 7
disable 8
move 9 11
disable 20
disable 21
move 22 28
disable 28

The disabled ones have no real effect; consider whether you need to keep them.
The first rule of setting firewall filters is to know why each one is there; if you don't understand the reason, you are better off not adding it than creating needless trouble.

gfx wrote:
The first rule of setting firewall... (snip)

My personal habit is to open what needs to be open and have the last rule drop everything else.

This effectively reduces the number of firewall rules and lowers the load on the router.

eavictor wrote:
My personal habit is to open what needs to be open... (snip)
Shaking hands, that is exactly how I plan my whitelist.
But I have still run into 2 cases where the allow-list approach doesn't work either.

One is in /ipv6 firewall filter:
even when the allow section permits all connections from the Synology NAS, as long as the final whitelist rule that locks down anything undefined is left enabled,
the NAS cannot update its ipv6-address on the DDNS host.

The other is in /ip firewall filter:
the problem appears after setting up an IPsec site-to-site tunnel: even with the whole remote 192.168.13.0/24 subnet added to the allow section,
that network still gets caught by the final block rule.

gfx wrote:
Don't turn on cache... (snip)

gfx, a question:

www.nicesoftware.co/2014/07/hosts-20140714.html

winhelp2002.mvps.org/hosts.txt
provide a lot of malicious-site data. After modifying the hosts file,
importing it into web proxy access would probably be dizzying;
is there another way to reference this file directly for blocking?

Thanks for the guidance…