小笨賢 wrote:
RAW 功能 是用在(恕刪)
我查資料 RAW 可以減少CPU 使用是因為他在資料進入路由前就被攔下來
所以可以減少一些效能
這是我查到的資料的見解
tiaol88 wrote:
我查資料 RAW 可(恕刪)
應該不是攔了下來...是忽略!! 所以不會有紀錄!! 實際有運作!!
要自動DDos 應該是這樣6條命令!!
/ip firewall filter
add chain=forward connection-state=new action=jump jump-target=detect-ddos comment="DDoS-1"
add chain=detect-ddos dst-limit=50,50,src-and-dst-addresses/10s action=return comment="DDoS-2"
add chain=detect-ddos src-address=192.168.88.1 action=return comment="DDoS-3"
add chain=detect-ddos action=add-dst-to-address-list address-list=ddosed address-list-timeout=10m comment="DDoS-4"
add chain=detect-ddos action=add-src-to-address-list address-list=ddoser address-list-timeout=10m comment="DDoS-5"
add chain=forward connection-state=new src-address-list=ddoser dst-address-list=ddosed action=drop comment="DDoS-6"
結果把 dns 1.1.1.1 給封了 >_<
RB450g 環境下 設定 ddos 這類 還有用,惡意掃描埠 也有用,同樣的指令在
RB4011iGS+ 環境下 都沒碰到,單位為 0。
倒是 RB4011iGS+ 多了一些 預設指令。
網路上現成的
/ip firewall filter
add chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list address-list="port scanners" address-list-timeout=14d comment="Port scanners to list" disabled=no
add chain=input protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=14d comment="NMAP FIN Stealth scan"
add chain=input protocol=tcp tcp-flags=fin,syn action=add-src-to-address-list address-list="port scanners" address-list-timeout=14d comment="SYN/FIN scan"
add chain=input protocol=tcp tcp-flags=syn,rst action=add-src-to-address-list address-list="port scanners" address-list-timeout=14d comment="SYN/RST scan"
add chain=input protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack action=add-src-to-address-list address-list="port scanners" address-list-timeout=14d comment="FIN/PSH/URG scan"
add chain=input protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=14d comment="ALL/ALL scan"
add chain=input protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=14d comment="NMAP NULL scan"
add chain=input src-address-list="port scanners" action=drop comment="dropping port scanners" disabled=no
mandymak wrote:無法直接抓取地址,需script代替您更新地址:
gfx大大, 您好!(恕刪)
假設Router1(一級):
lan-local-address:fe80::764d:28ff:fe34:8541
cloud:31b60218c5d1.sn.mynetname.net
Router2新增(二級):
/ipv6 firewall address-list
add list=r1v6 address="31b60218c5d1.sn.mynetname.net"
/ipv6 address
add address="::2/128" advertise=no interface=lan
/ipv6 route
add distance=1 dst-address=2000::/3 gateway="fe80::764d:28ff:fe34:8541%lan"
/system scheduler
新增v6排程腳本,每30s更新一次:
:local v6 [/ipv6 firewall address-list get [find list=r1v6 dynamic] address]
:set v6 "$[:pick $v6 0 [:find $v6 "::1/128"]]::2/128"
:local past [/ipv6 address get [find global] address]
:if ($past!=$v6) do={/ipv6 address set [find global] address=$v6}
內文搜尋
從 APP 打開
X