## Filter 规则 16 条 + 虚拟规则 1 条
## NAT 规则 4 条
## Mangle 规则 2 条 + 虚拟规则 3 条
## Raw 规则 46 条 + 虚拟规则 1 条
## Address-list 规则 26 条
/ip firewall address-list
# Address lists referenced by the filter, nat, mangle and raw sections of this file.
# local_onu_ipv4 / local_lan_ipv4: the ONU's management address and the LAN prefix;
# both are used for anti-spoofing and for the LAN -> ONU management path.
add address=192.168.100.1 comment="onuconf: local ONU address" list=local_onu_ipv4
add address=172.16.1.0/24 comment="lanconf: local LAN address" list=local_lan_ipv4
# no_forward_ipv4: dropped in the filter forward chain as either source or destination.
add address=0.0.0.0/8 comment="defconf: RFC6890 - this network" list=no_forward_ipv4
add address=169.254.0.0/16 comment="defconf: RFC6890 - link local" list=no_forward_ipv4
add address=224.0.0.0/4 comment="defconf: RFC5771 - multicast" list=no_forward_ipv4
add address=255.255.255.255/32 comment="defconf: RFC6890 - limited broadcast" list=no_forward_ipv4
# bad_ipv4: dropped in raw prerouting in both directions (as source and as destination).
add address=127.0.0.0/8 comment="defconf: RFC6890 - loopback" list=bad_ipv4
add address=192.0.0.0/24 comment="defconf: RFC6890 - IETF protocol assignments" list=bad_ipv4
add address=192.0.2.0/24 comment="defconf: RFC6890 - TEST-NET-1" list=bad_ipv4
add address=198.51.100.0/24 comment="defconf: RFC6890 - TEST-NET-2" list=bad_ipv4
add address=203.0.113.0/24 comment="defconf: RFC6890 - TEST-NET-3" list=bad_ipv4
add address=240.0.0.0/4 comment="defconf: RFC6890 - reserved" list=bad_ipv4
# not_global_ipv4: RFC 6890 non-global ranges. Dropped in raw as a source arriving on WAN
# and as an ICMP echo destination from LAN. Note it also covers the LAN's own 172.16.0.0/12
# and the ONU's 192.168.0.0/16, so rules matching it must come after the local accepts.
add address=0.0.0.0/8 comment="defconf: RFC6890 - this network" list=not_global_ipv4
add address=10.0.0.0/8 comment="defconf: RFC6890 - private use" list=not_global_ipv4
add address=100.64.0.0/10 comment="defconf: RFC6890 - shared address space" list=not_global_ipv4
add address=169.254.0.0/16 comment="defconf: RFC6890 - link local" list=not_global_ipv4
add address=172.16.0.0/12 comment="defconf: RFC6890 - private use" list=not_global_ipv4
add address=192.0.0.0/29 comment="defconf: RFC6890 - DS-Lite" list=not_global_ipv4
add address=192.168.0.0/16 comment="defconf: RFC6890 - private use" list=not_global_ipv4
add address=198.18.0.0/15 comment="defconf: RFC6890 - benchmarking" list=not_global_ipv4
add address=255.255.255.255/32 comment="defconf: RFC6890 - limited broadcast" list=not_global_ipv4
# bad_src_ipv4: never valid as a packet source; bad_dst_ipv4: never valid as a destination.
# Both are checked in raw prerouting, direction-specifically.
add address=224.0.0.0/4 comment="defconf: RFC5771 - multicast" list=bad_src_ipv4
add address=255.255.255.255/32 comment="defconf: RFC6890 - limited broadcast" list=bad_src_ipv4
add address=0.0.0.0/8 comment="defconf: RFC6890 - this network" list=bad_dst_ipv4
# Entries without an address — presumably only to pre-create the two lists that the
# detect-ddos filter chain fills dynamically (10m timeout) and the raw chain drops on.
add comment="ddosconf: DDoS" list=ddos_targets_ipv4
add comment="ddosconf: DDoS" list=ddos_attackers_ipv4
/ip firewall filter
# input chain: traffic addressed to the router itself.
# ICMP is accepted here unconditionally because the raw icmp4 chain (see /ip firewall raw)
# has already filtered it by type and ingress interface.
add action=accept chain=input comment="defconf: accept ICMP after RAW" protocol=icmp
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
# Management plane is reachable only from interfaces in the LAN list; new connections from
# WAN and ONU to the router's own services are dropped.
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
# forward chain: transit traffic.
# fasttrack is left disabled. NOTE(review): fasttracked packets skip the mangle chains, so
# enabling it would bypass the change-mss rule in /ip firewall mangle — keep disabled unless
# that is acceptable.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related disabled=yes
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
# New inbound connections from WAN or ONU are only allowed when a dstnat rule redirected
# them; each drop is logged with its own prefix so the two sources can be told apart.
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN log=yes log-prefix="[wan-not-dnat]"
add action=drop chain=forward comment="onuconf: drop all from ONU not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=ONU log=yes log-prefix="[onu-not-dnat]"
add action=drop chain=forward comment="defconf: drop bad forward IPs" src-address-list=no_forward_ipv4
add action=drop chain=forward comment="defconf: drop bad forward IPs" dst-address-list=no_forward_ipv4
# Every remaining new forwarded connection passes through detect-ddos. There is no final
# drop in the forward chain, so whatever returns from it (e.g. LAN -> WAN) is forwarded.
add action=jump chain=forward comment="ddosconf: DDoS" connection-state=new jump-target=detect-ddos
# detect-ddos: dst-limit matches while the per src/dst-address-pair rate is under the
# limit, and the matching packet returns to forward. The first rule applies a lower
# threshold (50/10s) to SYN-ACK packets in state new. NOTE(review): log=yes on this
# return rule logs the under-limit (returned) packets, not the excess — confirm intent.
add action=return chain=detect-ddos comment="ddosconf: DDoS SYN-ACK Flood" dst-limit=50,50,src-and-dst-addresses/10s protocol=tcp tcp-flags=syn,ack log=yes log-prefix="[syn-ack-flood]"
add action=return chain=detect-ddos comment="ddosconf: DDoS" dst-limit=200,200,src-and-dst-addresses/10s
# Packets over the limit reach both add-*-to-address-list rules (neither terminates), so a
# single packet records the target and the attacker for 10m; the raw chain then drops that
# src/dst pair. Only the attacker entry is logged.
add action=add-dst-to-address-list chain=detect-ddos comment="ddosconf: DDoS" address-list=ddos_targets_ipv4 address-list-timeout=10m
add action=add-src-to-address-list chain=detect-ddos comment="ddosconf: DDoS" address-list=ddos_attackers_ipv4 address-list-timeout=10m log=yes log-prefix="[ddos-ipv4]"
/ip firewall nat
# Traffic leaving via the WAN list is masqueraded (presumably because the PPPoE address is
# dynamic, so a fixed src-nat address is not available).
add action=masquerade chain=srcnat comment="defconf: masquerade IPv4" out-interface-list=WAN
# LAN hosts reaching the ONU management address are masqueraded behind the router's
# ONU-side address, so the ONU needs no route back to the LAN prefix.
add action=masquerade chain=srcnat comment="onuconf: access to ONU" out-interface-list=ONU src-address-list=local_lan_ipv4 dst-address-list=local_onu_ipv4
# Plain DNS (port 53, UDP and TCP) from the LAN is redirected to the router's own resolver;
# LAN clients cannot bypass it with a third-party port-53 server. DNS on other ports or
# transports is not captured by these two rules.
add action=redirect chain=dstnat comment="lanconf: redirect DNS query (UDP)" dst-port=53 in-interface-list=LAN protocol=udp to-ports=53
add action=redirect chain=dstnat comment="lanconf: redirect DNS query (TCP)" dst-port=53 in-interface-list=LAN protocol=tcp to-ports=53
/ip firewall mangle
# Clamp the MSS of forwarded TCP SYNs to the path MTU (PPPoE reduces the link MTU);
# passthrough=yes lets later mangle rules still see the packet.
add action=change-mss chain=forward comment="defconf: fix IvP4 mss for WAN" new-mss=clamp-to-pmtu passthrough=yes protocol=tcp tcp-flags=syn
# LAN -> ONU management traffic is accepted in mangle prerouting so no later mangle rule
# (presumably marks defined outside this file) applies to it — confirm against the rest
# of the configuration.
add action=accept chain=prerouting comment="onuconf: access to ONU" src-address-list=local_lan_ipv4 dst-address-list=local_onu_ipv4
/ip firewall raw
# raw prerouting runs before connection tracking. Rule order matters: the per-interface
# accepts near the end of the chain are unconditional, so every drop must precede them.
add action=accept chain=prerouting comment="defconf: enable for transparent firewall" disabled=yes
# Drops the src/dst pairs recorded by the detect-ddos filter chain (both lists expire
# after 10m).
add action=drop chain=prerouting comment="ddosconf: DDoS" dst-address-list=ddos_targets_ipv4 src-address-list=ddos_attackers_ipv4
# DHCPv4 discover (src 0.0.0.0 -> 255.255.255.255, udp 68 -> 67) must be accepted before the
# LAN anti-spoofing drop below, because its source address is outside local_lan_ipv4.
add action=accept chain=prerouting comment="defconf: accept DHCPv4 discover" dst-address=255.255.255.255 dst-port=67 in-interface-list=LAN protocol=udp src-address=0.0.0.0 src-port=68
# Bogon filtering: bad_ipv4 in both directions, then the direction-specific lists.
add action=drop chain=prerouting comment="defconf: drop bogon IPs" src-address-list=bad_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IPs" dst-address-list=bad_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IPs" src-address-list=bad_src_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IPs" dst-address-list=bad_dst_ipv4
# Anti-spoofing on WAN: non-global sources are dropped, and packets from WAN addressed
# directly to the LAN prefix are dropped and logged (candidate detection signal).
add action=drop chain=prerouting comment="defconf: drop non global from WAN" src-address-list=not_global_ipv4 in-interface-list=WAN
add action=drop chain=prerouting comment="defconf: drop forward to local LAN from WAN" in-interface-list=WAN dst-address-list=local_lan_ipv4 log=yes log-prefix="[wan-to-lan]"
# Anti-spoofing on ONU: only the ONU's own address may talk, and never directly to the LAN.
add action=drop chain=prerouting comment="onuconf: drop if not from ONU address" in-interface-list=ONU src-address-list=!local_onu_ipv4
add action=drop chain=prerouting comment="onuconf: drop forward to local LAN from ONU" in-interface-list=ONU dst-address-list=local_lan_ipv4 log=yes log-prefix="[onu-to-lan]"
# Anti-spoofing on LAN: sources outside local_lan_ipv4 are dropped (DHCP discover was
# accepted above).
add action=drop chain=prerouting comment="defconf: drop local if not from default IPv4 range" in-interface-list=LAN src-address-list=!local_lan_ipv4
add action=drop chain=prerouting comment="defconf: drop UDP port 0" port=0 protocol=udp log=yes log-prefix="[udp-port-0]"
# Protocol-specific checks: icmp4 filters by type and ingress interface, bad-tcp by flag
# combinations. Packets not dropped in those chains return here.
add action=jump chain=prerouting comment="defconf: jump to ICMP chain" jump-target=icmp4 protocol=icmp
add action=jump chain=prerouting comment="defconf: jump to TCP chain" jump-target=bad-tcp protocol=tcp
# Whatever is left from a listed interface is accepted; traffic arriving on an interface
# that is in none of LAN/WAN/ONU is dropped by the final rule.
add action=accept chain=prerouting comment="defconf: accept everything else from LAN" in-interface-list=LAN
add action=accept chain=prerouting comment="defconf: accept everything else from WAN" in-interface-list=WAN
add action=accept chain=prerouting comment="onuconf: accept everything else from ONU" in-interface-list=ONU
add action=drop chain=prerouting comment="defconf: drop the rest"
# bad-tcp: flag combinations that do not occur in legitimate TCP (scans and crafted
# packets). The first rule matches packets with none of fin/syn/rst/ack set.
add action=drop chain=bad-tcp comment="defconf: TCP flag filter" protocol=tcp tcp-flags=!fin,!syn,!rst,!ack
add action=drop chain=bad-tcp comment="defconf: drop flags fin,syn" protocol=tcp tcp-flags=fin,syn
add action=drop chain=bad-tcp comment="defconf: drop flags fin,rst" protocol=tcp tcp-flags=fin,rst
add action=drop chain=bad-tcp comment="defconf: drop flags fin,!ack" protocol=tcp tcp-flags=fin,!ack
add action=drop chain=bad-tcp comment="defconf: drop flags fin,urg" protocol=tcp tcp-flags=fin,urg
add action=drop chain=bad-tcp comment="defconf: drop flags syn,rst" protocol=tcp tcp-flags=syn,rst
add action=drop chain=bad-tcp comment="defconf: drop flags rst,urg" protocol=tcp tcp-flags=rst,urg
add action=drop chain=bad-tcp comment="defconf: drop TCP port 0" port=0 protocol=tcp log=yes log-prefix="[tcp-port-0]"
# icmp4 from WAN: only replies and errors needed by outbound traffic. Echo requests (8:0)
# fall through to the drop, so the router does not answer pings from the WAN.
# NOTE(review): 3:1 host-unreachable and 3:3 port-unreachable are accepted from LAN below
# but not from WAN; UDP traceroute from the LAN relies on 3:3 for its final hop — confirm
# this asymmetry is intended.
add action=accept chain=icmp4 comment="lanconf: accept echo reply from WAN" icmp-options=0:0 protocol=icmp in-interface-list=WAN
add action=accept chain=icmp4 comment="lanconf: accept net unreachable from WAN" icmp-options=3:0 protocol=icmp in-interface-list=WAN
add action=accept chain=icmp4 comment="lanconf: accept fragmentation needed from WAN" icmp-options=3:4 protocol=icmp in-interface-list=WAN
add action=accept chain=icmp4 comment="lanconf: accept time exceeded from WAN" icmp-options=11:0-255 protocol=icmp in-interface-list=WAN
add action=drop chain=icmp4 comment="lanconf: drop other ICMP from WAN" protocol=icmp in-interface-list=WAN
# icmp4 from ONU: echo replies only; anything else is dropped and logged.
add action=accept chain=icmp4 comment="onuconf: accept echo reply from ONU" icmp-options=0:0 protocol=icmp in-interface-list=ONU
add action=drop chain=icmp4 comment="onuconf: drop other ICMP from ONU" protocol=icmp in-interface-list=ONU log=yes log-prefix="[onu-icmp]"
# icmp4 from LAN: the full set of unreachables, echo replies and time exceeded.
add action=accept chain=icmp4 comment="defconf: echo reply" icmp-options=0:0 protocol=icmp in-interface-list=LAN
add action=accept chain=icmp4 comment="defconf: net unreachable" icmp-options=3:0 protocol=icmp in-interface-list=LAN
add action=accept chain=icmp4 comment="defconf: host unreachable" icmp-options=3:1 protocol=icmp in-interface-list=LAN
add action=accept chain=icmp4 comment="defconf: protocol unreachable" icmp-options=3:2 protocol=icmp in-interface-list=LAN
add action=accept chain=icmp4 comment="defconf: port unreachable" icmp-options=3:3 protocol=icmp in-interface-list=LAN
add action=accept chain=icmp4 comment="defconf: fragmentation needed" icmp-options=3:4 protocol=icmp in-interface-list=LAN
# Echo requests from LAN: allowed to the LAN prefix, to the ONU and to anything else (WAN),
# but dropped to other non-global ranges. The not_global_ipv4 drop must stay after the two
# local accepts because that list also contains 172.16.0.0/12 and 192.168.0.0/16.
add action=accept chain=icmp4 comment="defconf: echo to local device" icmp-options=8:0 protocol=icmp in-interface-list=LAN dst-address-list=local_lan_ipv4
add action=accept chain=icmp4 comment="onuconf: echo to ONU" icmp-options=8:0 protocol=icmp in-interface-list=LAN dst-address-list=local_onu_ipv4
add action=drop chain=icmp4 comment="defconf: echo to non global" icmp-options=8:0 protocol=icmp in-interface-list=LAN dst-address-list=not_global_ipv4
add action=accept chain=icmp4 comment="defconf: echo to WAN" icmp-options=8:0 protocol=icmp in-interface-list=LAN
add action=accept chain=icmp4 comment="defconf: time exceeded" icmp-options=11:0-255 protocol=icmp in-interface-list=LAN
# Remaining ICMP types, and ICMP from interfaces in no list, are dropped.
add action=drop chain=icmp4 comment="defconf: drop all other ICMP" protocol=icmp
/ip settings
# rp-filter=loose: reverse-path check only requires that a route back to the source exists
# on some interface (strict would break asymmetric paths). tcp-syncookies protects the
# router's own TCP listeners against SYN floods.
set max-neighbor-entries=1024 rp-filter=loose tcp-syncookies=yes
/ip neighbor discovery-settings
# No interface announces the router via neighbor discovery.
set discover-interface-list=none
# Unused services are switched off to reduce the router's exposed surface.
/ip proxy
set enabled=no
/ip socks
set enabled=no
/ip upnp
set enabled=no
# No dynamic DNS or time updates through the vendor cloud service.
/ip cloud
set ddns-enabled=no update-time=no
# Only the stronger SSH cipher/MAC set is offered.
/ip ssh
set strong-crypto=yes
# MAC-level management (MAC telnet, MAC WinBox, MAC ping) is reachable on no interface;
# these would otherwise bypass the IP-layer input rules above.
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no
# The bandwidth-test server is disabled so it cannot be used to load the router.
/tool bandwidth-server
set enabled=no