精简 ICMPv4 规则
@ -1,7 +1,7 @@
|
||||
## Filter 规则 10 条 + 虚拟规则 1 条
|
||||
## NAT 规则 3 条
|
||||
## Mangle 规则 1 条 + 虚拟规则 3 条
|
||||
## Raw 规则 37 条 + 虚拟规则 1 条
|
||||
## Raw 规则 34 条 + 虚拟规则 1 条
|
||||
## Address-list 规则 20 条
|
||||
|
||||
/ip firewall address-list
|
||||
@ -99,20 +99,15 @@ add action=drop chain=bad-tcp comment="defconf: drop flags fin,urg" protocol=tcp
|
||||
add action=drop chain=bad-tcp comment="defconf: drop flags syn,rst" protocol=tcp tcp-flags=syn,rst
|
||||
add action=drop chain=bad-tcp comment="defconf: drop flags rst,urg" protocol=tcp tcp-flags=rst,urg
|
||||
|
||||
add action=accept chain=icmp4 comment="defconf: echo reply" icmp-options=0:0 protocol=icmp
|
||||
add action=accept chain=icmp4 comment="defconf: host unreachable" icmp-options=3:1 protocol=icmp
|
||||
add action=accept chain=icmp4 comment="defconf: port unreachable" icmp-options=3:3 protocol=icmp
|
||||
add action=accept chain=icmp4 comment="defconf: fragmentation needed" icmp-options=3:4 protocol=icmp
|
||||
add action=accept chain=icmp4 comment="defconf: time exceeded" icmp-options=11:0-255 protocol=icmp
|
||||
add action=accept chain=icmp4 comment="defconf: rfc4884 echo reply" icmp-options=0:0 protocol=icmp
|
||||
add action=accept chain=icmp4 comment="defconf: rfc4884 host unreachable" icmp-options=3:1 protocol=icmp
|
||||
add action=accept chain=icmp4 comment="defconf: rfc4884 port unreachable" icmp-options=3:3 protocol=icmp
|
||||
add action=accept chain=icmp4 comment="defconf: rfc4884 fragmentation needed" icmp-options=3:4 protocol=icmp
|
||||
add action=accept chain=icmp4 comment="defconf: rfc4884 echo request" icmp-options=8:0 protocol=icmp
|
||||
add action=accept chain=icmp4 comment="defconf: rfc4884 time exceeded" icmp-options=11:0-255 protocol=icmp
|
||||
|
||||
add action=drop chain=icmp4 comment="lanconf: drop ICMP not from LAN" protocol=icmp in-interface-list=!LAN
|
||||
|
||||
add action=accept chain=icmp4 comment="defconf: net unreachable" icmp-options=3:0 protocol=icmp
|
||||
add action=accept chain=icmp4 comment="defconf: protocol unreachable" icmp-options=3:2 protocol=icmp
|
||||
|
||||
add action=accept chain=icmp4 comment="lanconf: echo to local device" icmp-options=8:0 protocol=icmp dst-address-list=local_subnet_ipv4
|
||||
add action=drop chain=icmp4 comment="lanconf: echo to non global" icmp-options=8:0 protocol=icmp dst-address-list=not_global_ipv4
|
||||
add action=accept chain=icmp4 comment="lanconf: echo to WAN" icmp-options=8:0 protocol=icmp
|
||||
add action=accept chain=icmp4 comment="defconf: rfc4884 net unreachable only LAN" icmp-options=3:0 in-interface-list=LAN protocol=icmp
|
||||
add action=accept chain=icmp4 comment="defconf: rfc4884 protocol unreachable only LAN" icmp-options=3:2 in-interface-list=LAN protocol=icmp
|
||||
|
||||
add action=drop chain=icmp4 comment="defconf: drop all other ICMP" protocol=icmp
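Review bot: The `defconf: rfc4884 echo request` line accepts `icmp-options=8:0` with no `in-interface-list` or `dst-address-list` match, while the lines that previously gated pings (`lanconf: drop ICMP not from LAN` and the `local_subnet_ipv4` / `not_global_ipv4` echo rules behind it) are removed in this hunk. Assuming the rfc4884 lines are the new side — which the `-99,20 +99,15` counts and the Raw 37→34 header change suggest — WAN-originated echo requests now leave the raw table accepted and are only stopped if the filter chains drop them, which this commit does not show. If that is intended, say so on the line, e.g. `comment="defconf: echo request (any interface; WAN pings gated in filter)"`; if not, scope it like the 3:0/3:2 rules already are: `add action=accept chain=icmp4 comment="defconf: rfc4884 echo request" icmp-options=8:0 in-interface-list=LAN protocol=icmp`. Note that raw runs before connection tracking, so an unconditional 8:0 accept here also means nothing in this chain rate-limits echo floods before conntrack. The rule that jumps into `icmp4` is outside the hunk, so whether it is already restricted by interface is not visible here.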
|
||||
|
||||
|
@ -1,7 +1,7 @@
|
||||
## Filter 规则 18 条
|
||||
## NAT 规则 5 条
|
||||
## Mangle 规则 1 条
|
||||
## Raw 规则 38 条
|
||||
## Raw 规则 35 条
|
||||
## Address-list 规则 25 条
|
||||
|
||||
/ip firewall address-list
|
||||
@ -120,20 +120,15 @@ add action=drop chain=bad-tcp comment="defconf: drop flags fin,urg" protocol=tcp
|
||||
add action=drop chain=bad-tcp comment="defconf: drop flags syn,rst" protocol=tcp tcp-flags=syn,rst
|
||||
add action=drop chain=bad-tcp comment="defconf: drop flags rst,urg" protocol=tcp tcp-flags=rst,urg
|
||||
|
||||
add action=accept chain=icmp4 comment="defconf: echo reply" icmp-options=0:0 protocol=icmp
|
||||
add action=accept chain=icmp4 comment="defconf: host unreachable" icmp-options=3:1 protocol=icmp
|
||||
add action=accept chain=icmp4 comment="defconf: port unreachable" icmp-options=3:3 protocol=icmp
|
||||
add action=accept chain=icmp4 comment="defconf: fragmentation needed" icmp-options=3:4 protocol=icmp
|
||||
add action=accept chain=icmp4 comment="defconf: time exceeded" icmp-options=11:0-255 protocol=icmp
|
||||
add action=accept chain=icmp4 comment="defconf: rfc4884 echo reply" icmp-options=0:0 protocol=icmp
|
||||
add action=accept chain=icmp4 comment="defconf: rfc4884 host unreachable" icmp-options=3:1 protocol=icmp
|
||||
add action=accept chain=icmp4 comment="defconf: rfc4884 port unreachable" icmp-options=3:3 protocol=icmp
|
||||
add action=accept chain=icmp4 comment="defconf: rfc4884 fragmentation needed" icmp-options=3:4 protocol=icmp
|
||||
add action=accept chain=icmp4 comment="defconf: rfc4884 echo request" icmp-options=8:0 protocol=icmp
|
||||
add action=accept chain=icmp4 comment="defconf: rfc4884 time exceeded" icmp-options=11:0-255 protocol=icmp
|
||||
|
||||
add action=drop chain=icmp4 comment="lanconf: drop ICMP not from LAN" protocol=icmp in-interface-list=!LAN
|
||||
|
||||
add action=accept chain=icmp4 comment="defconf: net unreachable" icmp-options=3:0 protocol=icmp
|
||||
add action=accept chain=icmp4 comment="defconf: protocol unreachable" icmp-options=3:2 protocol=icmp
|
||||
|
||||
add action=accept chain=icmp4 comment="lanconf: echo to local device" icmp-options=8:0 protocol=icmp dst-address-list=local_subnet_ipv4
|
||||
add action=drop chain=icmp4 comment="lanconf: echo to non global" icmp-options=8:0 protocol=icmp dst-address-list=not_global_ipv4
|
||||
add action=accept chain=icmp4 comment="lanconf: echo to WAN" icmp-options=8:0 protocol=icmp
|
||||
add action=accept chain=icmp4 comment="defconf: rfc4884 net unreachable only LAN" icmp-options=3:0 in-interface-list=LAN protocol=icmp
|
||||
add action=accept chain=icmp4 comment="defconf: rfc4884 protocol unreachable only LAN" icmp-options=3:2 in-interface-list=LAN protocol=icmp
|
||||
|
||||
add action=drop chain=icmp4 comment="defconf: drop all other ICMP" protocol=icmp
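Review bot: The `defconf: rfc4884 echo request` accept (`icmp-options=8:0`) carries no interface or destination match, and this hunk removes the `lanconf: drop ICMP not from LAN` rule together with the `dst-address-list`-scoped echo rules that used to sit behind it. If the rfc4884 lines are the new side (the `-120,20 +120,15` counts and the Raw 38→35 header point that way), pings from the WAN are no longer dropped in raw and the filter table becomes the only place they can be refused — not shown in this commit. Either document that on the rule, e.g. `comment="defconf: echo request (any interface; WAN pings gated in filter)"`, or keep the LAN scope the 3:0/3:2 rules have: `add action=accept chain=icmp4 comment="defconf: rfc4884 echo request" icmp-options=8:0 in-interface-list=LAN protocol=icmp`. The jump into `icmp4` is outside the hunk, so I cannot tell whether it already limits the chain to LAN traffic.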
|
||||
|
||||
|
@ -1,7 +1,7 @@
|
||||
## Filter 规则 11 条 + 虚拟规则 1 条
|
||||
## NAT 规则 4 条
|
||||
## Mangle 规则 2 条 + 虚拟规则 3 条
|
||||
## Raw 规则 41 条 + 虚拟规则 1 条
|
||||
## Raw 规则 37 条 + 虚拟规则 1 条
|
||||
## Address-list 规则 24 条
|
||||
|
||||
/ip firewall address-list
|
||||
@ -110,21 +110,15 @@ add action=drop chain=bad-tcp comment="defconf: drop flags fin,urg" protocol=tcp
|
||||
add action=drop chain=bad-tcp comment="defconf: drop flags syn,rst" protocol=tcp tcp-flags=syn,rst
|
||||
add action=drop chain=bad-tcp comment="defconf: drop flags rst,urg" protocol=tcp tcp-flags=rst,urg
|
||||
|
||||
add action=accept chain=icmp4 comment="defconf: echo reply" icmp-options=0:0 protocol=icmp
|
||||
add action=accept chain=icmp4 comment="defconf: host unreachable" icmp-options=3:1 protocol=icmp
|
||||
add action=accept chain=icmp4 comment="defconf: port unreachable" icmp-options=3:3 protocol=icmp
|
||||
add action=accept chain=icmp4 comment="defconf: fragmentation needed" icmp-options=3:4 protocol=icmp
|
||||
add action=accept chain=icmp4 comment="defconf: time exceeded" icmp-options=11:0-255 protocol=icmp
|
||||
add action=accept chain=icmp4 comment="defconf: rfc4884 echo reply" icmp-options=0:0 protocol=icmp
|
||||
add action=accept chain=icmp4 comment="defconf: rfc4884 host unreachable" icmp-options=3:1 protocol=icmp
|
||||
add action=accept chain=icmp4 comment="defconf: rfc4884 port unreachable" icmp-options=3:3 protocol=icmp
|
||||
add action=accept chain=icmp4 comment="defconf: rfc4884 fragmentation needed" icmp-options=3:4 protocol=icmp
|
||||
add action=accept chain=icmp4 comment="defconf: rfc4884 echo request" icmp-options=8:0 protocol=icmp
|
||||
add action=accept chain=icmp4 comment="defconf: rfc4884 time exceeded" icmp-options=11:0-255 protocol=icmp
|
||||
|
||||
add action=drop chain=icmp4 comment="lanconf: drop ICMP not from LAN" protocol=icmp in-interface-list=!LAN
|
||||
|
||||
add action=accept chain=icmp4 comment="defconf: net unreachable" icmp-options=3:0 protocol=icmp
|
||||
add action=accept chain=icmp4 comment="defconf: protocol unreachable" icmp-options=3:2 protocol=icmp
|
||||
|
||||
add action=accept chain=icmp4 comment="lanconf: echo to local device" icmp-options=8:0 protocol=icmp dst-address-list=local_subnet_ipv4
|
||||
add action=accept chain=icmp4 comment="onuconf: echo to ONU" icmp-options=8:0 protocol=icmp dst-address-list=local_onu_ipv4
|
||||
add action=drop chain=icmp4 comment="lanconf: echo to non global" icmp-options=8:0 protocol=icmp dst-address-list=not_global_ipv4
|
||||
add action=accept chain=icmp4 comment="lanconf: echo to WAN" icmp-options=8:0 protocol=icmp
|
||||
add action=accept chain=icmp4 comment="defconf: rfc4884 net unreachable only LAN" icmp-options=3:0 in-interface-list=LAN protocol=icmp
|
||||
add action=accept chain=icmp4 comment="defconf: rfc4884 protocol unreachable only LAN" icmp-options=3:2 in-interface-list=LAN protocol=icmp
|
||||
|
||||
add action=drop chain=icmp4 comment="defconf: drop all other ICMP" protocol=icmp
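Review bot: With the `onuconf: echo to ONU` rule (`dst-address-list=local_onu_ipv4`) and the other scoped echo rules removed, the only 8:0 match left in the chain is `defconf: rfc4884 echo request`, which has no `in-interface-list` or `dst-address-list` condition. Assuming the rfc4884 lines are the new side — consistent with the `-110,21 +110,15` counts and the Raw 41→37 header — the `lanconf: drop ICMP not from LAN` rule is gone as well, so echo requests arriving on WAN pass the raw table and must be handled by the filter chains, which this commit does not touch. If that is the intent, a comment on the line such as `comment="defconf: echo request (any interface; WAN pings gated in filter)"` would make it explicit; otherwise add `in-interface-list=LAN` to the 8:0 rule as the 3:0/3:2 rules already have. The rule jumping into `icmp4` lies outside the hunk, so its own scoping is not visible here.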
|
||||
|
||||
|
@ -1,7 +1,7 @@
|
||||
## Filter 规则 19 条
|
||||
## NAT 规则 6 条
|
||||
## Mangle 规则 2 条
|
||||
## Raw 规则 42 条
|
||||
## Raw 规则 38 条
|
||||
## Address-list 规则 29 条
|
||||
|
||||
/ip firewall address-list
|
||||
@ -131,21 +131,15 @@ add action=drop chain=bad-tcp comment="defconf: drop flags fin,urg" protocol=tcp
|
||||
add action=drop chain=bad-tcp comment="defconf: drop flags syn,rst" protocol=tcp tcp-flags=syn,rst
|
||||
add action=drop chain=bad-tcp comment="defconf: drop flags rst,urg" protocol=tcp tcp-flags=rst,urg
|
||||
|
||||
add action=accept chain=icmp4 comment="defconf: echo reply" icmp-options=0:0 protocol=icmp
|
||||
add action=accept chain=icmp4 comment="defconf: host unreachable" icmp-options=3:1 protocol=icmp
|
||||
add action=accept chain=icmp4 comment="defconf: port unreachable" icmp-options=3:3 protocol=icmp
|
||||
add action=accept chain=icmp4 comment="defconf: fragmentation needed" icmp-options=3:4 protocol=icmp
|
||||
add action=accept chain=icmp4 comment="defconf: time exceeded" icmp-options=11:0-255 protocol=icmp
|
||||
add action=accept chain=icmp4 comment="defconf: rfc4884 echo reply" icmp-options=0:0 protocol=icmp
|
||||
add action=accept chain=icmp4 comment="defconf: rfc4884 host unreachable" icmp-options=3:1 protocol=icmp
|
||||
add action=accept chain=icmp4 comment="defconf: rfc4884 port unreachable" icmp-options=3:3 protocol=icmp
|
||||
add action=accept chain=icmp4 comment="defconf: rfc4884 fragmentation needed" icmp-options=3:4 protocol=icmp
|
||||
add action=accept chain=icmp4 comment="defconf: rfc4884 echo request" icmp-options=8:0 protocol=icmp
|
||||
add action=accept chain=icmp4 comment="defconf: rfc4884 time exceeded" icmp-options=11:0-255 protocol=icmp
|
||||
|
||||
add action=drop chain=icmp4 comment="lanconf: drop ICMP not from LAN" protocol=icmp in-interface-list=!LAN
|
||||
|
||||
add action=accept chain=icmp4 comment="defconf: net unreachable" icmp-options=3:0 protocol=icmp
|
||||
add action=accept chain=icmp4 comment="defconf: protocol unreachable" icmp-options=3:2 protocol=icmp
|
||||
|
||||
add action=accept chain=icmp4 comment="lanconf: echo to local device" icmp-options=8:0 protocol=icmp dst-address-list=local_subnet_ipv4
|
||||
add action=accept chain=icmp4 comment="onuconf: echo to ONU" icmp-options=8:0 protocol=icmp dst-address-list=local_onu_ipv4
|
||||
add action=drop chain=icmp4 comment="lanconf: echo to non global" icmp-options=8:0 protocol=icmp dst-address-list=not_global_ipv4
|
||||
add action=accept chain=icmp4 comment="lanconf: echo to WAN" icmp-options=8:0 protocol=icmp
|
||||
add action=accept chain=icmp4 comment="defconf: rfc4884 net unreachable only LAN" icmp-options=3:0 in-interface-list=LAN protocol=icmp
|
||||
add action=accept chain=icmp4 comment="defconf: rfc4884 protocol unreachable only LAN" icmp-options=3:2 in-interface-list=LAN protocol=icmp
|
||||
|
||||
add action=drop chain=icmp4 comment="defconf: drop all other ICMP" protocol=icmp
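Review bot: The `defconf: rfc4884 echo request` line accepts `icmp-options=8:0` unconditionally, and this hunk drops the `lanconf: drop ICMP not from LAN` rule plus the echo rules scoped by `local_subnet_ipv4`, `local_onu_ipv4` and `not_global_ipv4`. If the rfc4884 lines are the new side (the `-131,21 +131,15` counts and Raw 42→38 header suggest so), WAN-originated pings now leave raw accepted and are refused only if the filter table does it, which is not part of this change. Either note that on the rule, e.g. `comment="defconf: echo request (any interface; WAN pings gated in filter)"`, or give it the same LAN scope as the 3:0/3:2 rules: `add action=accept chain=icmp4 comment="defconf: rfc4884 echo request" icmp-options=8:0 in-interface-list=LAN protocol=icmp`. Because raw precedes conntrack, the unconditional accept also means no `limit` matcher throttles echo floods here. The jump into `icmp4` is outside the hunk.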
|
||||
|
||||
|
@ -96,7 +96,7 @@ add address=172.16.1.10 comment="<your-device-name1>" lease-time=2d mac-address=
|
||||
## Filter 规则 11 条 + 虚拟规则 1 条
|
||||
## NAT 规则 4 条
|
||||
## Mangle 规则 2 条 + 虚拟规则 3 条
|
||||
## Raw 规则 41 条 + 虚拟规则 1 条
|
||||
## Raw 规则 37 条 + 虚拟规则 1 条
|
||||
## Address-list 规则 24 条
|
||||
## Blackhole 规则 13 条
|
||||
/ip firewall address-list
|
||||
@ -205,21 +205,15 @@ add action=drop chain=bad-tcp comment="defconf: drop flags fin,urg" protocol=tcp
|
||||
add action=drop chain=bad-tcp comment="defconf: drop flags syn,rst" protocol=tcp tcp-flags=syn,rst
|
||||
add action=drop chain=bad-tcp comment="defconf: drop flags rst,urg" protocol=tcp tcp-flags=rst,urg
|
||||
|
||||
add action=accept chain=icmp4 comment="defconf: echo reply" icmp-options=0:0 protocol=icmp
|
||||
add action=accept chain=icmp4 comment="defconf: host unreachable" icmp-options=3:1 protocol=icmp
|
||||
add action=accept chain=icmp4 comment="defconf: port unreachable" icmp-options=3:3 protocol=icmp
|
||||
add action=accept chain=icmp4 comment="defconf: fragmentation needed" icmp-options=3:4 protocol=icmp
|
||||
add action=accept chain=icmp4 comment="defconf: time exceeded" icmp-options=11:0-255 protocol=icmp
|
||||
add action=accept chain=icmp4 comment="defconf: rfc4884 echo reply" icmp-options=0:0 protocol=icmp
|
||||
add action=accept chain=icmp4 comment="defconf: rfc4884 host unreachable" icmp-options=3:1 protocol=icmp
|
||||
add action=accept chain=icmp4 comment="defconf: rfc4884 port unreachable" icmp-options=3:3 protocol=icmp
|
||||
add action=accept chain=icmp4 comment="defconf: rfc4884 fragmentation needed" icmp-options=3:4 protocol=icmp
|
||||
add action=accept chain=icmp4 comment="defconf: rfc4884 echo request" icmp-options=8:0 protocol=icmp
|
||||
add action=accept chain=icmp4 comment="defconf: rfc4884 time exceeded" icmp-options=11:0-255 protocol=icmp
|
||||
|
||||
add action=drop chain=icmp4 comment="lanconf: drop ICMP not from LAN" protocol=icmp in-interface-list=!LAN
|
||||
|
||||
add action=accept chain=icmp4 comment="defconf: net unreachable" icmp-options=3:0 protocol=icmp
|
||||
add action=accept chain=icmp4 comment="defconf: protocol unreachable" icmp-options=3:2 protocol=icmp
|
||||
|
||||
add action=accept chain=icmp4 comment="lanconf: echo to local device" icmp-options=8:0 protocol=icmp dst-address-list=local_subnet_ipv4
|
||||
add action=accept chain=icmp4 comment="onuconf: echo to ONU" icmp-options=8:0 protocol=icmp dst-address-list=local_onu_ipv4
|
||||
add action=drop chain=icmp4 comment="lanconf: echo to non global" icmp-options=8:0 protocol=icmp dst-address-list=not_global_ipv4
|
||||
add action=accept chain=icmp4 comment="lanconf: echo to WAN" icmp-options=8:0 protocol=icmp
|
||||
add action=accept chain=icmp4 comment="defconf: rfc4884 net unreachable only LAN" icmp-options=3:0 in-interface-list=LAN protocol=icmp
|
||||
add action=accept chain=icmp4 comment="defconf: rfc4884 protocol unreachable only LAN" icmp-options=3:2 in-interface-list=LAN protocol=icmp
|
||||
|
||||
add action=drop chain=icmp4 comment="defconf: drop all other ICMP" protocol=icmp
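Review bot: After this hunk the only echo-request match in `icmp4` is `defconf: rfc4884 echo request` (`icmp-options=8:0`) with no interface or destination condition, while `lanconf: drop ICMP not from LAN` and the `local_subnet_ipv4` / `local_onu_ipv4` / `not_global_ipv4` echo rules are removed. Assuming the rfc4884 lines are the new side — which the `-205,21 +205,15` counts and the Raw 41→37 header indicate — pings from WAN are no longer stopped in raw, so the filter chains (not shown) become the sole control. If that is deliberate, document it on the line, e.g. `comment="defconf: echo request (any interface; WAN pings gated in filter)"`; if not, add `in-interface-list=LAN` to the 8:0 rule the way the 3:0/3:2 rules already do. The rule that jumps into this chain is outside the hunk, so its scope cannot be checked from here.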
|
||||
|
||||
|
@ -187,7 +187,7 @@ add address=172.16.1.30 comment="<your-device-name3>" dhcp-option-set=opt-bypass
|
||||
## Filter 规则 19 条
|
||||
## NAT 规则 6 条
|
||||
## Mangle 规则 2 条
|
||||
## Raw 规则 42 条
|
||||
## Raw 规则 38 条
|
||||
## Address-list 规则 29 条
|
||||
## Blackhole 规则 13 条
|
||||
/ip firewall address-list
|
||||
@ -317,21 +317,15 @@ add action=drop chain=bad-tcp comment="defconf: drop flags fin,urg" protocol=tcp
|
||||
add action=drop chain=bad-tcp comment="defconf: drop flags syn,rst" protocol=tcp tcp-flags=syn,rst
|
||||
add action=drop chain=bad-tcp comment="defconf: drop flags rst,urg" protocol=tcp tcp-flags=rst,urg
|
||||
|
||||
add action=accept chain=icmp4 comment="defconf: echo reply" icmp-options=0:0 protocol=icmp
|
||||
add action=accept chain=icmp4 comment="defconf: host unreachable" icmp-options=3:1 protocol=icmp
|
||||
add action=accept chain=icmp4 comment="defconf: port unreachable" icmp-options=3:3 protocol=icmp
|
||||
add action=accept chain=icmp4 comment="defconf: fragmentation needed" icmp-options=3:4 protocol=icmp
|
||||
add action=accept chain=icmp4 comment="defconf: time exceeded" icmp-options=11:0-255 protocol=icmp
|
||||
add action=accept chain=icmp4 comment="defconf: rfc4884 echo reply" icmp-options=0:0 protocol=icmp
|
||||
add action=accept chain=icmp4 comment="defconf: rfc4884 host unreachable" icmp-options=3:1 protocol=icmp
|
||||
add action=accept chain=icmp4 comment="defconf: rfc4884 port unreachable" icmp-options=3:3 protocol=icmp
|
||||
add action=accept chain=icmp4 comment="defconf: rfc4884 fragmentation needed" icmp-options=3:4 protocol=icmp
|
||||
add action=accept chain=icmp4 comment="defconf: rfc4884 echo request" icmp-options=8:0 protocol=icmp
|
||||
add action=accept chain=icmp4 comment="defconf: rfc4884 time exceeded" icmp-options=11:0-255 protocol=icmp
|
||||
|
||||
add action=drop chain=icmp4 comment="lanconf: drop ICMP not from LAN" protocol=icmp in-interface-list=!LAN
|
||||
|
||||
add action=accept chain=icmp4 comment="defconf: net unreachable" icmp-options=3:0 protocol=icmp
|
||||
add action=accept chain=icmp4 comment="defconf: protocol unreachable" icmp-options=3:2 protocol=icmp
|
||||
|
||||
add action=accept chain=icmp4 comment="lanconf: echo to local device" icmp-options=8:0 protocol=icmp dst-address-list=local_subnet_ipv4
|
||||
add action=accept chain=icmp4 comment="onuconf: echo to ONU" icmp-options=8:0 protocol=icmp dst-address-list=local_onu_ipv4
|
||||
add action=drop chain=icmp4 comment="lanconf: echo to non global" icmp-options=8:0 protocol=icmp dst-address-list=not_global_ipv4
|
||||
add action=accept chain=icmp4 comment="lanconf: echo to WAN" icmp-options=8:0 protocol=icmp
|
||||
add action=accept chain=icmp4 comment="defconf: rfc4884 net unreachable only LAN" icmp-options=3:0 in-interface-list=LAN protocol=icmp
|
||||
add action=accept chain=icmp4 comment="defconf: rfc4884 protocol unreachable only LAN" icmp-options=3:2 in-interface-list=LAN protocol=icmp
|
||||
|
||||
add action=drop chain=icmp4 comment="defconf: drop all other ICMP" protocol=icmp
|
||||
|
||||
|
@ -88,7 +88,7 @@ add address=172.16.1.10 comment="<your-device-name1>" lease-time=2d mac-address=
|
||||
## Filter 规则 10 条 + 虚拟规则 1 条
|
||||
## NAT 规则 3 条
|
||||
## Mangle 规则 1 条 + 虚拟规则 3 条
|
||||
## Raw 规则 37 条 + 虚拟规则 1 条
|
||||
## Raw 规则 34 条 + 虚拟规则 1 条
|
||||
## Address-list 规则 20 条
|
||||
## Blackhole 规则 13 条
|
||||
/ip firewall address-list
|
||||
@ -186,20 +186,15 @@ add action=drop chain=bad-tcp comment="defconf: drop flags fin,urg" protocol=tcp
|
||||
add action=drop chain=bad-tcp comment="defconf: drop flags syn,rst" protocol=tcp tcp-flags=syn,rst
|
||||
add action=drop chain=bad-tcp comment="defconf: drop flags rst,urg" protocol=tcp tcp-flags=rst,urg
|
||||
|
||||
add action=accept chain=icmp4 comment="defconf: echo reply" icmp-options=0:0 protocol=icmp
|
||||
add action=accept chain=icmp4 comment="defconf: host unreachable" icmp-options=3:1 protocol=icmp
|
||||
add action=accept chain=icmp4 comment="defconf: port unreachable" icmp-options=3:3 protocol=icmp
|
||||
add action=accept chain=icmp4 comment="defconf: fragmentation needed" icmp-options=3:4 protocol=icmp
|
||||
add action=accept chain=icmp4 comment="defconf: time exceeded" icmp-options=11:0-255 protocol=icmp
|
||||
add action=accept chain=icmp4 comment="defconf: rfc4884 echo reply" icmp-options=0:0 protocol=icmp
|
||||
add action=accept chain=icmp4 comment="defconf: rfc4884 host unreachable" icmp-options=3:1 protocol=icmp
|
||||
add action=accept chain=icmp4 comment="defconf: rfc4884 port unreachable" icmp-options=3:3 protocol=icmp
|
||||
add action=accept chain=icmp4 comment="defconf: rfc4884 fragmentation needed" icmp-options=3:4 protocol=icmp
|
||||
add action=accept chain=icmp4 comment="defconf: rfc4884 echo request" icmp-options=8:0 protocol=icmp
|
||||
add action=accept chain=icmp4 comment="defconf: rfc4884 time exceeded" icmp-options=11:0-255 protocol=icmp
|
||||
|
||||
add action=drop chain=icmp4 comment="lanconf: drop ICMP not from LAN" protocol=icmp in-interface-list=!LAN
|
||||
|
||||
add action=accept chain=icmp4 comment="defconf: net unreachable" icmp-options=3:0 protocol=icmp
|
||||
add action=accept chain=icmp4 comment="defconf: protocol unreachable" icmp-options=3:2 protocol=icmp
|
||||
|
||||
add action=accept chain=icmp4 comment="lanconf: echo to local device" icmp-options=8:0 protocol=icmp dst-address-list=local_subnet_ipv4
|
||||
add action=drop chain=icmp4 comment="lanconf: echo to non global" icmp-options=8:0 protocol=icmp dst-address-list=not_global_ipv4
|
||||
add action=accept chain=icmp4 comment="lanconf: echo to WAN" icmp-options=8:0 protocol=icmp
|
||||
add action=accept chain=icmp4 comment="defconf: rfc4884 net unreachable only LAN" icmp-options=3:0 in-interface-list=LAN protocol=icmp
|
||||
add action=accept chain=icmp4 comment="defconf: rfc4884 protocol unreachable only LAN" icmp-options=3:2 in-interface-list=LAN protocol=icmp
|
||||
|
||||
add action=drop chain=icmp4 comment="defconf: drop all other ICMP" protocol=icmp
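Review bot: The `defconf: rfc4884 echo request` line accepts `icmp-options=8:0` from any interface to any destination, while `lanconf: drop ICMP not from LAN` and the `local_subnet_ipv4` / `not_global_ipv4` echo rules that previously confined pings to LAN sources are removed in this hunk. Assuming the rfc4884 lines are the new side — consistent with the `-186,20 +186,15` counts and the Raw 37→34 header — pings from WAN now leave raw accepted and rely on the filter table (not in this commit) to be refused. If that is intended, a comment like `comment="defconf: echo request (any interface; WAN pings gated in filter)"` on the line would make the decision visible; otherwise keep the 8:0 rule LAN-scoped with `in-interface-list=LAN` as the 3:0/3:2 rules are. Since raw runs before conntrack, the unconditional accept also leaves echo floods unthrottled at this stage. The rule jumping into `icmp4` is outside the hunk.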
|
||||
|
||||
|
@ -95,7 +95,7 @@ add address=172.16.1.10 comment="<your-device-name1>" lease-time=2d mac-address=
|
||||
## Filter 规则 11 条 + 虚拟规则 1 条
|
||||
## NAT 规则 4 条
|
||||
## Mangle 规则 2 条 + 虚拟规则 3 条
|
||||
## Raw 规则 41 条 + 虚拟规则 1 条
|
||||
## Raw 规则 37 条 + 虚拟规则 1 条
|
||||
## Address-list 规则 24 条
|
||||
## Blackhole 规则 13 条
|
||||
/ip firewall address-list
|
||||
@ -204,21 +204,15 @@ add action=drop chain=bad-tcp comment="defconf: drop flags fin,urg" protocol=tcp
|
||||
add action=drop chain=bad-tcp comment="defconf: drop flags syn,rst" protocol=tcp tcp-flags=syn,rst
|
||||
add action=drop chain=bad-tcp comment="defconf: drop flags rst,urg" protocol=tcp tcp-flags=rst,urg
|
||||
|
||||
add action=accept chain=icmp4 comment="defconf: echo reply" icmp-options=0:0 protocol=icmp
|
||||
add action=accept chain=icmp4 comment="defconf: host unreachable" icmp-options=3:1 protocol=icmp
|
||||
add action=accept chain=icmp4 comment="defconf: port unreachable" icmp-options=3:3 protocol=icmp
|
||||
add action=accept chain=icmp4 comment="defconf: fragmentation needed" icmp-options=3:4 protocol=icmp
|
||||
add action=accept chain=icmp4 comment="defconf: time exceeded" icmp-options=11:0-255 protocol=icmp
|
||||
add action=accept chain=icmp4 comment="defconf: rfc4884 echo reply" icmp-options=0:0 protocol=icmp
|
||||
add action=accept chain=icmp4 comment="defconf: rfc4884 host unreachable" icmp-options=3:1 protocol=icmp
|
||||
add action=accept chain=icmp4 comment="defconf: rfc4884 port unreachable" icmp-options=3:3 protocol=icmp
|
||||
add action=accept chain=icmp4 comment="defconf: rfc4884 fragmentation needed" icmp-options=3:4 protocol=icmp
|
||||
add action=accept chain=icmp4 comment="defconf: rfc4884 echo request" icmp-options=8:0 protocol=icmp
|
||||
add action=accept chain=icmp4 comment="defconf: rfc4884 time exceeded" icmp-options=11:0-255 protocol=icmp
|
||||
|
||||
add action=drop chain=icmp4 comment="lanconf: drop ICMP not from LAN" protocol=icmp in-interface-list=!LAN
|
||||
|
||||
add action=accept chain=icmp4 comment="defconf: net unreachable" icmp-options=3:0 protocol=icmp
|
||||
add action=accept chain=icmp4 comment="defconf: protocol unreachable" icmp-options=3:2 protocol=icmp
|
||||
|
||||
add action=accept chain=icmp4 comment="lanconf: echo to local device" icmp-options=8:0 protocol=icmp dst-address-list=local_subnet_ipv4
|
||||
add action=accept chain=icmp4 comment="onuconf: echo to ONU" icmp-options=8:0 protocol=icmp dst-address-list=local_onu_ipv4
|
||||
add action=drop chain=icmp4 comment="lanconf: echo to non global" icmp-options=8:0 protocol=icmp dst-address-list=not_global_ipv4
|
||||
add action=accept chain=icmp4 comment="lanconf: echo to WAN" icmp-options=8:0 protocol=icmp
|
||||
add action=accept chain=icmp4 comment="defconf: rfc4884 net unreachable only LAN" icmp-options=3:0 in-interface-list=LAN protocol=icmp
|
||||
add action=accept chain=icmp4 comment="defconf: rfc4884 protocol unreachable only LAN" icmp-options=3:2 in-interface-list=LAN protocol=icmp
|
||||
|
||||
add action=drop chain=icmp4 comment="defconf: drop all other ICMP" protocol=icmp
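Review bot: With the `onuconf: echo to ONU` and the other `dst-address-list`-scoped echo rules removed, the sole 8:0 match left is `defconf: rfc4884 echo request`, which carries no `in-interface-list` or `dst-address-list` condition, and `lanconf: drop ICMP not from LAN` goes away in the same hunk. If the rfc4884 lines are the new side (the `-204,21 +204,15` counts and Raw 41→37 header suggest so), echo requests arriving on WAN are no longer dropped in raw and the filter chains, not shown here, are the only remaining control. Either document that on the rule, e.g. `comment="defconf: echo request (any interface; WAN pings gated in filter)"`, or scope it like the 3:0/3:2 rules: `add action=accept chain=icmp4 comment="defconf: rfc4884 echo request" icmp-options=8:0 in-interface-list=LAN protocol=icmp`. The jump into `icmp4` lies outside the hunk, so whether it already restricts the chain by interface is not visible.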
|
||||
|
||||
|