V2EX = way to explore
V2EX 是一个关于分享和探索的地方
现在注册
已注册用户请  登录
shudongin
V2EX  ›  宽带症候群

有没有同学分享一下 ros 防火墙脚本啊?尤其是 ipv6 的

  •  
  •   shudongin · 2021-07-03 22:35:23 +08:00 · 2439 次点击
    这是一个创建于 1269 天前的主题,其中的信息可能已经有所发展或是发生改变。

    用了一天,才发现整个防火墙全是空的。 谢谢。

    8 条回复    2021-07-07 15:52:22 +08:00
    zro
        1
    zro  
       2021-07-04 01:53:15 +08:00
    不空啊,默认有 21 条设定的。。
    cr0wd
        2
    cr0wd  
       2021-07-04 07:10:57 +08:00 via Android
    可以参考下 Manual:Securing Your Router 这篇官方文档
    shudongin
        3
    shudongin  
    OP
       2021-07-04 08:37:24 +08:00
    @zro 原来我重置的时候把 no default configuration 勾上了,谢谢提醒。
    @cr0wd 好的,谢谢。
    ericbize
        4
    ericbize  
       2021-07-04 22:15:04 +08:00
    [admin@Home] > ipv6 firewall filter print
    Flags: X - disabled, I - invalid, D - dynamic
    0 ;;; defconf: accept established,related,untracked
    chain=input action=accept connection-state=established,related,untracked

    1 ;;; defconf: drop invalid
    chain=input action=drop connection-state=invalid

    2 ;;; defconf: accept ICMPv6
    chain=input action=accept protocol=icmpv6

    3 ;;; defconf: accept UDP traceroute
    chain=input action=accept protocol=udp port=33434-33534

    4 ;;; defconf: accept DHCPv6-Client prefix delegation.
    chain=input action=accept protocol=udp src-address=fe80::/16 dst-port=546

    5 ;;; defconf: accept IKE
    chain=input action=accept protocol=udp dst-port=500,4500

    6 ;;; defconf: accept ipsec AH
    chain=input action=accept protocol=ipsec-ah

    7 ;;; defconf: accept ipsec ESP
    chain=input action=accept protocol=ipsec-esp

    8 ;;; defconf: accept all that matches ipsec policy
    chain=input action=accept ipsec-policy=in,ipsec

    9 ;;; defconf: drop everything else not coming from LAN
    chain=input action=drop in-interface-list=!LAN

    10 ;;; defconf: accept established,related,untracked
    chain=forward action=accept connection-state=established,related,untracked

    11 ;;; defconf: drop invalid
    chain=forward action=drop connection-state=invalid

    12 ;;; defconf: drop packets with bad src ipv6
    chain=forward action=drop src-address-list=bad_ipv6

    13 ;;; defconf: drop packets with bad dst ipv6
    chain=forward action=drop dst-address-list=bad_ipv6

    14 ;;; defconf: rfc4890 drop hop-limit=1
    chain=forward action=drop protocol=icmpv6 hop-limit=equal:1

    15 ;;; defconf: accept ICMPv6
    chain=forward action=accept protocol=icmpv6

    16 ;;; defconf: accept HIP
    chain=forward action=accept protocol=139

    17 ;;; defconf: accept IKE
    chain=forward action=accept protocol=udp dst-port=500,4500

    18 ;;; defconf: accept ipsec AH
    chain=forward action=accept protocol=ipsec-ah

    19 ;;; defconf: accept ipsec ESP
    chain=forward action=accept protocol=ipsec-esp

    20 ;;; defconf: accept all that matches ipsec policy
    chain=forward action=accept ipsec-policy=in,ipsec

    21 ;;; defconf: drop everything else not coming from LAN
    chain=forward action=drop in-interface-list=!LAN
    brMu
        5
    brMu  
       2021-07-05 08:53:35 +08:00
    实在不理解,用个路由器整这么复杂干吗?爱快、openwrt 、高恪不香吗?操作简单易上手,是因为有什么功能他们做不到非得用 ros 吗?
    redial39
        6
    redial39  
       2021-07-05 09:38:04 +08:00
    @brMu 先不说转发性能和稳定性.毕竟这些参数都可以大力出奇迹...流量打标.我用到现在只有他能做到..民用能买到的软件路由系统上
    wm5d8b
        7
    wm5d8b  
       2021-07-06 12:52:51 +08:00 via Android
    不知道 ipv6 前缀动态变的情况下,怎么开放内网某个服务的端口
    Yechs
        8
    Yechs  
       2021-07-07 15:52:22 +08:00
    脚本计算前缀动态更新防火墙
    关于   ·   帮助文档   ·   博客   ·   API   ·   FAQ   ·   实用小工具   ·   3053 人在线   最高记录 6679   ·     Select Language
    创意工作者们的社区
    World is powered by solitude
    VERSION: 3.9.8.5 · 19ms · UTC 00:38 · PVG 08:38 · LAX 16:38 · JFK 19:38
    Developed with CodeLauncher
    ♥ Do have faith in what you're doing.