Could anyone share a ros firewall script? Especially for IPv6

2021-07-03 22:35:23 +08:00
shudongin

After using it for a day, I just noticed the whole firewall is empty. Thanks.

2435 views
Node: 宽带症候群
8 replies
zro
2021-07-04 01:53:15 +08:00
It's not empty, there are 21 rules set by default...
cr0wd
2021-07-04 07:10:57 +08:00
You can refer to the official document Manual:Securing Your Router.
shudongin
2021-07-04 08:37:24 +08:00
@zro Turns out I ticked "no default configuration" when I reset it, thanks for the reminder.
@cr0wd OK, thanks.
ericbize
2021-07-04 22:15:04 +08:00
[admin@Home] > ipv6 firewall filter print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; defconf: accept established,related,untracked
chain=input action=accept connection-state=established,related,untracked

1 ;;; defconf: drop invalid
chain=input action=drop connection-state=invalid

2 ;;; defconf: accept ICMPv6
chain=input action=accept protocol=icmpv6

3 ;;; defconf: accept UDP traceroute
chain=input action=accept protocol=udp port=33434-33534

4 ;;; defconf: accept DHCPv6-Client prefix delegation.
chain=input action=accept protocol=udp src-address=fe80::/16 dst-port=546

5 ;;; defconf: accept IKE
chain=input action=accept protocol=udp dst-port=500,4500

6 ;;; defconf: accept ipsec AH
chain=input action=accept protocol=ipsec-ah

7 ;;; defconf: accept ipsec ESP
chain=input action=accept protocol=ipsec-esp

8 ;;; defconf: accept all that matches ipsec policy
chain=input action=accept ipsec-policy=in,ipsec

9 ;;; defconf: drop everything else not coming from LAN
chain=input action=drop in-interface-list=!LAN

10 ;;; defconf: accept established,related,untracked
chain=forward action=accept connection-state=established,related,untracked

11 ;;; defconf: drop invalid
chain=forward action=drop connection-state=invalid

12 ;;; defconf: drop packets with bad src ipv6
chain=forward action=drop src-address-list=bad_ipv6

13 ;;; defconf: drop packets with bad dst ipv6
chain=forward action=drop dst-address-list=bad_ipv6

14 ;;; defconf: rfc4890 drop hop-limit=1
chain=forward action=drop protocol=icmpv6 hop-limit=equal:1

15 ;;; defconf: accept ICMPv6
chain=forward action=accept protocol=icmpv6

16 ;;; defconf: accept HIP
chain=forward action=accept protocol=139

17 ;;; defconf: accept IKE
chain=forward action=accept protocol=udp dst-port=500,4500

18 ;;; defconf: accept ipsec AH
chain=forward action=accept protocol=ipsec-ah

19 ;;; defconf: accept ipsec ESP
chain=forward action=accept protocol=ipsec-esp

20 ;;; defconf: accept all that matches ipsec policy
chain=forward action=accept ipsec-policy=in,ipsec

21 ;;; defconf: drop everything else not coming from LAN
chain=forward action=drop in-interface-list=!LAN
brMu
2021-07-05 08:53:35 +08:00
I really don't get it, why make things this complicated with a router? Aren't 爱快, openwrt or 高恪 good enough? They're simple and easy to pick up. Is there some feature they can't do that forces you to use ros?
redial39
2021-07-05 09:38:04 +08:00
@brMu Leaving aside forwarding performance and stability, since those can always be brute-forced with more hardware... packet marking: so far it's the only one that can do it, among the software router systems a consumer can buy.
wm5d8b
2021-07-06 12:52:51 +08:00
When the IPv6 prefix changes dynamically, how do you open a port for a particular service on the internal network?
Yechs
2021-07-07 15:52:22 +08:00
Use a script to compute the prefix and update the firewall dynamically.
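What Yechs describes (a script that derives the prefix and updates the firewall), worked out as an added example that is not from the thread: a RouterOS DHCPv6-client hook script. It assumes a DHCPv6 client on the WAN interface requesting prefix delegation, a LAN that uses the first /64 of the delegated prefix, a service host with a fixed 64-bit interface identifier (the value 1234:5678:9abc:def0 below is constructed), and a forward rule matching dst-address-list=svc-host placed above the "defconf: drop everything else not coming from LAN" rule shown in the listing above; the list and variable names are assumptions.

```routeros
# Added example (not from the thread): DHCPv6-client hook that re-derives one
# LAN host's global address from the delegated prefix and refreshes a firewall
# address-list with it, so a forward rule matching dst-address-list=svc-host
# keeps pointing at the right host after the prefix changes.
# Assumptions: the LAN is the first /64 of the delegated prefix; the host keeps
# a fixed 64-bit interface identifier (constructed value below); RouterOS sets
# $"pd-valid" and $"pd-prefix" for the dhcp-client "script" hook.

:local hostSuffix "1234:5678:9abc:def0"
:local listName "svc-host"

:if ($"pd-valid" = true) do={
    # $"pd-prefix" looks like "2001:db8:abcd::/56": keep the groups before "::"
    :local pfx $"pd-prefix"
    :local cut [:find $pfx "::"]
    :if ([:typeof $cut] != "num") do={
        :log error ("svc-host: unexpected prefix format " . $pfx)
        :error "unexpected prefix format"
    }
    :local base [:pick $pfx 0 $cut]

    # Count the groups already present in $base (colons + 1)
    :local groups 1
    :local pos [:find $base ":" 0]
    :while ([:typeof $pos] = "num") do={
        :set groups ($groups + 1)
        :set pos [:find $base ":" ($pos + 1)]
    }
    # Pad with zero groups until the network part is exactly four groups
    # (the first /64), so the result is always a valid 8-group address
    :while ($groups < 4) do={
        :set base ($base . ":0")
        :set groups ($groups + 1)
    }
    :local hostAddr ($base . ":" . $hostSuffix . "/128")

    # Replace the list entry; the filter rule itself never needs editing
    /ipv6 firewall address-list remove [find list=$listName]
    /ipv6 firewall address-list add list=$listName address=$hostAddr comment="auto: derived from pd-prefix"
    :log info ("svc-host set to " . $hostAddr)
} else={
    # Prefix withdrawn: clear the entry rather than keep a stale address open
    /ipv6 firewall address-list remove [find list=$listName]
    :log warning "svc-host: pd-prefix no longer valid, list cleared"
}
```

One-time setup (assumed names and port): add the accept rule with `/ipv6 firewall filter add chain=forward in-interface-list=WAN dst-address-list=svc-host protocol=tcp dst-port=443 action=accept place-before=[find chain=forward comment="defconf: drop everything else not coming from LAN"]`, then attach the script above as the `script` property of the entry in `/ipv6 dhcp-client` so it runs on every prefix change.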

https://www.v2ex.com/t/787368