Category: ROS / Date: 2021-02-22 / Views: 2300 / Comments: 0
# Posting the default firewall rules
# jan/02/1970 00:02:57 by RouteROS 6.45.8
# software id = G902-Pxxx
# model = RouterBOARD wsAP 5Hac2nD
# serial number = 7D450xxx
#
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
#
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
#
#
------------The following is not part of the default config-----------------------
In addition, a rule that blocks all traffic entering from the WAN ("drop all from wan") should be added at the very end, and it must stay last. This rule is critical. If a service port on the router needs to be reachable, an accept rule for that port must be added first, and it must sit before the "drop all from wan" rule. Likewise, if you are configuring the router over the WAN and have not first added an accept rule for Winbox on port 8291 or for port 80, applying this drop rule will cut your connection immediately!
For example, the following rules must be set up in advance; when configuring over the WAN they must come before "drop all from wan"!!
Setting the "drop all from wan" rule:
Place it last:
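As an added check that is not part of the post, the Python below parses RouterOS export lines in the same syntax as the rules above and reports whether a Winbox (8291) accept rule on the input chain precedes the final "drop all from wan" rule, which is the lockout the post warns about. The two export fragments and the management address 203.0.113.10 are constructed for the example, and the default "in-interface-list=!LAN" input drop is treated as the same kind of rule.

```python
import shlex

# Constructed RouterOS export fragments (not the post's own export): both end with
# the "drop all from wan" rule the post recommends; only SAFE_EXPORT puts the
# Winbox (8291) accept rule ahead of it.
SAFE_EXPORT = """\
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment="mgmt: winbox from admin host" dst-port=8291 in-interface-list=WAN protocol=tcp src-address=203.0.113.10
add action=drop chain=input comment="drop all from wan" in-interface-list=WAN
"""
LOCKOUT_EXPORT = """\
/ip firewall filter
add action=drop chain=input comment="drop all from wan" in-interface-list=WAN
add action=accept chain=input comment="mgmt: winbox, but placed too late" dst-port=8291 in-interface-list=WAN protocol=tcp
"""
# Matchers a bare "drop everything from WAN" rule may carry and nothing else.
BARE_DROP_KEYS = {"action", "chain", "comment", "in-interface-list"}

def parse_rules(export):
    """Turn 'add key=value ...' lines into dicts, keeping export order."""
    rules = []
    for line in export.splitlines():
        if not line.startswith("add "):
            continue  # skip the '/ip firewall filter' path line
        rule = {}
        for token in shlex.split(line)[1:]:  # shlex handles comment="a b"
            key, _, value = token.partition("=")
            rule[key] = value
        rules.append(rule)
    return rules

def find_wan_drop(rules):
    """Index of the first input rule dropping all WAN traffic, else None."""
    for i, r in enumerate(rules):
        if (r.get("chain") == "input" and r.get("action") == "drop"
                and r.get("in-interface-list") in ("WAN", "!LAN")
                and set(r) <= BARE_DROP_KEYS):
            return i
    return None

def management_reachable(rules, port="8291"):
    """True if an input accept for `port` precedes the WAN drop (no lockout)."""
    drop_at = find_wan_drop(rules)
    if drop_at is None:
        return True  # nothing blocks WAN management yet (nor protects it)
    return any(r.get("chain") == "input" and r.get("action") == "accept"
               and port in r.get("dst-port", "").split(",")
               for r in rules[:drop_at])
```

Run `management_reachable(parse_rules(text))` against a real `/ip firewall filter export` before adding the final drop rule; a `False` result means the drop would sever WAN-side Winbox access.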