RouterOS防火牆

denniswwh發表於2011-03-10
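# RouterOS firewall filter rules, meant to be pasted into the CLI (or imported).
# Rules in a chain are evaluated top-down; the first rule with a terminating
# action (accept / drop / tarpit) ends evaluation for that packet.
# The original listing entered the same menu twice ("/ ip firewall filter" and
# "/ip firewall filter") and ended with a blog "[@more@]" marker glued to the
# last rule, which breaks the paste; both are fixed here. The comment= values
# are the author's and are kept verbatim.
/ip firewall filter

# --- input chain: packets addressed to the router itself ---
# Drop packets that belong to no tracked connection (connection-state=invalid).
add chain=input connection-state=invalid action=drop comment="丟棄非法連線資料" disabled=no
# Drop every ICMP packet arriving on the ADSL (WAN) interface.
# NOTE: this rule sits above the jump to the ICMP chain further down, so the
# rate-limited ICMP chain never sees WAN traffic; the per-type limits only
# apply to ICMP arriving on other interfaces (and to the forward chain).
add chain=input protocol=icmp action=drop comment="禁止外網Ping" disabled=no in-interface=ADSL
# Port-scan detection: psd=WeightThreshold,DelayThreshold,LowPortWeight,HighPortWeight.
add chain=input protocol=tcp psd=21,3s,3,1 action=drop comment="探測並丟棄埠掃描連線" disabled=no
# Sources already on black_list are tarpitted once they hold more than
# 3 concurrent TCP connections (netmask 32 = counted per host).
add chain=input protocol=tcp connection-limit=3,32 src-address-list=black_list action=tarpit comment="壓制DoS攻擊" disabled=no
# A host holding more than 10 concurrent TCP connections to the router is
# added to black_list for one day. Keep this rule below the tarpit rule so that
# already-listed hosts are tarpitted before being re-listed.
add chain=input protocol=tcp connection-limit=10,32 action=add-src-to-address-list address-list=black_list address-list-timeout=1d comment="探測DoS攻擊" disabled=no
# Drop input packets whose destination is not one of the router's own addresses.
add chain=input dst-address-type=!local action=drop comment="丟棄掉非本地資料" disabled=no
# Remaining ICMP (non-ADSL interfaces) is rate-limited in the ICMP chain.
add chain=input protocol=icmp action=jump jump-target=ICMP comment="跳轉到ICMP連結串列" disabled=no
# NOTE: the script adds no terminal drop to the input chain, so any input
# traffic not matched above falls through to the chain's default (accept).

# --- ICMP chain: per-type rate limits; limit=rate,burst = 5 packets/s, burst 5 ---
# icmp-options is type:code. Type 0: echo reply.
add chain=ICMP protocol=icmp icmp-options=0:0-255 limit=5,5 action=accept comment="Ping應答限制為每秒5個包" disabled=no
# Type 3 code 3: port unreachable (traceroute replies).
add chain=ICMP protocol=icmp icmp-options=3:3 limit=5,5 action=accept comment="Traceroute限制為每秒5個包" disabled=no
# Type 3 code 4: fragmentation needed (path-MTU discovery).
add chain=ICMP protocol=icmp icmp-options=3:4 limit=5,5 action=accept comment="MTU線路探測限制為每秒5個包" disabled=no
# Type 8: echo request.
add chain=ICMP protocol=icmp icmp-options=8:0-255 limit=5,5 action=accept comment="Ping請求限制為每秒5個包" disabled=no
# Type 11: time exceeded (traceroute TTL expiry).
add chain=ICMP protocol=icmp icmp-options=11:0-255 limit=5,5 action=accept comment="Trace TTL限制為每秒5個包" disabled=no
# Any other ICMP type, or the above types beyond their rate limit, is dropped.
add chain=ICMP protocol=icmp action=drop comment="丟棄掉任何ICMP資料" disabled=no

# --- forward chain: packets routed through the router ---
# Drop packets that belong to no tracked connection.
add chain=forward connection-state=invalid action=drop comment="丟棄非法資料包" disabled=no
# Drop forwarded packets with a non-unicast source address.
add chain=forward src-address-type=!unicast action=drop comment="丟棄掉所有非單播資料" disabled=no
# Forwarded ICMP goes through the same rate-limited ICMP chain.
add chain=forward protocol=icmp action=jump jump-target=ICMP comment="跳轉到ICMP連結串列" disabled=no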

