bigjoe185 wrote:
V, may I ask whether this post is...(snipped)
"default" after running one of the setup wizards is "block everything from the internet" (but allow all out).
It's not that convenient...
That means you have to tune the firewall policy step by step...
It does have a few similar mechanisms...
Some of the fields in the policy settings:
Recent Time:
Enter the number of seconds to monitor for attempts to connect from the same source.
Recent Count:
Enter the number of times the same source is detected within the Recent Time duration. This helps thwart attacks using continual attempts to connect.
It just doesn't have a ready-made DoS policy configuration screen like FortiOS does..
You have to verify them one by one and then tune...
bad idea....
There were earlier discussions on ubnt about DDoS protection, and some of the replies were very blunt..
They just tell you to switch products...
EdgeOS has no standalone DDoS protection feature...
If you need it, I suggest posting a Feature Request in the official forum asking for standalone DDoS Protection...
But I don't think they are likely to accept it..
That doesn't seem to be one of their current priorities...
vxr wrote:
"default" after running one of the setup wizards is "block everything from the internet" (but allow all out).
It's not that convenient...
That means you have to tune the firewall policy step by step.....(snipped)
V, is there a bug in my settings below? I want to try and see whether it can do simple blocking
set firewall name WAN_IN rule 10
set firewall name WAN_IN rule 10 action drop
set firewall name WAN_IN rule 10 description syn-flood
set firewall name WAN_IN rule 10 destination 192.168.1.0/24
set firewall name WAN_IN rule 10 limit rate 10000/second
set firewall name WAN_IN rule 10 protocol tcp
bigjoe185 wrote:
V, is there a bug in my...(snipped)
Based on the settings you provided..
Let's refer to FortiOS's default values for tcp_syn_flood:
You can see the threshold is 2000..
That means 2000 packets/second
Based on the configuration file you provided..
set firewall name WAN_IN rule 10
Map the threshold to:
set firewall name name rule rule-num limit {burst size | rate rate}
>>rate:
The maximum average rate of data traffic for packets matching the rule. Supported time units are: second, minute, hour, and day. The rate is specified in the format "X/<time unit>". For example "2/second" limits the packets matching the rule to two per second.
So it becomes:
set firewall name WAN_IN rule 10 limit rate 2000/second
The protocol is TCP:
set firewall name WAN_IN rule 10 protocol tcp
syn_flood means a large number of SYN packets; following the iptables design, there are several connection states (state):
established, invalid, new, related
Among them, the state new:
New packets are packets creating new connections. For TCP, this will be packets with the SYN flag set.
The corresponding CLI command:
set firewall name name rule rule-num state {established state | invalid state | new state | related state}
Mapped onto your settings:
set firewall name WAN_IN rule 10 state new enable
So, to summarize:
set firewall name WAN_IN rule 10
set firewall name WAN_IN rule 10 description syn-flood
set firewall name WAN_IN rule 10 destination 192.168.1.0/24
set firewall name WAN_IN rule 10 state new enable
set firewall name WAN_IN rule 10 protocol tcp
set firewall name WAN_IN rule 10 limit rate 2000/second
set firewall name WAN_IN rule 10 action drop
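Added example, not from this thread or from Ubiquiti: a small Python script that parses `set firewall name ... rule ...` lines like the ones above and simulates the token-bucket `limit` match that iptables uses, to show which packets a rule with `limit rate` actually matches. It assumes EdgeOS's `limit rate` maps to the iptables `limit` module (burst 5 unless `limit burst` is set); the packet timings are constructed.

```python
# Added example (not from the thread): parse EdgeOS-style `set firewall name
# <name> rule <n> ...` lines and simulate the iptables token-bucket `limit` match
# that `limit rate` is assumed to use: packets within the rate match the rule
# (and get its action); packets over the rate do not match and fall through.
UNITS = {"second": 1.0, "minute": 60.0, "hour": 3600.0, "day": 86400.0}

def parse_rules(lines):
    """Turn `set firewall name NAME rule N key... value` lines into a dict."""
    rules = {}
    for line in lines:
        tok = line.split()
        if tok[:3] != ["set", "firewall", "name"] or len(tok) < 6 or tok[4] != "rule":
            continue
        rule = rules.setdefault((tok[3], int(tok[5])), {})
        if len(tok) >= 8:  # "key [subkey] value" after the rule number
            rule[" ".join(tok[6:-1])] = tok[-1]
    return rules

def rate_per_second(spec):
    """'2000/second' -> 2000.0; '120/minute' -> 2.0."""
    count, unit = spec.split("/")
    return float(count) / UNITS[unit]

def limit_verdicts(rule, timestamps, burst=5):
    """Token bucket as in iptables `-m limit` (burst=5 is the iptables default;
    an EdgeOS `limit burst` would override it). Per packet, returns the rule's
    `action` while a token is available and 'next-rule' once the rate is
    exceeded, i.e. once the packet no longer matches this rule."""
    rate = rate_per_second(rule["limit rate"])
    tokens, last = float(burst), timestamps[0]
    out = []
    for t in timestamps:
        tokens = min(float(burst), tokens + (t - last) * rate)  # refill
        last = t
        if tokens >= 1.0:
            tokens -= 1.0
            out.append(rule["action"])
        else:
            out.append("next-rule")
    return out

# Constructed sample: the rule from the post above, hit by 8 SYNs in the same
# millisecond and by one more SYN 10 ms later.
SAMPLE = """\
set firewall name WAN_IN rule 10 state new enable
set firewall name WAN_IN rule 10 protocol tcp
set firewall name WAN_IN rule 10 limit rate 2000/second
set firewall name WAN_IN rule 10 action drop
""".splitlines()
if __name__ == "__main__":
    print(limit_verdicts(parse_rules(SAMPLE)[("WAN_IN", 10)], [0.0] * 8 + [0.010]))
```

With the default burst of 5, the first five SYNs of the burst match the rule and get its action while the rest fall through to the following rules, so the action applied to matched packets, not just the rate, decides what the rule does.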