那些年我們一起開的搞笑地產公司 五都法拍屋 9月爆量-歪樓篇

KingDavid520 wrote:
今天終於第一次聽完...(恕刪)

今天繼續努力,一口氣聽完了5號命運和6號田園交響曲
貝多芬寫田園交響曲時正好住在維也納北郊靠近Grinzing鄉間,
讓我想起了15年前在Grinzing某酒館葡萄樹下喝葡萄酒聽小提琴演奏的往事
可惜當時沒去拜訪僅只一公里遠的貝多芬故居
josephteng wrote:

吃完一攤又一攤.....(恕刪)



真的, 開會還有這個..
蜜小雪 wrote:



真的, 開會還...(恕刪)



然後.....





居然有這個口味...




蜜小雪 wrote:
居然有這個口味...
雪姐有去嚐嚐嗎...
到底會是什麼樣的港覺...
josephteng wrote:

雪姐有去嚐嚐嗎.....(恕刪)



我才不要....會破壞我對冰淇淋的熱情! 

蜜小雪 wrote:
我才不要....會破壞我對冰淇淋的熱情!

要有冒險精神阿...
josephteng wrote:

[...(恕刪)



吃了一口....

蜜小雪 wrote:
吃了一口.......(恕刪)



一桶一口就吃掉了,女王霸氣、威武
一雙玉臂千人枕、半點朱唇萬客嚐,還君明珠雙淚垂、恨不相逢未嫁時
確認規則沒問題.中繼歪壞難被擾.所以問題在暗流能看透規則加以打擊歪壞.中繼設定就回原來.
僅需要改RTS值256.其餘原廠預設值.因為我們終於知道.歪壞會被擾是普遍規則已被看透.
所以不管哪一家路由器.規則若沒有設限.歪壞也一樣面臨被干擾干擾干干擾真的真的真的被干擾.
還有提醒就是剛換規則唯一建議是把中繼AP密碼換一下.用梅林記得重啟前要先設定套用格式化.
規則說明就.封包進來時經NAT偽裝進來.雙向通同時傳出很抱歉出路不通請改Forward.
Forward收到後出去經NAT偽裝.似正常封包傳輸.若被利用僅看能到NAT偽裝的IP.
接著若要出去包括NEW.都一律經過NAT偽裝.進來當然是可以.看似雙向但僅能單向通進來.
出去只是有幾條路可通.這就看似接近雙向.所以暗流利用雙向發生的同時而看準這一點進行搞事.
若要夠嚴謹規則可以把紅框這條改為紫框這樣就好.讓暗流利用當雙向進行時搞怪的機率都沒得搞.
紫框部分沒問題.被影響其實很小的.這樣才能達到真正的防堵那群人爽職濫用權限作為公器私用.
add action=accept chain=input comment="From our LAN" in-interface=bridge \
connection-nat-state=!dstnat src-address-list=LAN

add action=accept chain=input comment="From our LAN" in-interface=bridge \
connection-state=new connection-nat-state=!dstnat src-address-list=LAN
--
修正紫框確實會影響部分功能.故不採用.而把原規則紅框改為綠框.這樣就在部分功能就能正常.
add action=accept chain=input comment="From our LAN" in-interface=bridge \
connection-state=established,related,new connection-nat-state=!dstnat \
src-address-list=LAN
NeverGiveUp!! wrote:
再來就是精簡化.紅...(恕刪)
/ip firewall address-list
add address=192.168.88.2-192.168.88.254 list=LAN
/ip firewall nat
add action=redirect chain=dstnat comment=DNS dst-port=53 protocol=tcp \
to-ports=53
add action=redirect chain=dstnat dst-port=53 protocol=udp to-ports=53
add action=masquerade chain=srcnat comment="IP Masquerading" \
src-address-list=LAN
/ip firewall filter
add action=reject chain=forward dst-port=53,443 log=yes protocol=udp \
reject-with=icmp-network-unreachable src-address-list=LAN log-prefix=\
Reject LAN -> UDP(53,443)
add action=accept chain=input comment=\
"Accept established and related packets" connection-state=\
established,related connection-nat-state=!srcnat
add action=accept chain=input comment=udp limit=1/365d,0:packet protocol=udp
add action=accept chain=input comment="From our LAN" in-interface=bridge \
connection-state=established,related,new connection-nat-state=!dstnat \
src-address-list=LAN
add action=accept chain=input comment="Allow limited pings" icmp-options=\
!8:0-255 limit=50/5s,2:packet protocol=icmp
add action=reject chain=input comment="Reject login brute forcers 1" dst-port=\
21,22,23,8291 log=yes protocol=tcp reject-with=icmp-network-unreachable \
src-address-list=login_blacklist
add action=add-src-to-address-list address-list=login_blacklist \
address-list-timeout=4d chain=input comment="Reject login brute forcers 2" \
connection-state=new dst-port=21,22,23,8291 protocol=tcp
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment=\
"Reject port scanners\A1GPort scanners to list" log=yes protocol=tcp psd=\
21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="NMAP FIN Stealth scan" log=\
yes protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="SYN/FIN scan" log=yes \
protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="SYN/RST scan" log=yes \
protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" log=yes \
protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="ALL/ALL scan" log=yes \
protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="NMAP NULL scan" log=yes \
protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=reject chain=input comment="dropping port scanners" log=yes \
reject-with=icmp-network-unreachable src-address-list="port scanners"
add action=accept chain=forward comment="Established, Related" \
connection-state=established,relatedadd connection-nat-state=!dstnat
add action=accept chain=forward comment=\
"Accept all New Packets connections from network" connection-nat-state=!dstnat \
connection-state=new in-interface=bridge src-address-list=LAN
add action=reject chain=forward comment="Reject All Forward Packets" log=no \
log-prefix="Reject All Packets" reject-with=icmp-network-unreachabl
add action=log chain=input comment="Log everything else" log-prefix=\
"REJECT INPUT"
add action=reject chain=input comment="Reject everything else" reject-with=\
icmp-network-unreachable
/system scheduler
add comment="Check and set NTP servers" interval=6h name=SetNtpServers \
on-event="# SetNtpServers - Check and set NTP servers from NTP pool\\

# v1.2 Tested and Developed on ROS v5.7\\

#\\

# Change the following line as needed as progName should match script na\\
me \\

:local progName \\"SetNtpServers\";\

\

# Array of NTP pools to use (check www.pool.ntp.org) one or a maximum of\
\_two, a primary & secondary\

# Modify the following line and array variable based on your locale (def\
ault is north america).\

:local arrNtpSystems (\"taiwan.pool.ntp.org\", \"asia.pool.ntp.org\");\

# Alternatively the US related pool below can be used. \

#:local arrNtpSystems (\"taiwan.pool.ntp.org\", \"asia.pool.ntp.org\");\

#\

# No modification is necessary beyond this line.\

:put \"\$progName: Running...\";\

:log info \"\$progName: Running...\";\

:set arrNtpSystems [ :toarray \$arrNtpSystems ];\

:if (( [ :len \$arrNtpSystems ] < 1 ) or ( [ :len \$arrNtpSystems ] > 2 \
)) do={ \

:put \"\$progName: ERROR NTP Systems array (\\\$arrNtpSystems) must \
be either one or two DNS names.\";\

:log info \"\$progName: ERROR NTP Systems array (\\\$arrNtpSystems) \
must be either one or two DNS names.\";\

} else={\

:local arrRosNtpSetting (\"primary-ntp\", \"secondary-ntp\");\

:local i 0;\

:foreach strNtpSystem in (\$arrNtpSystems) do={\

:local ipAddrNtpSystem [ :resolve \$strNtpSystem ];\

:local strRosNtpSetting [ :pick \$arrRosNtpSetting \$i ];\

:local strCurrentNtpIp [ /system ntp client get \$strRosNtpSetti\
ng ];\

:put \"\$progName: NTP server DNS name \$strNtpSystem resolves t\
o \$ipAddrNtpSystem.\";\

:log info \"\$progName: NTP server DNS name \$strNtpSystem resol\
ves to \$ipAddrNtpSystem.\";\

:put \"\$progName: Current \$strRosNtpSetting setting is \$strCu\
rrentNtpIp.\";\

:log info \"\$progName: Current \$strRosNtpSetting setting is \$\
strCurrentNtpIp.\";\

:if ( [ :toip \$ipAddrNtpSystem ] != [ :toip \$strCurrentNtpIp ]\
\_) do={\

:put \"\$progName: Changing \$strRosNtpSetting setting to \$\
ipAddrNtpSystem.\";\

:log info \"\$progName: Changing \$strRosNtpSetting setting \
to \$ipAddrNtpSystem.\";\

:local strCommand [ :parse \"/system ntp client set \$strRos\
NtpSetting=\\\"\$ipAddrNtpSystem\\\"\" ];\

\$strCommand;\

} else={\

:put \"\$progName: No changes were made for the \$strRosNtpS\
etting NTP setting.\";\

:log info \"\$progName: No changes were made for the \$strRo\
sNtpSetting NTP setting.\";\

}\

:set i (\$i + 1);\

}\

}\

:put \"\$progName: Done.\";\

:log info \"\$progName: Done.\";" policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-time=startup
add comment=Download_Ads_List interval=24h name=DownloadAdsList \
on-event="/system script run Blocklister_download_Ads" policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-time=startup
add interval=25h name=DownloadSpywareList on-event=\
"/system script run Blocklister_download_Spyware" policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-time=startup
add interval=26h name=DownloadMalwaredomainlistList on-event=\
"/system script run Blocklister_download_Malwaredomainlist" policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-time=startup
add interval=27h name=DownloadHijackedList on-event=\
"/system script run \

Blocklister_download_Hijacked" policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-time=startup
/system script
add name=Blocklister_download_Ads owner=admin policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/\\
tool fetch url=\\"https://blocklister.gefoo.org/ads\" dst-path=\"ads.rsc\";\
\_/import file-name=\"ads.rsc\";"
add name=Blocklister_download_Spyware owner=admin policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/\\
tool fetch url=\\"https://blocklister.gefoo.org/spyware\" dst-path=\"spywar\
e.rsc\"; /import file-name=\"spyware.rsc\";"
add name=Blocklister_download_Malwaredomainlist owner=admin policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/\\
tool fetch url=\\"https://blocklister.gefoo.org/malwaredomainlist\" dst-pat\
h=\"malwaredomainlist.rsc\"; /import file-name=\"malwaredomainlist.rsc\";"
add name=Blocklister_download_Hijacked owner=admin policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/\\
tool fetch url=\\"https://blocklister.gefoo.org/hijacked\" dst-path=\"hijac\
ked.rsc\"; /import file-name=\"hijacked.rsc\";"
/ip firewall raw
add action=drop chain=prerouting dst-address-list=ads_list log=yes
add action=drop chain=prerouting comment="Drop Spyware" dst-address-list=\
spyware_list log=yes
add action=drop chain=prerouting dst-address-list=hijacked_list log=yes
add action=drop chain=prerouting dst-address-list=malwaredomainlist_list \
log=yes
add action=drop chain=prerouting src-address-list=port scanners log=yes
add action=drop chain=prerouting src-address-list=login_blacklist log=yes
add action=drop chain=prerouting comment="Block Teredo IPv6-tunnel" dst-port=\
3544,3545 protocol=udp src-port=1024-65535
--
Becky G - Sola (Official Video)
寶貝:)開心最重要!
規則可採用上篇.已沒得可多改了.紫框確實比較好.會影響部分功能.折衷辦法採用綠框就對了.紫框可以完全讓歪壞不被干擾.影響幾乎是甚小.但礙於部分軟體功能性需要.故採用綠框來應對.
歪壞表現上雖沒有比紫框好.但有比啥框都沒加還要好.有額外嘗試另種方式.但效果並不是很好.
所以這樣就剛好.路由表現很穩定.唯一差別就在歪壞.若撇去歪壞就已經很完善.歪壞進階設定.
有僅RTS設256其餘採用原廠預設值與RTS值及其餘設定值可以參考前幾篇設定這兩種變換.
NeverGiveUp!! wrote:
確認規則沒問題.中...(恕刪)
--
寶貝:)記得休息噢!
--
Fifth Harmony - Me & My Girls
寶貝:)開心最重要!
關閉廣告
文章分享
評分
評分
複製連結
請輸入您要前往的頁數(1 ~ 9050)

今日熱門文章 網友點擊推薦!