After using it for a day, I only just discovered that the entire firewall is completely empty. Thanks.
1
zro 2021-07-04 01:53:15 +08:00
It's not empty, there are 21 rules set by default..
|
2
cr0wd 2021-07-04 07:10:57 +08:00 via Android
You can refer to the official document Manual:Securing Your Router
|
3
shudongin OP |
4
ericbize 2021-07-04 22:15:04 +08:00
[admin@Home] > ipv6 firewall filter print
Flags: X - disabled, I - invalid, D - dynamic
 0    ;;; defconf: accept established,related,untracked
      chain=input action=accept connection-state=established,related,untracked
 1    ;;; defconf: drop invalid
      chain=input action=drop connection-state=invalid
 2    ;;; defconf: accept ICMPv6
      chain=input action=accept protocol=icmpv6
 3    ;;; defconf: accept UDP traceroute
      chain=input action=accept protocol=udp port=33434-33534
 4    ;;; defconf: accept DHCPv6-Client prefix delegation.
      chain=input action=accept protocol=udp src-address=fe80::/16 dst-port=546
 5    ;;; defconf: accept IKE
      chain=input action=accept protocol=udp dst-port=500,4500
 6    ;;; defconf: accept ipsec AH
      chain=input action=accept protocol=ipsec-ah
 7    ;;; defconf: accept ipsec ESP
      chain=input action=accept protocol=ipsec-esp
 8    ;;; defconf: accept all that matches ipsec policy
      chain=input action=accept ipsec-policy=in,ipsec
 9    ;;; defconf: drop everything else not coming from LAN
      chain=input action=drop in-interface-list=!LAN
10    ;;; defconf: accept established,related,untracked
      chain=forward action=accept connection-state=established,related,untracked
11    ;;; defconf: drop invalid
      chain=forward action=drop connection-state=invalid
12    ;;; defconf: drop packets with bad src ipv6
      chain=forward action=drop src-address-list=bad_ipv6
13    ;;; defconf: drop packets with bad dst ipv6
      chain=forward action=drop dst-address-list=bad_ipv6
14    ;;; defconf: rfc4890 drop hop-limit=1
      chain=forward action=drop protocol=icmpv6 hop-limit=equal:1
15    ;;; defconf: accept ICMPv6
      chain=forward action=accept protocol=icmpv6
16    ;;; defconf: accept HIP
      chain=forward action=accept protocol=139
17    ;;; defconf: accept IKE
      chain=forward action=accept protocol=udp dst-port=500,4500
18    ;;; defconf: accept ipsec AH
      chain=forward action=accept protocol=ipsec-ah
19    ;;; defconf: accept ipsec ESP
      chain=forward action=accept protocol=ipsec-esp
20    ;;; defconf: accept all that matches ipsec policy
      chain=forward action=accept ipsec-policy=in,ipsec
21    ;;; defconf: drop everything else not coming from LAN
      chain=forward action=drop in-interface-list=!LAN
|
5
brMu 2021-07-05 08:53:35 +08:00
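I really don't get it, why make using a router this complicated? Aren't iKuai (爱快), openwrt, and Gocloud (高恪) good enough? They are simple to operate and easy to pick up. Is it because there is some feature they can't do that you have to use ros?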
|
6
redial39 2021-07-05 09:38:04 +08:00
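@brMu Leaving aside forwarding performance and stability, since after all those figures can be solved with brute force... traffic marking. In my use so far it is the only one that can do it.. among the software router systems a consumer can buy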
|
7
wm5d8b 2021-07-06 12:52:51 +08:00 via Android
I don't know how to open the port of a service on the internal network when the ipv6 prefix changes dynamically
|
8
Yechs 2021-07-07 15:52:22 +08:00
Use a script to compute the prefix and dynamically update the firewall
|
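One way to do what the last reply describes, written in Python as an added example (not code from any poster in this thread). It assumes the internal host keeps a stable 64-bit interface ID (no privacy addresses); the rule comment `svc-web-v6`, the function names and the sample prefixes are constructed, and the generated commands place the rule ahead of the default forward-chain drop shown in the print output above.

```python
import ipaddress

RULE_TAG = "svc-web-v6"  # constructed comment, used to find our rule again
DEFAULT_DROP = "defconf: drop everything else not coming from LAN"  # rule 21 above

def host_address(delegated_prefix, subnet_id, interface_id):
    """Join delegated prefix + subnet number + stable interface ID into one address."""
    net = ipaddress.IPv6Network(delegated_prefix, strict=True)
    if net.prefixlen > 64:
        raise ValueError("delegated prefix is longer than /64")
    subnet_bits = 64 - net.prefixlen
    if not 0 <= subnet_id < (1 << subnet_bits):
        raise ValueError("subnet id does not fit in the delegated prefix")
    iid = int(ipaddress.IPv6Address(interface_id))
    if iid >> 64:
        raise ValueError("interface id must use only the low 64 bits")
    return ipaddress.IPv6Address(int(net.network_address) | (subnet_id << 64) | iid)

def firewall_update(old_prefix, new_prefix, subnet_id, interface_id, port):
    """Return RouterOS commands that re-point the rule, or [] if nothing changed."""
    new_addr = host_address(new_prefix, subnet_id, interface_id)
    if old_prefix is not None:
        if host_address(old_prefix, subnet_id, interface_id) == new_addr:
            return []  # prefix unchanged: leave the firewall alone
    return [
        # Drop the stale rule first so only one address is ever exposed.
        f'/ipv6 firewall filter remove [find comment="{RULE_TAG}"]',
        # Single host (/128), single TCP port, inserted before the default drop.
        f'/ipv6 firewall filter add chain=forward action=accept protocol=tcp '
        f'dst-address={new_addr}/128 dst-port={port} in-interface-list=!LAN '
        f'comment="{RULE_TAG}" '
        f'place-before=[find chain=forward comment="{DEFAULT_DROP}"]',
    ]

if __name__ == "__main__":
    # Constructed sample: ISP moves the router from one /56 to another.
    for cmd in firewall_update("2001:db8:1234:5600::/56", "2001:db8:abcd:ee00::/56",
                               1, "::1a2b:3cff:fe4d:5e6f", 443):
        print(cmd)
```

Matching on a /128 and a single port keeps the exposure to the one service, and removing the old rule before adding the new one avoids leaving an accept rule for an address in a prefix that may be reassigned to someone else.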