ROS基本防护脚本

ROS3.30全套多线负载平衡设置脚本ROS3.30设置脚本如果你是菜鸟，下面的脚本也许会帮了，如果你是高高手，请你多指证，谢谢下面是我花了一整天的时间整理出来的，第一次用ROS3.30，走了很多弯路，还好以前有点2.9的基础，结合在网上找些前辈门的脚本，终于测试一切正常，我自己在我的线路上测试通过，如果到你机器上有问题，请嘴上留情，别骂我，请仔细检查，相信你也一定能行的。

如果有问题实在搞不懂，可以加我QQ307237303（请先自己多钻研一下在加我）# dec/03/2011 20:55:29 by RouterOS 3.30# software id = K6BP-MUXD#/interface ethernetset 0 arp=enabled auto-negotiation=yes cable-settings=default comment="" \disable-running-check=yes disabled=no full-duplex=yes mac-address=\00:03:47:95:C8:66 mtu=1500 name=W AN3 speed=100Mbpsset 1 arp=enabled auto-negotiation=yes cable-settings=default comment="" \disable-running-check=yes disabled=no full-duplex=yes mac-address=\00:03:47:95:C2:FC mtu=1500 name=LAN speed=100Mbpsset 2 arp=enabled auto-negotiation=yes cable-settings=default comment="" \disable-running-check=yes disabled=no full-duplex=yes mac-address=\00:20:ED:1C:B3:90 mtu=1500 name=W AN1 speed=100Mbpsset 3 arp=enabled auto-negotiation=yes cable-settings=default comment="" \disable-running-check=yes disabled=no full-duplex=yes mac-address=\00:20:ED:1C:B3:91 mtu=1500 name=W AN2 speed=100Mbps以上是网卡名称设置/ip pooladd name=PPPOE-IP ranges=10.0.0.5-10.0.0.200以上是PPPOE拔号地址池/portset 0 baud-rate=9600 data-bits=8 flow-control=hardware name=serial0 parity=\none stop-bits=1set 1 baud-rate=9600 data-bits=8 flow-control=hardware name=serial1 parity=\none stop-bits=1以上是导出后不知用处的/ppp profileset default change-tcp-mss=yes comment="" name=default only-one=default \use-compression=default use-encryption=default use-vj-compression=defaultadd change-tcp-mss=default comment="" dns-server=210.21.196.6 local-address=\10.0.0.1 name=PPPOE-1 only-one=yes rate-limit=\"108k/1400k 128k/1600k 90k/1m" remote-address=PPPOE-IP use-compression=\default use-encryption=default use-vj-compression=default wins-server=\221.5.88.88add change-tcp-mss=default comment="" dns-server=210.21.196.6 local-address=\10.0.0.1 name=LOW only-one=yes rate-limit="88k/900k 108k/1100k 90k/1m" \remote-address=PPPOE-IP use-compression=default use-encryption=default \use-vj-compression=default wins-server=221.5.88.88set default-encryption change-tcp-mss=yes comment="" name=default-encryption \ only-one=default use-compression=default use-encryption=yes \use-vj-compression=default以上是PPPOE服务建立/interface pppoe-clientadd ac-name="" add-default-route=no allow=pap,chap,mschap1,mschap2 comment="" \ dial-on-demand=no disabled=no interface=WAN1 max-mru=1480 max-mtu=1480 \ mrru=disabled name=pppoe-out1 password=123 profile=default \service-name="" use-peer-dns=no user=123add ac-name="" add-default-route=no allow=pap,chap,mschap1,mschap2 comment="" \ dial-on-demand=no disabled=no interface=WAN2 max-mru=1480 max-mtu=1480 \ mrru=disabled name=pppoe-out2 password=123456 profile=default \service-name="" use-peer-dns=no user=123add ac-name="" add-default-route=no allow=pap,chap,mschap1,mschap2 comment="" \ dial-on-demand=no disabled=no interface=WAN3 max-mru=1480 max-mtu=1480 \ mrru=disabled name=pppoe-out3 password=3 profile=default service-name="" \ use-peer-dns=no user=3 以上是ADSL拔号上网的建立/queue treeadd burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \ max-limit=12M name=totaldown parent=global-in priority=8/queue typeset default kind=pfifo name=default pfifo-limit=50set ethernet-default kind=pfifo name=ethernet-default pfifo-limit=50set wireless-default kind=sfq name=wireless-default sfq-allot=1514 \sfq-perturb=5set synchronous-default kind=red name=synchronous-default red-avg-packet=1000 \ red-burst=20 red-limit=60 red-max-threshold=50 red-min-threshold=10set hotspot-default kind=sfq name=hotspot-default sfq-allot=1514 sfq-perturb=\ 5add kind=pcq name=PCQ-up pcq-classifier=src-address pcq-limit=50 pcq-rate=\ 1000000 pcq-total-limit=10000 add kind=pcq name=PCQ-down pcq-classifier=dst-address pcq-limit=50 pcq-rate=\ 1000000 pcq-total-limit=10000 add kind=pcq name=80-Down pcq-classifier=dst-address pcq-limit=50 pcq-rate=\ 800000 pcq-total-limit=10000 add kind=pcq name=other_down pcq-classifier=dst-address pcq-limit=50 \ pcq-rate=0 pcq-total-limit=2000 add kind=pcq name=server_down pcq-classifier=dst-address pcq-limit=50 \ pcq-rate=0 pcq-total-limit=2000add kind=pcq name=game-down pcq-classifier=dst-address pcq-limit=50 pcq-rate=\ 400000 pcq-total-limit=10000 set default-small kind=pfifo name=default-small pfifo-limit=10/queue treeadd burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=1M \ max-limit=10M name=otherdown packet-mark=Port_Packet parent=totaldown \ priority=8 queue=defaultadd burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=1M \ max-limit=12M name=portdown packet-mark=Port_Packet parent=totaldown \priority=1 queue=defaultadd burst-limit=0 burst-threshold=0 burst-time=3s disabled=no limit-at=5M \ max-limit=12M name=80down packet-mark=80_packet parent=totaldown \priority=2 queue=defaultadd burst-limit=0 burst-threshold=0 burst-time=3s disabled=yes limit-at=0 \ max-limit=18M name=totalup packet-mark=PCQ-up parent=global-out priority=\7 queue=default以上是网络优先设置，感觉用处不大，我是3*4M AD/snmpset contact="" enabled=no engine-boots=0 engine-id="" location="" \time-window=15 trap-sink=0.0.0.0 trap-version=1/snmp communityset public address=0.0.0.0/0 authentication-password="" \ authentication-protocol=MD5 encryption-password="" encryption-protocol=\DES name=public read-access=yes security=none write-access=no/system logging actionset memory memory-lines=100 memory-stop-on-full=no name=memory target=memory set disk disk-file-count=2 disk-file-name=log disk-lines-per-file=100 \disk-stop-on-full=no name=disk target=diskset echo name=echo remember=yes target=echoset remote bsd-syslog=no name=remote remote=0.0.0.0:514 src-address=0.0.0.0 \ syslog-facility=daemon syslog-severity=auto target=remote /user groupadd comment="" name=read policy="local,telnet,ssh,reboot,read,test,winbox,pass\word,web,sniff,sensitive,!ftp,!write,!policy"add comment="" name=write policy="local,telnet,ssh,reboot,read,write,test,winb\ox,password,web,sniff,sensitive,!ftp,!policy"add comment="" name=full policy="local,telnet,ssh,ftp,reboot,read,write,policy\ ,test,winbox ,password,web,sniff,sensitive"/interface bridge settingsset use-ip-firewall=no use-ip-firewall-for-pppoe=no use-ip-firewall-for-vlan=\ no/interface ethernet mirrorset/interface l2tp-server serverset authentication=pap,chap,mschap1,mschap2 default-profile=\default-encryption enabled=no max-mru=1460 max-mtu=1460 mrru=disabled/interface ovpn-server serverset auth=sha1,md5 certificate=none cipher=blowfish128,aes128 default-profile=\ default enabled=no keepalive-timeout=60 mac-address=FE:46:57:28:66:CB \max-mtu=1500 mode=ip netmask=24 port=1194 require-client-certificate=no/interface pppoe-server serveradd authentication=pap,chap,mschap1,mschap2 default-profile=PPPOE-1 disabled=\ yes interface=LAN keepalive-timeout=10 max-mru=1480 max-mtu=1480 \max-sessions=0 mrru=disabled one-session-per-host=no service-name=\service1/interface pptp-server serverset authentication=mschap1,mschap2 default-profile=default-encryption \ enabled=no keepalive-timeout=30 max-mru=1460 max-mtu=1460 mrru=disabled /ip accounting set account-local-traffic=no enabled=no threshold=256/ip accounting web-accessset accessible-via-web=no address=0.0.0.0/0以上也是不知的东东/ip addressadd address=192.168.2.1/24 broadcast=192.168.2.255 comment="" disabled=no \ interface=LAN network=192.168.2.0 以上是设置ROS的内网IP/ip dhcp-server configset store-leases-disk=5m/ip dnsset allow-remote-requests=yes cache-max-ttl=1w cache-size=2048KiB \ max-udp-packet-size=512 primary-dns=210.21.196.6 secondary-dns=\221.5.88.88以上是设置DNS,你的可能不一样/ip firewall connection trackingset enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s \ tcp-close-wait-timeout=10s tcp-established-timeout=1d \tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s \tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no \tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s以上是系统默认值/ip firewall mangleadd action=change-mss chain=postrouting comment="" disabled=yes new-mss=1460 \ protocol=tcp tcp-flags=syn add action=mark-routing chain=prerouting comment="" disabled=yes \ new-routing-mark=add passthrough=no src-address-list=src1add action=mark-connection chain=prerouting comment=1 disabled=yes \ in-interface=LAN new-connection-mark=1 passthrough=yes \per-connection-classifier=src-address-and-port:3/0add action=mark-routing chain=prerouting comment="" connection-mark=1 \ disabled=yes in-interface=LAN new-routing-mark=1 passthrough=noadd action=mark-connection chain=prerouting comment=2 disabled=yes \ in-interface=LAN new-connection-mark=2passthrough=yes \per-connection-classifier=src-address-and-port:3/1add action=mark-routing chain=prerouting comment="" connection-mark=2 \ disabled=yes in-interface=LAN new-routing-mark=2 passthrough=noadd action=mark-connection chain=prerouting comment=3 disabled=yes \ in-interface=LAN new-connection-mark=3 passthrough=yes \per-connection-classifier=src-address-and-port:3/2add action=mark-routing chain=prerouting comment="" connection-mark=3 \ disabled=yes in-interface=LAN new-routing-mark=3 passthrough=noadd action=change-mss chain=forward comment="" disabled=no new-mss=1400 \ protocol=tcp tcp-flags=syn add action=add-src-to-address-list address-list=src1 address-list-timeout=5s \ chain=prerouting comment="" disabled=no dst-port=80 protocol=tcp \src-address-list=!src2add action=add-src-to-address-list address-list=src2 address-list-timeout=3h \ chain=prerouting comment="" disabled=no dst-port=80 protocol=tcp \src-address-list=!src2add action=accept chain=prerouting comment="" disabled=no dst-port=443 \in-interface=LAN protocol=tcpadd action=mark-connection chain=input comment="" disabled=no in-interface=\pppoe-out1 new-connection-mark=1 passthrough=yesadd action=mark-connection chain=input comment="" disabled=no in-interface=\pppoe-out2 new-connection-mark=2 passthrough=yesadd action=mark-connection chain=input comment="" disabled=no in-interface=\pppoe-out3 new-connection-mark=3 passthrough=yesadd action=mark-routing chain=output comment="" connection-mark=1 disabled=no \new-routing-mark=to_1 passthrough=yesadd action=mark-routing chain=output comment="" connection-mark=2 disabled=no \new-routing-mark=to_2 passthrough=yesadd action=mark-routing chain=output comment="" connection-mark=3 disabled=no \new-routing-mark=to_3 passthrough=yesadd action=mark-connection chain=prerouting comment="" disabled=no \dst-address-type=!local new-connection-mark=1 passthrough=yes \per-connection-classifier=both-addresses:3/0 src-address=10.0.0.0/24add action=mark-connection chain=prerouting comment="" disabled=no \dst-address-type=!local new-connection-mark=2 passthrough=yes \per-connection-classifier=both-addresses:3/1 src-address=10.0.0.0/24add action=mark-connection chain=prerouting comment="" disabled=no \dst-address-type=!local new-connection-mark=3 passthrough=yes \per-connection-classifier=both-addresses:3/2 src-address=10.0.0.0/24add action=mark-routing chain=prerouting comment="" connection-mark=1 \disabled=no new-routing-mark=to_1 passthrough=yes src-address=10.0.0.0/24add action=mark-routing chain=prerouting comment="" connection-mark=2 \disabled=no new-routing-mark=to_2 passthrough=yes src-address=10.0.0.0/24add action=mark-routing chain=prerouting comment="" connection-mark=3 \disabled=no new-routing-mark=to_3 passthrough=yes src-address=10.0.0.0/24以上是PPPOE 负载平衡，为both-addresses形式的（好像和PCC一样，不明白，还有就是我没做IP负载平衡，我用不着，做了也删了）add action=mark-connection chain=prerouting comment="" disabled=no dst-port=\8291 in-interface=pppoe-out3 new-connection-mark=in_3 passthrough=yes \protocol=tcpadd action=mark-routing chain=output comment="" connection-mark=in_3 \disabled=no new-routing-mark=3 passthrough=yes以上是指定外网访问ROS的线路和端口，我这样理解，具体也不明白add action=mark-connection chain=prerouting comment=\ "\D3\C5\CF\C8\B6\CB\BF\DA" disabled=no dst-port=443 new-connection-mark=\Port_Conn passthrough=yes protocol=tcpadd action=mark-connection chain=prerouting comment="" disabled=no dst-port=\3724 new-connection-mark=Port_Conn passthrough=yes protocol=tcpadd action=mark-connection chain=prerouting comment="" disabled=no dst-port=\8000 new-connection-mark=Port_Conn passthrough=yes protocol=udpadd action=mark-packet chain=prerouting comment="" connection-mark=Port_Conn \disabled=no new-packet-mark=Port_Packet passthrough=noadd action=mark-connection chain=prerouting comment="web\B6\CB\BF\DA" \disabled=no dst-port=80 new-connection-mark=80_Conn passthrough=yes \protocol=tcpadd action=mark-connection chain=prerouting comment="" disabled=no dst-port=\53 new-connection-mark=80_Conn passthrough=yes protocol=udpadd action=mark-packet chain=prerouting comment="" connection-mark=80_Conn \ disabled=no new-packet-mark=80_packet passthrough=noadd action=mark-connection chain=prerouting comment=\ "\C6\E4\CB\FB\CA\FD\BE\DD" disabled=no new-connection-mark=Other_Conn \passthrough=yesadd action=mark-packet chain=prerouting comment="" connection-mark=Other_Conn \ disabled=no new-packet-mark=Other_Packet passthrough=no以上是端口优先标记，和前面的一起使用，不用就都不要加/ip firewall natadd action=masquerade chain=srcnat comment=10 disabled=no out-interface=\pppoe-out1add action=masquerade chain=srcnat comment=11 disabled=no out-interface=\pppoe-out2add action=masquerade chain=srcnat comment=12 disabled=no out-interface=\pppoe-out3以上是IP伪装，我是三知AD，和2.9的不一样，开始这里按2.9的搞，搞了很久上不了网/ip firewall service-portset ftp disabled=no ports=21set tftp disabled=no ports=69set irc disabled=no ports=6667set h323 disabled=noset sip disabled=no ports=5060,5061set pptp disabled=no/ip neighbor discoveryset WAN3 discover=yesset LAN discover=yesset WAN1 discover=yesset WAN2 discover=yesset pppoe-out1 discover=noset pppoe-out2 discover=noset pppoe-out3 discover=no/ip proxyset always-from-cache=no cache-administrator=webmastercache-hit-dscp=4 \cache-on-disk=no enabled=no max-cache-size=none max-client-connections=\600 max-fresh-time=3d max-server-connections=600 parent-proxy=0.0.0.0 \parent-proxy-port=0 port=8080 serialize-connections=no src-address=\0.0.0.0以上是不知用的东东/ip routeadd check-gateway=ping comment="" disabled=yes distance=1 dst-address=\0.0.0.0/0 gateway=pppoe-out2 routing-mark=2add check-gateway=ping comment="" disabled=yes distance=1 dst-address=\0.0.0.0/0 gateway=pppoe-out3 routing-mark=3add check-gateway=ping comment="" disabled=yes distance=1 dst-address=\0.0.0.0/0 gateway=pppoe-out1add check-gateway=ping comment="" disabled=yes distance=1 dst-address=\0.0.0.0/0 gateway=pppoe-out1 routing-mark=1add check-gateway=ping comment="" disabled=yes distance=2 dst-address=\0.0.0.0/0 gateway=pppoe-out2add comment=WAN1 disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\pppoe-out1 routing-mark=to_1add comment=WAN3 disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\pppoe-out3 routing-mark=to_3add check-gateway=ping comment="" disabled=yes distance=2 dst-address=\0.0.0.0/0 gateway=pppoe-out1add check-gateway=ping comment=WAN2 disabled=no distance=10 dst-address=\0.0.0.0/0 gateway=pppoe-out2add check-gateway=ping comment="" disabled=yes distance=2 dst-address=\0.0.0.0/0 gateway=pppoe-out3add comment=WAN2 disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\pppoe-out2 routing-mark=to_2add check-gateway=ping comment=WAN1 disabled=no distance=10 dst-address=\0.0.0.0/0 gateway=pppoe-out1add check-gateway=ping comment=WAN3 disabled=no distance=10 dst-address=\0.0.0.0/0 gateway=pppoe-out3以上这里就是路由了，看着有点长，设好后其实就只有3*2+1条了，为什么？我这样理解的，3条AD+3条备用+1条默认/ip serviceset telnet address=0.0.0.0/0 disabled=no port=23set ftp address=0.0.0.0/0 disabled=no port=21set www address=0.0.0.0/0 disabled=no port=80set www-ssl address=0.0.0.0/0 certificate=none disabled=yes port=443set api address=0.0.0.0/0 disabled=yes port=8728set winbox address=0.0.0.0/0 disabled=no port=8291/ip socksset connection-idle-timeout=2m enabled=no max-connections=200 port=1080/ip traffic-flowset active-flow-timeout=30m cache-entries=4k enabled=no \inactive-flow-timeout=15s interfaces=all/ip upnpset allow-disable-external-interface=yes enabled=yes show-dummy-rule=yes以上这些也是不知用的东东，也不用管吧/ppp aaaset accounting=yes interim-update=0s use-radius=no/ppp secretadd caller-id="" comment="" disabled=no limit-bytes-in=0 limit-bytes-out=0 \name=ADSC110 password=110110 profile=LOW routes="" service=anyadd caller-id="" comment="" disabled=no limit-bytes-in=0 limit-bytes-out=0 \name=ADSC207 password=207207 profile=default routes="" service=any以上是我拔号上网的用户名和密码，按自己的加，PPPOE服务前面已建立好了set WAN3 queue=ethernet-defaultset LAN queue=ethernet-defaultset WAN1 queue=ethernet-defaultset WAN2 queue=ethernet-defaultset pppoe-out1 queue=defaultset pppoe-out2 queue=defaultset pppoe-out3 queue=default/radius incomingset accept=no port=3799/storeadd comment="" disabled=no disk=primary-master name=web-proxy1 type=web-proxy /system clockset time-zone-name=manual/system clock manualset dst-delta=+00:00 dst-end="jan/01/1970 00:00:00" dst-start=\"jan/01/1970 00:00:00" time-zone=+00:00/system consoleadd disabled=no port=serial0 term=vt102set [ find vcno=1 ] disabled=no term=linuxset [ find vcno=2 ] disabled=no term=linuxset [ find vcno=3 ] disabled=no term=linuxset [ find vcno=4 ] disabled=no term=linuxset [ find vcno=5 ] disabled=no term=linuxset [ find vcno=6 ] disabled=no term=linuxset [ find vcno=7 ] disabled=no term=linuxset [ find vcno=8 ] disabled=no term=linux/system console screenset line-count=25/system hardwareset multi-cpu=yes/system healthset state-after-reboot=enabled/system identityset name=MikroTik/system loggingadd action=memory disabled=no prefix="" topics=infoadd action=memory disabled=no prefix="" topics=erroradd action=memory disabled=no prefix="" topics=warning add action=echo disabled=no prefix="" topics=critical/system noteset note="" show-at-login=yes/system ntp clientset enabled=no mode=broadcast primary-ntp=0.0.0.0 secondary-ntp=0.0.0.0上面的我也没搞明白是什么，也不用去理会/system scheduleradd comment="" disabled=no interval=30s name=getadsl on-event=":global assign\ \r\\n:global new\r\\n:global status\r\\n:global x\r\\n:set x 3\r\（红字3改成你的AD条数）\n:for i from=1 to=\$x do={\r\\n :set status [/interface get [/interface find name=(\"pppoe-out\" . \\$i)] running]\r\\n :if (\$status=true) do={\r\\n :set new [/ip address get [/ip address find dynamic=yes interface=(\\"pppoe-out\" . \$i)] address]\r\\n :set new [:pick \$new 0 ([:len \$new] -3)]\r\\n :set assign [/ip address get [/ip address find dynamic=no interface\=(\"pppoe-out\" . \$i)] address]\r\\n :set assign [:pick \$assign 0 ([:len \$assign] -3)]\r\\n :if (\$assign != \$new) do={ /ip address set [/ip addressfind c\omment=(\"adsl\" . \$i)] address=\$new network=\$new broadcast=\$new\r\\n /ip route set [/ip route find comment=(\"adsl\" . \$i)] gateway\=\$new\r\\n }\r\\n }\r\\n} \r\\n" start-time=startup以上是刷网关的脚本，很重点的哟add comment="" disabled=no interval=5m name=DDNS on-event=":log info \"DDNS: B\ egin\"\r\\n:global ddns-user \"123456\"\r\\n:global ddns-pass \"123456\"\r\\n:global ddns-host \"/doc/143656614.html,\"\r\（将红字改成你的）\n:global ddns-interface \"pppoe-out1\"\r\（这个是用那条线做DDNS）\n:global ddns-ip [ /ip address get [/ip address find interface=\$ddns-int\erface] address ] \r\\n:log info \"DDNS: Sending UPDATE!\"\r\\n:log info [ /tool dns-update name=\$ddns-host address=[:pick \$ddns-ip 0\\_[:find \$ddns-ip \"/\"] ] key-name=\$ddns-user key=\$ddns-pass ]\r\\n:log info \"DDNS: End\"" start-time=startup以上是DDNS,很好用的/system scriptadd name=ADSL policy=\ftp,reboot,read,write,policy,test,winbox,password,sniff,sensit ive source="\:global assign\r\\n:global new\r\\n:global status\r\\n:global x\r\\n:set x 2\r\\n:for i from=1 to=\$x do={\r\\n :set status [/interface get [/interface find name=(\"pppoe-out\" . \\$i)] running]\r\\n :if (\$status=true) do={\r\\n :set new [/ip address get [/ip address find dynamic=yes interface=(\\"pppoe-out\" . \$i)] address]\r\\n :set new [:pick \$new 0 ([:len \$new] -3)]\r\\n :set assign [/ip address get [/ip address find dynamic=no interface\=(\"pppoe-out\" . \$i)] address]\r\\n :set assign [:pick \$assign 0 ([:len \$assign] -3)]\r\\n :if (\$assign != \$new) do={ /ip address set [/ip address find c\omment=(\"adsl\" . \$i)] address=\$new network=\$new broadcast=\$new\r\\n /ip route set [/ip route find comment=(\"adsl\" . \$i)] gateway\=\$new\r\\n }\r\\n }\r\\n} \r\\n"/system upgrade mirrorset check-interval=1d enabled=no primary-server=0.0.0.0 secondary-server=\0.0.0.0 user=""/system watchdogset auto-send-supout=no automatic-supout=yes no-ping-delay=5m watch-address=\ none watchdog-timer=yes /tool bandwidth-serverset allocate-udp-ports-from=2000 authenticate=yes enabled=yes max-sessions=\ 100/tool e-mailset from=<> password="" server=0.0.0.0:25 username=""/tool graphingset page-refresh=300 store-every=5min/tool graphing interfaceadd allow-address=0.0.0.0/0 disabled=no interface=all store-on-disk=yes/tool mac-serveradd disabled=no interface=all/tool mac-server pingset enabled=yes/tool smsset allowed-number="" channel=0 keep-max-sms=0 receive-enabled=no secret="" /tool snifferset file-limit=10 file-name="" filter-address1=0.0.0.0/0:0-65535 \filter-address2=0.0.0.0/0:0-65535 filter-protocol=ip-only filter-stream=\yes interface=all memory-limit=10 only-headers=no streaming-enabled=no \ streaming-server=0.0.0.0/useradd address=0.0.0.0/0 comment="system default user" disabled=no group=full \ name=admin/user aaaset accounting=yes default-group=read interim-update=0s use-radius=no以上的我还是搞不懂的。

ROS脚本大全(通用)ROS脚本大全(通用)一：限速脚本:for wbsz from 1 to 254 do={/queue simple add name=(wbsz . $wbsz) dst-address=(192.168.0. . $wbsz) limit-at=1024K/1024K max-limit=1024K/1024K}二：限制每台机最大线程数:for wbsz from 1 to 254 do={/ip firewall filter add chain=forward src-address=(192.168.0. . $wbsz) protocol=tcp connection-limit=50,32 action=drop}三：端口映射ip firewall nat add chain=dstnat dst-address=(202.96.134.134) protocol=tcp dst-port=80 to-addresses=(192.168.0.1) to-ports=80 action=dst-nat四：封端口号/ ip firewall filterad ch forward pr tcp dst-po 8000 act drop comment="Blockade QQ"五：更变telnet服务端口/ip service set telnet port=23六：更变SSH管理服务端口/ip service set ssh port=22七：更变www服务端口号/ip service set www port=80八：更变FTP服务端口号/ip service set ftp port=21九：增加本ROS管理用户/user add name=wbsz password=admin group=full十：删除限速脚本:for wbsz from 1 to 254 do={/queue simple remove (wbsz . $wbsz) }十一：封IP脚步本/ ip firewall filteradd chain=forward dst-address=58.60.13.38/32 action=drop comment="Blockade QQ"十二：禁P2P脚本/ ip firewall filteradd chain=forward src-address=192.168.0.0/24 p2p=all-p2p action=drop comment="No P2P"十三：限制每台机最大的TCP线程数(线程数=60)/ ip firewall filteradd chain=forward protocol=tcp connection-limit=60,32 action=drop \ disabled=no十四：一次性绑定所有在线机器MAC:foreach wbsz in=[/ip arp find dynamic=yes ] do=[/ip arp add copy-from=$wbsz]十五：解除所以绑定的MAC:foreach wbsz in [/ip arp find] do={/ip arp remove $wbsz}十六：禁Ping/ ip firewall filteradd chain=output protocol=icmp action=drop comment="No Ping"十七：禁电驴/ ip firewall filteradd chain=forward protocol=tcp dst-port=4661-4662 action=drop comment="No Emule"add chain=forward protocol=tcp dst-port=4242 action=dropadd chain=forward dst-address=62.241.53.15 action=drop十八：禁PPLIVE/ ip firewall filteradd chain=forward protocol=tcp dst-port=8008 action=drop comment="No PPlive TV"add chain=forward protocol=udp dst-port=4004 action=dropadd chain=forward dst-address=218.108.237.11 action=drop十九：禁QQ直播/ ip firewall filteradd chain=forward protocol=udp dst-port=13000-14000 action=drop comment="No QQLive"二十：禁比特精灵/ ip firewall filteradd chain=forward protocol=tcp dst-port=16881 action=drop comment="No BitSpirit"二十一：禁QQ聊天(一般公司才需要)/ ip firewall filteradd chain=forward src-address=10.5.6.7/32 action=accept comment="No Tencent QQ"ad ch forward pr tcp dst-po 8000 act dropad ch forward pr udp dst-po 8000 act dropad ch forward pr udp dst-po 8000 act dropadd chain=forward dst-address=61.144.238.0/24 action=dropadd chain=forward dst-address=61.152.100.0/24 action=dropadd chain=forward dst-address=61.141.194.0/24 action=dropadd chain=forward dst-address=202.96.170.163/32 action=dropadd chain=forward dst-address=202.104.129.0/24 action=dropadd chain=forward dst-address=202.104.193.20/32 action=dropadd chain=forward dst-address=202.104.193.11/32 action=dropadd chain=forward dst-address=202.104.193.12/32 action=dropadd chain=forward dst-address=218.17.209.23/32 action=dropadd chain=forward dst-address=218.18.95.153/32 action=dropadd chain=forward dst-address=218.18.95.165/32 action=dropadd chain=forward dst-address=218.18.95.220/32 action=dropadd chain=forward dst-address=218.85.138.70/32 action=dropadd chain=forward dst-address=219.133.38.0/24 action=dropadd chain=forward dst-address=219.133.49.0/24 action=dropadd chain=forward dst-address=220.133.40.0/24 action=dropadd chain=forward content=sz.tencent action=rejectadd chain=forward content=sz2.tencent action=rejectadd chain=forward content=sz3.tencent action=rejectadd chain=forward content=sz4.tencent action=rejectadd chain=forward content=sz5.tencent action=rejectadd chain=forward content=sz6.tencent action=rejectadd chain=forward content=sz7.tencent action=rejectadd chain=forward content=sz8.tencent action=rejecadd chain=forward content=sz9.tencent action=rejecadd chain=forward content=tcpconn.tencent action=rejectadd chain=forward content=tcpconn2.tencent action=rejectadd chain=forward content=tcpconn3.tencent action=rejectadd chain=forward content=tcpconn4.tencent action=rejectadd chain=forward content=tcpconn5.tencent action=rejectadd chain=forward content=tcpconn6.tencent action=rejectadd chain=forward content=tcpconn7.tencent action=rejectadd chain=forward content=tcpconn8.tencent action=rejectadd chain=forward content=qq action=rejectadd chain=forward content=www.qq action=reject二十二：防止灰鸽子入浸/ ip firewall filteradd chain=forward protocol=tcp dst-port=1999 action=drop comment="Backdoor.GrayBird.ad"add chain=forward dst-address=80.190.240.125 action=dropadd chain=forward dst-address=203.209.245.168 action=dropadd chain=forward dst-address=210.192.122.106 action=dropadd chain=forward dst-address=218.30.88.43 action=dropadd chain=forward dst-address=219.238.233.110 action=dropadd chain=forward dst-address=222.186.8.88 action=dropadd chain=forward dst-address=124.42.125.37 action=dropadd chain=forward dst-address=210.192.122.107 action=dropadd chain=forward dst-address=61.147.118.198 action=dropadd chain=forward dst-address=219.238.233.11 action=drop二十三：防三波/ ip firewall filteradd chain=forward protocol=tcp dst-port=135-139 action=drop comment="No 3B"以上脚本使用说明：用winbox.exe 登陆找到System -- Script - 点击+ 将对应脚本复制其中后，点击Run Script即脚本安装成功！。

ROS软路‎由防火墙配‎置规则Route‎r os防火‎墙功能非常‎灵活。

route‎r os防火‎墙属于包过‎滤防火墙，你可以定义‎一系列的规‎则过滤掉发‎往rout‎e ros、从rout‎e ros发‎出、通过rou‎t eros‎转发的数据‎包。

在rout‎e ros防‎火墙中定义‎了三个防火‎墙（过滤）链（即inpu‎t、forwa‎r d、outpu‎t），你可以在这‎三个链当中‎定义你自己‎的规则。

input‎意思是指发‎往rout‎e ros自‎己的数据（也就是目的‎i p是ro‎u tero‎s接口中的‎一个ip地‎址）；outpu‎t意思是指‎从rout‎e ros发‎出去的数据‎（也就是数据‎包源ip是‎r oute‎r os接口‎中的一个i‎p地址）；forwa‎r d意思是‎指通过ro‎u tero‎s转发的（比如你内部‎计算机访问‎外部网络，数据需要通‎过你的ro‎u tero‎s进行转发‎出去）。

禁止pin‎g route‎r os，我们一般需‎要在inp‎u t链中添‎加规则，因为数据包‎是发给ro‎u tero‎s 的，数据包的目‎标ip是r‎o uter‎o s的一个‎接口ip地‎址。

（当然如果你‎硬是要在o‎u tput‎里建立一条‎规则过滤掉‎i cmp信‎息也能做到‎p ing不‎通，当你pin‎g的数据包‎到达rou‎t eos时‎，route‎o s能接收‎这个数据包‎并做出回应‎，当rout‎e ros回‎应给你的包‎要发出去的‎时候会检查‎o utpu‎t的规则并‎过滤掉回应‎你的包。

）在每条链中‎的每条规则‎都有目标i‎p，源ip，进入的接口‎（in inter‎f ace），非常灵活的‎去建立规则‎。

比如ROS‎禁止PIN‎G，禁止外网p‎i ng你r‎o uter‎o s，只需要在i‎n inter‎f ace中‎选择你连外‎部网络的接‎口。

ros脚本大全（ROS scripts）ROS script Daquan (generic) Post By:2010-3-13 10:11:37 [just see the author]This article summarizes some of the commonly used ROS script, in the hope that everyone will help!Speed limit script: for, wbsz, from, 1, to,, do={/queue, simple, add, name= (wbsz. $wbsz), dst-address= (192.168.0.. $wbsz),limit-at=1024K/1024K, max-limit=1024K/1024K}Two: limit the maximum number of threads per machine: for, wbsz, from, 1, to,, do={/ip, firewall, filter, add, chain=forward, src-address= (192.168.0.. $wbsz), protocol=tcp, connection-limit=50,32, action=drop}Three: port mappingIP, firewall, NAT, add, chain=dstnat, dst-address=(202.96.134.134), protocol=tcp, dst-port=80, to-addresses= (192.168.0.1), to-ports=80, action=dst-natFour: end slogan/ IP firewall filterAd, CH, forward, PR, TCP, dst-po,, act, drop, comment=, Blockade, QQ"Five: more variable telnet service port/ip, service, set, Telnet, port=23Six: more change SSH management service port/ip, service, set, SSH, port=22Seven: change the WWW service port number/ip, service, set, WWW, port=80Eight: change the FTP service port number/ip, service, set, FTP, port=21Nine: increase this ROS management user/user, add, name=wbsz, password=admin, group=fullTen: delete speed limit script: for, wbsz, from, 1, to, 254, do={/queue, simple, remove (wbsz. $wbsz)}Eleven: seal IP footsteps/ IP firewall filterAdd, chain=forward, dst-address=58.60.13.38/32, action=drop,comment=, "Blockade, QQ.""Twelve: banned P2P script/ IP firewall filterAdd, chain=forward, src-address=192.168.0.0/24, p2p=all-p2p, action=drop, comment=, No, P2P"Thirteen: limit the maximum number of TCP threads per machine (thread number =60)/ IP firewall filterAdd, chain=forward, protocol=tcp, connection-limit=60,32, action=drop \Disabled=noFourteen: one-time binding all online machines MACForeach, wbsz, in=[/ip, find, dynamic=yes, ARP] do=[/ip, ARP, add, copy-from=$wbsz]Fifteen: remove the bound MACForeach, wbsz, in, [/ip, ARP, find], do={/ip, ARP, $wbsz}, remove, etc.Sixteen: ban Ping/ IP firewall filterAdd, chain=output, protocol=icmp, action=drop, comment=, "No, Ping.""Seventeen: prohibition/ IP firewall filterAdd, chain=forward, protocol=tcp, dst-port=4661-4662,action=drop, comment=, No, Emule"Add, chain=forward, protocol=tcp, dst-port=4242, action=dropAdd chain=forward dst-address=62.241.53.15 action=dropEighteen: ban PPLIVE/ IP firewall filterAdd, chain=forward, protocol=tcp, dst-port=8008, action=drop, comment=, No, PPlive, TV"Add, chain=forward, protocol=udp, dst-port=4004, action=dropAdd chain=forward dst-address=218.108.237.11 action=dropNineteen: forbidden QQ live broadcastIP防火墙过滤器添加链= =口=转发协议UDP DST 13000-14000行动=滴评论=“没有QQLive”二十：禁比特精灵IP防火墙过滤器添加链=转发协议TCP端口= 16881 = DST行动=滴评论=“BitSpirit”二十一：禁QQ聊天（一般公司才需要）IP防火墙过滤器添加链=正向src地址= 10.5.6.7/32行动=接受评论=“腾讯QQ”广告公关CH了TCP DST PO 8000幕广告公关CH了UDP DST PO 8000幕广告公关CH了UDP DST PO 8000幕添加链=了DST地址=行动=降61.144.238.0/24添加链=了DST地址=行动=降61.152.100.0/24添加链=了DST地址=行动=降61.141.194.0/24添加链=了DST地址=行动=降202.96.170.163/32添加链=了DST地址=行动=降202.104.129.0/24添加链=了DST地址=行动=降202.104.193.20/32 添加链=了DST地址=行动=降202.104.193.11/32 添加链=了DST地址=行动=降202.104.193.12/32 添加链=了DST地址=行动=降218.17.209.23/32 添加链=了DST地址=行动=降218.18.95.153/32 添加链=了DST地址=行动=降218.18.95.165/32 添加链=了DST地址=行动=降218.18.95.220/32 添加链=了DST地址=行动=降218.85.138.70/32 添加链=了DST地址=行动=降219.133.38.0/24 添加链=了DST地址=行动=降219.133.49.0/24 添加链=了DST地址=行动=降220.133.40.0/24 添加了内容sz.tencent链= =行动=拒绝添加了内容sz2.tencent链= =行动=拒绝添加了内容sz3.tencent链= =行动=拒绝添加了内容sz4.tencent链= =行动=拒绝添加了内容sz5.tencent链= =行动=拒绝添加了内容sz6.tencent链= =行动=拒绝添加了内容sz7.tencent链= =行动=拒绝添加了内容sz8.tencent链= =行动=拒添加了内容sz9.tencent链= =行动=拒添加了内容tcpconn.tencent链= =行动=拒绝添加了内容tcpconn2.tencent链= =行动=拒绝添加了内容tcpconn3.tencent链= =行动=拒绝添加了内容tcpconn4.tencent链= =行动=拒绝添加了内容tcpconn5.tencent链= =行动=拒绝添加了内容tcpconn6.tencent链= =行动=拒绝添加了内容tcpconn7链= =。

ROS 做PCQ脚本集体[按IP]自动限速 +带宽按端口管理流环境：对于带宽紧张的环境那些有 100M光纤或 30台+10M光纤的用户可以省略了，因为对你们来说这个没有必要了我现在做的是基于 ADSL PPPOE的 ROUTER OS 2.9.7 做的但是光纤用户一样适用我现在开始说说步骤第一：当然最前提的是你的 ROUTER OS 软件路由器能工作了 NAT共享上网成功第2步：在所有经过ROUTER OS的数据包+ 上MARK 就像猎人要杀猎物也要先找到目标阿其次 mark connection 那里是点passthrough,而 mark packet 那里是不点这个选项的Mark connection 和 Mark packet 的顺序搞反了官方手册首先 mark connection 然后在 mark packet第3步：在QUEUE菜单里面选择Queue Types 创作PCQ限速的子项这里就决定了你的限制每个IP多少K的速度（2.9系列可以直接用K单位2.8 的不行）这里多说2句关于 PCQ的块大小，官方默认值是每IP 20个链接计算的，理解下面这2张图非常关键第2张关于块的图是举例的网吧的带宽和银行道理一样总带宽不能平均处以IP数量这个公式不合适你可以想想网吧的客人不可能同时全部去下载或者全部去上传网吧的目标追求网络利用最大化这个IP的限制要看你自己的网吧的需要的1般来说每个IP限制下载最高 512K；上传128K已经可以流畅游戏和视频----------------------------------------------------------------------------------------------另外：这个也和你的开关频繁开启和关闭有关系如果设置得不合理网络带宽浪费严重客户也会对你的网吧的网络速度抱怨的！（这可是得不尝失）注意 parent 那里的选择是内网网卡和外网网卡当作总流量的控制点第4步：做好流量监视触发器就像1个条件过滤器注意2 和3 红色数字那里*要选择对你的外网线路*要注意ABOVE是 > 的意思,就是大于多少K的时候启动这个限制,只要模糊数字就可以如果你的带宽是10M,你可以直接设置 10000000*另外1个就是BELOW 当然就是 < 小于的意思，这里很关键的地方就是你刚才设置的每IP限制数了你们看第2张图的2那里，你这个BELOW的数值一定要 < 它不然你在限速的时候客户的机器就会1会快1会慢的，其中的道理你们慢慢体会就会理解第5步：做1个执行这个限制的脚本很简单的就2行，但是注意脚本的名字要和你的在第四张图EVEN里面的一致（如果你想我拷贝那几句命令出来给你，你就不要看了，这么懒的都有的！）做到这里这个PCQ 脚本限速就做好了排除服务器等机器，不受PCQ限制做了PCQ，全部机子都是一样速度，连自己用的主机也慢啊，下电影慢死了，网吧只有一个网段，192.168.0.X，怎么样才能单独分某几个IP出来？以下为设置的例子,超级感谢,能用看我的例子 192.168.0.20 和192.168.0.21不受限制/ ip firewall mangleadd chain=prerouting src-address=192.168.0.252 action=mark-connection \??? new-connection-mark=nopcqlimit passthrough=yes comment="" disabled=noadd chain=prerouting src-address=192.168.0.228 action=mark-connection \??? new-connection-mark=nopcqlimit passthrough=yes comment="" disabled=noadd chain=prerouting connection-mark=nopcqlimit action=accept comment="" \ ??? disabled=no把这个脚本允许下，接这到第一部那里，把顺序拉下调整下，请看下图再发图吧: 怎么保证和按优先级管理流量?怎么保证和按优先级管理流量?概述队列树通常的应用，是用来限定特殊用户，协议和端口等等。

ros默认防火墙规则ROS（Robot Operating System）是一种用于构建机器人软件的开源框架。

在ROS中，默认情况下会有一套防火墙规则来保护系统的安全性。

本文将介绍ROS默认防火墙规则的相关内容。

ROS默认防火墙规则的目的是限制网络访问，以保护系统免受潜在的网络攻击。

它通过限制对ROS节点的访问来确保系统的安全性。

默认情况下，ROS防火墙规则允许本地主机上的进程之间的通信，但禁止来自外部网络的访问。

这样可以防止未经授权的访问和潜在的攻击。

ROS默认防火墙规则的配置是通过iptables来实现的。

iptables是Linux系统上的一个工具，用于配置和管理数据包过滤规则。

在ROS 中，iptables用于限制对ROS节点的访问。

通过配置iptables规则，可以指定允许或禁止特定的IP地址或端口访问ROS节点。

ROS默认防火墙规则的配置文件位于/etc/ros/roscore.d/50-ros-comm.conf。

在这个配置文件中，可以找到一些默认的iptables规则。

例如，以下规则限制了对ROS节点的访问：iptables -A INPUT -p tcp --dport 11311 -j ACCEPTiptables -A INPUT -p tcp --dport 11312 -j ACCEPTiptables -A INPUT -j DROP第一条规则允许来自TCP端口11311的访问，这是ROS节点的默认通信端口。

第二条规则允许来自TCP端口11312的访问，这是ROS 节点的RPC（Remote Procedure Call）端口。

第三条规则是一个默认规则，它禁止除了11311和11312端口之外的所有访问。

除了默认规则之外，我们还可以根据需要添加其他规则。

例如，如果我们希望允许来自特定IP地址的访问，可以使用以下命令：iptables -A INPUT -s 192.168.0.10 -j ACCEPT这个规则允许来自IP地址为192.168.0.10的主机的访问。

ROS通用脚本一：限速脚本:for wbsz from 1 to 254 do={/queue simple add name=(wbsz . $wbsz)dst-address=(192.168.0. . $wbsz) limit-at=1024K/1024K max-limit=1024K/1024K} 二：限制每台机最大线程数:for wbsz from 1 to 254 do={/ip firewall filter add chain=forwardsrc-address=(192.168.0. . $wbsz) protocol=tcp connection-limit=50,32action=drop}三：端口映射ip firewall nat add chain=dstnat dst-address=(202.96.134.134) protocol=tcp dst-port=80 to-addresses=(192.168.0.1) to-ports=80 action=dst-nat四：封端口号/ ip firewall filterad ch forward pr tcp dst-po 8000 act drop comment="Blockade QQ"五：更变telnet服务端口/ip service set telnet port=23六：更变SSH管理服务端口/ip service set ssh port=22七：更变www服务端口号/ip service set www port=80八：更变FTP服务端口号/ip service set ftp port=21十：删除限速脚本:for wbsz from 1 to 254 do={/queue simple remove (wbsz . $wbsz) }十一：封IP脚步本/ ip firewall filteradd chain=forward dst-address=58.60.13.38/32 action=drop comment="Blockade QQ" 十二：禁P2P脚本/ ip firewall filteradd chain=forward src-address=192.168.0.0/24 p2p=all-p2p action=drop comment="No P2P"十三：限制每台机最大的TCP线程数(线程数=60)/ ip firewall filteradd chain=forward protocol=tcp connection-limit=60,32 action=drop \disabled=no十四：一次性绑定所有在线机器MAC:foreach wbsz in=[/ip arp find dynamic=yes ] do=[/ip arp add copy-from=$wbsz] 十五：解除所以绑定的MAC:foreach wbsz in [/ip arp find] do={/ip arp remove $wbsz}十六：禁Ping/ ip firewall filteradd chain=output protocol=icmp action=drop comment="No Ping"十七：禁电驴/ ip firewall filteradd chain=forward protocol=tcp dst-port=4661-4662 action=drop comment="No Emule"add chain=forward protocol=tcp dst-port=4242 action=dropadd chain=forward dst-address=62.241.53.15 action=drop十八：禁PPLIVE/ ip firewall filteradd chain=forward protocol=tcp dst-port=8008 action=drop comment="No PPlive TV" add chain=forward protocol=udp dst-port=4004 action=dropadd chain=forward dst-address=218.108.237.11 action=drop十九：禁QQ直播/ ip firewall filteradd chain=forward protocol=udp dst-port=13000-14000 action=drop comment="No QQLive"二十：禁比特精灵/ ip firewall filteradd chain=forward protocol=tcp dst-port=16881 action=drop comment="No BitSpirit"二十一：禁QQ聊天(没事不要用)/ ip firewall filteradd chain=forward src-address=10.5.6.7/32 action=accept comment="No Tencent QQ" ad ch forward pr tcp dst-po 8000 act dropad ch forward pr udp dst-po 8000 act dropad ch forward pr udp dst-po 8000 act dropadd chain=forward dst-address=61.144.238.0/24 action=dropadd chain=forward dst-address=61.152.100.0/24 action=dropadd chain=forward dst-address=61.141.194.0/24 action=dropadd chain=forward dst-address=202.96.170.163/32 action=dropadd chain=forward dst-address=202.104.129.0/24 action=dropadd chain=forward dst-address=202.104.193.20/32 action=dropadd chain=forward dst-address=202.104.193.11/32 action=dropadd chain=forward dst-address=202.104.193.12/32 action=dropadd chain=forward dst-address=218.17.209.23/32 action=dropadd chain=forward dst-address=218.18.95.153/32 action=dropadd chain=forward dst-address=218.18.95.165/32 action=dropadd chain=forward dst-address=218.18.95.220/32 action=dropadd chain=forward dst-address=218.85.138.70/32 action=dropadd chain=forward dst-address=219.133.38.0/24 action=dropadd chain=forward dst-address=219.133.49.0/24 action=dropadd chain=forward dst-address=220.133.40.0/24 action=dropadd chain=forward content=sz.tencent action=rejectadd chain=forward content=sz2.tencent action=rejectadd chain=forward content=sz3.tencent action=rejectadd chain=forward content=sz4.tencent action=rejectadd chain=forward content=sz5.tencent action=rejectadd chain=forward content=sz6.tencent action=rejectadd chain=forward content=sz7.tencent action=rejectadd chain=forward content=sz8.tencent action=rejecadd chain=forward content=sz9.tencent action=rejecadd chain=forward content=tcpconn.tencent action=rejectadd chain=forward content=tcpconn2.tencent action=rejectadd chain=forward content=tcpconn3.tencent action=rejectadd chain=forward content=tcpconn4.tencent action=rejectadd chain=forward content=tcpconn5.tencent action=rejectadd chain=forward content=tcpconn6.tencent action=rejectadd chain=forward content=tcpconn7.tencent action=rejectadd chain=forward content=tcpconn8.tencent action=rejectadd chain=forward content=qq action=rejectadd chain=forward content=www.qq action=reject二十二：防止灰鸽子入浸/ ip firewall filteradd chain=forward protocol=tcp dst-port=1999 action=dropcomment="Backdoor.GrayBird.ad"add chain=forward dst-address=80.190.240.125 action=dropadd chain=forward dst-address=203.209.245.168 action=dropadd chain=forward dst-address=210.192.122.106 action=dropadd chain=forward dst-address=218.30.88.43 action=dropadd chain=forward dst-address=219.238.233.110 action=dropadd chain=forward dst-address=222.186.8.88 action=dropadd chain=forward dst-address=124.42.125.37 action=dropadd chain=forward dst-address=210.192.122.107 action=dropadd chain=forward dst-address=61.147.118.198 action=dropadd chain=forward dst-address=219.238.233.11 action=drop二十三：防三波/ ip firewall filteradd chain=forward protocol=tcp dst-port=135-139 action=drop comment="No 3B"================================================================================ ================================================================================ ==================================以上脚本使用说明：用winbox.exe 登陆找到 System -- Script - 点击+ 将对应脚本复制其中后，点击 Run Script即脚本一、导出 ARP 列表ip arp export file arp这样就能将所有ARP列表导出到 arp.rsc 文件。

ros默认防火墙规则ROS（Robot Operating System）是一个用于开发机器人软件的开源框架，它提供了一系列的工具、库和规范，使得开发者可以更轻松地构建和部署机器人系统。

在ROS中，默认的防火墙规则是为了保护系统安全和网络通信的稳定性而设定的。

下面将详细介绍ROS默认防火墙规则的内容和作用。

1. 入站规则ROS默认防火墙的入站规则主要用于控制外部网络对ROS系统的访问。

入站规则限制了哪些IP地址和端口可以与ROS系统进行通信。

默认情况下，ROS只允许来自本地主机的连接，并关闭了除了回环接口（localhost）外的所有端口。

这样可以有效防止未经授权的外部访问，保护ROS系统的安全性。

2. 出站规则ROS默认防火墙的出站规则用于控制ROS系统对外部网络的访问。

出站规则限制了ROS系统可以访问的IP地址和端口。

默认情况下，ROS允许对外部网络的访问，并开放了一些常用的端口，如HTTP 端口（80）、SSH端口（22）等。

这样可以保证ROS系统能够正常进行网络通信，并方便开发者进行远程访问和调试。

3. 转发规则ROS默认防火墙的转发规则用于控制ROS系统中数据包的转发。

转发规则主要用于网络中存在多个ROS节点之间的通信。

默认情况下，ROS允许节点之间的数据包转发，并且不对数据包进行任何过滤。

这样可以保证ROS系统中的各个节点能够顺利地进行数据交换和共享。

4. 其他规则除了上述的入站规则、出站规则和转发规则外，ROS默认防火墙还包括一些其他的规则，用于控制ROS系统的其他网络行为。

例如，ROS默认防火墙禁止了网络广播和多播，以防止网络拥塞和滥用资源。

此外，ROS还对一些危险的网络协议和服务进行了限制，以避免安全风险和系统崩溃。

总结起来，ROS默认防火墙规则是为了保护ROS系统的安全性和网络通信的稳定性而设定的。

它通过控制入站、出站和转发规则，限制了ROS系统与外部网络的交互。

默认情况下，ROS只允许本地主机的连接，并开放了一些常用的端口，以方便系统的远程访问和调试。

ROS防登录攻击自动将登录源IP加黑名单一天ROS防登录攻击自动将登录IP加黑名单一天命令行说明：1分钟内登录三次ros的22,23端口（可自行修改）将自动将登录源IP加入黑名单一天（可自行修改）；打开ros命令行界面复制粘贴即可；/ip firewall filter add action=drop chain=input comment="\C8\FD\B4\CE\B5\C7\C2\BC\CA\A7\B0\DC\BC\D3\C 8\EB\BA\DA\C3\FB\B5\A51\CC\EC-1" dst-port=\22,23 protocol=tcp src-address-list=Login_Blacklist/ip firewall filter add action=add-src-to-address-list address-list=Login_Blacklist address-list-timeout=1d chain=input comment=\"\C8\FD\B4\CE\B5\C7\C2\BC\CA\A7\B0\DC\BC\D3\C8\EB\B A\DA\C3\FB\B5\A51\CC\EC-2" connection-state=new dst-port=22,23 \protocol=tcp src-address-list=LoginNum-3/ip firewall filter add action=add-src-to-address-list address-list=LoginNum-3 address-list-timeout=1m chain=input comment=\"\C8\FD\B4\CE\B5\C7\C2\BC\CA\A7\B0\DC\BC\D3\C8\EB\B A\DA\C3\FB\B5\A51\CC\EC-3" connection-state=new dst-port=22,23 \protocol=tcp src-address-list=LoginNum-2/ip firewall filter add action=add-src-to-address-list address-list=LoginNum-2 address-list-timeout=1m chain=input comment=\"\C8\FD\B4\CE\B5\C7\C2\BC\CA\A7\B0\DC\BC\D3\C8\EB\B A\DA\C3\FB\B5\A51\CC\EC-4" connection-state=new dst-port=22,23 \protocol=tcp src-address-list=LoginNum-1/ip firewall filter add action=add-src-to-address-list address-list=LoginNum-1 address-list-timeout=1m chain=input comment=\"\C8\FD\B4\CE\B5\C7\C2\BC\CA\A7\B0\DC\BC\D3\C8\EB\B A\DA\C3\FB\B5\A51\CC\EC-5" connection-state=new dst-port=22,23 \protocol=tcp。

ROS脚本语法使用教程ROS（Robot Operating System）是一个开源的机器人操作系统，为机器人软件开发提供了强大的工具和库。

在ROS中，可以使用Python或C++编写脚本来控制和操作机器人。

本教程将重点介绍ROS脚本语法的使用，包括ROS中常用的数据类型、主要语法结构以及ROS的常用命令和函数。

一、ROS脚本语法基础1.数据类型在ROS中，常用的数据类型包括：（1）String（字符串）：用于存储文本信息。

（2）Int（整数）：用于存储整数。

（3）Float（浮点数）：用于存储浮点数。

（4）Bool（布尔值）：用于存储逻辑值，例如True或False。

2.注释在脚本中，可以使用注释来提高代码的可读性。

注释以"#"开头，可以单行或多行使用。

3.变量在ROS脚本中，变量可以用于存储和操作数据。

变量的命名要符合Python的命名规则，一般以字母或下划线开头，可以包含字母、数字和下划线。

4.条件语句条件语句用于根据不同的条件执行不同的代码块。

常用的条件语句包括if、elif和else。

例如：```pythonif condition:code_blockelif condition:code_blockelse:code_block```5.循环语句循环语句用于多次执行相同的代码块。

常用的循环语句有for循环和while循环。

例如：```pythonfor item in iterable:code_blockwhile condition:code_block```6.函数函数是一段可重用的代码块，可以接受参数并返回结果。

在ROS中，可以使用函数来组织代码和实现功能的封装。

例如：```pythondef function_name(arg1, arg2):code_blockreturn result```二、ROS相关语法和命令1.导入必要的ROS库在脚本中，需要导入ROS相关的库才能使用ROS提供的功能。

限速脚本:for aaa from 2 to 254 do={/queue simple add name=(KP . $aaa) dst-address=(172.31.1. . $aaa) limit-at=100000/100000 max-limit=150000/150000}/ ip firewall mangleadd chain=prerouting action=mark-packet new-packet-mark=all-mark \passthrough=yes comment="" disabled=no/ queue typeadd name="PCQ-up" kind=pcq pcq-rate=30000 pcq-limit=50 \pcq-classifier=src-address pcq-total-limit=2000add name="PCQ-down" kind=pcq pcq-rate=80000 pcq-limit=50 \pcq-classifier=dst-address pcq-total-limit=2000/ queue simpleadd name="PCQ" target-addresses=172.31.1.0/24 dst-address=0.0.0.0/0 \interface=all parent=none packet-marks=all-mark direction=both priority=1 \queue=PCQ-up/PCQ-down limit-at=0/0 max-limit=600000/600000 \total-queue=default-small disabled=yes/ system script.add name="PCQON" source=":if ([ /queue sim get [/queue sim find name=\"PCQ\"] disable ]=true ) do={/queue sim enable PCQ}" policy=ftp,reboot,read,write,policy,test,winbox,passwordadd name="PCQOFF" source=":if ([ /queue sim get [/queue sim find name=\"PCQ\"] disable ]=false ) do={/queue sim disable PCQ}"policy=ftp,reboot,read,write,policy,test,winbox,password/ tool traffic-monitoradd name="PCQON" interface=ether1 traffic=received trigger=above \threshold=480000 on-event=PCQON comment="" disabled=noadd name="PCQOFF" interface=ether1 traffic=received trigger=below \threshold=300000 on-event=PCQOFF comment="" disabled=no防御DDOS、CC攻击策略/ ip firewall filterad ch forward pr tcp dst-po 135-139 act dropad ch forward pr tcp dst-po 82 act drop comm Sky.Y@mmad ch forward pr tcp dst-po 113 act drop comm W32.Korgo.A/B/C/D/E/F-1ad ch forward pr tcp dst-po 2041 act drop comm W33.Korgo.A/B/C/D/E/F-2ad ch forward pr tcp dst-po 3067 act drop comm W32.Korgo.A/B/C/D/E/F-3ad ch forward pr tcp dst-po 6667 act drop comm W32.Korgo.A/B/C/D/E/F-4ad ch forward pr tcp dst-po 445 act drop comm W32.Korgo.A/B/C/D/E/F-5ad ch forward pr tcp dst-po 1000-1001 act drop comm Backdoor.Nibu.B-1ad ch forward pr tcp dst-po 2283 act drop comm Backdoor.Nibu.B-2ad ch forward pr tcp dst-po 10000 act drop comm Backdoor.Nibu.E/G/Had ch forward pr tcp dst-po 3422 act drop comm Backdoor.IRC.Aladinz.R-1ad ch forward pr tcp dst-po 43958 act drop comm Backdoor.IRC.Aladinz.R-2ad ch forward pr tcp dst-po 5554 act drop comm W32.Dabber.A/B-1ad ch forward pr tcp dst-po 8967 act drop comm W32.Dabber.A/B-2ad ch forward pr tcp dst-po 9898-9999 act drop comm W32.Dabber.A/B-3ad ch forward pr tcp dst-po 6789 act drop comm Sky.S/T/U@mmad ch forward pr tcp dst-po 8787 act drop comm Back.Orifice.2000.Trojan-1ad ch forward pr tcp dst-po 8879 act drop comm Back.Orifice.2000.Trojan-2ad ch forward pr tcp dst-po 31666 act drop comm Back.Orifice.2000.Trojan-3ad ch forward pr tcp dst-po 31337-31338 act drop comm Back.Orifice.2000.Trojan-4 ad ch forward pr tcp dst-po 54320-54321 act drop comm Back.Orifice.2000.Trojan-5 ad ch forward pr tcp dst-po 12345-12346 act drop comm Bus.Trojan-1ad ch forward pr tcp dst-po 20034 act drop comm Bus.Trojan-2ad ch forward pr tcp dst-po 21554 act drop comm GirlFriend.Trojan-1ad ch forward pr tcp dst-po 41 act drop comm DeepThroat.Trojan-1ad ch forward pr tcp dst-po 3150 act drop comm DeepThroat.Trojan-2ad ch forward pr tcp dst-po 999 act drop comm DeepThroat.Trojan-3ad ch forward pr tcp dst-po 6670 act drop comm DeepThroat.Trojan-4ad ch forward pr tcp dst-po 6771 act drop comm DeepThroat.Trojan-5ad ch forward pr tcp dst-po 60000 act drop comm DeepThroat.Trojan-6ad ch forward pr tcp dst-po 2140 act drop comm DeepThroat.Trojan-7ad ch forward pr tcp dst-po 10067 act drop comm Portal.of.Doom.Trojan-1ad ch forward pr tcp dst-po 10167 act drop comm Portal.of.Doom.Trojan-2ad ch forward pr tcp dst-po 3700 act drop comm Portal.of.Doom.Trojan-3ad ch forward pr tcp dst-po 9872-9875 act drop comm Portal.of.Doom.Trojan-4ad ch forward pr tcp dst-po 6883 act drop comm Delta.Source.Trojan-1ad ch forward pr tcp dst-po 26274 act drop comm Delta.Source.Trojan-2ad ch forward pr tcp dst-po 4444 act drop comm Delta.Source.Trojan-3ad ch forward pr tcp dst-po 47262 act drop comm Delta.Source.Trojan-4ad ch forward pr tcp dst-po 3791 act drop comm Eclypse.Trojan-1ad ch forward pr tcp dst-po 3801 act drop comm Eclypse.Trojan-2ad ch forward pr tcp dst-po 65390 act drop comm Eclypse.Trojan-3ad ch forward pr tcp dst-po 5880-5882 act drop comm Y3K.RAT.Trojan-1ad ch forward pr tcp dst-po 5888-5889 act drop comm Y3K.RAT.Trojan-2ad ch forward pr tcp dst-po 30100-30103 act drop comm NetSphere.Trojan-1 ad ch forward pr tcp dst-po 30133 act drop comm NetSphere.Trojan-2ad ch forward pr tcp dst-po 7300-7301 act drop comm NetMonitor.Trojan-1ad ch forward pr tcp dst-po 7306-7308 act drop comm NetMonitor.Trojan-2ad ch forward pr tcp dst-po 79 act drop comm FireHotcker.Trojan-1ad ch forward pr tcp dst-po 5031 act drop comm FireHotcker.Trojan-2ad ch forward pr tcp dst-po 5321 act drop comm FireHotcker.Trojan-3ad ch forward pr tcp dst-po 6400 act drop comm TheThing.Trojan-1ad ch forward pr tcp dst-po 7777 act drop comm TheThing.Trojan-2ad ch forward pr tcp dst-po 1047 act drop comm GateCrasher.Trojan-1ad ch forward pr tcp dst-po 6969-6970 act drop comm GateCrasher.Trojan-2ad ch forward pr tcp dst-po 2774 act drop comm SubSeven-1ad ch forward pr tcp dst-po 27374 act drop comm SubSeven-2ad ch forward pr tcp dst-po 1243 act drop comm SubSeven-3ad ch forward pr tcp dst-po 1234 act drop comm SubSeven-4ad ch forward pr tcp dst-po 6711-6713 act drop comm SubSeven-5ad ch forward pr tcp dst-po 16959 act drop comm SubSeven-7ad ch forward pr tcp dst-po 11000 act drop comm Senna.Spy.Trojan-1ad ch forward pr tcp dst-po 13000 act drop comm Senna.Spy.Trojan-2ad ch forward pr tcp dst-po 25685-25686 act drop comm Moonpie.Trojan-1ad ch forward pr tcp dst-po 25982 act drop comm Moonpie.Trojan-2ad ch forward pr tcp dst-po 1024-1030 act drop comm NetSpy.Trojan-1ad ch forward pr tcp dst-po 1033 act drop comm NetSpy.Trojan-2ad ch forward pr tcp dst-po 31337-31339 act drop comm NetSpy.Trojan-3ad ch forward pr tcp dst-po 8102 act drop comm Trojanad ch forward pr tcp dst-po 7306 act drop comm Netspy3.0Trojanad ch forward pr tcp dst-po 8011 act drop comm WAY.Trojanad ch forward pr tcp dst-po 7626 act drop comm Trojan.BingHead ch forward pr tcp dst-po 19191 act drop comm Trojan.NianSeHoYianad ch forward pr tcp dst-po 23444-23445 act drop comm NetBull.Trojanad ch forward pr tcp dst-po 2583 act drop comm WinCrash.Trojan-1ad ch forward pr tcp dst-po 3024 act drop comm WinCrash.Trojan-2ad ch forward pr tcp dst-po 4092 act drop comm WinCrash.Trojan-3ad ch forward pr tcp dst-po 5714 act drop comm WinCrash.Trojan-4ad ch forward pr tcp dst-po 1010-1012 act drop comm Doly1.0/1.35/1.5trojan-1 ad ch forward pr tcp dst-po 1015 act drop comm Doly1.0/1.35/1.5trojan-2ad ch forward pr tcp dst-po 1999-2005 act drop comm TransScout.Trojan-1ad ch forward pr tcp dst-po 9878 act drop comm TransScout.Trojan-2ad ch forward pr tcp dst-po 2773 act drop comm Backdoor.YAI..Trojan-1ad ch forward pr tcp dst-po 7215 act drop comm Backdoor.YAI.Trojan-2ad ch forward pr tcp dst-po 54283 act drop comm Backdoor.YAI.Trojan-3ad ch forward pr tcp dst-po 1003 act drop comm BackDoorTrojan-1ad ch forward pr tcp dst-po 5598 act drop comm BackDoorTrojan-2ad ch forward pr tcp dst-po 5698 act drop comm BackDoorTrojan-3ad ch forward pr tcp dst-po 2716 act drop comm PrayerTrojan-1ad ch forward pr tcp dst-po 9999 act drop comm PrayerTrojan-2ad ch forward pr tcp dst-po 21544 act drop comm SchwindlerTrojan-1ad ch forward pr tcp dst-po 31554 act drop comm SchwindlerTrojan-2ad ch forward pr tcp dst-po 18753 act drop comm Shaft.DDoS.Trojan-1ad ch forward pr tcp dst-po 20432 act drop comm Shaft.DDoS.Trojan-2ad ch forward pr tcp dst-po 65000 act drop comm Devil.DDoS.Trojanad ch forward pr tcp dst-po 11831 act drop comm LatinusTrojan-1ad ch forward pr tcp dst-po 29559 act drop comm LatinusTrojan-2ad ch forward pr tcp dst-po 1784 act drop comm Snid.X2Trojan-1ad ch forward pr tcp dst-po 3586 act drop comm Snid.X2Trojan-2ad ch forward pr tcp dst-po 7609 act drop comm Snid.X2Trojan-3ad ch forward pr tcp dst-po 12348-12349 act drop comm BionetTrojan-1ad ch forward pr tcp dst-po 12478 act drop comm BionetTrojan-2ad ch forward pr tcp dst-po 57922 act drop comm BionetTrojan-3ad ch forward pr tcp dst-po 3127-3198 act drop comm Worm.Novarg.a.Mydoom.a.-1 ad ch forward pr tcp dst-po 4444 act drop comm Worm.MsBlaster-1ad ch forward pr tcp dst-po 6777 act drop comm Worm.BBeagle.a.Bagle.a.ad ch forward pr tcp dst-po 8866 act drop comm Worm.BBeagle.bad ch forward pr tcp dst-po 2745 act drop comm Worm.BBeagle.c-g/j-lad ch forward pr tcp dst-po 2556 act drop comm Worm.BBeagle.p/q/r/nad ch forward pr tcp dst-po 20742 act drop comm Worm.BBEagle.m-2ad ch forward pr tcp dst-po 4751 act drop comm Worm.BBeagle.s/t/u/vad ch forward pr tcp dst-po 2535 act drop comm Worm.BBeagle.aa/ab/w/x-z-2ad ch forward pr tcp dst-po 5238 act drop comm Worm.LovGate.r.RpcExploitad ch forward pr tcp dst-po 1068 act drop comm Worm.Sasser.aad ch forward pr tcp dst-po 5554 act drop comm Worm.Sasser.b/c/fad ch forward pr tcp dst-po 9996 act drop comm Worm.Sasser.b/c/fad ch forward pr tcp dst-po 9995 act drop comm Worm.Sasser.dad ch forward pr tcp dst-po 10168 act drop comm Worm.Lovgate.a/b/c/dad ch forward pr tcp dst-po 20808 act drop comm Worm.Lovgate.v.QQad ch forward pr tcp dst-po 1092 act drop comm Worm.Lovgate.f/gad ch forward pr tcp dst-po 20168 act drop comm Worm.Lovgate.f/gad ch forward pr tcp dst-po 593 act dropad ch forward pr tcp dst-po 1214 act dropad ch forward pr tcp dst-po 1363-1364 act drop comm ndm.requesterad ch forward pr tcp dst-po 1368 act drop comm screen.castad ch forward pr tcp dst-po 1373 act drop comm hromgrafxad ch forward pr tcp dst-po 1377 act drop comm cichlidad ch forward pr tcp dst-po 3410 act drop comm Backdoor.OptixProad ch forward pr udp dst-po 135-139 act dropad ch forward pr udp dst-po 8787 act drop comm Back.Orifice.2000.Trojan-6ad ch forward pr udp dst-po 8879 act drop comm Back.Orifice.2000.Trojan-7ad ch forward pr udp dst-po 31666 act drop comm Back.Orifice.2000.Trojan-8ad ch forward pr udp dst-po 31337-31338 act drop comm Back.Orifice.2000.Trojan-9 ad ch forward pr udp dst-po 54320-54321 act drop comm Back.Orifice.2000.Trojan-10 ad ch forward pr udp dst-po 12345-12346 act drop comm Bus.Trojan-3ad ch forward pr udp dst-po 20034 act drop comm Bus.Trojan-4ad ch forward pr udp dst-po 21554 act drop comm GirlFriend.Trojan-2ad ch forward pr udp dst-po 41 act drop comm DeepThroat.Trojan-8ad ch forward pr udp dst-po 3150 act drop comm DeepThroat.Trojan-9ad ch forward pr udp dst-po 999 act drop comm DeepThroat.Trojan-10ad ch forward pr udp dst-po 6670 act drop comm DeepThroat.Trojan-11ad ch forward pr udp dst-po 6771 act drop comm DeepThroat.Trojan-12ad ch forward pr udp dst-po 60000 act drop comm DeepThroat.Trojan-13ad ch forward pr udp dst-po 10067 act drop comm Portal.of.Doom.Trojan-5ad ch forward pr udp dst-po 10167 act drop comm Portal.of.Doom.Trojan-6ad ch forward pr udp dst-po 3700 act drop comm Portal.of.Doom.Trojan-7ad ch forward pr udp dst-po 9872-9875 act drop comm Portal.of.Doom.Trojan-8ad ch forward pr udp dst-po 6883 act drop comm Delta.Source.Trojan-5ad ch forward pr udp dst-po 26274 act drop comm Delta.Source.Trojan-6ad ch forward pr udp dst-po 44444 act drop comm Delta.Source.Trojan-7ad ch forward pr udp dst-po 47262 act drop comm Delta.Source.Trojan-8ad ch forward pr udp dst-po 3791 act drop comm Eclypse.Trojan-1ad ch forward pr udp dst-po 3801 act drop comm Eclypse.Trojan-2ad ch forward pr udp dst-po 5880-5882 act drop comm Eclypse.Trojan-3ad ch forward pr udp dst-po 5888-5889 act drop comm Eclypse.Trojan-4ad ch forward pr udp dst-po 34555 act drop comm Trin00.DDoS.Trojan-1ad ch forward pr udp dst-po 35555 act drop comm Trin00.DDoS.Trojan-2ad ch forward pr udp dst-po 31338 act drop comm NetSpy.DK.Trojan-1ad ch forward pr udp dst-po 69 act drop comm Worm.MsBlaster-2ad ch forward pr udp dst-po 123 act drop comm Worm.Sobig.f-1ad ch forward pr udp dst-po 995-999 act drop comm Worm.Sobig.f-2ad ch forward pr udp dst-po 8998 act drop comm Worm.Sobig.f-3。

ROS全部命令及技巧个人资料请勿外泄ROS菜单含义guanlianinterfaces---网络接口wireless---无线网络bridge---桥接ppp-虚拟拨号ipports--端口queues-限速drivers-设备systemfiles-文件备份/恢复log--系统日志snmp-snmp管理方式users-用户radius-radius管理tools-工具new terminal-命令方式telnet--tlenet连接方式password--修改密码certificate---证书哎，盗版madk supout.rif 制作rif文件manual--说明isdn chanels--一线通方式routing--路由exit--退出sys reset__________________________________ addresses--ip地址routers-路由表pool-地址池arp-帮定ipvrrp-热备份firewall-防火墙socks-代理upnp-自动端口映射traffic flow-网络流量accounting--合计services--服务packing-ros模块neighbors--邻居ros用户dns--proxy-代理dhcp client-dhcp客户端dhcp server - dhcp服务dhcp relay-dhcp转换hospot-热点认证telephony-电话ipsec-ip隧道连接方式web proxy web代理system system system system system system---------------------------------------------identity---ros标示clock-时间resources-系统配置license-注册信息packages--安装包auto upgrade-自动升级logging--日志history--历史日志console---com控制台scripts--脚本scheduler--进程watchdog--监视狗reboot-从起shutdown-关机lcd-小液晶显示ros消息ntp chient--ros时间客户端ntp server---ros时间服务端自动更新ros时间health---ros情况ups-ups电源，可持续电源，就是电瓶。

ROS IPv6 防火墙规则IPv6是Internet Protocol Version 6的简写，是互联网协议的第六个版本。

与IPv4相比，IPv6具有更大的位置区域空间、更好的安全性和更高的性能等优点。

在大多数情况下，IPv6已经成为网络的标准协议。

在使用ROS（RouterOS）设备时，我们也需要对IPv6网络进行防火墙规则的配置，以保障网络的安全。

下面将介绍在ROS中配置IPv6防火墙规则的步骤和注意事项。

1. 确定防火墙规则的目的在配置IPv6防火墙规则之前，首先需要确定防火墙规则的目的。

是为了保护内部网络免受来自外部网络的攻击，还是为了限制内部网络对外部网络的访问？不同的目的将会导致不同的防火墙规则配置。

2. 进入ROS系统需要登入ROS设备的管理界面，输入管理员账号和密码，进入系统的命令行界面或者Web界面。

3. 配置IPv6防火墙规则在ROS中，可以使用以下命令配置IPv6防火墙规则：```/ip firewall filter add ch本人n=forward action=dropprotocol=ipv6```这条命令的作用是在forward链上增加一个动作为drop的过滤规则，针对IPv6协议。

这意味着所有经过ROS设备的IPv6流量都会被丢弃。

当然，这只是一个简单的示例。

实际情况中，需要根据具体的网络环境和安全策略来配置防火墙规则。

4. 设置防火墙规则的条件在配置IPv6防火墙规则时，可以根据需要设置一些条件来限制规则的生效范围。

可以根据源位置区域、目标位置区域、协议类型、端口号等条件来匹配特定的流量。

```/ip firewall filter add ch本人n=forward action=acceptprotocol=ipv6 src-address=2001:0db8::/32 dst-address=2001:0db8:1000::/48```这条命令的作用是在forward链上增加一个动作为accept的过滤规则，针对IPv6协议，源位置区域为2001:0db8::/32，目标位置区域为2001:0db8:1000::/48。