# Bridge-level filter: drop IP/UDP frames addressed to port 67 (DHCP client -> server) that
# would be forwarded between bridge ports, so no DHCP server reachable through the bridge
# can be talked to. Only the bridge "forward" chain is matched here, so traffic to the
# router's own DHCP service (bridge input/output chains) is presumably unaffected — confirm
# that is the intent before enabling on a bridge that should serve DHCP itself.
/interface bridge filter add action=drop chain=forward dst-port=67 ip-protocol=udp mac-protocol=ip disabled=no comment="drop all dhcp requests over bridge"
вторник, 31 марта 2015 г.
VMware Tools для гостевой FreeBSD
Отправьте с хоста команду на установку VMware Tools — после этого образ с инструментами будет доступен в гостевой системе как CD (/cdrom).
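# Install VMware Tools in a FreeBSD guest. Run as root after the host has attached the
# VMware Tools image to the guest (it is then mounted below as /cdrom).
# Step 1: the compat6x port — presumably the legacy compatibility libraries the old
# tools binaries need, which is why it is built before the installer runs.
# (The original transcript read "cd cd /usr/ports/..." — a duplicated word that makes cd fail.)
cd /usr/ports/misc/compat6x || exit 1
make install clean || exit 1
# Step 2: unpack the tools tarball from the host-provided CD into /tmp, then release the CD.
# The tarball comes from the host image, so its trustworthiness is that of the host's
# VMware Tools ISO; it is not fetched from the network here.
mount /cdrom || exit 1
cd /tmp || exit 1
tar zxpf /cdrom/vmware-freebsd-tools.tar.gz || exit 1
umount /cdrom
# Step 3: run the installer (a Perl script, so perl must be present on the guest).
cd vmware-tools-distrib || exit 1
./vmware-install.pl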
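# Install VMware Tools in a FreeBSD guest. Run as root after the host has attached the
# VMware Tools image to the guest (it is then mounted below as /cdrom).
# Step 1: the compat6x port — presumably the legacy compatibility libraries the old
# tools binaries need, which is why it is built before the installer runs.
# (The original transcript read "cd cd /usr/ports/..." — a duplicated word that makes cd fail.)
cd /usr/ports/misc/compat6x || exit 1
make install clean || exit 1
# Step 2: unpack the tools tarball from the host-provided CD into /tmp, then release the CD.
# The tarball comes from the host image, so its trustworthiness is that of the host's
# VMware Tools ISO; it is not fetched from the network here.
mount /cdrom || exit 1
cd /tmp || exit 1
tar zxpf /cdrom/vmware-freebsd-tools.tar.gz || exit 1
umount /cdrom
# Step 3: run the installer (a Perl script, so perl must be present on the guest).
cd vmware-tools-distrib || exit 1
./vmware-install.pl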
Простая защита от DDoS mikrotik routerboard
/ip firewall filter
# Every new forwarded connection is first sent through the block-ddos chain. That chain
# returns without doing anything while the src+dst pair is under the dst-limit rate, and
# otherwise records both ends in the ddosed / ddoser lists for 10 minutes. The
# add-*-to-address-list actions do not terminate, so processing falls back here and the
# next rule drops the same packet.
add action=jump chain=forward comment="drop ddos" connection-state=new jump-target=block-ddos
# Drop new connections from a listed attacker to a listed target, logging each with prefix "ddos".
# NOTE(review): log=yes on a rule that fires for every packet of a flood can itself fill the
# log/disk; a separate rate-limited log rule or log=no is usually safer.
add action=drop chain=forward connection-state=new dst-address-list=ddosed log=yes log-prefix=ddos src-address-list=ddoser
# Under the limit -> leave the chain without marking anything. dst-limit is
# count[/time],burst,mode[/expire]: here 50, burst 50, keyed by src-and-dst-addresses,
# entries expiring after 10s — check the time unit of the count against the RouterOS docs.
add action=return chain=block-ddos dst-limit=50,50,src-and-dst-addresses/10s
# Over the limit -> mark both ends for 10 minutes. A legitimate host that opens many new
# connections quickly (e.g. many clients behind one NAT address) is listed too; tune the
# limit for the real traffic profile.
add action=add-dst-to-address-list address-list=ddosed address-list-timeout=10m chain=block-ddos
add action=add-src-to-address-list address-list=ddoser address-list-timeout=10m chain=block-ddos
# Every new forwarded connection is first sent through the block-ddos chain. That chain
# returns without doing anything while the src+dst pair is under the dst-limit rate, and
# otherwise records both ends in the ddosed / ddoser lists for 10 minutes. The
# add-*-to-address-list actions do not terminate, so processing falls back here and the
# next rule drops the same packet.
add action=jump chain=forward comment="drop ddos" connection-state=new jump-target=block-ddos
# Drop new connections from a listed attacker to a listed target, logging each with prefix "ddos".
# NOTE(review): log=yes on a rule that fires for every packet of a flood can itself fill the
# log/disk; a separate rate-limited log rule or log=no is usually safer.
add action=drop chain=forward connection-state=new dst-address-list=ddosed log=yes log-prefix=ddos src-address-list=ddoser
# Under the limit -> leave the chain without marking anything. dst-limit is
# count[/time],burst,mode[/expire]: here 50, burst 50, keyed by src-and-dst-addresses,
# entries expiring after 10s — check the time unit of the count against the RouterOS docs.
add action=return chain=block-ddos dst-limit=50,50,src-and-dst-addresses/10s
# Over the limit -> mark both ends for 10 minutes. A legitimate host that opens many new
# connections quickly (e.g. many clients behind one NAT address) is listed too; tune the
# limit for the real traffic profile.
add action=add-dst-to-address-list address-list=ddosed address-list-timeout=10m chain=block-ddos
add action=add-src-to-address-list address-list=ddoser address-list-timeout=10m chain=block-ddos
Защита от сканирования портов mikrotik routerboard
/ip firewall filter
# Protects the router itself: all rules are in chain=input, so forwarded traffic is not
# inspected by them. Order matters — the drop comes first so a listed source is discarded
# before it reaches any service; a listing lasts 2 weeks and covers every protocol, so an
# administrator's own scanner/monitoring host would lock itself out. Accept trusted
# management addresses with an earlier rule.
add action=drop chain=input comment="port scanners" src-address-list="port scanners"
# psd=WeightThreshold,DelayThreshold,LowPortWeight,HighPortWeight: list the source when the
# weighted count of ports probed within 3s reaches 21 (ports < 1024 weigh 3, others 1).
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input protocol=tcp psd=21,3s,3,1
# TCP flag combinations that a normal handshake never produces; tcp-flags lists flags that
# must be set and (with "!") flags that must be clear. FIN alone:
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
# SYN together with FIN:
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input protocol=tcp tcp-flags=fin,syn
# SYN together with RST:
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input protocol=tcp tcp-flags=syn,rst
# FIN+PSH+URG with SYN/RST/ACK clear:
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
# every flag set:
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
# no flag set:
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
# Protects the router itself: all rules are in chain=input, so forwarded traffic is not
# inspected by them. Order matters — the drop comes first so a listed source is discarded
# before it reaches any service; a listing lasts 2 weeks and covers every protocol, so an
# administrator's own scanner/monitoring host would lock itself out. Accept trusted
# management addresses with an earlier rule.
add action=drop chain=input comment="port scanners" src-address-list="port scanners"
# psd=WeightThreshold,DelayThreshold,LowPortWeight,HighPortWeight: list the source when the
# weighted count of ports probed within 3s reaches 21 (ports < 1024 weigh 3, others 1).
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input protocol=tcp psd=21,3s,3,1
# TCP flag combinations that a normal handshake never produces; tcp-flags lists flags that
# must be set and (with "!") flags that must be clear. FIN alone:
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
# SYN together with FIN:
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input protocol=tcp tcp-flags=fin,syn
# SYN together with RST:
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input protocol=tcp tcp-flags=syn,rst
# FIN+PSH+URG with SYN/RST/ACK clear:
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
# every flag set:
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
# no flag set:
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
Защита от брутфорсеров mikrotik routerboard
/ip firewall filter
# Staged SSH connection limiter for the router itself (chain=input, TCP/22).
# Each *new* connection moves the source one stage up (stage lists live 1m); the fourth
# new connection within that window puts the source in ssh_blacklist for 1w3d (10 days),
# and the first rule then drops everything it sends to port 22.
# The stages count connection attempts, not failed logins, so an administrator who
# reconnects four times in a minute is locked out as well — accept trusted management
# addresses with an earlier rule, or move management to a dedicated interface/port.
add action=drop chain=input comment="drop ssh brute forcers" dst-port=22 protocol=tcp src-address-list=ssh_blacklist
# The stage rules are deliberately in reverse order (3 -> blacklist, 2 -> 3, 1 -> 2, new -> 1):
# add-src-to-address-list does not terminate, so with this order one connection can climb
# only a single stage.
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1w3d chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp
/ip firewall filter
# Same scheme for telnet (TCP/23). Telnet carries credentials in cleartext; if the service
# is not needed, disabling it under /ip service removes the exposure instead of rate-limiting it.
add action=drop chain=input comment="drop telnet brute forcers" dst-port=23 protocol=tcp src-address-list=telnet_blacklist
add action=add-src-to-address-list address-list=telnet_blacklist address-list-timeout=1w3d chain=input connection-state=new dst-port=23 protocol=tcp src-address-list=telnet_stage3
add action=add-src-to-address-list address-list=telnet_stage3 address-list-timeout=1m chain=input connection-state=new dst-port=23 protocol=tcp src-address-list=telnet_stage2
add action=add-src-to-address-list address-list=telnet_stage2 address-list-timeout=1m chain=input connection-state=new dst-port=23 protocol=tcp src-address-list=telnet_stage1
add action=add-src-to-address-list address-list=telnet_stage1 address-list-timeout=1m chain=input connection-state=new dst-port=23 protocol=tcp
# Staged SSH connection limiter for the router itself (chain=input, TCP/22).
# Each *new* connection moves the source one stage up (stage lists live 1m); the fourth
# new connection within that window puts the source in ssh_blacklist for 1w3d (10 days),
# and the first rule then drops everything it sends to port 22.
# The stages count connection attempts, not failed logins, so an administrator who
# reconnects four times in a minute is locked out as well — accept trusted management
# addresses with an earlier rule, or move management to a dedicated interface/port.
add action=drop chain=input comment="drop ssh brute forcers" dst-port=22 protocol=tcp src-address-list=ssh_blacklist
# The stage rules are deliberately in reverse order (3 -> blacklist, 2 -> 3, 1 -> 2, new -> 1):
# add-src-to-address-list does not terminate, so with this order one connection can climb
# only a single stage.
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1w3d chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp
/ip firewall filter
# Same scheme for telnet (TCP/23). Telnet carries credentials in cleartext; if the service
# is not needed, disabling it under /ip service removes the exposure instead of rate-limiting it.
add action=drop chain=input comment="drop telnet brute forcers" dst-port=23 protocol=tcp src-address-list=telnet_blacklist
add action=add-src-to-address-list address-list=telnet_blacklist address-list-timeout=1w3d chain=input connection-state=new dst-port=23 protocol=tcp src-address-list=telnet_stage3
add action=add-src-to-address-list address-list=telnet_stage3 address-list-timeout=1m chain=input connection-state=new dst-port=23 protocol=tcp src-address-list=telnet_stage2
add action=add-src-to-address-list address-list=telnet_stage2 address-list-timeout=1m chain=input connection-state=new dst-port=23 protocol=tcp src-address-list=telnet_stage1
add action=add-src-to-address-list address-list=telnet_stage1 address-list-timeout=1m chain=input connection-state=new dst-port=23 protocol=tcp
Обрезание скорости торрентам mikrotik routerboard двумя способами
Первый способ по соединениям:
/ip firewall filter
# Per-source connection cap for hosts in the torrent_limit list.
# connection-limit=20,32 -> at most 20 connections per source /32. A new TCP SYN to any
# port except 80, 443 and 8080 is dropped once that source already holds 20 connections,
# so web browsing is left out of the cap.
add action=drop chain=forward comment="torrent limit 20 connection" connection-limit=20,32 dst-port=!80,443,8080 protocol=tcp src-address-list=torrent_limit tcp-flags=syn
# Same cap for UDP, but with no port exclusion: every UDP flow from the source counts
# (DNS, VoIP, games included), so the cap can hit non-torrent traffic as well.
add action=drop chain=forward connection-limit=20,32 protocol=udp src-address-list=torrent_limit
Адрес-лист torrent_limit — для тех, кого надо ограничить; в примере лимит 20 соединений.
Второй способ по пакетам:
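# Per-destination UDP packet-rate cap for the LAN range 192.168.1.1-192.168.1.253.
# These rules belong in the filter table, not in /ip firewall nat: the NAT table only has
# the srcnat/dstnat chains (a user chain named "forward" there is never traversed), and
# "reject" is not a NAT action, so the original snippet could not work as written.
# The range also contained a typo ("192.168..1").
/ip firewall filter
# 1) Remember every LAN destination that receives UDP. No address-list-timeout is given,
#    so entries are permanent until removed by hand.
add action=add-dst-to-address-list address-list=dst_list chain=forward comment="torrent limit 250 packets" dst-address=192.168.1.1-192.168.1.253 protocol=udp
# 2) Pass traffic to a listed destination while it stays under the dst-limit
#    (count[/time],burst,mode: 250, burst 250, counted per dst-address — check the time
#    unit of the count against the RouterOS docs). "accept" is the default action and is
#    written out here for readability.
add action=accept chain=forward dst-address-list=dst_list dst-limit=250,250,dst-address
# 3) Everything above the cap is rejected with ICMP admin-prohibited. Rules 2 and 3 are not
#    restricted to UDP, so once a host is listed all forwarded traffic towards it is capped.
add action=reject chain=forward dst-address-list=dst_list reject-with=icmp-admin-prohibited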
Локалка для ограничения по 250 пакетов 192.168.1.1-192.168.1.253
p.s. Как по мне первый способ лучше
/ip firewall filter
# Per-source connection cap for hosts in the torrent_limit list.
# connection-limit=20,32 -> at most 20 connections per source /32. A new TCP SYN to any
# port except 80, 443 and 8080 is dropped once that source already holds 20 connections,
# so web browsing is left out of the cap.
add action=drop chain=forward comment="torrent limit 20 connection" connection-limit=20,32 dst-port=!80,443,8080 protocol=tcp src-address-list=torrent_limit tcp-flags=syn
# Same cap for UDP, but with no port exclusion: every UDP flow from the source counts
# (DNS, VoIP, games included), so the cap can hit non-torrent traffic as well.
add action=drop chain=forward connection-limit=20,32 protocol=udp src-address-list=torrent_limit
Адрес-лист torrent_limit — для тех, кого надо ограничить; в примере лимит 20 соединений.
Второй способ по пакетам:
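# Per-destination UDP packet-rate cap for the LAN range 192.168.1.1-192.168.1.253.
# These rules belong in the filter table, not in /ip firewall nat: the NAT table only has
# the srcnat/dstnat chains (a user chain named "forward" there is never traversed), and
# "reject" is not a NAT action, so the original snippet could not work as written.
# The range also contained a typo ("192.168..1").
/ip firewall filter
# 1) Remember every LAN destination that receives UDP. No address-list-timeout is given,
#    so entries are permanent until removed by hand.
add action=add-dst-to-address-list address-list=dst_list chain=forward comment="torrent limit 250 packets" dst-address=192.168.1.1-192.168.1.253 protocol=udp
# 2) Pass traffic to a listed destination while it stays under the dst-limit
#    (count[/time],burst,mode: 250, burst 250, counted per dst-address — check the time
#    unit of the count against the RouterOS docs). "accept" is the default action and is
#    written out here for readability.
add action=accept chain=forward dst-address-list=dst_list dst-limit=250,250,dst-address
# 3) Everything above the cap is rejected with ICMP admin-prohibited. Rules 2 and 3 are not
#    restricted to UDP, so once a host is listed all forwarded traffic towards it is capped.
add action=reject chain=forward dst-address-list=dst_list reject-with=icmp-admin-prohibited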
Локалка для ограничения по 250 пакетов 192.168.1.1-192.168.1.253
p.s. Как по мне первый способ лучше
Блокировка торрентов mikrotik routerboard
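# Torrent blocking for sources in the no_torrent address list.
# The layer7 protocol is defined first: a filter rule that references a layer7-protocol
# name which does not exist yet is rejected on creation, so the original order
# (rules first, definition last) does not import cleanly.
/ip firewall layer7-protocol
add name=torrentsites regexp="^.*(get|GET).+(torrent|nthepiratebay|isohunt|entertane|demonoid|btjunkie|mininova|flixflux|ntorrentz|vertor|h33t|btscene|bitunity|bittoxic|thunderbytes|nentertane|zoozle|vcdq|bitnova|bitsoup|meganova|fulldls|btbot|nflixflux|seedpeer|fenopy|gpirate|commonbits).*$"
/ip firewall filter
# Regex (layer7) match on connection payload. Layer7 inspection is CPU-heavy and only
# sees the first part of each connection, so keeping it scoped to src-address-list, as
# here, matters.
add action=drop chain=forward comment="block torrent" layer7-protocol=torrentsites src-address-list=no_torrent
# UDP/53 (DNS) traffic whose payload matches the same site list, i.e. name lookups for them.
add action=drop chain=forward dst-port=53 layer7-protocol=torrentsites protocol=udp src-address-list=no_torrent
# Plain substring matches on the packet content. "torrent" and "tracker" also occur in
# ordinary traffic (e.g. a web page mentioning them), so expect some collateral drops.
add action=drop chain=forward content=torrent src-address-list=no_torrent
add action=drop chain=forward content=tracker src-address-list=no_torrent
add action=drop chain=forward content=getpeers src-address-list=no_torrent
add action=drop chain=forward content=info_hash src-address-list=no_torrent
add action=drop chain=forward content=announce_peers src-address-list=no_torrent
# Built-in P2P classifier. NOTE(review): the p2p matcher is reportedly no longer available
# in RouterOS v7 — verify on the target version; on v7 this line has to be dropped.
add action=drop chain=forward p2p=all-p2p src-address-list=no_torrent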
no_torrent — адрес-лист IP-адресов, которым торренты блокируются.
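# Torrent blocking for sources in the no_torrent address list.
# The layer7 protocol is defined first: a filter rule that references a layer7-protocol
# name which does not exist yet is rejected on creation, so the original order
# (rules first, definition last) does not import cleanly.
/ip firewall layer7-protocol
add name=torrentsites regexp="^.*(get|GET).+(torrent|nthepiratebay|isohunt|entertane|demonoid|btjunkie|mininova|flixflux|ntorrentz|vertor|h33t|btscene|bitunity|bittoxic|thunderbytes|nentertane|zoozle|vcdq|bitnova|bitsoup|meganova|fulldls|btbot|nflixflux|seedpeer|fenopy|gpirate|commonbits).*$"
/ip firewall filter
# Regex (layer7) match on connection payload. Layer7 inspection is CPU-heavy and only
# sees the first part of each connection, so keeping it scoped to src-address-list, as
# here, matters.
add action=drop chain=forward comment="block torrent" layer7-protocol=torrentsites src-address-list=no_torrent
# UDP/53 (DNS) traffic whose payload matches the same site list, i.e. name lookups for them.
add action=drop chain=forward dst-port=53 layer7-protocol=torrentsites protocol=udp src-address-list=no_torrent
# Plain substring matches on the packet content. "torrent" and "tracker" also occur in
# ordinary traffic (e.g. a web page mentioning them), so expect some collateral drops.
add action=drop chain=forward content=torrent src-address-list=no_torrent
add action=drop chain=forward content=tracker src-address-list=no_torrent
add action=drop chain=forward content=getpeers src-address-list=no_torrent
add action=drop chain=forward content=info_hash src-address-list=no_torrent
add action=drop chain=forward content=announce_peers src-address-list=no_torrent
# Built-in P2P classifier. NOTE(review): the p2p matcher is reportedly no longer available
# in RouterOS v7 — verify on the target version; on v7 this line has to be dropped.
add action=drop chain=forward p2p=all-p2p src-address-list=no_torrent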
no_torrent — адрес-лист IP-адресов, которым торренты блокируются.
Простой динамический шейпер mikrotik routerboard
/queue simple
# One simple queue for the whole LAN 192.168.1.0/24 with a 40M/40M ceiling (upload/download).
# The pcq-upload-default / pcq-download-default queue types share that ceiling between
# clients — presumably per address, as the stock PCQ types are defined; check
# /queue type if the split should be different.
add max-limit=40M/40M name=internet queue=pcq-upload-default/pcq-download-default target=192.168.1.0/24
# One simple queue for the whole LAN 192.168.1.0/24 with a 40M/40M ceiling (upload/download).
# The pcq-upload-default / pcq-download-default queue types share that ceiling between
# clients — presumably per address, as the stock PCQ types are defined; check
# /queue type if the split should be different.
add max-limit=40M/40M name=internet queue=pcq-upload-default/pcq-download-default target=192.168.1.0/24
Закрытие одноклассников и подобных на mikrotik routerboard
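# Block social-network sites for every client except those in the yes_social list.
# The layer7 protocol is created first because a filter rule cannot reference a
# layer7-protocol name that does not exist yet; the original order fails on import.
/ip firewall layer7-protocol
# NOTE(review): the dots in "vk.com" / "ok.ru" are unescaped and match any character,
# a small over-match; "\." would be exact.
add name=social regexp="^.+(vk.com|vkontakte|odnoklassniki|ok.ru|odnoklasniki).*$"
/ip firewall filter
# Both rules match the server->client direction (src-port 80/443) and drop it unless the
# packet's destination — the client — is whitelisted. On 443 the payload is TLS, so the
# regex only sees whatever is still cleartext in the handshake; treat it as best-effort,
# not as a reliable HTTPS filter.
add action=drop chain=forward comment="block socials" dst-address-list=!yes_social layer7-protocol=social protocol=tcp src-port=80
add action=drop chain=forward dst-address-list=!yes_social layer7-protocol=social protocol=tcp src-port=443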
Адрес-лист yes_social — для тех, кому соцсети остаются разрешены (правила исключают их через dst-address-list=!yes_social).
Адрес-лист yes_social — для тех, кому соцсети остаются разрешены (правила исключают их через dst-address-list=!yes_social).
Если VmWare ESXi 5.5 не видит SSD
Установите SSD и создайте datastore, скопируйте идентификатор устройства (naa.…), на котором создан datastore, например naa.600508b1001cac41a272e11c2263b25b, и выполните
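# ESXi 5.5: mark a local device as SSD when the host does not detect it as one.
# The naa.* value is the device identifier (the LUN the datastore sits on), as listed by
# "esxcli storage core device list"; the value below is the page's example — substitute
# your own. Kept in a variable so both commands refer to the same device.
dev=naa.600508b1001cac41a272e11c2263b25b
# Add a SATP claim rule for the local path plugin with the enable_ssd option ...
esxcli storage nmp satp rule add -s VMW_SATP_LOCAL -d "$dev" -o enable_ssd || exit 1
# ... and reclaim the device so the new rule is applied to it.
esxcli storage core claiming reclaim -d "$dev"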
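# ESXi 5.5: mark a local device as SSD when the host does not detect it as one.
# The naa.* value is the device identifier (the LUN the datastore sits on), as listed by
# "esxcli storage core device list"; the value below is the page's example — substitute
# your own. Kept in a variable so both commands refer to the same device.
dev=naa.600508b1001cac41a272e11c2263b25b
# Add a SATP claim rule for the local path plugin with the enable_ssd option ...
esxcli storage nmp satp rule add -s VMW_SATP_LOCAL -d "$dev" -o enable_ssd || exit 1
# ... and reclaim the device so the new rule is applied to it.
esxcli storage core claiming reclaim -d "$dev"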
Обновление hp в vmware esxi
Загрузить обновление в datastore, выполнить команды
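# Apply an HP update package (.scexe, a self-extracting executable) that was uploaded to
# the datastore. It runs with the ESXi shell's privileges, so before making it executable
# confirm it is the package you uploaded (compare its checksum with the value HP publishes
# for the component) — the file sits on shared storage that other hosts/users may write to.
cd /vmfs/volumes/datastore1/bios || exit 1
chmod +x ./CP024363.scexe || exit 1
./CP024363.scexe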
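# Apply an HP update package (.scexe, a self-extracting executable) that was uploaded to
# the datastore. It runs with the ESXi shell's privileges, so before making it executable
# confirm it is the package you uploaded (compare its checksum with the value HP publishes
# for the component) — the file sits on shared storage that other hosts/users may write to.
cd /vmfs/volumes/datastore1/bios || exit 1
chmod +x ./CP024363.scexe || exit 1
./CP024363.scexe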