moses

1. /ip firewall filter
   
2. add action=drop chain=input comment="Drop pptp brute forcers 7D" dst-port=1723 protocol=tcp src-address-list=pptp_blacklist
   
3. add action=add-src-to-address-list address-list=pptp_blacklist address-list-timeout=1w chain=input connection-state=new dst-port=1723 protocol=tcp src-address-list=pptp_stage3
   
4. add action=add-src-to-address-list address-list=pptp_stage3 address-list-timeout=1m chain=input connection-state=new dst-port=1723 protocol=tcp src-address-list=pptp_stage2
   
5. add action=add-src-to-address-list address-list=pptp_stage2 address-list-timeout=1m chain=input connection-state=new dst-port=1723 protocol=tcp src-address-list=pptp_stage1
   
6. add action=add-src-to-address-list address-list=pptp_stage1 address-list-timeout=1m chain=input connection-state=new dst-port=1723 protocol=tcp

複製代碼

代码说明：将连续尝试三次PPTP连接的用户IP添加至地址列表"pptp_blacklist"并且禁止此列表中IP地址访问你的RouterBoard 7天.

其他服务包括SSH, L2TP之类的服务都可以如此添加， 添加前注意修改服务是UDP/TCP, 服务端口号就好, 必要的时候可以加上log prefix.

moses

回復 4# gfx86674


    正常认证后 connection-state将会变为established
我目前家里的就是这么配置的. 我的mAP 2n, RB951G-2HnD, 连接到RB450G上都没有问题.