Problems with the ASUS patch and a suggested fix

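Posted 2004-3-17 21:27:01

The problem with that patch is that it breaks services that the internal network exposes to the Internet.
Take the following filter rule that ASUS uses as an example (from script.txt):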
create ipf rule entry ruleid 1 ifname public dir in act deny transprot eq TCP enable seclevel low destport eq num 80
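This rule blocks access to port 80 completely. If you want to expose a web service on the internal network, it obviously cannot be reached even with RDR set up, because the packets are stopped by the IP filter.
I suggest changing the example above as follows (the other rules are changed the same way):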
create ipf rule entry ruleid 1 ifname public dir in act deny destaddr self transprot eq TCP enable seclevel low destport eq num 80
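
The difference between the two rules in the post above, as an added example that is not part of the original post or of ASUS's script: a minimal Python evaluator for just these two rule lines. It assumes the filter sees the packet after RDR has rewritten its destination (which is what the suggested fix relies on) and that unmatched packets are accepted; the addresses are constructed.

```python
import re

# The two rule lines quoted in the post: ASUS's original and the suggested fix.
ORIGINAL = ("create ipf rule entry ruleid 1 ifname public dir in act deny "
            "transprot eq TCP enable seclevel low destport eq num 80")
MODIFIED = ("create ipf rule entry ruleid 1 ifname public dir in act deny destaddr self "
            "transprot eq TCP enable seclevel low destport eq num 80")

ROUTER_IP = "203.0.113.1"    # constructed: the modem's own public address ("self")
WEB_HOST = "192.168.1.10"    # constructed: internal web server that RDR forwards to
PROTO = {"6": "tcp", "17": "udp"}

FIELDS = (
    ("ifname", r"(?<!\S)ifname (\S+)"),
    ("dir", r"(?<!\S)dir (\S+)"),
    ("act", r"(?<!\S)act (\S+)"),
    ("destaddr", r"(?<!\S)destaddr (self)"),
    ("transprot", r"(?<!\S)transprot eq (?:num )?(\S+)"),
    ("destport", r"(?<!\S)destport eq (?:num )?(\d+)"),
)

def parse_rule(line):
    """Extract the match fields these two rules use; an absent field is a wildcard.
    'enable' and 'seclevel' are ignored (the rule is assumed active)."""
    rule = {}
    for key, pattern in FIELDS:
        m = re.search(pattern, line)
        if m:
            rule[key] = m.group(1).lower()
    if "transprot" in rule:
        rule["transprot"] = PROTO.get(rule["transprot"], rule["transprot"])
    return rule

def packet(destaddr):
    """Inbound TCP/80 packet on the public interface, destination as the filter sees it."""
    return {"ifname": "public", "dir": "in", "transprot": "tcp",
            "destport": 80, "destaddr": destaddr}

def verdict(line, pkt, default="accept"):
    """Return the rule's action if every field matches, else the assumed default."""
    rule = parse_rule(line)
    for field, want in rule.items():
        if field == "act":
            continue
        if field == "destaddr" and want == "self":
            want = ROUTER_IP
        if str(pkt[field]).lower() != want:
            return default
    return rule["act"]

if __name__ == "__main__":
    for name, line in (("original", ORIGINAL), ("modified", MODIFIED)):
        print(name, "forwarded:", verdict(line, packet(WEB_HOST)),
              "| to router:", verdict(line, packet(ROUTER_IP)))
```
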
Posted 2004-3-18 10:57:08

Yes! If you are already using FW version 138030917a26 or 27-cn, the port settings above are already included; you only need to turn on the firewall and enable IP filtering.
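Posted 2004-7-14 21:19:36

Could the moderator please check whether the new patch ASUS released for the connection-drop problem has anything unreasonable in it, for example whether port 80 still gets filtered out by the IP filter after it has been mapped? Thanks!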
adsl
adsl1234
modify ipf global seclevel high pubdefact accept dmzdefact accept pvtdefact accept
create ipf rule entry
create ipf rule entry ruleid 4 ifname public dir in act deny transprot eq TCP enable seclevel high destport eq 80
create ipf rule entry ruleid 4 ifname public dir in act deny transprot eq TCP enable seclevel high destport eq num 80
create ipf rule entry ruleid 7 ifname public dir in transprot eq udp destport eq num 69 seclevel high
create ipf rule entry ruleid 8 dir in destaddr eq 255.255.255.255 seclevel high act accept
create ipf rule entry ruleid 9 dir in destaddr bcast seclevel high act accept
create ipf rule entry ruleid 10 dir in destaddr bcast seclevel high
create ipf rule entry ruleid 20 dir in destaddr eq 255.255.255.255 seclevel high
create ipf rule entry ruleid 30 ifname private dir in act accept storestate enable seclevel high medium low
create ipf rule entry ruleid 40 ifname private dir out act accept srcaddr self storestate enable seclevel high medium low
create ipf rule entry ruleid 50 ifname private dir out act accept transprot eq num 17 destport eq 53 inifname dmz storestate enable seclevel high medium low
create ipf rule entry ruleid 60 ifname private dir out act accept transprot eq num 6 destport eq 53 inifname dmz storestate enable seclevel high medium low
create ipf rule entry ruleid 70 ifname private dir out act accept transprot eq num 6 destport eq 25 inifname dmz storestate enable seclevel high medium low
create ipf rule entry ruleid 80 ifname private dir out act accept transprot eq num 6 destport eq 110 inifname dmz storestate enable seclevel high medium low
create ipf rule entry ruleid 130 ifname dmz dir out transprot eq num 6 destport eq 23 inifname private seclevel high
create ipf rule entry ruleid 140 ifname dmz dir out transprot eq num 17 destport eq 53 inifname public seclevel high
create ipf rule entry ruleid 150 ifname dmz dir out transprot eq num 6 destport eq 53 inifname public seclevel high
create ipf rule entry ruleid 160 ifname dmz dir out transprot eq num 6 destport eq 21 inifname public seclevel high
create ipf rule entry ruleid 170 ifname dmz dir out transprot eq num 6 destport eq 23 inifname public seclevel high medium low
create ipf rule entry ruleid 190 ifname public dir out transprot eq num 6 destport eq 23 seclevel high
create ipf rule entry ruleid 230 ifname public dir in transprot eq num 17 destport eq 7 seclevel high medium
create ipf rule entry ruleid 240 ifname public dir in transprot eq num 17 destport eq 9 seclevel high medium
create ipf rule entry ruleid 250 ifname public dir in transprot eq num 17 destport eq 19 seclevel high medium
create ipf rule entry ruleid 260 ifname public dir in destaddr self transprot eq num 6 destport eq 80 seclevel high medium low
create ipf rule entry ruleid 270 ifname public dir in destaddr self transprot eq num 17 destport eq 53 seclevel high
create ipf rule entry ruleid 280 ifname public dir in destaddr self transprot eq num 6 destport eq 53 seclevel high
create ipf rule entry ruleid 290 ifname public dir in destaddr self transprot eq num 6 destport eq 21 seclevel high medium low
create ipf rule entry ruleid 300 ifname public dir in destaddr self transprot eq num 6 destport eq 23 seclevel high medium low
create ipf rule entry ruleid 311 ifname public dir in transprot eq num 6 destport eq 110 seclevel high
create ipf rule entry ruleid 312 ifname public dir in transprot eq num 6 destport eq 25 seclevel high
create ipf rule entry ruleid 360 ifname dmz dir in destaddr self transprot eq num 6 destport eq 80 seclevel high medium
create ipf rule entry ruleid 370 ifname dmz dir in destaddr self transprot eq num 6 destport eq 21 seclevel high medium
create ipf rule entry ruleid 380 ifname dmz dir in destaddr self transprot eq num 6 destport eq 23 seclevel high medium
create ipf rule entry ruleid 50 ifname private dir out act accept transprot eq num 17 destport eq num 53 inifname dmz storestate enable seclevel high medium low
create ipf rule entry ruleid 60 ifname private dir out act accept transprot eq num 6 destport eq num 53 inifname dmz storestate enable seclevel high medium low
create ipf rule entry ruleid 70 ifname private dir out act accept transprot eq num 6 destport eq num 25 inifname dmz storestate enable seclevel high medium low
create ipf rule entry ruleid 80 ifname private dir out act accept transprot eq num 6 destport eq num 110 inifname dmz storestate enable seclevel high medium low
create ipf rule entry ruleid 130 ifname dmz dir out transprot eq num 6 destport eq num 23 inifname private seclevel high
create ipf rule entry ruleid 140 ifname dmz dir out transprot eq num 17 destport eq num 53 inifname public seclevel high
create ipf rule entry ruleid 150 ifname dmz dir out transprot eq num 6 destport eq num 53 inifname public seclevel high
create ipf rule entry ruleid 160 ifname dmz dir out transprot eq num 6 destport eq num 21 inifname public seclevel high
create ipf rule entry ruleid 170 ifname dmz dir out transprot eq num 6 destport eq num 23 inifname public seclevel high medium low
create ipf rule entry ruleid 180 ifname dmz dir out transprot eq num 1 inifname public seclevel high medium
create ipf rule entry ruleid 190 ifname public dir out transprot eq num 6 destport eq num 23 seclevel high
create ipf rule entry ruleid 200 ifname public dir out act accept srcaddr self storestate enable seclevel high medium low
create ipf rule entry ruleid 230 ifname public dir in transprot eq num 17 destport eq num 7 seclevel high medium
create ipf rule entry ruleid 240 ifname public dir in transprot eq num 17 destport eq num 9 seclevel high medium
create ipf rule entry ruleid 250 ifname public dir in transprot eq num 17 destport eq num 19 seclevel high medium
create ipf rule entry ruleid 260 ifname public dir in destaddr self transprot eq num 6 destport eq num 80 seclevel high medium low
create ipf rule entry ruleid 270 ifname public dir in destaddr self transprot eq num 17 destport eq num 53 seclevel high
create ipf rule entry ruleid 280 ifname public dir in destaddr self transprot eq num 6 destport eq num 53 seclevel high
create ipf rule entry ruleid 290 ifname public dir in destaddr self transprot eq num 6 destport eq num 21 seclevel high medium low
create ipf rule entry ruleid 300 ifname public dir in destaddr self transprot eq num 6 destport eq num 23 seclevel high medium low
create ipf rule entry ruleid 310 ifname public dir in destaddr self transprot eq num 1 seclevel high medium
create ipf rule entry ruleid 311 ifname public dir in transprot eq num 6 destport eq num 110 seclevel high
create ipf rule entry ruleid 312 ifname public dir in transprot eq num 6 destport eq num 25 seclevel high
create ipf rule entry ruleid 340 ifname public dir in seclevel high isipopt yes
create ipf rule entry ruleid 350 ifname public dir in seclevel high isfrag yes
create ipf rule entry ruleid 360 ifname dmz dir in destaddr self transprot eq num 6 destport eq num 80 seclevel high medium
create ipf rule entry ruleid 370 ifname dmz dir in destaddr self transprot eq num 6 destport eq num 21 seclevel high medium
create ipf rule entry ruleid 380 ifname dmz dir in destaddr self transprot eq num 6 destport eq num 23 seclevel high medium
create ipf rule entry ruleid 390 ifname dmz dir in act accept storestate enable seclevel high medium low
modify fwl global blistprotect disable attackprotect disable dosprotect disable maxtcpconn 30
commit

reboot

Posted 2004-7-18 12:17:44

After turning off IP filtering and mapping ports 80 and 21, the web site hosted on the internal network can now be reached from the Internet.
Original poster | Posted 2004-7-26 23:55:11

There's nothing wrong with that new ASUS patch.
Posted 2004-9-28 15:47:07

I can still get access after applying the patch. Did I apply it wrong?!@#¥