/ip firewall filter add action=drop chain=forward comment=" drop invalid connections" connection-state=invalid protocol=tcp add action=accept chain=forward comment=" accept Established & related connections but HTTPS" connection-state= Established,related packet-mark=no-mark add action=accept chain=forward comment="允许已建立的被FW标记为良好的HTTPS连接" connection-state= Established,related packet-mark= Allow - HTTPS add action=jump chain=forward comment="Catch标记为HTTPS的数据包对于SNI检查“跳转-目标=forward-https数据包标记=https添加动作=拒绝链=转发评论=“重置不允许的https连接”数据包标记=bad-https协议=tcp拒绝-with=tcp- Reset #以下是允许的tls主机列表添加动作=add-dst-to-address-list地址列表=允许-https地址列表-timeout=5s链=forward-https评论=“允许谷歌”协议=tcp tls-host=*.google.com添加动作=add-dst-to-address-list地址列表=允许-https地址列表-timeout=5s链=forward-https评论="允许谷歌"协议=tcp tls-host=*.googleusercontent.com add action=add- st-to-address-list address-list= Allow -https地址列表地址列表= Allow -https地址列表超时=5s chain=forward-https评论="允许谷歌"协议=tcp tls-host=*.gstatic.com #我们将不得不允许其余的数据包通过这个阶段从这个匹配链添加动作=接受链=forward-https端口=443协议=tcp /ip防火墙mangle添加动作=标记连接链=prerouting评论="标记检查&st-address-list=allow-https st-port=443 new-connection-mark=allow-https passthrough=yes protocol=tcp add action= Mark -packet chain= allow-https passthrough=no #接下来我们匹配新的HTTPS连接并标记在forward-https链中尚未被匹配器清除的数据包添加action= Mark -connection chain=prerouting comment=“标记HTTPS”connection-state=new dst-port=443 new-connection- Mark =https protocol=tcp add action= Mark -packet chain=prerouting comment="根据连接标记标记https数据包，每个连接只允许少量通过" connection- Mark =https dst-limit=1/1m,6,addresses-and-dst-port/1m new-packet- Mark =https passthrough=no #其余的https流量必须被标记为恶意，不得通过。连接将被fw filter中的规则重置。add action= Mark -connection chain=prerouting comment="在几个数据包通过后标记HTTPS连接为坏，如果它没有被之前的规则标记为好" st-port=443 log=yes log-prefix= bad- HTTPS \ new-connection-mark=bad- HTTPS协议=tcp add action= Mark -packet chain=prerouting comment="通过bad- HTTPS连接标记标记HTTPS数据包为坏" connection- Mark =bad- HTTPS new-packet-mark=bad- HTTPS passthrough=no