Community discussions

MikroTik App
  4. RouterOS
  5. General

Is my rules for firewall and mangle right?

Post Reply
 
fahedksa
Member Candidate
Member Candidate
Topic Author
Posts: 107
Joined: Mon Nov 27, 2006 2:27 pm

Is my rules for firewall and mangle right?

Mon Jul 14, 2008 7:24 pm

hay,
Please i need advice if my rules here good and good or its bad and affect on my server?





/ ip firewall mangle
add chain=forward src-address=10.0.0.0/24 action=mark-connection new-connection-mark=users-con passthrough=yes comment="" \
disabled=no
add chain=forward connection-mark=users-con action=mark-packet new-packet-mark=users passthrough=yes comment="" \
disabled=no

/ ip firewall nat
add chain=srcnat out-interface=llup action=masquerade comment="" disabled=no

/ ip firewall connection tracking
set enabled=yes tcp-syn-sent-timeout=5s tcp-syn-received-timeout=5s tcp-established-timeout=1d tcp-fin-wait-timeout=10s \
tcp-close-wait-timeout=10s tcp-last-ack-timeout=10s tcp-time-wait-timeout=10s tcp-close-timeout=10s udp-timeout=10s \
udp-stream-timeout=3m icmp-timeout=10s generic-timeout=10m tcp-syncookie=no

/ ip firewall filter
add chain=forward connection-state=established action=accept comment="Established connections" disabled=no
add chain=input connection-state=established action=accept comment="Accept established connections" disabled=no
add chain=input connection-state=related action=accept comment="Accept related connections" disabled=no
add chain=forward protocol=tcp dst-port=5050 action=accept comment="JMSN Messenger" disabled=no
add chain=forward protocol=tcp dst-port=5000-5010 action=accept comment="JMSN Messenger" disabled=no
add chain=forward protocol=tcp dst-port=1493 action=accept comment="JMSN Messenger" disabled=no
add chain=forward protocol=tcp dst-port=1542 action=accept comment="JMSN Messenger" disabled=no
add chain=forward protocol=tcp dst-port=1863 action=accept comment="JMSN Messenger" disabled=no
add chain=forward protocol=tcp dst-port=1963 action=accept comment="JMSN Messenger" disabled=no
add chain=forward protocol=tcp dst-port=80 action=accept comment="JMSN Messenger" disabled=no
add chain=forward protocol=tcp dst-port=443 action=accept comment="JMSN Messenger" disabled=no
add chain=forward p2p=all-p2p action=drop comment="Drop all P2P" disabled=no
add chain=input connection-state=invalid action=drop comment="Drop invalid connections" disabled=no
add chain=input src-address=0.0.0.0/24 action=accept comment="From Mikrotikls network" disabled=no
add chain=input src-address=10.0.0.0/24 action=accept comment="From Mikrotikls network" disabled=no
add chain=input protocol=tcp dst-port=80 connection-limit=100,0 action=drop comment="limit total http connections to 100" disabled=no
add chain=input protocol=tcp connection-limit=2,32 src-address-list=black_list action=drop comment="suppress DoS attack from 1 IP" disabled=no
add chain=input protocol=tcp connection-limit=10,32 action=add-src-to-address-list address-list=black_list address-list-timeout=1d comment="detect DoS attack 1 IP" disabled=no
add chain=input action=jump jump-target=virus comment="!!! Check for well-known viruses !!!" disabled=yes
add chain=input protocol=udp action=accept comment="UDP" disabled=no
add chain=input protocol=icmp limit=50/5s,2 action=accept comment="Allow limited pings" disabled=no
add chain=input protocol=icmp action=drop comment="Drop excess pings" disabled=no
add chain=input protocol=tcp dst-port=22 action=accept comment="SSH for demo purposes" disabled=no
add chain=input protocol=tcp dst-port=25 action=accept comment="" disabled=no
add chain=input protocol=tcp dst-port=23 action=accept comment="Telnet for demo purposes" disabled=no
add chain=input protocol=tcp dst-port=80 action=accept comment="http for demo purposes" disabled=no
add chain=input protocol=tcp dst-port=3987 action=accept comment="winbox for demo purposes" disabled=no
add chain=input protocol=tcp dst-port=8291 action=accept comment="new winbox for demo purposes" disabled=no
add chain=input action=log log-prefix="DROP" comment="Log and drop everything else" disabled=no
add chain=input action=drop comment="Log and drop everything else" disabled=yes
add chain=forward connection-state=related action=accept comment="Related connections" disabled=no
add chain=forward connection-state=invalid action=drop comment="Drop invalid connections" disabled=no
add chain=forward action=jump jump-target=virus comment="!!! Check for well-known viruses !!!" disabled=no
add chain=forward protocol=udp action=accept comment="UDP" disabled=no
add chain=forward protocol=icmp limit=50/5s,2 action=accept comment="Allow limited pings" disabled=yes
add chain=forward protocol=icmp action=drop comment="Drop excess pings" disabled=yes
add chain=output connection-state=related action=accept comment="Related" disabled=no
add chain=output protocol=udp dst-port=123 action=accept comment="UDP 123" disabled=no
add chain=virus protocol=tcp dst-port=445 action=drop comment="Drop Blaster Worm" disabled=no
add chain=virus protocol=udp dst-port=445 action=drop comment="Drop Blaster Worm" disabled=no
add chain=virus protocol=tcp dst-port=593 action=drop comment="________" disabled=no
add chain=virus protocol=tcp dst-port=1024-1030 action=drop comment="________" disabled=no
add chain=virus protocol=tcp dst-port=1080 action=drop comment="Drop MyDoom" disabled=no
add chain=virus protocol=tcp dst-port=1214 action=drop comment="________" disabled=no
add chain=virus protocol=tcp dst-port=1363 action=drop comment="ndm requester" disabled=no
add chain=virus protocol=tcp dst-port=1364 action=drop comment="ndm server" disabled=no
add chain=virus protocol=tcp dst-port=1368 action=drop comment="screen cast" disabled=no
add chain=virus protocol=tcp dst-port=1373 action=drop comment="hromgrafx" disabled=no
add chain=virus protocol=tcp dst-port=1377 action=drop comment="cichlid" disabled=no
add chain=virus protocol=tcp dst-port=1433-1434 action=drop comment="Worm" disabled=no
add chain=virus protocol=tcp dst-port=2745 action=drop comment="Bagle Virus" disabled=no
add chain=virus protocol=tcp dst-port=2283 action=drop comment="Drop Dumaru.Y" disabled=no
add chain=virus protocol=tcp dst-port=2535 action=drop comment="Drop Beagle" disabled=no
add chain=virus protocol=tcp dst-port=2745 action=drop comment="Drop Beagle.C-K" disabled=no
add chain=virus protocol=tcp dst-port=3127-3128 action=drop comment="Drop MyDoom" disabled=no
add chain=virus protocol=tcp dst-port=3410 action=drop comment="Drop Backdoor OptixPro" disabled=no
add chain=virus protocol=tcp dst-port=4444 action=drop comment="Worm" disabled=no
add chain=virus protocol=udp dst-port=4444 action=drop comment="Worm" disabled=no
add chain=virus protocol=tcp dst-port=5554 action=drop comment="Drop Sasser" disabled=no
add chain=virus protocol=tcp dst-port=8866 action=drop comment="Drop Beagle.B" disabled=no
add chain=virus protocol=tcp dst-port=9898 action=drop comment="Drop Dabber.A-B" disabled=no
add chain=virus protocol=tcp dst-port=10000 action=drop comment="Drop Dumaru.Y" disabled=no
add chain=virus protocol=tcp dst-port=10080 action=drop comment="Drop MyDoom.B" disabled=no
add chain=virus protocol=tcp dst-port=12345 action=drop comment="Drop NetBus" disabled=no
add chain=virus protocol=tcp dst-port=17300 action=drop comment="Drop Kuang2" disabled=no
add chain=virus protocol=tcp dst-port=27374 action=drop comment="Drop SubSeven" disabled=yes
add chain=virus protocol=tcp dst-port=65506 action=drop comment="Drop PhatBot, Agobot, Gaobot" disabled=no
add chain=forward dst-address=10.0.0.1 action=log log-prefix="" comment="demo2" disabled=no
add chain=virus protocol=udp dst-port=4444 action=drop comment="Worm" disabled=no
add chain=virus protocol=tcp dst-port=5554 action=drop comment="Drop Sasser" disabled=no
add chain=virus protocol=tcp dst-port=8866 action=drop comment="Drop Beagle.B" disabled=no
add chain=virus protocol=tcp dst-port=9898 action=drop comment="Drop Dabber.A-B" disabled=no
add chain=virus protocol=tcp dst-port=10000 action=drop comment="Drop Dumaru.Y" disabled=no
add chain=virus protocol=tcp dst-port=10080 action=drop comment="Drop MyDoom.B" disabled=no
add chain=virus protocol=tcp dst-port=12345 action=drop comment="Drop NetBus" disabled=no
add chain=virus protocol=tcp dst-port=17300 action=drop comment="Drop Kuang2" disabled=no
add chain=virus protocol=tcp dst-port=27374 action=drop comment="Drop SubSeven" disabled=no
add chain=virus protocol=tcp dst-port=65506 action=drop comment="Drop PhatBot, Agobot, Gaobot" disabled=no
add chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="Port scanners to list " disabled=no
add chain=input protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="NMAP FIN Stealth scan\n" disabled=no
add chain=input protocol=tcp tcp-flags=fin,syn action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="" disabled=no
add chain=input protocol=tcp tcp-flags=fin,syn action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="SYN/FIN scan" disabled=no
add chain=input protocol=tcp tcp-flags=syn,rst action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="SYN/RST scan" disabled=no
add chain=input protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="FIN/PSH/URG scan" disabled=no
add chain=input protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="ALL/ALL scan" disabled=no
add chain=input protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="NMAP NULL scan" disabled=no
add chain=input src-address-list="port scanners" action=drop comment="dropping port scanners" disabled=no
add chain=forward protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="Port scanners to list " disabled=yes
add chain=forward protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="NMAP FIN Stealth scan\n" disabled=yes
add chain=forward protocol=tcp tcp-flags=fin,syn action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="" disabled=yes
add chain=forward protocol=tcp tcp-flags=fin,syn action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="SYN/FIN scan" disabled=yes
add chain=forward protocol=tcp tcp-flags=syn,rst action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="SYN/RST scan" disabled=yes
add chain=forward protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="FIN/PSH/URG scan" disabled=yes
add chain=forward protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="ALL/ALL scan" disabled=yes
add chain=forward protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="NMAP NULL scan" disabled=yes
add chain=forward src-address-list="port scanners" action=drop comment="dropping port scanners" disabled=yes

/ ip firewall service-port
set ftp ports=21 disabled=no
set tftp ports=69 disabled=no
set irc ports=6667 disabled=no
set h323 disabled=yes
set quake3 disabled=no
set gre disabled=yes
set pptp disabled=yes
Top
Post Reply

Who is online

Users browsing this forum: Bing [Bot], GoogleOther [Bot], quezhou and 97 guests
  4. RouterOS
  5. General