GanFall
November 8, 2012, 12:13pm
1
Hi all,
I have a Mikrotik RouterBoard 750G. I am still learning how to use it, but I was already able to set up an unbreakable firewall, with the help of Google naturally. This firewall is so great that I need to open a specific port and address for every service which I need to use. So my question is: in case my firewall drops all traffic which is not accepted by a rule, what rule should I create to accept uTorrent? I have already set up NAT that forwards the necessary port, but from what I have learnt from the web, uTorrent uses another port and IP every time, so I don't know how I could push the uTorrent connection outside the firewall.
Setting allow p2p-all is not working either.
Could someone help me find the answer to my newbie problem?
You could enable UPnP and let uTorrent open the port itself, or you can specify a port in the uTorrent preferences and then forward that using NAT. Make sure the option “randomize port each start” is unticked in Preferences - Connection in uTorrent.
GanFall
November 10, 2012, 9:25pm
3
Hello, thanks for the answer, but I would like to do it without UPnP. This forwarding by NAT is working (randomize port is disabled), but uTorrent still tries to connect to some IP addresses and random ports, and as I mentioned before, my firewall rules will block everything that is not allowed. I can see that these ports are just servers, because when I try to connect to France or London, every time it is another IP and port.
I will post here my firewall rules later.
GanFall
November 13, 2012, 5:25pm
4
My firewall settings:
/ip firewall filter
add action=accept chain=forward comment=\
"Allow traffic between wired and wireless networks" disabled=no \
in-interface=ether2-local-master out-interface=ether2-local-master
add action=accept chain=forward comment=IPTV1 disabled=no dst-address-list=\
IP_tv-addr protocol=tcp src-address-list=local-addr src-port=\
1000-5000,9081,9082
add action=accept chain=forward comment="P2P Emule TCP" disabled=yes dst-port=\
11158 protocol=tcp
add action=accept chain=forward comment="P2P Emule UDP" disabled=yes dst-port=\
12862 protocol=udp
add action=accept chain=forward disabled=yes dst-address=178.86.3.184 \
dst-port=4184 protocol=tcp src-address=192.168.88.251 src-port=3484
add action=accept chain=input comment=IGMP disabled=no protocol=igmp
add action=accept chain=input disabled=no protocol=udp
add action=accept chain=forward disabled=no protocol=udp
add action=jump chain=forward comment="Sanity Check Forward" disabled=no \
jump-target=sanity-check
add action=jump chain=sanity-check comment="Deny illegal NAT traversal" \
disabled=no jump-target=drop packet-mark=nat-traversal
add action=add-src-to-address-list address-list=blocked-addr \
address-list-timeout=1d chain=sanity-check comment="Block port scans" \
disabled=no protocol=tcp psd=20,3s,3,1
add action=add-src-to-address-list address-list=blocked-addr \
address-list-timeout=1d chain=sanity-check comment="Block TCP Null scan" \
disabled=no protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list=blocked-addr \
address-list-timeout=1d chain=sanity-check comment="Block TCP Xmas scan" \
disabled=no protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=jump chain=sanity-check disabled=no jump-target=drop protocol=tcp \
src-address-list=blocked-addr
add action=accept chain=public-services comment="SSH (22/TCP)" \
connection-mark=ssh disabled=no
add action=jump chain=sanity-check comment="Drop TCP RST" disabled=no \
jump-target=drop protocol=tcp tcp-flags=rst
add action=jump chain=sanity-check comment="Drop TCP SYN+FIN" disabled=no \
jump-target=drop protocol=tcp tcp-flags=fin,syn
add action=jump chain=sanity-check comment=\
"Dropping invalid connections at once" connection-state=invalid disabled=\
no jump-target=drop
add action=accept chain=sanity-check comment=\
"Accepting already established connections" connection-state=established \
disabled=no
add action=accept chain=sanity-check comment=\
"Also accepting related connections" connection-state=related disabled=no
add action=jump chain=sanity-check comment=\
"Drop all traffic that goes to multicast or broadcast addresses" disabled=\
no dst-address-type=broadcast,multicast jump-target=drop
add action=jump chain=sanity-check comment=\
"Drop illegal destination addresses" disabled=no dst-address-list=\
illegal-addr dst-address-type=!local in-interface=ether2-local-master \
jump-target=drop
add action=jump chain=sanity-check comment="Drop everything that goes from loca\
l interface but not from local address" disabled=no in-interface=\
ether2-local-master jump-target=drop src-address-list=!local-addr
add action=jump chain=sanity-check comment="Drop illegal source addresses" \
disabled=no in-interface=ether1-gateway jump-target=drop src-address-list=\
illegal-addr
add action=jump chain=sanity-check comment=\
"Drop everything that goes from public interface but not to local address" \
disabled=no dst-address-list=!local-addr in-interface=ether1-gateway \
jump-target=drop
add action=accept chain=forward comment=BSGO disabled=yes dst-address-list=\
BSGO-addr dst-port=27051,27050,9338,843 hotspot="" protocol=tcp \
src-address-list=local-addr
add action=accept chain=forward comment=STO disabled=yes dst-address-list=\
STO-addr dst-port=7000-7500 hotspot="" protocol=tcp src-address-list=\
local-addr
add action=accept chain=forward comment=VPN disabled=yes dst-address-list=\
VPN-addr dst-port=500,4500,10000,86 protocol=udp src-address-list=\
local-addr
add action=accept chain=forward disabled=yes dst-address-list=VPN-addr \
dst-port=10000,86 protocol=tcp src-address-list=local-addr
add action=jump chain=sanity-check comment=\
"Drop all traffic that comes from multicast or broadcast addresses" \
disabled=no jump-target=drop src-address-type=broadcast,multicast
add action=jump chain=forward disabled=no jump-target=restrict-tcp protocol=\
tcp
add action=jump chain=forward disabled=no jump-target=restrict-udp protocol=\
udp
add action=jump chain=forward disabled=no jump-target=restrict-ip
add action=reject chain=restrict-tcp connection-mark=auth disabled=no \
reject-with=icmp-network-unreachable
add action=jump chain=restrict-tcp comment="anti-spam policy" connection-mark=\
smtp disabled=no jump-target=smtp-first-drop
add action=add-src-to-address-list address-list=approved-smtp \
address-list-timeout=0s chain=smtp-first-drop disabled=no \
src-address-list=first-smtp
add action=return chain=smtp-first-drop disabled=no src-address-list=\
approved-smtp
add action=add-src-to-address-list address-list=first-smtp \
address-list-timeout=0s chain=smtp-first-drop disabled=no
add action=reject chain=smtp-first-drop disabled=no reject-with=\
icmp-network-unreachable
add action=jump chain=restrict-tcp connection-mark=other-tcp disabled=no \
jump-target=drop
add action=jump chain=restrict-udp connection-mark=other-udp disabled=no \
jump-target=drop
add action=jump chain=restrict-ip connection-mark=other disabled=no \
jump-target=drop
add action=accept chain=input comment=\
"Allow local traffic (between router applications)" disabled=no \
dst-address-type=local src-address-type=local
add action=jump chain=input comment="DHCP protocol would not pass sanity checki\
ng, so enabling it explicitly before other checks" disabled=no dst-port=67 \
in-interface=ether2-local-master jump-target=dhcp protocol=udp src-port=68
add action=jump chain=input comment="Sanity Check" disabled=no jump-target=\
sanity-check
add action=accept chain=local-services comment="Winbox (8291/TCP)" \
connection-mark=winbox disabled=no
add action=jump chain=input comment="Dropping packets not destined to the route\
r itself, including all broadcast traffic" disabled=no dst-address-type=\
!local jump-target=drop
add action=accept chain=input comment=\
"Allow pings, but at a very limited rate (5 packets per sec)" \
connection-mark=ping disabled=no limit=5,5
add action=jump chain=input comment=\
"Allowing some services to be accessible from the local network" disabled=\
no in-interface=ether2-local-master jump-target=local-services
add action=jump chain=input comment=\
"Allowing some services to be accessible from the Internet" disabled=no \
in-interface=ether1-gateway jump-target=public-services
add action=jump chain=input disabled=no jump-target=drop
add action=accept chain=dhcp disabled=no dst-address=255.255.255.255 \
src-address=0.0.0.0
add action=accept chain=dhcp disabled=no dst-address-type=local src-address=\
0.0.0.0
add action=accept chain=dhcp disabled=no dst-address-type=local \
src-address-list=local-addr
add action=accept chain=local-services comment="SSH (22/TCP)" connection-mark=\
ssh disabled=no
add action=accept chain=local-services comment=DNS connection-mark=dns \
disabled=no
add action=accept chain=local-services comment="HTTP Proxy (3128/TCP)" \
connection-mark=proxy disabled=no
add action=log chain=local-services comment="Log & Drop Other Local Services" \
disabled=no log-prefix=""
add action=drop chain=local-services disabled=no
add action=accept chain=public-services comment="Winbox (8291/TCP)" \
connection-mark=winbox disabled=no
add action=accept chain=public-services comment="PPTP (1723/TCP)" \
connection-mark=pptp disabled=no
add action=accept chain=public-services comment="GRE for PPTP" \
connection-mark=gre disabled=no
add action=log chain=public-services comment=\
"Log & Drop Other ether1-gateway Services" disabled=no log-prefix=""
add action=drop chain=public-services disabled=no
add action=accept chain=forward comment=uTorrent connection-mark=bittorrent \
disabled=yes packet-mark=bittorrent src-address-list=local-addr
add action=log chain=drop comment="Log Everything that we drop" disabled=yes \
log-prefix=""
add action=drop chain=drop disabled=no
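An added example of how the reply's suggestion (fixed listen port plus NAT forward) fits into the ruleset posted above; it is not the poster's configuration. It assumes the torrent PC is 192.168.88.251 (the host that appears in the export), that uTorrent listens on a fixed port 51413 (a placeholder for whatever port is set with "randomize port each start" unticked), and it reuses the interface and address-list names from the export.

```routeros
# Added example, not part of the thread. Lets uTorrent on one LAN host through the
# ruleset posted above. Assumptions: the torrent PC is 192.168.88.251 (the host that
# appears in the export), uTorrent listens on fixed port 51413 (placeholder: use the
# port set in uTorrent with "randomize port each start" unticked), and the names
# ether1-gateway, ether2-local-master and local-addr are the ones from the export.

# 1. Inbound: send the fixed port from the Internet side to the torrent host.
/ip firewall nat
add chain=dstnat in-interface=ether1-gateway protocol=tcp dst-port=51413 \
    action=dst-nat to-addresses=192.168.88.251 to-ports=51413 comment="uTorrent in TCP"
add chain=dstnat in-interface=ether1-gateway protocol=udp dst-port=51413 \
    action=dst-nat to-addresses=192.168.88.251 to-ports=51413 comment="uTorrent in UDP"

# 2. Forward chain. Two TCP accepts are needed: inbound peers to the forwarded port
#    (after dst-nat the forward chain sees the private address), and the outbound
#    connections the client itself opens to peers. Peer IPs and ports are random, so
#    the outbound rule can only be pinned to the single source host, not to a port.
#    UDP is already passed by the existing "accept chain=forward protocol=udp" rule.
#    Both rules match port/host directly instead of connection-mark, because the
#    mangle rules that would set the bittorrent/other-tcp marks are not in the export.
#    place-before puts them above the jump to restrict-tcp, which drops everything
#    marked other-tcp; the posted (disabled) uTorrent rule sits below that jump and
#    would never see such traffic even if enabled.
/ip firewall filter
add chain=forward in-interface=ether1-gateway protocol=tcp dst-address=192.168.88.251 \
    dst-port=51413 connection-state=new action=accept comment="uTorrent inbound TCP" \
    place-before=[find chain=forward jump-target=restrict-tcp]
add chain=forward in-interface=ether2-local-master out-interface=ether1-gateway \
    src-address=192.168.88.251 protocol=tcp connection-state=new action=accept \
    comment="uTorrent outbound TCP (single host; peer IP/port vary)" \
    place-before=[find chain=forward jump-target=restrict-tcp]

# 3. Check the result: the two accepts must print above the restrict-tcp jump. While
#    testing, enable the posted "Log Everything that we drop" rule to see what still
#    reaches the drop chain, then disable it again once the client connects.
/ip firewall filter print where chain=forward
/ip firewall filter enable [find comment="Log Everything that we drop"]
/log print where topics~"firewall"
```

Return traffic for both directions is already covered by the established/related accepts in the sanity-check chain, so no extra rules are needed for it.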