Firewall info/question

Hi,

I have one MikroTik RouterOS AP with Hotspot configured.

I can see that the traffic counted by the bold/underlined filter rules is far bigger than in the other filter rules. Why? What happens if I delete these bold/underlined rules?
I need to accept only the traffic listed in the accept rules (like port 80) and the msn chain, and count/drop the traffic in the drop rules (like port 3389). I think these bold/underlined rules permit traffic not listed in the accept filter rules. Why?

I have these filter rules in my firewall:


/ip firewall filter
add chain=input action=accept connection-state=established comment="accept established connection packets" disabled=no
add chain=input action=accept connection-state=related comment="accept related connection packets" disabled=no

add chain=input action=drop connection-state=invalid comment="drop invalid packets" disabled=no
add chain=input action=drop dst-port=80 protocol=tcp connection-limit=200,0 comment="limit total http connections to 200" disabled=no
add chain=input action=drop protocol=tcp psd=21,3s,3,1 comment="detect and drop port scan connections" disabled=no
add chain=input action=jump jump-target=ICMP protocol=icmp comment="jump to chain ICMP" disabled=no
add chain=input action=jump jump-target=services comment="jump to chain services" disabled=no
add chain=input action=drop comment="" disabled=no

add chain=ICMP action=accept protocol=icmp icmp-options=0:0-255 limit=5,5 comment="0:0 and limit for 5pac/s" disabled=no
add chain=ICMP action=accept protocol=icmp icmp-options=3:3 limit=5,5 comment="3:3 and limit for 5pac/s" disabled=no
add chain=ICMP action=accept protocol=icmp icmp-options=3:4 limit=5,5 comment="3:4 and limit for 5pac/s" disabled=no
add chain=ICMP action=accept protocol=icmp icmp-options=8:0-255 limit=5,5 comment="8:0 and limit for 5pac/s" disabled=no
add chain=ICMP action=accept protocol=icmp icmp-options=11:0-255 limit=5,5 comment="11:0 and limit for 5pac/s" disabled=no
add chain=ICMP action=drop protocol=icmp comment="Drop everything else" disabled=no

add chain=services action=accept src-address=127.0.0.1 dst-address=127.0.0.1 comment="accept localhost" disabled=no
add chain=services action=drop dst-port=20-21 protocol=tcp comment="drop ftp" disabled=no
add chain=services action=accept dst-port=22 protocol=tcp comment="allow sftp, ssh" disabled=no
add chain=services action=accept dst-port=23 protocol=tcp comment="drop telnet" disabled=no
add chain=services action=accept dst-port=80 protocol=tcp comment="allow http, webbox" disabled=no
add chain=services action=accept dst-port=8291 protocol=tcp comment="Allow winbox" disabled=no
add chain=services action=accept dst-port=20561 protocol=udp comment="allow MACwinbox" disabled=no
add chain=services action=accept dst-port=2000 protocol=tcp comment="Bandwidth server" disabled=no
add chain=services action=accept dst-port=5678 protocol=udp comment="MT Discovery Protocol" disabled=no
add chain=services action=accept dst-port=53 protocol=tcp comment="allow DNS request" disabled=no
add chain=services action=accept dst-port=53 protocol=udp comment="Allow DNS request" disabled=no
add chain=services action=drop dst-port=1701 protocol=udp comment="drop L2TP" disabled=no
add chain=services action=accept dst-port=1723 protocol=tcp comment="allow PPTP" disabled=no
add chain=services action=accept protocol=gre comment="allow PPTP and EoIP" disabled=no
add chain=services action=accept protocol=ipencap comment="allow IPIP" disabled=no
add chain=services action=accept dst-port=1900 protocol=udp comment="UPnP" disabled=no
add chain=services action=accept dst-port=2828 protocol=tcp comment="UPnP" disabled=no
add chain=services action=accept dst-port=67-68 protocol=udp comment="allow DHCP" disabled=no
add chain=services action=accept dst-port=8080 protocol=tcp comment="allow Web Proxy" disabled=no
add chain=services action=accept dst-port=123 protocol=tcp comment="allow NTP" disabled=no
add chain=services action=accept dst-port=161 protocol=tcp comment="allow SNMP" disabled=no
add chain=services action=accept dst-port=443 protocol=tcp comment="allow https for Hotspot" disabled=no
add chain=services action=accept dst-port=1080 protocol=tcp comment="allow Socks for Hotspot" disabled=no
add chain=services action=accept dst-port=500 protocol=udp comment="allow IPSec connections" disabled=no
add chain=services action=accept protocol=ipsec-esp comment="allow IPSec" disabled=no
add chain=services action=accept protocol=ipsec-ah comment="allow IPSec" disabled=no
add chain=services action=accept dst-port=179 protocol=tcp comment="Allow BGP" disabled=no
add chain=services action=accept dst-port=520-521 protocol=udp comment="allow RIP" disabled=no
add chain=services action=accept protocol=ospf comment="allow OSPF" disabled=no
add chain=services action=accept dst-port=5000-5100 protocol=udp comment="allow BGP" disabled=no
add chain=services action=drop dst-port=1720 protocol=tcp comment="drop Telephony" disabled=no
add chain=services action=drop dst-port=1719 protocol=udp comment="drop Telephony" disabled=no
add chain=services action=drop protocol=vrrp comment="drop VRRP" disabled=no
add chain=services action=return comment="" disabled=no

add chain=forward action=accept connection-state=established comment="accept established packets" disabled=no
add chain=forward action=accept connection-state=related comment="accept related packets" disabled=no

add chain=forward action=drop connection-state=invalid comment="drop invalid packets" disabled=no
add chain=forward action=jump jump-target=ICMP protocol=icmp comment="jump to chain ICMP" disabled=no
add chain=forward action=jump jump-target=virus comment="jump to virus chain" disabled=no
add chain=forward action=jump jump-target=msn comment="jump to msn chain" disabled=no
add chain=forward action=jump jump-target=services_OUT comment="jump to services_OUT chain" disabled=no
add chain=forward action=drop comment="" disabled=no

add chain=msn action=accept dst-port=1863 protocol=tcp comment="MESSENGER OK" disabled=no
add chain=msn action=accept dst-address=207.46.110.0/24 protocol=tcp comment="MESSENGER OK servers" disabled=no
add chain=msn action=accept dst-port=5190 protocol=tcp comment="MESSENGER OK" disabled=no
add chain=msn action=accept dst-port=6901 protocol=tcp comment="MESSENGER OK voice computer-computer" disabled=no
add chain=msn action=accept dst-port=6901 protocol=udp comment="MESSENGER OK voice computer-computer" disabled=no
add chain=msn action=accept dst-port=6891-6900 protocol=tcp comment="MESSENGER OK file transfer" disabled=no
add chain=msn action=accept dst-port=2001-2120 protocol=udp comment="MESSENGER OK voice computer to phone" disabled=no
add chain=msn action=accept dst-port=6801 protocol=udp comment="MESSENGER OK voice computer to phone" disabled=no
add chain=msn action=accept dst-port=6901 protocol=udp comment="MESSENGER OK voice computer to phone" disabled=no
add chain=msn action=accept dst-port=5050 protocol=tcp comment="yahoo MESSENGER OK" disabled=no
add chain=msn action=accept dst-port=5000-5001 protocol=tcp comment="yahoo MESSENGER OK" disabled=no
add chain=msn action=accept dst-port=5100-5101 protocol=tcp comment="yahoo MESSENGER OK" disabled=no
add chain=msn action=accept dst-port=5000-5010 protocol=udp comment="yahoo MESSENGER OK" disabled=no
add chain=msn action=return comment="" disabled=no

add chain=virus action=drop dst-port=135-139 protocol=tcp comment="Drop Blaster Worm" disabled=no
add chain=virus action=drop dst-port=135-139 protocol=udp comment="Drop Messenger Worm" disabled=no
add chain=virus action=drop dst-port=445 protocol=tcp comment="Drop Blaster Worm" disabled=no
add chain=virus action=drop dst-port=445 protocol=udp comment="Drop Blaster Worm" disabled=no
add chain=virus action=drop dst-port=593 protocol=tcp comment="________" disabled=no
add chain=virus action=drop dst-port=1024-1030 protocol=tcp comment="________" disabled=no
add chain=virus action=drop dst-port=1080 protocol=tcp comment="Drop MyDoom" disabled=no
add chain=virus action=drop dst-port=1214 protocol=tcp comment="________" disabled=no
add chain=virus action=drop dst-port=1363 protocol=tcp comment="ndm requester" disabled=no
add chain=virus action=drop dst-port=1364 protocol=tcp comment="ndm server" disabled=no
add chain=virus action=drop dst-port=1368 protocol=tcp comment="screen cast" disabled=no
add chain=virus action=drop dst-port=1373 protocol=tcp comment="hromgrafx" disabled=no
add chain=virus action=drop dst-port=1377 protocol=tcp comment="cichlid" disabled=no
add chain=virus action=drop dst-port=1433-1434 protocol=tcp comment="Worm" disabled=no
add chain=virus action=drop dst-port=2745 protocol=tcp comment="Bagle Virus" disabled=no
add chain=virus action=drop dst-port=2283 protocol=tcp comment="Drop Dumaru.Y" disabled=no
add chain=virus action=drop dst-port=2535 protocol=tcp comment="Drop Beagle" disabled=no
add chain=virus action=drop dst-port=2745 protocol=tcp comment="Drop Beagle.C-K" disabled=no
add chain=virus action=drop dst-port=3127-3128 protocol=tcp comment="Drop MyDoom" disabled=no
add chain=virus action=drop dst-port=3410 protocol=tcp comment="Drop Backdoor OptixPro" disabled=no
add chain=virus action=drop dst-port=4444 protocol=tcp comment="Worm" disabled=no
add chain=virus action=drop dst-port=4444 protocol=udp comment="Worm" disabled=no
add chain=virus action=drop dst-port=5554 protocol=tcp comment="Drop Sasser" disabled=no
add chain=virus action=drop dst-port=8866 protocol=tcp comment="Drop Beagle.B" disabled=no
add chain=virus action=drop dst-port=9898 protocol=tcp comment="Drop Dabber.A-B" disabled=no
add chain=virus action=drop dst-port=10000 protocol=tcp comment="Drop Dumaru.Y" disabled=no
add chain=virus action=drop dst-port=10080 protocol=tcp comment="Drop MyDoom.B" disabled=no
add chain=virus action=drop dst-port=12345 protocol=tcp comment="Drop NetBus" disabled=no
add chain=virus action=drop dst-port=17300 protocol=tcp comment="Drop Kuang2" disabled=no
add chain=virus action=drop dst-port=27374 protocol=tcp comment="Drop SubSeven" disabled=no
add chain=virus action=drop dst-port=65506 protocol=tcp comment="Drop PhatBot, Gaobot" disabled=no

add chain=services_OUT action=accept src-address=127.0.0.1 dst-address=127.0.0.1 comment="accept localhost" disabled=no
add chain=services_OUT action=drop dst-port=20-21 protocol=tcp comment="drop ftp" disabled=no
add chain=services_OUT action=drop dst-port=22 protocol=tcp comment="drop sftp, ssh" disabled=no
add chain=services_OUT action=drop dst-port=23 protocol=tcp comment="drop telnet" disabled=no
add chain=services_OUT action=accept dst-port=8291 protocol=tcp comment="Allow winbox" disabled=no
add chain=services_OUT action=accept dst-port=20561 protocol=udp comment="allow MACwinbox" disabled=no
add chain=services_OUT action=accept dst-port=2000 protocol=tcp comment="Bandwidth server" disabled=no
add chain=services_OUT action=accept dst-port=5678 protocol=udp comment="MT Discovery Protocol" disabled=no
add chain=services_OUT action=accept dst-port=53 protocol=tcp comment="allow DNS request" disabled=no
add chain=services_OUT action=accept dst-port=53 protocol=udp comment="Allow DNS request" disabled=no
add chain=services_OUT action=drop dst-port=1701 protocol=udp comment="drop L2TP" disabled=no
add chain=services_OUT action=drop dst-port=3389 protocol=udp comment="drop Remote Desktop" disabled=no
add chain=services_OUT action=drop dst-port=4899 protocol=udp comment="drop RADMIN" disabled=no
add chain=services_OUT action=accept dst-port=1723 protocol=tcp comment="allow PPTP" disabled=no
add chain=services_OUT action=accept dst-port=6665-6669 protocol=tcp comment="allow IRC" disabled=no
add chain=services_OUT action=accept dst-port=6665-6669 protocol=udp comment="allow IRC" disabled=no
add chain=services_OUT action=accept protocol=gre comment="allow PPTP and EoIP" disabled=no
add chain=services_OUT action=accept protocol=ipencap comment="allow IPIP" disabled=no
add chain=services_OUT action=accept dst-port=1900 protocol=udp comment="UPnP" disabled=no
add chain=services_OUT action=accept dst-port=2828 protocol=tcp comment="UPnP" disabled=no
add chain=services_OUT action=accept dst-port=67-68 protocol=udp comment="allow DHCP" disabled=no
add chain=services_OUT action=accept dst-port=8080 protocol=tcp comment="allow Web Proxy" disabled=no
add chain=services_OUT action=drop dst-port=36013 protocol=tcp comment="drop Skype by default" disabled=no
add chain=services_OUT action=accept dst-port=123 protocol=tcp comment="allow NTP" disabled=no
add chain=services_OUT action=accept dst-port=161 protocol=tcp comment="allow SNMP" disabled=no
add chain=services_OUT action=accept dst-port=80 protocol=tcp comment="allow http" disabled=no
add chain=services_OUT action=accept dst-port=443 protocol=tcp comment="allow https for Hotspot" disabled=no
add chain=services_OUT action=accept dst-port=1080 protocol=tcp comment="allow Socks for Hotspot" disabled=no
add chain=services_OUT action=accept dst-port=500 protocol=udp comment="allow IPSec connections" disabled=no
add chain=services_OUT action=accept protocol=ipsec-esp comment="allow IPSec" disabled=no
add chain=services_OUT action=accept protocol=ipsec-ah comment="allow IPSec" disabled=no
add chain=services_OUT action=accept dst-port=179 protocol=tcp comment="Allow BGP" disabled=no
add chain=services_OUT action=accept dst-port=520-521 protocol=udp comment="allow RIP" disabled=no
add chain=services_OUT action=accept protocol=ospf comment="allow OSPF" disabled=no
add chain=services_OUT action=accept dst-port=5000-5100 protocol=udp comment="allow BGP" disabled=no
add chain=services_OUT action=drop dst-port=1720 protocol=tcp comment="drop Telephony" disabled=no
add chain=services_OUT action=drop dst-port=1719 protocol=udp comment="drop Telephony" disabled=no
add chain=services_OUT action=drop protocol=vrrp comment="drop VRRP" disabled=no
add chain=services_OUT action=accept dst-port=110 protocol=tcp comment="allow email POP3" disabled=no
add chain=services_OUT action=accept dst-port=25 protocol=tcp comment="allow email SMTP" disabled=no
add chain=services_OUT action=accept dst-port=465 protocol=tcp comment="allow email SMTPs" disabled=no
add chain=services_OUT action=accept dst-port=995 protocol=tcp comment="allow email sPOP3" disabled=no
add chain=services_OUT action=accept dst-port=143 protocol=tcp comment="allow email IMAP4" disabled=no
add chain=services_OUT action=accept dst-port=993 protocol=tcp comment="allow email sIMAP4" disabled=no
add chain=services_OUT action=return comment="" disabled=no

add chain=output action=drop connection-state=invalid comment="drop invalid packets" disabled=no
add chain=output action=accept connection-state=established comment="accept established packets" disabled=no
add chain=output action=accept connection-state=related comment="accept related packets" disabled=no

add chain=output action=jump jump-target=ICMP protocol=icmp comment="jump to chain ICMP" disabled=no
add chain=output action=jump jump-target=virus comment="jump to virus chain" disabled=no
add chain=output action=jump jump-target=msn comment="jump to msn chain" disabled=no
add chain=output action=jump jump-target=services_OUT comment="jump to services_OUT chain" disabled=no
add chain=output action=drop comment="" disabled=no

Thanks!
Martín.

There is a lot of established and related state, so if you want this to work better, change the order of your rules. First drop, then allow; that will solve your problem.

Hi!

Would a structure like this work better?

add chain=output action=drop connection-state=invalid comment="drop invalid packets" disabled=no
add chain=output action=jump jump-target=ICMP protocol=icmp comment="jump to chain ICMP" disabled=no
add chain=output action=jump jump-target=virus comment="jump to virus chain" disabled=no
add chain=output action=jump jump-target=msn comment="jump to msn chain" disabled=no
add chain=output action=jump jump-target=services_OUT comment="jump to services_OUT chain" disabled=no
add chain=output action=accept connection-state=established comment="accept established packets" disabled=no
add chain=output action=accept connection-state=related comment="accept related packets" disabled=no
add chain=output action=drop comment="" disabled=no

Thanks,
Martín.
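The question in this thread is why the connection-state accept rules count so much more traffic than the per-port rules, and whether moving them changes what gets through. The following is an added example, not code from the thread or from MikroTik: a small first-match simulator for RouterOS-style chains (accept/drop/jump/return, connection-state and protocol/dst-port matches) run over a constructed three-rule subset of the output and services_OUT chains in both orders; the rule ids and the sample traffic are made up.

```python
# Added example, not from the thread: a minimal first-match simulator for
# RouterOS-style filter chains, covering only what the posted ruleset uses
# (accept/drop/jump/return, connection-state and protocol/dst-port matches).
# Rule ids, the three-rule services_OUT subset and the traffic are constructed.

def matches(rule, pkt):
    """Every match field set on the rule must equal the packet's value."""
    return all(pkt.get(k) == v for k, v in rule.get("match", {}).items())

def evaluate(chains, chain, pkt, counters):
    """Walk a chain top-down; the first terminating match wins.
    Returns 'accept' or 'drop', or None when the chain returns/falls off the end."""
    for rule in chains[chain]:
        if not matches(rule, pkt):
            continue
        counters[rule["id"]] = counters.get(rule["id"], 0) + 1
        if rule["action"] in ("accept", "drop"):
            return rule["action"]
        if rule["action"] == "jump":
            verdict = evaluate(chains, rule["target"], pkt, counters)
            if verdict is not None:
                return verdict
        elif rule["action"] == "return":
            return None
    return None

SERVICES_OUT = [
    {"id": "drop-rdp", "action": "drop", "match": {"protocol": "udp", "dst-port": 3389}},
    {"id": "allow-http", "action": "accept", "match": {"protocol": "tcp", "dst-port": 80}},
    {"id": "return", "action": "return"},
]
ESTABLISHED = {"id": "established", "action": "accept",
               "match": {"connection-state": "established"}}
JUMP = {"id": "jump-services", "action": "jump", "target": "services_OUT"}
FINAL_DROP = {"id": "final-drop", "action": "drop"}
# Output chain as posted (state rule first) and as the reply suggests (jumps first).
AS_POSTED = {"output": [ESTABLISHED, JUMP, FINAL_DROP], "services_OUT": SERVICES_OUT}
REORDERED = {"output": [JUMP, ESTABLISHED, FINAL_DROP], "services_OUT": SERVICES_OUT}

# Constructed traffic: one TCP/80 session (first packet + 4 follow-ups), then a new UDP/3389 packet.
TRAFFIC = ([{"protocol": "tcp", "dst-port": 80, "connection-state": "new"}]
           + [{"protocol": "tcp", "dst-port": 80, "connection-state": "established"}] * 4
           + [{"protocol": "udp", "dst-port": 3389, "connection-state": "new"}])

def run(chains, packets=TRAFFIC):
    """Return (verdict per packet, hit count per rule id) for one chain layout."""
    counters = {}
    return [evaluate(chains, "output", p, counters) for p in packets], counters
```

Both layouts give the same verdicts (the new UDP/3389 packet is dropped, the TCP/80 session is accepted); only the counters move, because a first packet is never in state established and so is always checked by services_OUT, while every later packet of an already-accepted session is what the established rule counts.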