When setting up a firewall I thought I’d copy the settings from the MT demo router at demo2.mt.lv.
But as can be seen I get an error message when running the “ip firewall export” command. Why is that? Am I missing parts of the firewall when exporting?
[demo@demo2.mt.lv] > ip firewall export
# jul/31/2007 10:15:46 by RouterOS 3.0rc1
# software id = X9V6-YNT
#
#error exporting //ip firewall calea
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s tcp-close-wait-timeout=10s \
tcp-established-timeout=1d tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s tcp-syn-received-timeout=5s \
tcp-syn-sent-timeout=5s tcp-syncookie=no tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
.
.
.
As far as I can see I get all the firewall settings visible in Winbox this way so what does the error message mean?
And what is this “Calea” thing?
mrz
July 31, 2007, 9:57am
You get this error because the calea package is not enabled, so the exporter can’t export calea firewall settings.
This isn’t anything bad because all other rules will be exported correctly.
And calea is??
Another question:
I can see that input and forward chains jump to virus chain.
But there is no return statement at the end of the virus chain, so how does it return to the caller for packets that do not match any of the virus tests?
I post the entire dump here:
[demo@demo2.mt.lv] > ip firewall export
# jul/31/2007 12:28:46 by RouterOS 3.0rc1
# software id = X9V6-YNT
#
#error exporting //ip firewall calea
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s tcp-close-wait-timeout=10s \
tcp-established-timeout=1d tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s tcp-syn-received-timeout=5s \
tcp-syn-sent-timeout=5s tcp-syncookie=no tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
add action=accept chain=input comment="Established connections" connection-state=established disabled=no
add action=accept chain=input comment="Related connections" connection-state=related disabled=no
add action=log chain=input comment="Log invalid connections" connection-state=invalid disabled=no log-prefix="INVALID"
add action=drop chain=input comment="Drop invalid connections" connection-state=invalid disabled=no
add action=jump chain=input comment="!!! Check for well-known viruses !!!" disabled=no jump-target=virus
add action=accept chain=input comment="UDP" disabled=no protocol=udp
add action=accept chain=input comment="ICMP" disabled=no protocol=icmp
add action=accept chain=input comment="Allow PPTP" disabled=no dst-port=1723 protocol=tcp
add action=accept chain=input comment="Allow PPTP" disabled=no protocol=gre
add action=accept chain=input comment="From Mikrotikls" disabled=no src-address=159.148.147.192/28
add action=accept chain=input comment="From Mikrotikls" disabled=no src-address=159.148.172.192/28
add action=accept chain=input comment="From local net" disabled=no src-address=10.0.0.0/8
add action=accept chain=input comment="SSH for demo purposes" disabled=no dst-port=22 protocol=tcp
add action=accept chain=input comment="Telnet for demo purposes" disabled=no dst-port=23 protocol=tcp
add action=accept chain=input comment="http for demo purposes" disabled=no dst-port=80 protocol=tcp
add action=accept chain=input comment="winbox for demo purposes" disabled=no dst-port=8291 protocol=tcp
add action=log chain=input comment="Log everything else" disabled=no log-prefix="DROP"
add action=drop chain=input comment="Drop everything else" disabled=no
add action=accept chain=forward comment="Established connections" connection-state=established disabled=no
add action=accept chain=forward comment="Related connections" connection-state=related disabled=no
add action=log chain=forward comment="Log invalid connections" connection-state=invalid disabled=no \
log-prefix="INVALID"
add action=drop chain=forward comment="Drop invalid connections" connection-state=invalid disabled=no
add action=jump chain=forward comment="!!! Check for well-known viruses !!!" disabled=no jump-target=virus
add action=accept chain=forward comment="UDP" disabled=no protocol=udp
add action=accept chain=forward comment="ICMP" disabled=no protocol=icmp
add action=accept chain=forward comment="From Mikrotikls" disabled=no src-address=159.148.147.192/28
add action=accept chain=forward comment="From Mikrotikls" disabled=no src-address=159.148.172.192/28
add action=accept chain=forward comment="From local net" disabled=no src-address=10.0.0.0/8
add action=log chain=forward comment="Log everything else" disabled=no log-prefix="DROP"
add action=drop chain=forward comment="Drop everything else" disabled=no
add action=drop chain=virus comment="Drop Blaster Worm" disabled=no dst-port=135-139 protocol=tcp
add action=drop chain=virus comment="Drop Messenger Worm" disabled=no dst-port=135-139 protocol=udp
add action=drop chain=virus comment="Drop Blaster Worm" disabled=no dst-port=445 protocol=tcp
add action=drop chain=virus comment="Drop Blaster Worm" disabled=no dst-port=445 protocol=udp
add action=drop chain=virus comment="________" disabled=no dst-port=593 protocol=tcp
add action=drop chain=virus comment="________" disabled=no dst-port=1024-1030 protocol=tcp
add action=drop chain=virus comment="Drop MyDoom" disabled=no dst-port=1080 protocol=tcp
add action=drop chain=virus comment="________" disabled=no dst-port=1214 protocol=tcp
add action=drop chain=virus comment="ndm requester" disabled=no dst-port=1363 protocol=tcp
add action=drop chain=virus comment="ndm server" disabled=no dst-port=1364 protocol=tcp
add action=drop chain=virus comment="screen cast" disabled=no dst-port=1368 protocol=tcp
add action=drop chain=virus comment="hromgrafx" disabled=no dst-port=1373 protocol=tcp
add action=drop chain=virus comment="cichlid" disabled=no dst-port=1377 protocol=tcp
add action=drop chain=virus comment="Worm" disabled=no dst-port=1433-1434 protocol=tcp
add action=drop chain=virus comment="Bagle Virus" disabled=no dst-port=2745 protocol=tcp
add action=drop chain=virus comment="Drop Dumaru.Y" disabled=no dst-port=2283 protocol=tcp
add action=drop chain=virus comment="Drop Beagle" disabled=no dst-port=2535 protocol=tcp
add action=drop chain=virus comment="Drop Beagle.C-K" disabled=no dst-port=2745 protocol=tcp
add action=drop chain=virus comment="Drop MyDoom" disabled=no dst-port=3127-3128 protocol=tcp
add action=drop chain=virus comment="Drop Backdoor OptixPro" disabled=no dst-port=3410 protocol=tcp
add action=drop chain=virus comment="Worm" disabled=no dst-port=4444 protocol=tcp
add action=drop chain=virus comment="Worm" disabled=no dst-port=4444 protocol=udp
add action=drop chain=virus comment="Drop Sasser" disabled=no dst-port=5554 protocol=tcp
add action=drop chain=virus comment="Drop Beagle.B" disabled=no dst-port=8866 protocol=tcp
add action=drop chain=virus comment="Drop Dabber.A-B" disabled=no dst-port=9898 protocol=tcp
add action=drop chain=virus comment="Drop Dumaru.Y" disabled=no dst-port=10000 protocol=tcp
add action=drop chain=virus comment="Drop MyDoom.B" disabled=no dst-port=10080 protocol=tcp
add action=drop chain=virus comment="Drop NetBus" disabled=no dst-port=12345 protocol=tcp
add action=drop chain=virus comment="Drop Kuang2" disabled=no dst-port=17300 protocol=tcp
add action=drop chain=virus comment="Drop SubSeven" disabled=no dst-port=27374 protocol=tcp
add action=drop chain=virus comment="Drop PhatBot, Agobot, Gaobot" disabled=no dst-port=65506 protocol=tcp
add action=accept chain=output comment="" connection-state=established disabled=no
add action=accept chain=output comment="" connection-state=related disabled=no
add action=accept chain=output comment="" disabled=no dst-port=123 protocol=udp
add action=accept chain=output comment="To mailgw.mikrotik.com" disabled=no dst-address=159.148.147.199 dst-port=25 \
protocol=tcp
add action=log chain=output comment="" disabled=yes log-prefix="DROP"
add action=drop chain=output comment="" disabled=no
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no
set pptp disabled=no
[demo@demo2.mt.lv] >
BTW, is it possible to store port numbers in a list and use it for one-line matching (one for UDP and one for TCP), instead of one line for each proto/port?
mrz
July 31, 2007, 10:26am
If it didn’t match any firewall rule in the virus chain, it automatically jumps back to forward and goes through the rules after the jump rule.
Calea->
http://wiki.mikrotik.com/wiki/Calea
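To make the jump behaviour described in the answer above concrete, here is an added example (my own code, not from the thread or from RouterOS) that parses a constructed subset of the quoted export and walks the input chain: a jump into the virus chain that matches nothing returns to the caller, which carries on with the rule after the jump, while a match in the virus chain ends evaluation there. The port matcher also accepts comma-separated lists, which is my addition and not something the thread covers.

```python
import re
# Constructed subset of the demo2.mt.lv "ip firewall export" quoted in the thread.
EXPORT = """
add action=jump chain=input comment="!!! Check for well-known viruses !!!" disabled=no jump-target=virus
add action=accept chain=input comment="UDP" disabled=no protocol=udp
add action=accept chain=input comment="SSH for demo purposes" disabled=no dst-port=22 protocol=tcp
add action=log chain=input comment="Log everything else" disabled=no log-prefix="DROP"
add action=drop chain=input comment="Drop everything else" disabled=no
add action=drop chain=virus comment="Drop Blaster Worm" disabled=no dst-port=135-139 protocol=tcp
add action=drop chain=virus comment="Drop Messenger Worm" disabled=no dst-port=135-139 protocol=udp
add action=drop chain=virus comment="Drop Sasser" disabled=no dst-port=5554 protocol=tcp
"""
TOKEN = re.compile(r'(\S+?)=("[^"]*"|\S+)')   # key=value or key="quoted value"

def parse_rules(text):
    """Group the enabled 'add key=value ...' lines by chain, preserving rule order."""
    chains = {}
    for line in text.strip().splitlines():
        if line.startswith("add "):
            rule = {k: v.strip('"') for k, v in TOKEN.findall(line[4:])}
            if rule.get("disabled") != "yes":
                chains.setdefault(rule["chain"], []).append(rule)
    return chains

def port_matches(spec, port):
    """Accept a single port, a 'lo-hi' range, or a comma-separated list of either."""
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def rule_matches(rule, pkt):
    return (rule.get("protocol", pkt["protocol"]) == pkt["protocol"]
            and ("dst-port" not in rule or port_matches(rule["dst-port"], pkt["dst_port"])))

def walk(chains, chain, pkt):
    """Run a chain; returns 'accept'/'drop', or None if the chain ends without a verdict."""
    for rule in chains.get(chain, []):
        if not rule_matches(rule, pkt):
            continue
        if rule["action"] == "jump":
            verdict = walk(chains, rule["jump-target"], pkt)
            if verdict is not None:
                return verdict
            continue          # virus chain fell off its end: back to the caller, next rule
        if rule["action"] in ("accept", "drop"):
            return rule["action"]
        # log (and other non-terminating actions) fall through to the next rule
    return None               # built-in chain exhausted: RouterOS accepts the packet
```

Running walk(parse_rules(EXPORT), "input", {"protocol": "tcp", "dst_port": 22}) gives "accept" (the virus chain matched nothing, so the SSH rule after the jump was reached), while dst_port 5554 gives "drop" from inside the virus chain.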