firewall

gianluca · September 25, 2005, 3:11pm

it would be useful to have a sample of correct firewall rules for a border router to avoid attacks, viruses etc..

i know that there are some topics on the forum about virus chain … but it would be useful to write down ALL we need to think about to protect the network.

thanks Gianluca

Snowy · October 6, 2005, 6:55am

YES, please paste a FINAL firewall code for virus protection and make it sticky. There are quite a few different codes for 2.9 on this forum, but I don;t know which to trust, because some1 always has a comment regarding how correct it is, Last one I saw was:

/ip firewall filter add chain=virus comment=“Reglas Antivirus”

/ip firewall filter add chain=forward connection-state=invalid action=drop comment=“Drop invalid connections” disabled=no
/ip firewall filter add chain=forward connection-state=established action=accept comment=“Established Connections” disabled=no
/ip firewall filter add chain=forward connection-state=related action=accept comment=“Related connections” disabled=no
/ip firewall filter add chain=forward action=jump jump-target=virus comment=“!!! Check for well-known viruses !!!” disabled=no
/ip firewall filter add chain=forward protocol=udp action=accept comment=“UDP” disabled=no
/ip firewall filter add chain=forward protocol=icmp limit=50/5,2 action=accept comment=“Allow limited Pings” disabled=no
/ip firewall filter add chain=forward protocol=icmp action=drop comment=“Drop excess pings” disabled=no

/ip firewall filter add chain=input connection-state=invalid action=drop comment=“Drop invalid connections” disabled=no
/ip firewall filter add chain=input tcp-flags=!syn connection-state=established action=accept comment=“Accept established connections” disabled=no
/ip firewall filter add chain=input connection-state=related action=accept comment=“Accept related connections” disabled=no
/ip firewall filter add chain=input action=jump jump-target=virus comment=“!!! Check for well-known viruses !!!” disabled=no
/ip firewall filter add chain=input protocol=udp action=accept comment=“UDP” disabled=no
/ip firewall filter add chain=input protocol=icmp limit=50/5,2 action=accept comment=“Allow limited pings” disabled=no
/ip firewall filter add chain=input protocol=icmp action=drop comment=“Drop excess pings” disabled=no
/ip firewall filter add chain=input dst-port=22 protocol=tcp action=accept comment=“SSH for demo purposes” disabled=no
/ip firewall filter add chain=input dst-port=23 protocol=tcp action=accept comment=“Telnet for demo purposes” disabled=no
/ip firewall filter add chain=input dst-port=80 protocol=tcp action=accept comment=“http for demo purposes” disabled=no
/ip firewall filter add chain=input dst-port=3987 protocol=tcp action=accept comment=“winbox for demo purposes” disabled=no
/ip firewall filter add chain=input action=accept log=yes comment=“Log and drop everything else” disabled=no

/ip firewall filter add chain=virus dst-port=135-139 protocol=tcp action=drop comment=“Drop Blaster Worm” disabled=no
/ip firewall filter add chain=virus dst-port=135-139 protocol=udp action=drop comment=“Drop Messenger Worm” disabled=no
/ip firewall filter add chain=virus dst-port=445 protocol=tcp action=drop comment=“Drop Blaster Worm” disabled=no
/ip firewall filter add chain=virus dst-port=445 protocol=udp action=drop comment=“Drop Blaster Worm” disabled=no
/ip firewall filter add chain=virus dst-port=593 protocol=tcp action=drop comment=“" disabled=no
/ip firewall filter add chain=virus dst-port=1024-1030 protocol=tcp action=drop comment="” disabled=no
/ip firewall filter add chain=virus dst-port=1080 protocol=tcp action=drop comment=“Drop MyDoom” disabled=no
/ip firewall filter add chain=virus dst-port=1214 protocol=tcp action=drop comment=“________” disabled=no
/ip firewall filter add chain=virus dst-port=1363 protocol=tcp action=drop comment=“ndm requester” disabled=no
/ip firewall filter add chain=virus dst-port=1364 protocol=tcp action=drop comment=“ndm server” disabled=no
/ip firewall filter add chain=virus dst-port=1368 protocol=tcp action=drop comment=“screen cast” disabled=no
/ip firewall filter add chain=virus dst-port=1373 protocol=tcp action=drop comment=“hromgrafx” disabled=no
/ip firewall filter add chain=virus dst-port=1377 protocol=tcp action=drop comment=“cichlid” disabled=no
/ip firewall filter add chain=virus dst-port=1433-1434 protocol=tcp action=drop comment=“Worm” disabled=no
/ip firewall filter add chain=virus dst-port=2745 protocol=tcp action=drop comment=“Bagle Virus” disabled=no
/ip firewall filter add chain=virus dst-port=2283 protocol=tcp action=drop comment=“Drop Dumaru.Y” disabled=no
/ip firewall filter add chain=virus dst-port=2535 protocol=tcp action=drop comment=“Drop Beagle” disabled=no
/ip firewall filter add chain=virus dst-port=2745 protocol=tcp action=drop comment=“Drop Beagle.C-K” disabled=no
/ip firewall filter add chain=virus dst-port=3127-3128 protocol=tcp action=drop comment=“Drop MyDoom” disabled=no
/ip firewall filter add chain=virus dst-port=3410 protocol=tcp action=drop comment=“Drop Backdoor OptixPro” disabled=no
/ip firewall filter add chain=virus dst-port=4444 protocol=tcp action=drop comment=“Worm” disabled=no
/ip firewall filter add chain=virus dst-port=4444 protocol=udp action=drop comment=“Worm” disabled=no
/ip firewall filter add chain=virus dst-port=5554 protocol=tcp action=drop comment=“Drop Sasser” disabled=no
/ip firewall filter add chain=virus dst-port=8866 protocol=tcp action=drop comment=“Drop Beagle.B” disabled=no
/ip firewall filter add chain=virus dst-port=9898 protocol=tcp action=drop comment=“Drop Dabber.A-B” disabled=no
/ip firewall filter add chain=virus dst-port=10000 protocol=tcp action=drop comment=“Drop Dumaru.Y” disabled=no
/ip firewall filter add chain=virus dst-port=10080 protocol=tcp action=drop comment=“Drop MyDoom.B” disabled=no
/ip firewall filter add chain=virus dst-port=12345 protocol=tcp action=drop comment=“Drop NetBus” disabled=no
/ip firewall filter add chain=virus dst-port=17300 protocol=tcp action=drop comment=“Drop Kuang2” disabled=no
/ip firewall filter add chain=virus dst-port=27374 protocol=tcp action=drop comment=“Drop SubSeven” disabled=no
/ip firewall filter add chain=virus dst-port=65506 protocol=tcp action=drop comment=“Drop PhatBot, Agobot, Gaobot” disabled=no

How correct is this??

gianluca · October 10, 2005, 7:04am

dont know. If you look at the test server of mk you probably can find more.
but still there is not so much explanation for it

maroon · October 10, 2005, 7:21am

how can I access the MT test server again? I lost the URL

thanks

yancho · October 10, 2005, 7:30am

demo2.mt.lv login: demo

wildbill442 · October 10, 2005, 4:37pm

umm…

why not just block everything and allow the services you need… Block ALL incoming, allow ALL outgoing. Then just add rules for the services you need and you’re protected against all virii..

Now if your a service provider there are obvious problems with doing this.. I just block the main services like NetBIOS and certain ports for SMTP and other services I don’t want clients running on the network. Then tell the customers its up to them to firewall and should invest in a hardware/software firewall.

maxfava · January 16, 2006, 6:06pm

Hi,
how my internet service provider dows not drop certain protocols, I want to do this to my customers.
How my service provider works? Have you any idea?