i need sample firewall rules help??????????????????

For the first time I am configuring the firewall on a p2p link and for an access point radio.

So I can't understand how to enable the firewall on the radio and the p2p link.
If I want to block viruses
and only allow this address 192.168.1.1.254, then how will it be configured?

Can anyone send me the sample firewall rules??? :slight_smile:

http://wiki.mikrotik.com/wiki/Firewall

Always search the wiki and forums first.

Thanks fevi, but I can't understand how to apply it on my point to point link

as well as at the access point.

Here are the access point details:

[admin@radio1] > /interface print detail
Flags: D - dynamic, X - disabled, R - running, S - slave
0 R name="ether1" type="ether" mtu=1500 l2mtu=1526

1 R name="wlan1" type="wlan" mtu=1500 l2mtu=2290

2 R name="bridge1" type="bridge" mtu=1500 l2mtu=1526


[admin@radio1] > ip address print detail
Flags: X - disabled, I - invalid, D - dynamic
0 address=192.168.1.51/24 network=192.168.1.0 broadcast=192.168.1.255
interface=ether1 actual-interface=bridge1


[admin@radio1] > ip route print detail
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
0 ADC dst-address=192.168.1.0/24 pref-src=192.168.1.51 gateway=bridge1
gateway-status=bridge1 reachable distance=0 scope=10



[admin@radio1] > ip firewall export

# jan/07/1970 12:13:01 by RouterOS 4.10
# software id = 6F3F-IRVF
#

/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s
tcp-close-wait-timeout=10s tcp-established-timeout=1d
tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s
tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no
tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061
set pptp disabled=no

And this is the p2p print detail:

/interface print detail
Flags: D - dynamic, X - disabled, R - running, S - slave 
 0  R  name="ether1" type="ether" mtu=1500 l2mtu=1526 

 1  R  name="wlan1" type="wlan" mtu=1500 l2mtu=2290 

 2     name="wds1" type="wds" mtu=1500 

 3  R  name="bridge1" type="bridge" mtu=1500 l2mtu=1526 

 4 DR  name="wds2" type="wds" mtu=1500 l2mtu=2290




 ip address print detail  
Flags: X - disabled, I - invalid, D - dynamic 
 0   ;;; default configuration
     address=192.168.1.54/24 network=192.168.1.0 broadcast=192.168.1.255 
     interface=ether1 actual-interface=bridge1 





 ip firewall export
# mar/14/1970 13:43:52 by RouterOS 4.5
# software id = 4YHJ-U939
#
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s \
    tcp-close-wait-timeout=10s tcp-established-timeout=1d \
    tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s \
    tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no \
    tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061
set pptp disabled=no




 print iproute detail
bad command name print (line 1 column 1)
[admin@p2p ppcompound] > ip route print detail
Flags: X - disabled, A - active, D - dynamic, 
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 
 0 ADC  dst-address=192.168.1.0/24 pref-src=192.168.1.54 gateway=bridge1 
        gateway-status=bridge1 reachable distance=0 scope=10



This is all.

Now you can see all the things that you want.

Now I want to know how to configure the firewall on the access point and p2p routers.
Can you give the sample firewall rules, and also for virus prevention?

Thank you very much.

The worst thing you can do is install a firewall rule set you don’t understand. If the wiki doesn’t make sense to you, keep reading. Installing rules that drop packets when you don’t understand how they work is going to lead to your devices dropping packets you don’t want them to, and customers complaining.

Thanks for the reply.
Now I will read the wiki first, then implement it on the network and see what happens.

Thanks for guiding me.

Firewall filtering is easy, the key is figuring out what you want to allow and what you don’t.

Start with the basics:

  1. What are your sources and destinations? WAN or upstream links? LAN or downstream links?

  2. Which sources (originating addresses) do you want to have access to the router itself? We’re talking about router services like router management and DNS here.

  3. What forwarding do you want to allow? Since routers forward naturally you're mostly looking at things you want to block and exceptions (*).

Then for each source decide whether it (or some subset of the addresses on it) can access the router and which destinations it can forward to.

(*) Most filtering rule sets start with allowing packets for established and related connections before getting into “drop” rules. The assumption being that they were only established after passing all of the other rules. Another example of an exception might be allowing ICMP packets before blocking other upstream access.

The best way to learn is to read some filter rule sets and figure out for yourself how they work.
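To put the three questions above together, here is an added sample rule set for the access point from this thread (192.168.1.51 on bridge1); it is not from the wiki or from any poster. It assumes the LAN 192.168.1.0/24 is the only source allowed to manage the router (the address-list name "management" is made up for the example) and that "virus prevention" means blocking the classic Windows file-sharing ports in the forward chain:

```routeros
# Added example, not part of the thread. Hypothetical list name "management";
# narrow the address to a single host if only one machine should manage the AP.
/ip firewall address-list
add list=management address=192.168.1.0/24 comment="hosts allowed to manage the router"

/ip firewall filter
# --- input chain: packets addressed to the router itself (question 2) ---
# accept replies to connections that already passed the rules below
add chain=input connection-state=established,related action=accept \
    comment="established/related first, as in most rule sets"
add chain=input connection-state=invalid action=drop
# the ICMP exception mentioned above: keep ping working for troubleshooting
add chain=input protocol=icmp action=accept comment="allow ping"
# router services (winbox/ssh/www/dns) only from the management list
add chain=input src-address-list=management in-interface=bridge1 action=accept \
    comment="management only from the LAN"
add chain=input action=drop comment="everything else to the router is dropped"

# --- forward chain: traffic passing through the AP (question 3) ---
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
# block Windows file-sharing / worm propagation ports between the segments
add chain=forward protocol=tcp dst-port=135-139,445 action=drop \
    comment="block SMB/NetBIOS (common worm ports)"
add chain=forward protocol=udp dst-port=135-139,445 action=drop \
    comment="same ports over UDP"
# no final forward drop: routers forward by default, so add one only after
# you have listed every flow you actually want to allow
```

Note that on these devices ether1 and wlan1 are bridged, so traffic crossing the bridge only reaches the forward chain when `/interface bridge settings set use-ip-firewall=yes` is enabled; without it only the input chain (traffic to the router itself) is filtered.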

Thanks for the reply.

I will read the wiki carefully, then I will configure the firewall.
And thanks for your valuable advice :smiley:

Thanks again.