sirlindqvist
newbie
Topic Author
Posts: 47
Joined: Sat Jul 30, 2016 11:07 am

Trying to follow guide "Basic universal firewall script" at the wiki

Wed Aug 03, 2016 11:10 pm

Hi,

Trying to set up the rules described in the wiki page: http://wiki.mikrotik.com/wiki/Basic_uni ... all_script. All went fine except for 2 rules that I'm not able to add (using SSH). These are:

add action=add-src-to-address-list address-list=spammers address-list-timeout=3h chain=forward comment="Add Spammers to the list for 3 hours"\
connection-limit=30,32 disabled=no dst-port=25,587 limit=30/1m,0 protocol=tcp

add action=accept chain=ICMP comment="Echo request - Avoiding Ping Flood" disabled=no icmp-options=8:0 limit=1,5 protocol=icmp

I just get "expected : (line 1 column 90)" or similar, depending on how many lines are used. I get a red square indicating an error.

Can anyone help me see what's wrong so I can add these 2 rules?
 
efaden
Forum Guru
Posts: 1708
Joined: Sat Mar 30, 2013 1:55 am
Location: New York, USA

Re: Trying to follow guide "Basic universal firewall script" at the wiki

Wed Aug 03, 2016 11:27 pm

add ":packet"....

See the wiki:

http://wiki.mikrotik.com/wiki/Manual:IP/Firewall/Filter

Matches packets up to a limited rate (packet rate or bit rate). Rule using this matcher will match until this limit is reached. Parameters are written in following format: count[/time],burst:mode.
count - packet or bit count per time interval to match
time - specifies the time interval in which the packet or bit count cannot be exceeded (optional, 1s will be used if not specified)
burst - initial number of packets or bits to match: this number gets recharged every 10ms so burst should be at least 1/100 of rate per second
mode - packet or bit mode

Basically they made "mode" mandatory.... so you need to either add ":packet" or ":bit" to the end of the limit statement....
 
sirlindqvist
newbie
Topic Author
Posts: 47
Joined: Sat Jul 30, 2016 11:07 am

Re: Trying to follow guide "Basic universal firewall script" at the wiki

Wed Aug 03, 2016 11:36 pm

Lovely! Working now, thanks a lot!

Found another great firewall rule on this forum:

;;; Auto-block any SSH attempt on port 22
chain=sanity-check action=add-src-to-address-list protocol=tcp address-list=blocked-addr address-list-timeout=3m dst-port=22 log=yes log-prefix="ssh-ban"

The user commented "(and of course "blocked-addr" is dropped later) I did it for 3 minutes since I don't want to lock myself out if I forget to specify the port somehow :D"

Which type of rule do I need to create in addition so that they get dropped? Also, does the list "blocked-addr" need to be created in some way? The firewall rule seems good: it logs any connection attempt on port 22 and adds the source to a blacklist to drop them. I want to use this rule :)
 
efaden
Forum Guru
Posts: 1708
Joined: Sat Mar 30, 2013 1:55 am
Location: New York, USA

Re: Trying to follow guide "Basic universal firewall script" at the wiki

Wed Aug 03, 2016 11:47 pm

Basically that rule doesn't block anything.... That rule merely takes matching packets and adds that address to the address list specified for 3 minutes. Likely what you want to do is change that to be only on your external interface.

You then need a rule to "drop" packets in the address list.

What are you using this for? Home router? ... I can post my script later. I have a pretty decent firewall setup.
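As an added example (not code from this thread, from MikroTik, or from either poster), here is a small Python linter for the two problems this thread hits: a `limit=` value without the mandatory `:packet`/`:bit` mode from the opening post, and an address list that a rule fills but that no drop/reject/tarpit rule ever matches on, which is the point made about the "ssh-ban" rule above. The sample export embedded in it is constructed for the example from the rules quoted in the thread; the function names and the finding texts are my own.

```python
import re
import shlex
from typing import Dict, List, Tuple

# RouterOS 6.x 'limit' matcher: count[/time],burst:mode -- the ':mode' suffix is
# what the opening post's two rules were missing.
LIMIT_RE = re.compile(
    r"^(?P<count>\d+)(?:/(?P<time>\d+[smhdw]?))?,(?P<burst>\d+)(?::(?P<mode>packet|bit))?$"
)
LIST_WRITERS = {"add-src-to-address-list", "add-dst-to-address-list"}
ENFORCING_ACTIONS = {"drop", "reject", "tarpit"}

Rule = Dict[str, str]

# Constructed sample export (assembled for this example): the two rules from the
# opening post, the "ssh-ban" rule, and a SynFlood pair that is wired up correctly,
# so the checks see both failing and passing cases.
SAMPLE_EXPORT = """\
/ip firewall filter
add action=add-src-to-address-list address-list=spammers address-list-timeout=3h chain=forward comment="Add Spammers to the list for 3 hours" \\
    connection-limit=30,32 disabled=no dst-port=25,587 limit=30/1m,0 protocol=tcp
add action=accept chain=ICMP comment="Echo request - Avoiding Ping Flood" disabled=no icmp-options=8:0 limit=1,5 protocol=icmp
add action=add-src-to-address-list address-list=blocked-addr address-list-timeout=3m chain=input dst-port=22 log=yes log-prefix="ssh-ban" protocol=tcp
add action=drop chain=input comment="Drop SynFlood" src-address-list=SynFlood
add action=add-src-to-address-list address-list=SynFlood address-list-timeout=30m chain=input connection-limit=30,32 protocol=tcp tcp-flags=syn
add action=accept chain=ICMP comment="Allow Echo Request" icmp-options=8:0-255 limit=5,5:packet protocol=icmp
"""


def _join_continuations(text: str) -> List[str]:
    """Join backslash-continued lines, the style RouterOS exports use."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1].rstrip() + " "
            continue
        out.append(buf + line)
        buf = ""
    if buf:
        out.append(buf.strip())
    return out


def parse_export(text: str) -> List[Tuple[str, Rule]]:
    """Parse '/ip firewall ...' sections into (section, {key: value}) pairs.

    Quoted values (comment="...") are handled by shlex; a trailing '## note'
    is ignored; the joined source line is kept under '_line'.
    """
    rules: List[Tuple[str, Rule]] = []
    section = ""
    for line in _join_continuations(text):
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            section = line
            continue
        tokens = shlex.split(line)
        if tokens[0] != "add":
            continue
        params: Rule = {"_line": line}
        for tok in tokens[1:]:
            if tok.startswith("#"):
                break
            key, _, value = tok.partition("=")
            params[key] = value
        rules.append((section, params))
    return rules


def fix_limit(value: str) -> str:
    """Return the limit value with ':packet' appended if it has no mode, else unchanged."""
    m = LIMIT_RE.match(value)
    if not m:
        raise ValueError(f"unparseable limit value: {value!r}")
    return value if m.group("mode") else value + ":packet"


def lint(text: str) -> List[str]:
    """Run both checks over an export and return human-readable findings."""
    findings: List[str] = []
    populated: Dict[str, str] = {}
    enforced = set()
    for _section, p in parse_export(text):
        if "limit" in p:
            fixed = fix_limit(p["limit"])
            if fixed != p["limit"]:
                findings.append(f"chain={p.get('chain', '?')}: limit={p['limit']} has no mode; "
                                f"use limit={fixed} (or :bit)")
        action = p.get("action", "")
        if action in LIST_WRITERS and "address-list" in p:
            # RouterOS default timeout 00:00:00 means the entry never expires.
            populated[p["address-list"]] = p.get("address-list-timeout", "00:00:00")
        if action in ENFORCING_ACTIONS:
            for key in ("src-address-list", "dst-address-list"):
                if key in p:
                    enforced.add(p[key])
    for name, timeout in populated.items():
        if name not in enforced:
            findings.append(f"address list '{name}' (timeout {timeout}) is filled by a rule but no "
                            f"drop/reject/tarpit rule matches on it, so nothing is actually blocked")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_EXPORT):
        print(finding)
```

Run it on `/export` output of your own router to find lists that are only ever written to; the address list itself needs no separate creation step in RouterOS, the first `add-src-to-address-list` hit creates it, so the only missing piece is the `drop` rule that references it.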
 
sirlindqvist
newbie
Topic Author
Posts: 47
Joined: Sat Jul 30, 2016 11:07 am

Re: Trying to follow guide "Basic universal firewall script" at the wiki

Thu Aug 04, 2016 12:05 am

Home router, yes :)

I would really like to have your script! Is it in some way based on that guide on the wiki, "Basic universal firewall script"?

If you have time, post it tonight; I'm going to bed in an hour :)
 
efaden
Forum Guru
Posts: 1708
Joined: Sat Mar 30, 2013 1:55 am
Location: New York, USA

Re: Trying to follow guide "Basic universal firewall script" at the wiki

Thu Aug 04, 2016 1:32 am

Here is my basic starting point....

The GIST.... block EVERYTHING from the internet not related.... allow EVERYTHING from the LAN. Allow DHCP/DNS from Guest Network. Allow IPSec/L2TP... Allow anything in the WANAllow list... I also don't take credit for this.... this is what I pieced together from the forums etc....
/ip firewall address-list
add address=10.0.0.0/24 list=LocalRanges ## YOUR LAN
add address=10.0.1.0/24 list=GuestRanges ## YOUR GUEST NETWORK
add address=8.8.8.8/32 list=WANAllow ## ADD INTERNET ADDRESSES YOU WANT TO ALLOW HERE
add address=0.0.0.0/8 comment="Self-Identification [RFC 3330]" list=Bogon
add address=10.0.0.0/8 comment="Private[RFC 1918] - CLASS A" list=Bogon
add address=127.0.0.0/16 comment="Loopback [RFC 3330]" list=Bogon
add address=169.254.0.0/16 comment="Link Local [RFC 3330]" list=Bogon
add address=172.16.0.0/12 comment="Private[RFC 1918] - CLASS B" list=Bogon
add address=192.168.0.0/16 comment="Private[RFC 1918] - CLASS C" list=Bogon
add address=192.0.2.0/24 comment="Reserved - IANA - TestNet1" list=Bogon
add address=192.88.99.0/24 comment="6to4 Relay Anycast [RFC 3068]" list=Bogon
add address=198.18.0.0/15 comment="NIDB Testing" list=Bogon
add address=198.51.100.0/24 comment="Reserved - IANA - TestNet2" list=Bogon
add address=203.0.113.0/24 comment="Reserved - IANA - TestNet3" list=Bogon
add address=224.0.0.0/4 comment="MC, Class D, IANA" list=Bogon


/ip firewall filter
add action=accept chain=input comment="Connection State - Established" connection-state=established
add action=accept chain=input comment="Connection State - Related" connection-state=related
add action=drop chain=input comment="Connection State - Invalid" connection-state=invalid
add action=drop chain=input comment="Bogon via Ether01" in-interface=ether01-gateway src-address-list=Bogon
add action=jump chain=input comment="Invalid TCP" in-interface=ether01-gateway jump-target=invalid_tcp protocol=tcp
add action=jump chain=input comment="Invalid UDP" in-interface=ether01-gateway jump-target=invalid_udp protocol=udp
add action=jump chain=input comment="ICMP - From Internet - Jump" in-interface=ether01-gateway jump-target=ICMP protocol=icmp
add action=accept chain=input comment="ICMP - From Local" in-interface=!ether01-gateway protocol=icmp
add action=drop chain=input comment="TCP - Syn Flood Suppression - Drop SynFlood" src-address-list=SynFlood
add action=add-src-to-address-list address-list=SynFlood address-list-timeout=30m chain=input comment="TCP - Syn Flood Detection - Add To SynFlood (30 Connections Per IP Address)" connection-limit=30,32 protocol=tcp tcp-flags=syn
add action=drop chain=input comment="TCP - Port Scan Detection - Drop Port Scans (21,3s,3,1)" protocol=tcp psd=21,3s,3,1
add action=tarpit chain=input comment="TCP - DoS Attack Supression - Tarpit BlackList (3 Connections Per IP Address)" connection-limit=3,32 protocol=tcp src-address-list=BlackList
add action=add-src-to-address-list address-list=BlackList address-list-timeout=1d chain=input comment="TCP - DoS Attack Detection - Add to BlackList for 1d (10 Connections per IP Address)" connection-limit=10,32 protocol=tcp
add action=accept chain=input comment="Local Ranges" in-interface=!ether01-gateway src-address-list=LocalRanges
add action=accept chain=input comment=IPSecRange in-interface=ether01-gateway src-address-list=IPSecRange
add action=jump chain=input comment="Guest Traffic Jump" in-interface=bridge-guest jump-target=guest
add action=accept chain=input comment=WANAllow in-interface=ether01-gateway src-address-list=WANAllow
add action=jump chain=input comment=IPSec in-interface=ether01-gateway jump-target=ipsec
add action=drop chain=input comment="Default Drop"
add action=fasttrack-connection chain=forward comment="Connection State - FastTrack Established/Related" connection-state=established,related
add action=accept chain=forward comment="Connection State - Established/Related" connection-state=established,related
add action=drop chain=forward comment="Connection State - Invalid" connection-state=invalid
add action=drop chain=forward comment="Bogon via Ether01" in-interface=ether01-gateway src-address-list=Bogon
add action=jump chain=forward comment="Invalid TCP" jump-target=invalid_tcp protocol=tcp
add action=jump chain=forward comment="Invalid UDP" jump-target=invalid_udp protocol=udp
add action=accept chain=forward comment="Forward to Ether1-Gateway" out-interface=ether01-gateway
add action=accept chain=forward comment=LocalRanges dst-address-list=LocalRanges in-interface=!ether01-gateway out-interface=!ether01-gateway src-address-list=LocalRanges
add action=accept chain=forward comment=IPSecRange in-interface=ether01-gateway src-address-list=IPSecRange
add action=accept chain=forward comment=DST-NAT connection-nat-state=dstnat
add action=drop chain=forward comment="Default Drop"
add action=accept chain=ipsec comment=IPSec protocol=ipsec-esp
add action=accept chain=ipsec comment=IPSec protocol=ipsec-ah
add action=accept chain=ipsec comment=IPSec dst-port=500 protocol=udp
add action=accept chain=ipsec comment=IPSec dst-port=4500 protocol=udp
add action=accept chain=ipsec comment="L2TP for L2TPAllowed" dst-port=1701 protocol=udp src-address-list=L2TP_Allowed
add action=accept chain=guest comment="Guest Allow DNS via TCP" dst-port=53 protocol=tcp src-address-list=GuestRanges
add action=accept chain=guest comment="Guest Allow DNS via UDP" dst-port=53 protocol=udp src-address-list=GuestRanges
add action=accept chain=guest comment="Guest Allow DHCP via UDP" dst-port=67 protocol=udp src-address-list=GuestRanges
add action=accept chain=guest comment="Guest Allow DHCP via UDP" dst-port=68 protocol=udp src-address-list=GuestRanges
add action=accept chain=ICMP comment="Allow Echo Reply (0:0-255), Limit 5pps" icmp-options=0:0-255 limit=5,5:packet protocol=icmp
add action=accept chain=ICMP comment="ICMP - Allow Destination Unreachable (3:0-255), Limit 5pps" icmp-options=3:0-255 limit=5,5:packet protocol=icmp
add action=accept chain=ICMP comment="ICMP - Allow Source Quench (4:0), Limit 5pps" icmp-options=4:0-255 limit=5,5:packet protocol=icmp
add action=accept chain=ICMP comment="ICMP - Allow Echo Request (8:0), Limit 5pps" icmp-options=8:0-255 limit=5,5:packet protocol=icmp
add action=accept chain=ICMP comment="ICMP - Allow Time Exceeded (11:0), Limit 5pps" icmp-options=11:0-255 limit=5,5:packet protocol=icmp
add action=accept chain=ICMP comment="ICMP - Allow Parameter Problem (12:0), Limit 5pps" icmp-options=12:0-255 limit=5,5:packet protocol=icmp
add action=drop chain=ICMP comment="ICMP - Drop All Others" protocol=icmp
add action=drop chain=invalid_tcp comment="Invalid TCP - !(FIN/SYN/RST/ACK)" protocol=tcp tcp-flags=!fin,!syn,!rst,!ack
add action=drop chain=invalid_tcp comment="Invalid TCP - FIN/SYN" protocol=tcp tcp-flags=fin,syn
add action=drop chain=invalid_tcp comment="Invalid TCP - FIN/RST" protocol=tcp tcp-flags=fin,rst
add action=drop chain=invalid_tcp comment="Invalid TCP - FIN/!ACK" protocol=tcp tcp-flags=fin,!ack
add action=drop chain=invalid_tcp comment="Invalid TCP - FIN/URG" protocol=tcp tcp-flags=fin,urg
add action=drop chain=invalid_tcp comment="Invalid TCP - SYN/RST" protocol=tcp tcp-flags=syn,rst
add action=drop chain=invalid_tcp comment="Invalid TCP - RST/URG" protocol=tcp tcp-flags=rst,urg
add action=drop chain=invalid_tcp comment="Invalid TCP - Source Port 0" protocol=tcp src-port=0
add action=drop chain=invalid_tcp comment="Invalid TCP - Destination Port 0" dst-port=0 protocol=tcp
add action=drop chain=invalid_udp comment="Invalid UDP - Source Port 0" protocol=udp src-port=0
add action=drop chain=invalid_udp comment="Invalid UDP - Destination Port 0" dst-port=0 protocol=udp

/ip firewall nat
add action=masquerade chain=srcnat comment=NAT out-interface=ether01-gateway to-addresses=0.0.0.0


This is a script to allow access to the L2TP server for those people connected via IPSec (from Greg Sewell I think... )

#
# Variables
#
:local listName "L2TP_Allowed"

#
# Script
#
:local inAddressList false
:local inRemotePeers false
:local currentAddress 0

# Add New Peers Not Already In List
/ip ipsec remote-peers {
    :foreach i in [find] do={
        :set currentAddress [get $i remote-address]

        /ip firewall address-list {
            :foreach j in [find list=$listName address=$currentAddress] do={
                :set inAddressList true
            }

            :if (!$inAddressList) do={
                add list=$listName address=$currentAddress
            }
        }

        :set inAddressList false
    }
}

# Remove Old Peers From List
/ip firewall address-list {
    :foreach i in [find list=$listName] do={
        :set currentAddress [get $i address]

        :foreach j in [/ip ipsec remote-peers find remote-address=$currentAddress] do={
            :set inRemotePeers true
        }

        :if (!$inRemotePeers) do={
            remove [find list=$listName address=$currentAddress]
        }

        :set inRemotePeers false
    }
}
Last edited by efaden on Thu Aug 04, 2016 2:54 am, edited 5 times in total.
 
efaden
Forum Guru
Posts: 1708
Joined: Sat Mar 30, 2013 1:55 am
Location: New York, USA

Re: Trying to follow guide "Basic universal firewall script" at the wiki

Thu Aug 04, 2016 1:34 am

Some spacing got screwed up.... I'll fix it later when I get time....
 
sirlindqvist
newbie
Topic Author
Posts: 47
Joined: Sat Jul 30, 2016 11:07 am

Re: Trying to follow guide "Basic universal firewall script" at the wiki

Thu Aug 04, 2016 9:03 am

Some spacing got screwed up.... I'll fix it later when I get time....
OK, what went wrong? :)
add address=10.0.0.0/24 list=LocalRanges ## YOUR LAN <--- I'm using the default 192.168.88.0/24; that one goes here?
add address=10.0.1.0/24 list=GuestRanges ## YOUR GUEST NETWORK <--- Not using any guest network, should I? Can I lock down everything in a guest network? Also, will an easy Wi-Fi key make me more open to "attacks"? :)
add address=8.8.8.8/32 list=WANAllow ## ADD INTERNET ADDRESSES YOU WANT TO ALLOW HERE <--- What do I add here?

Also, you have "in-interface=ether01-gateway"; I call mine just "ether1", so I guess I should use that?

Also, do you have any good settings for Wi-Fi to get the best speed? I'm using the RB962UiGS-5HacT2HnT and was told where I bought it to mix the 2.4 and 5 GHz bands together in one SSID and let the clients choose which frequency/band/speed to use. I did that and it seems like most clients (iPads, iPhones etc.) choose the 2.4 GHz band. Can you tell me how to properly configure the Wi-Fi to get the most out of it? I want one SSID but the clients should choose the best speed the device supports (b/g/n/ac).
