Advices to optimize my MT

Enemy · Fri Jul 13, 2007 1:32 am

Hi,

I'm running PC router with MT. It has 2 interfaces, one for internet and one for the LAN. There are about 100 users connecting through PPPoE and LAN.

I've made some basic firewall (filter) settings, and limited TCP and ICMP connections for users to 20, blocked some ports following wiki.

But my ISP keep complaining on high load from my part, something to do with spurious trafic and port scans, i guess.

And how i can limit UDP traffic too?

Any advices on wise configuration would be greatly appreciated

omega-00 · Wed Jul 18, 2007 10:51 am

Try some of the following (these aren't all mine.. mainly snippets posted previously by other users)

Stops people trying to bruteforce SSH login

 / ip firewall filter
 add chain=input protocol=tcp dst-port=22 src-address-list=black_list action=drop \
     comment="drop ssh brute forcers" disabled=no
 add chain=input protocol=tcp dst-port=22 connection-state=new \
     src-address-list=ssh_stage3 action=add-src-to-address-list address-list=black_list address-list-timeout=1d \
     comment="" disabled=no
 add chain=input protocol=tcp dst-port=22 connection-state=new \
     src-address-list=ssh_stage2 action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m \
     comment="" disabled=no
 add chain=input protocol=tcp dst-port=22 connection-state=new \
     src-address-list=ssh_stage1 action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m \
     comment="" disabled=no
 add chain=input protocol=tcp dst-port=22 connection-state=new \
     action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m comment="" \
     disabled=no

Drop invalid or attacking connections (note the port-scan blocker is turned off by default as it uses lots of resources)

/ ip firewall filter 
add chain=sanity-check protocol=tcp psd=50,3s,3,1 \
    action=add-src-to-address-list address-list=blocked-addr \
    address-list-timeout=1d comment="Block port scans \(causes high \
    cpu load\)" disabled=yes 
add chain=sanity-check protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack \
    action=add-src-to-address-list address-list=blocked-addr \
    address-list-timeout=1d comment="Block TCP Null scan" disabled=yes 
add chain=sanity-check protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg \
    action=add-src-to-address-list address-list=blocked-addr \
    address-list-timeout=1d comment="Block TCP Xmas scan" disabled=yes 
add chain=sanity-check protocol=tcp src-address-list=blocked-addr action=jump \
    jump-target=drop comment="" disabled=no 
add chain=sanity-check protocol=tcp tcp-flags=rst action=jump jump-target=drop \
    comment="Drop TCP RST" disabled=no 
add chain=sanity-check protocol=tcp tcp-flags=fin,syn action=jump \
    jump-target=drop comment="Drop TCP SYN+FIN" disabled=no

Drop Broadcast packets.

/ ip firewall filter 
add chain=sanity-check dst-address-type=broadcast,multicast action=jump \
    jump-target=drop comment="Drop all traffic that goes to multicast or \
    broadcast addresses" disabled=no 
add chain=sanity-check src-address-type=broadcast,multicast action=jump \
    jump-target=drop comment="Drop all traffic that goes from multicast or \
    broadcast addresses" disabled=no

You could also try restricting ALL udp traffic, then allowing regular stuff through.
Eg: dns, ntp, whatever else your users use.

trottolino1970 · Mon Jul 23, 2007 12:56 am

this rule function so? i put this rulein my mikrotik but i dont know which address and which rule i active
help me

trottolino1970 · Thu Aug 30, 2007 4:18 pm

nothing??????

Advices to optimize my MT

Advices to optimize my MT

Re: Advices to optimize my MT

Re: Advices to optimize my MT

Re: Advices to optimize my MT

Who is online