gmidia
Member Candidate
Topic Author
Posts: 223
Joined: Sun Sep 02, 2007 3:28 pm

Securing the dns/web proxy

Wed Sep 26, 2007 12:15 am

I have tried securing the DNS and web proxy from being used by sources external to my network, but it is becoming difficult. Does anybody have an idea of how to do so, to stop the open proxy factor?
Thanks
 
sergejs
MikroTik Support
Posts: 6624
Joined: Thu Mar 31, 2005 3:33 pm
Location: Riga, Latvia

Re: Securing the dns/web proxy

Wed Sep 26, 2007 10:15 am

You have not pointed out what is difficult.

Use the firewall to filter traffic going to the router; chain=input should be used for that. Allow only local users' traffic and the addresses that are used to manage the router, then drop other traffic. Look at the firewall documentation examples to build a firewall configuration.
 
ashish
Long time Member
Posts: 550
Joined: Mon Feb 12, 2007 5:50 am
Location: Virginia, USA.

Re: Securing the dns/web proxy

Wed Sep 26, 2007 1:35 pm

/ip firewall filter
# WAN = the interface facing the internet cloud
add chain=input action=drop protocol=tcp src-address=0.0.0.0/0 in-interface=WAN dst-port=<your webproxy port>

Very simple.

ASHISH.
 
gmidia
Member Candidate
Topic Author
Posts: 223
Joined: Sun Sep 02, 2007 3:28 pm

Re: Securing the dns/web proxy

Wed Sep 26, 2007 8:11 pm

Thank you, it has contained the misuse. Unfortunately I had been blacklisted by certain mail servers for spamming, but now it is okay.
 
tonywarutere
just joined
Posts: 1
Joined: Wed Sep 26, 2007 1:10 pm

Re: Securing the dns/web proxy

Fri Sep 28, 2007 2:06 pm

Ashish,

The rule works well with traffic destined for port 8080, but when I use the same rule to prevent DNS requests on the DNS server set on the router, the rule doesn't seem to work. Any idea? The rule I have implemented is blocking requests on port 53, as shown below:

4 chain=input action=drop in-interface=ether1 src-address=0.0.0.0/0 dst-port=53 protocol=tcp
 
Letni
Member
Posts: 375
Joined: Tue Dec 05, 2006 5:16 am
Location: South Carolina

Re: Securing the dns/web proxy

Fri Sep 28, 2007 3:16 pm

DNS lookups use UDP, not TCP.

-Louis
 
rumiclord
Frequent Visitor
Posts: 65
Joined: Fri Jul 23, 2010 10:20 pm

Re: Securing the dns/web proxy

Fri Sep 03, 2010 7:57 pm

I have tried this rule, and it is blocking internet users from accessing my web proxy; my firewall counter is constantly adding up. However, when I check my web proxy status it is no longer adding any requests or hits; when I disable this rule it starts adding requests and hits again. This rule seems to simply disable my web proxy altogether.

chain=input action=drop protocol=tcp in-interface=ether1 dst-port=8090

ether1 is my internet port interface.

Any help or insight would be greatly appreciated.
 
fewi
Forum Guru
Posts: 7734
Joined: Tue Aug 11, 2009 3:19 am

Re: Securing the dns/web proxy

Fri Sep 03, 2010 8:29 pm

Are you permitting established and related traffic before dropping with that rule?
 
rumiclord
Frequent Visitor
Posts: 65
Joined: Fri Jul 23, 2010 10:20 pm

Re: Securing the dns/web proxy

Fri Sep 03, 2010 10:31 pm

No, I have not. Would I simply create 2 rules similar to it allowing established and related, then deny the rest?
 
fewi
Forum Guru
Forum Guru
Posts: 7734
Joined: Tue Aug 11, 2009 3:19 am

Re: Securing the dns/web proxy

Fri Sep 03, 2010 10:52 pm

Something like:
/ip firewall filter
add chain=input connection-state=established action=accept
add chain=input connection-state=related action=accept
add chain=input action=drop protocol=tcp in-interface=ether1 dst-port=8090
add chain=output action=accept
Of course, adjust that to also account for the result of your rules. The lines with 'connection-state' should be the first listed in the input chain.

The idea is that you want to ensure that, while traffic initiated to the router should be dropped, all connections that the router itself established are unconditionally allowed.

I do not use the built-in (or any other) proxy, so this is a guess, but at worst it just won't have any effect.
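
The two corrections made in this thread (drop DNS on UDP as well as TCP, and accept established/related before the WAN drop rules) can be checked mechanically against a ruleset export. This is an added example, not code from any poster or from MikroTik; the function names, finding labels and both sample exports are constructed for illustration, and it only inspects single-port drop rules in chain=input.

```python
import shlex

# Constructed samples: the rules as first posted in the thread, then as corrected.
BEFORE = """/ip firewall filter
add chain=input action=drop protocol=tcp in-interface=ether1 dst-port=8090
add chain=input action=drop protocol=tcp in-interface=ether1 dst-port=53
"""
AFTER = """/ip firewall filter
add chain=input connection-state=established action=accept
add chain=input connection-state=related action=accept
add chain=input action=drop protocol=tcp in-interface=ether1 dst-port=8090
add chain=input action=drop protocol=tcp in-interface=ether1 dst-port=53
add chain=input action=drop protocol=udp in-interface=ether1 dst-port=53
add chain=output action=accept
"""

def parse_rules(export):
    """Parse the 'add key=value ...' lines of a filter export into dicts."""
    rules = []
    for line in export.splitlines():
        tokens = shlex.split(line, comments=True)  # '#' lines are comments
        if tokens and tokens[0] == "add":
            rules.append(dict(t.split("=", 1) for t in tokens[1:] if "=" in t))
    return rules

def audit_input_chain(export, wan, proxy_port):
    """Return findings for the input-chain mistakes discussed in the thread."""
    findings, accepted_states, dropped = [], set(), set()
    catch_all = order_flagged = False
    for rule in parse_rules(export):
        if rule.get("chain") != "input":
            continue
        action = rule.get("action", "accept")  # accept is the default action
        if action == "accept" and "connection-state" in rule:
            accepted_states |= set(rule["connection-state"].split(","))
        elif action == "drop" and rule.get("in-interface") == wan:
            if not {"established", "related"} <= accepted_states and not order_flagged:
                findings.append("drop-before-established-related")
                order_flagged = True
            if "protocol" not in rule and "dst-port" not in rule:
                catch_all = True  # a bare drop on the WAN interface covers everything
            for port in rule.get("dst-port", "").split(","):
                dropped.add((rule.get("protocol"), port))
    for proto, port in (("udp", "53"), ("tcp", "53"), ("tcp", str(proxy_port))):
        if not catch_all and (proto, port) not in dropped:
            findings.append(f"reachable-from-wan:{proto}/{port}")
    return findings

if __name__ == "__main__":
    print(audit_input_chain(BEFORE, "ether1", 8090), audit_input_chain(AFTER, "ether1", 8090))
```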
 
rumiclord
Frequent Visitor
Posts: 65
Joined: Fri Jul 23, 2010 10:20 pm

Re: Securing the dns/web proxy

Fri Sep 03, 2010 11:58 pm

Thank you for the reply; that appears to be working properly. I believe the underlying issue is the fact that the web proxy is sending so much traffic out to the internet. Does anyone have a link to a discussion to help resolve this issue? My bandwidth usage increases 3-fold when the web proxy is on. This is defeating the overall goal of using the proxy. The goal is for clients to use the cached web pages so less internet bandwidth is used.

Thank you in advance
 
JP_Wireless
Member Candidate
Posts: 273
Joined: Thu Dec 13, 2007 4:31 pm
Location: Lagos Nigeria

Re: Securing the dns/web proxy

Sat Jul 30, 2011 7:12 pm

Did you enable serialize connections in the web proxy? Try toggling it the other way and see the result.
Enable always from cache.