enriqueza
just joined
Topic Author
Posts: 19
Joined: Thu Mar 27, 2008 6:14 am

Port Ranges

Thu Mar 27, 2008 6:25 am

I'm trying to set up a MikroTik as a firewall in front of several servers and I need to know the easiest way to block port ranges. As of yet, I've been doing it port by port, but when we get hit by a massive port scan, I really don't want to enter them all in one at a time. If there was a way to only leave open the ports I was sure we were using, that would be great. Thanks in advance for any help.
 
normis
MikroTik Support
Posts: 26378
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Port Ranges

Thu Mar 27, 2008 10:57 am

Just make a drop rule that blocks all ports and then make a rule with action 'accept' to allow the good ports.
 
ahmedsaffar76
Member
Posts: 306
Joined: Sun Feb 17, 2008 2:56 pm
Location: Iraq

Re: Port Ranges

Thu Mar 27, 2008 11:26 am

normis wrote:
just make a drop rule that blocks all ports and then make a rule with action 'accept' to allow the good ports

Hi Normis;
Glad to write again.
First, could you write these rules here?
Second, I am inside a maze of firewall rules. I read many types in the forum and wiki, but here I am asking if you could write the rules which are tested before and working accurately.
Also, I do not remember where I read about preventing the use of the web proxy as a public proxy; could you write the rule for it or the link to the article talking about this case?
With best regards.
 
normis
MikroTik Support
Posts: 26378
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Port Ranges

Thu Mar 27, 2008 12:00 pm

add chain=forward action=accept protocol=tcp dst-port=80 comment="Allow HTTP" 
add chain=forward action=accept protocol=tcp dst-port=25 comment="Allow SMTP" 
add chain=forward action=drop comment="drop everything else"
This will allow some stuff, and then drop everything else. See more examples here:
http://wiki.mikrotik.com/wiki/Firewall
 
ahmedsaffar76
Member
Posts: 306
Joined: Sun Feb 17, 2008 2:56 pm
Location: Iraq

Re: Port Ranges

Thu Mar 27, 2008 1:57 pm

normis wrote:
add chain=forward action=accept protocol=tcp dst-port=80 comment="Allow HTTP"
add chain=forward action=accept protocol=tcp dst-port=25 comment="Allow SMTP"
add chain=forward action=drop comment="drop everything else"
This will allow some stuff, and then drop everything else. See more examples here:
http://wiki.mikrotik.com/wiki/Firewall

Hi Normis;
First, thanks for your reply.
I think these rules will only allow browsing and the SMTP port, while any other connection like Yahoo Messenger and other applications will be blocked.
Would you mind telling me the rule which blocks internet users from reaching my web proxy server and using it as a public web proxy? I don't remember where I read about it.
With best regards.
:)
 
normis
MikroTik Support
Posts: 26378
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Port Ranges

Thu Mar 27, 2008 2:41 pm

You have to find out what ports those programs use, and add similar rules yourself.
 
ahmedsaffar76
Member
Posts: 306
Joined: Sun Feb 17, 2008 2:56 pm
Location: Iraq

Re: Port Ranges

Thu Mar 27, 2008 2:50 pm

normis wrote:
You have to find out what ports those programs use, and add similar rules yourself.

Hi Normis;
Thanks for your reply. I have a list of ports I collected from the internet; I will read them again to get benefit from it.
I was having the following rules in my firewall, which I got from a friend. They are supposed to kill the viruses attacking the network, but all the time their counter is 0, like:
add chain=virus protocol=tcp dst-port=135-139 action=drop comment=";;; Drop \
    Blaster Worm" disabled=yes 
add chain=virus protocol=udp dst-port=135-139 action=drop comment=";;; Drop \
    Messenger Worm" disabled=yes 
add chain=virus protocol=tcp dst-port=445 action=drop comment=";;; Drop \
    Blaster Worm" disabled=yes 
add chain=virus protocol=udp dst-port=445 action=drop comment=";;; Drop \
    Blaster Worm" disabled=yes 
add chain=virus protocol=tcp dst-port=593 action=drop comment=";;; ________" \
    disabled=yes 
add chain=virus protocol=tcp dst-port=1024-1030 action=drop comment=";;; \
    ________" disabled=yes 
Yesterday I changed the chain for these rules from virus to input and then some of them started counting.
Am I right in changing the chain to input? Or do I have to use another chain to protect the PCs behind MT from virus attacks?
Recently I stopped all the firewall filter and mangle rules I have, because I misunderstood the firewall rules and how to organize them; I changed the rules sequence and lost the internet, then did a restore.
Do you think that I have to put all the action=drop rules at the beginning and the accept rules at the bottom?
:( :? :?
Will be waiting for your reply to add some other questions.
With best regards.
:)
 
normis
MikroTik Support
Posts: 26378
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Port Ranges

Thu Mar 27, 2008 3:43 pm

Explanation of CHAINS:

1. FORWARD is for traffic going from the Internet to the LAN and in the other direction (LAN to Internet).
2. INPUT is for traffic going to the router itself. Use it for protection of the router.
3. OUTPUT is for traffic coming from the router itself (not used often).
 
ahmedsaffar76
Member
Posts: 306
Joined: Sun Feb 17, 2008 2:56 pm
Location: Iraq

Re: Port Ranges

Thu Mar 27, 2008 4:56 pm

normis wrote:
Explanation of CHAINS:

1. FORWARD is for traffic going from the Internet to the LAN and in the other direction (LAN to Internet).
2. INPUT is for traffic going to the router itself. Use it for protection of the router.
3. OUTPUT is for traffic coming from the router itself (not used often).

Hi Normis;
So do you think that I should repeat the rules which are supposed to block the virus ports and use them with the forward chain as well, while the input chain only protects the router itself?
What about the other question I wrote?:
Do you think that I have to put all the action=drop rules at the beginning and the accept rules at the bottom?
Will be waiting for your reply.
With best regards.
 
balimore
Forum Veteran
Posts: 884
Joined: Mon Apr 10, 2006 3:38 am

Re: Port Ranges

Thu Mar 27, 2008 5:17 pm

-----
Hello friends,
Yes, that's a good idea, but I am so sorry, 95% of my ports are open ... :shock:
and I don't want to lose my resources dropping by any firewall rules.

regards :wink: peace
Hasbullah.com
-----
normis wrote:
add chain=forward action=accept protocol=tcp dst-port=80 comment="Allow HTTP"
add chain=forward action=accept protocol=tcp dst-port=25 comment="Allow SMTP"
add chain=forward action=drop comment="drop everything else"
This will allow some stuff, and then drop everything else. See more examples here:
http://wiki.mikrotik.com/wiki/Firewall
 
skillful
Trainer
Posts: 552
Joined: Wed Sep 06, 2006 1:42 pm
Location: Abuja, Nigeria

Re: Port Ranges

Thu Mar 27, 2008 5:23 pm

ahmedsaffar76 wrote:
So do you think that I should repeat the rules which are supposed to block the virus ports and use them with the forward chain as well, while the input chain only protects the router itself?

No, you don't have to change the rule. All you have to do is create a "jump" rule on the "forward" chain to the "virus" chain:
/ip firewall filter add action=jump chain=forward comment="" disabled=no jump-target=virus
Place this rule high up.

ahmedsaffar76 wrote:
Do you think that I have to put all the action=drop rules at the beginning and the accept rules at the bottom?

Always place the action=drop rule below your action=accept rule if the traffic can match both rules.
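To see why the accept-then-drop order from normis's rules works, why the jump rule just above sends every forwarded packet through the virus chain before the rest of the forward chain is consulted, and why a drop placed first starves everything below it, here is an added Python model of the rule walk. It is not RouterOS code and not from anyone in the thread; the rule sets in it are constructed from the rules quoted in this thread, and the first-match, jump-and-return and default-accept behaviour it encodes is how RouterOS evaluates filter chains.

```python
import re
# Added illustration (not RouterOS code) of how RouterOS walks filter rules: top-down in a
# chain, first accept/drop wins, a jump enters another chain and resumes here if nothing
# there matched, and a packet matching no rule in a built-in chain is accepted by default.
RULE_RE = re.compile(r'([\w-]+)=("[^"]*"|\S+)')

def parse_rules(text):
    """Parse 'add chain=... action=...' lines; dst-port may hold ranges (135-139) and lists (80,25)."""
    rules = []
    for line in text.strip().splitlines():
        r = dict(RULE_RE.findall(line.partition("add ")[2]))
        if r.get("disabled") == "yes":  # disabled rules are never evaluated
            continue
        ports = set()
        for part in filter(None, r.get("dst-port", "").split(",")):
            lo, _, hi = part.partition("-")
            ports.update(range(int(lo), int(hi or lo) + 1))
        rules.append((r["chain"], r["action"], r.get("protocol"), ports, r.get("jump-target")))
    return rules

def _walk(rules, chain, proto, dport):
    for rchain, action, rproto, ports, target in rules:
        if rchain != chain or (rproto and rproto != proto) or (ports and dport not in ports):
            continue
        if action == "jump":
            hit = _walk(rules, target, proto, dport)
            if hit is not None:
                return hit
            continue  # target chain fell through: resume with the next rule in this chain
        return action

def verdict(rules, chain, proto, dport):
    """Final 'accept' or 'drop' for a packet entering a built-in chain such as forward or input."""
    return _walk(rules, chain, proto, dport) or "accept"

# Constructed rule sets: the thread's accept-then-drop policy with a custom 'virus' chain
# reached by a jump (as suggested in the reply above), and the same policy with drop first.
VIRUS_JUMP = """
add chain=forward action=jump jump-target=virus comment="check worm ports first"
add chain=virus action=drop protocol=tcp dst-port=135-139,445
add chain=virus action=drop protocol=udp dst-port=135-139,445
add chain=forward action=accept protocol=tcp dst-port=80,25
add chain=forward action=drop
"""
DROP_FIRST = """
add chain=forward action=drop comment="drop placed first: the accept below is never reached"
add chain=forward action=accept protocol=tcp dst-port=80,25
"""
```

A packet to TCP 139 is dropped inside the virus chain, a packet to TCP 80 falls out of the virus chain and is accepted by the forward rule, and the same rules do nothing for the input chain because no jump is placed there.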
 
ahmedsaffar76
Member
Posts: 306
Joined: Sun Feb 17, 2008 2:56 pm
Location: Iraq

Re: Port Ranges

Thu Mar 27, 2008 8:40 pm

balimore wrote:
-----
Hello friends,
Yes, that's a good idea, but I am so sorry, 95% of my ports are open ... :shock:
and I don't want to lose my resources dropping by any firewall rules.

Hi;
Do you mean that you do not use firewall rules?
Do you face attacks from the internet? :? How do you protect yourself?

skillful wrote:
No, you don't have to change the rule. All you have to do is create a "jump" rule on the "forward" chain to the "virus" chain

Do you mean that there is a chain called virus by default?
And do you mean that I should use the chain forward, not input?

skillful wrote:
/ip firewall filter add action=jump chain=forward comment="" disabled=no jump-target=virus
Place this rule high up.

I do not see any port in this rule. If I put it at the top of the list, will it take all the traffic coming from the internet to the virus chain to check it?
I am sorry, I am asking and will ask too many questions regarding the firewall filter and mangle.
Honestly, I am inside a maze, and anyone using a server should understand how the traffic moves from the client computer to the internet and comes back again to him.

skillful wrote:
Always place the action=drop rule below your action=accept rule if the traffic can match both rules.

As I know, if the packet matches a rule then it will be processed and it will ignore the rest of the rules.
So if I put a rule with action=accept then I will not be able to block undesired traffic.
Will be waiting for all replies until I and all forum members understand the firewall policies correctly.
Thanks for all the help provided.
With best regards
 
balimore
Forum Veteran
Posts: 884
Joined: Mon Apr 10, 2006 3:38 am

Re: Port Ranges

Fri Mar 28, 2008 2:03 am

-----
Hai friends,
maybe I am CRAZY . . . ? ?

Many arguments why I am running with little firewall on MikroTik's OS and without AV on workstations. Again, I am so sorry, this option is good and nice to sleep for myself.
I have tons of workstations with XP, W2000, MacOS and a little W98 running on roaming networks [transparent networks] without proxying, and I know the viruses will increase every time/every day with high technologies, and you must know some viruses will handshake or infect from user to user with tons of methods or innovations. :wink:

Just make a review:
- you must know and quickly stop it when your router is being brute-forced by an unknown user
- you must stop them when an unknown file will infect your workstations' system files.
- how many $$$ of money and time will be spent on the AV update connection, when you are with AV [e.g. 100 workstations]
- how to sleep nicely while your system is always on the NET
- how to make it secure when some virus infection is not only from the NET, but infection from other interfaces [e.g. floppy, CD, wireless card, bluetooth, modem, ethernet etc...]
- so I am so sorry, since 18 months ago all my workstations are without AV. So my resources increased and connection-tracking decreased.
- all programs and applications will be patched when they have a hole with low security

As far as I understood, I can't stay on my networks or my workstations all the time. Again, don't try this CRAZY method. :lol:

Peace men :wink:, special thanks to MikroTik and teams
regards
Hasbullah.com
------
ahmedsaffar76 wrote:
Hi;
Do you mean that you do not use firewall rules?
Do you face attacks from the internet? :? How do you protect yourself?
 
ahmedsaffar76
Member
Posts: 306
Joined: Sun Feb 17, 2008 2:56 pm
Location: Iraq

Re: Port Ranges

Fri Mar 28, 2008 3:09 am

Hi;
Let me ask you from another point of view.
You have a bandwidth from your ISP;
if you do not stop or kill unwanted connections, I think your bandwidth will serve a smaller number of workstations in the network.
So we configure the firewall to save the bandwidth to be used totally by the users.
Another thing confusing me is: I have a shared bandwidth; when I am alone on the server and open the rate to unlimited, sometimes I get half the bandwidth or more, and sometimes during late night times I get all the bandwidth and maybe more.
But when I have users using the service behind the server I cannot reach the same level I got before, and the browsing starts becoming slower, Yahoo Messenger takes a long time to be opened, and sometimes it is very hard to open it.
There is something choking the network and reducing the efficiency.
Also, what I noticed is that when the upload increases it reduces the browsing speed.
Here are a new couple of questions:
Can I change the ports used by some services? In other words, make some users use port 80 for browsing and other users use port xxx for browsing? The same for other applications.
Why are you not using web-proxy for your system, while it saves data from being fetched many times per day and saves these connections for others?
Will be waiting for your reply.
With best regards.
 
balimore
Forum Veteran
Posts: 884
Joined: Mon Apr 10, 2006 3:38 am

Re: Port Ranges

Fri Mar 28, 2008 3:18 am

-----
Hai Achmad....
Yes, we use a symmetric line 256k/256k 1:1 with FO backbone.
To make nice networks, only one answer: MikroTik bandwidth management will help you make users enjoy, and a priority line is a must.
Here, we use centralized AAA for pptp [VPN], pppoe, hotspot, dedicated line with roaming networking... nice :wink: over wired and wireless lines...

regards
Hasbullah.com
-----
 
ahmedsaffar76
Member
Posts: 306
Joined: Sun Feb 17, 2008 2:56 pm
Location: Iraq

Re: Port Ranges

Fri Mar 28, 2008 3:32 am

balimore wrote:
-----
Hai Achmad....
Yes, we use a symmetric line 256k/256k 1:1 with FO backbone.
To make nice networks, only one answer: MikroTik bandwidth management will help you make users enjoy, and a priority line is a must.
Here, we use centralized AAA for pptp [VPN], pppoe, hotspot, dedicated line with roaming networking... nice :wink: over wired and wireless lines...

regards
Hasbullah.com
-----

Hi again;
First, the name is Ahmed.
Second, I have questions here to know why our service is not very good:
Which one is heavier, 1 kg of steel or 1 kg of cotton? ??? :shock:
So you have 256 kbit / 256 kbit 1:1 coming through a fiber optic connection; will it be faster than a 256 kbit / 256 kbit SCPC/SCPC VSAT connection, or the same speed?
This dedicated bandwidth is suitable for how many PCs working together at the same time, and what is the speed for each one?
Thanks a lot for your help and efforts.
With best regards.
