Hi Normis; just make a drop rule that blocks all ports and then make a rule with action 'accept' to allow the good ports.
add chain=forward action=accept protocol=tcp dst-port=80 comment="Allow HTTP"
add chain=forward action=accept protocol=tcp dst-port=25 comment="Allow SMTP"
add chain=forward action=drop comment="drop everything else"
Hi Normis; this will allow some stuff, and then drop everything else. See more examples here:
http://wiki.mikrotik.com/wiki/Firewall
Hi Normis; you have to find out what ports those programs use, and add similar rules yourself.
add chain=virus protocol=tcp dst-port=135-139 action=drop comment="Drop Blaster Worm" disabled=yes
add chain=virus protocol=udp dst-port=135-139 action=drop comment="Drop Messenger Worm" disabled=yes
add chain=virus protocol=tcp dst-port=445 action=drop comment="Drop Blaster Worm" disabled=yes
add chain=virus protocol=udp dst-port=445 action=drop comment="Drop Blaster Worm" disabled=yes
add chain=virus protocol=tcp dst-port=593 action=drop comment="________" disabled=yes
add chain=virus protocol=tcp dst-port=1024-1030 action=drop comment="________" disabled=yes
Hi Normis; explanation of CHAINS:
1. FORWARD is for traffic going from the Internet to the LAN and in the other direction (LAN to Internet).
2. INPUT is for traffic going to the router itself. Used for protection of the router.
3. OUTPUT is for traffic coming from the router itself (not used often).
I will be waiting for your reply. Do you think that I have to put all the action=drop rules at the beginning and the accept rules at the bottom?
No, you don't have to change the rule. All you have to do is to create a "jump" rule on the "forward chain" to the "virus chain".
So do you think that I should repeat the rules which are supposed to block the virus ports and use them with the forward chain as well, while the input chain only protects the router itself?
/ip firewall filter add action=jump chain=forward comment="" disabled=no jump-target=virus
Always place the action=drop rule below your action=accept rule if the traffic can match both rules.
Do you think that I have to put all the action=drop rules at the beginning and the accept rules at the bottom?
Hi;
-----
Hello Frens
Yes, that's a good idea, but I am so sorry, 95% of my ports are open ...
and I don't want to lose my resources dropping by any firewall rules.
I do not see any port in this rule. If I put it at the top of the list, will it take all the traffic coming from the Internet to the virus chain to check it?
No, you don't have to change the rule. All you have to do is to create a "jump" rule on the "forward chain" to the "virus chain".
Do you mean that there is a chain called virus by default?
And do you mean that I should use the chain forward, not input?
Place this rule high up.
/ip firewall filter add action=jump chain=forward comment="" disabled=no jump-target=virus
As I know, if the packet matches a rule then it will be processed and it will ignore the rest of the rules.
Always place the action=drop rule below your action=accept rule if the traffic can match both rules.
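Pulling the advice in this thread together (accept before drop, a jump from forward into a custom virus chain, input only for the router itself), here is a complete filter set added as an example; it is not from the thread or from MikroTik's documentation. It assumes ether1 is the Internet-facing interface and 192.168.88.0/24 is the LAN, both placeholders to adjust. Two caveats the thread does not spell out: the three-rule forward example above has no in-interface or connection-state match, so its final drop also kills connections the LAN opens towards the Internet, and the pasted virus-chain rules carry disabled=yes, so they do nothing until enabled.

```routeros
# Added example (not from the thread). Assumptions: ether1 = Internet-facing
# interface, 192.168.88.0/24 = LAN. Rules are evaluated top to bottom and the
# first match decides, so the order below is the whole point.
/ip firewall filter

# --- input: traffic addressed to the router itself ---
add chain=input connection-state=established,related action=accept \
    comment="replies to connections the router itself started"
add chain=input connection-state=invalid action=drop comment="drop invalid"
add chain=input in-interface=ether1 protocol=icmp action=accept comment="allow ping from WAN"
add chain=input src-address=192.168.88.0/24 action=accept comment="LAN may manage the router"
add chain=input in-interface=ether1 action=drop comment="drop everything else aimed at the router from WAN"

# --- forward: traffic passing through the router (LAN <-> Internet) ---
add chain=forward connection-state=established,related action=accept \
    comment="accept replies first so the virus chain is not re-run for every packet"
add chain=forward connection-state=invalid action=drop comment="drop invalid"
# the jump sits high up: every new connection, either direction, is checked in the virus chain
add chain=forward connection-state=new action=jump jump-target=virus comment="check worm ports"
# accepts for inbound services come before the catch-all drop
add chain=forward in-interface=ether1 connection-state=new protocol=tcp dst-port=80 action=accept \
    comment="Allow HTTP to LAN"
add chain=forward in-interface=ether1 connection-state=new protocol=tcp dst-port=25 action=accept \
    comment="Allow SMTP to LAN"
# only unsolicited traffic from the Internet is dropped; LAN-originated connections still pass
add chain=forward in-interface=ether1 connection-state=new action=drop \
    comment="drop everything else from the Internet"

# --- virus: custom chain, only reached through the jump above ---
add chain=virus protocol=tcp dst-port=135-139 action=drop comment="Drop Blaster Worm"
add chain=virus protocol=udp dst-port=135-139 action=drop comment="Drop Messenger Worm"
add chain=virus protocol=tcp dst-port=445 action=drop comment="Drop Blaster Worm"
add chain=virus protocol=udp dst-port=445 action=drop comment="Drop Blaster Worm"
# nothing matched: go back to the forward chain at the rule after the jump
# (RouterOS does this anyway at the end of a custom chain; the rule makes it explicit)
add chain=virus action=return comment="no worm port matched, continue in forward"
```

The established,related accept at the top of each chain is what keeps the ruleset cheap: only the first packet of a connection walks the jump and the accept/drop list, later packets match rule one. Watch the counters with `/ip firewall filter print stats` while testing; a drop rule that never counts is usually one shadowed by an accept above it.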
Hi;
do you mean that you do not use firewall rules?
Do you face attacks from the Internet? How do you protect yourself?
-----
Hi Achmad...
Yes, we use a symmetric 256k/256k 1:1 line with an FO backbone.
To make nice networks there is only one answer: MikroTik bandwidth management will help you make users happy, and a priority line is a must-have.
Here we use centralized AAA for PPTP [VPN], PPPoE, hotspot and dedicated lines with roaming networking... nice over wired and wireless lines...
regards
Hasbullah.com
-----