I received 2 emails in 2 days.
I consulted my friends and they said I have to add some firewall rules to my MikroTik to avoid this issue.
I use Google DNS.
So, what rules should I add to the MikroTik?
Sorry, I'm new to MikroTik and I don't want to touch anything inside Winbox unless I know what I'm doing.

Default firewall configuration would be sufficient.
But basically you should restrict connection-state=new in-interface=Public connections, all of them (except the ones that you need):
/ip firewall filter
add chain=input action=accept protocol=icmp comment="default configuration"
add chain=input action=accept connection-state=established in-interface=ether1-gateway comment="default configuration"
add chain=input action=accept connection-state=related in-interface=ether1-gateway comment="default configuration"
add chain=input action=drop in-interface=ether1-gateway comment="default configuration"
....but somehow you did delete the default configuration...
If your ip firewall filter input is clear, you should replace ether1-gateway with your interface name and paste these rules.
This will restrict all connections from outside, except ping.
But this will drop the DNS requests completely.
I think we need to add one more rule to redirect the requests?
Or did I miss something?

Nope, it will only drop new requests; don't forget that your requests will be initiated by the router itself, so replies to those will return as connection-state=established.

Then I'm confused what exactly to add to stop this behavior in future.
Macgaiver already posted what you need to add:
http://forum.mikrotik.com/viewtopic.php ... 50#p506950

Okay, my WAN in NAS Router (MikroTik CCR1009) is ether8.
Those rules allow established connections from LAN and block all requests from WAN.
Is that correct?

/ip firewall filter
add chain=input action=accept protocol=icmp comment="default configuration"
add chain=input action=accept connection-state=established in-interface=ether8 comment="default configuration"
add chain=input action=accept connection-state=related in-interface=ether8 comment="default configuration"
add chain=input action=drop in-interface=ether8 comment="default configuration"
User traffic goes through forward; this is input, it affects only traffic to the router itself.
I really suggest getting some training or hiring a consultant.

Yes, already enrolled in the MikroTik training in our country.
One issue came after this.
Winbox and web are both not accessible from the outside network after this rule.
So, I had to switch off the drop firewall rule.

You have to add accept rules specifically for winbox (protocol=tcp dst-port=8291). I do not suggest allowing access to the web config from outside; use winbox.
Place that rule before the last drop.

Correct?
add chain=input action=accept protocol=tcp dst-port=8291 in-interface=ether8 comment="default configuration"
add chain=input action=drop in-interface=ether8 comment="default configuration"
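As an added example (not code from this thread or from MikroTik), here is a small first-match simulator in Python for the input-chain rules discussed above. It parses the `/ip firewall filter add ...` lines and evaluates constructed packets against them, which shows two points raised in the thread: replies to the router's own DNS queries still pass once new connections from the WAN are dropped, and an accept rule for winbox only works if it sits before the catch-all drop. The interface names (ether8 as WAN, ether2 as LAN), the packets, and the simplified connection-state handling (the packet carries the state conntrack would have assigned) are assumptions made for the demo.

```python
"""Added example, not code from the forum thread: a first-match simulator for
the RouterOS input-chain rules discussed above. Interface names, packets and
the pre-assigned connection-state values are assumptions for the demo.
"""
import shlex

# Constructed rule set as posted for WAN interface ether8, with the winbox
# accept placed BEFORE the final drop.
RULES_GOOD = """
add chain=input action=accept protocol=icmp comment="default configuration"
add chain=input action=accept connection-state=established in-interface=ether8 comment="default configuration"
add chain=input action=accept connection-state=related in-interface=ether8 comment="default configuration"
add chain=input action=accept protocol=tcp dst-port=8291 in-interface=ether8 comment="winbox from outside"
add chain=input action=drop in-interface=ether8 comment="default configuration"
"""

# Same rules with the winbox accept added AFTER the catch-all drop: it never
# gets a chance to match.
RULES_BAD = """
add chain=input action=accept protocol=icmp comment="default configuration"
add chain=input action=accept connection-state=established in-interface=ether8 comment="default configuration"
add chain=input action=accept connection-state=related in-interface=ether8 comment="default configuration"
add chain=input action=drop in-interface=ether8 comment="default configuration"
add chain=input action=accept protocol=tcp dst-port=8291 in-interface=ether8 comment="winbox from outside"
"""

# Matchers this simulator understands; other keys (comment, action) are
# carried along but not matched on.
MATCH_KEYS = ("chain", "protocol", "connection-state", "in-interface", "dst-port")


def parse_rules(text):
    """Turn 'add key=value ...' lines into a list of dicts, preserving order."""
    rules = []
    for line in text.strip().splitlines():
        parts = shlex.split(line)          # handles comment="two words"
        if not parts or parts[0] != "add":
            continue
        rule = {}
        for token in parts[1:]:
            key, _, value = token.partition("=")
            rule[key] = value
        rules.append(rule)
    return rules


def rule_matches(rule, pkt):
    """A rule matches when every matcher it specifies agrees with the packet.
    A leading '!' negates the matcher, as in RouterOS (e.g. in-interface=!ether8)."""
    for key in MATCH_KEYS:
        if key not in rule:
            continue
        want = rule[key]
        if want.startswith("!"):
            if pkt.get(key) == want[1:]:
                return False
        elif pkt.get(key) != want:
            return False
    return True


def evaluate(rules, pkt):
    """The first matching rule decides; with no match RouterOS accepts by default."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.get("action", "accept")
    return "accept"


# Constructed packets (connection-state is what conntrack would have assigned).
PKT_DNS_FROM_WAN = {"chain": "input", "in-interface": "ether8", "protocol": "udp",
                    "dst-port": "53", "connection-state": "new"}          # spoofed query hitting the router
PKT_DNS_REPLY = {"chain": "input", "in-interface": "ether8", "protocol": "udp",
                 "dst-port": "49152", "connection-state": "established"}  # 8.8.8.8 answering the router's own query
PKT_WINBOX_WAN = {"chain": "input", "in-interface": "ether8", "protocol": "tcp",
                  "dst-port": "8291", "connection-state": "new"}
PKT_WINBOX_LAN = {"chain": "input", "in-interface": "ether2", "protocol": "tcp",
                  "dst-port": "8291", "connection-state": "new"}


def verdicts(rule_text):
    """Evaluate the four constructed packets against one rule set."""
    rules = parse_rules(rule_text)
    return {
        "dns_from_wan": evaluate(rules, PKT_DNS_FROM_WAN),
        "dns_reply": evaluate(rules, PKT_DNS_REPLY),
        "winbox_wan": evaluate(rules, PKT_WINBOX_WAN),
        "winbox_lan": evaluate(rules, PKT_WINBOX_LAN),
    }


if __name__ == "__main__":
    for name, text in (("good order", RULES_GOOD), ("bad order", RULES_BAD)):
        print(name, verdicts(text))
```

With the good ordering the spoofed DNS query from the WAN is dropped, the reply from Google DNS is accepted as established, and winbox from outside is accepted; with the winbox accept placed after the drop, the same winbox packet is dropped, which is exactly the lock-out described in the thread.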
You appear to be running an open recursive resolver at IP address 103.194.232.65 that participated in an attack against a customer of ours, generating large UDP responses to spoofed queries, with those responses becoming fragmented because of their size.
Please consider reconfiguring your resolver in one or more of these ways:
- To only serve your customers and not respond to outside IP addresses (in BIND, this is done by defining a limited set of hosts in "allow-query"; with a Windows DNS server, you would need to use firewall rules to block external access to UDP port 53)
- To only serve domains that it is authoritative for (in BIND, this is done by defining a limited set of hosts in "allow-query" for the server overall but setting "allow-query" to "any" for each zone)
- To rate-limit responses to individual source IP addresses (such as by using DNS Response Rate Limiting or iptables rules)

You can see the IP is a block and not even used.
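As an added example (not from this thread or from the sender of the abuse notice), here is a minimal DNS message builder and parser in Python that shows what the notice describes: an ANY query with a large EDNS0 buffer drawing a response many times its own size, large enough to be fragmented. The large response is constructed in the script to simulate a big answer, the query name, the 1500-byte MTU and the use of 8.8.8.8-style recursion checks are assumptions for the demo, and probe_resolver() is the only part that talks to a real host over the network.

```python
"""Added example, not code from the forum thread or the abuse notice: build a
DNS query, simulate a large response, measure amplification, and check whether
a server answered recursively. Names, sizes and MTU are demo assumptions.
"""
import socket
import struct

QTYPE_A, QTYPE_TXT, QTYPE_ANY, QTYPE_OPT = 1, 16, 255, 41
FLAG_RA, RCODE_MASK = 0x0080, 0x000F


def encode_name(name):
    """'example.com' -> b'\\x07example\\x03com\\x00' (DNS wire format)."""
    out = b"".join(bytes([len(label)]) + label.encode("ascii")
                   for label in name.strip(".").split("."))
    return out + b"\x00"


def build_query(name, qtype=QTYPE_ANY, txid=0x1234, edns_size=4096):
    """Standard query with RD=1 and an EDNS0 OPT record advertising edns_size:
    the shape an amplification attacker sends with a spoofed source address."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # qd=1, ar=1 (OPT)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    opt = b"\x00" + struct.pack("!HHIH", QTYPE_OPT, edns_size, 0, 0)  # root name, UDP size in class
    return header + question + opt


def build_txt_response(query, txt_strings):
    """Constructed reply: QR=1, RD=1, RA=1, RCODE=0, one TXT RR per string, with
    owner names written as a compression pointer (0xC00C) back to the question."""
    txid = struct.unpack("!H", query[:2])[0]
    qname_end = query.index(b"\x00", 12) + 1
    question = query[12:qname_end + 4]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(txt_strings), 0, 0)
    answers = b""
    for s in txt_strings:
        data = s.encode("ascii")
        rdata = bytes([len(data)]) + data  # one <character-string>, max 255 bytes
        answers += b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_TXT, 1, 300, len(rdata)) + rdata
    return header + question + answers


def amplification(query, response, mtu=1500):
    """Bytes-out / bytes-in ratio, and whether the UDP datagram would fragment
    on a link with the given MTU (20-byte IPv4 + 8-byte UDP header assumed)."""
    ratio = len(response) / len(query)
    fragmented = len(response) + 28 > mtu
    return ratio, fragmented


def is_open_recursive_answer(response, txid):
    """True if the reply matches our id, has RA set and RCODE 0: the server
    recursed for us. A REFUSED (RCODE 5) reply means recursion is restricted."""
    rid, flags = struct.unpack("!HH", response[:4])
    return rid == txid and bool(flags & FLAG_RA) and (flags & RCODE_MASK) == 0


def probe_resolver(ip, name="example.com", timeout=2.0):
    """Network check (not run offline): send a recursive A query to ip:53 and
    return (is_open, raw_reply). Run it from OUTSIDE your network against your
    own address; an 'open' result is what the abuse notice complains about."""
    query = build_query(name, qtype=QTYPE_A, txid=0x4242)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (ip, 53))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return False, b""
    return is_open_recursive_answer(data, 0x4242), data


def demo():
    """Simulate: a 40-byte ANY query answered with ten 200-byte TXT strings."""
    query = build_query("example.com")
    response = build_txt_response(query, ["x" * 200] * 10)
    ratio, fragmented = amplification(query, response)
    return len(query), len(response), ratio, fragmented


if __name__ == "__main__":
    print(demo())
```

The simulated exchange turns a 40-byte query into a 2159-byte answer (roughly 54x), which with IP and UDP headers exceeds a 1500-byte MTU and fragments; that is the pattern the notice describes, and each spoofed query costs the attacker only the 40 bytes. The firewall rules posted at the end of the thread stop the router from being usable this way by dropping new DNS connections arriving on the WAN interface.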
Looks like spam to me. I would ignore such emails, especially if they are not true.

Don't think so!
/ip firewall filter
add chain=input in-interface=ether8 protocol=udp dst-port=53 action=drop comment="drop DNS queries arriving from WAN for the router itself"
add chain=input in-interface=ether8 protocol=tcp dst-port=53 action=drop comment="drop DNS queries arriving from WAN for the router itself"

/ip firewall filter
add chain=forward protocol=udp dst-port=53 out-interface=!ether8 action=drop comment="drop forwarded DNS queries not leaving via WAN (toward LAN-side hosts)"
add chain=forward protocol=tcp dst-port=53 out-interface=!ether8 action=drop comment="drop forwarded DNS queries not leaving via WAN (toward LAN-side hosts)"