Mikrotik's demo system demo.mt.lv firewall Virus rules, worth using???

Posted: Fri Jan 11, 2019 10:51 am
by WeWiNet
Hi,

On Mikrotik's hosted RouterOS demo system (using demo.mt.lv as target in Winbox),
under Firewall there is a long list of "Virus" firewall entries which seem quite interesting, if they do work in real life
(see below).

Now in this demo system they don't get hit by any traffic, so I wonder if it would be worth using them
in my systems? Anyone tried something like that?

And if so, whether Mikrotik could provide them in the Wiki pages somewhere (I searched for it but did not see them).
(attachment: Mtik_example_firewall_rules.jpg)

Re: Mikrotik's demo system demo.mt.lv firewall Virus rules, worth using???

Posted: Fri Jan 11, 2019 11:52 am
by sebastia
Hi

On input/output I always set default policy of drop/reject, and only allow selective & known traffic. On forward, inbound is denied by default, for outbound it can be tricky. If such a filter set was used for outbound, a hit could mean:
* an actual threat communicating out
* some valid application "reusing" / cycling through available ports. This could result in additional support: why doesn't it work...

If used, I would at least consolidate it to ensure minimal impact on firewall throughput.
* if tcp and dst-port=x,xx,xxx,... drop
* if udp and dst-port=x,xx,xxx,... drop

Re: Mikrotik's demo system demo.mt.lv firewall Virus rules, worth using???

Posted: Fri Jan 11, 2019 12:07 pm
by nescafe2002
You can ssh to demo.mt.lv and run export to fetch the running configuration.

Re: Mikrotik's demo system demo.mt.lv firewall Virus rules, worth using???

Posted: Fri Jan 11, 2019 2:42 pm
by anav
I have never used or noticed a chain called VIRUS?
Does anyone actually use this and for what purpose?

Re: Mikrotik's demo system demo.mt.lv firewall Virus rules, worth using???

Posted: Fri Jan 11, 2019 4:18 pm
by R1CH
For the forward chain it maybe makes a bit of sense to block new connections to these ports, however most of these are no longer active threats and you risk blocking legitimate services (e.g. cloud services that pick ephemeral ports). The only ones I use on my network are blocking leaky SMB (137-139,445) from hitting WAN. For input you should be blocking all traffic by default so it's no use.

Re: Mikrotik's demo system demo.mt.lv firewall Virus rules, worth using???

Posted: Sun Jan 20, 2019 1:15 pm
by WeWiNet
Thanks all for your feedback and input.

I was hoping to get some feedback from Mikrotik on how useful THEY think those rules are
(as they don't publish rubbish normally, I would suppose those FW rules are done on purpose and not just for fun
and maybe they have them run on some real world servers?).

Unfortunately you cannot (no longer?) export those rules, it says "not enough permissions" when logged in with SSH.
I just thought I could get them somewhere as text and give them a try in my systems, but as some of you say they
might be useless these days I won't waste my time on them for now.

Re: Mikrotik's demo system demo.mt.lv firewall Virus rules, worth using???

Posted: Sun Jan 20, 2019 1:52 pm
by nescafe2002
Here they are, using: $ ssh admin@demo.mt.lv "/export" > demo.mt.lv.rsc
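
To put sebastia's consolidation suggestion together with the export above, here is an added example (not from the thread or from Mikrotik) that parses RouterOS `/export` lines, collects the dst-ports of the drop rules in a given chain per protocol, and emits one forward-chain rule per protocol. The export sample embedded below is constructed, not the real demo.mt.lv rule set; the chain name `virus`, the interface list `WAN` and the log prefix are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in RouterOS export syntax (not the real demo.mt.lv export).
SAMPLE_EXPORT = """\
/ip firewall filter
add action=drop chain=virus comment="sample worm 1" dst-port=135 protocol=tcp
add action=drop chain=virus comment="sample worm 1" dst-port=445 protocol=tcp
add action=drop chain=virus comment="sample worm 2" dst-port=135-139 protocol=udp
add action=drop chain=virus comment=sample3 dst-port=2283 protocol=tcp
add action=drop chain=virus comment=sample4 dst-port=3127-3128 protocol=tcp
add action=drop chain=virus comment=sample5 dst-port=445 protocol=tcp
add action=accept chain=forward comment=established connection-state=established,related
"""

RULE_RE = re.compile(r"^add\s+(.*)$")
KV_RE = re.compile(r'([A-Za-z][\w-]*)=("[^"]*"|\S+)')


def parse_rules(export_text):
    """Turn each 'add key=value ...' line into a dict; quoted values lose their quotes."""
    rules = []
    for line in export_text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules.append({k: v.strip('"') for k, v in KV_RE.findall(m.group(1))})
    return rules


def consolidate(rules, chain="virus"):
    """Per protocol, the deduplicated dst-ports of all drop rules in `chain`,
    sorted by the first port of each entry (single port or a-b range)."""
    ports = defaultdict(set)
    for r in rules:
        if r.get("chain") == chain and r.get("action") == "drop" \
                and "protocol" in r and "dst-port" in r:
            ports[r["protocol"]].update(r["dst-port"].split(","))
    return {p: sorted(v, key=lambda s: int(s.split("-")[0])) for p, v in ports.items()}


def render(ports, chain="forward", iface_list="WAN"):
    """One drop rule per protocol for new outbound connections, logged so that a hit
    can be distinguished from a legitimate application (sebastia's second case)."""
    lines = ["/ip firewall filter"]
    for proto in sorted(ports):
        lines.append(f"add chain={chain} protocol={proto} dst-port={','.join(ports[proto])} "
                     f"connection-state=new out-interface-list={iface_list} action=drop "
                     f'log=yes log-prefix="legacy-{proto}"')
    return lines


if __name__ == "__main__":
    print("\n".join(render(consolidate(parse_rules(SAMPLE_EXPORT)))))
```

Run it against a real `.rsc` by reading the file into `parse_rules` instead of `SAMPLE_EXPORT`; review the generated port list before loading it, since consolidation keeps every port the original chain dropped.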

Re: Mikrotik's demo system demo.mt.lv firewall Virus rules, worth using???

Posted: Tue Jan 22, 2019 1:01 pm
by WeWiNet
Thank you very much!