Ibersystems
Forum Guru
Topic Author
Posts: 1686
Joined: Wed Apr 12, 2006 12:29 am
Location: Cabrils, Barcelona - Spain

Firewall info/question

Mon Jan 14, 2008 12:05 pm

Hi,

I have one MikroTik RouterOS AP with Hotspot configured.

I can see that the traffic on the bold/underlined filter rules is far bigger than on the other filter rules. Why? What happens if I delete these bold/underlined rules?
I need to accept only the traffic listed in the accept rules (like port 80) and in the MSN chain, and count/drop the traffic in the drop rules (like port 3389). I think these bold/underlined rules permit traffic not listed in the accept filter rules. Why?

I have these filter rules in my firewall:


/ ip firewall filter
add chain=input action=accept connection-state=established comment="accept \
established connection packets" disabled=no
add chain=input action=accept connection-state=related comment="accept related \
connection packets" disabled=no

add chain=input action=drop connection-state=invalid comment="drop invalid \
packets" disabled=no
add chain=input action=drop dst-port=80 protocol=tcp connection-limit=200,0 \
comment=";;; limit total http connections to 200" disabled=no
add chain=input action=drop protocol=tcp psd=21,3s,3,1 comment=";;; detect and \
drop port scan connections" disabled=no
add chain=input action=jump jump-target=ICMP protocol=icmp comment=";;; jump \
to chain ICMP" disabled=no
add chain=input action=jump jump-target=services comment=";;; jump to chain \
services" disabled=no
add chain=input action=drop comment="" disabled=no



add chain=ICMP action=accept protocol=icmp icmp-options=0:0-255 limit=5,5 \
comment=";;; 0:0 and limit for 5pac/s" disabled=no
add chain=ICMP action=accept protocol=icmp icmp-options=3:3 limit=5,5 \
comment=";;; 3:3 and limit for 5pac/s" disabled=no
add chain=ICMP action=accept protocol=icmp icmp-options=3:4 limit=5,5 \
comment=";;; 3:4 and limit for 5pac/s" disabled=no
add chain=ICMP action=accept protocol=icmp icmp-options=8:0-255 limit=5,5 \
comment=";;; 8:0 and limit for 5pac/s" disabled=no
add chain=ICMP action=accept protocol=icmp icmp-options=11:0-255 limit=5,5 \
comment=";;; 11:0 and limit for 5pac/s" disabled=no
add chain=ICMP action=drop protocol=icmp comment=";;; Drop everything else" \
disabled=no



add chain=services action=accept src-address=127.0.0.1 dst-address=127.0.0.1 \
comment=";;; accept localhost" disabled=no
add chain=services action=drop dst-port=20-21 protocol=tcp comment=";;; drop \
ftp" disabled=no
add chain=services action=accept dst-port=22 protocol=tcp comment=";;; allow \
sftp, ssh" disabled=no
add chain=services action=accept dst-port=23 protocol=tcp comment=";;; drop \
telnet" disabled=no
add chain=services action=accept dst-port=80 protocol=tcp comment=";;; allow \
http, webbox" disabled=no
add chain=services action=accept dst-port=8291 protocol=tcp comment=";;; Allow \
winbox" disabled=no
add chain=services action=accept dst-port=20561 protocol=udp comment=";;; \
allow MACwinbox" disabled=no
add chain=services action=accept dst-port=2000 protocol=tcp comment=";;; \
Bandwidth server" disabled=no
add chain=services action=accept dst-port=5678 protocol=udp comment=";;; MT \
Discovery Protocol" disabled=no
add chain=services action=accept dst-port=53 protocol=tcp comment=";;; allow \
DNS request" disabled=no
add chain=services action=accept dst-port=53 protocol=udp comment=";;; Allow \
DNS request" disabled=no
add chain=services action=drop dst-port=1701 protocol=udp comment=";;; drop \
L2TP" disabled=no
add chain=services action=accept dst-port=1723 protocol=tcp comment=";;; allow \
PPTP" disabled=no
add chain=services action=accept protocol=gre comment=";;; allow PPTP and \
EoIP" disabled=no
add chain=services action=accept protocol=ipencap comment=";;; allow IPIP" \
disabled=no
add chain=services action=accept dst-port=1900 protocol=udp comment=";;; UPnP" \
disabled=no
add chain=services action=accept dst-port=2828 protocol=tcp comment=";;; UPnP" \
disabled=no
add chain=services action=accept dst-port=67-68 protocol=udp comment=";;; \
allow DHCP" disabled=no
add chain=services action=accept dst-port=8080 protocol=tcp comment=";;; allow \
Web Proxy" disabled=no
add chain=services action=accept dst-port=123 protocol=tcp comment=";;; allow \
NTP" disabled=no
add chain=services action=accept dst-port=161 protocol=tcp comment=";;; allow \
SNMP" disabled=no
add chain=services action=accept dst-port=443 protocol=tcp comment=";;; allow \
https for Hotspot" disabled=no
add chain=services action=accept dst-port=1080 protocol=tcp comment=";;; allow \
Socks for Hotspot" disabled=no
add chain=services action=accept dst-port=500 protocol=udp comment=";;; allow \
IPSec connections" disabled=no
add chain=services action=accept protocol=ipsec-esp comment=";;; allow IPSec" \
disabled=no
add chain=services action=accept protocol=ipsec-ah comment=";;; allow IPSec" \
disabled=no
add chain=services action=accept dst-port=179 protocol=tcp comment=";;; Allow \
BGP" disabled=no
add chain=services action=accept dst-port=520-521 protocol=udp comment=";;; \
allow RIP" disabled=no
add chain=services action=accept protocol=ospf comment=";;; allow OSPF" \
disabled=no
add chain=services action=accept dst-port=5000-5100 protocol=udp comment=";;; \
allow BGP" disabled=no
add chain=services action=drop dst-port=1720 protocol=tcp comment=";;; drop \
Telephony" disabled=no
add chain=services action=drop dst-port=1719 protocol=udp comment=";;; drop \
Telephony" disabled=no
add chain=services action=drop protocol=vrrp comment=";;; drop VRRP" \
disabled=no
add chain=services action=return comment="" disabled=no



add chain=forward action=accept connection-state=established comment=";;; \
accept established packets" disabled=no
add chain=forward action=accept connection-state=related comment=";;; accept \
related packets" disabled=no

add chain=forward action=drop connection-state=invalid comment=";;; drop \
invalid packets" disabled=no
add chain=forward action=jump jump-target=ICMP protocol=icmp comment=";;; jump \
to chain ICMP" disabled=no
add chain=forward action=jump jump-target=virus comment=";;; jump to virus \
chain" disabled=no
add chain=forward action=jump jump-target=msn comment=";;; jump to msn chain" \
disabled=no
add chain=forward action=jump jump-target=services_OUT comment=";;; jump to \
services_OUT chain" disabled=no
add chain=forward action=drop comment="" disabled=no



add chain=msn action=accept dst-port=1863 protocol=tcp comment=";;; MESSENGER \
OK" disabled=no
add chain=msn action=accept dst-address=207.46.110.0/24 protocol=tcp \
comment=";;; MESSENGER OK servers" disabled=no
add chain=msn action=accept dst-port=5190 protocol=tcp comment=";;; MESSENGER \
OK" disabled=no
add chain=msn action=accept dst-port=6901 protocol=tcp comment=";;; MESSENGER \
OK voz computer-computer" disabled=no
add chain=msn action=accept dst-port=6901 protocol=udp comment=";;; MESSENGER \
OK voz computer-computer" disabled=no
add chain=msn action=accept dst-port=6891-6900 protocol=tcp comment=";;; \
MESSENGER OK transferencia ficheros" disabled=no
add chain=msn action=accept dst-port=2001-2120 protocol=udp comment=";;; \
MESSENGER OK voice computer to phone" disabled=no
add chain=msn action=accept dst-port=6801 protocol=udp comment=";;; MESSENGER \
OK voice computer to phone" disabled=no
add chain=msn action=accept dst-port=6901 protocol=udp comment=";;; MESSENGER \
OK voice computer to phone" disabled=no
add chain=msn action=accept dst-port=5050 protocol=tcp comment=";;; yahoo \
MESSENGER OK" disabled=no
add chain=msn action=accept dst-port=5000-5001 protocol=tcp comment=";;; yahoo \
MESSENGER OK" disabled=no
add chain=msn action=accept dst-port=5100-5101 protocol=tcp comment=";;; yahoo \
MESSENGER OK" disabled=no
add chain=msn action=accept dst-port=5000-5010 protocol=udp comment=";;; yahoo \
MESSENGER OK" disabled=no
add chain=msn action=return comment="" disabled=no



add chain=virus action=drop dst-port=135-139 protocol=tcp comment=";;; Drop \
Blaster Worm" disabled=no
add chain=virus action=drop dst-port=135-139 protocol=udp comment=";;; Drop \
Messenger Worm" disabled=no
add chain=virus action=drop dst-port=445 protocol=tcp comment=";;; Drop \
Blaster Worm" disabled=no
add chain=virus action=drop dst-port=445 protocol=udp comment=";;; Drop \
Blaster Worm" disabled=no
add chain=virus action=drop dst-port=593 protocol=tcp comment=";;; ________" \
disabled=no
add chain=virus action=drop dst-port=1024-1030 protocol=tcp comment=";;; \
________" disabled=no
add chain=virus action=drop dst-port=1080 protocol=tcp comment=";;; Drop \
MyDoom" disabled=no
add chain=virus action=drop dst-port=1214 protocol=tcp comment=";;; ________" \
disabled=no
add chain=virus action=drop dst-port=1363 protocol=tcp comment=";;; ndm \
requester" disabled=no
add chain=virus action=drop dst-port=1364 protocol=tcp comment=";;; ndm \
server" disabled=no
add chain=virus action=drop dst-port=1368 protocol=tcp comment=";;; screen \
cast" disabled=no
add chain=virus action=drop dst-port=1373 protocol=tcp comment=";;; hromgrafx" \
disabled=no
add chain=virus action=drop dst-port=1377 protocol=tcp comment=";;; cichlid" \
disabled=no
add chain=virus action=drop dst-port=1433-1434 protocol=tcp comment=";;; Worm" \
disabled=no
add chain=virus action=drop dst-port=2745 protocol=tcp comment=";;; Bagle \
Virus" disabled=no
add chain=virus action=drop dst-port=2283 protocol=tcp comment=";;; Drop \
Dumaru.Y" disabled=no
add chain=virus action=drop dst-port=2535 protocol=tcp comment=";;; Drop \
Beagle" disabled=no
add chain=virus action=drop dst-port=2745 protocol=tcp comment=";;; Drop \
Beagle.C-K" disabled=no
add chain=virus action=drop dst-port=3127-3128 protocol=tcp comment=";;; Drop \
MyDoom" disabled=no
add chain=virus action=drop dst-port=3410 protocol=tcp comment=";;; Drop \
Backdoor OptixPro" disabled=no
add chain=virus action=drop dst-port=4444 protocol=tcp comment=";;; Worm" \
disabled=no
add chain=virus action=drop dst-port=4444 protocol=udp comment=";;; Worm" \
disabled=no
add chain=virus action=drop dst-port=5554 protocol=tcp comment=";;; Drop \
Sasser" disabled=no
add chain=virus action=drop dst-port=8866 protocol=tcp comment=";;; Drop \
Beagle.B" disabled=no
add chain=virus action=drop dst-port=9898 protocol=tcp comment=";;; Drop \
Dabber.A-B" disabled=no
add chain=virus action=drop dst-port=10000 protocol=tcp comment=";;; Drop \
Dumaru.Y" disabled=no
add chain=virus action=drop dst-port=10080 protocol=tcp comment=";;; Drop \
MyDoom.B" disabled=no
add chain=virus action=drop dst-port=12345 protocol=tcp comment=";;; Drop \
NetBus" disabled=no
add chain=virus action=drop dst-port=17300 protocol=tcp comment=";;; Drop \
Kuang2" disabled=no
add chain=virus action=drop dst-port=27374 protocol=tcp comment=";;; Drop \
SubSeven" disabled=no
add chain=virus action=drop dst-port=65506 protocol=tcp comment=";;; Drop \
PhatBot, Gaobot" disabled=no



add chain=services_OUT action=accept src-address=127.0.0.1 \
dst-address=127.0.0.1 comment=";;; accept localhost" disabled=no
add chain=services_OUT action=drop dst-port=20-21 protocol=tcp comment=";;; \
drop ftp" disabled=no
add chain=services_OUT action=drop dst-port=22 protocol=tcp comment=";;; drop \
sftp, ssh" disabled=no
add chain=services_OUT action=drop dst-port=23 protocol=tcp comment=";;; drop \
telnet" disabled=no
add chain=services_OUT action=accept dst-port=8291 protocol=tcp comment=";;; \
Allow winbox" disabled=no
add chain=services_OUT action=accept dst-port=20561 protocol=udp comment=";;; \
allow MACwinbox" disabled=no
add chain=services_OUT action=accept dst-port=2000 protocol=tcp comment=";;; \
Bandwidth server" disabled=no
add chain=services_OUT action=accept dst-port=5678 protocol=udp comment=";;; \
MT Discovery Protocol" disabled=no
add chain=services_OUT action=accept dst-port=53 protocol=tcp comment=";;; \
allow DNS request" disabled=no
add chain=services_OUT action=accept dst-port=53 protocol=udp comment=";;; \
Allow DNS request" disabled=no
add chain=services_OUT action=drop dst-port=1701 protocol=udp comment=";;; \
drop L2TP" disabled=no
add chain=services_OUT action=drop dst-port=3389 protocol=udp comment=";;; \
drop Remote Desktop" disabled=no
add chain=services_OUT action=drop dst-port=4899 protocol=udp comment=";;; \
drop RADMIN" disabled=no
add chain=services_OUT action=accept dst-port=1723 protocol=tcp comment=";;; \
allow PPTP" disabled=no
add chain=services_OUT action=accept dst-port=6665-6669 protocol=tcp \
comment=";;; allow IRC" disabled=no
add chain=services_OUT action=accept dst-port=6665-6669 protocol=udp \
comment=";;; allow IRC" disabled=no
add chain=services_OUT action=accept protocol=gre comment=";;; allow PPTP and \
EoIP" disabled=no
add chain=services_OUT action=accept protocol=ipencap comment=";;; allow IPIP" \
disabled=no
add chain=services_OUT action=accept dst-port=1900 protocol=udp comment=";;; \
UPnP" disabled=no
add chain=services_OUT action=accept dst-port=2828 protocol=tcp comment=";;; \
UPnP" disabled=no
add chain=services_OUT action=accept dst-port=67-68 protocol=udp comment=";;; \
allow DHCP" disabled=no
add chain=services_OUT action=accept dst-port=8080 protocol=tcp comment=";;; \
allow Web Proxy" disabled=no
add chain=services_OUT action=drop dst-port=36013 protocol=tcp comment=";;; \
drop skype por defecto" disabled=no
add chain=services_OUT action=accept dst-port=123 protocol=tcp comment=";;; \
allow NTP" disabled=no
add chain=services_OUT action=accept dst-port=161 protocol=tcp comment=";;; \
allow SNMP" disabled=no
add chain=services_OUT action=accept dst-port=80 protocol=tcp comment=";;; \
allow http" disabled=no
add chain=services_OUT action=accept dst-port=443 protocol=tcp comment=";;; \
allow https for Hotspot" disabled=no
add chain=services_OUT action=accept dst-port=1080 protocol=tcp comment=";;; \
allow Socks for Hotspot" disabled=no
add chain=services_OUT action=accept dst-port=500 protocol=udp comment=";;; \
allow IPSec connections" disabled=no
add chain=services_OUT action=accept protocol=ipsec-esp comment=";;; allow \
IPSec" disabled=no
add chain=services_OUT action=accept protocol=ipsec-ah comment=";;; allow \
IPSec" disabled=no
add chain=services_OUT action=accept dst-port=179 protocol=tcp comment=";;; \
Allow BGP" disabled=no
add chain=services_OUT action=accept dst-port=520-521 protocol=udp \
comment=";;; allow RIP" disabled=no
add chain=services_OUT action=accept protocol=ospf comment=";;; allow OSPF" \
disabled=no
add chain=services_OUT action=accept dst-port=5000-5100 protocol=udp \
comment=";;; allow BGP" disabled=no
add chain=services_OUT action=drop dst-port=1720 protocol=tcp comment=";;; \
drop Telephony" disabled=no
add chain=services_OUT action=drop dst-port=1719 protocol=udp comment=";;; \
drop Telephony" disabled=no
add chain=services_OUT action=drop protocol=vrrp comment=";;; drop VRRP" \
disabled=no
add chain=services_OUT action=accept dst-port=110 protocol=tcp comment=";;; \
allow email POP3" disabled=no
add chain=services_OUT action=accept dst-port=25 protocol=tcp comment=";;; \
allow email SMTP" disabled=no
add chain=services_OUT action=accept dst-port=465 protocol=tcp comment=";;; \
allow email SMTPs" disabled=no
add chain=services_OUT action=accept dst-port=995 protocol=tcp comment=";;; \
allow email sPOP3" disabled=no
add chain=services_OUT action=accept dst-port=143 protocol=tcp comment=";;; \
allow email IMAP4" disabled=no
add chain=services_OUT action=accept dst-port=993 protocol=tcp comment=";;; \
allow email sIMAP4" disabled=no
add chain=services_OUT action=return comment="" disabled=no



add chain=output action=drop connection-state=invalid comment=";;; drop \
invalid packets" disabled=no
add chain=output action=accept connection-state=established comment=";;; \
accept established packets" disabled=no
add chain=output action=accept connection-state=related comment=";;; accept \
related packets" disabled=no

add chain=output action=jump jump-target=ICMP protocol=icmp comment=";;; jump \
to chain ICMP" disabled=no
add chain=output action=jump jump-target=virus comment=";;; jump to virus \
chain" disabled=no
add chain=output action=jump jump-target=msn comment=";;; jump to msn chain" \
disabled=no
add chain=output action=jump jump-target=services_OUT comment=";;; jump to \
services_OUT chain" disabled=no
add chain=output action=drop comment="" disabled=no




Thanks!
Martín.
 
Testingpepe
newbie
Posts: 42
Joined: Tue Apr 19, 2005 6:25 pm

Re: Firewall info/question

Mon Jan 14, 2008 2:34 pm

There is a lot of established and related state, so if you want this to work better, change the order of your rules. First drop, then allow; that's gonna solve your problem.
 
Ibersystems
Forum Guru
Topic Author
Posts: 1686
Joined: Wed Apr 12, 2006 12:29 am
Location: Cabrils, Barcelona - Spain

Re: Firewall info/question

Mon Jan 14, 2008 5:25 pm

Hi!

Would a structure like this work better?

add chain=output action=drop connection-state=invalid comment=";;; drop \
invalid packets" disabled=no
add chain=output action=jump jump-target=ICMP protocol=icmp comment=";;; jump \
to chain ICMP" disabled=no
add chain=output action=jump jump-target=virus comment=";;; jump to virus \
chain" disabled=no
add chain=output action=jump jump-target=msn comment=";;; jump to msn chain" \
disabled=no
add chain=output action=jump jump-target=services_OUT comment=";;; jump to \
services_OUT chain" disabled=no
add chain=output action=accept connection-state=established comment=";;; \
accept established packets" disabled=no
add chain=output action=accept connection-state=related comment=";;; accept \
related packets" disabled=no
add chain=output action=drop comment="" disabled=no

Thanks,
Martín.
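An added example (my own code, not the thread's configuration): a small Python model of first-match chain evaluation that replays a constructed packet sample against the original ordering, against the "drop first, then allow" ordering from the reply, and against the state rules being deleted, so the per-rule counters and the verdicts can be compared. The cut-down "services" chain, the rule names and the packet sample are assumptions for illustration, not the poster's real rules.

```python
from dataclasses import dataclass, field

@dataclass
class Rule:
    action: str                         # accept / drop / jump / return
    match: dict = field(default_factory=dict)   # packet fields that must all be equal
    target: str = ""                    # jump-target when action == "jump"
    name: str = ""                      # label used for the hit counters
    hits: int = 0                       # the "packets" counter of /ip firewall filter print stats

def walk(chains, name, pkt):
    """First-match walk of one chain: 'accept'/'drop', or None when it ends or returns."""
    for rule in chains[name]:
        if any(pkt.get(k) != v for k, v in rule.match.items()):
            continue
        rule.hits += 1
        if rule.action == "jump":
            verdict = walk(chains, rule.target, pkt)
            if verdict is not None:
                return verdict
        elif rule.action == "return":
            return None
        else:
            return rule.action
    return None

def build_chains(variant):
    """Constructed, cut-down input chain: only the state rules move ('original',
    'drop-first') or disappear ('deleted'); the per-port 'services' rules stay put."""
    state = [Rule("accept", {"state": "established"}, name="established"),
             Rule("accept", {"state": "related"}, name="related")]
    jump = Rule("jump", target="services", name="jump-services")
    last = Rule("drop", name="final-drop")
    layout = {"original": state + [jump, last],
              "drop-first": [jump] + state + [last],
              "deleted": [jump, last]}[variant]
    services = [Rule("drop", {"proto": "tcp", "dport": 3389}, name="drop-rdp"),
                Rule("accept", {"proto": "tcp", "dport": 80}, name="accept-http"),
                Rule("return", name="return")]
    return {"input": layout, "services": services}

TRAFFIC = (  # constructed packet sample as seen by the router's input chain
    [{"proto": "tcp", "dport": 80, "state": "new"}]                  # client SYN to the hotspot
    + [{"proto": "tcp", "dport": 80, "state": "established"}] * 9    # rest of that HTTP flow
    + [{"proto": "tcp", "dport": 3389, "state": "new"}]              # unwanted RDP attempt
    + [{"proto": "udp", "dport": 40000, "state": "established"}] * 2 # replies to the router's own DNS queries
)

def run(variant):
    """Returns (verdict per packet, hits per rule) for one chain layout."""
    chains = build_chains(variant)
    # A built-in chain that ends without a match accepts by default in RouterOS.
    verdicts = [walk(chains, "input", pkt) or "accept" for pkt in TRAFFIC]
    hits = {r.name: r.hits for chain in chains.values() for r in chain}
    return verdicts, hits
```

The verdicts are identical for the two orderings because a packet dropped while "new" never becomes a confirmed tracked connection in Linux/RouterOS connection tracking, so the established rule can only count packets of flows the port rules already let through; it simply gets every packet after the first, which is why its counter is so much larger. Deleting it changes the outcome instead: the replies to the router's own connections (the two DNS answers here) fall through to the final drop.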
