Muhammad
Member Candidate
Topic Author
Posts: 141
Joined: Wed Aug 20, 2008 9:15 pm
Location: Pakistan

Best configured Bridge Filter Rules

Sat Apr 17, 2010 9:47 am

Hi MikroTik gurus,

Can you share your bridge filter rules and some examples of bridge filter rules?

Help others as you would want help from someone else.


===============================
one example

# apr/17/2010 10:26:22 by RouterOS 4.6
#
#
/interface bridge filter
add action=log chain=forward comment="" disabled=yes in-interface=!ether1 log-prefix="Broadcast from Wireless" out-interface=!ether1

add action=drop chain=forward comment="" disabled=no in-interface=!ether1 out-interface=!ether1

add action=mark-packet chain=forward comment="Mark All Other Traffic" disabled=yes new-packet-mark="All Other Traffic" out-interface=ether1

add action=accept chain=forward comment="Allow All ARP" disabled=no mac-protocol=arp

add action=drop chain=forward comment="Drop Bridge Relaying" disabled=yes in-bridge=bridge1 out-bridge=bridge1

add action=drop chain=forward comment="Especially Drop Anything That Says It Is 10.0" disabled=yes mac-protocol=ip out-interface="(unknown)" src-address=192.168.10.0/24

add action=accept chain=forward comment="Allow DHCP Requests To Pass" disabled=no dst-address=255.255.255.255/32 dst-port=67 ip-protocol=udp mac-protocol=ip out-interface=ether1 src-address=0.0.0.0/32 src-port=68
add action=log chain=input comment="Block DHCP servers on 192.168.0.0/16" disabled=yes dst-address=255.255.255.255/32 ip-protocol=udp log-prefix="ALERT ROGUE DHCP (BLOCKED)" mac-protocol=ip src-address=192.168.0.0/16 src-port=67-68
add action=drop chain=input comment="Block DHCP servers on 192.168.0.0/16" disabled=yes dst-address=255.255.255.255/32 ip-protocol=udp mac-protocol=ip src-address=192.168.0.0/16 src-port=67-68

add action=accept chain=forward comment="Permit Arp Traffic Out bridge1" disabled=no mac-protocol=arp out-interface=ether1

add action=log chain=forward comment="Drop All Non IP Traffic Out bridge1" disabled=yes log-prefix="non ip traffic" mac-protocol=!ip out-interface=ether1
add action=drop chain=forward comment="Drop All Non IP Traffic Out bridge1" disabled=yes mac-protocol=!ip out-interface=ether1

add action=accept chain=forward comment="Accept office Addresses" disabled=yes mac-protocol=ip out-interface=ether1 src-address=192.168.102.0/24
add action=accept chain=forward comment="Accept office Addresses" disabled=yes mac-protocol=ip out-interface=ether1 src-address=192.168.202.0/24
add action=drop chain=forward comment="Drop All Other Addresses" disabled=yes mac-protocol=ip out-interface=ether1


===============================

Thanks
Last edited by Muhammad on Sat Apr 17, 2010 10:29 am, edited 3 times in total.
Any thoughts?
think about Karma
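The two disabled "Block DHCP servers" rules in the post above are one way to approach rogue DHCP. What follows is an added example written for this thread, not the poster's config and not MikroTik's own documentation. It assumes a bridge named bridge1 whose uplink port is ether1 and that the only legitimate DHCP server sits behind ether1; those names are assumptions, adjust them to the real bridge. It matches the server-to-client direction (UDP source port 67 to destination port 68) in the forward chain, which sees every frame crossing between bridge ports, so unicast OFFER/ACK replies are caught as well as the broadcast ones that a dst-address=255.255.255.255 match would see; the same match is repeated in the input chain for frames addressed to the router itself.

```routeros
# Added example (editor's, not the poster's config). Assumptions: the bridge
# is bridge1, its uplink port is ether1, and the only legitimate DHCP server
# is behind ether1. Every other bridge port is a client (wired or wireless)
# port.
/interface bridge filter

# Server -> client replies (OFFER/ACK/NAK) travel UDP sport 67 -> dport 68.
# The forward chain sees frames crossing between bridge ports, so unicast
# replies are matched as well as broadcast ones. Log first, then drop, so
# the rogue server's port shows up in the log.
add chain=forward in-interface=!ether1 mac-protocol=ip ip-protocol=udp \
    src-port=67 dst-port=68 action=log log-prefix="ROGUE-DHCP" \
    comment="Rogue DHCP: log server replies entering from a client port"
add chain=forward in-interface=!ether1 mac-protocol=ip ip-protocol=udp \
    src-port=67 dst-port=68 action=drop \
    comment="Rogue DHCP: drop server replies entering from a client port"

# The input chain sees frames addressed to the router itself. This keeps a
# rogue server from answering the router's own DHCP client on bridge1, if
# it has one.
add chain=input in-interface=!ether1 mac-protocol=ip ip-protocol=udp \
    src-port=67 dst-port=68 action=drop \
    comment="Rogue DHCP: protect the router's own DHCP client"

# Client -> server requests (sport 68 -> dport 67) are intentionally left
# alone: they must still reach the real server behind ether1.
```

Check that the rules actually see traffic with `/interface bridge filter print stats` (per-rule packet counters) and `/log print where message~"ROGUE-DHCP"`. Two caveats: on RouterOS versions with bridge hardware offloading, frames switched inside the switch chip never reach the CPU and so never hit bridge filter rules; the ports that need filtering must have hardware offloading turned off (hw=no on the bridge port) or be covered by the switch chip's own rules. And if a DHCP relay sits behind a client port, its server-side traffic is port 67 to port 67 and would need its own accept rule ahead of these.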
 
SWERabbiT
just joined
Posts: 4
Joined: Sat Mar 27, 2010 8:09 pm

Re: Best configured Bridge Filter Rules

Sat Apr 17, 2010 9:55 am

Muhammad wrote:
> Hi MikroTik gurus,
>
> Can you share your bridge filter rules and some examples of bridge filter rules?
>
> Help others as you would want help from someone else.
>
> Thanks

Flags: X - disabled, I - invalid, D - dynamic
0 ;;; Established connections
chain=input action=accept connection-state=established

1 ;;; Related connections
chain=input action=accept connection-state=related

2 ;;; Log invalid connections
chain=input action=log connection-state=invalid log-prefix=""

3 ;;; Drop invalid connections
chain=input action=drop connection-state=invalid

4 ;;; Drop Blaster Worm
chain=forward action=drop dst-port=135-139 protocol=tcp

5 ;;; Drop Messenger Worm
chain=forward action=drop dst-port=135-139 protocol=udp

6 ;;; Drop Blaster Worm
chain=forward action=drop dst-port=445 protocol=tcp

7 ;;; Drop Blaster Worm
chain=forward action=drop dst-port=445 protocol=udp

8 chain=forward action=drop dst-port=593 protocol=tcp

9 chain=forward action=drop dst-port=1024-1030 protocol=tcp

10 chain=forward action=drop dst-port=1080 protocol=tcp

11 chain=forward action=drop dst-port=1214 protocol=tcp

12 chain=forward action=drop dst-port=1363 protocol=tcp

13 chain=forward action=drop dst-port=1368 protocol=tcp

14 chain=forward action=drop dst-port=1373 protocol=tcp

15 chain=forward action=drop dst-port=1433-1434 protocol=tcp

16 chain=forward action=drop dst-port=2283 protocol=tcp

17 chain=forward action=drop dst-port=2535 protocol=tcp

18 chain=forward action=drop dst-port=2745 protocol=tcp

19 chain=forward action=drop dst-port=3127-3128 protocol=tcp

20 chain=forward action=drop dst-port=3410 protocol=tcp

21 chain=forward action=drop dst-port=4444 protocol=tcp

22 chain=forward action=drop dst-port=4444 protocol=udp

23 chain=forward action=drop dst-port=5554 protocol=tcp

24 chain=forward action=drop dst-port=8866 protocol=tcp

25 chain=forward action=drop dst-port=9898 protocol=tcp

26 chain=forward action=drop dst-port=10000 protocol=tcp

27 chain=forward action=drop dst-port=10080 protocol=tcp

28 chain=forward action=drop dst-port=9000 protocol=udp

29 chain=forward action=drop dst-port=5000 protocol=udp

30 chain=forward action=drop dst-port=1900 protocol=udp

I hope this helps.
 
kazanova
Member
Posts: 407
Joined: Tue Sep 06, 2005 11:52 am

Re: Best configured Bridge Filter Rules

Sat Apr 17, 2010 6:51 pm

The idea must build on your goal.
What is your goal, so that friends can help you?
"Indeed, We sent down the Torah, in which was guidance and light. The prophets who submitted judged by it for the Jews, as did the rabbis and scholars, by that with which they were entrusted of the Scripture of Allah, and they were witnesses thereto. So do not fear the people but fear Me, and do not exchange My verses for a small price. And whoever does not judge by what Allah has revealed, it is those who are the disbelievers." (Quran 5:44)
 
samansenju
just joined
Posts: 23
Joined: Thu Oct 23, 2014 10:35 am

Re: Best configured Bridge Filter Rules

Thu Jan 22, 2015 1:41 am

Hi folks,

Would you like to share bridge filtering to block a loop between two bridges?
And what protocol or port usually causes a loop? And what happens, or what is the effect, if I drop it?
 
samansenju
just joined
Posts: 23
Joined: Thu Oct 23, 2014 10:35 am

Re: Best configured Bridge Filter Rules

Thu Jan 22, 2015 2:01 am

Is it enough like this?
0 chain=forward action=drop dst-mac-address=01:00:0C:CC:CC:CC/FF:FF:FF:FF:FF:FF

1 chain=forward action=accept in-interface=EOIP-400-ANTP mac-protocol=ip dst-port=5678 ip-protocol=udp

2 chain=input action=accept in-interface=EOIP-400-ANTP mac-protocol=ip dst-port=5678 ip-protocol=udp

3 chain=output action=accept mac-protocol=ip dst-port=5678 ip-protocol=udp

4 chain=forward action=drop mac-protocol=ip packet-type=broadcast

5 chain=forward action=drop mac-protocol=ipv6 packet-type=broadcast
 
kujo
Member Candidate
Posts: 164
Joined: Sat Jun 18, 2016 10:17 am
Location: Ukraine

Re: Best configured Bridge Filter Rules

Fri Dec 09, 2016 10:53 am

Drop client-to-client talk in the bridge, and also drop fake DHCP (if DHCP is on the bridge interface). For a guest Wi-Fi network:
/interface bridge filter
add action=drop chain=forward comment="Drop all to !bridge self host" in-bridge=bridge-guest out-bridge=bridge-guest packet-type=!host
 
johnsilver
newbie
Posts: 33
Joined: Tue Aug 23, 2011 12:53 pm

Re: Best configured Bridge Filter Rules

Thu Jan 05, 2017 6:06 pm

kujo wrote:
> Drop client-to-client talk in the bridge, and also drop fake DHCP (if DHCP is on the bridge interface). For a guest Wi-Fi network:
> /interface bridge filter
> add action=drop chain=forward comment="Drop all to !bridge self host" in-bridge=bridge-guest out-bridge=bridge-guest packet-type=!host

This way you will block not only DHCP, but all traffic from WLAN hosts to LAN hosts, for example SMB.
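kujo's packet-type rule and the in-interface=!ether1 out-interface=!ether1 rule in the first post both aim at guest client isolation. Here is an added example, written for this thread and not code from either poster, of the isolation rule formulated so that guests keep reaching the uplink (gateway, DHCP, DNS) but not each other, followed by the bridge port split-horizon setting that gives the same result without a filter rule. It assumes a bridge named bridge-guest whose uplink port is ether1, that every other port of that bridge carries guest clients, and a wireless interface named wlan-guest; all of those names are assumptions.

```routeros
# Added example (editor's, not from kujo's or Muhammad's posts). Assumptions:
# the guest bridge is bridge-guest, its uplink port (router/gateway, DHCP and
# DNS side) is ether1, and every other port of that bridge carries guests.
/interface bridge filter

# A forwarded frame that neither enters from nor leaves through the uplink is
# guest-to-guest. No mac-protocol match is given on purpose: ARP is dropped
# too, so guests cannot even resolve each other's MAC addresses. Guest <->
# uplink frames (DHCP, gateway, DNS, internet) are untouched.
add chain=forward in-bridge=bridge-guest in-interface=!ether1 \
    out-interface=!ether1 action=drop \
    comment="Guest isolation: drop frames between guest ports"

# The same result without a filter rule: bridge ports that share a horizon
# value are never forwarded to each other (split horizon). The uplink keeps
# horizon=none, so it still exchanges frames with every guest port.
/interface bridge port
set [ find bridge=bridge-guest interface!=ether1 ] horizon=1

# Clients of the same access point can be forwarded to each other inside the
# AP without the frame ever reaching the bridge, so neither of the settings
# above sees that traffic. Turn it off on the wireless interface as well
# (RouterOS v6 wireless package; wlan-guest is an assumed name).
/interface wireless
set wlan-guest default-forwarding=no
```

What this does not do: hosts that sit behind the uplink, for example a LAN subnet the router routes for, are still reachable from guests because that traffic passes through ether1. Restricting guest-to-LAN at that point is a job for /ip firewall filter in the forward chain, not for the bridge filter. As with any bridge filter rule, frames that are hardware-offloaded in the switch chip bypass it; the split-horizon setting and default-forwarding=no do not have that limitation.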
