lkaroly
just joined
Topic Author
Posts: 13
Joined: Tue Dec 15, 2009 8:28 pm

Firewall Help

Sat Aug 07, 2010 4:26 pm

Hello guys, I need a little help to set up a firewall. Here is the situation: I am using this firewall:
/ip firewall filter
add chain=input protocol=tcp connection-limit=100,32 action=add-src-to-address-list address-list=blocked-addr address-list-timeout=1d
add chain=input protocol=tcp src-address-list=blocked-addr connection-limit=3,32 action=tarpit
# Without these two rules the "Drop everything else" rule at the end of the input chain also drops the reply packets of sessions to the router itself (for example the WinBox session accepted below).
add chain=input connection-state=established action=accept comment="allow established to router"
add chain=input connection-state=related action=accept comment="allow related to router"
add chain=forward protocol=tcp tcp-flags=syn connection-state=new action=jump jump-target=SYN-Protect comment="SYN Flood protect" disabled=yes
add chain=SYN-Protect protocol=tcp tcp-flags=syn limit=400,5 connection-state=new action=accept comment="" disabled=no
add chain=SYN-Protect protocol=tcp tcp-flags=syn connection-state=new action=drop comment="" disabled=no
add action=accept chain=forward comment="allow established connections" connection-state=established disabled=no
add action=accept chain=forward comment="allow related connections" connection-state=related disabled=no
add action=drop chain=forward comment="drop invalid connections" connection-state=invalid disabled=no
add action=jump chain=forward comment="jump to the virus chain" disabled=no jump-target=virus
add action=drop chain=virus comment="Drop Blaster Worm" disabled=no dst-port=135-139 protocol=tcp
add action=drop chain=virus comment="Drop Messenger Worm" disabled=no dst-port=135-139 protocol=udp
add action=drop chain=virus comment="Drop Blaster Worm" disabled=no dst-port=445 protocol=tcp
add action=drop chain=virus comment="Drop Blaster Worm" disabled=no dst-port=445 protocol=udp
add action=drop chain=virus comment=________ disabled=no dst-port=593 protocol=tcp
add action=drop chain=virus comment=________ disabled=no dst-port=1024-1030 protocol=tcp
add action=drop chain=virus comment="Drop MyDoom" disabled=no dst-port=1080 protocol=tcp
add action=drop chain=virus comment=________ disabled=no dst-port=1214 protocol=tcp
add action=drop chain=virus comment="ndm requester" disabled=no dst-port=1363 protocol=tcp
add action=drop chain=virus comment="ndm server" disabled=no dst-port=1364 protocol=tcp
add action=drop chain=virus comment="screen cast" disabled=no dst-port=1368 protocol=tcp
add action=drop chain=virus comment=hromgrafx disabled=no dst-port=1373 protocol=tcp
add action=drop chain=virus comment=cichlid disabled=no dst-port=1377 protocol=tcp
add action=drop chain=virus comment=Worm disabled=no dst-port=1433-1434 protocol=tcp
add action=drop chain=virus comment="Bagle Virus" disabled=no dst-port=2745 protocol=tcp
add action=drop chain=virus comment="Drop Dumaru.Y" disabled=no dst-port=2283 protocol=tcp
add action=drop chain=virus comment="Drop Beagle" disabled=no dst-port=2535 protocol=tcp
add action=drop chain=virus comment="Drop Beagle.C-K" disabled=no dst-port=2745 protocol=tcp
add action=drop chain=virus comment="Drop MyDoom" disabled=no dst-port=3127-3128 protocol=tcp
add action=drop chain=virus comment="Drop Backdoor OptixPro" disabled=no dst-port=3410 protocol=tcp
add action=drop chain=virus comment=Worm disabled=no dst-port=4444 protocol=tcp
add action=drop chain=virus comment=Worm disabled=no dst-port=4444 protocol=udp
add action=drop chain=virus comment="Drop Sasser" disabled=no dst-port=5554 protocol=tcp
add action=drop chain=virus comment="Drop Beagle.B" disabled=no dst-port=8866 protocol=tcp
add action=drop chain=virus comment="Drop Dabber.A-B" disabled=no dst-port=9898 protocol=tcp
add action=drop chain=virus comment="Drop Dumaru.Y" disabled=no dst-port=10000 protocol=tcp
add action=drop chain=virus comment="Drop MyDoom.B" disabled=no dst-port=10080 protocol=tcp
add action=drop chain=virus comment="Drop NetBus" disabled=no dst-port=12345 protocol=tcp
add action=drop chain=virus comment="Drop Virus" disabled=no dst-port=12667 protocol=udp
add action=drop chain=virus comment="Drop Kuang2" disabled=no dst-port=17300 protocol=tcp
add action=drop chain=virus comment="Drop SubSeven" disabled=no dst-port=27374 protocol=tcp
add action=drop chain=virus comment="Drop PhatBot, Agobot, Gaobot" disabled=no dst-port=65506 protocol=tcp
add action=accept chain=forward comment="Allow HTTP" disabled=no dst-port=80 protocol=tcp
add action=accept chain=forward comment="Authorised Mail" disabled=no dst-address-list="safe mailers" dst-port=25 protocol=tcp
# The negation "!" has to sit outside the quotes; a quoted "!safe mailers" is a literal (non-existent) list name and the rule never matches. Once this drop is in place the two spammer rules below no longer see any port 25 traffic.
add action=drop chain=forward comment="Unauthorised Mail" disabled=no dst-address-list=!"safe mailers" dst-port=25 protocol=tcp
add action=add-src-to-address-list address-list=spammer address-list-timeout=1d chain=forward comment="Detect and add-list SMTP virus or spammers" connection-limit=30,24 disabled=no dst-port=25 limit=50,5 protocol=tcp
add action=drop chain=forward comment="BLOCK SPAMMERS OR INFECTED USERS" disabled=no dst-port=25 protocol=tcp src-address-list=spammer
add action=accept chain=forward comment="allow TCP" disabled=no protocol=tcp
add action=accept chain=forward comment="allow ping" disabled=no protocol=icmp
add action=accept chain=forward comment="allow udp" disabled=no protocol=udp
# PPTP needs GRE (IP protocol 47). Without protocol=gre this rule matched every remaining forwarded packet.
add action=accept chain=forward comment="VPN pptp (GRE)" disabled=no protocol=gre
add chain=input protocol=tcp dst-port=8291 connection-state=new action=accept comment="Allow WinBox"
add chain=input action=drop comment="Drop everything else"

And my problem is that my ISP is closing my internet connection due to flood protection. I searched for suspicious packets but I didn't find anything wrong. My ISP has an automatic script which closes my internet connection. What am I doing wrong? Please help.
The RouterBOARDs which I am using are RB450G.
Thanks.
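What the posted ruleset cannot do is tell you which LAN host is generating the flood: every rule in the forward chain is either a port-based drop or a blanket accept, and the UDP and ICMP accepts at the bottom pass any volume. The rules below are an added example, not part of lkaroly's configuration, and use RouterOS's dst-limit matcher, which keeps a separate packet-rate counter per source address (unlike limit, which is one global counter). Assumed and therefore adjustable: the LAN is 192.168.0.0/24, the uplink is ether1, the address list name flood-src, and the rates (50 UDP packets/s and 5 ICMP packets/s per host with a short burst). Put the whole group at the top of the forward chain, above the "allow established connections" rule, for example with place-before=0 on each add; if it goes below the generic "allow ping" and "allow udp" accepts it never matches. The forward chain sees the real LAN source address because src-nat happens after forward, so the list will contain the inside host, not the public address.

```routeros
# Added example, not from the original post. Assumptions: LAN 192.168.0.0/24,
# uplink ether1, list name flood-src, rates below are starting values.
/ip firewall filter
# 1. A host already flagged stays blocked for the list timeout; this sits above
#    the established/related accepts so its existing flows are cut as well.
add chain=forward src-address-list=flood-src action=drop comment="drop quarantined LAN hosts"
# 2. Per-host rate: dst-limit=rate/time,burst,mode/expire. Packets inside the
#    budget are accepted here; anything above it falls through to the rules below.
add chain=forward src-address=192.168.0.0/24 out-interface=ether1 protocol=udp dst-limit=50/1s,100,src-address/1m action=accept comment="UDP within per-host rate"
add chain=forward src-address=192.168.0.0/24 out-interface=ether1 protocol=icmp dst-limit=5/1s,10,src-address/1m action=accept comment="ICMP within per-host rate"
# 3. Excess traffic: log it (limit keeps the flood from filling the log) and
#    quarantine the source for an hour. Both actions are non-terminating, so the
#    first excess packet still reaches the old accept rules; every packet after
#    it is caught by rule 1.
add chain=forward src-address=192.168.0.0/24 out-interface=ether1 protocol=udp action=log log-prefix="udp-flood" limit=1,5 comment="log UDP flood source"
add chain=forward src-address=192.168.0.0/24 out-interface=ether1 protocol=udp action=add-src-to-address-list address-list=flood-src address-list-timeout=1h comment="quarantine UDP flooder"
add chain=forward src-address=192.168.0.0/24 out-interface=ether1 protocol=icmp action=log log-prefix="icmp-flood" limit=1,5 comment="log ICMP flood source"
add chain=forward src-address=192.168.0.0/24 out-interface=ether1 protocol=icmp action=add-src-to-address-list address-list=flood-src address-list-timeout=1h comment="quarantine ICMP flooder"
```

After a few minutes `/ip firewall address-list print where list=flood-src` names the infected or misconfigured machine, and `/log print where message~"flood"` shows the source port and destination it was hammering. `/tool torch interface=ether1 protocol=udp src-address=192.168.0.0/24` gives the same answer live while the flood is running. A flood that keeps tripping the ISP even with these rules in place would mean the traffic is not coming from that subnet at all (spoofed source, or the router itself), which is worth ruling out with torch on the uplink before blaming the LAN.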
 
usmc58xx
newbie
Posts: 25
Joined: Tue Aug 03, 2010 12:39 am

Re: Firewall Help

Sat Aug 07, 2010 11:46 pm

Have you contacted your ISP to find out if that is in fact what is going on?
 
lkaroly
just joined
Topic Author
Posts: 13
Joined: Tue Dec 15, 2009 8:28 pm

Re: Firewall Help

Sat Aug 14, 2010 7:00 pm

Yes, I contacted my ISP and they said that they don't have logs about the traffic and can't tell where it is coming from, but it looks like it is coming from my network and not from outside. But the problem is that I don't see any strange traffic, and with the current firewall settings it is passing my routers. I'd appreciate some help. Thanks.
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: Firewall Help

Sat Aug 14, 2010 7:03 pm

Without much more specific details it'll be hard to help you.

Right now I would suggest switching ISPs so that you partner with someone competent who can help you troubleshoot perceived issues with your connection.
 
adrianatkins
Long time Member
Posts: 556
Joined: Wed Sep 05, 2007 10:34 am
Location: Spain

Re: Firewall Help

Sat Aug 14, 2010 7:09 pm

Your ISP sounds nasty.

Telefonica (in Spain) are very helpful. If you send too many emails, they block port 25.
 
lkaroly
just joined
Topic Author
Posts: 13
Joined: Tue Dec 15, 2009 8:28 pm

Re: Firewall Help

Sun Aug 15, 2010 11:11 am

Yeah, they are a little nasty, but it looks like it is an ICMP or UDP flood. Can you tell me a firewall rule to stop these? It is coming from inside the network.
 
lkaroly
just joined
Topic Author
Posts: 13
Joined: Tue Dec 15, 2009 8:28 pm

Re: Firewall Help

Sun Aug 15, 2010 11:15 am

And I searched the forum for how to stop the ping of death but didn't find any information. Thanks.
 
SurferTim
Forum Guru
Posts: 4636
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: Firewall Help

Sun Aug 15, 2010 1:13 pm

You can try blocking icmp forwarding temporarily to see if that helps. Change the icmp forward rule to drop or reject rather than accept.
 
lkaroly
just joined
Topic Author
Posts: 13
Joined: Tue Dec 15, 2009 8:28 pm

Re: Firewall Help

Sun Aug 15, 2010 1:25 pm

Now I didn't stop the ICMP, but I made a rule to accept only 5 packets/sec, to see what is happening.
Thanks for the help.
Later I will post the results.
 
lkaroly
just joined
Topic Author
Posts: 13
Joined: Tue Dec 15, 2009 8:28 pm

Re: Firewall Help

Sun Aug 15, 2010 6:58 pm

This didn't help; the problem persists. It remains the UDP packets. Now I can't find a filter for UDP packets. Thanks.
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: Firewall Help

Sun Aug 15, 2010 8:39 pm

Read the wiki and learn how to construct firewall rules.

To drop all UDP, that's something like
/ip firewall filter
add chain=forward protocol=udp action=drop
Of course that's a horrible idea, so you'll have to be more specific by port.
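"More specific by port" in practice means an egress allow-list: enumerate the UDP services the LAN legitimately needs, accept those, and log-and-drop the rest. The rules below are an added example, not fewi's or the original poster's configuration. Assumptions: LAN 192.168.0.0/24, uplink ether1, the ISP's resolvers kept in an address list named isp-dns (the 203.0.113.x addresses are documentation placeholders), and the allowed ports (DNS, NTP, IPsec) are a starting point to be extended with whatever the network really uses (VoIP, games, other VPNs). These rules have to go above the existing "allow udp" accept, or that rule has to be disabled, otherwise they never match.

```routeros
# Added example, not from the thread. Assumptions: LAN 192.168.0.0/24,
# uplink ether1, placeholder resolver addresses, starting set of ports.
/ip firewall address-list
add list=isp-dns address=203.0.113.10 comment="ISP resolver 1 (placeholder)"
add list=isp-dns address=203.0.113.11 comment="ISP resolver 2 (placeholder)"
/ip firewall filter
# DNS only towards the resolvers the network is supposed to use. A LAN host
# sending UDP/53 anywhere else is misconfigured or taking part in a flood.
add chain=forward src-address=192.168.0.0/24 out-interface=ether1 protocol=udp dst-port=53 dst-address-list=isp-dns action=accept comment="DNS to ISP resolvers"
add chain=forward src-address=192.168.0.0/24 out-interface=ether1 protocol=udp dst-port=123 action=accept comment="NTP"
add chain=forward src-address=192.168.0.0/24 out-interface=ether1 protocol=udp dst-port=500,4500 action=accept comment="IPsec IKE and NAT-T"
# Everything else: log it (rate limited, so a flood cannot fill the log) and
# drop it. log is non-terminating, which is why the drop follows as its own rule.
add chain=forward src-address=192.168.0.0/24 out-interface=ether1 protocol=udp action=log log-prefix="udp-egress-drop" limit=2,10 comment="log unexpected outbound UDP"
add chain=forward src-address=192.168.0.0/24 out-interface=ether1 protocol=udp action=drop comment="default deny outbound UDP"
```

Each dropped packet produces a log line of the form `udp-egress-drop forward: in:ether2 out:ether1, ..., proto UDP, 192.168.0.x:port->dst:port, len N`, so `/log print where message~"udp-egress-drop"` shows both the inside host and the destination port it was using; that is exactly the evidence the ISP said it could not provide. Expect some legitimate breakage on the first day (a client configured for public DNS, a game, a softphone) and add those ports or destinations as accept rules above the drop rather than reopening UDP wholesale.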
 
adrianatkins
Long time Member
Posts: 556
Joined: Wed Sep 05, 2007 10:34 am
Location: Spain

Re: Firewall Help

Mon Aug 16, 2010 12:32 am

Sounds like a Great Idea.

TCP only Internet. Bliss.
