[req] 2.9.6 spyware n virus ports

Posted: Tue Oct 25, 2005 10:31 am
by larmaid
anyone knows the spyware n virus port....?
and how can we block them in mikrotik....is it in forward...!

Posted: Tue Oct 25, 2005 1:19 pm
by andrewluck
There are various lists of ports used by viruses and worms available on the Internet and they're getting longer by the day.

A far better approach is to determine the traffic that your network is legitimately using and then set rules to allow that traffic and deny everything else.

Regards

Andrew

Posted: Thu Oct 27, 2005 12:22 pm
by larmaid
thx andrew....!
i've blocked every port except 80 for http..!
the script is like this

ip firewall>add src-address=10.10.0.0/16 dst-port=!80 action=drop chain=forward

why is port 80 also drop....?

Posted: Thu Oct 27, 2005 1:44 pm
by yancho
Your internet is for free? Dropping all except the standard web port is very cruel...
You should specify port, like /ip firewall filter add src-address=10.10.0.0/16 dst-port=!80 action=drop chain=forward protocol=tcp

Posted: Thu Oct 27, 2005 1:58 pm
by lastguru
thx andrew....!
i've blocked every port except 80 for http..!
the script is like this

ip firewall>add src-address=10.10.0.0/16 dst-port=!80 action=drop chain=forward

why is port 80 also drop....?
because you did not specify the protocol

Posted: Thu Oct 27, 2005 2:01 pm
by normis
yes, you don't allow your users to use email and ftp? how about secure websites like banks?

Posted: Sun Oct 30, 2005 4:05 pm
by larmaid
thx for the answer......im sorry, i did specify the protocol, so this is my original script....:

ip firewall>add src-address=10.10.0.0/16 protocol=tcp dst-port=!80 action=drop chain=forward

still port 80 also drop......? :(

@normis yes i want to allow other ports like 25 n 110 but i want some users to not be able to use anything except internet(80)...!

btw what is the difference between input and forward.....and web-proxy...!

Posted: Sun Oct 30, 2005 7:17 pm
by andrewluck
You need to allow the return traffic with rules similar to these:
28   ;;; Accept Internet Established
     chain=forward in-interface=Internet connection-state=established 
     action=accept 

29   ;;; Accept Internet Related
     chain=forward in-interface=Internet connection-state=related 
     action=accept

Posted: Sun Oct 30, 2005 8:07 pm
by larmaid
do i need to enable or disable ip proxy....?

Posted: Sun Oct 30, 2005 8:34 pm
by wildbill442
Here's a list of protocols I allow for restricted free use areas...
add chain=guest-network connection-state=invalid action=drop comment="Drop Invalid" disabled=no 
add chain=guest-network connection-state=established action=accept comment="Accept Established" disabled=no 
add chain=guest-network connection-state=related action=accept comment="Accept Related" disabled=no 
add chain=guest-network protocol=tcp dst-port=80 action=accept comment="HTTP" disabled=no 
add chain=guest-network protocol=tcp dst-port=20-21 action=accept comment="FTP" disabled=no 
add chain=guest-network protocol=tcp dst-port=110 action=accept comment="POP3" disabled=no 
add chain=guest-network protocol=tcp dst-port=25 action=accept comment="SMTP" disabled=no 
add chain=guest-network protocol=udp action=accept comment="UDP" disabled=no 
add chain=guest-network protocol=tcp dst-port=5190 action=accept comment="AIM" disabled=no 
add chain=guest-network protocol=tcp dst-port=443 action=accept comment="SSL" disabled=no 
add chain=guest-network protocol=tcp dst-port=1863 action=accept comment="MSN Messenger" disabled=no 
add chain=guest-network protocol=tcp dst-port=6891-6901 action=accept comment="MSN Messenger" disabled=no
add chain=guest-network protocol=tcp dst-port=143 action=accept comment="IMAP" disabled=no 
add chain=guest-network protocol=tcp dst-port=993 action=accept comment="IMAP-SSL" disabled=no 
add chain=guest-network action=log log-prefix="Guest Chain" comment="Log Dropped Packets" disabled=no 
add chain=guest-network action=drop comment="Drop Everything" disabled=no 
That will only allow those specified ports to be used on the guest network.. If you want to allow all outgoing connections, but block any incoming it would look something like this...
add chain=customer connection-state=invalid action=drop comment="Drop Invalid" disabled=no 
add chain=customer connection-state=established action=accept comment="Accept Established" disabled=no 
add chain=customer connection-state=related action=accept comment="Accept Related" disabled=no 
add chain=customer in-interface="LAN" out-interface=WAN action=accept comment="Accept Outgoing Connections" \
    disabled=no 
add chain=customer action=log log-prefix="Customer Chain" comment="Log Dropped" disabled=no 
add chain=customer action=drop comment="Drop and log everything else" disabled=no 
If you don't have the "accept established" and "accept related" your clients for example would be able to send packets out on port 80 but the packets returning would be dropped because they're coming back on a dynamic port that isn't allowed in the firewall...

Posted: Mon Oct 31, 2005 3:31 am
by jager
I think that simply dropping all traffic on ports 135,137,138,139,445 (tcp and udp) will do the job :)

Posted: Mon Oct 31, 2005 6:02 pm
by larmaid
thanx a million @wildbill442 n @jager.....!
the script works....... :D

Posted: Mon Oct 31, 2005 11:30 pm
by larmaid
@wildbill442 >

1. chain=forward ; connect-state=invalid ; action=drop
2. chain=forward ; in-interface=wan ; connect-state=established ; action=accept
3. chain=forward ; in-interface=wan ; connct-state=invalid ; action=accept
4. chain=forward ; protocol=tcp ; dst-port=80 ; in-interface=lan ; out-interface=wan ; src-address=x.x.x.x/x ; action=accept
5. chain=forward ; in-interface=lan ; out-interface=wan ; action=accept
6. chain=forward ; action=drop
7. chain=dst-nat ; protocol=tcp ; dst-port=80 ; in-interface=wan ; action=redirect ; to-port=8080(proxy)

port 80 still wont work.....something wrong.....!
:(

Posted: Tue Nov 01, 2005 1:45 am
by nowoxi
well i can see you have everything all joggled up. you see, the way the table works is: if a packet comes in through a particular port, the header and a few other things are compared with each rule in the table, and once one rule is carried out it wont go to the next rule, thats the end of it, another packet is picked, and if no rule corresponds then it takes the default policy of the chain.
so looking at what you have there
  • line 3 is useless cos you already dropped everything invalid in 1
    then the spelling in 3 is even wrong
    then you have to accept both related and established coming from both sides of the network, which u didnt do.
yeah also on line 4 make the in-interface the internal interface and vice versa
then following the theory i put up, 4 n 5 have conflicting interests (there is no need for 1 of them), then i dont think ur data is flowing in the right direction (correct with previous direction)


i think u should get it working after that. ps i need help with hotspot
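An added example (not from the thread and not RouterOS code) that ties together wildbill442's point about return traffic and nowoxi's description of first-match evaluation: a toy Python model of a forward chain. Packet addresses, ports and the two rule sets are constructed for the demo; "related" and "invalid" states are not modelled.

```python
# Added example, not from the thread: a toy first-match evaluator for a MikroTik-style
# "forward" chain. It models only what the thread discusses: first matching rule wins,
# "dst-port=!80" negation, and a connection-state check for the server's reply packet.
from collections import namedtuple
from typing import Dict, List, Tuple
Packet = namedtuple("Packet", "proto src dst sport dport in_iface")
Rule = Dict[str, str]   # keys: action, proto, dport ("80" or "!80"), conn_state, in_iface

class ForwardChain:
    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.conns = set()          # 5-tuples of packets already accepted

    def state(self, p: Packet) -> str:
        # Reply to an accepted packet is "established"; related/invalid are not modelled.
        rev = (p.proto, p.dst, p.dport, p.src, p.sport)
        return "established" if rev in self.conns else "new"

    def matches(self, r: Rule, p: Packet, st: str) -> bool:
        if r.get("proto", p.proto) != p.proto: return False
        if r.get("in_iface", p.in_iface) != p.in_iface: return False
        if r.get("conn_state", st) != st: return False
        dp = r.get("dport")
        if dp and (p.dport == int(dp.lstrip("!"))) == dp.startswith("!"):
            return False            # "!80" matches every port except 80
        return True

    def filter(self, p: Packet) -> str:
        st = self.state(p)
        # first matching rule decides, as nowoxi describes; chain default is accept
        action = next((r["action"] for r in self.rules if self.matches(r, p, st)), "accept")
        if action == "accept":
            self.conns.add((p.proto, p.src, p.sport, p.dst, p.dport))
        return action

def browse(rules: List[Rule]) -> Tuple[str, str]:
    # Constructed traffic: LAN client 10.10.1.5 opens TCP 80 on 203.0.113.10 from
    # ephemeral port 51234; the server's reply comes back to dst-port 51234, not 80.
    fw = ForwardChain(rules)
    out = Packet("tcp", "10.10.1.5", "203.0.113.10", 51234, 80, "lan")
    back = Packet("tcp", "203.0.113.10", "10.10.1.5", 80, 51234, "wan")
    return fw.filter(out), fw.filter(back)

# larmaid's lone rule, versus the shape of wildbill442's guest chain (state accepts first)
DROP_ONLY = [{"action": "drop", "proto": "tcp", "dport": "!80"}]
WITH_STATE = [{"action": "drop", "conn_state": "invalid"},
              {"action": "accept", "conn_state": "established"},
              {"action": "accept", "conn_state": "related"},
              {"action": "accept", "proto": "tcp", "dport": "80"},
              {"action": "drop"}]
```

With DROP_ONLY the outgoing request passes but the reply is dropped because its destination port is the client's ephemeral port; with WITH_STATE the reply is accepted by the established rule before the port rules are reached.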

Posted: Tue Nov 01, 2005 4:34 pm
by larmaid
@nowoxi im sorry my script should be like this.....:

1. chain=forward ; connect-state=invalid ; action=drop
2. chain=forward ; in-interface=wan ; connect-state=established ; action=accept
3. chain=forward ; in-interface=wan ; connct-state=related ; action=accept
4. chain=forward ; protocol=tcp ; dst-port=80 ; src-address=x.x.x.x/x ; action=accept
5. chain=forward ; in-interface=lan ; out-interface=wan ; action=accept
6. chain=forward ; action=drop
7. chain=dst-nat ; protocol=tcp ; dst-port=80 ; in-interface=wan ; action=redirect ; to-port=8080(proxy)

@5 my in-interface is my local network....!

still port 80 drop....!
:( :(

Posted: Tue Nov 01, 2005 6:56 pm
by nowoxi
well i think the problem is that you should accept established and related connections in all directions. i think its dropping replies to connections made to 8080. so if u accept related and established in both directions the problem should be solved

2. chain=forward ; connect-state=established ; action=accept
3. chain=forward ; connct-state=related ; action=accept

that should be ur new line 2 n 3

Posted: Tue Nov 01, 2005 8:01 pm
by wildbill442
well i think the problem is that you should accept established and related connections in all directions. i think its dropping replies to connections made to 8080. so if u accept related and established in both directions the problem should be solved

2. chain=forward ; connect-state=established ; action=accept
3. chain=forward ; connct-state=related ; action=accept

that should be ur new line 2 n 3
Yeah you do not need to specify the interface..

You could've just copy and pasted the rules i had on there to your router (as long as your using 2.9.x) and then just added this rule to the forward chain:
add chain=forward action=jump jump-target=customer comment="Jump to customer chain"
Or rename the chains to whatever you'd like.

ALSO MAKE SURE YOU TAKE NOTE...

where ever I specified an interface make sure that the interface name matches the interface you're trying to apply the rule to, otherwise you'll get an error, or the rule just wont do anything.

Oh, another thing, why are you redirecting incoming port 80 traffic (from the WAN) to your proxy server? Shouldn't it be the other way around ?

Do this first.. disable the proxy server and related rules for now, get the firewall working and test it make sure you can make a connection on the ports you need (80 and whatever else) THEN once you've verified that everything is working without the proxy, enable it and then test...

You've got too many things going on which is going to make it difficult to troubleshoot and figure out the root cause of your problems...

Posted: Tue Nov 01, 2005 9:02 pm
by larmaid
okay i did like this:

1. chain=forward ; connect-state=invalid ; action=drop
2. chain=forward ; connect-state=established ; action=accept
3. chain=forward ; connct-state=related ; action=accept
4. chain=forward ; protocol=tcp ; dst-port=!80 ; src-address=x.x.x.x/x ; action=drop
5. chain=forward ; action=add src to address list ; address list=…. ; timeout=00:00:01
6. chain=dst-nat ; protocol=tcp ; dst-port=80 ; in-interface=wan ; action=redirect ; to-port=8080(proxy)

in proxy:
src-address=x.x.x.x/x ; dst-port=80 ; action=allow
src-address=x.x.x.x/x ; action=deny

and i dont know its working very well, all ip that r not specified in proxy will be blocked by mikrotik httpProxy...!

Posted: Tue Nov 01, 2005 10:32 pm
by wildbill442
So its working or you're still having problems? I didn't quite understand your last post...

Posted: Tue Nov 01, 2005 10:37 pm
by larmaid
i mean its 100% working....!
no problem until now....!
my question is why i cant just drop all other ports instead of moving to src-address-list.....!
makes me so confused..... :evil:

Posted: Wed Nov 02, 2005 5:04 pm
by nowoxi
i also didnt understand ur last post. then line 4 on the post before the last is either useless if ur policy is drop (then u dont need it), and if its not, its better u perform drops at the end of the script, not before the end, so u dont get undesired effects

NEED HELP WITH HOTSPOTS. IF YOU KNOW AN ARTICLE OR TUTORIAL, I NEED TO KNOW ITS CAPABILITIES AND USES.

Posted: Thu Nov 03, 2005 11:21 am
by larmaid
okay nowoxis what is ur problem ill try to crack it...!