mperdue
Member Candidate
Topic Author
Posts: 290
Joined: Wed Jun 30, 2004 8:18 pm

Simple Firewall question

Wed Jan 25, 2006 5:16 pm

On the MT site they list the following firewall rules to help protect your boxes.

/ip firewall rule input add connection-state=invalid action=drop \
comment="Drop invalid connections"
/ip firewall rule input add connection-state=established \
comment="Allow established connections"
/ip firewall rule input add connection-state=related \
comment="Allow related connections"
/ip firewall rule input add protocol=udp comment="Allow UDP"
/ip firewall rule input add protocol=icmp comment="Allow ICMP Ping"
/ip firewall rule input add src-address=10.0.0.0/24 \
comment="Allow access from our local network. Edit this!"
/ip firewall rule input add src-address=192.168.0.0/24 protocol=tcp dst-port=8080 \
comment="This is web proxy service for our customers. Edit this!"
/ip firewall rule input add action=drop log=yes \
comment="Log and drop everything else"


My question is as follows.

The command
/ip firewall rule input add src-address=10.0.0.0/24 \
comment="Allow access from our local network. Edit this!"

Do I edit and add each class C address that should go through this box? i.e. should the 10.0.0.0/24 be replaced with x.x.x.x/24, and one rule added for each class that is being sent through it?

Also, it talks about a web proxy... though I'm running HotSpot, I don't think I have a web proxy, so I just leave it out?

Also, if I make a mistake with the firewall rules, is there any way to have them reset to the previous state upon reboot or something? My unit is up on the tower, and it would be kind of hard to go plug into the console to turn the rule back off.

Thanks,
Michael
Hugh Hartman
Frequent Visitor
Posts: 92
Joined: Fri May 28, 2004 2:01 pm
Location: Fort Kent, Maine

Wed Jan 25, 2006 6:09 pm

You only edit the firewall rule to reflect the IP (or class) that you are allowing router access for configuration. Input rules apply to the router only.
I leave out web-proxy.
If you use safe mode, then you will erase the last 100 entries made in the current session, bringing you back to square one, should you get disconnected.
Keep in mind it takes 30-60 seconds before changes take place, so go slow.
Add/enable the allow rules first.
If you get locked out, use neighborviewer.exe to telnet in (layer 2), thus bypassing any firewall rules.
Regards, Hugh

I would suggest trying any changes on the bench, not in a production router, for the first time.
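To see what the quoted input chain does once Michael adds one "local network" rule per management subnet, here is an added first-match simulation in Python; it is not RouterOS code or anything posted in this thread, and it assumes the simplified semantics that rules are checked top to bottom and the first full match decides the packet.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Simplified first-match model of the v2.x "/ip firewall rule input" chain
# quoted in the question: rules are checked top to bottom and the first rule
# whose conditions all match decides the packet. Added illustration only,
# not RouterOS code; packets are plain dicts constructed by the caller.

@dataclass
class Rule:
    comment: str
    action: str = "accept"             # accept unless action=drop is given
    connection_state: Optional[str] = None
    protocol: Optional[str] = None
    src_address: Optional[str] = None  # CIDR such as "10.0.0.0/24"

    def matches(self, pkt: dict) -> bool:
        if self.connection_state and pkt["state"] != self.connection_state:
            return False
        if self.protocol and pkt["proto"] != self.protocol:
            return False
        if self.src_address and ipaddress.ip_address(pkt["src"]) not in \
                ipaddress.ip_network(self.src_address):
            return False
        return True

def build_chain(mgmt_subnets):
    # Rebuild the listed chain (web-proxy rule left out, as both posters do),
    # with one "local network" rule per subnet that may manage the router.
    chain = [
        Rule("Drop invalid connections", action="drop", connection_state="invalid"),
        Rule("Allow established connections", connection_state="established"),
        Rule("Allow related connections", connection_state="related"),
        Rule("Allow UDP", protocol="udp"),      # matches BEFORE the subnet rules
        Rule("Allow ICMP Ping", protocol="icmp"),
    ]
    chain += [Rule(f"Allow access from {s}", src_address=s) for s in mgmt_subnets]
    chain.append(Rule("Log and drop everything else", action="drop"))
    return chain

def verdict(chain, pkt):
    # Return (action, comment) of the first matching rule; the final catch-all
    # rule guarantees a match, the fallback mirrors it for an empty chain.
    for rule in chain:
        if rule.matches(pkt):
            return rule.action, rule.comment
    return "drop", "end of chain"
```

Running `verdict` on a new UDP packet from a source outside every listed subnet returns accept via "Allow UDP", so the "Edit this!" subnet rules only restrict TCP to the router; narrow that UDP rule if only specific services are meant to be reachable.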
