• Thursday, January 14, 2010

    Home Wireless Mikrotik Firewall configuration to make the Internet safe

    Mikrotik Firewall configuration to make the Internet safe

    Creating a simple proxy firewalls but powerful.
    Here for firewall management

    1. Brute forces of the filter

    / Ip firewall filter
    add chain = input protocol = tcp dst-port = 22 src-address-list = ssh_blacklist action = drop comment = "drop ssh brute forcers" disabled = no
    add chain = input protocol = tcp dst-port = 22 connection-state = new src-address-list = ssh_stage3 action = add-src-to-address-list address-list = ssh_blacklist \
    address-list-timeout = 1w3d comment = "" disabled = no
    add chain = input protocol = tcp dst-port = 22 connection-state = new src-address-list = ssh_stage2 action = add-src-to-address-list address-list = ssh_stage3 \
    address-list-timeout = 1m comment = "" disabled = no
    add chain = input protocol = tcp dst-port = 22 connection-state = new src-address-list = ssh_stage1 action = add-src-to-address-list address-list = ssh_stage2 \
    address-list-timeout = 1m comment = "" disabled = no
    add chain = input protocol = tcp dst-port = 22 connection-state = new action = add-src-to-address-list address-list = ssh_stage1 address-list-timeout = 1m comment = "" \
    disabled = no

    2. To filter port scaning
    / Ip firewall filter

    add chain = input protocol = tcp psd = 21.3 s, 3.1 action = add-src-to-address-list address-list = "port scanners" address-list-timeout = 2w comment = "Port scanners to list \
    "Disabled = no
    add chain = input protocol = tcp tcp-flags = fin,! syn,! RST,! psh,! ack,! urg action = add-src-to-address-list address-list = "port scanners" address-list - timeout = 2w \
    comment = "" disabled = no
    add chain = input protocol = tcp tcp-flags = fin, syn action = add-src-to-address-list address-list = "port scanners" address-list-timeout = 2w comment = "" disabled = no
    add chain = input protocol = tcp tcp-flags = syn, RST action = add-src-to-address-list address-list = "port scanners" address-list-timeout = 2w comment = "" disabled = no
    add chain = input protocol = tcp tcp-flags = fin, psh, urg,! syn,! RST,! ack action = add-src-to-address-list address-list = "port scanners" address-list-timeout = 2w \
    comment = "" disabled = no
    add chain = input protocol = tcp tcp-flags = fin, syn, RST, psh, ack, urg action = add-src-to-address-list address-list = "port scanners" address-list-timeout = 2w comment = "" \
    disabled = no
    add chain = input protocol = tcp tcp-flags =! fin,! syn,! RST,! psh,! ack,! urg action = add-src-to-address-list address-list = "port scanners" address-list -timeout = 2w \
    comment = "" disabled = no
    add chain = input src-address-list = "port scanners" action = drop comment = "" disabled = no

    3. To filter FTP port

    / Ip firewall filter

    add chain = input protocol = tcp dst-port = 21 src-address-list = ftp_blacklist action = drop comment = "Filter FTP to Box" disabled = no
    add chain = output protocol = tcp content = "530 Login incorrect" dst-limit = 1/1m, 9, dst-address/1m action = accept comment = "" disabled = no
    add chain = output protocol = tcp content = "530 Login incorrect" action = add-dst-to-address-list address-list = ftp_blacklist address-list-timeout = 3h comment = "" \
    disabled = no

    4. To separate packet flag

    / Ip firewall filter

    add chain = forward protocol = tcp action = jump jump-target = tcp comment = "Separated into Chains Protocol" disabled = no
    add chain = forward protocol = udp action = jump jump-target = udp comment = "" disabled = no
    add chain = forward protocol = icmp action = jump jump-target = icmp comment = "" disabled = no

    5. Blocking UDP traffic for the devil

    / Ip firewall filter
    add chain = udp protocol = udp dst-port = 69 action = drop comment = "Blocking UDP Packet" disabled = no
    add chain = udp protocol = udp dst-port = 111 action = drop comment = "" disabled = no
    add chain = udp protocol = udp dst-port = 135 action = drop comment = "" disabled = no
    add chain = udp protocol = udp dst-port = 137-139 action = drop comment = "" disabled = no
    add chain = tcp protocol = tcp dst-port = 2049 action = drop comment = "" disabled = no
    add chain = udp protocol = udp dst-port = 3133 action = drop comment = "" disabled = no

    6. Tcp blocking traffic for the devil

    / Ip firewall filter

    add chain = tcp protocol = tcp dst-port = 69 action = drop comment = "Bloking TCP Packet" disabled = no
    add chain = tcp protocol = tcp dst-port = 111 action = drop comment = "" disabled = no
    add chain = tcp protocol = tcp dst-port = 119 action = drop comment = "" disabled = no
    add chain = tcp protocol = tcp dst-port = 135 action = drop comment = "" disabled = no
    add chain = tcp protocol = tcp dst-port = 137-139 action = drop comment = "" disabled = no
    add chain = tcp protocol = tcp dst-port = 445 action = drop comment = "" disabled = no
    add chain = tcp protocol = tcp dst-port = 2049 action = drop comment = "" disabled = no
    add chain = tcp protocol = tcp dst-port = 12345-12346 action = drop comment = "" disabled = no
    add chain = tcp protocol = tcp dst-port = 20034 action = drop comment = "" disabled = no
    add chain = tcp protocol = tcp dst-port = 3133 action = drop comment = "" disabled = no
    add chain = tcp protocol = tcp dst-port = 67-68 action = drop comment = "" disabled = no

    7. To bukis mail traffic bloking

    / Ip firewall filter

    add chain = forward protocol = tcp dst-port = 25 action = drop comment = "Allow SMTP" disabled = no

    8. To create a filter DOS

    / Ip firewall filter

    add chain = icmp protocol = icmp icmp-options = 0:0-255 limit = 5.5 action = accept comment = "Ping Flood Limited" disabled = no
    add chain = icmp protocol = icmp icmp-options = 3:3 limit = 5.5 action = accept comment = "" disabled = no
    add chain = icmp protocol = icmp icmp-options = 3:4 limit = 5.5 action = accept comment = "" disabled = no
    add chain = icmp protocol = icmp icmp-options = 8:0-255 limit = 5.5 action = accept comment = "" disabled = no
    add chain = icmp protocol = icmp icmp-options = 11:0-255 limit = 5.5 action = accept comment = "" disabled = no
    add chain = icmp protocol = icmp action = drop comment = "" disabled = no

    9. To create a P2P connection fileter

    / Ip firewall filter

    add chain = forward p2p = all-p2p action = accept comment = "P2P traffic" disabled = no

    10. To create a filter mapping network access point

    / Ip firewall filter
    add chain = input dst-address-type = broadcast, multicast action = accept comment = "Allow Broadcast Traffic" disabled = no
    add chain = input src-address = 192.168.0.0/28 action = accept comment = "Allow access to router from known network" disabled = no
    add chain = input src-address = 192.168.1.0/24 action = accept comment = "" disabled = no
    add chain = input src-address = 192.168.2.0/30 action = accept comment = "" disabled = no
    add chain = input src-address = 125.162.0.0/16 action = accept comment = "" disabled = no

    11. To create a connection filter junk and the correct connection path

    / Ip firewall filter

    add chain = input connection-state = established action = accept comment = "Connection State" disabled = no
    add chain = input connection-state = related action = accept comment = "" disabled = no
    add chain = input connection-state = invalid action = drop comment = "" disabled = no
    Read more
    Diposkan oleh
    Label:

    5 comments:

    1. AnonymousMay 17, 2013 at 2:22 PM

      I am not capable of view this web site properly on saffari I
      feel there is a downside

      my homepage :: having Trouble getting pregnant

      ReplyDelete
    2. AnonymousJune 2, 2013 at 9:33 AM

      We tend to ignore this sort of thing, do we really care what happened in 'their day'.
      The most famous ones being the solitaires in prong
      settings. Like color, we can settle for impure diamonds because our normal, human eyes won't be able to see them.

      My site ... vintage style engagement rings

      ReplyDelete
    3. AnonymousJune 14, 2013 at 9:32 AM

      So as opposed to going through every one of the trouble of utilizing home tips it
      is usually best to use plastic flatware to nibble
      on such issues that are not best for other types of flatware.
      This will prevent scratching and also other damage whilst not in use.

      Red wine glasses tend to get shorter and rounder,
      white wine a bit taller and thinner.

      ReplyDelete
    4. AnonymousJune 14, 2013 at 10:34 AM

      This scaled-down, inexpensive unit is perfect for your home brewer as well.
      The people who review or assess the coffeemakers are all very knowledgeable concerning the coffee machines or are normally referred to as gurus
      inside field of coffee. A minute later you have a cup of freshly brewed coffee, with just a pod to throw away.


      My site: coffee maker *scuttlebutt360.com*

      ReplyDelete
    5. Pierre SUrmontJune 19, 2013 at 2:48 PM

      why authorizing all p2p and blocking all SMTP???

      ReplyDelete

    Subscribe to: Post Comments (Atom)
    semarang jawa tengah indonesia service keyboard service computer komputer kendal bali setting hotspot hacking password mysql protected username jasa setting jual beli
    bobol password phpmyadmin debian 5 lenny ubuntu server surabaya sumatera american inggris access point microtic MikroTik jawa barat yamaha roland casio korg technic floppy disk emulator usb www universal cara ganti broadcast editing wireless Wi-Fi handphone novel health facebook Sepeda Fixie Jual Beli Sepeda Fixie Rose Network Sepeda Fixie Murah Wimax Wimax Indonesia, Long time waktu lorong waktu facebook twitter

    Followers

    Created By Sora Templates | Distributed By Gooyaabi Templates