Complete and updated firewall script!
Friends... I don't know if what I'm about to propose already exists... at least I couldn't find it...
Could we leave a pinned post here with a complete firewall script... for those who just want to copy and paste?
I say this because I use the script from the course I took with the crazy guys at Mikrotik Brasil (S, E and M), and from them I brought home a complete firewall... with drops for invalid connections... accepts for related and established ones... knock knock knocking on heaven's door... blocking of SSH attacks, viruses... etc... etc...
With all that ready... I thought I had everything... but talking to another crazy guy... (this one really is crazy...) he said my firewall is still very incomplete... a lot was missing... and he even offered... to complete it next week... He's a "maluco beleza"... He also likes to contribute... good people...
Meanwhile, at the Hall of Justice...
Holy smokes, Batman... how can we put together a complete script and make it available to everyone?
Simple... let's go to the Underlinux community, Robin!
Well...
I'll post the script with the rules disabled... because every case is different...
But my goal here is to arrive at a single firewall, complete and functional for everyone.
So please... contribute...
Note: as I said, my firewall isn't really mine... I copied it from the course and added other things I found right here on the forum.
Thanks to everyone,
/ip firewall filter
add action=drop chain=input comment="Descarta invalidas" connection-state=\
invalid disabled=yes
add action=add-src-to-address-list address-list=temp1 address-list-timeout=\
15s chain=input comment="" disabled=yes dst-port=1111 protocol=tcp
add action=add-src-to-address-list address-list=temp2 address-list-timeout=\
15s chain=input comment="" disabled=yes dst-port=2222 protocol=tcp \
src-address-list=temp1
add action=add-src-to-address-list address-list=liberado \
address-list-timeout=2h chain=input comment="" disabled=yes dst-port=3333 \
protocol=tcp src-address-list=temp2
add action=add-src-to-address-list address-list=bloqueado-por-SSH \
address-list-timeout=1d chain=input comment="" disabled=yes dst-port=22 \
protocol=tcp src-address=!10.0.0.200
add action=add-src-to-address-list address-list=bloqueado-por-telnet \
address-list-timeout=1d chain=input comment="" disabled=yes dst-port=23 \
protocol=tcp src-address=!10.0.0.200
add action=accept chain=input comment="Aceita winbox da lista liberado" \
disabled=yes dst-port=8291 protocol=tcp src-address-list=liberado
add action=drop chain=input comment="nega acesso winbox" disabled=yes \
dst-port=8291 protocol=tcp
add action=jump chain=input comment="Salta para canal icmp" disabled=yes \
jump-target=ICMP protocol=icmp
add action=accept chain=input comment="Aceita pings 1/segundo" disabled=yes \
in-interface=ether2 limit=1,3 protocol=icmp
add action=drop chain=input comment="Descarta restante pings" disabled=yes \
in-interface=ether2 protocol=icmp
add action=jump chain=input comment="Salta para o canal virus" disabled=yes \
jump-target=VIRUS
add action=accept chain=input comment="Aceita estabelecidas" \
connection-state=established disabled=yes
add action=accept chain=input comment="Aceita relacionadas" connection-state=\
related disabled=yes
add action=accept chain=input comment="Aceita redes internas" disabled=yes \
in-interface=!wlan1
add action=accept chain=input comment="Aceita winbox Externo" disabled=yes \
dst-port=8291 in-interface=ether2 protocol=tcp
add action=accept chain=input comment="Aceita SSH" disabled=yes dst-port=22 \
protocol=tcp
add action=accept chain=input comment="Aceita telnet" disabled=yes dst-port=\
23 protocol=tcp
add action=drop chain=input comment="Descarta Restante" disabled=yes
add action=drop chain=forward comment="Descarta Invalidas" connection-state=\
invalid disabled=yes
add action=drop chain=forward comment="" disabled=yes src-address-list=\
bloqueado-por-telnet
add action=jump chain=forward comment="Salta para canal icmp" disabled=yes \
jump-target=ICMP
add action=jump chain=forward comment="Salta para o canal virus" disabled=yes \
jump-target=VIRUS
add action=accept chain=forward comment="Aceita estabelecidas" \
connection-state=established disabled=yes
add action=accept chain=forward comment="Aceita relacionadas" \
connection-state=related disabled=yes
add action=drop chain=VIRUS comment="" disabled=yes protocol=tcp src-port=445
add action=drop chain=VIRUS comment="" disabled=yes dst-port=445 protocol=tcp
add action=drop chain=VIRUS comment="Drop Blaster Worm" disabled=yes \
protocol=udp src-port=445
add action=drop chain=VIRUS comment="Drop Blaster Worm" disabled=yes \
dst-port=445 protocol=udp
add action=drop chain=VIRUS comment="" disabled=yes protocol=tcp src-port=\
135-139
add action=drop chain=VIRUS comment="" disabled=yes protocol=udp src-port=\
135-139
add action=drop chain=VIRUS comment="" disabled=yes dst-port=135-139 \
protocol=tcp
add action=drop chain=VIRUS comment="" disabled=yes dst-port=135-139 \
protocol=udp
add action=drop chain=VIRUS comment=________ disabled=yes dst-port=593 \
protocol=tcp
add action=drop chain=VIRUS comment=________ disabled=yes dst-port=1024-1030 \
protocol=tcp
add action=drop chain=VIRUS comment="Drop MyDoom" disabled=yes dst-port=1080 \
protocol=tcp
add action=drop chain=VIRUS comment=________ disabled=yes dst-port=1214 \
protocol=tcp
add action=drop chain=VIRUS comment="ndm requester" disabled=yes dst-port=\
1363 protocol=tcp
add action=drop chain=VIRUS comment="ndm server" disabled=yes dst-port=1364 \
protocol=tcp
add action=drop chain=VIRUS comment="screen cast" disabled=yes dst-port=1368 \
protocol=tcp
add action=drop chain=VIRUS comment=hromgrafx disabled=yes dst-port=1373 \
protocol=tcp
add action=drop chain=VIRUS comment=cichlid disabled=yes dst-port=1377 \
protocol=tcp
add action=drop chain=VIRUS comment="Bagle VIRUS" disabled=yes dst-port=2745 \
protocol=tcp
add action=drop chain=VIRUS comment="Drop Dumaru.Y" disabled=yes dst-port=\
2283 protocol=tcp
add action=drop chain=VIRUS comment="Drop Beagle" disabled=yes dst-port=2535 \
protocol=tcp
add action=drop chain=VIRUS comment="Drop Beagle.C-K" disabled=yes dst-port=\
2745 protocol=tcp
add action=drop chain=VIRUS comment="Drop MyDoom" disabled=yes dst-port=3127 \
protocol=tcp
add action=drop chain=VIRUS comment="Drop Backdoor OptixPro" disabled=yes \
dst-port=3410 protocol=tcp
add action=drop chain=VIRUS comment=Worm disabled=yes dst-port=4444 protocol=\
tcp
add action=drop chain=VIRUS comment=Worm disabled=yes dst-port=4444 protocol=\
udp
add action=drop chain=VIRUS comment="Drop Sasser" disabled=yes dst-port=5554 \
protocol=tcp
add action=drop chain=VIRUS comment="Drop Beagle.B" disabled=yes dst-port=\
8866 protocol=tcp
add action=drop chain=VIRUS comment="Drop Dabber.A-B" disabled=yes dst-port=\
9898 protocol=tcp
add action=drop chain=VIRUS comment="Drop Dumaru.Y" disabled=yes dst-port=\
10000 protocol=tcp
add action=drop chain=VIRUS comment="Drop MyDoom.B" disabled=yes dst-port=\
10080 protocol=tcp
add action=drop chain=VIRUS comment="Drop NetBus" disabled=yes dst-port=12345 \
protocol=tcp
add action=drop chain=VIRUS comment="Drop Kuang2" disabled=yes dst-port=17300 \
protocol=tcp
add action=drop chain=VIRUS comment="Drop SubSeven" disabled=yes dst-port=\
27374 protocol=tcp
add action=drop chain=VIRUS comment="Drop PhatBot, Agobot, Gaobot" disabled=\
yes dst-port=65506 protocol=tcp
add action=drop chain=VIRUS comment="" disabled=yes dst-port=513 protocol=tcp
add action=drop chain=VIRUS comment="" disabled=yes dst-port=513 protocol=udp
add action=drop chain=VIRUS comment="" disabled=yes dst-port=525 protocol=tcp
add action=drop chain=VIRUS comment="" disabled=yes dst-port=525 protocol=udp
add action=drop chain=VIRUS comment="" disabled=yes dst-port=568-569 \
protocol=tcp
add action=drop chain=VIRUS comment="" disabled=yes dst-port=568-569 \
protocol=udp
add action=drop chain=VIRUS comment="" disabled=yes dst-port=1512 protocol=\
tcp
add action=drop chain=VIRUS comment="" disabled=yes dst-port=1512 protocol=\
udp
add action=drop chain=VIRUS comment="" disabled=yes dst-port=396 protocol=tcp
add action=drop chain=VIRUS comment="" disabled=yes dst-port=396 protocol=udp
add action=drop chain=VIRUS comment="" disabled=yes dst-port=1366 protocol=\
tcp
add action=drop chain=VIRUS comment="" disabled=yes dst-port=1366 protocol=\
udp
add action=drop chain=VIRUS comment="" disabled=yes dst-port=1416 protocol=\
tcp
add action=drop chain=VIRUS comment="" disabled=yes dst-port=1416 protocol=\
udp
add action=drop chain=VIRUS comment="" disabled=yes dst-port=201-209 \
protocol=tcp
add action=drop chain=VIRUS comment="" disabled=yes dst-port=201-209 \
protocol=udp
add action=drop chain=VIRUS comment="" disabled=yes dst-port=545 protocol=tcp
add action=drop chain=VIRUS comment="" disabled=yes dst-port=545 protocol=udp
add action=drop chain=VIRUS comment="" disabled=yes dst-port=1381 protocol=\
udp
add action=drop chain=VIRUS comment="" disabled=yes dst-port=1381 protocol=\
tcp
add action=drop chain=VIRUS comment="" disabled=yes dst-port=3031 protocol=\
tcp
add action=drop chain=VIRUS comment="" disabled=yes dst-port=3031 protocol=\
udp
add action=accept chain=ICMP comment="" disabled=yes icmp-options=0:0 \
protocol=icmp
add action=accept chain=ICMP comment="" disabled=yes icmp-options=8:0 \
protocol=icmp
add action=accept chain=ICMP comment="" disabled=yes icmp-options=11:0 \
protocol=icmp
add action=accept chain=ICMP comment="" disabled=yes icmp-options=3:3 \
protocol=icmp
add action=accept chain=ICMP comment="" disabled=yes icmp-options=3:4 \
protocol=icmp
add action=drop chain=ICMP comment="" disabled=yes protocol=icmp
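Added example (not the post's own script, and not RouterOS code): a small Python first-match simulator of the input chain above, holding the port-knock rules (temp1 -> temp2 -> liberado), the two winbox rules, the SSH accept and the final drop in the order they appear, to show how the knock sequence gates winbox (8291) and how the "Aceita winbox Externo" accept can never match because the unconditional 8291 drop sits above it. Assumptions: address-list timeouts are ignored, the source addresses are constructed, and a packet matching no rule is accepted (the RouterOS default).

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    action: str  # "accept", "drop" or "list" (add-src-to-address-list, passthrough)
    port: Optional[int] = None  # dst-port to match; None matches any port
    src_list: Optional[str] = None  # src-address-list to match; None matches any source
    add_to: Optional[str] = None  # address list to add the source to (action "list")

# Input-chain rules from the post, in their original order (list timeouts ignored).
INPUT_CHAIN = [
    Rule("list", port=1111, add_to="temp1"),                       # knock 1
    Rule("list", port=2222, src_list="temp1", add_to="temp2"),     # knock 2
    Rule("list", port=3333, src_list="temp2", add_to="liberado"),  # knock 3
    Rule("accept", port=8291, src_list="liberado"),  # Aceita winbox da lista liberado
    Rule("drop", port=8291),                         # nega acesso winbox
    Rule("accept", port=8291),                       # Aceita winbox Externo (shadowed)
    Rule("accept", port=22),                         # Aceita SSH
    Rule("drop"),                                    # Descarta Restante
]
SRC = "203.0.113.5"  # constructed external address used for the knock demo

def evaluate(rules, src, port, lists, hits):
    """First-match walk of a chain: 'list' rules pass through, accept/drop terminate."""
    for i, r in enumerate(rules):
        if r.port is not None and r.port != port:
            continue
        if r.src_list is not None and src not in lists.get(r.src_list, set()):
            continue
        hits[i] = hits.get(i, 0) + 1
        if r.action == "list":
            lists.setdefault(r.add_to, set()).add(src)
            continue
        return r.action
    return "accept"  # RouterOS default policy when no rule in the chain matches

def knock_and_connect(knocks):
    """Send the knock ports in the given order from SRC, then try winbox (8291)."""
    lists, hits = {}, {}
    for p in knocks:
        evaluate(INPUT_CHAIN, SRC, p, lists, hits)
    return evaluate(INPUT_CHAIN, SRC, 8291, lists, hits)

def never_hit(rules, probes):
    """Indexes of rules that no (src, port) probe reached: shadowed or dead rules."""
    lists, hits = {}, {}
    for src, port in probes:
        evaluate(rules, src, port, lists, hits)
    return [i for i in range(len(rules)) if i not in hits]
```

With knocks [1111, 2222, 3333] the final 8291 packet is accepted; with no knocks, or knocks out of order, it is dropped, and never_hit over a probe set covering every port reports index 5, the external winbox accept.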
You sound like Raul Seixas before he wrote "Maluco Beleza"...
I agree with you!!!
Yes! There is a perfect firewall!!!
The Hotspot rules come in before the rules you already have; as soon as you disable the hotspot they disappear, and that is the only reason they are DYNAMIC. Let me give you a BIG TIP: "Have you ever stopped to analyze the hotspot's firewall rules?" Those dynamic ones that appear and disappear together with the hotspot... well, they are perfect!!!!!
Beware of those who teach in parts!!!! It is the student who has to learn in parts, according to their mental and emotional capacity; the instructor has to teach EVERYTHING!
I'll post one here that is for a client who is in a totally "secure" environment, inside a "walled garden"; it's a mess, but for that guy it's perfect... :
/ ip firewall mangle
add chain=prerouting p2p=all-p2p action=mark-connection new-connection-mark=P2P-CONECTION passthrough=yes \
comment=";;;;;;;;;;;;;;;;;;; CONTROLE P2P" disabled=no
add chain=prerouting connection-mark=P2P-CONECTION action=mark-packet new-packet-mark=P2P-PACK passthrough=yes \
comment="" disabled=no
add chain=forward src-address=192.168.2.0/24 protocol=tcp dst-port=21 action=mark-packet new-packet-mark=semlimite \
passthrough=yes comment=";;;;;;;;;;;;;;;;;;; Marcando Pacotes Sem Limite Conexao" disabled=no
add chain=forward src-address=192.168.2.0/24 protocol=tcp dst-port=22 action=mark-packet new-packet-mark=semlimite \
passthrough=yes comment="" disabled=no
add chain=forward src-address=192.168.2.0/24 protocol=tcp dst-port=23 action=mark-packet new-packet-mark=semlimite \
passthrough=yes comment="" disabled=no
add chain=forward src-address=192.168.2.0/24 protocol=tcp dst-port=25 action=mark-packet new-packet-mark=semlimite \
passthrough=yes comment="" disabled=no
add chain=forward src-address=192.168.2.0/24 protocol=tcp dst-port=53 action=mark-packet new-packet-mark=semlimite \
passthrough=yes comment="" disabled=no
add chain=forward src-address=192.168.2.0/24 protocol=tcp dst-port=110 action=mark-packet new-packet-mark=semlimite \
passthrough=yes comment="" disabled=no
add chain=forward src-address=192.168.2.0/24 protocol=tcp dst-port=443 action=mark-packet new-packet-mark=semlimite \
passthrough=yes comment="" disabled=no
add chain=forward src-address=192.168.2.0/24 protocol=tcp dst-port=8080 action=mark-packet new-packet-mark=semlimite \
passthrough=yes comment="" disabled=no
add chain=forward src-address=192.168.2.0/24 protocol=tcp dst-port=6891-6901 action=mark-packet \
new-packet-mark=semlimite passthrough=yes comment="" disabled=no
add chain=output protocol=tcp src-port=6688 content="X-Cache: HIT" action=mark-connection \
new-connection-mark=conn_squid_up passthrough=yes comment=";;;;;;;;;;;; Marca conexão Web-Proxy Cache" disabled=no
add chain=output connection-mark=conn_squid_up action=mark-packet new-packet-mark=pack_squid_up passthrough=yes \
comment="" disabled=no
add chain=prerouting protocol=tcp dst-port=6688 action=mark-connection new-connection-mark=conn_squid_down \
passthrough=yes comment="" disabled=no
add chain=prerouting connection-mark=conn_squid_down action=mark-packet new-packet-mark=pack_squid_down passthrough=yes \
comment="" disabled=no
add chain=prerouting content=youtube action=mark-connection new-connection-mark=YTB passthrough=yes \
comment=";;;;;;;;;;;;;;;;;; YOUTUBE" disabled=no
add chain=prerouting connection-mark=YTB action=mark-packet new-packet-mark=youtube passthrough=yes comment="" \
disabled=no
add chain=forward src-address=192.168.2.103 protocol=udp src-port=44155-44156 action=mark-packet \
new-packet-mark="limite uploadthais" passthrough=yes comment=";;;;;;;;;;;;;;;;;;;;;; WAREZ SANDRA THAIS 1" \
disabled=no
add chain=forward src-address=192.168.2.171 protocol=udp src-port=35551-35552 action=mark-packet \
new-packet-mark="limite uploaddavid" passthrough=yes comment=";;;;;;;;;;;;;;;;;;;;;; WAREZ SANDRA THAIS 1" \
disabled=no
/ ip firewall nat
add chain=dstnat in-interface=LAN src-address=192.168.2.0/24 protocol=tcp dst-port=80 action=redirect to-ports=6688 \
comment=";;; Redirecionamento do Web-Proxy" disabled=no
add chain=srcnat src-address=192.168.2.0/24 action=masquerade comment=";;;;;;;;;; NAT MASCARADO" disabled=no
/ ip firewall connection tracking
set enabled=yes tcp-syn-sent-timeout=5s tcp-syn-received-timeout=5s tcp-established-timeout=1d tcp-fin-wait-timeout=10s \
tcp-close-wait-timeout=10s tcp-last-ack-timeout=10s tcp-time-wait-timeout=10s tcp-close-timeout=10s udp-timeout=10s \
udp-stream-timeout=3m icmp-timeout=10s generic-timeout=10m tcp-syncookie=no
/ ip firewall filter
add chain=input in-interface=WAN protocol=tcp dst-port=6688 action=drop comment=";;; BLOQUEIA ACESSO EXTERNO AO PROXY" \
disabled=no
add chain=input protocol=tcp dst-port=6688 action=accept comment=";;;;;ACEITA ACESSO PROXY " disabled=no
add chain=input protocol=tcp action=accept comment="ACEITA TUDO" disabled=no
add chain=forward protocol=tcp action=accept comment="ACEITA TUDO" disabled=no
add chain=output protocol=tcp action=accept comment="ACEITA TUDO" disabled=no
add chain=forward connection-state=established action=accept comment=";;; permite estabelecer conexões" disabled=no
add chain=forward connection-state=related action=accept comment=";;; permitir conexões relacionadas" disabled=no
add chain=forward connection-state=invalid action=drop comment=";;; Bloqueia conexões inválidas" disabled=no
add chain=forward src-address=0.0.0.0/0 protocol=tcp tcp-flags=syn packet-mark=!semlimite connection-limit=9,32 \
action=drop comment="Limitando numero conexoes simultaneas" disabled=no
add chain=input protocol=icmp limit=50/5s,2 action=accept comment="aceitando 50 pings a cada 5 segundos" disabled=no
add chain=input protocol=icmp action=drop comment="bloqueando o excesso" disabled=no
add chain=input in-interface=WAN protocol=tcp dst-port=53 action=drop comment=";;;;;DROPA DNS EXTERNO" disabled=no
add chain=forward src-address=192.168.2.80-192.168.2.99 action=reject reject-with=icmp-net-prohibited comment="" \
disabled=no
add chain=input src-address=192.168.2.80-192.168.2.99 action=reject reject-with=icmp-net-prohibited comment="" \
disabled=no
/ ip firewall service-port
set ftp ports=21 disabled=no
set tftp ports=69 disabled=no
set irc ports=6667 disabled=no
set h323 disabled=no
set quake3 disabled=no
set gre disabled=no
set pptp disabled=no
Another very important thing...
IT'S NO USE ANALYZING THE FIREWALL FILTER WITHOUT THE MANGLE, THE NAT AND THE REST TOGETHER... I say this because you took care to post the filter, but not the mangle, the nat and the rest...
THE FIREWALL IS ONE THING! AND IT INSISTS ON WORKING ALL TOGETHER! lol...
Cheers!