MikroTik firewall rules
Hi everyone. For those of you who really know MikroTik, I need a review of the firewall I created for my network. I'd like you to take a look and tell me whether the rules are correct, or whether anything that's wrong needs to be changed. Thanks in advance.
Here is the whole firewall:
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s \
tcp-close-wait-timeout=10s tcp-established-timeout=1d \
tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s \
tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no \
tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
add action=accept chain=input comment="SSH WEBMIKROTIK" disabled=no dst-port=\
2222 protocol=tcp
add action=accept chain=input comment="conexoes de entrada estabilizadas" \
connection-state=established disabled=no
add action=accept chain=forward comment=";;; permite estabelecer conexoes" \
connection-state=established disabled=no
add action=accept chain=forward comment=";;; permitir conexões relacionadas" \
connection-state=related disabled=no
add action=accept chain=forward comment=";;; Allow HTTP" disabled=no \
dst-port=80 protocol=tcp
add action=accept chain=forward comment=";;; Allow SMTP" disabled=no \
dst-port=25 protocol=tcp
add action=accept chain=forward comment=";;; allow TCP" disabled=no protocol=\
tcp
add action=accept chain=forward comment=";;; allow ping" disabled=no \
protocol=icmp
add action=accept chain=forward comment=";;; allow udp" disabled=no protocol=\
udp
add action=accept chain=input comment="aceitando 50 pings a cada 5 segundos" \
disabled=no limit=50/5s,2 protocol=icmp
add action=accept chain=input comment="Aceita Rede Local" disabled=no \
src-address=192.168.10.0/24
add action=accept chain=input comment="allow ips radios" connection-state=\
established disabled=no src-address=10.1.230.0/24
add action=accept chain=input comment="Accept related " connection-state=\
related disabled=no protocol=tcp
add action=accept chain=input comment=winbox disabled=no dst-port=8291 \
protocol=tcp
add action=drop chain=input comment="Descarta invalidas" connection-state=\
invalid disabled=no
add action=drop chain=forward comment="Net Bios bloqueado" disabled=no \
dst-address=192.168.10.0/24 dst-port=137,138,139,445 protocol=tcp \
src-address=192.168.10.0/24 src-port=137,138,139,445
add action=drop chain=forward comment="bloqueio Net Bios UDP" disabled=no \
dst-address=192.168.10.0/24 dst-port=137,138,139,445 protocol=udp \
src-address=192.168.10.0/24 src-port=137,138,139,445
add action=drop chain=input comment="bloqueando o excesso" disabled=no \
protocol=icmp
add action=jump chain=forward comment=";;; jump to the virus chain" disabled=\
yes jump-target=virus
add action=accept chain=input comment="" disabled=no dst-port=2211 protocol=\
tcp
add action=drop chain=forward comment=";;; Bloqueia conexões inválidas" \
connection-state=invalid disabled=no
add action=drop chain=virus comment="One of the last TrojanOOTLT" disabled=no \
dst-port=5011 protocol=tcp
add action=accept chain=forward comment="" disabled=no
add action=drop chain=input comment="" disabled=no dst-port=22-23 protocol=\
tcp
add action=drop chain=input comment="BLOQ. PINGS NO SERV." disabled=no \
protocol=icmp
add action=drop chain=input comment=";;; Drop Blaster Worm" disabled=no \
dst-port=135-139 protocol=tcp
add action=drop chain=input comment=";;; Drop Messenger Worm" disabled=no \
dst-port=135-139 protocol=udp
add action=drop chain=input comment=";;; Drop Blaster Worm" disabled=no \
dst-port=445 protocol=tcp
add action=drop chain=input comment=";;; Drop Blaster Worm" disabled=no \
dst-port=445 protocol=udp
add action=drop chain=input comment=";;; ________" disabled=no dst-port=593 \
protocol=tcp
add action=drop chain=input comment=";;; ________" disabled=no dst-port=\
1024-1030 protocol=tcp
add action=drop chain=input comment=";;; Drop MyDoom" disabled=no dst-port=\
1080 protocol=tcp
add action=drop chain=input comment=";;; ________" disabled=no dst-port=1214 \
protocol=tcp
add action=drop chain=input comment=";;; ndm requester" disabled=no dst-port=\
1363 protocol=tcp
add action=drop chain=input comment=" ;;; ndm server" disabled=no dst-port=\
1364 protocol=tcp
add action=drop chain=input comment=";;; screen cast" disabled=no dst-port=\
1368 protocol=tcp
add action=drop chain=input comment=";;; hromgrafx" disabled=no dst-port=1373 \
protocol=tcp
add action=drop chain=input comment=";;; cichlid" disabled=no dst-port=1377 \
protocol=tcp
add action=drop chain=input comment=";;; Worm" disabled=no dst-port=1433-1434 \
protocol=tcp
add action=drop chain=input comment=";;; Bagle Virus" disabled=no dst-port=\
2745 protocol=tcp
add action=drop chain=input comment=";;; Drop Dumaru.Y" disabled=no dst-port=\
2283 protocol=tcp
add action=drop chain=input comment=";;; Drop Beagle" disabled=no dst-port=\
2535 protocol=tcp
add action=drop chain=input comment=";;; Drop Beagle.C-K" disabled=no \
dst-port=2745 protocol=tcp
add action=drop chain=input comment=";;; Drop MyDoom" disabled=no dst-port=\
3127-3128 protocol=tcp
add action=drop chain=input comment=";;; Drop Backdoor OptixPro" disabled=no \
dst-port=3410 protocol=tcp
add action=drop chain=input comment=";;; Worm" disabled=no dst-port=4444 \
protocol=tcp
add action=drop chain=input comment=";;; Worm" disabled=no dst-port=4444 \
protocol=udp
add action=drop chain=input comment=";;; Drop Sasser" disabled=no dst-port=\
5554 protocol=tcp
add action=drop chain=forward comment="netbios windows7" disabled=no \
dst-port=5357 protocol=tcp
add action=drop chain=input comment="Drop Beagle.B" disabled=no dst-port=8866 \
protocol=tcp
add action=drop chain=input comment=";;; Drop Dabber.A-B" disabled=no \
dst-port=9898 protocol=tcp
add action=drop chain=input comment=";;; Drop Dumaru.Y" disabled=no dst-port=\
10000 protocol=tcp
add action=drop chain=input comment=";;; Drop MyDoom.B" disabled=no dst-port=\
10080 protocol=tcp
add action=drop chain=input comment=";;; Drop NetBus" disabled=no dst-port=\
12345 protocol=tcp
add action=drop chain=input comment=";;; Drop Kuang2" disabled=no dst-port=\
17300 protocol=tcp
add action=drop chain=input comment=";;; Drop SubSeven" disabled=no dst-port=\
27374 protocol=tcp
add action=drop chain=input comment=";;; Drop PhatBot, Agobot, Gaobot" \
disabled=no dst-port=65506 protocol=tcp
add action=log chain=input comment="Log everything else" disabled=yes \
log-prefix="DROP INPUT"
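A quick way to check a filter export for rules that can never match because an earlier accept or drop in the same chain already catches everything they would. This is an added example written for this thread, not the poster's configuration or a RouterOS tool; it runs on a constructed excerpt of the forward chain above, where the ";;; allow TCP" accept precedes the TCP NetBIOS drops, so those drops are never reached.

```python
# Added example (not from the post or from RouterOS): find filter rules that an
# earlier accept/drop in the same chain makes unreachable.
import shlex

# Constructed excerpt of the poster's forward chain, order preserved.
EXPORT = r"""/ip firewall filter
add action=accept chain=forward comment=";;; allow TCP" disabled=no protocol=\
tcp
add action=drop chain=forward comment="Net Bios bloqueado" disabled=no \
dst-address=192.168.10.0/24 dst-port=137,138,139,445 protocol=tcp \
src-address=192.168.10.0/24 src-port=137,138,139,445
add action=drop chain=forward comment="bloqueio Net Bios UDP" disabled=no \
dst-address=192.168.10.0/24 dst-port=137,138,139,445 protocol=udp \
src-address=192.168.10.0/24 src-port=137,138,139,445
add action=accept chain=forward comment="" disabled=no
add action=drop chain=forward comment="netbios windows7" disabled=no \
dst-port=5357 protocol=tcp
"""

# Keys that do not take part in matching a packet.
NON_MATCHERS = {"action", "chain", "comment", "disabled", "log-prefix", "jump-target"}


def parse_rules(text):
    """Join backslash-continued lines, then turn each 'add ...' line into a dict."""
    return [dict(tok.split("=", 1) for tok in shlex.split(line)[1:])
            for line in text.replace("\\\n", "").splitlines() if line.startswith("add ")]


def matchers(rule):
    return {k: v for k, v in rule.items() if k not in NON_MATCHERS}


def find_shadowed(rules):
    """Return (later, earlier) index pairs where an enabled accept/drop rule matches a
    superset of a later rule in the same chain (exact key=value subset test only;
    port-range or subnet containment is not modelled)."""
    active = [(i, r) for i, r in enumerate(rules) if r.get("disabled") != "yes"]
    found = []
    for pos, (i, later) in enumerate(active):
        lm = matchers(later)
        for j, earlier in active[:pos]:
            if earlier["chain"] != later["chain"] or earlier["action"] not in ("accept", "drop"):
                continue
            if all(lm.get(k) == v for k, v in matchers(earlier).items()):
                found.append((i, j))
                break
    return found


def report(text):
    rules = parse_rules(text)
    return [f"rule {i} ({rules[i]['comment']}) never matches: rule {j} ({rules[j]['action']}) comes first"
            for i, j in find_shadowed(rules)]
```

Running `report(EXPORT)` flags both TCP drop rules as unreachable behind the "allow TCP" accept, while the UDP NetBIOS drop is not flagged because no earlier rule covers UDP.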
Re: MikroTik firewall rules
/ip firewall mangle
add action=accept chain=prerouting comment=WebMikrotik disabled=no \
dst-address=187.61.9.240/28
add action=mark-packet chain=prerouting comment=www disabled=no \
new-packet-mark=www_in passthrough=yes protocol=tcp src-port=80
add action=mark-packet chain=postrouting comment="" disabled=no dst-port=80 \
new-packet-mark=www_out passthrough=yes protocol=tcp
add action=mark-packet chain=prerouting comment=p2p disabled=no \
new-packet-mark=p2p_in p2p=all-p2p passthrough=yes
add action=mark-packet chain=postrouting comment="" disabled=no \
new-packet-mark=p2p_out p2p=all-p2p passthrough=yes
add action=mark-packet chain=prerouting comment=dns disabled=no \
new-packet-mark=dns_in passthrough=yes protocol=tcp src-port=53
add action=mark-packet chain=postrouting comment="" disabled=no dst-port=53 \
new-packet-mark=dns_out passthrough=yes protocol=tcp
add action=mark-packet chain=prerouting comment="" disabled=no \
new-packet-mark=dns_in passthrough=yes protocol=udp src-port=53
add action=mark-packet chain=postrouting comment="" disabled=no dst-port=53 \
new-packet-mark=dns_out passthrough=yes protocol=udp
add action=mark-connection chain=prerouting comment="CONTROLE MESSENGER" \
disabled=no dst-port=1863 new-connection-mark=Messenger-Conexao \
passthrough=yes protocol=tcp
add action=mark-connection chain=prerouting comment="" disabled=no dst-port=\
1863 new-connection-mark=Messenger-Conexao passthrough=yes protocol=udp
add action=mark-connection chain=prerouting comment="" disabled=no dst-port=\
6891-6901 new-connection-mark=Messenger-Conexao passthrough=yes protocol=\
tcp
add action=mark-connection chain=prerouting comment="" disabled=no dst-port=\
6891-6901 new-connection-mark=Messenger-Conexao passthrough=yes protocol=\
udp
add action=mark-connection chain=prerouting comment="" disabled=no dst-port=\
5190 new-connection-mark=Messenger-Conexao passthrough=yes protocol=udp
add action=mark-packet chain=prerouting comment="" connection-mark=\
Messenger-Conexao disabled=no new-packet-mark=Messenger-Pacotes \
passthrough=no
add action=mark-connection chain=prerouting comment="CONTROLE ACESSO REMOTO" \
disabled=no dst-port=2222 new-connection-mark=Acesso-Remoto-Conexao \
passthrough=yes protocol=tcp
add action=mark-connection chain=prerouting comment="" disabled=no dst-port=\
23 new-connection-mark=Acesso-Remoto-Conexao passthrough=yes protocol=tcp
add action=mark-connection chain=prerouting comment="Terminal Server" \
disabled=no dst-port=3389 new-connection-mark=Acesso-Remoto-Conexao \
passthrough=yes protocol=tcp
add action=mark-connection chain=prerouting comment=VNC disabled=no dst-port=\
5800 new-connection-mark=Acesso-Remoto-Conexao passthrough=yes protocol=\
tcp
add action=mark-connection chain=prerouting comment="" disabled=no dst-port=\
5900 new-connection-mark=Acesso-Remoto-Conexao passthrough=yes protocol=\
tcp
add action=mark-connection chain=prerouting comment=Winbox disabled=no \
dst-port=8291 new-connection-mark=Acesso-Remoto-Conexao passthrough=yes \
protocol=tcp
add action=mark-packet chain=prerouting comment="" connection-mark=\
Acesso-Remoto-Conexao disabled=no new-packet-mark=Acesso-Remoto-Pacotes \
passthrough=no
add action=mark-connection chain=prerouting comment=\
"CONTROLE BANCO DE DADOS - SQL" disabled=no dst-port=3306 \
new-connection-mark=Banco-Dados-Conexao passthrough=yes protocol=tcp
add action=mark-connection chain=prerouting comment=Oracle disabled=no \
dst-port=1521 new-connection-mark=Banco-Dados-Conexao passthrough=yes \
protocol=tcp
add action=mark-connection chain=prerouting comment="Microsoft SQL Server" \
disabled=no dst-port=1433-1434 new-connection-mark=Banco-Dados-Conexao \
passthrough=yes protocol=tcp
add action=mark-packet chain=prerouting comment="" connection-mark=\
Banco-Dados-Conexao disabled=no new-packet-mark=Banco-Dados-Pacotes \
passthrough=no
add action=mark-connection chain=prerouting comment="CONTROLE JOGOS" \
disabled=no dst-port=7171 new-connection-mark=Jogos-Conexao passthrough=\
yes protocol=tcp
add action=mark-connection chain=prerouting comment="" disabled=no dst-port=\
27015 new-connection-mark=Jogos-Conexao passthrough=yes protocol=tcp
add action=mark-connection chain=prerouting comment="Mu Online" disabled=no \
dst-port=55905 new-connection-mark=Jogos-Conexao passthrough=yes \
protocol=tcp
add action=mark-connection chain=prerouting comment="" disabled=no dst-port=\
55905 new-connection-mark=Jogos-Conexao passthrough=yes protocol=udp
add action=mark-connection chain=prerouting comment="Line Age" disabled=no \
dst-port=4376 new-connection-mark=Jogos-Conexao passthrough=yes protocol=\
tcp
add action=mark-connection chain=prerouting comment="" disabled=no dst-port=\
4376 new-connection-mark=Jogos-Conexao passthrough=yes protocol=udp
add action=mark-connection chain=prerouting comment=WarCraft disabled=no \
dst-port=6112 new-connection-mark=Jogos-Conexao passthrough=yes protocol=\
tcp
Re: MikroTik firewall rules
Ugh, that gave me a headache, and I don't understand anything about MikroTik anyway.
Re: MikroTik firewall rules
Man, it would be easier to post these settings as a Notepad file, because it's really hard to understand anything in this mess!!
Re: MikroTik firewall rules
OK friends, sorry about that! I'll fix it. Thanks.