


  1. Well, here goes.
    I'm thinking of putting together a firewall list to block ports that are problematic because of viruses, or some other option...
    So, is it really worth it? I know there is a hardware cost, but does it really reduce link usage? If there is a reduction, is it significant? Does anyone have a list that can be used? I already have a list here, but I'm afraid it won't turn out well.
    Keep in mind that this is a network with more than 500 current clients, so the hardware cost of a list like this is significant.
    I already block NetBIOS, port scanners, DoS attacks and Ares; I also block SSH and Telnet access from outside the network, and the web and FTP services are disabled.


    By the way... TODAY IS FRIDAY... FINALLY...
    Last edited by cooperrj; 20-03-2009 at 09:47.

  2. Post the list here so people can take a look; that works better.



  3. I just want to know whether this kind of configuration is really worth it.
    I'm putting together a compilation and merging it with some rules I already had, things like blocking the NetBIOS protocol, a connection limit per client, etc...

  4. Quote: originally posted by cooperrj
    I just want to know whether this kind of configuration is really worth it.
    I'm putting together a compilation and merging it with some rules I already had, things like blocking the NetBIOS protocol, a connection limit per client, etc...
    /ip firewall filter
    add action=passthrough chain=pre-hs-input comment="place hotspot rules here" \
    disabled=no

    # External proxies: drop anything arriving from outside 192.168.0.0/16 with source port 3128.
    add action=drop chain=output comment="Drop external proxy" disabled=no \
    protocol=tcp src-address=!192.168.0.0/16 src-port=3128
    # As posted, the input rule below also carried icmp-options=8:0 limit=1,5; an ICMP
    # matcher on a protocol=tcp rule can never match, so those two matchers were removed.
    add action=drop chain=input comment="Drop external proxy" disabled=no \
    protocol=tcp src-address=!192.168.0.0/16 src-port=3128
    add action=drop chain=forward comment="Drop external proxy" disabled=no protocol=tcp \
    src-address=!192.168.0.0/16 src-port=3128
    add action=drop chain=forward comment="Invalid connections" \
    connection-state=invalid disabled=no
    # NetBIOS (135-140) between client subnets and to/from the router on the Cliente interface.
    add action=drop chain=forward comment="" disabled=no dst-address=\
    192.168.0.0/16 in-interface=Cliente out-interface=Cliente protocol=udp \
    src-address=192.168.0.0/16 src-port=135-140
    add action=drop chain=input comment="" disabled=no dst-address=192.168.0.0/16 \
    dst-port=135-140 in-interface=Cliente protocol=udp src-address=\
    192.168.0.0/16
    add action=drop chain=output comment="" disabled=no dst-address=\
    192.168.0.0/16 out-interface=Cliente protocol=tcp src-address=\
    192.168.0.0/16 src-port=135-140
    add action=drop chain=output comment="" disabled=no dst-address=\
    192.168.0.0/16 dst-port=135-140 out-interface=Cliente protocol=tcp \
    src-address=192.168.0.0/16
    add action=drop chain=output comment="" disabled=no dst-address=\
    192.168.0.0/16 dst-port=135-140 out-interface=Cliente protocol=udp \
    src-address=192.168.0.0/16
    # Jumps into the custom chains. The "virus" jump only carries TCP, so the virus chain
    # never sees UDP. The connection-mark=P2P-Conexao matchers below depend on a mangle
    # rule that sets that mark, which is not part of this post.
    add action=jump chain=forward comment="Ares" disabled=no jump-target=Ares \
    p2p=warez protocol=tcp
    add action=jump chain=forward comment="Jump to the new chains" \
    disabled=no jump-target=virus protocol=tcp
    add action=drop chain=forward comment="Drop P2P connections by time of day" \
    connection-mark=P2P-Conexao disabled=no p2p=all-p2p protocol=tcp time=\
    7h-23h59m,sun,mon,tue,wed,thu,fri,sat
    add action=drop chain=Ares comment="Block Ares by time of day" \
    connection-mark=P2P-Conexao disabled=no p2p=warez protocol=tcp time=\
    7h-23h59m,sun,mon,tue,wed,thu,fri,sat
    add action=drop chain=forward comment="" connection-mark=P2P-Conexao \
    disabled=no dst-port=0 protocol=udp
    add action=drop chain=forward comment="" connection-mark=P2P-Conexao \
    disabled=no p2p=blubster
    add action=drop chain=forward comment="" connection-mark=P2P-Conexao \
    disabled=no p2p=direct-connect
    # The posted list had this fasttrack rule twice; one copy is enough.
    add action=drop chain=forward comment="" disabled=no p2p=fasttrack
    add action=drop chain=forward comment="" connection-limit=10,32 \
    connection-mark=P2P-Conexao disabled=no limit=1,3 p2p=gnutella protocol=\
    tcp
    add action=drop chain=forward comment="" connection-limit=10,32 \
    connection-mark=P2P-Conexao connection-state=new disabled=no limit=1,3 \
    p2p=edonkey protocol=tcp
    add action=drop chain=forward comment="" connection-mark=P2P-Conexao \
    disabled=no p2p=bit-torrent
    add action=drop chain=forward comment="" connection-limit=10,32 \
    connection-mark=P2P-Conexao disabled=no limit=1,3 p2p=warez protocol=tcp
    add action=drop chain=forward comment="" connection-mark=P2P-Conexao \
    disabled=no p2p=winmx
    # Disabled as posted, so the input chain has no catch-all log and no catch-all drop.
    add action=log chain=input comment="Log everything else" disabled=yes \
    log-prefix="DROP INPUT"
    # NetBIOS 135-140 in both directions, forwarded and to the router.
    add action=drop chain=forward comment="Main blocks" disabled=no \
    protocol=tcp src-port=135-140
    add action=drop chain=forward comment="" disabled=no protocol=udp src-port=\
    135-140
    add action=drop chain=forward comment="" disabled=no dst-port=135-140 \
    protocol=tcp
    add action=drop chain=forward comment="" disabled=no dst-port=135-140 \
    protocol=udp
    add action=drop chain=input comment="" disabled=no protocol=udp src-port=\
    135-140
    add action=drop chain=input comment="" disabled=no dst-port=135-140 protocol=\
    tcp
    add action=drop chain=input comment="" disabled=no dst-port=135-140 protocol=\
    udp
    # "virus" chain: destination ports dropped for forwarded TCP (reached via the jump above).
    # Note that 1024-1030 already covers 1025.
    add action=drop chain=virus comment="" disabled=no dst-port=1080 protocol=tcp
    add action=drop chain=virus comment="" disabled=no dst-port=1363 protocol=tcp
    add action=drop chain=virus comment="" disabled=no dst-port=1364 protocol=tcp
    add action=drop chain=virus comment="" disabled=no dst-port=1373 protocol=tcp
    add action=drop chain=virus comment="" disabled=no dst-port=1377 protocol=tcp
    add action=drop chain=virus comment="" disabled=no dst-port=1368 protocol=tcp
    add action=drop chain=virus comment="" disabled=no dst-port=3306 protocol=tcp
    add action=drop chain=virus comment="" disabled=no dst-port=1025 protocol=tcp
    add action=drop chain=virus comment="" disabled=no dst-port=1433-1434 \
    protocol=tcp
    add action=drop chain=virus comment="" disabled=no dst-port=1024-1030 \
    protocol=tcp
    # Blacklist: a host with more than one concurrent connection to 21/22/23/25 on the
    # router is listed for 1w3d and then dropped. The "Local admin access" accept comes
    # after these two rules, so the admin host is subject to them as well.
    add action=drop chain=input comment="Drop and keep on the blacklist" \
    disabled=no dst-port=21,22,23,25 protocol=tcp src-address-list=\
    Lista_Negra
    add action=add-src-to-address-list address-list=Lista_Negra \
    address-list-timeout=1w3d chain=input comment="Blacklist rule" \
    connection-limit=1,32 disabled=no dst-port=21,22,23,25 protocol=tcp
    add action=accept chain=input comment="Local admin access" disabled=no \
    src-address=192.168.10.200
    add action=accept chain=output comment="" disabled=no dst-address=\
    192.168.10.200
    add action=accept chain=input comment="" disabled=no protocol=icmp
    add action=accept chain=output comment="" disabled=no protocol=icmp
    # UDP 5678 is MikroTik neighbor discovery; only the admin host may send it.
    add action=drop chain=input comment=\
    "Block scan via local / for everything below" disabled=no dst-port=5678 \
    protocol=udp src-address=!192.168.10.200
    # Per-client cap on concurrent non-HTTP TCP connections (15 per /32).
    add action=drop chain=forward comment="Limit connections" connection-limit=\
    15,32 disabled=no dst-port=!80 protocol=tcp src-address=192.168.0.0/16 \
    tcp-flags=syn
    # Port-scan detection: offenders go to the pscanners list for two weeks and are
    # dropped by the "DROPPING PORT SCANNERS" rule further down.
    add action=add-src-to-address-list address-list=pscanners \
    address-list-timeout=2w chain=input comment="PORT SCANNERS TO LIST" \
    disabled=no protocol=tcp psd=21,3s,3,1
    add action=add-src-to-address-list address-list=pscanners \
    address-list-timeout=2w chain=input comment="NMAP FIN STEALTH" disabled=\
    no protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
    add action=add-src-to-address-list address-list=pscanners \
    address-list-timeout=2w chain=input comment=SYN/FIN disabled=no \
    protocol=tcp tcp-flags=fin,syn
    add action=add-src-to-address-list address-list=pscanners \
    address-list-timeout=2w chain=input comment=FIN/PSH/URG disabled=no \
    protocol=tcp tcp-flags=fin,psh,urg,!syn,!ack
    add action=add-src-to-address-list address-list=pscanners \
    address-list-timeout=2w chain=input comment=ALL/ALL disabled=no protocol=\
    tcp tcp-flags=fin,syn,rst,psh,ack,urg
    add action=add-src-to-address-list address-list=pscanners \
    address-list-timeout=2w chain=input comment=SYN/RST disabled=no protocol=\
    tcp tcp-flags=syn,rst
    add action=add-src-to-address-list address-list=pscanners \
    address-list-timeout=2w chain=input comment="NMAP NULL" disabled=no \
    protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
    # The posted list repeated this input rule three times; one copy is kept.
    add action=drop chain=input comment="DROP INVALID CONNECTIONS" \
    connection-state=invalid disabled=no
    # "customer" chain, merged from the three partial copies in the posted list.
    # No rule jumps to chain=customer, so as posted it is never reached.
    add action=drop chain=customer comment="DROP INVALID CONNECTION PACKETS" \
    connection-state=invalid disabled=no
    add action=accept chain=customer comment="ALLOW ESTABLISHED CONNECTIONS" \
    connection-state=established disabled=no
    add action=accept chain=customer comment="ALLOW RELATED CONNECTIONS" \
    connection-state=related disabled=no
    add action=log chain=customer comment="LOG DROPPED CONNECTIONS" disabled=no \
    log-prefix=customer_drop
    add action=drop chain=customer comment="DROP AND LOG EVERYTHING ELSE" \
    disabled=no
    # tcp-flags=fin,syn,rst,ack requires all four flags set at once, which no real TCP
    # packet carries, so the next two rules never match. A rate-limited accept also only
    # limits anything if a drop for the same traffic follows it; none does here.
    add action=accept chain=forward comment="" disabled=no limit=1,5 protocol=tcp \
    tcp-flags=fin,syn,rst,ack
    add action=accept chain=input comment=SYN-FLOOD disabled=no limit=1,5 \
    protocol=tcp tcp-flags=fin,syn,rst,ack
    add action=accept chain=input comment="DOS ATTACK" disabled=no icmp-options=\
    8:0 limit=1,5 protocol=icmp
    add action=accept chain=forward comment="" disabled=no icmp-options=8:0 \
    limit=1,5 protocol=icmp
    add action=drop chain=input comment="DROPPING PORT SCANNERS" disabled=no \
    src-address-list=pscanners
    add action=accept chain=input comment="ACCEPT RELATED CONNECTIONS" \
    connection-state=related disabled=no
    # Accepts every UDP packet addressed to the router.
    add action=accept chain=input comment=UDP disabled=no protocol=udp
    add action=accept chain=input comment="ACCEPT PINGS WITHIN LIMIT" disabled=no \
    limit=50/5s,2 protocol=icmp
    # SSH and Winbox are accepted from any source here, and since the input chain has
    # no final drop (the catch-all log rule above is disabled), anything not explicitly
    # dropped earlier reaches the router regardless of these accepts.
    add action=accept chain=input comment="SSH for secure shell" disabled=no \
    dst-port=22 protocol=tcp
    add action=accept chain=input comment=winbox disabled=no dst-port=8291 \
    protocol=tcp



  5. Good morning everyone!

    How do I block all ports and only open them as needed?

    Thanks, everyone.
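The layout post 5 asks for, written out as an added example that is not part of the thread and not the poster's configuration. Default deny applies to the router's own input chain: stateful accepts first, scan detection and management access from one host, then a logged drop. An ISP cannot default-deny the customer traffic it forwards, so the forward chain keeps the block-list approach from the posted list (NetBIOS/SMB and worm-probed database ports in a jump chain, a per-client connection cap) and ends in accept. The interface names ether1-wan and Cliente are assumptions; the 192.168.0.0/16 client space and the 192.168.10.200 management host are taken from the list above; the connection-limit and log-limit values and port 445 (direct SMB, not in the posted list) are placeholders to review before use.

```routeros
# Added example, not from the thread. Assumed names: WAN interface "ether1-wan",
# client interface "Cliente", management host 192.168.10.200, clients 192.168.0.0/16.
# RouterOS evaluates rules top to bottom and stops at the first accept or drop.

/ip firewall address-list
add list=admin address=192.168.10.200 comment="management host (assumed)"
add list=lan address=192.168.0.0/16 comment="client address space"

/ip firewall filter
# ---- input: packets addressed to the router itself (default deny) ----
add chain=input connection-state=established,related action=accept \
    comment="return traffic first; the rules below only ever see new flows"
add chain=input connection-state=invalid action=drop
# scan detection: list the source for two weeks, then drop it
add chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list \
    address-list=pscanners address-list-timeout=2w comment="port scan"
add chain=input protocol=tcp tcp-flags=fin,syn action=add-src-to-address-list \
    address-list=pscanners address-list-timeout=2w comment="SYN+FIN is never legitimate"
add chain=input protocol=tcp tcp-flags=syn,rst action=add-src-to-address-list \
    address-list=pscanners address-list-timeout=2w comment="SYN+RST is never legitimate"
add chain=input protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg \
    action=add-src-to-address-list address-list=pscanners address-list-timeout=2w \
    comment="NULL scan"
add chain=input src-address-list=pscanners action=drop
# ICMP is accepted but rate limited; a drop for the excess follows the accept,
# otherwise the limit would change nothing (same mistake as an accept with no drop)
add chain=input protocol=icmp limit=50/5s,2 action=accept comment="rate-limited ICMP"
add chain=input protocol=icmp action=drop comment="ICMP above the limit"
# management only from the admin host; the same ports from anywhere else fall
# through to the final drop
add chain=input src-address-list=admin protocol=tcp dst-port=22,8291 action=accept \
    comment="SSH and Winbox from the management host only"
# MikroTik neighbor discovery (UDP 5678) only from the admin host
add chain=input src-address-list=admin protocol=udp dst-port=5678 action=accept
# services the router provides to clients: add one accept per service here
add chain=input in-interface=Cliente src-address-list=lan protocol=udp dst-port=53 \
    action=accept comment="DNS, if the router is the clients' resolver (assumed)"
add chain=input action=log log-prefix="INPUT DROP " limit=1,5 \
    comment="log a sample of what is dropped, not every packet"
add chain=input action=drop comment="default deny: everything not accepted above"

# ---- forward: client traffic through the router (block list, ends in accept) ----
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
# one jump (no protocol matcher, so UDP reaches the chain too)
add chain=forward action=jump jump-target=virus
add chain=virus protocol=tcp dst-port=135-139,445 action=drop \
    comment="NetBIOS/SMB never crosses an ISP link legitimately"
add chain=virus protocol=udp dst-port=135-139 action=drop
add chain=virus protocol=tcp dst-port=1433-1434 action=drop comment="MS SQL"
add chain=virus protocol=tcp dst-port=3306 action=drop comment="MySQL"
add chain=virus action=return
# cap on concurrent TCP connections per client host (/32); value is a placeholder
add chain=forward in-interface=Cliente src-address-list=lan protocol=tcp tcp-flags=syn \
    connection-limit=100,32 action=drop comment="per-client connection cap"
# customer traffic is forwarded unless a rule above dropped it
add chain=forward action=accept
```

Two things make this list cheap on a 500-client router: the established,related accept is the first rule in each chain, so the bulk of packets match one rule and leave the chain, and the port drops sit in a single jump chain with port lists instead of one rule per port. Test the input chain from outside the admin host before enabling the final drop, since that rule is what turns the accepts into a real policy.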





