  1. Quote: Originally posted by SempreOnLine
    THERE'S NO POINT IN YOU ANALYZING THE FIREWALL FILTER WITHOUT THE MANGLE, THE NAT AND THE REST TOGETHER...

    Cheers!
    Quote: Originally posted by catvbrasil
    Wow!!! .....
    That's what I'm talking about... this is what community is...

    I don't even know how to say thanks....

  2. Well, to contribute, here is something, in case it is useful
    / ip firewall mangle
    add chain=output protocol=tcp src-port=3128 content="X-Cache: HIT" \
    action=mark-connection new-connection-mark=cachefull passthrough=yes \
    comment="cache full" disabled=no
    add chain=output connection-mark=cachefull action=mark-packet \
    new-packet-mark=cachefull passthrough=yes comment="" disabled=no
    add chain=output connection-mark=cachefull action=return comment="" \
    disabled=no
    add chain=output out-interface=REDE protocol=tcp src-port=64872 \
    action=mark-connection new-connection-mark=hotspot-out passthrough=yes \
    comment="hotspot full" disabled=no
    add chain=output out-interface=REDE protocol=tcp src-port=64873 \
    action=mark-connection new-connection-mark=hotspot-out passthrough=yes \
    comment="" disabled=no
    add chain=output out-interface=REDE protocol=tcp src-port=64874 \
    action=mark-connection new-connection-mark=hotspot-out passthrough=yes \
    comment="" disabled=no
    add chain=output out-interface=REDE protocol=tcp src-port=64875 \
    action=mark-connection new-connection-mark=hotspot-out passthrough=yes \
    comment="" disabled=no
    add chain=output out-interface=REDE protocol=tcp src-port=64872 \
    connection-mark=hotspot-out action=mark-packet new-packet-mark=hotspot \
    passthrough=no comment="" disabled=no
    add chain=output out-interface=REDE protocol=tcp src-port=64873 \
    connection-mark=hotspot-out action=mark-packet new-packet-mark=hotspot \
    passthrough=no comment="" disabled=no
    add chain=output out-interface=REDE protocol=tcp src-port=64874 \
    connection-mark=hotspot-out action=mark-packet new-packet-mark=hotspot \
    passthrough=no comment="" disabled=no
    add chain=output out-interface=REDE protocol=tcp src-port=64875 \
    connection-mark=hotspot-out action=mark-packet new-packet-mark=hotspot \
    passthrough=no comment="" disabled=no
    add chain=prerouting protocol=tcp p2p=all-p2p action=mark-routing \
    new-routing-mark=link passthrough=yes comment="p2p 1 redirecionado link2" \
    disabled=yes
    add chain=prerouting content=youtube action=mark-connection \
    new-connection-mark=YTB passthrough=yes comment="YOUTUBE" disabled=no
    add chain=prerouting connection-mark=YTB action=mark-packet \
    new-packet-mark=youtube passthrough=yes comment="" disabled=no
    add chain=prerouting connection-mark=YTB action=mark-routing \
    new-routing-mark=YTB passthrough=no comment="" disabled=no
    add chain=prerouting protocol=tcp src-port=1863 action=mark-packet \
    new-packet-mark=msn-out passthrough=yes comment="MSN" disabled=no
    add chain=prerouting protocol=tcp dst-port=1863 action=mark-packet \
    new-packet-mark=msn-in passthrough=yes comment="" disabled=no
    add chain=forward protocol=tcp tcp-flags=syn action=change-mss new-mss=1360 \
    comment="" disabled=no
    add chain=prerouting protocol=udp dst-port=5060 action=mark-connection \
    new-connection-mark=voip_in passthrough=yes comment="VOIP-IN" disabled=no
    add chain=prerouting connection-mark=voip_in action=mark-packet \
    new-packet-mark=VOIP_IN passthrough=yes comment="" disabled=no
    add chain=prerouting protocol=udp src-port=5060 action=mark-connection \
    new-connection-mark=voip_out passthrough=yes comment="VOIP-OUT" \
    disabled=no
    add chain=prerouting connection-mark=voip_out action=mark-packet \
    new-packet-mark=VOIP_OUT passthrough=yes comment="" disabled=no
    add chain=prerouting protocol=tcp dst-port=80 action=mark-connection \
    new-connection-mark=http-down passthrough=yes comment="HTTP" disabled=no
    add chain=prerouting connection-mark=http-down action=mark-packet \
    new-packet-mark=HTTP passthrough=yes comment="" disabled=no
    add chain=prerouting protocol=tcp dst-port=443 action=mark-connection \
    new-connection-mark=443_conn passthrough=yes comment="SSL" disabled=no
    add chain=forward p2p=bit-torrent action=mark-connection \
    new-connection-mark=bit-torrent_conn passthrough=yes comment="habilitado \
    Marca Conn bit-torrent" disabled=no
    add chain=forward connection-mark=bit-torrent_conn action=mark-packet \
    new-packet-mark=bit-torrent passthrough=yes comment="" disabled=no
    add chain=forward p2p=warez action=mark-connection \
    new-connection-mark=warez_conn passthrough=yes comment="Marca Conn warez" \
    disabled=no
    add chain=forward connection-mark=warez_conn action=mark-packet \
    new-packet-mark=warez passthrough=yes comment="" disabled=no
    add chain=prerouting dst-address=200.201.174.0/24 protocol=tcp dst-port=80 \
    action=mark-packet new-packet-mark=semproxy passthrough=yes \
    comment="Conectivade Social" disabled=no
    add chain=prerouting dst-address=200.221.8.0/24 protocol=tcp dst-port=80 \
    action=mark-packet new-packet-mark=semproxy passthrough=yes comment="" \
    disabled=no
    add chain=prerouting p2p=warez action=mark-connection new-connection-mark=ares \
    passthrough=yes comment="ARES" disabled=no
    add chain=prerouting p2p=all-p2p action=mark-connection \
    new-connection-mark=conexao_p2p passthrough=yes comment="conexao_p2p" \
    disabled=no
    add chain=prerouting connection-mark=conexao_p2p action=mark-packet \
    new-packet-mark=pacotes_p2p passthrough=yes comment="" disabled=no



  3. / ip firewall nat
    add chain=dstnat protocol=tcp dst-port=80 content="!X-Cache: HIT" \
    action=redirect to-ports=3128 comment="CACHE_SQUID" disabled=no
    add chain=dstnat in-interface=!LINK src-address=192.168.10.0/24 protocol=tcp \
    dst-port=80 action=redirect to-ports=3128 comment="CACHE_SQUID EXTERNO" \
    disabled=yes
    add chain=srcnat src-address=10.1.1.0/24 action=masquerade comment="masquerade \
    hotspot network" disabled=no
    add chain=dstnat protocol=tcp dst-port=222 action=dst-nat \
    to-addresses=192.168.254.2 to-ports=222 comment="nat firewall" \
    disabled=yes
    add chain=srcnat src-address=192.168.10.0/24 action=masquerade comment="range \
    individual clientes" disabled=no
    / ip firewall connection tracking
    set enabled=yes tcp-syn-sent-timeout=5s tcp-syn-received-timeout=5s \
    tcp-established-timeout=1d tcp-fin-wait-timeout=10s \
    tcp-close-wait-timeout=10s tcp-last-ack-timeout=10s \
    tcp-time-wait-timeout=10s tcp-close-timeout=10s udp-timeout=10s \
    udp-stream-timeout=3m icmp-timeout=10s generic-timeout=10m \
    tcp-syncookie=no
    / ip firewall filter
    add chain=input in-interface=LINK protocol=tcp dst-port=3128 action=drop \
    comment="BLOQUEIO DO PROXY EXTERNO" disabled=no
    add chain=forward p2p=warez action=drop comment="quebra de criptografia" \
    disabled=no
    add chain=forward connection-mark=ares action=drop comment="" disabled=no
    add chain=forward p2p=fasttrack action=drop comment="" disabled=no
    add chain=forward p2p=gnutella action=drop comment="" disabled=no
    add chain=forward p2p=bit-torrent action=drop comment="" disabled=no
    add chain=forward p2p=blubster action=drop comment="" disabled=no
    add chain=forward p2p=edonkey action=drop comment="" disabled=no
    add chain=forward p2p=soulseek action=drop comment="" disabled=no
    add chain=forward p2p=winmx action=drop comment="" disabled=no
    add chain=forward p2p=direct-connect action=drop comment="" disabled=no
    add chain=forward connection-state=related action=accept comment="" \
    disabled=no
    add chain=forward connection-state=established action=accept comment="" \
    disabled=no
    add chain=forward protocol=icmp action=accept comment="" disabled=no
    add chain=input protocol=tcp tcp-flags=fin,syn,rst,ack limit=1,5 action=accept \
    comment="" disabled=no
    add chain=forward protocol=tcp tcp-flags=fin,syn,rst,ack limit=1,5 \
    action=accept comment="" disabled=no
    add chain=input protocol=icmp icmp-options=8:0 limit=1,5 action=accept \
    comment="" disabled=no
    add chain=forward protocol=icmp icmp-options=8:0 limit=1,5 action=accept \
    comment="" disabled=no
    add chain=input action=jump jump-target=virus comment="" disabled=no
    add chain=forward action=jump jump-target=drop_protocols comment="" \
    disabled=no
    add chain=forward action=log log-prefix="" comment="" disabled=no
    add chain=output protocol=tcp tcp-flags=fin,syn,rst,psh,ack action=log \
    log-prefix="" comment="" disabled=no
    add chain=forward action=jump jump-target=virus comment="jump to the virus \
    chain" disabled=no
    add chain=virus protocol=tcp dst-port=135-139 action=drop comment="" \
    disabled=no
    add chain=virus protocol=udp dst-port=135-139 action=drop comment="" \
    disabled=no
    add chain=virus protocol=tcp dst-port=445 action=drop comment="" disabled=no
    add chain=virus protocol=udp dst-port=445 action=drop comment="" disabled=no
    add chain=virus protocol=tcp dst-port=593 action=drop comment="" disabled=no
    add chain=virus protocol=tcp dst-port=1024-1030 action=drop comment="" \
    disabled=no
    add chain=virus protocol=tcp dst-port=1080 action=drop comment="" disabled=no
    add chain=virus protocol=tcp dst-port=1214 action=drop comment="" disabled=no
    add chain=virus protocol=tcp dst-port=1363 action=drop comment="" disabled=no
    add chain=virus protocol=tcp dst-port=1364 action=drop comment="" disabled=no
    add chain=virus protocol=tcp dst-port=1368 action=drop comment="" disabled=no
    add chain=virus protocol=tcp dst-port=1373 action=drop comment="" disabled=no
    add chain=virus protocol=tcp dst-port=1377 action=drop comment="" disabled=no
    add chain=virus protocol=tcp dst-port=1433-1434 action=drop comment="" \
    disabled=no
    add chain=virus protocol=tcp dst-port=2283 action=drop comment="" disabled=no
    add chain=virus protocol=tcp dst-port=2535 action=drop comment="" disabled=no
    add chain=virus protocol=tcp dst-port=2745 action=drop comment="" disabled=no
    add chain=virus protocol=tcp dst-port=3410 action=drop comment="" disabled=no
    add chain=virus protocol=tcp dst-port=4444 action=drop comment="" disabled=no
    add chain=virus protocol=udp dst-port=4444 action=drop comment="" disabled=no
    add chain=virus protocol=tcp dst-port=5554 action=drop comment="" disabled=no
    add chain=virus protocol=tcp dst-port=8866 action=drop comment="" disabled=no
    add chain=virus protocol=tcp dst-port=9898 action=drop comment="" disabled=no
    add chain=virus protocol=tcp dst-port=10000 action=drop comment="" disabled=no
    add chain=virus protocol=tcp dst-port=10080 action=drop comment="" disabled=no
    add chain=virus protocol=tcp dst-port=12345 action=drop comment="" disabled=no
    add chain=virus protocol=tcp dst-port=17300 action=drop comment="" disabled=no
    add chain=virus protocol=tcp dst-port=27374 action=drop comment="" disabled=no
    add chain=virus protocol=tcp dst-port=65506 action=drop comment="" disabled=no
    add chain=virus protocol=tcp dst-port=27374 action=drop comment="SubSeven \
    Trojan" disabled=no
    add chain=forward connection-mark=ares action=drop comment="DROP_ARES" \
    disabled=no
    / ip firewall service-port
    set ftp ports=21 disabled=no
    set tftp ports=69 disabled=no
    set irc ports=6667 disabled=no
    set h323 disabled=no
    set quake3 disabled=no
    set gre disabled=no
    set pptp disabled=no
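As an added example (not code from the thread or from any of its posters), a small Python auditor for rule dumps in exactly the format posted above: it joins the backslash-continued lines, tracks the current "/ ip firewall ..." menu, and reports what a reviewer of the posted filter would check first, namely input/forward chains that never end in a catch-all drop (RouterOS accepts by default when no rule matches), rules carried in the export with disabled=yes, and tcp-syncookie=no in connection tracking. SAMPLE is a constructed excerpt in the posted format, not the full export.

```python
# Added example, not from the thread. SAMPLE is a constructed excerpt in the posted format.
import shlex
SAMPLE = r'''
/ ip firewall connection tracking
set enabled=yes tcp-syncookie=no
/ ip firewall filter
add chain=input in-interface=LINK protocol=tcp dst-port=3128 action=drop \
comment="BLOQUEIO DO PROXY EXTERNO" disabled=no
add chain=forward p2p=warez action=drop comment="quebra de criptografia" \
disabled=no
add chain=forward connection-state=established action=accept comment="" disabled=no
add chain=input action=jump jump-target=virus comment="" disabled=no
add chain=forward connection-mark=ares action=drop comment="DROP_ARES" disabled=yes
'''
MATCHLESS = {"chain", "action", "comment", "disabled", "log-prefix"}  # non-matcher keys

def parse_export(text):  # yield (menu, command, {key: value}) per logical line
    menu, buf = None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("\\"):            # continuation: glue onto the next line
            buf += line[:-1] + " "
            continue
        line, buf = buf + line, ""
        if line.startswith("/"):           # menu header such as "/ ip firewall filter"
            menu = line.lstrip("/ ")
            continue
        cmd, *pairs = shlex.split(line)    # keeps quoted comments as one value
        yield menu, cmd, dict(p.split("=", 1) for p in pairs if "=" in p)

def audit(text):
    """Flag chains with no final catch-all drop, disabled leftovers and SYN cookies off."""
    findings, last = [], {}                # last active rule seen per filter chain
    for menu, cmd, a in parse_export(text):
        if menu == "ip firewall connection tracking" and a.get("tcp-syncookie") == "no":
            findings.append("conntrack: tcp-syncookie=no")
        if menu != "ip firewall filter" or cmd != "add":
            continue
        if a.get("disabled") == "yes":     # inactive rules never terminate a chain
            findings.append(f"filter/{a['chain']}: disabled rule left in export "
                            f"({a.get('comment') or 'no comment'})")
        else:
            last[a["chain"]] = a
    for chain in ("input", "forward"):     # RouterOS default policy is accept
        rule = last.get(chain)
        if rule is None or rule.get("action") != "drop" or set(rule) - MATCHLESS:
            findings.append(f"filter/{chain}: no final catch-all drop")
    return findings
```

Running audit() over the full export posted above reports the same three classes of finding, since its input and forward chains end in jumps, logs and the ARES drop rather than a matcher-less drop.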

  4. Here I'm leaving my firewall rules... thanks, jean msn djjeantechno@hotmail.com
    Attached Files



  5. Quote: Originally posted by catvbrasil
    The rules presented in the MD training are by no means considered complete. They are the beginning, or the minimum, of what a good firewall really needs.
    Exactly... I never said they were complete and absolute... that's why the idea of building a good firewall as a starting point..

    Quote: Originally posted by catvbrasil
    This idea of "the best" firewall or "the most complete" firewall is sort of a utopia. What can happen is that something comes close, but truly perfect, only when hand-crafted and tailored to your network.
    Exactly that.. come close... how about we try that together?

    Coming close is exactly what we need here...

    Quote: Originally posted by catvbrasil
    Use the concepts!!! With concepts it isn't even necessary to share firewalls or rules.
    Well.. I assure you I'm trying... I've already read many of your posts.. and those of many others here.. and I'm trying to arrive at a kind of almost-complete script..

    best regards





