


  1. aqui vai o meu, foi um maluko aqui de juazeiro-ba que configurou, pra minha rede ta funcionando blz.

    não esquece de agradecer.

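    # /ip firewall filter ruleset (RouterOS export, pasted into the forum).
    # Rules are evaluated top to bottom within each chain; the first rule whose
    # action terminates (accept/drop) decides the packet. Corrections made to the
    # posted export:
    #  - the three port-knock rules had their dst-port values stripped from the
    #    post; labelled placeholders mark where the real ports go
    #  - the port-22 and port-23 drop rules matched src-address-list
    #    "bloqueado-por-SSH", a list no rule here fills (the add rules fill
    #    "bloqueado"), so they never fired; they now drop unconditionally, the
    #    same pattern the FTP rule already used
    #  - "aceitando 1 ping a cada 5 segundos" used action=drop; together with the
    #    "bloqueando o excesso" rule every ICMP packet was discarded. It is now
    #    action=accept, matching its comment. The "Log quem Pinga" rule carried
    #    limit=0/0s,0, which can never match, and is omitted
    /ip firewall filter
    add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
    # Blocks outside access to the web proxy. "velox-" is the interface name exactly as exported.
    add action=drop chain=input comment="Bloqueia Proxy" disabled=no dst-port=3128 in-interface=velox- protocol=tcp
    add action=drop chain=input comment="Descarta invalidas" connection-state=invalid disabled=no
    # Port knocking: hitting three TCP ports in order, each within the previous
    # entry's timeout, puts the source in "liberado" for 2h. Replace the
    # <KNOCK-PORT-n> placeholders with the real ports before importing.
    add action=add-src-to-address-list address-list=temp1 address-list-timeout=10s chain=input comment="" disabled=no dst-port=<KNOCK-PORT-1> protocol=tcp
    add action=add-src-to-address-list address-list=temp2 address-list-timeout=10s chain=input comment="" disabled=no dst-port=<KNOCK-PORT-2> protocol=tcp src-address-list=temp1
    add action=add-src-to-address-list address-list=liberado address-list-timeout=2h chain=input comment="" disabled=no dst-port=<KNOCK-PORT-3> protocol=tcp src-address-list=temp2
    # Winbox (8291): only knocked-in hosts. The unconditional drop that follows
    # also shadows the later "Aceita winbox Externo" rule on ether2.
    add action=accept chain=input comment="Aceita winbox da lista liberado" disabled=no dst-port=8291 protocol=tcp src-address-list=liberado
    add action=drop chain=input comment="nega acesso winbox" disabled=no dst-port=8291 protocol=tcp
    # FTP (21): knocked-in hosts accepted; any other source is listed in
    # "bloqueado" for 1d (the forward chain drops that list) and then dropped.
    add action=accept chain=input comment="Aceita ftp" disabled=no dst-port=21 protocol=tcp src-address-list=liberado
    add action=add-src-to-address-list address-list=bloqueado address-list-timeout=1d chain=input comment="" disabled=no dst-port=21 protocol=tcp
    add action=drop chain=input comment="" disabled=no dst-port=21 protocol=tcp
    # SSH: accepted on 4142 for knocked-in hosts (presumably the service was
    # moved off 22 - confirm in /ip service). Anything touching 22 is treated as
    # a probe, listed in "bloqueado" and dropped.
    add action=accept chain=input comment="Aceita SSH" disabled=no dst-port=4142 protocol=tcp src-address-list=liberado
    add action=add-src-to-address-list address-list=bloqueado address-list-timeout=1d chain=input comment="" disabled=no dst-port=22 protocol=tcp
    add action=drop chain=input comment="" disabled=no dst-port=22 protocol=tcp
    # Telnet (23): same pattern as FTP.
    add action=accept chain=input comment="Aceita telnet" disabled=no dst-port=23 protocol=tcp src-address-list=liberado
    add action=add-src-to-address-list address-list=bloqueado address-list-timeout=1d chain=input comment="" disabled=no dst-port=23 protocol=tcp
    add action=drop chain=input comment="" disabled=no dst-port=23 protocol=tcp
    # ICMP to the router: one ping per 5 s accepted, the excess dropped. Both
    # rules terminate, so the jump into chain ICMP that follows is never
    # reached for input traffic (it still matters for the forward chain).
    add action=accept chain=input comment="aceitando 1 ping a cada 5 segundos" disabled=no limit=1/5s,1 protocol=icmp
    add action=drop chain=input comment="bloqueando o excesso" disabled=no protocol=icmp
    add action=jump chain=input comment="Salta para canal icmp" disabled=no jump-target=ICMP protocol=icmp
    add action=jump chain=input comment="Salta para o canal virus" disabled=no jump-target=VIRUS
    add action=accept chain=input comment="Aceita estabelecidas" connection-state=established disabled=no
    add action=accept chain=input comment="Aceita relacionadas" connection-state=related disabled=no
    add action=accept chain=input comment="Aceita redes internas" disabled=no in-interface=bridge1
    # Shadowed by "nega acesso winbox" above; kept as exported.
    add action=accept chain=input comment="Aceita winbox Externo" disabled=no dst-port=8291 in-interface=ether2 protocol=tcp
    # Final input policy. It is disabled in the export, so any input packet not
    # matched above is accepted by the default policy (every other service on
    # the router is reachable). Enable it once management access through
    # bridge1 or the "liberado" list has been verified.
    add action=drop chain=input comment="Descarta Restante" disabled=yes
    # "(unknown)" is how the export names an interface that no longer exists.
    add action=drop chain=input comment="" disabled=yes dst-address=10.0.0.254 dst-port=3128 in-interface="(unknown)" protocol=tcp
    # forward chain: invalid and blocked sources are dropped before the
    # established/related accepts, so the VIRUS chain also sees reply traffic.
    add action=drop chain=forward comment="Descarta Invalidas" connection-state=invalid disabled=no
    add action=drop chain=forward comment="" disabled=no src-address-list=bloqueado
    # protocol=icmp added to the jump: every rule in chain ICMP matches
    # protocol=icmp, so non-ICMP packets only fell through it and returned.
    add action=jump chain=forward comment="Salta para canal icmp" disabled=no jump-target=ICMP protocol=icmp
    add action=jump chain=forward comment="Salta para o canal virus" disabled=no jump-target=VIRUS
    add action=accept chain=forward comment="Aceita estabelecidas" connection-state=established disabled=no
    add action=accept chain=forward comment="Aceita relacionadas" connection-state=related disabled=no
    # chain VIRUS: fixed-port signatures of 2003-2004 era worms and backdoors,
    # copied from a common list. Relative order preserved from the export;
    # dst-port=2745 appears twice ("Bagle VIRUS" and "Drop Beagle.C-K").
    add action=drop chain=VIRUS comment="Drop Blaster Worm" disabled=no protocol=udp src-port=445
    add action=drop chain=VIRUS comment="" disabled=no protocol=tcp src-port=445
    add action=drop chain=VIRUS comment="" disabled=no dst-port=445 protocol=tcp
    add action=drop chain=VIRUS comment="Drop Blaster Worm" disabled=no dst-port=445 protocol=udp
    add action=drop chain=VIRUS comment="" disabled=no protocol=tcp src-port=135-139
    add action=drop chain=VIRUS comment="" disabled=no protocol=udp src-port=135-139
    add action=drop chain=VIRUS comment="" disabled=no dst-port=135-139 protocol=tcp
    add action=drop chain=VIRUS comment="" disabled=no dst-port=135-139 protocol=udp
    add action=drop chain=VIRUS comment=________ disabled=no dst-port=593 protocol=tcp
    add action=drop chain=VIRUS comment=________ disabled=no dst-port=1024-1030 protocol=tcp
    add action=drop chain=VIRUS comment="Drop MyDoom" disabled=no dst-port=1080 protocol=tcp
    add action=drop chain=VIRUS comment=________ disabled=no dst-port=1214 protocol=tcp
    add action=drop chain=VIRUS comment="ndm requester" disabled=no dst-port=1363 protocol=tcp
    add action=drop chain=VIRUS comment="ndm server" disabled=no dst-port=1364 protocol=tcp
    add action=drop chain=VIRUS comment="screen cast" disabled=no dst-port=1368 protocol=tcp
    add action=drop chain=VIRUS comment=hromgrafx disabled=no dst-port=1373 protocol=tcp
    add action=drop chain=VIRUS comment=cichlid disabled=no dst-port=1377 protocol=tcp
    add action=drop chain=VIRUS comment="Bagle VIRUS" disabled=no dst-port=2745 protocol=tcp
    add action=drop chain=VIRUS comment="Drop Dumaru.Y" disabled=no dst-port=2283 protocol=tcp
    add action=drop chain=VIRUS comment="Drop Beagle" disabled=no dst-port=2535 protocol=tcp
    add action=drop chain=VIRUS comment="Drop Beagle.C-K" disabled=no dst-port=2745 protocol=tcp
    add action=drop chain=VIRUS comment="Drop MyDoom" disabled=no dst-port=3127 protocol=tcp
    add action=drop chain=VIRUS comment="Drop Backdoor OptixPro" disabled=no dst-port=3410 protocol=tcp
    add action=drop chain=VIRUS comment=Worm disabled=no dst-port=4444 protocol=tcp
    add action=drop chain=VIRUS comment=Worm disabled=no dst-port=4444 protocol=udp
    add action=drop chain=VIRUS comment="Drop Sasser" disabled=no dst-port=5554 protocol=tcp
    add action=drop chain=VIRUS comment="Drop Beagle.B" disabled=no dst-port=8866 protocol=tcp
    add action=drop chain=VIRUS comment="Drop Dabber.A-B" disabled=no dst-port=9898 protocol=tcp
    add action=drop chain=VIRUS comment="Drop Dumaru.Y" disabled=no dst-port=10000 protocol=tcp
    add action=drop chain=VIRUS comment="Drop MyDoom.B" disabled=no dst-port=10080 protocol=tcp
    add action=drop chain=VIRUS comment="Drop NetBus" disabled=no dst-port=12345 protocol=tcp
    add action=drop chain=VIRUS comment="Drop Kuang2" disabled=no dst-port=17300 protocol=tcp
    add action=drop chain=VIRUS comment="Drop SubSeven" disabled=no dst-port=27374 protocol=tcp
    add action=drop chain=VIRUS comment="Drop PhatBot, Agobot, Gaobot" disabled=no dst-port=65506 protocol=tcp
    add action=drop chain=VIRUS comment="" disabled=no dst-port=513 protocol=tcp
    add action=drop chain=VIRUS comment="" disabled=no dst-port=513 protocol=udp
    add action=drop chain=VIRUS comment="" disabled=no dst-port=525 protocol=tcp
    add action=drop chain=VIRUS comment="" disabled=no dst-port=525 protocol=udp
    add action=drop chain=VIRUS comment="" disabled=no dst-port=568-569 protocol=tcp
    add action=drop chain=VIRUS comment="" disabled=no dst-port=568-569 protocol=udp
    add action=drop chain=VIRUS comment="" disabled=no dst-port=1512 protocol=tcp
    add action=drop chain=VIRUS comment="" disabled=no dst-port=1512 protocol=udp
    add action=drop chain=VIRUS comment="" disabled=no dst-port=396 protocol=tcp
    add action=drop chain=VIRUS comment="" disabled=no dst-port=396 protocol=udp
    add action=drop chain=VIRUS comment="" disabled=no dst-port=1366 protocol=tcp
    add action=drop chain=VIRUS comment="" disabled=no dst-port=1366 protocol=udp
    add action=drop chain=VIRUS comment="" disabled=no dst-port=1416 protocol=tcp
    add action=drop chain=VIRUS comment="" disabled=no dst-port=1416 protocol=udp
    add action=drop chain=VIRUS comment="" disabled=no dst-port=201-209 protocol=tcp
    add action=drop chain=VIRUS comment="" disabled=no dst-port=201-209 protocol=udp
    add action=drop chain=VIRUS comment="" disabled=no dst-port=545 protocol=tcp
    add action=drop chain=VIRUS comment="" disabled=no dst-port=545 protocol=udp
    add action=drop chain=VIRUS comment="" disabled=no dst-port=1381 protocol=udp
    add action=drop chain=VIRUS comment="" disabled=no dst-port=1381 protocol=tcp
    add action=drop chain=VIRUS comment="" disabled=no dst-port=3031 protocol=tcp
    add action=drop chain=VIRUS comment="" disabled=no dst-port=3031 protocol=udp
    # chain ICMP: whitelist by type:code - 0:0 echo reply, 8:0 echo request,
    # 11:0 TTL exceeded (traceroute), 3:3 port unreachable, 3:4 fragmentation
    # needed (required for path-MTU discovery). Everything else is dropped.
    add action=accept chain=ICMP comment="" disabled=no icmp-options=0:0 protocol=icmp
    add action=accept chain=ICMP comment="" disabled=no icmp-options=8:0 protocol=icmp
    add action=accept chain=ICMP comment="" disabled=no icmp-options=11:0 protocol=icmp
    add action=accept chain=ICMP comment="" disabled=no icmp-options=3:3 protocol=icmp
    add action=accept chain=ICMP comment="" disabled=no icmp-options=3:4 protocol=icmp
    add action=drop chain=ICMP comment="" disabled=no protocol=icmp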
    Última edição por kasatek; 11-08-2009 às 18:45.

  2. Bom, talvez alguém aqui possa me dizer uma coisa que está difícil de eu conseguir entender no firewall do Mikrotik. Bom, já testei várias regras e quase todas deram alguma dor de cabeça, pois usei o velho ctrl+c ctrl+v. Bom, já passei dessa fase e quero crescer e aprender. Bom, minha pergunta:



    só tenho que saber uma coisa, o principal: coloco a parte de liberação no início do firewall ou no fim? Exemplos:



    bloqueio várias portas TCP com drop e na última linha coloco para liberar o resto, ou isso é vice-versa:



    coloco primeiro liberar e depois drop no resto?


    Já olhei milhões de posts e não consegui assimilar o funcionamento de forma clara.



  3. amigo, é o seguinte: primeiro libera tudo o que você quer, depois dropa tudo no final. As regras são avaliadas na ordem em que estão na cadeia e a primeira que casar decide o destino do pacote, por isso o drop geral tem que ficar por último. Isso tanto faz no Mikrotik como no velho iptables no Linux.

  4. Citação Postado originalmente por eugeniomarques Ver Post
    Amigos... o q vou propor nao sei se já não tem.. pelo menos não achei..

    poderíamos deixar um post fixo aki com um script de firewall completo.. para quem queira somente copiar e colar?

    Digo isso pq eu uso o script do curso q fiz com os malukos da Mikrotik Brasil (S, E e M) e com eles trouxe um firewall completo.. com os drops das invalidas... accepts nas relacionadas e estabelecidas... bate bate bate na porta do céu... bloqueio de atakes ssh, virus... etc... etc...

    com tudo isso pronto... eu achei q tinha tudo.. mas conversando com outro maluko.. (esse eh maluko mesmo...) ele disse q meu firewall ainda tah muito incompleto... faltava muita coisa... e ele ateh se propôs.. a completar ele semana q vem... Eh um maluko beleza.. Tb gosta de contribuir... gente boa..

    enquanto isso na sala da justiça...

    Macacos me mordam Batman.. como podemos fazer um script completo e disponibilizar para todo mundo?

    Simples.. vamos até a comunidade Underlinux, Robin!

    bom...

    vou postar o script com as regras desabilitadas.. pq cada caso eh um caso...

    mas meu intuito aki eh chegar a um único firewall, completo e funcional para todos.

    então por favor.. contribuam..

    Detalhe: meu firewall nao eh meu como falei.. copiei do curso e adicionei outras coisas q achei aki mesmo no forum.

    gracias a todos,



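    # /ip firewall filter ruleset posted with every rule disabled=yes, as a
    # template ("cada caso eh um caso"). Rules are evaluated top to bottom within
    # each chain; the first rule whose action terminates decides the packet.
    # Correction made to the posted export: the "bloqueado-por-SSH" and
    # "bloqueado-por-telnet" lists were filled by the port-22/23 rules but nothing
    # in the input chain ever matched on them, so a listed host still reached the
    # later "Aceita SSH" / "Aceita telnet" rules. One drop rule per list is added
    # right after its add rule (disabled=yes like the rest of the template).
    /ip firewall filter
    add action=drop chain=input comment="Descarta invalidas" connection-state=invalid disabled=yes
    # Port knocking: 1111 -> 2222 -> 3333, each step within 15 s of the previous
    # one, puts the source in "liberado" for 2h.
    add action=add-src-to-address-list address-list=temp1 address-list-timeout=15s chain=input comment="" disabled=yes dst-port=1111 protocol=tcp
    add action=add-src-to-address-list address-list=temp2 address-list-timeout=15s chain=input comment="" disabled=yes dst-port=2222 protocol=tcp src-address-list=temp1
    add action=add-src-to-address-list address-list=liberado address-list-timeout=2h chain=input comment="" disabled=yes dst-port=3333 protocol=tcp src-address-list=temp2
    # Any source other than 10.0.0.200 that touches 22 or 23 is listed for 1d and
    # dropped. There is no exception for "liberado" here, so knocked-in hosts
    # that use SSH/telnet are listed as well - only 10.0.0.200 gets through.
    add action=add-src-to-address-list address-list=bloqueado-por-SSH address-list-timeout=1d chain=input comment="" disabled=yes dst-port=22 protocol=tcp src-address=!10.0.0.200
    add action=drop chain=input comment="" disabled=yes src-address-list=bloqueado-por-SSH
    add action=add-src-to-address-list address-list=bloqueado-por-telnet address-list-timeout=1d chain=input comment="" disabled=yes dst-port=23 protocol=tcp src-address=!10.0.0.200
    add action=drop chain=input comment="" disabled=yes src-address-list=bloqueado-por-telnet
    # Winbox (8291): knocked-in hosts only; everything else is dropped, which
    # also shadows the "Aceita winbox Externo" rule further down.
    add action=accept chain=input comment="Aceita winbox da lista liberado" disabled=yes dst-port=8291 protocol=tcp src-address-list=liberado
    add action=drop chain=input comment="nega acesso winbox" disabled=yes dst-port=8291 protocol=tcp
    # Every ICMP packet is terminated inside chain ICMP (five types accepted,
    # the rest dropped), so the two rate-limit rules after the jump are never
    # reached for input traffic. limit=1,3 is kept as posted (comment says 1/s).
    add action=jump chain=input comment="Salta para canal icmp" disabled=yes jump-target=ICMP protocol=icmp
    add action=accept chain=input comment="Aceita pings 1/segundo" disabled=yes in-interface=ether2 limit=1,3 protocol=icmp
    add action=drop chain=input comment="Descarta restante pings" disabled=yes in-interface=ether2 protocol=icmp
    add action=jump chain=input comment="Salta para o canal virus" disabled=yes jump-target=VIRUS
    add action=accept chain=input comment="Aceita estabelecidas" connection-state=established disabled=yes
    add action=accept chain=input comment="Aceita relacionadas" connection-state=related disabled=yes
    # Accepts all input from every interface except wlan1. If ether2 is the
    # upstream link (the reply in this thread asks exactly that), this rule
    # admits all traffic from it, makes "Aceita winbox Externo" redundant and
    # leaves only wlan1 subject to the SSH/telnet accepts and the final drop.
    add action=accept chain=input comment="Aceita redes internas" disabled=yes in-interface=!wlan1
    add action=accept chain=input comment="Aceita winbox Externo" disabled=yes dst-port=8291 in-interface=ether2 protocol=tcp
    add action=accept chain=input comment="Aceita SSH" disabled=yes dst-port=22 protocol=tcp
    add action=accept chain=input comment="Aceita telnet" disabled=yes dst-port=23 protocol=tcp
    # Final input policy; while disabled, unmatched input is accepted by default.
    add action=drop chain=input comment="Descarta Restante" disabled=yes
    # forward chain. Only the telnet list is dropped here, as posted.
    add action=drop chain=forward comment="Descarta Invalidas" connection-state=invalid disabled=yes
    add action=drop chain=forward comment="" disabled=yes src-address-list=bloqueado-por-telnet
    add action=jump chain=forward comment="Salta para canal icmp" disabled=yes jump-target=ICMP
    add action=jump chain=forward comment="Salta para o canal virus" disabled=yes jump-target=VIRUS
    add action=accept chain=forward comment="Aceita estabelecidas" connection-state=established disabled=yes
    add action=accept chain=forward comment="Aceita relacionadas" connection-state=related disabled=yes
    # chain VIRUS: fixed-port signatures of 2003-2004 era worms and backdoors.
    # Order preserved from the export; dst-port=2745 appears twice.
    add action=drop chain=VIRUS comment="" disabled=yes protocol=tcp src-port=445
    add action=drop chain=VIRUS comment="" disabled=yes dst-port=445 protocol=tcp
    add action=drop chain=VIRUS comment="Drop Blaster Worm" disabled=yes protocol=udp src-port=445
    add action=drop chain=VIRUS comment="Drop Blaster Worm" disabled=yes dst-port=445 protocol=udp
    add action=drop chain=VIRUS comment="" disabled=yes protocol=tcp src-port=135-139
    add action=drop chain=VIRUS comment="" disabled=yes protocol=udp src-port=135-139
    add action=drop chain=VIRUS comment="" disabled=yes dst-port=135-139 protocol=tcp
    add action=drop chain=VIRUS comment="" disabled=yes dst-port=135-139 protocol=udp
    add action=drop chain=VIRUS comment=________ disabled=yes dst-port=593 protocol=tcp
    add action=drop chain=VIRUS comment=________ disabled=yes dst-port=1024-1030 protocol=tcp
    add action=drop chain=VIRUS comment="Drop MyDoom" disabled=yes dst-port=1080 protocol=tcp
    add action=drop chain=VIRUS comment=________ disabled=yes dst-port=1214 protocol=tcp
    add action=drop chain=VIRUS comment="ndm requester" disabled=yes dst-port=1363 protocol=tcp
    add action=drop chain=VIRUS comment="ndm server" disabled=yes dst-port=1364 protocol=tcp
    add action=drop chain=VIRUS comment="screen cast" disabled=yes dst-port=1368 protocol=tcp
    add action=drop chain=VIRUS comment=hromgrafx disabled=yes dst-port=1373 protocol=tcp
    add action=drop chain=VIRUS comment=cichlid disabled=yes dst-port=1377 protocol=tcp
    add action=drop chain=VIRUS comment="Bagle VIRUS" disabled=yes dst-port=2745 protocol=tcp
    add action=drop chain=VIRUS comment="Drop Dumaru.Y" disabled=yes dst-port=2283 protocol=tcp
    add action=drop chain=VIRUS comment="Drop Beagle" disabled=yes dst-port=2535 protocol=tcp
    add action=drop chain=VIRUS comment="Drop Beagle.C-K" disabled=yes dst-port=2745 protocol=tcp
    add action=drop chain=VIRUS comment="Drop MyDoom" disabled=yes dst-port=3127 protocol=tcp
    add action=drop chain=VIRUS comment="Drop Backdoor OptixPro" disabled=yes dst-port=3410 protocol=tcp
    add action=drop chain=VIRUS comment=Worm disabled=yes dst-port=4444 protocol=tcp
    add action=drop chain=VIRUS comment=Worm disabled=yes dst-port=4444 protocol=udp
    add action=drop chain=VIRUS comment="Drop Sasser" disabled=yes dst-port=5554 protocol=tcp
    add action=drop chain=VIRUS comment="Drop Beagle.B" disabled=yes dst-port=8866 protocol=tcp
    add action=drop chain=VIRUS comment="Drop Dabber.A-B" disabled=yes dst-port=9898 protocol=tcp
    add action=drop chain=VIRUS comment="Drop Dumaru.Y" disabled=yes dst-port=10000 protocol=tcp
    add action=drop chain=VIRUS comment="Drop MyDoom.B" disabled=yes dst-port=10080 protocol=tcp
    add action=drop chain=VIRUS comment="Drop NetBus" disabled=yes dst-port=12345 protocol=tcp
    add action=drop chain=VIRUS comment="Drop Kuang2" disabled=yes dst-port=17300 protocol=tcp
    add action=drop chain=VIRUS comment="Drop SubSeven" disabled=yes dst-port=27374 protocol=tcp
    add action=drop chain=VIRUS comment="Drop PhatBot, Agobot, Gaobot" disabled=yes dst-port=65506 protocol=tcp
    add action=drop chain=VIRUS comment="" disabled=yes dst-port=513 protocol=tcp
    add action=drop chain=VIRUS comment="" disabled=yes dst-port=513 protocol=udp
    add action=drop chain=VIRUS comment="" disabled=yes dst-port=525 protocol=tcp
    add action=drop chain=VIRUS comment="" disabled=yes dst-port=525 protocol=udp
    add action=drop chain=VIRUS comment="" disabled=yes dst-port=568-569 protocol=tcp
    add action=drop chain=VIRUS comment="" disabled=yes dst-port=568-569 protocol=udp
    add action=drop chain=VIRUS comment="" disabled=yes dst-port=1512 protocol=tcp
    add action=drop chain=VIRUS comment="" disabled=yes dst-port=1512 protocol=udp
    add action=drop chain=VIRUS comment="" disabled=yes dst-port=396 protocol=tcp
    add action=drop chain=VIRUS comment="" disabled=yes dst-port=396 protocol=udp
    add action=drop chain=VIRUS comment="" disabled=yes dst-port=1366 protocol=tcp
    add action=drop chain=VIRUS comment="" disabled=yes dst-port=1366 protocol=udp
    add action=drop chain=VIRUS comment="" disabled=yes dst-port=1416 protocol=tcp
    add action=drop chain=VIRUS comment="" disabled=yes dst-port=1416 protocol=udp
    add action=drop chain=VIRUS comment="" disabled=yes dst-port=201-209 protocol=tcp
    add action=drop chain=VIRUS comment="" disabled=yes dst-port=201-209 protocol=udp
    add action=drop chain=VIRUS comment="" disabled=yes dst-port=545 protocol=tcp
    add action=drop chain=VIRUS comment="" disabled=yes dst-port=545 protocol=udp
    add action=drop chain=VIRUS comment="" disabled=yes dst-port=1381 protocol=udp
    add action=drop chain=VIRUS comment="" disabled=yes dst-port=1381 protocol=tcp
    add action=drop chain=VIRUS comment="" disabled=yes dst-port=3031 protocol=tcp
    add action=drop chain=VIRUS comment="" disabled=yes dst-port=3031 protocol=udp
    # chain ICMP: whitelist by type:code - 0:0 echo reply, 8:0 echo request,
    # 11:0 TTL exceeded (traceroute), 3:3 port unreachable, 3:4 fragmentation
    # needed (required for path-MTU discovery). Everything else is dropped.
    add action=accept chain=ICMP comment="" disabled=yes icmp-options=0:0 protocol=icmp
    add action=accept chain=ICMP comment="" disabled=yes icmp-options=8:0 protocol=icmp
    add action=accept chain=ICMP comment="" disabled=yes icmp-options=11:0 protocol=icmp
    add action=accept chain=ICMP comment="" disabled=yes icmp-options=3:3 protocol=icmp
    add action=accept chain=ICMP comment="" disabled=yes icmp-options=3:4 protocol=icmp
    add action=drop chain=ICMP comment="" disabled=yes protocol=icmp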


    Amigo, tua ether2 é a entrada do seu link ou a saída para os clientes?





