


  1. Hi folks, for those who really know MikroTik: I need an evaluation of the firewall I built for my network. I'd like you to take a look and tell me whether the rules are correct, or whether anything that is wrong needs changing. Thanks in advance.

    Here is the whole firewall:
    /ip firewall connection tracking
    set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s \
    tcp-close-wait-timeout=10s tcp-established-timeout=1d \
    tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s \
    tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no \
    tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
    /ip firewall filter
    add action=accept chain=input comment="SSH WEBMIKROTIK" disabled=no dst-port=\
    2222 protocol=tcp
    add action=accept chain=input comment="conexoes de entrada estabilizadas" \
    connection-state=established disabled=no
    add action=accept chain=forward comment=";;; permite estabelecer conexoes" \
    connection-state=established disabled=no
    add action=accept chain=forward comment=";;; permitir conexões relacionadas" \
    connection-state=related disabled=no
    add action=accept chain=forward comment=";;; Allow HTTP" disabled=no \
    dst-port=80 protocol=tcp
    add action=accept chain=forward comment=";;; Allow SMTP" disabled=no \
    dst-port=25 protocol=tcp
    add action=accept chain=forward comment=";;; allow TCP" disabled=no protocol=\
    tcp
    add action=accept chain=forward comment=";;; allow ping" disabled=no \
    protocol=icmp
    add action=accept chain=forward comment=";;; allow udp" disabled=no protocol=\
    udp
    add action=accept chain=input comment="aceitando 50 pings a cada 5 segundos" \
    disabled=no limit=50/5s,2 protocol=icmp
    add action=accept chain=input comment="Aceita Rede Local" disabled=no \
    src-address=192.168.10.0/24
    add action=accept chain=input comment="allow ips radios" connection-state=\
    established disabled=no src-address=10.1.230.0/24
    add action=accept chain=input comment="Accept related " connection-state=\
    related disabled=no protocol=tcp
    add action=accept chain=input comment=winbox disabled=no dst-port=8291 \
    protocol=tcp
    add action=drop chain=input comment="Descarta invalidas" connection-state=\
    invalid disabled=no
    add action=drop chain=forward comment="Net Bios bloqueado" disabled=no \
    dst-address=192.168.10.0/24 dst-port=137,138,139,445 protocol=tcp \
    src-address=192.168.10.0/24 src-port=137,138,139,445
    add action=drop chain=forward comment="bloqueio Net Bios UDP" disabled=no \
    dst-address=192.168.10.0/24 dst-port=137,138,139,445 protocol=udp \
    src-address=192.168.10.0/24 src-port=137,138,139,445
    add action=drop chain=input comment="bloqueando o excesso" disabled=no \
    protocol=icmp
    add action=jump chain=forward comment=";;; jump to the virus chain" disabled=\
    yes jump-target=virus
    add action=accept chain=input comment="" disabled=no dst-port=2211 protocol=\
    tcp
    add action=drop chain=forward comment=";;; Bloqueia conexões inválidas" \
    connection-state=invalid disabled=no
    add action=drop chain=VIRUS comment="One of the last TrojanOOTLT" disabled=no \
    dst-port=5011 protocol=tcp
    add action=accept chain=forward comment="" disabled=no
    add action=drop chain=input comment="" disabled=no dst-port=22-23 protocol=\
    tcp
    add action=drop chain=input comment="BLOQ. PINGS NO SERV." disabled=no \
    protocol=icmp
    add action=drop chain=input comment=";;; Drop Blaster Worm" disabled=no \
    dst-port=135-139 protocol=tcp
    add action=drop chain=input comment=";;; Drop Messenger Worm" disabled=no \
    dst-port=135-139 protocol=udp
    add action=drop chain=input comment=";;; Drop Blaster Worm" disabled=no \
    dst-port=445 protocol=tcp
    add action=drop chain=input comment=";;; Drop Blaster Worm" disabled=no \
    dst-port=445 protocol=udp
    add action=drop chain=input comment=";;; ________" disabled=no dst-port=593 \
    protocol=tcp
    add action=drop chain=input comment=";;; ________" disabled=no dst-port=\
    1024-1030 protocol=tcp
    add action=drop chain=input comment=";;; Drop MyDoom" disabled=no dst-port=\
    1080 protocol=tcp
    add action=drop chain=input comment=";;; ________" disabled=no dst-port=1214 \
    protocol=tcp
    add action=drop chain=input comment=";;; ndm requester" disabled=no dst-port=\
    1363 protocol=tcp
    add action=drop chain=input comment=" ;;; ndm server" disabled=no dst-port=\
    1364 protocol=tcp
    add action=drop chain=input comment=";;; screen cast" disabled=no dst-port=\
    1368 protocol=tcp
    add action=drop chain=input comment=";;; hromgrafx" disabled=no dst-port=1373 \
    protocol=tcp
    add action=drop chain=input comment=";;; cichlid" disabled=no dst-port=1377 \
    protocol=tcp
    add action=drop chain=input comment=";;; Worm" disabled=no dst-port=1433-1434 \
    protocol=tcp
    add action=drop chain=input comment=";;; Bagle Virus" disabled=no dst-port=\
    2745 protocol=tcp
    add action=drop chain=input comment=";;; Drop Dumaru.Y" disabled=no dst-port=\
    2283 protocol=tcp
    add action=drop chain=input comment=";;; Drop Beagle" disabled=no dst-port=\
    2535 protocol=tcp
    add action=drop chain=input comment=";;; Drop Beagle.C-K" disabled=no \
    dst-port=2745 protocol=tcp
    add action=drop chain=input comment=";;; Drop MyDoom" disabled=no dst-port=\
    3127-3128 protocol=tcp
    add action=drop chain=input comment=";;; Drop Backdoor OptixPro" disabled=no \
    dst-port=3410 protocol=tcp
    add action=drop chain=input comment=";;; Worm" disabled=no dst-port=4444 \
    protocol=tcp
    add action=drop chain=input comment=";;; Worm" disabled=no dst-port=4444 \
    protocol=udp
    add action=drop chain=input comment=";;; Drop Sasser" disabled=no dst-port=\
    5554 protocol=tcp
    add action=drop chain=forward comment="netbios windows7" disabled=no \
    dst-port=5357 protocol=tcp
    add action=drop chain=input comment="Drop Beagle.B" disabled=no dst-port=8866 \
    protocol=tcp
    add action=drop chain=input comment=";;; Drop Dabber.A-B" disabled=no \
    dst-port=9898 protocol=tcp
    add action=drop chain=input comment=";;; Drop Dumaru.Y" disabled=no dst-port=\
    10000 protocol=tcp
    add action=drop chain=input comment=";;; Drop MyDoom.B" disabled=no dst-port=\
    10080 protocol=tcp
    add action=drop chain=input comment=";;; Drop NetBus" disabled=no dst-port=\
    12345 protocol=tcp
    add action=drop chain=input comment=";;; Drop Kuang2" disabled=no dst-port=\
    17300 protocol=tcp
    add action=drop chain=input comment=";;; Drop SubSeven" disabled=no dst-port=\
    27374 protocol=tcp
    add action=drop chain=input comment=";;; Drop PhatBot, Agobot, Gaobot" \
    disabled=no dst-port=65506 protocol=tcp
    add action=log chain=input comment="Log everything else" disabled=yes \
    log-prefix="DROP INPUT"

  2. /ip firewall mangle
    add action=accept chain=prerouting comment=WebMikrotik disabled=no \
    dst-address=187.61.9.240/28
    add action=mark-packet chain=prerouting comment=www disabled=no \
    new-packet-mark=www_in passthrough=yes protocol=tcp src-port=80
    add action=mark-packet chain=postrouting comment="" disabled=no dst-port=80 \
    new-packet-mark=www_out passthrough=yes protocol=tcp
    add action=mark-packet chain=prerouting comment=p2p disabled=no \
    new-packet-mark=p2p_in p2p=all-p2p passthrough=yes
    add action=mark-packet chain=postrouting comment="" disabled=no \
    new-packet-mark=p2p_out p2p=all-p2p passthrough=yes
    add action=mark-packet chain=prerouting comment=dns disabled=no \
    new-packet-mark=dns_in passthrough=yes protocol=tcp src-port=53
    add action=mark-packet chain=postrouting comment="" disabled=no dst-port=53 \
    new-packet-mark=dns_out passthrough=yes protocol=tcp
    add action=mark-packet chain=prerouting comment="" disabled=no \
    new-packet-mark=dns_in passthrough=yes protocol=udp src-port=53
    add action=mark-packet chain=postrouting comment="" disabled=no dst-port=53 \
    new-packet-mark=dns_out passthrough=yes protocol=udp
    add action=mark-connection chain=prerouting comment="CONTROLE MESSENGER" \
    disabled=no dst-port=1863 new-connection-mark=Messenger-Conexao \
    passthrough=yes protocol=tcp
    add action=mark-connection chain=prerouting comment="" disabled=no dst-port=\
    1863 new-connection-mark=Messenger-Conexao passthrough=yes protocol=udp
    add action=mark-connection chain=prerouting comment="" disabled=no dst-port=\
    6891-6901 new-connection-mark=Messenger-Conexao passthrough=yes protocol=\
    tcp
    add action=mark-connection chain=prerouting comment="" disabled=no dst-port=\
    6891-6901 new-connection-mark=Messenger-Conexao passthrough=yes protocol=\
    udp
    add action=mark-connection chain=prerouting comment="" disabled=no dst-port=\
    5190 new-connection-mark=Messenger-Conexao passthrough=yes protocol=udp
    add action=mark-packet chain=prerouting comment="" connection-mark=\
    Messenger-Conexao disabled=no new-packet-mark=Messenger-Pacotes \
    passthrough=no
    add action=mark-connection chain=prerouting comment="CONTROLE ACESSO REMOTO" \
    disabled=no dst-port=2222 new-connection-mark=Acesso-Remoto-Conexao \
    passthrough=yes protocol=tcp
    add action=mark-connection chain=prerouting comment="" disabled=no dst-port=\
    23 new-connection-mark=Acesso-Remoto-Conexao passthrough=yes protocol=tcp
    add action=mark-connection chain=prerouting comment="Terminal Server" \
    disabled=no dst-port=3389 new-connection-mark=Acesso-Remoto-Conexao \
    passthrough=yes protocol=tcp
    add action=mark-connection chain=prerouting comment=VNC disabled=no dst-port=\
    5800 new-connection-mark=Acesso-Remoto-Conexao passthrough=yes protocol=\
    tcp
    add action=mark-connection chain=prerouting comment="" disabled=no dst-port=\
    5900 new-connection-mark=Acesso-Remoto-Conexao passthrough=yes protocol=\
    tcp
    add action=mark-connection chain=prerouting comment=Winbox disabled=no \
    dst-port=8291 new-connection-mark=Acesso-Remoto-Conexao passthrough=yes \
    protocol=tcp
    add action=mark-packet chain=prerouting comment="" connection-mark=\
    Acesso-Remoto-Conexao disabled=no new-packet-mark=Acesso-Remoto-Pacotes \
    passthrough=no
    add action=mark-connection chain=prerouting comment=\
    "CONTROLE BANCO DE DADOS - SQL" disabled=no dst-port=3306 \
    new-connection-mark=Banco-Dados-Conexao passthrough=yes protocol=tcp
    add action=mark-connection chain=prerouting comment=Oracle disabled=no \
    dst-port=1521 new-connection-mark=Banco-Dados-Conexao passthrough=yes \
    protocol=tcp
    add action=mark-connection chain=prerouting comment="Microsoft SQL Server" \
    disabled=no dst-port=1433-1434 new-connection-mark=Banco-Dados-Conexao \
    passthrough=yes protocol=tcp
    add action=mark-packet chain=prerouting comment="" connection-mark=\
    Banco-Dados-Conexao disabled=no new-packet-mark=Banco-Dados-Pacotes \
    passthrough=no
    add action=mark-connection chain=prerouting comment="CONTROLE JOGOS" \
    disabled=no dst-port=7171 new-connection-mark=Jogos-Conexao passthrough=\
    yes protocol=tcp
    add action=mark-connection chain=prerouting comment="" disabled=no dst-port=\
    27015 new-connection-mark=Jogos-Conexao passthrough=yes protocol=tcp
    add action=mark-connection chain=prerouting comment="Mu Online" disabled=no \
    dst-port=55905 new-connection-mark=Jogos-Conexao passthrough=yes \
    protocol=tcp
    add action=mark-connection chain=prerouting comment="" disabled=no dst-port=\
    55905 new-connection-mark=Jogos-Conexao passthrough=yes protocol=udp
    add action=mark-connection chain=prerouting comment="Line Age" disabled=no \
    dst-port=4376 new-connection-mark=Jogos-Conexao passthrough=yes protocol=\
    tcp
    add action=mark-connection chain=prerouting comment="" disabled=no dst-port=\
    4376 new-connection-mark=Jogos-Conexao passthrough=yes protocol=udp
    add action=mark-connection chain=prerouting comment=WarCraft disabled=no \
    dst-port=6112 new-connection-mark=Jogos-Conexao passthrough=yes protocol=\
    tcp
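The export above is hard to review by eye, which is exactly why the replies complain about it. What a reviewer would actually check is rule order: in both the `input` and `forward` chains, a rule only matters if no earlier terminal rule (accept/drop/reject) already covers the same traffic, and a `jump` only does something if its target chain exists with exactly that name (RouterOS chain names are case-sensitive, so `virus` and `VIRUS` are two different chains). The following script is an added example, not code from this thread or from MikroTik: it parses the `/ip firewall export` format (joining the backslash-continued lines), then reports rules that can never match because an earlier terminal rule in the same chain matches a superset of their traffic, and jump rules whose target chain has no rules. The `SAMPLE_EXPORT` is a constructed excerpt modelled on the posted config; the function and class names are my own.

```python
"""Static checks for a RouterOS '/ip firewall' export: shadowed rules and
dangling jump targets. Added example; not code from the thread."""
import shlex
from dataclasses import dataclass, field

# Keys that do not narrow which packets a rule matches (properties of the
# rule itself rather than matchers).
NON_MATCHER_KEYS = {
    "action", "chain", "comment", "disabled", "jump-target", "log-prefix",
    "log", "passthrough", "new-packet-mark", "new-connection-mark",
    "new-routing-mark", "place-before",
}
# Actions that end processing of the chain for a matching packet.
TERMINAL_ACTIONS = {"accept", "drop", "reject", "tarpit"}


@dataclass
class Rule:
    section: str          # e.g. "/ip firewall filter"
    index: int            # 0-based position within its section
    props: dict           # every key=value pair of the 'add' line
    matchers: dict = field(init=False)

    def __post_init__(self):
        self.matchers = {k: v for k, v in self.props.items()
                         if k not in NON_MATCHER_KEYS}

    @property
    def enabled(self):
        return self.props.get("disabled", "no") != "yes"


def join_continuations(text):
    """Merge export lines that end in a backslash into single logical lines."""
    lines, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("\\"):
            buf += line[:-1]          # keep any space before the backslash
            continue
        lines.append(buf + line)
        buf = ""
    if buf:
        lines.append(buf)
    return lines


def parse_export(text):
    """Return a Rule for every 'add' line, tagged with its '/...' section."""
    rules, section, idx = [], "", 0
    for line in join_continuations(text):
        if line.startswith("/"):
            section, idx = line, 0
            continue
        tokens = shlex.split(line)        # handles comment="..." quoting
        if not tokens or tokens[0] != "add":
            continue                      # 'set ...' lines are not rules
        props = {}
        for tok in tokens[1:]:
            key, _, value = tok.partition("=")
            props[key] = value
        rules.append(Rule(section, idx, props))
        idx += 1
    return rules


def covers(earlier, later):
    """True if every matcher of `earlier` appears in `later` with the same
    value, so `earlier` already decides any packet `later` could match.
    Exact-value comparison only; overlapping ranges are not analysed."""
    return all(later.matchers.get(k) == v for k, v in earlier.matchers.items())


def find_shadowed(rules):
    """(rule index, comment, shadowing index, shadowing comment) for each
    enabled rule covered by an earlier enabled terminal rule of its chain."""
    findings, seen = [], {}
    for r in rules:
        if not r.enabled:
            continue
        key = (r.section, r.props.get("chain"))
        for earlier in seen.get(key, []):
            if covers(earlier, r):
                findings.append((r.index, r.props.get("comment", ""),
                                 earlier.index, earlier.props.get("comment", "")))
                break
        if r.props.get("action") in TERMINAL_ACTIONS:
            seen.setdefault(key, []).append(r)
    return findings


def find_dangling_jumps(rules):
    """(rule index, target, case-insensitive near match or None) for jump
    rules whose target chain has no rules in the same section."""
    findings = []
    for r in rules:
        target = r.props.get("jump-target")
        if r.props.get("action") != "jump" or not target:
            continue
        chains = {x.props.get("chain") for x in rules if x.section == r.section}
        if target in chains:
            continue
        near = sorted(c for c in chains if c and c.lower() == target.lower())
        findings.append((r.index, target, near[0] if near else None))
    return findings


def audit(text):
    rules = parse_export(text)
    return {"shadowed": find_shadowed(rules),
            "dangling_jumps": find_dangling_jumps(rules)}


# Constructed excerpt modelled on the export in the thread (not the full config).
SAMPLE_EXPORT = r"""
/ip firewall filter
add action=accept chain=forward comment=";;; Allow HTTP" disabled=no \
    dst-port=80 protocol=tcp
add action=accept chain=forward comment=";;; allow TCP" disabled=no protocol=\
    tcp
add action=accept chain=forward comment=";;; allow udp" disabled=no protocol=\
    udp
add action=accept chain=input comment="aceitando 50 pings a cada 5 segundos" \
    disabled=no limit=50/5s,2 protocol=icmp
add action=drop chain=forward comment="Net Bios bloqueado" disabled=no \
    dst-address=192.168.10.0/24 dst-port=137,138,139,445 protocol=tcp \
    src-address=192.168.10.0/24 src-port=137,138,139,445
add action=drop chain=input comment="bloqueando o excesso" disabled=no \
    protocol=icmp
add action=jump chain=forward comment=";;; jump to the virus chain" disabled=\
    yes jump-target=virus
add action=drop chain=VIRUS comment="One of the last TrojanOOTLT" disabled=no \
    dst-port=5011 protocol=tcp
add action=accept chain=forward comment="" disabled=no
add action=drop chain=input comment="BLOQ. PINGS NO SERV." disabled=no \
    protocol=icmp
add action=drop chain=forward comment="netbios windows7" disabled=no \
    dst-port=5357 protocol=tcp
"""

if __name__ == "__main__":
    report = audit(SAMPLE_EXPORT)
    for idx, comment, by, by_comment in report["shadowed"]:
        print(f"rule {idx} ({comment!r}) never matches: covered by rule {by} ({by_comment!r})")
    for idx, target, near in report["dangling_jumps"]:
        hint = f", did you mean {near!r}?" if near else ""
        print(f"rule {idx} jumps to chain {target!r}, which has no rules{hint}")
```

On the excerpt this reports the NetBIOS drop and the `netbios windows7` drop as unreachable behind the `allow TCP` accept, the second `protocol=icmp` drop in `input` as redundant with the first, and the `jump-target=virus` rule as pointing at a chain that has no rules while the drop lives in `VIRUS`. Running it over the full `/ip firewall export` output (pasted into `SAMPLE_EXPORT` or read from a file) gives the same kind of list for every chain; the `limit=` rule is correctly left alone, because the later unconditional ICMP drop has fewer matchers than it, not more.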



  3. Ugh, that gave me a headache, and I don't even understand anything about MikroTik.

  4. Man, it would be easier to post a Notepad file with these settings, because it's really hard to understand anything in the middle of all that!!



  5. OK friends, sorry about that! I'll fix it, thanks.





