


  1. #1

    Mikrotik firewall rules

    Hi folks, for those who really know Mikrotik: I need a review of the firewall I created for my network. I'd like you to take a look and tell me whether the rules are correct, or whether something that's wrong needs changing. Thanks in advance.

    here is the whole firewall
    /ip firewall connection tracking
    set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s \
    tcp-close-wait-timeout=10s tcp-established-timeout=1d \
    tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s \
    tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no \
    tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
    /ip firewall filter
    add action=accept chain=input comment="SSH WEBMIKROTIK" disabled=no dst-port=\
    2222 protocol=tcp
    add action=accept chain=input comment="conexoes de entrada estabilizadas" \
    connection-state=established disabled=no
    add action=accept chain=forward comment=";;; permite estabelecer conexoes" \
    connection-state=established disabled=no
    add action=accept chain=forward comment=";;; permitir conexões relacionadas" \
    connection-state=related disabled=no
    add action=accept chain=forward comment=";;; Allow HTTP" disabled=no \
    dst-port=80 protocol=tcp
    add action=accept chain=forward comment=";;; Allow SMTP" disabled=no \
    dst-port=25 protocol=tcp
    add action=accept chain=forward comment=";;; allow TCP" disabled=no protocol=\
    tcp
    add action=accept chain=forward comment=";;; allow ping" disabled=no \
    protocol=icmp
    add action=accept chain=forward comment=";;; allow udp" disabled=no protocol=\
    udp
    add action=accept chain=input comment="aceitando 50 pings a cada 5 segundos" \
    disabled=no limit=50/5s,2 protocol=icmp
    add action=accept chain=input comment="Aceita Rede Local" disabled=no \
    src-address=192.168.10.0/24
    add action=accept chain=input comment="allow ips radios" connection-state=\
    established disabled=no src-address=10.1.230.0/24
    add action=accept chain=input comment="Accept related " connection-state=\
    related disabled=no protocol=tcp
    add action=accept chain=input comment=winbox disabled=no dst-port=8291 \
    protocol=tcp
    add action=drop chain=input comment="Descarta invalidas" connection-state=\
    invalid disabled=no
    add action=drop chain=forward comment="Net Bios bloqueado" disabled=no \
    dst-address=192.168.10.0/24 dst-port=137,138,139,445 protocol=tcp \
    src-address=192.168.10.0/24 src-port=137,138,139,445
    add action=drop chain=forward comment="bloqueio Net Bios UDP" disabled=no \
    dst-address=192.168.10.0/24 dst-port=137,138,139,445 protocol=udp \
    src-address=192.168.10.0/24 src-port=137,138,139,445
    add action=drop chain=input comment="bloqueando o excesso" disabled=no \
    protocol=icmp
    add action=jump chain=forward comment=";;; jump to the virus chain" disabled=\
    yes jump-target=virus
    add action=accept chain=input comment="" disabled=no dst-port=2211 protocol=\
    tcp
    add action=drop chain=forward comment=";;; Bloqueia conexões inválidas" \
    connection-state=invalid disabled=no
    add action=drop chain=VIRUS comment="One of the last TrojanOOTLT" disabled=no \
    dst-port=5011 protocol=tcp
    add action=accept chain=forward comment="" disabled=no
    add action=drop chain=input comment="" disabled=no dst-port=22-23 protocol=\
    tcp
    add action=drop chain=input comment="BLOQ. PINGS NO SERV." disabled=no \
    protocol=icmp
    add action=drop chain=input comment=";;; Drop Blaster Worm" disabled=no \
    dst-port=135-139 protocol=tcp
    add action=drop chain=input comment=";;; Drop Messenger Worm" disabled=no \
    dst-port=135-139 protocol=udp
    add action=drop chain=input comment=";;; Drop Blaster Worm" disabled=no \
    dst-port=445 protocol=tcp
    add action=drop chain=input comment=";;; Drop Blaster Worm" disabled=no \
    dst-port=445 protocol=udp
    add action=drop chain=input comment=";;; ________" disabled=no dst-port=593 \
    protocol=tcp
    add action=drop chain=input comment=";;; ________" disabled=no dst-port=\
    1024-1030 protocol=tcp
    add action=drop chain=input comment=";;; Drop MyDoom" disabled=no dst-port=\
    1080 protocol=tcp
    add action=drop chain=input comment=";;; ________" disabled=no dst-port=1214 \
    protocol=tcp
    add action=drop chain=input comment=";;; ndm requester" disabled=no dst-port=\
    1363 protocol=tcp
    add action=drop chain=input comment=" ;;; ndm server" disabled=no dst-port=\
    1364 protocol=tcp
    add action=drop chain=input comment=";;; screen cast" disabled=no dst-port=\
    1368 protocol=tcp
    add action=drop chain=input comment=";;; hromgrafx" disabled=no dst-port=1373 \
    protocol=tcp
    add action=drop chain=input comment=";;; cichlid" disabled=no dst-port=1377 \
    protocol=tcp
    add action=drop chain=input comment=";;; Worm" disabled=no dst-port=1433-1434 \
    protocol=tcp
    add action=drop chain=input comment=";;; Bagle Virus" disabled=no dst-port=\
    2745 protocol=tcp
    add action=drop chain=input comment=";;; Drop Dumaru.Y" disabled=no dst-port=\
    2283 protocol=tcp
    add action=drop chain=input comment=";;; Drop Beagle" disabled=no dst-port=\
    2535 protocol=tcp
    add action=drop chain=input comment=";;; Drop Beagle.C-K" disabled=no \
    dst-port=2745 protocol=tcp
    add action=drop chain=input comment=";;; Drop MyDoom" disabled=no dst-port=\
    3127-3128 protocol=tcp
    add action=drop chain=input comment=";;; Drop Backdoor OptixPro" disabled=no \
    dst-port=3410 protocol=tcp
    add action=drop chain=input comment=";;; Worm" disabled=no dst-port=4444 \
    protocol=tcp
    add action=drop chain=input comment=";;; Worm" disabled=no dst-port=4444 \
    protocol=udp
    add action=drop chain=input comment=";;; Drop Sasser" disabled=no dst-port=\
    5554 protocol=tcp
    add action=drop chain=forward comment="netbios windows7" disabled=no \
    dst-port=5357 protocol=tcp
    add action=drop chain=input comment="Drop Beagle.B" disabled=no dst-port=8866 \
    protocol=tcp
    add action=drop chain=input comment=";;; Drop Dabber.A-B" disabled=no \
    dst-port=9898 protocol=tcp
    add action=drop chain=input comment=";;; Drop Dumaru.Y" disabled=no dst-port=\
    10000 protocol=tcp
    add action=drop chain=input comment=";;; Drop MyDoom.B" disabled=no dst-port=\
    10080 protocol=tcp
    add action=drop chain=input comment=";;; Drop NetBus" disabled=no dst-port=\
    12345 protocol=tcp
    add action=drop chain=input comment=";;; Drop Kuang2" disabled=no dst-port=\
    17300 protocol=tcp
    add action=drop chain=input comment=";;; Drop SubSeven" disabled=no dst-port=\
    27374 protocol=tcp
    add action=drop chain=input comment=";;; Drop PhatBot, Agobot, Gaobot" \
    disabled=no dst-port=65506 protocol=tcp
    add action=log chain=input comment="Log everything else" disabled=yes \
    log-prefix="DROP INPUT"
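
As an added illustration (editor's code, not part of the original post): a first-match simulator over a transcribed subset of the filter rules above. It shows that the forward "allow TCP" rule sits before the NetBIOS drop and so always wins, and that the input chain, whose final log rule is disabled and which has no final drop, accepts anything the worm-port rules do not name. The sample packets and the addresses 203.0.113.9 and 198.51.100.1 are constructed.

```python
import ipaddress

# Subset of the posted filter rules, kept in their original per-chain order.
# Each entry: (chain, action, comment, matchers mirroring the rule's fields).
RULES = [
    ("forward", "accept", "permite estabelecer conexoes", {"state": "established"}),
    ("forward", "accept", "allow TCP", {"proto": "tcp"}),
    ("forward", "drop", "Net Bios bloqueado", {"proto": "tcp", "dport": "137,138,139,445",
                                               "src": "192.168.10.0/24", "dst": "192.168.10.0/24"}),
    ("input", "accept", "SSH WEBMIKROTIK", {"proto": "tcp", "dport": "2222"}),
    ("input", "accept", "conexoes de entrada estabilizadas", {"state": "established"}),
    ("input", "accept", "Aceita Rede Local", {"src": "192.168.10.0/24"}),
    ("input", "accept", "winbox", {"proto": "tcp", "dport": "8291"}),
    ("input", "drop", "Descarta invalidas", {"state": "invalid"}),
    ("input", "drop", "Drop Blaster Worm", {"proto": "tcp", "dport": "445"}),
]

def port_ok(spec, port):
    """RouterOS port syntax: '80', '22-23' or '137,138,139,445'."""
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def matches(rule, pkt):
    chain, _, _, m = rule
    if chain != pkt["chain"] or m.get("state", pkt["state"]) != pkt["state"] \
            or m.get("proto", pkt["proto"]) != pkt["proto"]:
        return False
    if "dport" in m and not port_ok(m["dport"], pkt["dport"]):
        return False
    return all(ipaddress.ip_address(pkt[k]) in ipaddress.ip_network(m[k])
               for k in ("src", "dst") if k in m)

def decide(pkt):
    """First match wins; with no final drop, an unmatched packet is accepted."""
    for rule in RULES:
        if matches(rule, pkt):
            return rule[1], rule[2]
    return "accept", "chain default (no final drop rule)"

def packet(chain, proto, src, dst, dport, state="new"):
    return {"chain": chain, "proto": proto, "src": src, "dst": dst, "dport": dport, "state": state}

if __name__ == "__main__":
    # Constructed sample packets; 203.0.113.9 and 198.51.100.1 are documentation addresses.
    print(decide(packet("forward", "tcp", "192.168.10.5", "192.168.10.7", 445)))  # LAN SMB
    print(decide(packet("input", "tcp", "203.0.113.9", "198.51.100.1", 8291)))    # Winbox
    print(decide(packet("input", "tcp", "203.0.113.9", "198.51.100.1", 3389)))    # RDP
```

Moving the NetBIOS drops above "allow TCP" and ending the input chain with an unconditional drop changes all three outcomes; re-running the simulator after that change is a cheap way to confirm it.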

  2. #2

    Re: Mikrotik firewall rules

    /ip firewall mangle
    add action=accept chain=prerouting comment=WebMikrotik disabled=no \
    dst-address=187.61.9.240/28
    add action=mark-packet chain=prerouting comment=www disabled=no \
    new-packet-mark=www_in passthrough=yes protocol=tcp src-port=80
    add action=mark-packet chain=postrouting comment="" disabled=no dst-port=80 \
    new-packet-mark=www_out passthrough=yes protocol=tcp
    add action=mark-packet chain=prerouting comment=p2p disabled=no \
    new-packet-mark=p2p_in p2p=all-p2p passthrough=yes
    add action=mark-packet chain=postrouting comment="" disabled=no \
    new-packet-mark=p2p_out p2p=all-p2p passthrough=yes
    add action=mark-packet chain=prerouting comment=dns disabled=no \
    new-packet-mark=dns_in passthrough=yes protocol=tcp src-port=53
    add action=mark-packet chain=postrouting comment="" disabled=no dst-port=53 \
    new-packet-mark=dns_out passthrough=yes protocol=tcp
    add action=mark-packet chain=prerouting comment="" disabled=no \
    new-packet-mark=dns_in passthrough=yes protocol=udp src-port=53
    add action=mark-packet chain=postrouting comment="" disabled=no dst-port=53 \
    new-packet-mark=dns_out passthrough=yes protocol=udp
    add action=mark-connection chain=prerouting comment="CONTROLE MESSENGER" \
    disabled=no dst-port=1863 new-connection-mark=Messenger-Conexao \
    passthrough=yes protocol=tcp
    add action=mark-connection chain=prerouting comment="" disabled=no dst-port=\
    1863 new-connection-mark=Messenger-Conexao passthrough=yes protocol=udp
    add action=mark-connection chain=prerouting comment="" disabled=no dst-port=\
    6891-6901 new-connection-mark=Messenger-Conexao passthrough=yes protocol=\
    tcp
    add action=mark-connection chain=prerouting comment="" disabled=no dst-port=\
    6891-6901 new-connection-mark=Messenger-Conexao passthrough=yes protocol=\
    udp
    add action=mark-connection chain=prerouting comment="" disabled=no dst-port=\
    5190 new-connection-mark=Messenger-Conexao passthrough=yes protocol=udp
    add action=mark-packet chain=prerouting comment="" connection-mark=\
    Messenger-Conexao disabled=no new-packet-mark=Messenger-Pacotes \
    passthrough=no
    add action=mark-connection chain=prerouting comment="CONTROLE ACESSO REMOTO" \
    disabled=no dst-port=2222 new-connection-mark=Acesso-Remoto-Conexao \
    passthrough=yes protocol=tcp
    add action=mark-connection chain=prerouting comment="" disabled=no dst-port=\
    23 new-connection-mark=Acesso-Remoto-Conexao passthrough=yes protocol=tcp
    add action=mark-connection chain=prerouting comment="Terminal Server" \
    disabled=no dst-port=3389 new-connection-mark=Acesso-Remoto-Conexao \
    passthrough=yes protocol=tcp
    add action=mark-connection chain=prerouting comment=VNC disabled=no dst-port=\
    5800 new-connection-mark=Acesso-Remoto-Conexao passthrough=yes protocol=\
    tcp
    add action=mark-connection chain=prerouting comment="" disabled=no dst-port=\
    5900 new-connection-mark=Acesso-Remoto-Conexao passthrough=yes protocol=\
    tcp
    add action=mark-connection chain=prerouting comment=Winbox disabled=no \
    dst-port=8291 new-connection-mark=Acesso-Remoto-Conexao passthrough=yes \
    protocol=tcp
    add action=mark-packet chain=prerouting comment="" connection-mark=\
    Acesso-Remoto-Conexao disabled=no new-packet-mark=Acesso-Remoto-Pacotes \
    passthrough=no
    add action=mark-connection chain=prerouting comment=\
    "CONTROLE BANCO DE DADOS - SQL" disabled=no dst-port=3306 \
    new-connection-mark=Banco-Dados-Conexao passthrough=yes protocol=tcp
    add action=mark-connection chain=prerouting comment=Oracle disabled=no \
    dst-port=1521 new-connection-mark=Banco-Dados-Conexao passthrough=yes \
    protocol=tcp
    add action=mark-connection chain=prerouting comment="Microsoft SQL Server" \
    disabled=no dst-port=1433-1434 new-connection-mark=Banco-Dados-Conexao \
    passthrough=yes protocol=tcp
    add action=mark-packet chain=prerouting comment="" connection-mark=\
    Banco-Dados-Conexao disabled=no new-packet-mark=Banco-Dados-Pacotes \
    passthrough=no
    add action=mark-connection chain=prerouting comment="CONTROLE JOGOS" \
    disabled=no dst-port=7171 new-connection-mark=Jogos-Conexao passthrough=\
    yes protocol=tcp
    add action=mark-connection chain=prerouting comment="" disabled=no dst-port=\
    27015 new-connection-mark=Jogos-Conexao passthrough=yes protocol=tcp
    add action=mark-connection chain=prerouting comment="Mu Online" disabled=no \
    dst-port=55905 new-connection-mark=Jogos-Conexao passthrough=yes \
    protocol=tcp
    add action=mark-connection chain=prerouting comment="" disabled=no dst-port=\
    55905 new-connection-mark=Jogos-Conexao passthrough=yes protocol=udp
    add action=mark-connection chain=prerouting comment="Line Age" disabled=no \
    dst-port=4376 new-connection-mark=Jogos-Conexao passthrough=yes protocol=\
    tcp
    add action=mark-connection chain=prerouting comment="" disabled=no dst-port=\
    4376 new-connection-mark=Jogos-Conexao passthrough=yes protocol=udp
    add action=mark-connection chain=prerouting comment=WarCraft disabled=no \
    dst-port=6112 new-connection-mark=Jogos-Conexao passthrough=yes protocol=\
    tcp



  3. #3
    naldo864 (chief technician), joined May 2010, Carapicuíba, Brazil, 3,104 posts, 1 blog post

    Re: Mikrotik firewall rules

    Ugh, that gave me a headache, and mind you I don't understand anything about Mikrotik.

  4. #4

    Re: Mikrotik firewall rules

    Man, it would be easier to post a notepad file with those settings, because it's very hard to understand anything in the middle of all that!!



  5. #5

    Re: Mikrotik firewall rules

    OK guys, sorry about that! I'll fix it, thanks.

  6. #6

    Re: Mikrotik firewall rules

    Too many rules get in the way of other valid ones....