  1. #1

    Firewall

    Hello friends;
    I'm having moments of slowness on my network; at times the AP even freezes (when I look at the log it says "critical router was rebooted"). People are suspecting my firewall rules. Below are all the rules in filter rules on my server. Whoever can help, I'd appreciate it:

    0 chain=forward in-interface=Entrada src-address=XXX.XXX.XXX.XXX/29
    action=accept

    1 chain=forward in-interface=Saida src-address=192.168.1.0/24 action=accept

    2 chain=forward in-interface=Entrada src-address=CCC.CCC.CCC.CCC/25
    action=accept

    3 chain=forward in-interface=Entrada src-address=CCC.CCC.CCC/29
    action=accept

    4 X chain=forward action=drop

    5 chain=forward protocol=tcp dst-port=135 action=drop

    6 ;;; Allow Established connections
    chain=input connection-state=established action=accept

    7 ;;; Allow UDP
    chain=input protocol=udp action=accept

    8 X chain=input protocol=tcp dst-port=23 action=drop

    9 ;;; Allow ICMP
    chain=input protocol=icmp action=accept

    10 ;;; Allow access to router from known network
    chain=input src-address=192.168.0.0/24 action=accept

    11 ;;; drop invalid connections
    chain=forward protocol=tcp connection-state=invalid action=drop

    12 ;;; allow already established connections
    chain=forward connection-state=established action=accept

    13 ;;; allow related connections
    chain=forward connection-state=related action=accept

    14 chain=forward src-address=0.0.0.0/8 action=drop

    15 chain=forward dst-address=0.0.0.0/8 action=drop

    16 chain=forward src-address=127.0.0.0/8 action=drop

    17 chain=forward dst-address=127.0.0.0/8 action=drop

    18 chain=forward src-address=224.0.0.0/3 action=drop

    19 chain=forward dst-address=224.0.0.0/3 action=drop

    20 chain=forward protocol=tcp action=jump jump-target=tcp

    21 chain=forward protocol=udp action=jump jump-target=udp

    22 chain=forward protocol=icmp action=jump jump-target=icmp

    23 ;;; deny TFTP
    chain=tcp protocol=tcp dst-port=69 action=drop

    24 ;;; deny RPC portmapper
    chain=tcp protocol=tcp dst-port=111 action=drop

    25 ;;; deny RPC portmapper
    chain=tcp protocol=tcp dst-port=135 action=drop

    26 ;;; deny NBT
    chain=tcp protocol=tcp dst-port=137-139 action=drop

    27 ;;; deny cifs
    chain=tcp protocol=tcp dst-port=445 action=drop

    28 ;;; deny NFS
    chain=tcp protocol=tcp dst-port=2049 action=drop

    29 ;;; deny NetBus
    chain=tcp protocol=tcp dst-port=12345-12346 action=drop

    30 ;;; deny NetBus
    chain=tcp protocol=tcp dst-port=20034 action=drop

    31 ;;; deny BackOriffice
    chain=tcp protocol=tcp dst-port=3133 action=drop

    32 ;;; deny DHCP
    chain=tcp protocol=tcp dst-port=67-68 action=drop

    33 ;;; deny TFTP
    chain=udp protocol=udp dst-port=69 action=drop

    34 ;;; deny PRC portmapper
    chain=udp protocol=udp dst-port=111 action=drop

    35 ;;; deny PRC portmapper
    chain=udp protocol=udp dst-port=135 action=drop

    36 ;;; deny NBT
    chain=udp protocol=udp dst-port=137-139 action=drop

    37 ;;; deny NFS
    chain=udp protocol=udp dst-port=2049 action=drop

    38 ;;; deny BackOriffice
    chain=udp protocol=udp dst-port=3133 action=drop

    39 ;;; drop invalid connections
    chain=icmp protocol=icmp icmp-options=0:0 action=accept

    40 ;;; allow established connections
    chain=icmp protocol=icmp icmp-options=3:0 action=accept

    41 ;;; allow already established connections
    chain=icmp protocol=icmp icmp-options=3:1 action=accept

    42 ;;; allow source quench
    chain=icmp protocol=icmp icmp-options=4:0 action=accept

    43 ;;; allow echo request
    chain=icmp protocol=icmp icmp-options=8:0 action=accept

    44 ;;; allow time exceed
    chain=icmp protocol=icmp icmp-options=11:0 action=accept

    45 ;;; allow parameter bad
    chain=icmp protocol=icmp icmp-options=12:0 action=accept

    46 ;;; deny all other types
    chain=icmp action=drop

    47 ;;; Bloqueio acesso entre usuarios
    chain=forward src-address=192.168.1.0/24 dst-address=192.168.1.0/24
    action=drop

    48 chain=forward protocol=tcp dst-port=135-139 action=drop action=accept

    49 chain=forward protocol=udp dst-port=135-139 action=drop action=accept

    50 chain=forward protocol=tcp dst-port=445-449 action=drop action=accept

    51 chain=forward protocol=udp dst-port=445-449 action=drop action=accept

    52 ;;; Allow access to router from known network 2
    chain=input src-address=192.168.1.0/24 action=accept

    53 ;;; Bloqueio acesso entre usuarios 2
    chain=forward src-address=192.168.1.0/24 dst-address=192.168.1.0/24
    action=drop

    54 ;;; Sanity Check
    chain=forward action=jump jump-target=sanity-check

    55 ;;; Deny illegal NAT traversal
    chain=sanity-check packet-mark=nat-traversal action=jump
    jump-target=drop

    56 ;;; Block port scans
    chain=sanity-check protocol=tcp psd=20,3s,3,1
    action=add-src-to-address-list address-list=blocked-addr
    address-list-timeout=1d

    57 ;;; Block TCP Null scan
    chain=sanity-check protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
    action=add-src-to-address-list address-list=blocked-addr
    address-list-timeout=1d

    58 ;;; Block TCP Xmas scan
    chain=sanity-check protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
    action=add-src-to-address-list address-list=blocked-addr
    address-list-timeout=1d

    59 chain=sanity-check protocol=tcp src-address-list=blocked-addr action=jump
    jump-target=drop



    ...to be continued...
    Last edited by Mundo_digital; 03-08-2007 at 18:47.

  2. #2

    continued...

    continued...


    60 ;;; Drop TCP RST
    chain=sanity-check protocol=tcp tcp-flags=rst action=jump
    jump-target=drop

    61 ;;; Drop TCP SYN+FIN
    chain=sanity-check protocol=tcp tcp-flags=fin,syn action=jump
    jump-target=drop

    62 ;;; Dropping invalid connections at once
    chain=sanity-check connection-state=invalid action=jump
    jump-target=drop

    63 ;;; Accepting already established connections
    chain=sanity-check connection-state=established action=accept

    64 ;;; Also accepting related connections
    chain=sanity-check connection-state=related action=accept

    65 ;;; Drop all traffic that goes to multicast or broadcast addresses
    chain=sanity-check dst-address-type=broadcast,multicast action=jump
    jump-target=drop

    66 ;;; Drop all traffic that goes from multicast or broadcast addresses
    chain=sanity-check src-address-type=broadcast,multicast action=jump
    jump-target=drop

    67 chain=forward protocol=tcp action=jump jump-target=restrict-tcp

    68 chain=forward protocol=udp action=jump jump-target=restrict-udp

    69 chain=forward action=jump jump-target=restrict-ip

    70 chain=restrict-tcp connection-mark=auth action=reject
    reject-with=icmp-network-unreachable

    71 ;;; anti-spam policy
    chain=restrict-tcp connection-mark=smtp action=jump
    jump-target=smtp-first-drop

    72 chain=smtp-first-drop src-address-list=first-smtp
    action=add-src-to-address-list address-list=approved-smtp
    address-list-timeout=0s

    73 chain=smtp-first-drop src-address-list=approved-smtp action=return

    74 chain=smtp-first-drop action=add-src-to-address-list
    address-list=first-smtp address-list-timeout=0s

    75 chain=smtp-first-drop action=reject reject-with=icmp-network-unreachable

    76 chain=restrict-tcp connection-mark=other-tcp action=jump jump-target=drop

    77 chain=restrict-udp connection-mark=other-udp action=jump jump-target=drop

    78 chain=restrict-ip connection-mark=other action=jump jump-target=drop

    79 ;;; Allow local traffic (between router applications)
    chain=input src-address-type=local dst-address-type=local action=accept

    80 ;;; Sanity Check
    chain=input action=jump jump-target=sanity-check

    81 ;;; Dropping packets not destined to the router itself, including all broadcast traffic
    chain=input dst-address-type=!local action=jump jump-target=drop

    82 ;;; Allow pings, but at a very limited rate (5 per sec)
    chain=input connection-mark=ping limit=5,5 action=accept

    83 chain=input action=jump jump-target=drop

    84 chain=dhcp src-address=0.0.0.0 dst-address=255.255.255.255 action=accept

    85 chain=dhcp src-address=0.0.0.0 dst-address-type=local action=accept

    86 chain=dhcp dst-address-type=local src-address-list=local-addr
    action=accept

    87 ;;; SSH (22/TCP)
    chain=local-services connection-mark=ssh action=accept

    88 ;;; DNS
    chain=local-services connection-mark=dns action=accept

    89 ;;; HTTP Proxy (3128/TCP)
    chain=local-services connection-mark=proxy action=accept

    90 ;;; Winbox (8291/TCP)
    chain=local-services connection-mark=winbox action=accept

    91 ;;; Drop Other Local Services
    chain=local-services action=drop

    92 ;;; SSH (22/TCP)
    chain=public-services connection-mark=ssh action=accept

    93 ;;; PPTP (1723/TCP)
    chain=public-services connection-mark=pptp action=accept

    94 ;;; GRE for PPTP
    chain=public-services connection-mark=gre action=accept

    95 ;;; Drop Other Public Services
    chain=public-services action=drop

    96 ;;; Drop Blaster Worm
    chain=virus protocol=tcp dst-port=135-139 action=drop

    97 ;;; Drop Messenger Worm
    chain=virus protocol=udp dst-port=135-139 action=drop

    98 ;;; Drop Blaster Worm
    chain=virus protocol=tcp dst-port=445 action=drop

    99 ;;; Drop Blaster Worm
    chain=virus protocol=udp dst-port=445 action=drop

    100 ;;; ________
    chain=virus protocol=tcp dst-port=593 action=drop

    101 ;;; ________
    chain=virus protocol=tcp dst-port=1024-1030 action=drop

    102 ;;; Drop MyDoom
    chain=virus protocol=tcp dst-port=1080 action=drop

    103 ;;; ________
    chain=virus protocol=tcp dst-port=1214 action=drop

    104 ;;; ndm requester
    chain=virus protocol=tcp dst-port=1363 action=drop

    105 ;;; ndm server
    chain=virus protocol=tcp dst-port=1364 action=drop

    106 ;;; screen cast
    chain=virus protocol=tcp dst-port=1368 action=drop

    107 ;;; hromgrafx
    chain=virus protocol=tcp dst-port=1373 action=drop

    108 ;;; cichlid
    chain=virus protocol=tcp dst-port=1377 action=drop

    109 ;;; Worm
    chain=virus protocol=tcp dst-port=1433-1434 action=drop

    110 ;;; Bagle Virus
    chain=virus protocol=tcp dst-port=2745 action=drop

    111 ;;; Drop Dumaru.Y
    chain=virus protocol=tcp dst-port=2283 action=drop

    112 ;;; Drop Beagle
    chain=virus protocol=tcp dst-port=2535 action=drop

    113 ;;; Drop Beagle.C-K
    chain=virus protocol=tcp dst-port=2745 action=drop

    114 ;;; Drop MyDoom
    chain=virus protocol=tcp dst-port=3127-3128 action=drop

    115 ;;; Drop Backdoor OptixPro
    chain=virus protocol=tcp dst-port=3410 action=drop

    116 ;;; Worm
    chain=virus protocol=tcp dst-port=4444 action=drop

    117 ;;; Worm
    chain=virus protocol=udp dst-port=4444 action=drop

    118 ;;; Drop Sasser
    chain=virus protocol=tcp dst-port=5554 action=drop

    119 ;;; Drop Beagle.B
    chain=virus protocol=tcp dst-port=8866 action=drop

    120 ;;; Drop Dabber.A-B
    chain=virus protocol=tcp dst-port=9898 action=drop

    121 ;;; Drop Dumaru.Y
    chain=virus protocol=tcp dst-port=10000 action=drop

    122 ;;; Drop MyDoom.B
    chain=virus protocol=tcp dst-port=10080 action=drop

    123 ;;; Drop NetBus
    chain=virus protocol=tcp dst-port=12345 action=drop

    124 ;;; Drop Kuang2
    chain=virus protocol=tcp dst-port=17300 action=drop

    125 ;;; Drop SubSeven
    chain=virus protocol=tcp dst-port=27374 action=drop

    126 ;;; Drop PhatBot, Agobot, Gaobot
    chain=virus protocol=tcp dst-port=65506 action=drop

    127 X ;;; jump to the virus chain
    chain=forward action=jump jump-target=virus

    128 ;;; allow established connections
    chain=forward connection-state=established action=accept

    129 ;;; allow related connections
    chain=forward connection-state=related action=accept

    130 ;;; drop invalid connections
    chain=forward connection-state=invalid action=drop

    131 ;;; allow ping
    chain=forward protocol=icmp action=accept

    132 ;;; allow udp
    chain=forward protocol=udp action=accept

    133 chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list
    address-list=port scanners address-list-timeout=0s

    134 X ;;; drop everything else
    chain=forward action=drop

    135 chain=input protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
    action=accept

    136 chain=input protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
    action=accept

    137 X ;;; limitar conexoes simultaneas
    chain=forward src-address=192.168.1.10 protocol=tcp tcp-flags=syn
    connection-limit=30,32 action=drop

    138 ;;; CONTROLE CONEXOES SIMULTANEAS
    chain=forward src-address=192.168.1.37 protocol=tcp dst-port=1024-65535
    tcp-flags=syn connection-limit=10,32 action=drop

    ------------------------------------------------------------
    There it is. Worth remembering that even though there is a rule so the clients can't see each other, and the option is checked on the card, the clients still see each other.

    I await your help anxiously.
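An added check for the rule dump posted above (example code added to this page, not code from the original posts or from MikroTik). It parses `/ip firewall filter print` output in the wrapped form the forum shows (index, `X` for a disabled rule, `;;;` comment, `key=value` tokens spilling over several lines) and reports the rule-order problems a reviewer would look for before blaming the firewall for the slowness: a rule with two `action=` tokens, rules that repeat an earlier rule in the same chain, rules shadowed by an earlier terminal rule that matches a superset of their packets, user chains that no enabled rule jumps into, and jumps to a chain that contains no rules (in RouterOS such a jump simply returns, so `jump-target=drop` drops nothing unless a chain called `drop` actually has a drop rule). The embedded dump is a constructed subset of the posted rules.

```python
"""Static checks for a RouterOS `/ip firewall filter print` dump (added example)."""
import re
from collections import defaultdict

BUILTIN_CHAINS = {"input", "forward", "output"}
TERMINAL = {"accept", "drop", "reject", "tarpit"}   # actions that end evaluation

# Constructed sample: a subset of the rules posted in this thread, wrapped the
# way the forum shows them, including rule 48 with its stray second action= token.
SAMPLE_DUMP = """\
 4 X chain=forward action=drop
 12 ;;; allow already established connections
     chain=forward connection-state=established action=accept
 47 ;;; Bloqueio acesso entre usuarios
     chain=forward src-address=192.168.1.0/24 dst-address=192.168.1.0/24
     action=drop
 48 chain=forward protocol=tcp dst-port=135-139 action=drop action=accept
 53 ;;; Bloqueio acesso entre usuarios 2
     chain=forward src-address=192.168.1.0/24 dst-address=192.168.1.0/24
     action=drop
 54 ;;; Sanity Check
     chain=forward action=jump jump-target=sanity-check
 55 ;;; Deny illegal NAT traversal
     chain=sanity-check packet-mark=nat-traversal action=jump
     jump-target=drop
 87 ;;; SSH (22/TCP)
     chain=local-services connection-mark=ssh action=accept
 96 ;;; Drop Blaster Worm
     chain=virus protocol=tcp dst-port=135-139 action=drop
 127 X ;;; jump to the virus chain
     chain=forward action=jump jump-target=virus
 128 ;;; allow established connections
     chain=forward connection-state=established action=accept
 134 X ;;; drop everything else
     chain=forward action=drop
"""

# index, optional X (disabled), optional ;;; comment, then the key=value body
HEAD = re.compile(r"^(\d+)\s+(X\s+)?(?:;;;\s*(.*?)\s+)?(chain=.*)$")


def parse_rules(dump):
    """Join wrapped lines and return one dict per rule, in print order."""
    blocks, buf = [], []
    for line in dump.splitlines():
        if re.match(r"^\s*\d+\s", line):      # a rule starts with its index
            if buf:
                blocks.append(" ".join(buf))
            buf = [line.strip()]
        elif line.strip():
            buf.append(line.strip())          # continuation of the current rule
    if buf:
        blocks.append(" ".join(buf))
    rules = []
    for text in blocks:
        idx, disabled, comment, body = HEAD.match(text).groups()
        pairs = []
        for tok in body.split():
            if "=" in tok:
                pairs.append(tok.split("=", 1))
            else:                             # value with a space, e.g. "port scanners"
                pairs[-1][1] += " " + tok
        rules.append({"index": int(idx), "disabled": bool(disabled),
                      "comment": comment or "",
                      "props": {k: v for k, v in pairs if k != "action"},
                      "actions": [v for k, v in pairs if k == "action"]})
    return rules


def matchers(rule):
    """Packet-selecting properties: everything except chain and jump-target."""
    return {k: v for k, v in rule["props"].items() if k not in ("chain", "jump-target")}


def check_rules(rules):
    """Return (kind, rule_index_or_None, detail) findings for a parsed dump."""
    findings = []
    for r in rules:
        if len(r["actions"]) != 1:            # a rule carries exactly one action=
            findings.append(("multiple-actions", r["index"], " ".join(r["actions"])))
    enabled = [r for r in rules if not r["disabled"]]
    by_chain = defaultdict(list)
    for r in enabled:
        by_chain[r["props"]["chain"]].append(r)
    for chain_rules in by_chain.values():
        for pos, r in enumerate(chain_rules):
            for e in chain_rules[:pos]:       # only earlier rules in the same chain
                if matchers(e) == matchers(r) and e["actions"] == r["actions"]:
                    findings.append(("duplicate", r["index"], f"same as rule {e['index']}"))
                    break
                # an earlier terminal rule matching a superset of packets decides
                # every packet this rule could ever see
                if e["actions"] and e["actions"][0] in TERMINAL \
                        and matchers(e).items() <= matchers(r).items():
                    findings.append(("shadowed", r["index"], f"never reached after rule {e['index']}"))
                    break
    targets = {r["props"]["jump-target"] for r in enabled if "jump-target" in r["props"]}
    for chain in by_chain:
        if chain not in BUILTIN_CHAINS and chain not in targets:
            findings.append(("unreachable-chain", None,
                             f"{chain}: no enabled rule jumps into it, so its rules never run"))
    for r in enabled:
        tgt = r["props"].get("jump-target")
        if tgt and tgt not in by_chain:
            findings.append(("empty-jump-target", r["index"],
                             f"{tgt}: chain has no rules, so the jump just returns"))
    return findings


if __name__ == "__main__":
    for kind, idx, detail in check_rules(parse_rules(SAMPLE_DUMP)):
        print(f"{kind:<18} rule {idx if idx is not None else '-':>4}  {detail}")
```

On the constructed sample this flags rule 48 (two actions), rules 53 and 128 as repeats of 47 and 12, the `local-services` and `virus` chains as unreachable (the only jump into `virus`, rule 127, is disabled), and rule 55 as jumping to a chain with no rules. One caveat on the "clients still see each other" point: a `forward`-chain rule such as 47 only sees traffic the router actually routes; two clients in 192.168.1.0/24 on the same AP or bridge segment reach each other at layer 2 without the packet ever entering this chain, so that isolation has to be enforced on the wireless interface or bridge, not in `/ip firewall filter`.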

  3. #3

    Friend, looking at your problem, you created two rules for the same thing and it's much more laborious; get in touch with me and I'll send you a simple and extremely efficient set of rules.

  4. #4

    good afternoon

    Friend, couldn't it be that your link is bottlenecked? Post more about your link and the number of clients.