Olá, galera, resolvi criar esse tópico pra todos postarem dicas de segurança p/ os usuários mikrotik, como Filter Rules do Firewall, dicas de segurança Radius, PPPoE, enfim...
Quem quiser se disponibilizar, será de grande ajuda...
-
25-08-2007, 23:56 #1
- Ingresso
- Jun 2007
- Posts
- 35
Dicas De SeguranÇa
-
26-08-2007, 00:02 #2
- Ingresso
- Jun 2007
- Posts
- 35
Pra começar....
bom, sobre PPPoE, pra quem utiliza esse recurso pros clientes.. A maioria já sabe, mas pra quem não conheçe::
PPPoE Server::
- Sempre utilize o método de autenticação MsCHAPv2.. o método PAP não é confiável.
- Utilize sempre 1480 em MAX MTU e MRU, principalmente se vc usa AP's pra transmitir, use 1500 só p casos InDoor.
- Sempre deixe marcado a opção "one session per host". Evita clonagens e mais de uma autenticação por usuário.
bom.. por enquanto é só isso... Espero que ajude alguém...
-
26-08-2007, 10:08 #3
Outra pra pppoe:
Aplica -se esses filtros ae que ajuda demais na segurança e no trafego
/ interface bridge filter
add chain=input in-interface=NHServer mac-protocol=0x8863 action=accept comment="" disabled=yes
add chain=input in-interface=NHServer mac-protocol=0x8864 action=accept comment="" disabled=yes
add chain=input in-interface=NHServer action=drop comment="" disabled=yes
Obs: NHServer é o nome da minha interface pppoe
-
26-08-2007, 10:14 #4
- Ingresso
- Jun 2007
- Posts
- 35
rp67 , legal a dica, se tivesse como vc comentar ela, pra que serve e oq faz.
valeu
-
26-08-2007, 11:38 #5
- Ingresso
- Jul 2007
- Posts
- 4
Mikrotik , invasao .Tela de log nao para de Subir invasao
Pessoal estou quase loouco , tenho uma lp 2048 e de um dia para ca estou com a banda no limite, fui no log do mikrotik e descobri que ha invasao sugando minha banda, alguem sabe como faco pra bloquear isso.
-
26-08-2007, 12:52 #6
- Ingresso
- Aug 2007
- Posts
- 98
Postado originalmente por lazernet
Amigo vc ja fez o bloqueio de proxy externo?
faça tbm o bloqueio de virus q ele deve ta comendo toda sua banda
eu tenho uma relação de virus e as portas q ele usa se interessar eu te mando por e-mail.
-
26-08-2007, 13:06 #7
- Ingresso
- Aug 2006
- Posts
- 312
ola amigo se der manda esse email pra mim de bloqueio de virus e seguranca, uso pppoe. Obrigado Postado originalmente por Skylinelan
[email protected]
-
26-08-2007, 13:52 #8
- Ingresso
- Jan 2006
- Localização
- São Lourenço do Sul, Brazil
- Posts
- 1.471
Seria interessante as soluções ficarem dentro do forum, se suas regras já existem em outro tópico poste o link... Postado originalmente por Skylinelan
-
26-08-2007, 15:55 #9
- Ingresso
- Aug 2007
- Posts
- 98
Postado originalmente por marcelomg
realmente vc tem razão...
seu eu post o link será favorecido muito mais pessoas e não apenas o amigo q tem duvidas...
valeu e desculpas
-
26-08-2007, 16:09 #10
- Ingresso
- Jan 2006
- Localização
- São Lourenço do Sul, Brazil
- Posts
- 1.471
Filters Firewall
Alguns filtros que uso no firewall, pra add é só ir no terminal e digitar ip firewall filter e colar as regras, antes adapte as mesmas para a classe ip de vc´s flw´s.
-
26-08-2007, 16:14 #11
- Ingresso
- Aug 2007
- Posts
- 1.559
Regras
Bom o que estou postando aqui são regras de firewall que peguei no forum, fiz uma seleção do que eu precisava em minha rede e adicionei essas regras, antes de aplicar regras observem se elas se encaixam nas suas necessidadades, o que peguei no forum tinham muito mais regras, mas como não precisei de todas estou postando só as minhas. (não esqueçam de mudar os ip's para a seu range.
NÃO PEGUEM SIMPLISMENTE E APLIQUEM EM SEUS MK, ANALIZEM E ADICIONEM O QUE PRECISAM.
###################Bom pessoal, regras de firewall ##############################
/ ip firewall filter
add chain=forward protocol=tcp dst-port=135 action=drop comment="" disabled=no
add chain=input connection-state=invalid action=drop comment="Drop Invalid connections" disabled=no
add chain=input connection-state=established action=accept comment="Allow Established connections" disabled=no
add chain=input protocol=udp action=accept comment="Allow UDP" disabled=no
add chain=input protocol=tcp dst-port=23 action=drop comment="" disabled=yes
add chain=input protocol=icmp action=accept comment="Allow ICMP" disabled=no
add chain=forward protocol=tcp connection-state=invalid action=drop comment="drop invalid connections" disabled=no
add chain=forward connection-state=established action=accept comment="allow already established connections" disabled=no
add chain=forward connection-state=related action=accept comment="allow related connections" disabled=no
add chain=forward src-address=0.0.0.0/8 action=drop comment="" disabled=no
add chain=forward dst-address=0.0.0.0/8 action=drop comment="" disabled=no
add chain=forward src-address=127.0.0.0/8 action=drop comment="" disabled=no
add chain=forward dst-address=127.0.0.0/8 action=drop comment="" disabled=no
add chain=forward src-address=224.0.0.0/3 action=drop comment="" disabled=no
add chain=forward dst-address=224.0.0.0/3 action=drop comment="" disabled=no
add chain=forward protocol=tcp action=jump jump-target=tcp comment="" disabled=no
add chain=forward protocol=udp action=jump jump-target=udp comment="" disabled=no
add chain=forward protocol=icmp action=jump jump-target=icmp comment="" disabled=no
add chain=tcp protocol=tcp dst-port=69 action=drop comment="deny TFTP" disabled=no
add chain=tcp protocol=tcp dst-port=111 action=drop comment="deny RPC portmapper" disabled=no
add chain=tcp protocol=tcp dst-port=135 action=drop comment="deny RPC portmapper" disabled=no
add chain=tcp protocol=tcp dst-port=137-139 action=drop comment="deny NBT" disabled=no
add chain=tcp protocol=tcp dst-port=445 action=drop comment="deny cifs" disabled=no
add chain=tcp protocol=tcp dst-port=2049 action=drop comment="deny NFS" disabled=no
add chain=tcp protocol=tcp dst-port=20034 action=drop comment="deny NetBus" disabled=no
add chain=tcp protocol=tcp dst-port=3133 action=drop comment="deny BackOriffice" disabled=no
add chain=tcp protocol=tcp dst-port=67-68 action=drop comment="deny DHCP" disabled=no
add chain=udp protocol=udp dst-port=69 action=drop comment="deny TFTP" disabled=no
add chain=udp protocol=udp dst-port=111 action=drop comment="deny PRC portmapper" disabled=no
add chain=udp protocol=udp dst-port=2049 action=drop comment="deny NFS" disabled=no
add chain=udp protocol=udp dst-port=3133 action=drop comment="deny BackOriffice" disabled=no
add chain=icmp protocol=icmp icmp-options=0:0 action=accept comment="drop invalid connections" disabled=no
add chain=icmp protocol=icmp icmp-options=3:0 action=accept comment="allow established connections" disabled=no
add chain=icmp protocol=icmp icmp-options=3:1 action=accept comment="allow already established connections" disabled=no
add chain=icmp protocol=icmp icmp-options=4:0 action=accept comment="allow source quench" disabled=no
add chain=icmp protocol=icmp icmp-options=8:0 action=accept comment="allow echo request" disabled=no
add chain=icmp protocol=icmp icmp-options=11:0 action=accept comment="allow time exceed" disabled=no
add chain=icmp protocol=icmp icmp-options=12:0 action=accept comment="allow parameter bad" disabled=no
add chain=icmp action=drop comment="deny all other types" disabled=no
add chain=forward src-address=172.16.0.1/24 dst-address=172.16.0.1/24 action=drop comment="Bloqueio acesso entre \
usuarios" disabled=no
-
26-08-2007, 16:17 #12
- Ingresso
- Aug 2007
- Posts
- 1.559
add chain="forward protocol=tcp dst-port=135-139 action=drop" action=accept comment="" disabled=no
add chain="forward protocol=udp dst-port=135-139 action=drop" action=accept comment="" disabled=no
add chain="forward protocol=tcp dst-port=445-449 action=drop" action=accept comment="" disabled=no
add chain="forward protocol=udp dst-port=445-449 action=drop" action=accept comment="" disabled=no
add chain=input in-interface=Local protocol=tcp src-port=6776 action=drop comment="2000 Cracks " disabled=no
add chain=input in-interface=Local protocol=tcp src-port=32418 action=drop comment="Acid Battery " disabled=no
add chain=input in-interface=Local protocol=tcp src-port=0-65535 action=drop comment="" disabled=no
add chain=forward action=jump jump-target=sanity-check comment="Sanity Check" disabled=no
add chain=sanity-check packet-mark=nat-traversal action=jump jump-target=drop comment="Deny illegal NAT traversal" \
disabled=no
add chain=sanity-check protocol=tcp psd=20,3s,3,1 action=add-src-to-address-list address-list=blocked-addr \
address-list-timeout=1d comment="Block port scans" disabled=no
add chain=sanity-check protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack action=add-src-to-address-list \
address-list=blocked-addr address-list-timeout=1d comment="Block TCP Null scan" disabled=no
add chain=sanity-check protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list \
address-list=blocked-addr address-list-timeout=1d comment="Block TCP Xmas scan" disabled=no
add chain=sanity-check protocol=tcp src-address-list=blocked-addr action=jump jump-target=drop comment="" disabled=no
add chain=sanity-check protocol=tcp tcp-flags=rst action=jump jump-target=drop comment="Drop TCP RST" disabled=no
add chain=sanity-check protocol=tcp tcp-flags=fin,syn action=jump jump-target=drop comment="Drop TCP SYN+FIN" disabled=no
add chain=sanity-check connection-state=invalid action=jump jump-target=drop comment="Dropping invalid connections at \
once" disabled=no
add chain=sanity-check connection-state=established action=accept comment="Accepting already established connections" \
disabled=no
add chain=sanity-check connection-state=related action=accept comment="Also accepting related connections" disabled=no
add chain=sanity-check dst-address-type=broadcast,multicast action=jump jump-target=drop comment="Drop all traffic that \
goes to multicast or broadcast addresses" disabled=no
add chain=sanity-check in-interface=Local dst-address-type=!local dst-address-list=illegal-addr action=jump \
jump-target=drop comment="Drop illegal destination addresses" disabled=no
add chain=sanity-check in-interface=Local src-address-list=!local-addr action=jump jump-target=drop comment="Drop \
everything that goes from local interface but not from local address" disabled=no
add chain=sanity-check in-interface=Public src-address-list=illegal-addr action=jump jump-target=drop comment="Drop \
illegal source addresses" disabled=no
add chain=sanity-check in-interface=Public dst-address-list=!local-addr action=jump jump-target=drop comment="Drop \
everything that goes from public interface but not to local address" disabled=no
add chain=sanity-check src-address-type=broadcast,multicast action=jump jump-target=drop comment="Drop all traffic that \
goes from multicast or broadcast addresses" disabled=no
add chain=forward protocol=tcp action=jump jump-target=restrict-tcp comment="" disabled=no
add chain=forward protocol=udp action=jump jump-target=restrict-udp comment="" disabled=no
add chain=forward action=jump jump-target=restrict-ip comment="" disabled=no
add chain=restrict-tcp connection-mark=auth action=reject reject-with=icmp-network-unreachable comment="" disabled=no
add chain=restrict-tcp connection-mark=smtp action=jump jump-target=smtp-first-drop comment="anti-spam policy" disabled=no
add chain=smtp-first-drop src-address-list=first-smtp action=add-src-to-address-list address-list=approved-smtp \
address-list-timeout=0s comment="" disabled=no
add chain=smtp-first-drop src-address-list=approved-smtp action=return comment="" disabled=no
add chain=smtp-first-drop action=add-src-to-address-list address-list=first-smtp address-list-timeout=0s comment="" \
disabled=no
add chain=smtp-first-drop action=reject reject-with=icmp-network-unreachable comment="" disabled=no
add chain=restrict-tcp connection-mark=other-tcp action=jump jump-target=drop comment="" disabled=no
add chain=restrict-udp connection-mark=other-udp action=jump jump-target=drop comment="" disabled=no
add chain=restrict-ip connection-mark=other action=jump jump-target=drop comment="" disabled=no
add chain=input src-address-type=local dst-address-type=local action=accept comment="Allow local traffic \(between router \
applications\)" disabled=no
add chain=input in-interface=Local protocol=udp src-port=68 dst-port=67 action=jump jump-target=dhcp comment="DHCP \
protocol would not pass sanity checking, so enabling it explicitly before other checks" disabled=no
add chain=input action=jump jump-target=sanity-check comment="Sanity Check" disabled=no
add chain=input dst-address-type=!local action=jump jump-target=drop comment="Dropping packets not destined to the router \
itself, including all broadcast traffic" disabled=no
add chain=input in-interface=Local action=jump jump-target=local-services comment="Allowing some services to be accessible \
from the local network" disabled=no
add chain=input in-interface=Public action=jump jump-target=public-services comment="Allowing some services to be \
accessible from the Internet" disabled=no
add chain=input connection-mark=ping limit=5,5 action=accept comment="Allow pings, but at a very limited rate \(5 per \
sec\)" disabled=no
add chain=input action=jump jump-target=drop comment="" disabled=no
add chain=dhcp src-address=0.0.0.0 dst-address=255.255.255.255 action=accept comment="" disabled=no
add chain=dhcp src-address=0.0.0.0 dst-address-type=local action=accept comment="" disabled=no
add chain=dhcp dst-address-type=local src-address-list=local-addr action=accept comment="" disabled=no
add chain=local-services connection-mark=ssh action=accept comment="SSH \(22/TCP\)" disabled=no
add chain=local-services connection-mark=dns action=accept comment="DNS" disabled=no
add chain=local-services connection-mark=proxy action=accept comment="HTTP Proxy \(3128/TCP\)" disabled=no
add chain=local-services connection-mark=winbox action=accept comment="Winbox \(8291/TCP\)" disabled=no
add chain=local-services action=drop comment="Drop Other Local Services" disabled=no
add chain=public-services connection-mark=ssh action=accept comment="SSH \(22/TCP\)" disabled=no
add chain=public-services connection-mark=pptp action=accept comment="PPTP \(1723/TCP\)" disabled=no
add chain=public-services connection-mark=gre action=accept comment="GRE for PPTP" disabled=no
add chain=public-services action=drop comment="Drop Other Public Services" disabled=no
add chain=virus protocol=tcp dst-port=135-139 action=drop comment="Drop Blaster Worm" disabled=no
add chain=virus protocol=udp dst-port=135-139 action=drop comment="Drop Messenger Worm" disabled=no
add chain=virus protocol=tcp dst-port=445 action=drop comment="Drop Blaster Worm" disabled=no
add chain=virus protocol=udp dst-port=445 action=drop comment="Drop Blaster Worm" disabled=no
add chain=virus protocol=tcp dst-port=593 action=drop comment="________" disabled=no
add chain=virus protocol=tcp dst-port=1024-1030 action=drop comment="________" disabled=no
add chain=virus protocol=tcp dst-port=1080 action=drop comment="Drop MyDoom" disabled=no
add chain=virus protocol=tcp dst-port=1214 action=drop comment="________" disabled=no
add chain=virus protocol=tcp dst-port=1363 action=drop comment="ndm requester" disabled=no
add chain=virus protocol=tcp dst-port=1364 action=drop comment="ndm server" disabled=no
add chain=virus protocol=tcp dst-port=1368 action=drop comment="screen cast" disabled=no
add chain=virus protocol=tcp dst-port=1373 action=drop comment="hromgrafx" disabled=no
add chain=virus protocol=tcp dst-port=1377 action=drop comment="cichlid" disabled=no
add chain=virus protocol=tcp dst-port=1433-1434 action=drop comment="Worm" disabled=no
add chain=virus protocol=tcp dst-port=2745 action=drop comment="Bagle Virus" disabled=no
add chain=virus protocol=tcp dst-port=2283 action=drop comment="Drop Dumaru.Y" disabled=no
add chain=virus protocol=tcp dst-port=2535 action=drop comment="Drop Beagle" disabled=no
add chain=virus protocol=tcp dst-port=2745 action=drop comment="Drop Beagle.C-K" disabled=no
add chain=virus protocol=tcp dst-port=3127-3128 action=drop comment="Drop MyDoom" disabled=no
add chain=virus protocol=tcp dst-port=3410 action=drop comment="Drop Backdoor OptixPro" disabled=no
add chain=virus protocol=tcp dst-port=4444 action=drop comment="Worm" disabled=no
add chain=virus protocol=udp dst-port=4444 action=drop comment="Worm" disabled=no
add chain=virus protocol=tcp dst-port=5554 action=drop comment="Drop Sasser" disabled=no
add chain=virus protocol=tcp dst-port=8866 action=drop comment="Drop Beagle.B" disabled=no
add chain=virus protocol=tcp dst-port=9898 action=drop comment="Drop Dabber.A-B" disabled=no
add chain=virus protocol=tcp dst-port=10000 action=drop comment="Drop Dumaru.Y" disabled=no
add chain=virus protocol=tcp dst-port=10080 action=drop comment="Drop MyDoom.B" disabled=no
add chain=virus protocol=tcp dst-port=12345 action=drop comment="Drop NetBus" disabled=no
add chain=virus protocol=tcp dst-port=17300 action=drop comment="Drop Kuang2" disabled=no
add chain=virus protocol=tcp dst-port=27374 action=drop comment="Drop SubSeven" disabled=no
-
26-08-2007, 16:18 #13
- Ingresso
- Aug 2007
- Posts
- 1.559
add chain=virus protocol=tcp dst-port=65506 action=drop comment="Drop PhatBot, Agobot, Gaobot" disabled=no
add chain=forward action=jump jump-target=virus comment="jump to the virus chain" disabled=yes
add chain=forward connection-state=established action=accept comment="allow established connections" disabled=no
add chain=forward connection-state=related action=accept comment="allow related connections" disabled=no
add chain=forward connection-state=invalid action=drop comment="drop invalid connections" disabled=no
add chain=forward protocol=icmp action=accept comment="allow ping" disabled=no
add chain=forward protocol=udp action=accept comment="allow udp" disabled=no
add chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=0s comment="" disabled=no
add chain=forward action=drop comment="drop everything else" disabled=yes
add chain=input protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg action=accept comment="" disabled=no
add chain=input protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg action=accept comment="" disabled=no
################### Essas são do mangle
ip firewall mangle
add chain=forward src-address=172.128.254.0/24 action=mark-connection new-connection-mark=users-con passthrough=yes \
comment="Marca o pacotes Usuarios" disabled=no
add chain=forward connection-mark=users-con action=mark-packet new-packet-mark=users passthrough=yes comment="" \
disabled=no
add chain=prerouting protocol=tcp connection-state=new action=jump jump-target=tcp-services comment="" disabled=no
add chain=prerouting protocol=udp connection-state=new action=jump jump-target=udp-services comment="" disabled=no
add chain=prerouting connection-state=new action=jump jump-target=other-services comment="" disabled=no
add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=20-21 action=mark-connection new-connection-mark=ftp \
passthrough=no comment="" disabled=no
add chain=tcp-services protocol=tcp src-port=513-65535 dst-port=22 action=mark-connection new-connection-mark=ssh \
passthrough=no comment="" disabled=no
add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=23 action=mark-connection new-connection-mark=telnet \
passthrough=no comment="" disabled=no
add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=25 action=mark-connection new-connection-mark=smtp \
passthrough=no comment="" disabled=no
add chain=tcp-services protocol=tcp src-port=53 dst-port=53 action=mark-connection new-connection-mark=dns passthrough=no \
comment="" disabled=no
add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=53 action=mark-connection new-connection-mark=dns \
passthrough=no comment="" disabled=no
add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=80 action=mark-connection new-connection-mark=http \
passthrough=no comment="" disabled=no
add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=110 action=mark-connection new-connection-mark=pop3 \
passthrough=no comment="" disabled=no
add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=113 action=mark-connection new-connection-mark=auth \
passthrough=no comment="" disabled=no
add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=119 action=mark-connection new-connection-mark=nntp \
passthrough=no comment="" disabled=no
add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=143 action=mark-connection new-connection-mark=imap \
passthrough=no comment="" disabled=no
add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=161-162 action=mark-connection new-connection-mark=snmp \
passthrough=no comment="" disabled=no
add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=443 action=mark-connection new-connection-mark=https \
passthrough=no comment="" disabled=no
add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=465 action=mark-connection new-connection-mark=smtps \
passthrough=no comment="" disabled=no
add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=993 action=mark-connection new-connection-mark=imaps \
passthrough=no comment="" disabled=no
add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=995 action=mark-connection new-connection-mark=pop3s \
passthrough=no comment="" disabled=no
add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=1723 action=mark-connection new-connection-mark=pptp \
passthrough=no comment="" disabled=no
add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=2379 action=mark-connection new-connection-mark=kgs \
passthrough=no comment="" disabled=no
add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=3128 action=mark-connection new-connection-mark=proxy \
passthrough=no comment="" disabled=no
add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=3987 action=mark-connection new-connection-mark=win-ts \
passthrough=no comment="" disabled=no
add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=4242-4243 action=mark-connection \
new-connection-mark=emule passthrough=no comment="" disabled=no
add chain=tcp-services protocol=tcp src-port=4661-4662 dst-port=1024-65535 action=mark-connection \
new-connection-mark=overnet passthrough=no comment="" disabled=no
add chain=tcp-services protocol=tcp src-port=4711 dst-port=1024-65535 action=mark-connection new-connection-mark=emule \
passthrough=no comment="" disabled=no
add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=5900-5901 action=mark-connection new-connection-mark=vnc \
passthrough=no comment="" disabled=no
add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=6667-6669 action=mark-connection new-connection-mark=irc \
passthrough=no comment="" disabled=no
add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=6881-6889 action=mark-connection \
new-connection-mark=bittorrent passthrough=no comment="" disabled=no
add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=8080 action=mark-connection new-connection-mark=http \
passthrough=no comment="" disabled=no
add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=8291 action=mark-connection new-connection-mark=winbox \
passthrough=no comment="" disabled=no
add chain=tcp-services protocol=tcp action=mark-connection new-connection-mark=other-tcp passthrough=no comment="" \
disabled=no
add chain=udp-services protocol=udp src-port=1024-65535 dst-port=53 action=mark-connection new-connection-mark=dns \
passthrough=no comment="" disabled=no
add chain=udp-services protocol=udp src-port=1024-65535 dst-port=123 action=mark-connection new-connection-mark=ntp \
passthrough=no comment="" disabled=no
add chain=udp-services protocol=udp src-port=1024-65535 dst-port=1701 action=mark-connection new-connection-mark=l2tp \
passthrough=no comment="" disabled=no
add chain=udp-services protocol=udp src-port=1024-65535 dst-port=4665 action=mark-connection new-connection-mark=emule \
passthrough=no comment="" disabled=no
add chain=udp-services protocol=udp src-port=1024-65535 dst-port=4672 action=mark-connection new-connection-mark=emule \
passthrough=no comment="" disabled=no
add chain=udp-services protocol=udp src-port=4672 dst-port=1024-65535 action=mark-connection new-connection-mark=emule \
passthrough=no comment="" disabled=no
add chain=udp-services protocol=udp src-port=1024-65535 dst-port=12053 action=mark-connection new-connection-mark=overnet \
passthrough=no comment="" disabled=no
add chain=udp-services protocol=udp src-port=12053 dst-port=1024-65535 action=mark-connection new-connection-mark=overnet \
passthrough=no comment="" disabled=no
add chain=udp-services protocol=udp src-port=36725 dst-port=1024-65535 action=mark-connection new-connection-mark=skype \
passthrough=no comment="" disabled=no
add chain=udp-services protocol=udp connection-state=new action=mark-connection new-connection-mark=other-udp \
passthrough=no comment="" disabled=no
add chain=other-services protocol=icmp icmp-options=8:0-255 action=mark-connection new-connection-mark=ping passthrough=no \
comment="" disabled=no
add chain=other-services protocol=gre action=mark-connection new-connection-mark=gre passthrough=no comment="" disabled=no
add chain=other-services action=mark-connection new-connection-mark=other passthrough=no comment="" disabled=no
add chain=prerouting in-interface=Public dst-address-list=nat-addr action=mark-packet new-packet-mark=nat-traversal \
passthrough=no comment="" disabled=no
##############################################################
Bom pessoal essa coletanea de regras de firewal são utilizadas pelo meu servidor e gostaria de informar que todas elas estão nos documentos do sistema mikrotik.
outra coisa tambem que depois que eu add essas regras o rendimento de meu servidor aumentou.
nessas regras constan proteção ao proprio roteador
protecao aos seus cliente
monitoramento do servicos de rede
drop de pacotes mal intencionados
protecao na rede contra virus e etc
espero que essas informações sirvam para outra pessoa pois lutei muito para deixar a minha rede do jeito que esta perfeita com mais de 100 clientes no cabo mesmo
-
26-08-2007, 18:17 #14
- Ingresso
- Jun 2007
- Posts
- 16
segurança
Opa já que estamos falando sobre sergurança eu gosataria de saber como faço para resolver uma parada no MK, tenho uma rede de 20 clientes com MK só que tem uma coisa que eu ainda ñ resolvi, os clintes tem acesso a outro clinte, em pastas compartilhadas e impressoras compartilhadas como faço pra resolvre isso. mim ajuda ai galera
-
26-08-2007, 20:11 #15
- Ingresso
- Aug 2007
- Posts
- 98
ola só esse problema é uma regra de firewall se eu naum to enganado Postado originalmente por jrwireless
Opa já que estamos falando sobre sergurança eu gosataria de saber como faço para resolver uma parada no MK, tenho uma rede de 20 clientes com MK só que tem uma coisa que eu ainda ñ resolvi, os clintes tem acesso a outro clinte, em pastas compartilhadas e impressoras compartilhadas como faço pra resolvre isso. mim ajuda ai galera
eu vi aqui mesmo no forum..
desculpa mas agora naum me lembro pra te falar o link
-
26-08-2007, 20:13 #16
- Ingresso
- Jun 2007
- Posts
- 35
Cara, vc usar DHCP-Server?? em network, seleciona o dhcp, propriedades e coloca em netmask=32. Acho q resolve...
se der certo retorna...
abraços!
-
26-08-2007, 23:40 #17
- Ingresso
- Aug 2007
- Posts
- 1.559
Postado originalmente por jrwireless
Opa já que estamos falando sobre sergurança eu gosataria de saber como faço para resolver uma parada no MK, tenho uma rede de 20 clientes com MK só que tem uma coisa que eu ainda ñ resolvi, os clintes tem acesso a outro clinte, em pastas compartilhadas e impressoras compartilhadas como faço pra resolvre isso. mim ajuda ai galera
Olá camarada!!
Essa regra eu tenho e está nessas regras que postei ai acima, mas aqui está ela:
add chain=forward src-address=172.16.0.1/24 dst-address=172.16.0.1/24 action=drop comment="Bloqueio acesso entre \
usuarios" disabled=no
Mude a classe de ip para o do seu mk, vá em new terminal e adicione essa regra que ninguém mais vê ninguém.
Abração e espero ter ajudado.
Roberto--- Natal-RN
-
27-08-2007, 00:07 #18
- Ingresso
- Jan 2006
- Localização
- São Lourenço do Sul, Brazil
- Posts
- 1.471
Uma coisa simples e eficaz e bloquar todas portas e ir liberando so o que for conhecido, poupa tempo.
-
27-08-2007, 00:43 #19
- Ingresso
- Aug 2007
- Posts
- 98
ola roberto... Postado originalmente por Roberto21
olha só eu add essa regrar ai e continua os clientes se inxergando tem algo mais a fazer????
mas uma pergunta
essa regra aqui por exemploadd chain=virus protocol=tcp dst-port=1364 action=drop comment="ndm server" disabled=no
onde ta virus protocol o q quer dizer isso por q la em chain so tem forward-input-output.
amigo desculpe a minha iginorancia mas e como eu te falei eu so leigo em mk e td q eu to aprendendo é aqui...
valeu amigo
-
27-08-2007, 00:54 #20
- Ingresso
- Aug 2007
- Posts
- 1.559
Postado originalmente por Skylinelan
Olá brother!!
Essa regra tem que ser adicionada da seguinte forma:
Onde você vê os ip's 172.128.254..../24 você tem que mudar esses ip's para a sua classe de ip's senão não irá funcionar, copie e cole a regra dentro do bloco de notas, modifique para o ip de sua interface local e ai abra um ''new terminal'' e digite: ip firewall filter copie novamente a regra do seu bloco de notas e dentro de new terminal no mk clique com o botão direio e clique em paste,pronto resolverá o problema de clientes se enchergar, até por que alguns clientes meus reclamaram que estavam se enchergando e após aplicar essa regra acabou o problema.
Acho que você não aplicou direitinho por isso não funcionou, faz com mais calma e atenção, e qualquer coisa é só postar aqui que vejo de imediato a sua resposta no meu pc, tenho um software que fica monitorando a caixa de e-mail, quando vc coloca a resposta e o e-mail chega sou avisado de imediato, então se fizer agora estarei aqui para ajudar.
Abração.
Citação
