
  1. #1

    Rule to block "attacks and scanners from outside"???

    Folks, I need a rule to block requests from outside (the internet) to my MK and allow only the MK itself to make requests outward... Not sure I expressed myself properly... e.g.: my range is 200.x.x.65/26, my internet-facing MK would be at address 200.x.x.100; then I analyze and notice excessive traffic on the internet-facing address... I go and change the address to 200.x.x.101 and that's it, solved for a few weeks... then it starts generating traffic again... another thing I notice is that there are many outside (internet) IPs scanning the network..... how do I block this kind of activity for good????

  2. #2


    I'm also interested in knowing some good rules to mitigate this.
    Can anyone help us?!

  3. #3


    Code:
    # Accept port 8291 (Winbox) over TCP and UDP and FTP control (TCP 21) to the router,
    # then drop every other packet addressed to the router. Note there is no
    # connection-state rule, so replies to the router's own outbound connections are dropped too.
    /ip firewall filter add chain=input action=accept dst-port=8291 protocol=tcp
    /ip firewall filter add chain=input action=accept dst-port=8291 protocol=udp
    /ip firewall filter add chain=input action=accept dst-port=21 protocol=tcp
    /ip firewall filter add chain=input action=drop

    it will accept on the mikrotik port... and deny the REST..

    but I don't know if it's a good idea :P

  4. #4


    I think you should also specify the "in-interface", because this way it will block the clients too.

  5. #5


    alexandrecorrea .... thanks for the help....but it definitely wouldn't be a good idea...I was thinking of "dropping" everything and then allowing only the traffic I need, like opening only the http, https, icq, ftp, ssh ports ...etc, because I analyzed the traffic again and they are scanning every port non-stop. Anyone else up for it????

  6. #6


    put a firewall machine in bridge mode in front of it ... it's safer...

  7. #7

    I solved it this way

    jodrix, here's the thing: two of my clients had the same problem. Note the following: if you take the MK off the clients' network and leave it on just one machine (in my case I put the MK directly on my notebook) your proxy will run like crazy... this happens because some people use your internet IP address and a specific port, for example 80, to configure their browser and access the internet through your proxy.

    External proxy block
    /ip firewall filter add chain=input protocol=tcp dst-port=3128 in-interface=Internet action=drop comment="External proxy block"

    External Winbox
    # 189.10.81.70 is the internet-side address, 10.0.0.2 is the client
    /ip firewall nat add chain=dstnat dst-address=189.10.81.70 protocol=tcp dst-port=4040 action=dst-nat to-addresses=10.0.0.2 to-ports=23 comment="Open TCP port - MK"
    /ip firewall nat add chain=dstnat dst-address=189.10.81.70 protocol=udp dst-port=4040 action=dst-nat to-addresses=10.0.0.2 to-ports=23 comment="Open UDP port - MK (telnet is TCP only, so this rule carries no telnet traffic)"
    /ip firewall nat add chain=dstnat dst-address=189.10.81.70 protocol=tcp dst-port=8291 action=dst-nat to-addresses=10.0.0.2 to-ports=8291 comment="Remote WINBOX access"

    Firewall ports
    # Jump added so the virus chain is actually evaluated (the chain is never reached without it)
    /ip firewall filter add chain=forward action=jump jump-target=virus comment="Jump to virus chain"
    /ip firewall filter add chain=virus protocol=tcp dst-port=135-139 action=drop comment="Drop Blaster Worm"
    /ip firewall filter add chain=virus protocol=udp dst-port=135-139 action=drop comment="Drop Messenger Worm"
    /ip firewall filter add chain=virus protocol=tcp dst-port=445 action=drop comment="Drop Blaster Worm"
    /ip firewall filter add chain=virus protocol=udp dst-port=445 action=drop comment="Drop Blaster Worm"
    /ip firewall filter add chain=virus protocol=tcp dst-port=593 action=drop comment="RPC over HTTP"
    /ip firewall filter add chain=virus protocol=tcp dst-port=1024-1030 action=drop
    /ip firewall filter add chain=virus protocol=tcp dst-port=1080 action=drop comment="Drop MyDoom"
    /ip firewall filter add chain=virus protocol=tcp dst-port=1214 action=drop comment="Kazaa"
    /ip firewall filter add chain=virus protocol=tcp dst-port=1363 action=drop comment="ndm requester"
    /ip firewall filter add chain=virus protocol=tcp dst-port=1364 action=drop comment="ndm server"
    /ip firewall filter add chain=virus protocol=tcp dst-port=1368 action=drop comment="screen cast"
    /ip firewall filter add chain=virus protocol=tcp dst-port=1373 action=drop comment="hromgrafx"
    /ip firewall filter add chain=virus protocol=tcp dst-port=1377 action=drop comment="cichlid"
    /ip firewall filter add chain=virus protocol=tcp dst-port=1433-1434 action=drop comment="Worm (MS SQL)"
    /ip firewall filter add chain=virus protocol=tcp dst-port=2283 action=drop comment="Drop Dumaru.Y"
    /ip firewall filter add chain=virus protocol=tcp dst-port=2535 action=drop comment="Drop Beagle"
    /ip firewall filter add chain=virus protocol=tcp dst-port=2745 action=drop comment="Drop Bagle / Beagle.C-K"
    /ip firewall filter add chain=virus protocol=tcp dst-port=3127-3128 action=drop comment="Drop proxy ports"
    /ip firewall filter add chain=virus protocol=tcp dst-port=3410 action=drop comment="Drop Backdoor OptixPro"
    /ip firewall filter add chain=virus protocol=tcp dst-port=4444 action=drop comment="Worm"
    /ip firewall filter add chain=virus protocol=udp dst-port=4444 action=drop comment="Worm"
    /ip firewall filter add chain=virus protocol=tcp dst-port=5554 action=drop comment="Drop Sasser"
    /ip firewall filter add chain=virus protocol=tcp dst-port=8866 action=drop comment="Drop Beagle.B"
    /ip firewall filter add chain=virus protocol=tcp dst-port=9898 action=drop comment="Drop Dabber.A-B"
    /ip firewall filter add chain=virus protocol=tcp dst-port=10000 action=drop comment="Drop Dumaru.Y"
    /ip firewall filter add chain=virus protocol=tcp dst-port=10080 action=drop comment="Drop MyDoom.B"
    /ip firewall filter add chain=virus protocol=tcp dst-port=12345 action=drop comment="Drop NetBus"
    /ip firewall filter add chain=virus protocol=tcp dst-port=17300 action=drop comment="Drop Kuang2"
    /ip firewall filter add chain=virus protocol=tcp dst-port=27374 action=drop comment="Drop SubSeven"
    /ip firewall filter add chain=virus protocol=tcp dst-port=65506 action=drop comment="Drop PhatBot, Agobot, Gaobot"
    /ip firewall filter add chain=forward dst-port=135 protocol=tcp action=drop comment="Deny access to port 135"
    # No in-interface here, so telnet to the router is refused from every side, not only from outside
    /ip firewall filter add chain=input protocol=tcp dst-port=23 action=drop comment="Deny external TELNET access"
    # connection-limit=6,32 matches once a single /32 source already holds 6 connections, so the 7th SYN is dropped
    /ip firewall filter add chain=forward protocol=tcp tcp-flags=syn connection-limit=6,32 action=drop comment="Max 6 simultaneous TCP connections per client"
    /ip firewall filter add chain=forward src-address=0.0.0.0/8 action=drop comment="Block IP addresses called bogons"
    /ip firewall filter add chain=forward dst-address=0.0.0.0/8 action=drop
    /ip firewall filter add chain=forward src-address=127.0.0.0/8 action=drop
    /ip firewall filter add chain=forward dst-address=127.0.0.0/8 action=drop
    /ip firewall filter add chain=forward src-address=224.0.0.0/3 action=drop
    /ip firewall filter add chain=forward dst-address=224.0.0.0/3 action=drop
    /ip firewall filter add chain=forward protocol=tcp action=jump jump-target=tcp comment="Make jumps to new chains"
    /ip firewall filter add chain=forward protocol=udp action=jump jump-target=udp
    /ip firewall filter add chain=forward protocol=icmp action=jump jump-target=icmp
    /ip firewall filter add chain=tcp protocol=tcp dst-port=69 action=drop comment="deny TFTP"
    /ip firewall filter add chain=tcp protocol=tcp dst-port=111 action=drop comment="deny RPC portmapper"
    /ip firewall filter add chain=tcp protocol=tcp dst-port=135 action=drop comment="deny MS RPC endpoint mapper"
    /ip firewall filter add chain=tcp protocol=tcp dst-port=137-139 action=drop comment="deny NBT"
    /ip firewall filter add chain=tcp protocol=tcp dst-port=445 action=drop comment="deny CIFS"
    /ip firewall filter add chain=tcp protocol=tcp dst-port=2049 action=drop comment="deny NFS"
    /ip firewall filter add chain=tcp protocol=tcp dst-port=12345-12346 action=drop comment="deny NetBus"
    /ip firewall filter add chain=tcp protocol=tcp dst-port=20034 action=drop comment="deny NetBus"
    /ip firewall filter add chain=tcp protocol=tcp dst-port=3133 action=drop comment="deny BackOrifice"
    # DHCP runs over UDP, so this TCP rule matches no real DHCP traffic
    /ip firewall filter add chain=tcp protocol=tcp dst-port=67-68 action=drop comment="deny DHCP"
    /ip firewall filter add chain=udp protocol=udp dst-port=69 action=drop comment="deny TFTP"
    /ip firewall filter add chain=udp protocol=udp dst-port=111 action=drop comment="deny RPC portmapper"
    /ip firewall filter add chain=udp protocol=udp dst-port=135 action=drop comment="deny MS RPC endpoint mapper"
    /ip firewall filter add chain=udp protocol=udp dst-port=137-139 action=drop comment="deny NBT"
    /ip firewall filter add chain=udp protocol=udp dst-port=2049 action=drop comment="deny NFS"
    /ip firewall filter add chain=udp protocol=udp dst-port=3133 action=drop comment="deny BackOrifice"
    # icmp-options is type:code; comments below state what each rule really matches
    /ip firewall filter add chain=icmp protocol=icmp icmp-options=0:0 action=accept comment="allow echo reply"
    /ip firewall filter add chain=icmp protocol=icmp icmp-options=3:0 action=accept comment="allow network unreachable"
    /ip firewall filter add chain=icmp protocol=icmp icmp-options=3:1 action=accept comment="allow host unreachable"
    /ip firewall filter add chain=icmp protocol=icmp icmp-options=4:0 action=accept comment="allow source quench"
    /ip firewall filter add chain=icmp protocol=icmp icmp-options=8:0 action=accept comment="allow echo request"
    /ip firewall filter add chain=icmp protocol=icmp icmp-options=11:0 action=accept comment="allow time exceeded"
    /ip firewall filter add chain=icmp protocol=icmp icmp-options=12:0 action=accept comment="allow parameter problem"
    # Type 3 code 4 (fragmentation needed) is not accepted above, so path MTU discovery through the router will break
    /ip firewall filter add chain=icmp action=drop comment="deny all other ICMP types"
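    Post #1 asks how to get rid of the outside hosts that keep scanning the range, and the rule set above only drops a fixed list of worm ports. The block below is an added example, not part of this post or of MikroTik's documentation: it uses RouterOS's psd (port scan detection) matcher and a few TCP-flag signatures to put scanning sources into an address list, then drops everything from that list before the rest of the policy runs. It assumes the WAN interface is called Internet, as in the rules above; the list name port-scanners, the timeouts and the psd thresholds are assumed values to tune for your traffic.

```routeros
# Added example (not from the thread). Assumes the WAN interface is named
# "Internet"; the list name, timeouts and thresholds are assumed values to tune.
/ip firewall filter

# 1. Drop anything already identified as a scanner. Keep these two rules at the
#    top of the input and forward chains (use /ip firewall filter move) so they
#    run before the jumps to the virus/tcp/udp/icmp chains.
add chain=input in-interface=Internet src-address-list=port-scanners action=drop \
    comment="Drop listed scanners (traffic to the router)"
add chain=forward in-interface=Internet src-address-list=port-scanners action=drop \
    comment="Drop listed scanners (traffic to the clients)"

# 2. Port-scan detection. psd=21,3s,3,1 means: a source earns weight 3 for each
#    low port (<1024) and 1 for each high port it touches; reaching 21 within
#    3 seconds matches. Matching sources stay listed for two weeks.
add chain=input in-interface=Internet protocol=tcp psd=21,3s,3,1 \
    action=add-src-to-address-list address-list=port-scanners address-list-timeout=2w \
    comment="Port scan against the router"
add chain=forward in-interface=Internet protocol=tcp psd=21,3s,3,1 \
    action=add-src-to-address-list address-list=port-scanners address-list-timeout=2w \
    comment="Port scan against the clients"

# 3. Flag combinations that never occur in a legitimate handshake: the FIN,
#    SYN/FIN, SYN/RST, Xmas and NULL probes used by stealth scanners.
add chain=input in-interface=Internet protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg \
    action=add-src-to-address-list address-list=port-scanners address-list-timeout=2w \
    comment="FIN scan"
add chain=input in-interface=Internet protocol=tcp tcp-flags=fin,syn \
    action=add-src-to-address-list address-list=port-scanners address-list-timeout=2w \
    comment="SYN/FIN scan"
add chain=input in-interface=Internet protocol=tcp tcp-flags=syn,rst \
    action=add-src-to-address-list address-list=port-scanners address-list-timeout=2w \
    comment="SYN/RST scan"
add chain=input in-interface=Internet protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack \
    action=add-src-to-address-list address-list=port-scanners address-list-timeout=2w \
    comment="Xmas scan"
add chain=input in-interface=Internet protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg \
    action=add-src-to-address-list address-list=port-scanners address-list-timeout=2w \
    comment="NULL scan"

# 4. Outside hosts that try the proxy port are abusers, not clients: list them too.
add chain=input in-interface=Internet protocol=tcp dst-port=3128 \
    action=add-src-to-address-list address-list=port-scanners address-list-timeout=1d \
    comment="External proxy probe"

# See who got caught and which rules are firing.
/ip firewall address-list print where list=port-scanners
/ip firewall filter print stats where chain=input
```

    The listing rules only record sources; the two rules in step 1 do the dropping, so order matters: step 1 first, then any established/related accept rules, then the detectors. Put an accept rule for your own monitoring or vulnerability-scanning host above step 1, otherwise a scheduled scan of your own range will lock it out for two weeks.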

  8. #8


    Studying the manual, latest version, I found the following:

    Protect your RouterOS router
    To protect your router, you should not only change admin's password
    filtering. All packets with destination to the router are processed against
    Note, that the input chain does not affect packets which are being transferred
    / ip firewall filter
    add chain=input connection-state=invalid action=drop \
    comment="Drop Invalid connections"
    add chain=input connection-state=established action=accept \
    comment="Allow Established connections"
    add chain=input protocol=udp action=accept \
    comment="Allow UDP"
    add chain=input protocol=icmp action=accept \
    comment="Allow ICMP"
    add chain=input src-address=192.168.0.0/24 action=accept \
    comment="Allow access to router from known network"
    add chain=input action=drop comment="Drop anything else"
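    The manual excerpt above, the exchange in #3 and #4 and the "drop everything, then allow only what I need" idea from #5 all describe the same policy: a stateful input chain that lets the router's own outbound traffic return while everything unsolicited from the internet is dropped. Below is an added example that puts the pieces together; it is not from the thread or from the RouterOS manual. It keeps the manual's state rules, adds the in-interface restriction suggested in #4, and limits management to an address list. It assumes the interfaces are named Internet and LAN and that 192.168.0.0/24 is the admin network (the address the manual's rule uses); adjust to your own addressing, since the clients in this thread sit on a public /26.

```routeros
# Added example (not from the thread or the RouterOS manual). Assumes a WAN
# interface named "Internet", a client-facing interface named "LAN", and
# 192.168.0.0/24 as the only network allowed to manage the router.
/ip firewall address-list
add list=admin-hosts address=192.168.0.0/24 comment="Hosts allowed to manage the router"

/ip firewall filter
# 1. State rules first. Replies to connections the router opened itself (DNS,
#    NTP, package downloads) arrive as established/related and are accepted,
#    so the router can still reach the internet while unsolicited packets
#    cannot reach it. One connection-state value per rule keeps this valid on
#    older RouterOS versions.
add chain=input connection-state=invalid action=drop comment="Drop invalid"
add chain=input connection-state=established action=accept comment="Allow established"
add chain=input connection-state=related action=accept comment="Allow related"

# 2. Management only from the admin list and only via the inside interface.
#    A Winbox or SSH packet arriving on "Internet" with a spoofed 192.168.0.x
#    source is still dropped because in-interface does not match.
add chain=input in-interface=LAN src-address-list=admin-hosts protocol=tcp dst-port=8291 \
    action=accept comment="Winbox from admin hosts"
add chain=input in-interface=LAN src-address-list=admin-hosts protocol=tcp dst-port=22 \
    action=accept comment="SSH from admin hosts"

# 3. Services the clients legitimately use on the router. Add only what you
#    run; the manual's "allow all UDP" rule is replaced by the DNS port alone.
add chain=input in-interface=LAN protocol=udp dst-port=53 action=accept comment="DNS for clients"
add chain=input in-interface=LAN protocol=tcp dst-port=53 action=accept comment="DNS for clients (TCP)"
add chain=input protocol=icmp action=accept comment="ICMP (ping, path MTU discovery)"

# 4. Everything else addressed to the router, on any interface, is dropped.
#    Enable the log rule while testing to see what the policy is refusing.
add chain=input in-interface=Internet action=log log-prefix="input-drop " \
    comment="Log before drop (enable while testing)" disabled=yes
add chain=input action=drop comment="Drop everything else"

# Verify ordering and hit counters; the drop rule must be last in the chain.
/ip firewall filter print stats where chain=input
```

    Apply this from a terminal or Winbox session in Safe Mode (Ctrl+X in the terminal) so that, if the final drop rule locks you out, the change is rolled back when the session dies. If you must administer the router from the internet, add a second accept rule with in-interface=Internet and a separate address list holding only that one remote address rather than opening 8291 to everyone.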