Página 2 de 2 PrimeiroPrimeiro 12
+ Responder ao Tópico



  1. coloca uma maquina firewall em bridge antes ... eh mais seguro...

  2. jodrix é o seguinte, dois clientes meus tiveram o mesmo problema, note o seguinte se vc tirar o MK da rede dos clientes e deixar so em uma maquina (no meu casa coloquei o MK direto no meu note) o seu proxy vai rodar que nem louco... isso acontece por que algumas pessoas usam seu endereço ip da internet e uma porta especifica por exemplo a 80 para onfigurar o navegador e acessar internet pelo seu proxy.

    Bloqueio Externo do proxy
    /ip firewall filter add chain=input protocol=6 dst-port=3128 in-interface=Internet action=drop comment="Bloqueio de Proxy Externo"

    Winbox externo
    /ip firewall nat add chain=dstnat dst-address=189.10.81.70 (internet) protocol=tcp dst-port=4040 action=dst-nat to-addresses=10.0.0.2 (cliente) to-ports=23 comment=”Liberar porta TCP – MK”
    /ip firewall nat add chain=dstnat dst-address=189.10.81.70 (internet)protocol=udp dst-port=4040 action=dst-nat to-addresses=10.0.0.2 (cliente) to-ports=23 comment=”Liberar porta UDP - MK”
    /ip firewall nat add chain=dstnat dst-address=189.10.81.70 (internet)protocol=tcp dst-port=8291 action=dst-nat to-addresses=10.0.0.2 (cliente) to-ports=8291 comment=”Acesso Remoto WIBOX ”

    Firewall Portas
    /ip firewall filter add chain=virus protocol=tcp dst-port=445 action=drop comment="bloqueio de \VIRUS conhecidos" disabled=no
    /ip firewall filter add chain=virus protocol=udp dst-port=445 action=drop comment="" disabled=no
    /ip firewall filter add chain=virus protocol=tcp dst-port=593 action=drop comment="" disabled=no
    /ip firewall filter add chain=virus protocol=tcp dst-port=1080 action=drop comment="" disabled=no
    /ip firewall filter add chain=virus protocol=tcp dst-port=1363 action=drop comment="" disabled=no
    /ip firewall filter add chain=virus protocol=tcp dst-port=1364 action=drop comment="" disabled=no
    /ip firewall filter add chain=virus protocol=tcp dst-port=1373 action=drop comment="" disabled=no
    /ip firewall filter add chain=virus protocol=tcp dst-port=1377 action=drop comment="" disabled=no
    /ip firewall filter add chain=virus protocol=tcp dst-port=1368 action=drop comment="" disabled=no
    /ip firewall filter add chain=virus protocol=tcp dst-port=1433-1434 action=drop comment="" \
    disabled=no
    /ip firewall filter add chain=virus protocol=tcp dst-port=1024-1030 action=drop comment="" \
    disabled=no
    /ip firewall filter add chain=virus protocol=tcp dst-port=1214 action=drop comment="" disabled=no
    /ip firewall filter add chain=virus protocol=tcp dst-port=135-139 action=drop comment="Drop \
    Blaster Worm" disabled=no
    /ip firewall filter add chain=virus protocol=udp dst-port=135-139 action=drop comment="Drop \
    Messenger Worm" disabled=no
    /ip firewall filter add chain=virus protocol=tcp dst-port=445 action=drop comment="Drop Blaster \
    Worm" disabled=no
    /ip firewall filter add chain=virus protocol=udp dst-port=445 action=drop comment="Drop Blaster \
    Worm" disabled=no
    /ip firewall filter add chain=virus protocol=tcp dst-port=593 action=drop comment="________" \
    disabled=no
    /ip firewall filter add chain=virus protocol=tcp dst-port=1024-1030 action=drop comment="________" \
    disabled=no
    /ip firewall filter add chain=virus protocol=tcp dst-port=1080 action=drop comment="Drop MyDoom" \
    disabled=no
    /ip firewall filter add chain=virus protocol=tcp dst-port=1214 action=drop comment="________" \
    disabled=no
    /ip firewall filter add chain=virus protocol=tcp dst-port=1363 action=drop comment="ndm requester" \
    disabled=no
    /ip firewall filter add chain=virus protocol=tcp dst-port=1364 action=drop comment="ndm server" \
    disabled=no
    /ip firewall filter add chain=virus protocol=tcp dst-port=1368 action=drop comment="screen cast" \
    disabled=no
    /ip firewall filter add chain=virus protocol=tcp dst-port=1373 action=drop comment="hromgrafx" \
    disabled=no
    /ip firewall filter add chain=virus protocol=tcp dst-port=1377 action=drop comment="cichlid" \
    disabled=no
    /ip firewall filter add chain=virus protocol=tcp dst-port=1433-1434 action=drop comment="Worm" \
    disabled=no
    /ip firewall filter add chain=virus protocol=tcp dst-port=2745 action=drop comment="Bagle Virus" \
    disabled=no
    /ip firewall filter add chain=virus protocol=tcp dst-port=2283 action=drop comment="Drop Dumaru.Y" \
    disabled=no
    /ip firewall filter add chain=virus protocol=tcp dst-port=2535 action=drop comment="Drop Beagle" \
    disabled=no
    /ip firewall filter add chain=virus protocol=tcp dst-port=2745 action=drop comment="Drop \
    Beagle.C-K" disabled=no
    /ip firewall filter add chain=virus protocol=tcp dst-port=3127-3128 action=drop comment="Drop \
    porta proxy" disabled=no
    /ip firewall filter add chain=virus protocol=tcp dst-port=3410 action=drop comment="Drop Backdoor \
    OptixPro" disabled=no
    /ip firewall filter add chain=virus protocol=tcp dst-port=4444 action=drop comment="Worm" \
    disabled=no
    /ip firewall filter add chain=virus protocol=udp dst-port=4444 action=drop comment="Worm" \
    disabled=no
    /ip firewall filter add chain=virus protocol=tcp dst-port=5554 action=drop comment="Drop Sasser" \
    disabled=no
    /ip firewall filter add chain=virus protocol=tcp dst-port=8866 action=drop comment="Drop Beagle.B" \
    disabled=no
    /ip firewall filter add chain=virus protocol=tcp dst-port=9898 action=drop comment="Drop \
    Dabber.A-B" disabled=no
    /ip firewall filter add chain=virus protocol=tcp dst-port=10000 action=drop comment="Drop \
    Dumaru.Y" disabled=no
    /ip firewall filter add chain=virus protocol=tcp dst-port=10080 action=drop comment="Drop \
    MyDoom.B" disabled=no
    /ip firewall filter add chain=virus protocol=tcp dst-port=12345 action=drop comment="Drop NetBus" \
    disabled=no
    /ip firewall filter add chain=virus protocol=tcp dst-port=17300 action=drop comment="Drop Kuang2" \
    disabled=no
    /ip firewall filter add chain=virus protocol=tcp dst-port=27374 action=drop comment="Drop \
    SubSeven" disabled=no
    /ip firewall filter add chain=virus protocol=tcp dst-port=65506 action=drop comment="Drop PhatBot, \
    Agobot, Gaobot" disabled=no
    /ip firewall filter add chain=forward dst-port=135 protocol=tcp action=drop comment="Nega acesso a porta 135" disabled=no
    /ip firewall filter add chain=input protocol=tcp dst-port=23 action=drop comment="Nega acesso externo via TELNET" disabled=no
    /ip firewall filter add chain=forward protocol=tcp tcp-flags=syn connection-limit=6,32 action=drop comment="5 conexões simutaneas por cliente" disabled=no
    /ip firewall filter add chain=forward src-/ip firewall filter address=0.0.0.0/8 action=drop comment “Block IP /ip firewall filter addreses called bogons" disabled=no
    /ip firewall filter add chain=forward dst-/ip firewall filter address=0.0.0.0/8 action=drop
    /ip firewall filter add chain=forward src-/ip firewall filter address=127.0.0.0/8 action=drop
    /ip firewall filter add chain=forward dst-/ip firewall filter address=127.0.0.0/8 action=drop
    /ip firewall filter add chain=forward src-/ip firewall filter address=224.0.0.0/3 action=drop
    /ip firewall filter add chain=forward dst-/ip firewall filter address=224.0.0.0/3 action=drop
    /ip firewall filter add chain=forward protocol=tcp action=jump jump-target=tcp comment “Make jumps to new chains " disabled=no
    /ip firewall filter add chain=forward protocol=udp action=jump jump-target=udp
    /ip firewall filter add chain=forward protocol=icmp action=jump jump-target=icmp
    /ip firewall filter add chain=tcp protocol=tcp dst-port=69 action=drop \
    comment="deny TFTP"
    /ip firewall filter add chain=tcp protocol=tcp dst-port=111 action=drop \
    comment="deny RPC portmapper"
    /ip firewall filter add chain=tcp protocol=tcp dst-port=135 action=drop \
    comment="deny RPC portmapper"
    /ip firewall filter add chain=tcp protocol=tcp dst-port=137-139 action=drop \
    comment="deny NBT"
    /ip firewall filter add chain=tcp protocol=tcp dst-port=445 action=drop \
    comment="deny cifs"
    /ip firewall filter add chain=tcp protocol=tcp dst-port=2049 action=drop comment="deny NFS"
    /ip firewall filter add chain=tcp protocol=tcp dst-port=12345-12346 action=drop comment="deny NetBus"
    /ip firewall filter add chain=tcp protocol=tcp dst-port=20034 action=drop comment="deny NetBus"
    /ip firewall filter add chain=tcp protocol=tcp dst-port=3133 action=drop comment="deny BackOriffice"
    /ip firewall filter add chain=tcp protocol=tcp dst-port=67-68 action=drop comment="deny DHCP"
    /ip firewall filter add chain=udp protocol=udp dst-port=69 action=drop comment="deny TFTP"
    /ip firewall filter add chain=udp protocol=udp dst-port=111 action=drop comment="deny PRC portmapper"
    /ip firewall filter add chain=udp protocol=udp dst-port=135 action=drop comment="deny PRC portmapper"
    /ip firewall filter add chain=udp protocol=udp dst-port=137-139 action=drop comment="deny NBT"
    /ip firewall filter add chain=udp protocol=udp dst-port=2049 action=drop comment="deny NFS"
    /ip firewall filter add chain=udp protocol=udp dst-port=3133 action=drop comment="deny BackOriffice"
    /ip firewall filter add chain=icmp protocol=icmp icmp-options=0:0 action=accept \
    comment="drop invalid connections"
    /ip firewall filter add chain=icmp protocol=icmp icmp-options=3:0 action=accept \
    comment="allow established connections"
    /ip firewall filter add chain=icmp protocol=icmp icmp-options=3:1 action=accept \
    comment="allow already established connections"
    /ip firewall filter add chain=icmp protocol=icmp icmp-options=4:0 action=accept \
    comment="allow source quench"
    /ip firewall filter add chain=icmp protocol=icmp icmp-options=8:0 action=accept \
    comment="allow echo request"
    /ip firewall filter add chain=icmp protocol=icmp icmp-options=11:0 action=accept \
    comment="allow time exceed"
    /ip firewall filter add chain=icmp protocol=icmp icmp-options=12:0 action=accept \
    comment="allow parameter bad"
    /ip firewall filter add chain=icmp action=drop comment="deny all other types"



  3. Estudando o manual, versão mias recente, encotrei o seguinte:

    Protect your RouterOS router
    To protect your router, you should not only change admin's password
    filtering. All packets with destination to the router are processed against
    Note, that the input chain does not affect packets which are being transferred
    / ip firewall filter
    add chain=input connection-state=invalid action=drop \
    comment="Drop Invalid connections"
    add chain=input connection-state=established action=accept
    comment="Allow Established connections"
    add chain=input protocol=udp action=accept \
    comment="Allow UDP"
    add chain=input protocol=icmp action=accept \
    comment="Allow ICMP"
    add chain=input src-address=192.168.0.0/24 action=accept \
    comment="Allow access to router from known network"
    add chain=input action=drop comment="Drop anything else"






Tópicos Similares

  1. Respostas: 4
    Último Post: 04-10-2011, 23:16
  2. bloquear envio para aliases de fora da rede..(postfix)
    Por quecosuix no fórum Servidores de Rede
    Respostas: 1
    Último Post: 28-04-2005, 15:05
  3. Scanner de Mão ScanPlus SP UBI
    Por ricardorocha no fórum Sistemas Operacionais
    Respostas: 0
    Último Post: 22-01-2004, 16:41
  4. Qual o melhor scanner de e-mail?
    Por Hacinn no fórum Servidores de Rede
    Respostas: 20
    Último Post: 16-09-2003, 10:03
  5. regra iptables para envio e recebimento de e-mail
    Por Wal no fórum Servidores de Rede
    Respostas: 11
    Último Post: 04-09-2003, 07:10

Visite: BR-Linux ·  VivaOLinux ·  Dicas-L