classic.ISPforum.cz

Napsal: **18 Mar 2009 01:45**

S RouterOS začínám, mám zkušenost jen s klasickým systémovým firewalem nad BSD, teď jsem se dostal k Mikrotiku a přiznám se že logika firewall je nějaká zvláštní.

Procházel jsem dokumentaci a snad jediné co mě zaujalo je něco co nazývají home firewall, což je tohle:

Kód: Vybrat vše

/ip firewall connection tracking 
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s tcp-close-wait-timeout=10s tcp-established-timeout=1d \
    tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no \
    tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s 
/ip firewall filter 
add action=accept chain=accept_list comment="Forward HTTP to webserver" disabled=no dst-address=192.168.11.10 dst-port=80 protocol=tcp 
add action=accept chain=accept_list comment="Forward HTTPS to webserver" disabled=no dst-address=192.168.11.10 dst-port=443 \
    protocol=tcp 
add action=accept chain=accept_list comment="Forward FTP to Server" disabled=no dst-address=192.168.11.10 dst-port=21 protocol=tcp 
add action=accept chain=accept_list comment="Forward RDP to Server" disabled=no dst-address=192.168.11.10 dst-port=3389 protocol=tcp \
    src-port=3389 
add action=drop chain=known_viruses comment="windows - not EXACTLY a virus" disabled=no dst-port=135-139 protocol=tcp 
add action=drop chain=known_viruses comment="windows - not EXACTLY a virus" disabled=no dst-port=135-139 protocol=udp 
add action=drop chain=known_viruses comment="winXP netbios not EXACTLY a virus" disabled=no dst-port=445 protocol=udp 
add action=drop chain=known_viruses comment="winXP netbios not EXACTLY a virus" disabled=no dst-port=445 protocol=tcp 
add action=drop chain=known_viruses comment="msblast worm" disabled=no dst-port=593 protocol=tcp 
add action=drop chain=known_viruses comment="msblast worm" disabled=no dst-port=4444 protocol=tcp 
add action=drop chain=known_viruses comment="WITTY worm" disabled=no dst-port=4000 protocol=tcp 
add action=drop chain=known_viruses comment="SoBig.f worm" disabled=no dst-port=995-999 protocol=tcp 
add action=drop chain=known_viruses comment="SoBig.f worm" disabled=no dst-port=8998 protocol=tcp 
add action=drop chain=known_viruses comment="beagle worm" disabled=no dst-port=2745 protocol=tcp 
add action=drop chain=known_viruses comment="beagle worm" disabled=no dst-port=4751 protocol=tcp 
add action=drop chain=known_viruses comment="SQL Slammer" disabled=no dst-port=1434 protocol=tcp 
add action=drop chain=bad_people comment="Known Spammer" disabled=no src-address=81.180.98.3 
add action=drop chain=bad_people comment="Known Spammer" disabled=no src-address=24.73.97.226 
add action=drop chain=bad_people comment="http://isc.incidents.org/top10.html listed" disabled=no src-address=67.75.20.112 
add action=drop chain=bad_people comment="" disabled=no src-address=218.104.138.166 
add action=drop chain=bad_people comment="" disabled=no src-address=212.3.250.194 
add action=drop chain=bad_people comment="" disabled=no src-address=203.94.243.191 
add action=drop chain=bad_people comment="" disabled=no src-address=202.101.235.100 
add action=drop chain=bad_people comment="" disabled=no src-address=58.16.228.42 
add action=drop chain=bad_people comment="" disabled=no src-address=58.248.8.2 
add action=drop chain=bad_people comment="" disabled=no src-address=202.99.11.99 
add action=drop chain=bad_people comment="" disabled=no src-address=218.52.237.219 
add action=drop chain=bad_people comment="" disabled=no src-address=222.173.101.157 
add action=drop chain=bad_people comment="" disabled=no src-address=58.242.34.235 
add action=drop chain=bad_people comment="" disabled=no src-address=222.80.184.23 
add action=accept chain=forward comment="Allow WIFI access to ALL" disabled=no src-address=192.168.22.0/24 
add action=drop chain=input comment="drop ssh brute forcers" disabled=no dst-port=22 protocol=tcp src-address-list=ssh_blacklist 
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1w3d chain=input comment="" connection-state=new \
    disabled=no dst-port=22 protocol=tcp src-address-list=ssh_stage3 
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m chain=input comment="" connection-state=new \
    disabled=no dst-port=22 protocol=tcp src-address-list=ssh_stage2 
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=input comment="" connection-state=new \
    disabled=no dst-port=22 protocol=tcp src-address-list=ssh_stage1 
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input comment="" connection-state=new \
    disabled=no dst-port=22 protocol=tcp 
add action=drop chain=input comment="allows only 10 FTP login incorrect answers per minute" disabled=no dst-port=21 protocol=tcp \
    src-address-list=ftp_blacklist 
add action=accept chain=output comment="" content="530 Login incorrect" disabled=no dst-limit=1/1m,9,dst-address/1m protocol=tcp 
add action=add-dst-to-address-list address-list=ftp_blacklist address-list-timeout=3h chain=output comment="" content="530 Login \
    incorrect" disabled=no protocol=tcp 
add action=drop chain=forward comment="drop invalid connections DELETE" connection-state=invalid disabled=no 
add action=drop chain=forward comment="Blocks SSH" disabled=no dst-port=22 protocol=tcp 
add action=jump chain=forward comment="Known virus ports DELETE" disabled=no jump-target=known_viruses 
add action=jump chain=forward comment="kill known bad source addresses DELETE" disabled=no jump-target=bad_people 
add action=jump chain=forward comment="Jump to Accepted List" disabled=no jump-target=accept_list 
add action=accept chain=forward comment="allow established connections DELETE" connection-state=established disabled=no 
add action=accept chain=forward comment="allow related connections DELETE" connection-state=related disabled=no 
add action=accept chain=forward comment="Allow All" disabled=no 
/ip firewall nat 
add action=masquerade chain=srcnat comment="" disabled=no src-address=192.168.11.0/24 
add action=dst-nat chain=dstnat comment="" disabled=no dst-address=24.16.119.193 dst-port=3389 protocol=tcp to-addresses=192.168.11.10 \
    to-ports=3389 
add action=dst-nat chain=dstnat comment="" disabled=no dst-address=24.16.119.193 dst-port=80 protocol=tcp to-addresses=192.168.11.10 \
    to-ports=80 
add action=dst-nat chain=dstnat comment="" disabled=no dst-address=24.16.119.193 dst-port=21 protocol=tcp to-addresses=192.168.11.10 \
    to-ports=21 
add action=dst-nat chain=dstnat comment="" disabled=no dst-address=24.16.119.193 dst-port=443 protocol=tcp to-addresses=192.168.11.10 \
    to-ports=443 
/ip firewall service-port 
set ftp disabled=no ports=21 
set tftp disabled=no ports=69 
set irc disabled=no ports=6667 
set h323 disabled=no 
set sip disabled=no 
set pptp disabled=no

ale jestli dobře chápu toto nastavení, tak je nastaven connection tracking, lze toto nějak komentovat co je optimum ??

Ale dál je to horší, chápu přesměrování na porty viz první accept s cílovou adresou, tady je to OK
Potom chápu zahození konkrétních portů + uživatelů (IP)
Dále vidím povolení rozsahu jako WiFi ...
Pak si hrají s SSH přístupem, OK ...

následuje:

Kód: Vybrat vše

add action=accept chain=forward comment="allow established connections DELETE" connection-state=established disabled=no 
add action=accept chain=forward comment="allow related connections DELETE" connection-state=related disabled=no 
add action=accept chain=forward comment="Allow All" disabled=no

a tím končí ... ale nevidím nikde klasické zakázání všeho ostatního, to je default stav ?? to tak přece není ...

A ještě poddotaz, jaké má být správné pořadí, jde se vždy od prvních pravidel dále ? Nebo existuje nějaké doporučení, nebo tak něco ... v demo účtech těchto věcí moc není ...

Prostě něco jako jednoduchý firewall pro bránu, který umožní jen konkrétní porty dovnitř (forward) a cokoliv zevnitř ven ...

Díky za jakékoliv nasměrování ...

Napsal: **18 Mar 2009 07:01**

firewall na MK mi prijde mnohem jednodusi na ovladani nezli na klasickych linux masinach (vcetne bsd). Zkusenosti s nimi mam.
V mikrotiku je to jak se rika polopate a pritom prehledne a funkcni.

Default stav je permanetne povolen, nenasel jsem nikde mozno default stav zmenit.
Coz neni zase takovy problem, na konec vsechn pravidel nej drop a mas vystarano

Napsal: **19 Mar 2009 14:47**

Takže tohle by mohlo být schůdné ?? Díky za každý postřeh a připomínku ...

Kód: Vybrat vše

/ip firewall filter
add action=accept chain=forward comment="Presmerovat HTTP na server" disabled=no dst-address-list=PUBLIC_SERVER dst-port=80 protocol=tcp
add action=accept chain=forward comment="Presmerovat SMTP na server" disabled=no dst-address-list=PUBLIC_SERVER dst-port=25 protocol=tcp
add action=accept chain=forward comment="Presmerovat HTTP(mail) na server" disabled=no dst-address-list=PUBLIC_SERVER dst-port=8080 protocol=tcp
add action=accept chain=forward comment="Presmerovat SIP na VoIP klient" disabled=no dst-address-list=VOIP_CLIENT dst-port=5060 protocol=udp 
add action=accept chain=forward comment="Presmerovat RTP na VoIP klient" disabled=no dst-address-list=VOIP_CLIENT dst-port=5004 protocol=tcp 
add action=accept chain=forward comment="Povolit rozsah adres - LOCAL" disabled=no src-address-list=LOCAL_SUBNET
add action=accept chain=forward comment="Povolit rozsah adres - IPSEC" disabled=no src-address-list=IPSEC_SUBNET
add action=accept chain=forward comment="Povolit established spojení" connection-state=established disabled=no
add action=accept chain=forward comment="Povolit related spojení" connection-state=related disabled=no
add action=drop chain=forward comment="Zbytek (forward) zahodit" disabled=no

add action=accept chain=input comment="Povolit WinBOX na WAN i LAN" disabled=no protocol=tcp dst-port=8291 in-interface=WAN
add action=accept chain=output disabled=no protocol=tcp src-port=8291 out-interface=WAN
add action=accept chain=input disabled=no protocol=tcp dst-port=8291 in-interface=LAN
add action=accept chain=output disabled=no protocol=tcp src-port=8291 out-interface=LAN

add action=accept chain=input comment="Povolit SSH pro LAN rozsah" disabled=no protocol=tcp dst-port=22 in-interface=LAN
add action=accept chain=output disabled=no protocol=tcp src-port=22 out-interface=LAN


add action=accept chain=output comment="Povolit NTP klienta pro tik.cesnet.cz" disabled=no dst-address=195.113.144.201 out-interface=WAN

add action=accept chain=input disabled=no src-address=195.113.144.201 in-interface=WAN connection-state=established
add action=accept chain=output disabled=no dst-address=195.113.144.238 out-interface=WAN

add action=accept chain=input disabled=no src-address=195.113.144.238 in-interface=WAN connection-state=established
add action=accept chain=input comment="Povolit NTP server pro LAN rozsah" disabled=no protocol=udp src-port=123 in-interface=LAN
add action=accept chain=output disabled=no protocol=udp dst-port=123 out-interface=LAN

add action=accept chain=output comment="Povolit DNS pro klienta i pro LAN" disabled=no dst-port=53 out-interface=WAN protocol=udp

add action=accept chain=input disabled=no src-port=53 in-interface=WAN connection-state=established protocol=udp
add action=accept chain=output disabled=no src-port=53 out-interface=LAN protocol=udp

add action=accept chain=input disabled=no dst-port=53 in-interface=LAN protocol=udp

add action=accept chain=output comment="Povolit ICMP komunikaci" disabled=no out-interface=WAN protocol=icmp

add action=accept chain=input disabled=no in-interface=WAN protocol=icmp
add action=accept chain=output disabled=no out-interface=LAN protocol=icmp

add action=accept chain=input disabled=no in-interface=LAN protocol=icmp

add action=accept chain=input comment="Povolit IPSEC komunikaci" disabled=no protocol=ipsec-esp in-interface=WAN
add action=accept chain=output disabled=no protocol=ipsec-esp out-interface=WAN
add action=accept chain=input disabled=no protocol=ipsec-ah in-interface=WAN
add action=accept chain=output disabled=no protocol=ipsec-ah out-interface=WAN

add action=drop chain=input comment="Ostatni na INPUT/OUTPUT zahodit" in-interface=WAN
add action=drop chain=output out-interface=WAN

/ip firewall nat
add action=masquerade chain=srcnat comment="" disabled=no src-address-list=LOCAL_SUBNET out-interface=WAN
add action=add-dst-to-address-list chain=dstnat comment="" disabled=no dst-address-list=PUBLIC_IP dst-port=80 protocol=tcp address-list=PUBLIC_SERVER to-ports=80
add action=add-dst-to-address-list chain=dstnat comment="" disabled=no dst-address-list=PUBLIC_IP dst-port=25 protocol=tcp address-list=PUBLIC_SERVER to-ports=25
add action=add-dst-to-address-list chain=dstnat comment="" disabled=no dst-address-list=PUBLIC_IP dst-port=8080 protocol=tcp address-list=PUBLIC_SERVER to-ports=8080
add action=add-dst-to-address-list chain=dstnat comment="" disabled=no dst-address-list=PUBLIC_IP dst-port=5060 protocol=udp address-list=PUBLIC_SERVER to-ports=5060
add action=add-dst-to-address-list chain=dstnat comment="" disabled=no dst-address-list=PUBLIC_IP dst-port=5004 protocol=udp address-list=PUBLIC_SERVER to-ports=5004

classic.ISPforum.cz

Jak na jednoduchý firewall ?

Jak na jednoduchý firewall ?

Re: Jak na jednoduchý firewall ?

Re: Jak na jednoduchý firewall ?