Nastavení FW RB600
Napsal: 04 Jan 2016 18:17
Zdravím,
Mohl bych poprosit, jestli byste mohli kouknout na nastavení Firewallu? Jestli byste něco přidali, něco je zbytečné, případně přeházeli pořadí pravidel? Něco je okouknuté z netu, něco ode mne samotného. RB600 jako domácí AP/router. Eth1 veřejná IP. Eth2+3+wifi s NATem (maškaráda), každý interface má svůj adresní rozsah (nic není v bridge). Ze služeb běží pouze Winbox a www (www povolené pouze z LAN segmentu). RouterOS 5.26, FW 2.20.
Cílem je mít základně ochráněný samotný RB i lidi za ním v LAN.
Myšlenka je chránit proti DoS (DDoS) útoku, zneužití jako DNS server (na RB běží DNS pro LAN a jsou povolené remote requests), SyncFlood útoku, skenování otevřených portů atd.
Předem díky
H.
/ip firewall filter
add action=accept chain=input comment="SNTP na Mikrotik" disabled=no dst-port=123 protocol=udp
add action=accept chain=input comment="OVPN na Mikrotik" disabled=no dst-address=xx.xx.xx.xx dst-port=1194 protocol=tcp (xxx je moje veřejná IP)
add action=accept chain=input comment="Allow Established connections" connection-state=established disabled=no
add action=accept chain=input comment="Allow related connections" connection-state=related disabled=no
add action=drop chain=input comment="Drop Invalid connections" connection-state=invalid disabled=no
add action=drop chain=input comment=DNS disabled=no port=53 protocol=tcp src-address-list=!povolene
add action=drop chain=input comment=DNS disabled=no port=53 protocol=udp src-address-list=!povolene
add action=drop chain=input disabled=no dst-address=xx.xx.xx.xx (xxx je moje veřejná IP)
add action=add-src-to-address-list address-list=Syn_Flooder address-list-timeout=30m chain=input comment="Add Syn Flood IP to the list" connection-limit=30,32 disabled=no protocol=tcp tcp-flags=syn
add action=drop chain=input comment="Drop to syn flood list" disabled=no src-address-list=Syn_Flooder
add action=add-src-to-address-list address-list=Port_Scanner address-list-timeout=1w chain=input comment="Port Scanner Detect" disabled=no protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="Drop to port scan list" disabled=no src-address-list=Port_Scanner
add action=add-src-to-address-list address-list=black_list_DoS_attack address-list-timeout=1d chain=input comment="detect DoS attack - input" connection-limit=10,32 disabled=no protocol=tcp
add action=tarpit chain=input comment="suppress DoS attack - input" connection-limit=3,32 disabled=no protocol=tcp src-address-list=black_list_DoS_attack
add action=accept chain=input comment="P\F8\EDstup na Mikrotik pro povolen\E9 segmenty" disabled=no src-address-list=povolene
add action=jump chain=input comment="Jump for icmp input flow" disabled=no jump-target=ICMP protocol=icmp
add action=jump chain=input comment="Jump to virus for input flow" disabled=no jump-target=virus
add action=drop chain=input comment="Drop anything else!" disabled=no
add action=jump chain=output comment="Jump for icmp output" disabled=no jump-target=ICMP protocol=icmp
add action=accept chain=output disabled=no dst-port=53 limit=10,10 protocol=tcp
add action=drop chain=output disabled=no dst-port=53 protocol=tcp
add action=accept chain=output disabled=no dst-port=53 limit=10,10 protocol=udp
add action=drop chain=output disabled=no dst-port=53 protocol=udp
add action=jump chain=forward comment="detect DoS attack - forward" connection-state=new disabled=no jump-target=detect-ddos
add action=return chain=detect-ddos comment="detect DoS attack - forward" disabled=no dst-limit=32,64,src-and-dst-addresses/1m40s
add action=add-dst-to-address-list address-list=ddosed address-list-timeout=10m chain=detect-ddos comment="detect DoS attack - forward" disabled=no
add action=add-src-to-address-list address-list=ddoser address-list-timeout=10m chain=detect-ddos comment="detect DoS attack - forward" disabled=no
add action=drop chain=forward comment="drop DoS attack - forward" connection-state=new disabled=no dst-address-list=ddosed src-address-list=ddoser
add action=add-src-to-address-list address-list=spammers address-list-timeout=3h chain=forward comment="Add Spammers to the list for 3 hours" connection-limit=30,32 disabled=no dst-port=25,587 limit=30/1m,0 protocol=tcp
add action=drop chain=forward comment="Avoid spammers action" disabled=no dst-port=25,587 protocol=tcp src-address-list=spammers
add action=jump chain=forward comment="\"SYN Flood protect\"" connection-state=new disabled=no jump-target=SYN-Protect protocol=tcp tcp-flags=syn
add action=accept chain=SYN-Protect comment="\"\"" connection-state=new disabled=no limit=400,5 protocol=tcp tcp-flags=syn
add action=drop chain=SYN-Protect comment="\"\"" connection-state=new disabled=no protocol=tcp tcp-flags=syn
add action=jump chain=forward comment="jump to the virus chain" disabled=no jump-target=virus
add action=drop chain=virus comment="Drop Blaster Worm" disabled=no port=135-139 protocol=tcp
xxxxxxx – zde je x pravidel na různé porty
add action=drop chain=virus comment="AOL Trojan" disabled=no port=30029 protocol=tcp
add action=return chain=virus comment="return from virus chain" disabled=no
add action=drop chain=forward comment="Self-Identification [RFC 3330]" disabled=no src-address=0.0.0.0/8
add action=drop chain=forward disabled=no dst-address=0.0.0.0/8
add action=drop chain=forward comment=Localhost disabled=yes src-address=127.0.0.0/8
add action=drop chain=forward disabled=yes dst-address=127.0.0.0/8
add action=drop chain=forward comment="Loopback [RFC 3330]" disabled=no src-address=127.0.0.0/16
add action=drop chain=forward disabled=no dst-address=127.0.0.0/16
add action=drop chain=forward disabled=no src-address=224.0.0.0/3
add action=drop chain=forward disabled=no dst-address=224.0.0.0/3
add action=drop chain=forward comment="Link Local [RFC 3330]" disabled=no src-address=169.254.0.0/16
add action=drop chain=forward disabled=no dst-address=169.254.0.0/16
add action=drop chain=forward comment="6to4 Relay Anycast [RFC 3068]" disabled=no src-address=192.88.99.0/24
add action=drop chain=forward disabled=no dst-address=192.88.99.0/24
add action=drop chain=forward comment="NIDB Testing" disabled=no src-address=198.18.0.0/15
add action=drop chain=forward disabled=no dst-address=198.18.0.0/15
add action=drop chain=forward comment="Reserved - IANA - TestNet1" disabled=no src-address=192.0.2.0/24
add action=drop chain=forward disabled=no dst-address=192.0.2.0/24
add action=drop chain=forward comment="Reserved - IANA - TestNet2" disabled=no src-address=198.51.100.0/24
add action=drop chain=forward disabled=no dst-address=198.51.100.0/24
add action=drop chain=forward comment="Reserved - IANA - TestNet3" disabled=no src-address=203.0.113.0/24
add action=drop chain=forward disabled=no dst-address=203.0.113.0/24
add action=drop chain=forward comment="deny TFTP" disabled=no dst-port=69 protocol=tcp
add action=drop chain=forward comment="deny RPC portmapper" disabled=no dst-port=111 protocol=tcp
add action=drop chain=forward comment="deny PRC portmapper" disabled=no dst-port=111 protocol=udp
add action=drop chain=forward comment="deny RPC portmapper" disabled=no dst-port=135 protocol=tcp
add action=drop chain=forward comment="deny PRC portmapper" disabled=no dst-port=135 protocol=udp
add action=drop chain=forward comment="deny NBT" disabled=no dst-port=137-139 protocol=tcp
add action=drop chain=forward comment="deny cifs" disabled=no dst-port=445 protocol=tcp
add action=drop chain=forward comment="deny NFS" disabled=no dst-port=2049 protocol=tcp
add action=drop chain=forward comment="deny NetBus" disabled=no dst-port=12345-12346 protocol=tcp
add action=drop chain=forward comment="deny NetBus" disabled=no dst-port=20034 protocol=tcp
add action=drop chain=forward comment="deny BackOriffice" disabled=no dst-port=3133 protocol=tcp
add action=drop chain=forward comment="deny DHCP" disabled=no dst-port=67-68 protocol=tcp
add action=drop chain=forward comment="deny TFTP" disabled=no dst-port=69 protocol=udp
add action=drop chain=forward comment="deny NBT" disabled=no dst-port=137-139 protocol=udp
add action=drop chain=forward comment="deny NFS" disabled=no dst-port=2049 protocol=udp
add action=drop chain=forward comment="deny BackOriffice" disabled=no dst-port=3133 protocol=udp
add action=accept chain=forward comment="allow established connections" connection-state=established disabled=no protocol=!icmp
add action=accept chain=forward comment="allow related connections" connection-state=related disabled=no
add action=drop chain=forward comment="drop invalid connections" connection-state=invalid disabled=no
add action=jump chain=forward comment="Jump for icmp forward flow" disabled=no jump-target=ICMP protocol=icmp
add action=accept chain=ICMP comment="Echo request - Avoiding Ping Flood" disabled=no icmp-options=8:0 limit=1,5 protocol=icmp
add action=accept chain=ICMP comment="Echo reply" disabled=no icmp-options=0:0 protocol=icmp
add action=accept chain=ICMP comment="Time Exceeded" disabled=no icmp-options=11:0 protocol=icmp
add action=accept chain=ICMP comment="Destination unreachable" disabled=no icmp-options=3:0-1 protocol=icmp
add action=accept chain=ICMP comment=PMTUD disabled=no icmp-options=3:4 protocol=icmp
add action=accept chain=ICMP comment="allow parameter bad" disabled=no icmp-options=12:0 protocol=icmp
add action=accept chain=ICMP comment="allow source quench" disabled=no icmp-options=4:0 protocol=icmp
add action=drop chain=ICMP comment="Drop to the other ICMPs" disabled=no protocol=icmp
add action=accept chain=forward disabled=yes dst-port=53 protocol=tcp
add action=accept chain=forward disabled=yes dst-port=53 protocol=udp
add action=drop chain=forward comment="drop everything else" disabled=no
Mohl bych poprosit, jestli byste mohli kouknout na nastavení Firewallu? Jestli byste něco přidali, něco je zbytečné, případně přeházeli pořadí pravidel? Něco je okouknuté z netu, něco ode mne samotného. RB600 jako domácí AP/router. Eth1 veřejná IP. Eth2+3+wifi s NATem (maškaráda), každý interface má svůj adresní rozsah (nic není v bridge). Ze služeb běží pouze Winbox a www (www povolené pouze z LAN segmentu). RouterOS 5.26, FW 2.20.
Cílem je mít základně ochráněný samotný RB i lidi za ním v LAN.
Myšlenka je chránit proti DoS (DDoS) útoku, zneužití jako DNS server (na RB běží DNS pro LAN a jsou povolené remote requests), SyncFlood útoku, skenování otevřených portů atd.
Předem díky
H.
/ip firewall filter
add action=accept chain=input comment="SNTP na Mikrotik" disabled=no dst-port=123 protocol=udp
add action=accept chain=input comment="OVPN na Mikrotik" disabled=no dst-address=xx.xx.xx.xx dst-port=1194 protocol=tcp (xxx je moje veřejná IP)
add action=accept chain=input comment="Allow Established connections" connection-state=established disabled=no
add action=accept chain=input comment="Allow related connections" connection-state=related disabled=no
add action=drop chain=input comment="Drop Invalid connections" connection-state=invalid disabled=no
add action=drop chain=input comment=DNS disabled=no port=53 protocol=tcp src-address-list=!povolene
add action=drop chain=input comment=DNS disabled=no port=53 protocol=udp src-address-list=!povolene
add action=drop chain=input disabled=no dst-address=xx.xx.xx.xx (xxx je moje veřejná IP)
add action=add-src-to-address-list address-list=Syn_Flooder address-list-timeout=30m chain=input comment="Add Syn Flood IP to the list" connection-limit=30,32 disabled=no protocol=tcp tcp-flags=syn
add action=drop chain=input comment="Drop to syn flood list" disabled=no src-address-list=Syn_Flooder
add action=add-src-to-address-list address-list=Port_Scanner address-list-timeout=1w chain=input comment="Port Scanner Detect" disabled=no protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="Drop to port scan list" disabled=no src-address-list=Port_Scanner
add action=add-src-to-address-list address-list=black_list_DoS_attack address-list-timeout=1d chain=input comment="detect DoS attack - input" connection-limit=10,32 disabled=no protocol=tcp
add action=tarpit chain=input comment="suppress DoS attack - input" connection-limit=3,32 disabled=no protocol=tcp src-address-list=black_list_DoS_attack
add action=accept chain=input comment="P\F8\EDstup na Mikrotik pro povolen\E9 segmenty" disabled=no src-address-list=povolene
add action=jump chain=input comment="Jump for icmp input flow" disabled=no jump-target=ICMP protocol=icmp
add action=jump chain=input comment="Jump to virus for input flow" disabled=no jump-target=virus
add action=drop chain=input comment="Drop anything else!" disabled=no
add action=jump chain=output comment="Jump for icmp output" disabled=no jump-target=ICMP protocol=icmp
add action=accept chain=output disabled=no dst-port=53 limit=10,10 protocol=tcp
add action=drop chain=output disabled=no dst-port=53 protocol=tcp
add action=accept chain=output disabled=no dst-port=53 limit=10,10 protocol=udp
add action=drop chain=output disabled=no dst-port=53 protocol=udp
add action=jump chain=forward comment="detect DoS attack - forward" connection-state=new disabled=no jump-target=detect-ddos
add action=return chain=detect-ddos comment="detect DoS attack - forward" disabled=no dst-limit=32,64,src-and-dst-addresses/1m40s
add action=add-dst-to-address-list address-list=ddosed address-list-timeout=10m chain=detect-ddos comment="detect DoS attack - forward" disabled=no
add action=add-src-to-address-list address-list=ddoser address-list-timeout=10m chain=detect-ddos comment="detect DoS attack - forward" disabled=no
add action=drop chain=forward comment="drop DoS attack - forward" connection-state=new disabled=no dst-address-list=ddosed src-address-list=ddoser
add action=add-src-to-address-list address-list=spammers address-list-timeout=3h chain=forward comment="Add Spammers to the list for 3 hours" connection-limit=30,32 disabled=no dst-port=25,587 limit=30/1m,0 protocol=tcp
add action=drop chain=forward comment="Avoid spammers action" disabled=no dst-port=25,587 protocol=tcp src-address-list=spammers
add action=jump chain=forward comment="\"SYN Flood protect\"" connection-state=new disabled=no jump-target=SYN-Protect protocol=tcp tcp-flags=syn
add action=accept chain=SYN-Protect comment="\"\"" connection-state=new disabled=no limit=400,5 protocol=tcp tcp-flags=syn
add action=drop chain=SYN-Protect comment="\"\"" connection-state=new disabled=no protocol=tcp tcp-flags=syn
add action=jump chain=forward comment="jump to the virus chain" disabled=no jump-target=virus
add action=drop chain=virus comment="Drop Blaster Worm" disabled=no port=135-139 protocol=tcp
xxxxxxx – zde je x pravidel na různé porty
add action=drop chain=virus comment="AOL Trojan" disabled=no port=30029 protocol=tcp
add action=return chain=virus comment="return from virus chain" disabled=no
add action=drop chain=forward comment="Self-Identification [RFC 3330]" disabled=no src-address=0.0.0.0/8
add action=drop chain=forward disabled=no dst-address=0.0.0.0/8
add action=drop chain=forward comment=Localhost disabled=yes src-address=127.0.0.0/8
add action=drop chain=forward disabled=yes dst-address=127.0.0.0/8
add action=drop chain=forward comment="Loopback [RFC 3330]" disabled=no src-address=127.0.0.0/16
add action=drop chain=forward disabled=no dst-address=127.0.0.0/16
add action=drop chain=forward disabled=no src-address=224.0.0.0/3
add action=drop chain=forward disabled=no dst-address=224.0.0.0/3
add action=drop chain=forward comment="Link Local [RFC 3330]" disabled=no src-address=169.254.0.0/16
add action=drop chain=forward disabled=no dst-address=169.254.0.0/16
add action=drop chain=forward comment="6to4 Relay Anycast [RFC 3068]" disabled=no src-address=192.88.99.0/24
add action=drop chain=forward disabled=no dst-address=192.88.99.0/24
add action=drop chain=forward comment="NIDB Testing" disabled=no src-address=198.18.0.0/15
add action=drop chain=forward disabled=no dst-address=198.18.0.0/15
add action=drop chain=forward comment="Reserved - IANA - TestNet1" disabled=no src-address=192.0.2.0/24
add action=drop chain=forward disabled=no dst-address=192.0.2.0/24
add action=drop chain=forward comment="Reserved - IANA - TestNet2" disabled=no src-address=198.51.100.0/24
add action=drop chain=forward disabled=no dst-address=198.51.100.0/24
add action=drop chain=forward comment="Reserved - IANA - TestNet3" disabled=no src-address=203.0.113.0/24
add action=drop chain=forward disabled=no dst-address=203.0.113.0/24
add action=drop chain=forward comment="deny TFTP" disabled=no dst-port=69 protocol=tcp
add action=drop chain=forward comment="deny RPC portmapper" disabled=no dst-port=111 protocol=tcp
add action=drop chain=forward comment="deny PRC portmapper" disabled=no dst-port=111 protocol=udp
add action=drop chain=forward comment="deny RPC portmapper" disabled=no dst-port=135 protocol=tcp
add action=drop chain=forward comment="deny PRC portmapper" disabled=no dst-port=135 protocol=udp
add action=drop chain=forward comment="deny NBT" disabled=no dst-port=137-139 protocol=tcp
add action=drop chain=forward comment="deny cifs" disabled=no dst-port=445 protocol=tcp
add action=drop chain=forward comment="deny NFS" disabled=no dst-port=2049 protocol=tcp
add action=drop chain=forward comment="deny NetBus" disabled=no dst-port=12345-12346 protocol=tcp
add action=drop chain=forward comment="deny NetBus" disabled=no dst-port=20034 protocol=tcp
add action=drop chain=forward comment="deny BackOriffice" disabled=no dst-port=3133 protocol=tcp
add action=drop chain=forward comment="deny DHCP" disabled=no dst-port=67-68 protocol=tcp
add action=drop chain=forward comment="deny TFTP" disabled=no dst-port=69 protocol=udp
add action=drop chain=forward comment="deny NBT" disabled=no dst-port=137-139 protocol=udp
add action=drop chain=forward comment="deny NFS" disabled=no dst-port=2049 protocol=udp
add action=drop chain=forward comment="deny BackOriffice" disabled=no dst-port=3133 protocol=udp
add action=accept chain=forward comment="allow established connections" connection-state=established disabled=no protocol=!icmp
add action=accept chain=forward comment="allow related connections" connection-state=related disabled=no
add action=drop chain=forward comment="drop invalid connections" connection-state=invalid disabled=no
add action=jump chain=forward comment="Jump for icmp forward flow" disabled=no jump-target=ICMP protocol=icmp
add action=accept chain=ICMP comment="Echo request - Avoiding Ping Flood" disabled=no icmp-options=8:0 limit=1,5 protocol=icmp
add action=accept chain=ICMP comment="Echo reply" disabled=no icmp-options=0:0 protocol=icmp
add action=accept chain=ICMP comment="Time Exceeded" disabled=no icmp-options=11:0 protocol=icmp
add action=accept chain=ICMP comment="Destination unreachable" disabled=no icmp-options=3:0-1 protocol=icmp
add action=accept chain=ICMP comment=PMTUD disabled=no icmp-options=3:4 protocol=icmp
add action=accept chain=ICMP comment="allow parameter bad" disabled=no icmp-options=12:0 protocol=icmp
add action=accept chain=ICMP comment="allow source quench" disabled=no icmp-options=4:0 protocol=icmp
add action=drop chain=ICMP comment="Drop to the other ICMPs" disabled=no protocol=icmp
add action=accept chain=forward disabled=yes dst-port=53 protocol=tcp
add action=accept chain=forward disabled=yes dst-port=53 protocol=udp
add action=drop chain=forward comment="drop everything else" disabled=no
