Mikrotik VPN PPTP
Mikrotik VPN PPTP
Ahoj, mám otázku: když použiju do domácí sítě nějaký free PPTP server a nastavím ho na MikroTiku jako klienta, nemůže se přes ten PPTP server MikroTik nakazit virem nebo zapojit do botnetu? Děkuji
To dost dobře nejde. Doporučuji s rozhraním VPN vedoucím na nějaký free server zacházet stejně jako s rozhraním WAN.
Myslíte, že bude stačit toto?
# PPTP client towards the remote (free) PPTP server. The credentials are
# given on the command line and are echoed back by `print detail` below,
# so `password=123` here is a placeholder that has to be replaced, and
# exports/backups of this router will contain the real one in clear.
/interface pptp-client add name=pptp-hm user=pptp-hm password=123 connect-to=10.1.101.100 disabled=no
# The lines after this command are console OUTPUT of `print detail`,
# not commands to paste.
/interface pptp-client print detail
Flags: X - disabled, R - running
0 name="pptp-hm" max-mtu=1460 max-mru=1460 mrru=disabled
connect-to=10.1.101.100 user="pptp-hm" password="123"
# add-default-route=no: the tunnel does not become the default route, so
# only traffic routed explicitly into pptp-hm leaves through it.
profile=default-encryption add-default-route=no dial-on-demand=no
# `allow=` lists every auth method the client will accept, including PAP
# (password sent in clear) and MSCHAPv1; the client has no say in which
# one the remote server picks. PPTP/MPPE itself is considered weak, so
# nothing carried over this tunnel should be treated as confidential.
# None of the filter rules posted below references the pptp-hm interface,
# i.e. the tunnel is not yet treated as an untrusted (WAN-like) interface.
allow=pap,chap,mschap1,mschap2
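# Forward-chain drops for well-known legacy worm/backdoor ports.
# - chain=forward: protects hosts BEHIND the router only; nothing here
#   filters traffic to the router itself (input chain).
# - No in-interface/src-address matcher: the rules apply to traffic from
#   every interface, LAN and the pptp-hm tunnel included, in both
#   directions.
# - This is a blocklist of old port numbers, not a default-deny policy;
#   it does not stop a modern bot talking outbound over tcp/443.
# - The range drop dst-port=1024-1030 can also hit legitimate services
#   that happen to listen there; review before applying.
# Changed against the original paste: the second tcp/2745 rule
# (comment="Drop Beagle.C-K") duplicated the "Bagle forward" rule and
# could never match, so it is removed.
/ip firewall filter add chain=forward protocol=tcp dst-port=135-139 action=drop comment="Drop Blaster Worm"
/ip firewall filter add chain=forward protocol=udp dst-port=135-139 action=drop comment="Drop Messenger Worm"
/ip firewall filter add chain=forward protocol=tcp dst-port=445 action=drop comment="Drop Blaster Worm"
/ip firewall filter add chain=forward protocol=udp dst-port=445 action=drop comment="Drop Blaster Worm"
/ip firewall filter add chain=forward protocol=tcp dst-port=593 action=drop comment="________"
/ip firewall filter add chain=forward protocol=tcp dst-port=1024-1030 action=drop comment="________"
/ip firewall filter add chain=forward protocol=tcp dst-port=1080 action=drop comment="Drop MyDoom"
/ip firewall filter add chain=forward protocol=tcp dst-port=1214 action=drop comment="________"
/ip firewall filter add chain=forward protocol=tcp dst-port=1363 action=drop comment="ndm requester"
/ip firewall filter add chain=forward protocol=tcp dst-port=1364 action=drop comment="ndm server"
/ip firewall filter add chain=forward protocol=tcp dst-port=1368 action=drop comment="screen cast"
/ip firewall filter add chain=forward protocol=tcp dst-port=1373 action=drop comment="hromgrafx"
/ip firewall filter add chain=forward protocol=tcp dst-port=1377 action=drop comment="cichlid"
/ip firewall filter add chain=forward protocol=tcp dst-port=1433-1434 action=drop comment="Worm"
/ip firewall filter add chain=forward protocol=tcp dst-port=2745 action=drop comment="Bagle forward"
/ip firewall filter add chain=forward protocol=tcp dst-port=2283 action=drop comment="Drop Dumaru.Y"
/ip firewall filter add chain=forward protocol=tcp dst-port=2535 action=drop comment="Drop Beagle"
/ip firewall filter add chain=forward protocol=tcp dst-port=3127-3128 action=drop comment="Drop MyDoom"
/ip firewall filter add chain=forward protocol=tcp dst-port=3410 action=drop comment="Drop Backdoor OptixPro"
/ip firewall filter add chain=forward protocol=tcp dst-port=4444 action=drop comment="Worm"
/ip firewall filter add chain=forward protocol=udp dst-port=4444 action=drop comment="Worm"
/ip firewall filter add chain=forward protocol=tcp dst-port=5554 action=drop comment="Drop Sasser"
/ip firewall filter add chain=forward protocol=tcp dst-port=8866 action=drop comment="Drop Beagle.B"
/ip firewall filter add chain=forward protocol=tcp dst-port=9898 action=drop comment="Drop Dabber.A-B"
/ip firewall filter add chain=forward protocol=tcp dst-port=10000 action=drop comment="Drop Dumaru.Y"
/ip firewall filter add chain=forward protocol=tcp dst-port=10080 action=drop comment="Drop MyDoom.B"
/ip firewall filter add chain=forward protocol=tcp dst-port=12345 action=drop comment="Drop NetBus"
/ip firewall filter add chain=forward protocol=tcp dst-port=17300 action=drop comment="Drop Kuang2"
/ip firewall filter add chain=forward protocol=tcp dst-port=27374 action=drop comment="Drop SubSeven"
/ip firewall filter add chain=forward protocol=tcp dst-port=65506 action=drop comment="Drop PhatBot, Agobot, Gaobot"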
# DDoS detection snippet pasted from a different network: the interface
# name "ether1 - [Fiber1]" and the DNS_Servers / NuskopeInternal address
# lists are site-specific and are not defined anywhere in this listing.
# Every rule carries disabled=yes, so as pasted none of it is active.
# These relative `add` lines also assume the `/ip firewall filter`
# context, which the absolute-path commands above do not enter.
add action=log chain=notes comment="START DDOS Detection and Nurf"
# chain=notes is never jumped to by any rule in this listing; the two
# log rules are only markers around the section.
add action=jump chain=forward connection-state=new disabled=yes in-interface="ether1 - [Fiber1]" jump-target=detect-ddos
# Leave the chain early for DNS traffic in either direction and while
# the per-destination rate stays under dst-limit (5000/10s, burst 6000).
add action=return chain=detect-ddos disabled=yes dst-address-list=DNS_Servers
add action=return chain=detect-ddos disabled=yes src-address-list=DNS_Servers
add action=return chain=detect-ddos disabled=yes dst-limit=5000,6000,dst-address/10s
# Past the limit: a destination already in ddos_stage1 is promoted to
# ddosed (10m); an internal destination enters ddos_stage1 (1m); every
# external source is recorded in ddoser (5m). The ddosed rule is listed
# before the ddos_stage1 rule on purpose, so promotion needs a second hit.
add action=add-dst-to-address-list address-list=ddosed address-list-timeout=10m chain=detect-ddos connection-state=new disabled=yes dst-address-list=ddos_stage1
add action=add-dst-to-address-list address-list=ddos_stage1 address-list-timeout=1m chain=detect-ddos disabled=yes dst-address-list=NuskopeInternal
add action=add-src-to-address-list address-list=ddoser address-list-timeout=5m chain=detect-ddos disabled=yes src-address-list=!NuskopeInternal
# Drop new connections between a listed attacker and a listed victim,
# both for forwarded traffic and for the router's own outgoing traffic.
add action=drop chain=forward connection-state=new disabled=yes dst-address-list=ddosed src-address-list=ddoser
add action=drop chain=output connection-state=new disabled=yes dst-address-list=ddosed src-address-list=ddoser
add action=log chain=notes comment="END DDOS Detection and Nurf"
# FTP/SSH brute-force throttling for the router's OWN services
# (chain=input / chain=output), the well-known MikroTik wiki pattern.
# The same rules appear a second time further down in this listing with
# different stage timeouts (1m here versus 10m there); only one copy
# should be applied, otherwise the lists are fed twice.
# Rule order matters: the blacklist drop must stay before the stage
# rules, and the unconditioned stage1 rule must stay last.
add chain=input protocol=tcp dst-port=21 src-address-list=ftp_blacklist action=drop \
comment="drop ftp brute forcers"
# content= matching on the output chain inspects the router's own FTP
# replies: failures within dst-limit (1/1m, burst 9, per destination) are
# accepted, the next one puts that client into ftp_blacklist for 3h.
add chain=output action=accept protocol=tcp content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m
add chain=output action=add-dst-to-address-list protocol=tcp content="530 Login incorrect" \
address-list=ftp_blacklist address-list-timeout=3h
# SSH: each new connection moves the source one stage up
# (ssh_stage1 -> ssh_stage2 -> ssh_stage3 -> ssh_blacklist). Stage
# entries expire after 1m, a blacklist entry after 10d. Note this counts
# new connections, not failed logins, so an admin reconnecting four
# times within a minute is blacklisted too.
add chain=input protocol=tcp dst-port=22 src-address-list=ssh_blacklist action=drop \
comment="drop ssh brute forcers" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new \
src-address-list=ssh_stage3 action=add-src-to-address-list address-list=ssh_blacklist \
address-list-timeout=10d comment="" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new \
src-address-list=ssh_stage2 action=add-src-to-address-list address-list=ssh_stage3 \
address-list-timeout=1m comment="" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage1 \
action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m comment="" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new action=add-src-to-address-list \
address-list=ssh_stage1 address-list-timeout=1m comment="" disabled=no
##########################################################################
#### Remove HASH # sign if you want to apply the required rule #
#### Syed Jahanzaib / aacable@hotmail.com / http://aacabel.wordpress.com #
##########################################################################
# Header of the third pasted script. It enters the `/ip firewall filter`
# context and uses relative `add` lines; combined with the absolute-path
# rules above, the same ports end up filtered twice in the forward chain.
/ip firewall filter
# Stateful basics for the router itself. A rule without action= accepts.
add chain=input connection-state=established comment="Accept established connections"
add chain=input connection-state=related comment="Accept related connections"
add chain=input connection-state=invalid action=drop comment="invalid connections"
# Accepts ALL UDP to the router on EVERY interface (no in-interface, no
# dst-port): any UDP service the router runs (DNS, SNMP, NTP, ...) is
# reachable from the WAN and from the pptp-hm tunnel, and because this
# rule comes first, the commented-out udp/53 drop below would never be
# reached. Narrow it to the needed ports/interfaces or remove it.
add chain=input protocol=udp action=accept comment="UDP" disabled=no
add chain=forward connection-state=invalid action=drop comment="invalid connections"
# There is no unconditional "drop everything else" rule on the input
# chain anywhere in this listing, so the router itself stays
# allow-by-default; that is the missing piece for treating the VPN
# interface like WAN.
#### ALLOW VPN (PPTP) CONNECTIONS TO MIKROTIK VPN SERVER
# These two are for a MikroTik acting as PPTP *server* (inbound tcp/1723
# plus GRE); the poster's router is a PPTP *client* and does not need them.
#add action=accept chain=input disabled=no dst-port=1723 protocol=tcp
#add action=accept chain=input disabled=no protocol=gre
#### TO BLOCK DNS ATTACK on WAN INTERFACE
#/ip firewall filter
#add chain=input action=drop dst-port=53 protocol=udp in-interface=ether1 # WAN INTERFACE
#add chain=input action=drop dst-port=53 protocol=tcp in-interface=ether1 # WAN INTERFACE
#### TO BLOCK PROXY ACCESS PORT 8080 / ATTACK on WAN INTERFACE
#add chain=input action=drop dst-port=8080 protocol=tcp in-interface=ether1 # WAN INTERFACE
#### TO BLOCK ICMP TRAFFIC EXCEPT FROM THE Management PC IP
# Blocking ICMP Traffic, saves you from many headaches
# add action=drop chain=input comment="PING REPLY" disabled=no protocol=icmp src-address=!10.10.0.4
#### TO BLOCK TRACEROUTE TRAFFIC
#/ip firewall add action=drop chain=forward comment="Traceroute" disabled=no \
# icmp-options=11:0 protocol=icmp
# add action=drop chain=forward comment="" disabled=no icmp-options=3:3 \
# protocol=icmp
# add action=drop chain=input comment="Disable ICMP ping" disabled=no protocol=\
# icmp
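#### TO BLOCK COMMON VIRUS PORTS
# Custom chain "virus" with the same legacy port blocklist as the
# absolute-path rules earlier in this listing. It only takes effect
# through the jump rule at the end, which is in chain=forward, so the
# router's own input chain is not covered by it.
# Changed against the original paste: the HTML markup that the forum
# software had injected into two comment="..." values (which would make
# RouterOS reject those lines) is stripped, and the second tcp/2745 rule
# (comment="Beagle.C-K"), which duplicated the "Bagle Virus" rule and
# could never match, is removed.
add chain=virus protocol=tcp dst-port=135-139 action=drop comment="Blaster Worm"
add chain=virus protocol=udp dst-port=135-139 action=drop comment="Messenger Worm"
add chain=virus protocol=tcp dst-port=445 action=drop comment="Blaster Worm"
add chain=virus protocol=udp dst-port=445 action=drop comment="Blaster Worm"
add chain=virus protocol=tcp dst-port=593 action=drop comment="________"
add chain=virus protocol=tcp dst-port=1024-1030 action=drop comment="________"
add chain=virus protocol=tcp dst-port=1080 action=drop comment="MyDoom"
add chain=virus protocol=tcp dst-port=1214 action=drop comment="________"
add chain=virus protocol=tcp dst-port=1363 action=drop comment="ndm requester"
add chain=virus protocol=tcp dst-port=1364 action=drop comment="ndm server"
add chain=virus protocol=tcp dst-port=1368 action=drop comment="screen cast"
add chain=virus protocol=tcp dst-port=1373 action=drop comment="hromgrafx"
add chain=virus protocol=tcp dst-port=1377 action=drop comment="cichlid"
add chain=virus protocol=tcp dst-port=1433-1434 action=drop comment="Worm"
add chain=virus protocol=tcp dst-port=2745 action=drop comment="Bagle Virus"
add chain=virus protocol=tcp dst-port=2283 action=drop comment="Dumaru.Y"
add chain=virus protocol=tcp dst-port=2535 action=drop comment="Beagle"
add chain=virus protocol=tcp dst-port=3127-3128 action=drop comment="MyDoom"
add chain=virus protocol=tcp dst-port=3410 action=drop comment="Backdoor OptixPro"
add chain=virus protocol=tcp dst-port=4444 action=drop comment="Worm"
add chain=virus protocol=udp dst-port=4444 action=drop comment="Worm"
add chain=virus protocol=tcp dst-port=5554 action=drop comment="Sasser"
add chain=virus protocol=tcp dst-port=8866 action=drop comment="Beagle.B"
add chain=virus protocol=tcp dst-port=9898 action=drop comment="Dabber.A-B"
add chain=virus protocol=tcp dst-port=10000 action=drop comment="Dumaru.Y"
add chain=virus protocol=tcp dst-port=10080 action=drop comment="MyDoom.B"
add chain=virus protocol=tcp dst-port=12345 action=drop comment="NetBus"
add chain=virus protocol=tcp dst-port=17300 action=drop comment="Kuang2"
add chain=virus protocol=tcp dst-port=27374 action=drop comment="SubSeven"
add chain=virus protocol=tcp dst-port=65506 action=drop comment="PhatBot, Agobot, Gaobot"
# Only forwarded traffic is sent through the virus chain (all interfaces,
# both directions, since no in-interface is given).
add chain=forward action=jump jump-target=virus comment="jump to the virus chain"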
#Drop port scanners
# Port-scan detection on the router's own input chain. psd=21,3s,3,1 is
# RouterOS' port-scan heuristic; the other rules match TCP flag
# combinations that normal stacks never send. Matching sources land in
# the "port scanners" list for 2w. Because the source address is taken
# from the packet, a scan with a spoofed source can get an innocent
# address (including a legitimate peer) blocked for two weeks; a shorter
# timeout limits that exposure.
add chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="Port scanners to list " disabled=no
add chain=input protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="NMAP FIN Stealth scan"
add chain=input protocol=tcp tcp-flags=fin,syn action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="SYN/FIN scan"
add chain=input protocol=tcp tcp-flags=syn,rst action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="SYN/RST scan"
add chain=input protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="FIN/PSH/URG scan"
add chain=input protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="ALL/ALL scan"
add chain=input protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="NMAP NULL scan"
# The drop has no protocol= matcher, so it drops everything (not only
# TCP) from listed sources to the router; forwarded traffic from them is
# not affected. It sits after the established/related accepts above, so
# already open connections survive.
add chain=input src-address-list="port scanners" action=drop comment="ping port scanners" disabled=no
#Bruteforce login prevention
# Second copy of the FTP/SSH brute-force rules already pasted above (same
# lists ftp_blacklist / ssh_stage1..3 / ssh_blacklist, but 10m instead of
# 1m stage timeouts). Apply one copy only.
add chain=input protocol=tcp dst-port=21 src-address-list=ftp_blacklist action=drop comment="ftp brute forcers"
# Counts the router's own "530 Login incorrect" FTP replies per client;
# beyond dst-limit (1/1m, burst 9) the client is blacklisted for 3h.
add chain=output action=accept protocol=tcp content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m
add chain=output action=add-dst-to-address-list protocol=tcp content="530 Login incorrect" address-list=ftp_blacklist address-list-timeout=3h
#This bans an SSH brute forcer for 10 days after repeated connection attempts
#(stage1 expires after 1m, stage2/stage3 after 10m; the rules count new
#connections, not failed logins).
add chain=input protocol=tcp dst-port=22 src-address-list=ssh_blacklist action=drop comment="ssh brute forcers" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage3 action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=10d comment="" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage2 action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=10m comment="" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage1 action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=10m comment="" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m comment="" disabled=no
#If you want to block downstream access as well, you need to block them with the forward chain:
# Reuses ssh_blacklist (fed only by attempts against the router itself)
# to also drop SSH from those sources towards hosts behind the router.
add chain=forward protocol=tcp dst-port=22 src-address-list=ssh_blacklist action=drop comment="ssh brute downstream" disabled=no
# (Quoted from the post above.)
# PPTP client towards the remote (free) PPTP server. The credentials are
# given on the command line and are echoed back by `print detail` below,
# so `password=123` here is a placeholder that has to be replaced, and
# exports/backups of this router will contain the real one in clear.
/interface pptp-client add name=pptp-hm user=pptp-hm password=123 connect-to=10.1.101.100 disabled=no
# The lines after this command are console OUTPUT of `print detail`,
# not commands to paste.
/interface pptp-client print detail
Flags: X - disabled, R - running
0 name="pptp-hm" max-mtu=1460 max-mru=1460 mrru=disabled
connect-to=10.1.101.100 user="pptp-hm" password="123"
# add-default-route=no: the tunnel does not become the default route, so
# only traffic routed explicitly into pptp-hm leaves through it.
profile=default-encryption add-default-route=no dial-on-demand=no
# `allow=` lists every auth method the client will accept, including PAP
# (password sent in clear) and MSCHAPv1; the client has no say in which
# one the remote server picks. PPTP/MPPE itself is considered weak, so
# nothing carried over this tunnel should be treated as confidential.
# None of the filter rules posted below references the pptp-hm interface,
# i.e. the tunnel is not yet treated as an untrusted (WAN-like) interface.
allow=pap,chap,mschap1,mschap2
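# Forward-chain drops for well-known legacy worm/backdoor ports.
# - chain=forward: protects hosts BEHIND the router only; nothing here
#   filters traffic to the router itself (input chain).
# - No in-interface/src-address matcher: the rules apply to traffic from
#   every interface, LAN and the pptp-hm tunnel included, in both
#   directions.
# - This is a blocklist of old port numbers, not a default-deny policy;
#   it does not stop a modern bot talking outbound over tcp/443.
# - The range drop dst-port=1024-1030 can also hit legitimate services
#   that happen to listen there; review before applying.
# Changed against the original paste: the second tcp/2745 rule
# (comment="Drop Beagle.C-K") duplicated the "Bagle forward" rule and
# could never match, so it is removed.
/ip firewall filter add chain=forward protocol=tcp dst-port=135-139 action=drop comment="Drop Blaster Worm"
/ip firewall filter add chain=forward protocol=udp dst-port=135-139 action=drop comment="Drop Messenger Worm"
/ip firewall filter add chain=forward protocol=tcp dst-port=445 action=drop comment="Drop Blaster Worm"
/ip firewall filter add chain=forward protocol=udp dst-port=445 action=drop comment="Drop Blaster Worm"
/ip firewall filter add chain=forward protocol=tcp dst-port=593 action=drop comment="________"
/ip firewall filter add chain=forward protocol=tcp dst-port=1024-1030 action=drop comment="________"
/ip firewall filter add chain=forward protocol=tcp dst-port=1080 action=drop comment="Drop MyDoom"
/ip firewall filter add chain=forward protocol=tcp dst-port=1214 action=drop comment="________"
/ip firewall filter add chain=forward protocol=tcp dst-port=1363 action=drop comment="ndm requester"
/ip firewall filter add chain=forward protocol=tcp dst-port=1364 action=drop comment="ndm server"
/ip firewall filter add chain=forward protocol=tcp dst-port=1368 action=drop comment="screen cast"
/ip firewall filter add chain=forward protocol=tcp dst-port=1373 action=drop comment="hromgrafx"
/ip firewall filter add chain=forward protocol=tcp dst-port=1377 action=drop comment="cichlid"
/ip firewall filter add chain=forward protocol=tcp dst-port=1433-1434 action=drop comment="Worm"
/ip firewall filter add chain=forward protocol=tcp dst-port=2745 action=drop comment="Bagle forward"
/ip firewall filter add chain=forward protocol=tcp dst-port=2283 action=drop comment="Drop Dumaru.Y"
/ip firewall filter add chain=forward protocol=tcp dst-port=2535 action=drop comment="Drop Beagle"
/ip firewall filter add chain=forward protocol=tcp dst-port=3127-3128 action=drop comment="Drop MyDoom"
/ip firewall filter add chain=forward protocol=tcp dst-port=3410 action=drop comment="Drop Backdoor OptixPro"
/ip firewall filter add chain=forward protocol=tcp dst-port=4444 action=drop comment="Worm"
/ip firewall filter add chain=forward protocol=udp dst-port=4444 action=drop comment="Worm"
/ip firewall filter add chain=forward protocol=tcp dst-port=5554 action=drop comment="Drop Sasser"
/ip firewall filter add chain=forward protocol=tcp dst-port=8866 action=drop comment="Drop Beagle.B"
/ip firewall filter add chain=forward protocol=tcp dst-port=9898 action=drop comment="Drop Dabber.A-B"
/ip firewall filter add chain=forward protocol=tcp dst-port=10000 action=drop comment="Drop Dumaru.Y"
/ip firewall filter add chain=forward protocol=tcp dst-port=10080 action=drop comment="Drop MyDoom.B"
/ip firewall filter add chain=forward protocol=tcp dst-port=12345 action=drop comment="Drop NetBus"
/ip firewall filter add chain=forward protocol=tcp dst-port=17300 action=drop comment="Drop Kuang2"
/ip firewall filter add chain=forward protocol=tcp dst-port=27374 action=drop comment="Drop SubSeven"
/ip firewall filter add chain=forward protocol=tcp dst-port=65506 action=drop comment="Drop PhatBot, Agobot, Gaobot"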
# DDoS detection snippet pasted from a different network: the interface
# name "ether1 - [Fiber1]" and the DNS_Servers / NuskopeInternal address
# lists are site-specific and are not defined anywhere in this listing.
# Every rule carries disabled=yes, so as pasted none of it is active.
# These relative `add` lines also assume the `/ip firewall filter`
# context, which the absolute-path commands above do not enter.
add action=log chain=notes comment="START DDOS Detection and Nurf"
# chain=notes is never jumped to by any rule in this listing; the two
# log rules are only markers around the section.
add action=jump chain=forward connection-state=new disabled=yes in-interface="ether1 - [Fiber1]" jump-target=detect-ddos
# Leave the chain early for DNS traffic in either direction and while
# the per-destination rate stays under dst-limit (5000/10s, burst 6000).
add action=return chain=detect-ddos disabled=yes dst-address-list=DNS_Servers
add action=return chain=detect-ddos disabled=yes src-address-list=DNS_Servers
add action=return chain=detect-ddos disabled=yes dst-limit=5000,6000,dst-address/10s
# Past the limit: a destination already in ddos_stage1 is promoted to
# ddosed (10m); an internal destination enters ddos_stage1 (1m); every
# external source is recorded in ddoser (5m). The ddosed rule is listed
# before the ddos_stage1 rule on purpose, so promotion needs a second hit.
add action=add-dst-to-address-list address-list=ddosed address-list-timeout=10m chain=detect-ddos connection-state=new disabled=yes dst-address-list=ddos_stage1
add action=add-dst-to-address-list address-list=ddos_stage1 address-list-timeout=1m chain=detect-ddos disabled=yes dst-address-list=NuskopeInternal
add action=add-src-to-address-list address-list=ddoser address-list-timeout=5m chain=detect-ddos disabled=yes src-address-list=!NuskopeInternal
# Drop new connections between a listed attacker and a listed victim,
# both for forwarded traffic and for the router's own outgoing traffic.
add action=drop chain=forward connection-state=new disabled=yes dst-address-list=ddosed src-address-list=ddoser
add action=drop chain=output connection-state=new disabled=yes dst-address-list=ddosed src-address-list=ddoser
add action=log chain=notes comment="END DDOS Detection and Nurf"
# FTP/SSH brute-force throttling for the router's OWN services
# (chain=input / chain=output), the well-known MikroTik wiki pattern.
# The same rules appear a second time further down in this listing with
# different stage timeouts (1m here versus 10m there); only one copy
# should be applied, otherwise the lists are fed twice.
# Rule order matters: the blacklist drop must stay before the stage
# rules, and the unconditioned stage1 rule must stay last.
add chain=input protocol=tcp dst-port=21 src-address-list=ftp_blacklist action=drop \
comment="drop ftp brute forcers"
# content= matching on the output chain inspects the router's own FTP
# replies: failures within dst-limit (1/1m, burst 9, per destination) are
# accepted, the next one puts that client into ftp_blacklist for 3h.
add chain=output action=accept protocol=tcp content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m
add chain=output action=add-dst-to-address-list protocol=tcp content="530 Login incorrect" \
address-list=ftp_blacklist address-list-timeout=3h
# SSH: each new connection moves the source one stage up
# (ssh_stage1 -> ssh_stage2 -> ssh_stage3 -> ssh_blacklist). Stage
# entries expire after 1m, a blacklist entry after 10d. Note this counts
# new connections, not failed logins, so an admin reconnecting four
# times within a minute is blacklisted too.
add chain=input protocol=tcp dst-port=22 src-address-list=ssh_blacklist action=drop \
comment="drop ssh brute forcers" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new \
src-address-list=ssh_stage3 action=add-src-to-address-list address-list=ssh_blacklist \
address-list-timeout=10d comment="" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new \
src-address-list=ssh_stage2 action=add-src-to-address-list address-list=ssh_stage3 \
address-list-timeout=1m comment="" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage1 \
action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m comment="" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new action=add-src-to-address-list \
address-list=ssh_stage1 address-list-timeout=1m comment="" disabled=no
##########################################################################
#### Remove HASH # sign if you want to apply the required rule #
#### Syed Jahanzaib / aacable@hotmail.com / http://aacabel.wordpress.com #
##########################################################################
# Header of the third pasted script. It enters the `/ip firewall filter`
# context and uses relative `add` lines; combined with the absolute-path
# rules above, the same ports end up filtered twice in the forward chain.
/ip firewall filter
# Stateful basics for the router itself. A rule without action= accepts.
add chain=input connection-state=established comment="Accept established connections"
add chain=input connection-state=related comment="Accept related connections"
add chain=input connection-state=invalid action=drop comment="invalid connections"
# Accepts ALL UDP to the router on EVERY interface (no in-interface, no
# dst-port): any UDP service the router runs (DNS, SNMP, NTP, ...) is
# reachable from the WAN and from the pptp-hm tunnel, and because this
# rule comes first, the commented-out udp/53 drop below would never be
# reached. Narrow it to the needed ports/interfaces or remove it.
add chain=input protocol=udp action=accept comment="UDP" disabled=no
add chain=forward connection-state=invalid action=drop comment="invalid connections"
# There is no unconditional "drop everything else" rule on the input
# chain anywhere in this listing, so the router itself stays
# allow-by-default; that is the missing piece for treating the VPN
# interface like WAN.
#### ALLOW VPN (PPTP) CONNECTIONS TO MIKROTIK VPN SERVER
# These two are for a MikroTik acting as PPTP *server* (inbound tcp/1723
# plus GRE); the poster's router is a PPTP *client* and does not need them.
#add action=accept chain=input disabled=no dst-port=1723 protocol=tcp
#add action=accept chain=input disabled=no protocol=gre
#### TO BLOCK DNS ATTACK on WAN INTERFACE
#/ip firewall filter
#add chain=input action=drop dst-port=53 protocol=udp in-interface=ether1 # WAN INTERFACE
#add chain=input action=drop dst-port=53 protocol=tcp in-interface=ether1 # WAN INTERFACE
#### TO BLOCK PROXY ACCESS PORT 8080 / ATTACK on WAN INTERFACE
#add chain=input action=drop dst-port=8080 protocol=tcp in-interface=ether1 # WAN INTERFACE
#### TO BLOCK ICMP TRAFFIC EXCEPT FROM THE Management PC IP
# Blocking ICMP Traffic, saves you from many headaches
# add action=drop chain=input comment="PING REPLY" disabled=no protocol=icmp src-address=!10.10.0.4
#### TO BLOCK TRACEROUTE TRAFFIC
#/ip firewall add action=drop chain=forward comment="Traceroute" disabled=no \
# icmp-options=11:0 protocol=icmp
# add action=drop chain=forward comment="" disabled=no icmp-options=3:3 \
# protocol=icmp
# add action=drop chain=input comment="Disable ICMP ping" disabled=no protocol=\
# icmp
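#### TO BLOCK COMMON VIRUS PORTS
# Custom chain "virus" with the same legacy port blocklist as the
# absolute-path rules earlier in this listing. It only takes effect
# through the jump rule at the end, which is in chain=forward, so the
# router's own input chain is not covered by it.
# Changed against the original paste: the HTML markup that the forum
# software had injected into two comment="..." values (which would make
# RouterOS reject those lines) is stripped, and the second tcp/2745 rule
# (comment="Beagle.C-K"), which duplicated the "Bagle Virus" rule and
# could never match, is removed.
add chain=virus protocol=tcp dst-port=135-139 action=drop comment="Blaster Worm"
add chain=virus protocol=udp dst-port=135-139 action=drop comment="Messenger Worm"
add chain=virus protocol=tcp dst-port=445 action=drop comment="Blaster Worm"
add chain=virus protocol=udp dst-port=445 action=drop comment="Blaster Worm"
add chain=virus protocol=tcp dst-port=593 action=drop comment="________"
add chain=virus protocol=tcp dst-port=1024-1030 action=drop comment="________"
add chain=virus protocol=tcp dst-port=1080 action=drop comment="MyDoom"
add chain=virus protocol=tcp dst-port=1214 action=drop comment="________"
add chain=virus protocol=tcp dst-port=1363 action=drop comment="ndm requester"
add chain=virus protocol=tcp dst-port=1364 action=drop comment="ndm server"
add chain=virus protocol=tcp dst-port=1368 action=drop comment="screen cast"
add chain=virus protocol=tcp dst-port=1373 action=drop comment="hromgrafx"
add chain=virus protocol=tcp dst-port=1377 action=drop comment="cichlid"
add chain=virus protocol=tcp dst-port=1433-1434 action=drop comment="Worm"
add chain=virus protocol=tcp dst-port=2745 action=drop comment="Bagle Virus"
add chain=virus protocol=tcp dst-port=2283 action=drop comment="Dumaru.Y"
add chain=virus protocol=tcp dst-port=2535 action=drop comment="Beagle"
add chain=virus protocol=tcp dst-port=3127-3128 action=drop comment="MyDoom"
add chain=virus protocol=tcp dst-port=3410 action=drop comment="Backdoor OptixPro"
add chain=virus protocol=tcp dst-port=4444 action=drop comment="Worm"
add chain=virus protocol=udp dst-port=4444 action=drop comment="Worm"
add chain=virus protocol=tcp dst-port=5554 action=drop comment="Sasser"
add chain=virus protocol=tcp dst-port=8866 action=drop comment="Beagle.B"
add chain=virus protocol=tcp dst-port=9898 action=drop comment="Dabber.A-B"
add chain=virus protocol=tcp dst-port=10000 action=drop comment="Dumaru.Y"
add chain=virus protocol=tcp dst-port=10080 action=drop comment="MyDoom.B"
add chain=virus protocol=tcp dst-port=12345 action=drop comment="NetBus"
add chain=virus protocol=tcp dst-port=17300 action=drop comment="Kuang2"
add chain=virus protocol=tcp dst-port=27374 action=drop comment="SubSeven"
add chain=virus protocol=tcp dst-port=65506 action=drop comment="PhatBot, Agobot, Gaobot"
# Only forwarded traffic is sent through the virus chain (all interfaces,
# both directions, since no in-interface is given).
add chain=forward action=jump jump-target=virus comment="jump to the virus chain"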
#Drop port scanners
# Port-scan detection on the router's own input chain. psd=21,3s,3,1 is
# RouterOS' port-scan heuristic; the other rules match TCP flag
# combinations that normal stacks never send. Matching sources land in
# the "port scanners" list for 2w. Because the source address is taken
# from the packet, a scan with a spoofed source can get an innocent
# address (including a legitimate peer) blocked for two weeks; a shorter
# timeout limits that exposure.
add chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="Port scanners to list " disabled=no
add chain=input protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="NMAP FIN Stealth scan"
add chain=input protocol=tcp tcp-flags=fin,syn action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="SYN/FIN scan"
add chain=input protocol=tcp tcp-flags=syn,rst action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="SYN/RST scan"
add chain=input protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="FIN/PSH/URG scan"
add chain=input protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="ALL/ALL scan"
add chain=input protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="NMAP NULL scan"
# The drop has no protocol= matcher, so it drops everything (not only
# TCP) from listed sources to the router; forwarded traffic from them is
# not affected. It sits after the established/related accepts above, so
# already open connections survive.
add chain=input src-address-list="port scanners" action=drop comment="ping port scanners" disabled=no
#Bruteforce login prevention
# Second copy of the FTP/SSH brute-force rules already pasted above (same
# lists ftp_blacklist / ssh_stage1..3 / ssh_blacklist, but 10m instead of
# 1m stage timeouts). Apply one copy only.
add chain=input protocol=tcp dst-port=21 src-address-list=ftp_blacklist action=drop comment="ftp brute forcers"
# Counts the router's own "530 Login incorrect" FTP replies per client;
# beyond dst-limit (1/1m, burst 9) the client is blacklisted for 3h.
add chain=output action=accept protocol=tcp content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m
add chain=output action=add-dst-to-address-list protocol=tcp content="530 Login incorrect" address-list=ftp_blacklist address-list-timeout=3h
#This bans an SSH brute forcer for 10 days after repeated connection attempts
#(stage1 expires after 1m, stage2/stage3 after 10m; the rules count new
#connections, not failed logins).
add chain=input protocol=tcp dst-port=22 src-address-list=ssh_blacklist action=drop comment="ssh brute forcers" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage3 action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=10d comment="" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage2 action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=10m comment="" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage1 action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=10m comment="" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m comment="" disabled=no
#If you want to block downstream access as well, you need to block them with the forward chain:
# Reuses ssh_blacklist (fed only by attempts against the router itself)
# to also drop SSH from those sources towards hosts behind the router.
add chain=forward protocol=tcp dst-port=22 src-address-list=ssh_blacklist action=drop comment="ssh brute downstream" disabled=no
Šílenost... proč to dělat složitě, když to jde jednoduše: na inputu z WANu povol established a related a pak vše ostatní drop; na forwardu zevnitř sítě povol vše, zvenku pouze established a related, zbytek drop. Tyhle super hyper mega firewally mi akorát pijou krev a navíc je to zabiják výkonu.