
Jak na jednoduchý firewall ?

marek
Příspěvky: 2
Registrován: 16 years ago

Jak na jednoduchý firewall ?

Příspěvek od marek » 16 years ago

S RouterOS začínám, mám zkušenost jen s klasickým systémovým firewallem nad BSD. Teď jsem se dostal k Mikrotiku a přiznám se, že logika firewallu je nějaká zvláštní.

Procházel jsem dokumentaci a snad jediné, co mě zaujalo, je něco, co nazývají home firewall, což je tohle:


# Connection tracking must be enabled for the connection-state= matches further down to work.
# NOTE(review): the timeouts are the original poster's values; whether they are "optimal" depends on
# traffic volume and the device's memory — confirm against the size of the connection table before tuning.
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s tcp-close-wait-timeout=10s tcp-established-timeout=1d \
    tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no \
    tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
# Rules are evaluated top to bottom within each chain; the first rule with a terminal action
# (accept/drop) wins. The custom chains below are only reached through the jump rules in chain=forward.
# --- chain accept_list: admits only the four published services on the internal host 192.168.11.10.
add action=accept chain=accept_list comment="Forward HTTP to webserver" disabled=no dst-address=192.168.11.10 dst-port=80 protocol=tcp
add action=accept chain=accept_list comment="Forward HTTPS to webserver" disabled=no dst-address=192.168.11.10 dst-port=443 \
    protocol=tcp
add action=accept chain=accept_list comment="Forward FTP to Server" disabled=no dst-address=192.168.11.10 dst-port=21 protocol=tcp
# NOTE(review): src-port=3389 means only clients whose *source* port is 3389 match. Ordinary RDP
# clients use an ephemeral source port, so this rule presumably never matches — confirm intent.
add action=accept chain=accept_list comment="Forward RDP to Server" disabled=no dst-address=192.168.11.10 dst-port=3389 protocol=tcp \
    src-port=3389
# --- chain known_viruses: drops destination ports historically used by Windows worms and
#     NetBIOS/SMB. Packets that match none of these return to the forward chain.
add action=drop chain=known_viruses comment="windows - not EXACTLY a virus" disabled=no dst-port=135-139 protocol=tcp
add action=drop chain=known_viruses comment="windows - not EXACTLY a virus" disabled=no dst-port=135-139 protocol=udp
add action=drop chain=known_viruses comment="winXP netbios not EXACTLY a virus" disabled=no dst-port=445 protocol=udp
add action=drop chain=known_viruses comment="winXP netbios not EXACTLY a virus" disabled=no dst-port=445 protocol=tcp
add action=drop chain=known_viruses comment="msblast worm" disabled=no dst-port=593 protocol=tcp
add action=drop chain=known_viruses comment="msblast worm" disabled=no dst-port=4444 protocol=tcp
add action=drop chain=known_viruses comment="WITTY worm" disabled=no dst-port=4000 protocol=tcp
add action=drop chain=known_viruses comment="SoBig.f worm" disabled=no dst-port=995-999 protocol=tcp
add action=drop chain=known_viruses comment="SoBig.f worm" disabled=no dst-port=8998 protocol=tcp
add action=drop chain=known_viruses comment="beagle worm" disabled=no dst-port=2745 protocol=tcp
add action=drop chain=known_viruses comment="beagle worm" disabled=no dst-port=4751 protocol=tcp
# NOTE(review): SQL Slammer propagated over UDP/1434; this rule matches protocol=tcp only — confirm.
add action=drop chain=known_viruses comment="SQL Slammer" disabled=no dst-port=1434 protocol=tcp
# --- chain bad_people: static drops of individual source addresses. These are hard-coded and dated;
#     an address list (src-address-list= with a timeout) is easier to maintain and can expire entries.
add action=drop chain=bad_people comment="Known Spammer" disabled=no src-address=81.180.98.3
add action=drop chain=bad_people comment="Known Spammer" disabled=no src-address=24.73.97.226
add action=drop chain=bad_people comment="http://isc.incidents.org/top10.html listed" disabled=no src-address=67.75.20.112
add action=drop chain=bad_people comment="" disabled=no src-address=218.104.138.166
add action=drop chain=bad_people comment="" disabled=no src-address=212.3.250.194
add action=drop chain=bad_people comment="" disabled=no src-address=203.94.243.191
add action=drop chain=bad_people comment="" disabled=no src-address=202.101.235.100
add action=drop chain=bad_people comment="" disabled=no src-address=58.16.228.42
add action=drop chain=bad_people comment="" disabled=no src-address=58.248.8.2
add action=drop chain=bad_people comment="" disabled=no src-address=202.99.11.99
add action=drop chain=bad_people comment="" disabled=no src-address=218.52.237.219
add action=drop chain=bad_people comment="" disabled=no src-address=222.173.101.157
add action=drop chain=bad_people comment="" disabled=no src-address=58.242.34.235
add action=drop chain=bad_people comment="" disabled=no src-address=222.80.184.23
# --- chain forward (transit traffic), rule 1: everything from 192.168.22.0/24 is accepted here,
#     before the invalid drop, the SSH block and the known_viruses/bad_people jumps below, so the
#     WiFi subnet bypasses all of those checks.
add action=accept chain=forward comment="Allow WIFI access to ALL" disabled=no src-address=192.168.22.0/24
# --- chain input (traffic addressed to the router itself). Staged SSH brute-force throttling:
#     a source already in ssh_blacklist is dropped; otherwise each new SSH connection made within 1m
#     of the previous one advances the source ssh_stage1 -> ssh_stage2 -> ssh_stage3 -> ssh_blacklist
#     (kept for 1w3d). The drop rule must stay first so blacklisted sources never reach the stage rules,
#     and the stage rules must stay in this descending order so one connection advances only one stage.
add action=drop chain=input comment="drop ssh brute forcers" disabled=no dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1w3d chain=input comment="" connection-state=new \
    disabled=no dst-port=22 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m chain=input comment="" connection-state=new \
    disabled=no dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=input comment="" connection-state=new \
    disabled=no dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input comment="" connection-state=new \
    disabled=no dst-port=22 protocol=tcp
# FTP brute-force throttling: the drop below blocks port 21 for sources in ftp_blacklist. In the output
# chain, the first replies containing "530 Login incorrect" pass under the dst-limit (9 burst, 1 per
# minute per destination address); any further ones put the client address into ftp_blacklist for 3h.
# NOTE(review): the input chain has no final drop rule, so every other service the router runs stays
# reachable from any interface (RouterOS chains are accept-by-default). Add an explicit drop at the end.
add action=drop chain=input comment="allows only 10 FTP login incorrect answers per minute" disabled=no dst-port=21 protocol=tcp \
    src-address-list=ftp_blacklist
add action=accept chain=output comment="" content="530 Login incorrect" disabled=no dst-limit=1/1m,9,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list=ftp_blacklist address-list-timeout=3h chain=output comment="" content="530 Login \
    incorrect" disabled=no protocol=tcp
# --- chain forward, continued. Rule 2: drop packets connection tracking cannot attribute to a connection.
add action=drop chain=forward comment="drop invalid connections DELETE" connection-state=invalid disabled=no
# Rule 3: SSH through the router is blocked for everyone except the WiFi subnet accepted in rule 1.
add action=drop chain=forward comment="Blocks SSH" disabled=no dst-port=22 protocol=tcp
# Rules 4-6: jump into the helper chains; a packet that matches nothing there returns and continues here.
add action=jump chain=forward comment="Known virus ports DELETE" disabled=no jump-target=known_viruses
add action=jump chain=forward comment="kill known bad source addresses DELETE" disabled=no jump-target=bad_people
add action=jump chain=forward comment="Jump to Accepted List" disabled=no jump-target=accept_list
# Rules 7-8: reply traffic of existing connections. Placing these at the top of the chain is the usual
# optimisation, since most packets belong to connections that are already established.
add action=accept chain=forward comment="allow established connections DELETE" connection-state=established disabled=no
add action=accept chain=forward comment="allow related connections DELETE" connection-state=related disabled=no
# Rule 9: an unconditional accept ends the chain, so forward is effectively accept-by-default — anything
# not dropped above is forwarded, and the accept_list jump above makes no difference to what gets through.
# For a gateway that should let only chosen ports in, this last rule needs to be action=drop (with the
# established/related accepts and the wanted accept rules kept above it).
# NOTE(review): the word DELETE in several comments is the original author's marker; its meaning is not
# explained anywhere in this listing.
add action=accept chain=forward comment="Allow All" disabled=no
/ip firewall nat
# Source NAT for the LAN. No out-interface= is given, so it applies on every egress interface.
add action=masquerade chain=srcnat comment="" disabled=no src-address=192.168.11.0/24
# Port forwards from the public address 24.16.119.193 to the internal host 192.168.11.10. The translated
# packets are then evaluated by chain=forward, where the accept_list rules admit these same ports.
add action=dst-nat chain=dstnat comment="" disabled=no dst-address=24.16.119.193 dst-port=3389 protocol=tcp to-addresses=192.168.11.10 \
    to-ports=3389
add action=dst-nat chain=dstnat comment="" disabled=no dst-address=24.16.119.193 dst-port=80 protocol=tcp to-addresses=192.168.11.10 \
    to-ports=80
add action=dst-nat chain=dstnat comment="" disabled=no dst-address=24.16.119.193 dst-port=21 protocol=tcp to-addresses=192.168.11.10 \
    to-ports=21
add action=dst-nat chain=dstnat comment="" disabled=no dst-address=24.16.119.193 dst-port=443 protocol=tcp to-addresses=192.168.11.10 \
    to-ports=443
# Connection-tracking protocol helpers (ALGs). An enabled helper can open "related" pinholes for its
# protocol, and chain=forward accepts connection-state=related, so keep only the helpers actually needed.
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no
set pptp disabled=no


Ale jestli dobře chápu toto nastavení, tak je zapnutý connection tracking – lze nějak okomentovat, jaké hodnoty jsou optimum?

Ale dál je to horší. Chápu přesměrování na porty (viz první accept s cílovou adresou), tady je to OK.
Potom chápu zahození konkrétních portů + uživatelů (IP)
Dále vidím povolení rozsahu jako WiFi ...
Pak si hrají s SSH přístupem, OK ...

následuje:


# The last three rules of chain=forward: reply traffic of established and related connections is
# accepted, and the final rule then accepts everything else. There is no implicit drop after it, so
# the chain is accept-by-default unless an explicit action=drop rule is appended as the last rule.
add action=accept chain=forward comment="allow established connections DELETE" connection-state=established disabled=no
add action=accept chain=forward comment="allow related connections DELETE" connection-state=related disabled=no
add action=accept chain=forward comment="Allow All" disabled=no


A tím to končí... ale nevidím nikde klasické zakázání všeho ostatního. To je default stav? To tak přece není...

A ještě poddotaz: jaké má být správné pořadí pravidel? Vyhodnocují se vždy od prvního dále? Nebo existuje nějaké doporučení? V demo účtech těchto věcí moc není...

Prostě něco jako jednoduchý firewall pro bránu, který umožní jen konkrétní porty dovnitř (forward) a cokoliv zevnitř ven ...

Díky za jakékoliv nasměrování ...

reset
Příspěvky: 2902
Registrován: 17 years ago
Bydliště: intERnet

Příspěvek od reset » 16 years ago

Firewall na MK mi prijde mnohem jednodussi na ovladani nezli na klasickych linuxovych masinach (vcetne BSD). Zkusenosti s nimi mam.
V mikrotiku je to jak se rika polopate a pritom prehledne a funkcni.

Default stav je permanentne povolen, nenasel jsem nikde moznost default stav zmenit.
Coz neni zase takovy problem, na konec vsech pravidel dej drop a mas vystarano.
ERnet tady, ERnet tam, ERnet vsude kam se podivam

marek
Příspěvky: 2
Registrován: 16 years ago

Příspěvek od marek » 16 years ago

Takže tohle by mohlo být schůdné ?? Díky za každý postřeh a připomínku ...


/ip firewall filter
# Rules are evaluated top to bottom within each chain; the first matching accept/drop wins.
# NOTE(review): the address lists PUBLIC_SERVER, VOIP_CLIENT, LOCAL_SUBNET, IPSEC_SUBNET and PUBLIC_IP
# are referenced here but not defined in this listing; they need matching /ip firewall address-list entries.
# --- chain forward (transit traffic): published services first, then everything originating from the
#     local and IPsec subnets, then reply traffic, then an explicit drop — the chain is no longer
#     accept-by-default.
add action=accept chain=forward comment="Presmerovat HTTP na server" disabled=no dst-address-list=PUBLIC_SERVER dst-port=80 protocol=tcp
add action=accept chain=forward comment="Presmerovat SMTP na server" disabled=no dst-address-list=PUBLIC_SERVER dst-port=25 protocol=tcp
add action=accept chain=forward comment="Presmerovat HTTP(mail) na server" disabled=no dst-address-list=PUBLIC_SERVER dst-port=8080 protocol=tcp
add action=accept chain=forward comment="Presmerovat SIP na VoIP klient" disabled=no dst-address-list=VOIP_CLIENT dst-port=5060 protocol=udp
# NOTE(review): this RTP rule matches protocol=tcp, while the corresponding NAT rule at the bottom uses
# protocol=udp for port 5004 — one of the two is wrong (RTP normally runs over UDP); make them consistent.
add action=accept chain=forward comment="Presmerovat RTP na VoIP klient" disabled=no dst-address-list=VOIP_CLIENT dst-port=5004 protocol=tcp
add action=accept chain=forward comment="Povolit rozsah adres - LOCAL" disabled=no src-address-list=LOCAL_SUBNET
add action=accept chain=forward comment="Povolit rozsah adres - IPSEC" disabled=no src-address-list=IPSEC_SUBNET
# Reply traffic is accepted after the per-service rules; moving these two to the top of the chain is the
# usual optimisation. There is no connection-state=invalid drop anywhere in this chain — consider adding one.
add action=accept chain=forward comment="Povolit established spojení" connection-state=established disabled=no
add action=accept chain=forward comment="Povolit related spojení" connection-state=related disabled=no
add action=drop chain=forward comment="Zbytek (forward) zahodit" disabled=no

# --- chains input/output (traffic to and from the router itself). Winbox (tcp/8291) on WAN and LAN.
# NOTE(review): the WAN Winbox rule has no src-address= / src-address-list= restriction, so the
# management port is reachable from any Internet address; limit it to a management address list.
add action=accept chain=input comment="Povolit WinBOX na WAN i LAN" disabled=no protocol=tcp dst-port=8291 in-interface=WAN
add action=accept chain=output disabled=no protocol=tcp src-port=8291 out-interface=WAN
add action=accept chain=input disabled=no protocol=tcp dst-port=8291 in-interface=LAN
add action=accept chain=output disabled=no protocol=tcp src-port=8291 out-interface=LAN

# SSH to the router only from the LAN interface.
add action=accept chain=input comment="Povolit SSH pro LAN rozsah" disabled=no protocol=tcp dst-port=22 in-interface=LAN
add action=accept chain=output disabled=no protocol=tcp src-port=22 out-interface=LAN


# NTP client towards the two tik.cesnet.cz addresses. The two output rules carry no protocol= or
# dst-port=, so they allow any router-originated traffic to those hosts, not only NTP.
add action=accept chain=output comment="Povolit NTP klienta pro tik.cesnet.cz" disabled=no dst-address=195.113.144.201 out-interface=WAN

add action=accept chain=input disabled=no src-address=195.113.144.201 in-interface=WAN connection-state=established
add action=accept chain=output disabled=no dst-address=195.113.144.238 out-interface=WAN

add action=accept chain=input disabled=no src-address=195.113.144.238 in-interface=WAN connection-state=established
# NTP server for the LAN. The input rule matches src-port=123, which assumes LAN clients send from source
# port 123 (classic ntpd does; SNTP clients generally use an ephemeral port) — confirm; dst-port=123 is
# the usual match for incoming queries.
add action=accept chain=input comment="Povolit NTP server pro LAN rozsah" disabled=no protocol=udp src-port=123 in-interface=LAN
add action=accept chain=output disabled=no protocol=udp dst-port=123 out-interface=LAN

# DNS: the router's own queries to WAN resolvers and answers to LAN clients, UDP only (tcp/53 is not
# allowed by these rules, so large responses requiring TCP fallback would be dropped on WAN).
add action=accept chain=output comment="Povolit DNS pro klienta i pro LAN" disabled=no dst-port=53 out-interface=WAN protocol=udp

add action=accept chain=input disabled=no src-port=53 in-interface=WAN connection-state=established protocol=udp
add action=accept chain=output disabled=no src-port=53 out-interface=LAN protocol=udp

add action=accept chain=input disabled=no dst-port=53 in-interface=LAN protocol=udp

# ICMP accepted on both interfaces in both directions with no type or rate restriction.
add action=accept chain=output comment="Povolit ICMP komunikaci" disabled=no out-interface=WAN protocol=icmp

add action=accept chain=input disabled=no in-interface=WAN protocol=icmp
add action=accept chain=output disabled=no out-interface=LAN protocol=icmp

add action=accept chain=input disabled=no in-interface=LAN protocol=icmp

# IPsec: ESP and AH are accepted on WAN, but no rule admits IKE (udp/500, and udp/4500 for NAT-T), so
# IPsec negotiation arriving on WAN falls through to the drop below — verify the tunnel can be set up.
add action=accept chain=input comment="Povolit IPSEC komunikaci" disabled=no protocol=ipsec-esp in-interface=WAN
add action=accept chain=output disabled=no protocol=ipsec-esp out-interface=WAN
add action=accept chain=input disabled=no protocol=ipsec-ah in-interface=WAN
add action=accept chain=output disabled=no protocol=ipsec-ah out-interface=WAN

# The final drops apply to the WAN interface only: input from LAN (and output to LAN) that matches
# none of the rules above is still accepted by default.
add action=drop chain=input comment="Ostatni na INPUT/OUTPUT zahodit" in-interface=WAN
add action=drop chain=output out-interface=WAN

/ip firewall nat
# Source NAT for the local subnet, limited to the WAN interface.
add action=masquerade chain=srcnat comment="" disabled=no src-address-list=LOCAL_SUBNET out-interface=WAN
# NOTE(review): these dstnat rules use action=add-dst-to-address-list, which only records the destination
# address in address-list= and does not translate anything; to-ports= belongs to action=dst-nat, which
# also needs to-addresses=<internal server IP>. As written, presumably no traffic reaches the server at
# all, and the chain=forward accept rules above then have nothing to admit — confirm on the device.
add action=add-dst-to-address-list chain=dstnat comment="" disabled=no dst-address-list=PUBLIC_IP dst-port=80 protocol=tcp address-list=PUBLIC_SERVER to-ports=80
add action=add-dst-to-address-list chain=dstnat comment="" disabled=no dst-address-list=PUBLIC_IP dst-port=25 protocol=tcp address-list=PUBLIC_SERVER to-ports=25
add action=add-dst-to-address-list chain=dstnat comment="" disabled=no dst-address-list=PUBLIC_IP dst-port=8080 protocol=tcp address-list=PUBLIC_SERVER to-ports=8080
add action=add-dst-to-address-list chain=dstnat comment="" disabled=no dst-address-list=PUBLIC_IP dst-port=5060 protocol=udp address-list=PUBLIC_SERVER to-ports=5060
add action=add-dst-to-address-list chain=dstnat comment="" disabled=no dst-address-list=PUBLIC_IP dst-port=5004 protocol=udp address-list=PUBLIC_SERVER to-ports=5004
