Chexov Posted May 23, 2016 (edited)
Есть ошибки в этом конфиге firewall, а также по безопасности — всё правильно сделано? Настройка firewall: всё запрещено, что не разрешено!

#fasttrack-connection input
/ip firewall filter add action=fasttrack-connection chain=input connection-state=established,related disabled=yes
# access to winbox разрешение доступа для Winbox
/ip firewall filter add chain=input action=accept protocol=tcp in-interface=ether1 dst-port=8291 comment="access to winbox"
#BOGON запрещаем с этих подсетей соединения на WAN-порт(in-interface=ether1) маршрутизатора
/ip firewall filter add action=drop chain=input in-interface=ether1 src-address-list=BOGON
#список BOGON
/ip firewall address-list add list=BOGON address=1.0.0.0/8 disabled=no
add list=BOGON address=2.0.0.0/8 disabled=no
add list=BOGON address=5.0.0.0/8 disabled=no
add list=BOGON address=7.0.0.0/8 disabled=no
add list=BOGON address=10.0.0.0/8 disabled=no
# INPUT
#Разрешаем все уже установленные подключения (connection state=established)
add chain=input connection-state=established action=accept comment="allow established connections"
# Разрешаем все зависимые подключения (connection state=related)
add chain=input connection-state=related action=accept comment="allow related connections"
#Запрещаем недействительные соединения для цепочек input
add chain=input connection-state=invalid action=drop comment="drop invalid connections"
# ext input
# Блокируем DNS запросы на внешний интерфейс (запрещающее правило для дропа флуда на 53 порту)
/ip firewall filter add action=add-src-to-address-list address-list="dns flood" address-list-timeout=30d chain=input dst-port=53 in-interface=ether1 protocol=udp
add action=drop chain=input dst-port=53 in-interface=ether1 protocol=udp src-address-list="dns flood"
add action=drop chain=input dst-port=53 in-interface=ether1 protocol=tcp src-address-list="dns flood"
# Защита от сканера портов
add chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list address-list=port_scanners address-list-timeout=2w comment="Port scanners to list" disabled=no
# Комбинации TCP флагов, указывающих на использование сканера портов
add chain=input protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list=port_scanners address-list-timeout=2w comment="NMAP FIN Stealth scan"
add chain=input protocol=tcp tcp-flags=fin,syn action=add-src-to-address-list address-list=port_scanners address-list-timeout=2w comment="SYN/FIN scan"
add chain=input protocol=tcp tcp-flags=syn,rst action=add-src-to-address-list address-list=port_scanners address-list-timeout=2w comment="SYN/RST scan"
add chain=input protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack action=add-src-to-address-list address-list=port_scanners address-list-timeout=2w comment="FIN/PSH/URG scan"
add chain=input protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg action=add-src-to-address-list address-list=port_scanners address-list-timeout=2w comment="ALL/ALL scan"
add chain=input protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list=port_scanners address-list-timeout=2w comment="NMAP NULL scan"
# Запрет подключений сканеров портов
add chain=input src-address-list=port_scanners action=drop comment="dropping port scanners" disabled=no
add chain=forward src-address-list=port_scanners action=drop comment="dropping port scanners" disabled=no
#Защита winbox - drop winbox brute forcers
/ip firewall filter add chain=input action=drop protocol=tcp src-address-list=winbox_blacklist dst-port=8291 comment="drop winbox brute forcers"
/ip firewall filter add chain=input action=add-src-to-address-list connection-state=new protocol=tcp src-address-list=winbox_stage3 address-list=winbox_blacklist address-list-timeout=60m dst-port=8291
/ip firewall filter add chain=input action=add-src-to-address-list connection-state=new protocol=tcp src-address-list=winbox_stage2 address-list=winbox_stage3 address-list-timeout=1m dst-port=8291
/ip firewall filter add chain=input action=add-src-to-address-list connection-state=new protocol=tcp src-address-list=winbox_stage1 address-list=winbox_stage2 address-list-timeout=1m dst-port=8291
/ip firewall filter add chain=input action=add-src-to-address-list connection-state=new protocol=tcp address-list=winbox_stage1 address-list-timeout=1m dst-port=8291
# Открываем порты для VPN L2TP
/ip firewall filter add chain=input action=accept protocol=udp port=1701,500,4500 comment="Allow L2TP - 1"
add chain=input action=accept protocol=ipsec-esp comment="Allow L2TP - 2"
# проброс портов для торентов
/ ip firewall nat add chain=dstnat in-interface=ether1 protocol=tcp dst-port=6881 action=netmap to-addresses=192.168.88.3 to-ports=6881 comment="torrent" disabled=no
/ ip firewall nat add chain=dstnat in-interface=ether1 protocol=udp dst-port=6881 action=netmap to-addresses=192.168.88.3 to-ports=6881 comment="torrent UDP" disabled=no
/ ip firewall filter add chain=forward in-interface=ether1 protocol=tcp dst-port=6881 action=accept comment="torrent" disabled=no
/ ip firewall filter add chain=forward in-interface=ether1 protocol=udp dst-port=6881 action=accept comment="torrent UDP" disabled=no
# local input
/ip firewall filter add chain=input src-address=192.168.88.0/24 action=accept in-interface=!ether1
# Запрет всех входящих на маршрутизатор
add chain=input in-interface=ether1 action=drop comment="Drop everything else"
# OUTPUT
add chain=output action=accept out-interface=ether1 comment="accept everything to internet"
add chain=output action=accept out-interface=!ether1 comment="accept everything to non internet"
add chain=output action=accept comment="accept everything"
# FORWARD
#fasttrack-connection forward
add action=fasttrack-connection chain=forward connection-state=established,related
# Запрет транзита '''битых''' и '''неправильных''' пакетов
add chain=forward connection-state=invalid action=drop comment="drop invalid connections"
# Разрешаем уже установленные подключения и связанные
add chain=forward connection-state=established action=accept comment="allow already established connections"
add chain=forward connection-state=related action=accept comment="allow related connections"
# (1) jumping
add chain=forward protocol=tcp action=jump jump-target=tcp
add chain=forward protocol=udp action=jump jump-target=udp
add chain=forward protocol=icmp action=jump jump-target=icmp
# (3) accept forward from local to internet
add chain=forward action=accept in-interface=!ether1 out-interface=ether1 comment="accept from local to internet"
# (4) drop all other forward
add chain=forward action=drop comment="drop everything else"
# (2) deny some types common types
add chain=tcp protocol=tcp dst-port=69 action=drop comment="deny TFTP"
add chain=tcp protocol=tcp dst-port=111 action=drop comment="deny RPC portmapper"
add chain=tcp protocol=tcp dst-port=135 action=drop comment="deny RPC portmapper"
add chain=tcp protocol=tcp dst-port=137-139 action=drop comment="deny NBT"
add chain=tcp protocol=tcp dst-port=445 action=drop comment="deny cifs"
add chain=tcp protocol=tcp dst-port=2049 action=drop comment="deny NFS"
add chain=tcp protocol=tcp dst-port=12345-12346 action=drop comment="deny NetBus"
add chain=tcp protocol=tcp dst-port=20034 action=drop comment="deny NetBus"
add chain=tcp protocol=tcp dst-port=3133 action=drop comment="deny BackOriffice"
add chain=tcp protocol=tcp dst-port=67-68 action=drop comment="deny DHCP"
add chain=udp protocol=udp dst-port=69 action=drop comment="deny TFTP"
add chain=udp protocol=udp dst-port=111 action=drop comment="deny PRC portmapper"
add chain=udp protocol=udp dst-port=135 action=drop comment="deny PRC portmapper"
add chain=udp protocol=udp dst-port=137-139 action=drop comment="deny NBT"
add chain=udp protocol=udp dst-port=2049 action=drop comment="deny NFS"
add chain=udp protocol=udp dst-port=3133 action=drop comment="deny BackOriffice"
# Фильтруем полезный ICMP
add action=accept chain=icmp comment="ICMP (0:0) echo reply" disabled=no icmp-options=0:0 protocol=icmp
add action=accept chain=icmp comment="ICMP (3:0) dest / net unreachable" disabled=no icmp-options=3:0 protocol=icmp
add action=accept chain=icmp comment="ICMP (3:1) dest / host unreachable" disabled=no icmp-options=3:1 protocol=icmp
add action=accept chain=icmp comment="ICMP (3:3) dest / port unreachable" disabled=no icmp-options=3:3 protocol=icmp
add action=accept chain=icmp comment="ICMP (3:4) dest / fragment. needed" disabled=no icmp-options=3:4 protocol=icmp
add action=accept chain=icmp comment="ICMP (3:10) dest / comm. with-dst-host prohibited" disabled=no icmp-options=3:10 protocol=icmp
add action=accept chain=icmp comment="ICMP (3:13) dest / communication prohibited" disabled=no icmp-options=3:13 protocol=icmp
add action=accept chain=icmp comment="ICMP (4:0) source quench" disabled=no icmp-options=4:0 protocol=icmp
add action=accept chain=icmp comment="ICMP (8:0) echo request" disabled=no icmp-options=8:0 protocol=icmp
add action=accept chain=icmp comment="ICMP (11:0) time exceeded / TTL" disabled=no icmp-options=11:0 protocol=icmp
add action=accept chain=icmp comment="ICMP (12:0) parameter problem / error" disabled=no icmp-options=12:0 protocol=icmp
add action=drop chain=icmp comment="ICMP - deny ALL other types" disabled=no protocol=icmp
# (5) drop all other forward
add chain=forward action=drop comment="drop (2) everything else"

Edited May 24, 2016 by Chexov
mafijs Posted May 23, 2016 (edited)
Мож это добавить?

/ip firewall filter
add action=drop chain=forward comment="Block spammers or infected users" \
    dst-port=25 protocol=tcp src-address-list=spammer
add action=add-src-to-address-list address-list=spammer chain=forward \
    comment="Detect and add-list SMTP virus or spammers" connection-limit=\
    30,32 dst-port=25 limit=50,5:packet protocol=tcp

Edited May 23, 2016 by mafijs
Chexov Posted May 23, 2016
Не используют 25 порт, 21, 69, 23.
> Мож это добавить?
Chexov Posted May 24, 2016 (edited)
Уважаемые гуру, нужна помощь! Почему не открываются порты на этом конфиге? Вот правило для видеокамеры, оно стоит наверху:

add chain=forward port=8000,8200,554,443,465 protocol=tcp src-address=192.168.0.90 comment="Hikvision"

Если убрать src-address=192.168.0.90, то начинает работать. Если выключить это правило, тоже начинает работать:

# (4) drop all other forward
add chain=forward action=drop comment="drop everything else"

Edited May 24, 2016 by Chexov