namo
Long time Member
Topic Author
Posts: 530
Joined: Sat Oct 03, 2009 4:44 pm

What are the important firewall rules needed for a hotspot?

Sun Dec 12, 2010 5:18 am

I have MikroTik RouterOS v4.13 with a hotspot. Here are the firewall rules that I got from /ip firewall filter print. Please tell me which rules I need to remove and any extra ones that I should add:
chain=input action=drop protocol=tcp dst-port=22,23,80,443,8728

4 X ;;; Reject if in the 24-hour-list
chain=forward action=reject reject-with=icmp-network-unreachable
src-address-list=24-hour-list dst-address-list=0.0.0.0


5 I ;;; Check if dest is an open customer
chain=forward action=jump jump-target=open-customers
dst-address-list=open-customers

6 I ;;; Check Known Bad Hosts
chain=forward action=jump jump-target=bad-hosts

7 X ;;; Reject if in the 24-hour-list
chain=forward action=reject reject-with=icmp-network-unreachable
src-address-list=24-hour-list

8 ;;; Take no action on bogons
chain=bad-host-detection action=return src-address-list=bogons

9 ;;; Add to the 24 hours list
chain=bad-host-detection action=add-src-to-address-list protocol=udp
src-address=192.168.2.0/24 dst-address=192.168.2.0/24
address-list=24-hour-list address-list-timeout=1d src-port=137
dst-port=137

10 chain=bad-host-detection action=return

11 ;;; jump to the bad-host-detection chain
chain=forward action=jump jump-target=bad-host-detection
src-address-list=!our-networks

12 ;;; jump to the bad-host-detection chain
chain=forward action=jump jump-target=bad-host-detection
src-address-list=!our-networks

13 X ;;; log and reject the rest
chain=forward action=log log-prefix=""

14 chain=forward action=accept protocol=tcp dst-port=1863

15 chain=forward action=accept protocol=tcp dst-port=443

16 chain=output action=drop protocol=udp src-port=5678

17 ;;; ADD to address-list src-conficker
chain=forward action=add-src-to-address-list dst-address-list=conficker
address-list=src-conficker address-list-timeout=3d

18 I chain=forward action=jump jump-target=drop src-address-list=local-addr
dst-address-list=local-addr in-interface=lan out-interface=lan

19 I chain=input action=jump jump-target=drop src-address=192.168.2.0/24
src-address-type=broadcast dst-address-type=local
src-address-list=local-addr in-interface=lan

20 I chain=forward action=jump jump-target=drop src-address=192.168.2.0/24
src-address-type=broadcast dst-address-type=local

21 ;;; Port scanners to list
chain=forward action=add-src-to-address-list protocol=tcp psd=21,3s,3,1
address-list=port scanners address-list-timeout=2w

22 ;;; NMAP FIN Stealth scan
chain=forward action=add-src-to-address-list
tcp-flags=fin,!syn,!rst,!psh,!ack,!urg protocol=tcp
address-list=port scanners address-list-timeout=2w

23 ;;; SYN/FIN scan
chain=forward action=add-src-to-address-list tcp-flags=fin,syn
protocol=tcp address-list=port scanners address-list-timeout=2w

24 ;;; SYN/RST scan
chain=forward action=add-src-to-address-list tcp-flags=syn,rst
protocol=tcp address-list=port scanners address-list-timeout=2w

25 ;;; FIN/PSH/URG scan
chain=forward action=add-src-to-address-list
tcp-flags=fin,psh,urg,!syn,!rst,!ack protocol=tcp
address-list=port scanners address-list-timeout=2w

26 ;;; ALL/ALL scan
chain=forward action=add-src-to-address-list
tcp-flags=fin,syn,rst,psh,ack,urg protocol=tcp
address-list=port scanners address-list-timeout=2w

27 ;;; NMAP NULL scan
chain=forward action=add-src-to-address-list
tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg protocol=tcp
address-list=port scanners address-list-timeout=2w

28 ;;; dropping port scanners
chain=forward action=drop src-address-list=port scanners

29 ;;; allow established connections
chain=forward action=accept connection-state=established

30 ;;; allow related connections
chain=forward action=accept connection-state=related

31 ;;; drop invalid connections
chain=forward action=drop connection-state=invalid

32 ;;; Drop Blaster Worm
chain=virus action=drop protocol=tcp dst-port=135-139

33 ;;; Drop Messenger Worm
chain=virus action=drop protocol=udp dst-port=135-139

34 ;;; Drop Blaster Worm
chain=virus action=drop protocol=tcp dst-port=445

35 ;;; Drop Blaster Worm
chain=virus action=drop protocol=udp dst-port=445

36 ;;; ________
chain=virus action=drop protocol=tcp dst-port=593

37 ;;; ________
chain=virus action=drop protocol=tcp dst-port=1024-1030

38 ;;; Drop MyDoom
chain=virus action=drop protocol=tcp dst-port=1080

40 ;;; ndm requester
chain=virus action=drop protocol=tcp dst-port=1363

41 ;;; ndm server
chain=virus action=drop protocol=tcp dst-port=1364

42 ;;; screen cast
chain=virus action=drop protocol=tcp dst-port=1368

43 ;;; hromgrafx
chain=virus action=drop protocol=tcp dst-port=1373

44 ;;; cichlid
chain=virus action=drop protocol=tcp dst-port=1377

45 ;;; Worm
chain=virus action=drop protocol=tcp dst-port=1433-1434

46 ;;; Bagle Virus
chain=virus action=drop protocol=tcp dst-port=2745

47 ;;; Drop Dumaru.Y
chain=virus action=drop protocol=tcp dst-port=2283

48 ;;; Drop Beagle
chain=virus action=drop protocol=tcp dst-port=2535

49 ;;; Drop Beagle.C-K
chain=virus action=drop protocol=tcp dst-port=2745

50 ;;; Drop MyDoom
chain=virus action=drop protocol=tcp dst-port=3127-3128

51 ;;; Drop Backdoor OptixPro
chain=virus action=drop protocol=tcp dst-port=3410

52 ;;; Worm
chain=virus action=drop protocol=udp dst-port=4444

53 ;;; Worm
chain=virus action=drop protocol=tcp dst-port=4444

54 ;;; Drop Sasser
chain=virus action=drop protocol=tcp dst-port=5554

55 ;;; Drop Beagle.B
chain=virus action=drop protocol=tcp dst-port=8866

56 ;;; Drop Dabber.A-B
chain=virus action=drop protocol=tcp dst-port=9898

57 ;;; Drop Dumaru.Y
chain=virus action=drop protocol=tcp dst-port=10000

58 ;;; Drop MyDoom.B
chain=virus action=drop protocol=tcp dst-port=10080

59 ;;; Drop NetBus
chain=virus action=drop protocol=tcp dst-port=12345

60 ;;; Drop Kuang2
chain=virus action=drop protocol=tcp dst-port=17300

61 ;;; Drop SubSeven
chain=virus action=drop protocol=tcp dst-port=27374

62 ;;; Drop PhatBot, Agobot, Gaobot
chain=virus action=drop protocol=tcp dst-port=65506

63 ;;; jump to the virus chain
chain=forward action=jump jump-target=virus

64 ;;; Allow HTTP
chain=forward action=accept protocol=tcp dst-port=80

65 ;;; Allow SMTP
chain=forward action=accept protocol=tcp dst-port=25

66 ;;; allow ping
chain=forward action=accept protocol=icmp

67 ;;; allow TCP
chain=forward action=accept protocol=tcp

68 ;;; allow udp
chain=forward action=accept protocol=udp

69 ;;; drop everything else
chain=forward action=drop

70 ;;; drop ftp brute forcers
chain=input action=drop protocol=tcp src-address-list=ftp_blacklist
dst-port=21

71 chain=output action=accept protocol=tcp content=530 Login incorrect
dst-limit=1/1m,9,dst-address/1m

72 chain=output action=add-dst-to-address-list protocol=tcp
address-list=ftp_blacklist address-list-timeout=3h
content=530 Login incorrect

73 ;;; drop ssh brute forcers
chain=input action=drop protocol=tcp src-address-list=ssh_blacklist
dst-port=22

74 chain=input action=add-src-to-address-list connection-state=new
protocol=tcp src-address-list=ssh_stage3 address-list=ssh_blacklist
address-list-timeout=1w3d dst-port=22

75 ;;; drop ssh brute downstream
chain=forward action=drop protocol=tcp src-address-list=ssh_blacklist
dst-port=22

76 chain=pre-hs-input action=drop protocol=tcp dst-port=64872-64875
connection-limit=5,32

77 chain=pre-hs-input action=drop protocol=tcp dst-port=64872-64875
connection-limit=100,24

78 chain=input action=accept protocol=icmp limit=50/5s,2

79 ;;; Drop Traceroute
chain=forward action=drop protocol=icmp icmp-options=11:0

80 ;;; Drop Traceroute
chain=forward action=drop protocol=icmp icmp-options=3:3

I have disabled the rules marked I since they are invalid (I just disabled them rather than deleting them because you might give a correction).
