yomiciouz
just joined
Topic Author
Posts: 24
Joined: Wed Aug 04, 2004 3:37 pm
Location: Nigeria
Contact:

Virus Problem

Wed Dec 22, 2004 2:11 pm

Please can anyone help me block Blaster and any other known worm/virus from sending traffic to and from my network?

Thank you
 
[ASM]
Member Candidate
Posts: 284
Joined: Sun Jun 06, 2004 12:59 am
Location: Sofia, Bulgaria
Contact:

Wed Dec 22, 2004 2:13 pm

drop tcp port 137 and 445, and udp port 137-139.
 
yomiciouz
just joined
Topic Author
Posts: 24
Joined: Wed Aug 04, 2004 3:37 pm
Location: Nigeria
Contact:

Thu Dec 23, 2004 3:41 pm

Good, I tried it, but all of a sudden I am getting a Missing Plug-in error for winbox.

This is what I have:-

1. The MT has two interfaces bridged
2. The MT is only used to monitor and shape bandwidth

Now I want to create a Firewall Chain that would cause all traffic that is suspected to have a virus/worm to be dropped and logged.

I saw something like that on demo.mt.lv - Virus. I don't know if those ports specified there are real and if the firewall chain would work?

Please, I am confused; Blaster has eaten up my over 512kbps VSAT uplink and it's costing me a hell of money.

Thank you
 
bax
Member Candidate
Posts: 268
Joined: Mon Dec 20, 2004 8:45 pm
Location: Croatia

here is code from demo.mt.lv

Tue Jan 04, 2005 7:25 pm

Here is code from demo.mt.lv; the only thing to keep in mind is to change the web proxy port if you use 3128 (otherwise it will block web traffic).
ip firewall add name=virus
ip firewall rule input add in-interface=all action=jump jump-target=virus comment="!!! Check for well-known viruses !!!"
ip firewall rule forward add in-interface=all action=jump jump-target=virus comment="!!! Check for well-known viruses !!!"

ip firewall rule virus add dst-address=:135-139 protocol=tcp action=drop comment="Drop Blaster Worm." 
ip firewall rule virus add dst-address=:135-139 protocol=udp action=drop comment="Drop Messenger Worm."
ip firewall rule virus add dst-address=:445 protocol=tcp action=drop comment="Drop Blaster Worm."
ip firewall rule virus add dst-address=:445 protocol=udp action=drop comment="Drop Blaster Worm."
ip firewall rule virus add dst-address=:593 protocol=tcp action=drop comment=".........."
ip firewall rule virus add dst-address=:1024-1030 protocol=tcp action=drop comment=".........."
ip firewall rule virus add dst-address=:1080 protocol=tcp action=drop comment="Drop MyDoom"
ip firewall rule virus add dst-address=:1214 protocol=tcp action=drop comment=".........."
ip firewall rule virus add dst-address=:1363 protocol=tcp action=drop comment="ndm requester"
ip firewall rule virus add dst-address=:1364 protocol=tcp action=drop comment="ndm server"
ip firewall rule virus add dst-address=:1368 protocol=tcp action=drop comment="screen cast"
ip firewall rule virus add dst-address=:1373 protocol=tcp action=drop comment="hromgrafx"
ip firewall rule virus add dst-address=:1377 protocol=tcp action=drop comment="cichlid"
ip firewall rule virus add dst-address=:1433-1434 protocol=tcp action=drop comment="Worm"
ip firewall rule virus add dst-address=:2745 protocol=tcp action=drop comment="Bagle Virus"
ip firewall rule virus add dst-address=:2283 protocol=tcp action=drop comment="Drop Dumaru.Y"
ip firewall rule virus add dst-address=:2535 protocol=tcp action=drop comment="Drop Beagle"
ip firewall rule virus add dst-address=:3127-3128 protocol=tcp action=drop comment="Drop MyDoom"
ip firewall rule virus add dst-address=:3410 protocol=tcp action=drop comment="Drop Backdoor OptixPro"
ip firewall rule virus add dst-address=:4444 protocol=tcp action=drop comment="Worm"
ip firewall rule virus add dst-address=:4444 protocol=udp action=drop comment="Worm"
ip firewall rule virus add dst-address=:5554 protocol=tcp action=drop comment="Drop Sasser"
ip firewall rule virus add dst-address=:8866 protocol=tcp action=drop comment="Drop Beagle.B"
ip firewall rule virus add dst-address=:10000 protocol=tcp action=drop comment="Drop Dumaru.Y"
ip firewall rule virus add dst-address=:10080 protocol=tcp action=drop comment="Drop MyDoom.B"
ip firewall rule virus add dst-address=:12345 protocol=tcp action=drop comment="Drop NetBus"
ip firewall rule virus add dst-address=:17300 protocol=tcp action=drop comment="Drop Kuang2"
ip firewall rule virus add dst-address=:27374 protocol=tcp action=drop comment="Drop SubSeven"
ip firewall rule virus add dst-address=:65506 protocol=tcp action=drop comment="Drop PhatBot, Agobot, Gaobot"
 
GJS
Member
Posts: 418
Joined: Sat May 29, 2004 4:07 pm
Location: London

Tue Jan 04, 2005 9:00 pm

Not the quick answer you need, but for the long term I suggest encouraging your users to install AVG Free Anti-Virus software. It is completely free of charge and has solved many virus problems with my users.

'Hope that helps.
 
nikhil
Member Candidate
Posts: 262
Joined: Wed Dec 22, 2004 5:04 pm
Location: US

work

Tue Jan 04, 2005 9:48 pm

Will this setting work on a public interface and not drop any legitimate traffic ?? Please advise
 
nikhil
Member Candidate
Posts: 262
Joined: Wed Dec 22, 2004 5:04 pm
Location: US

work

Tue Jan 04, 2005 9:49 pm

Will this setting work on a public interface and not drop any legitimate traffic ?? Please advise
 
stephenpatrick
Forum Veteran
Posts: 702
Joined: Fri Aug 20, 2004 12:26 pm
Location: UK
Contact:

Wed Jan 05, 2005 2:28 am

I can vouch for AVG, it's kept several organisations I know virus-free for 3+ years since we used it.
A very small "gotcha", AVG6 ran on Windows-anything, the new AVG7 (6 about to be canned) won't run on a server. Not a huge cost though, and it works.

General point (possibly should be in BETA section):
It seems ISPs are relying on routers such as MT to block excessive traffic from viruses and P2P applications. End users rely on apps such as AVG, etc which update regularly - but a "smart router" could do the same for the ISP, protecting all users + service provision.
Thought: some sort of script that would "apply" sensible traffic rules (bandwidth use, ports) which can automatically be pasted to routers in an ISP/WISP network?
Some sort of semi-automatic download? with some "switches" that differentiate the role of router in the network, scale, etc?
Or a "panic kit" of scripts that could be downloaded for certain virus cases?

Is that feasible? ...

Regards
 
mag
Member
Posts: 376
Joined: Thu Jul 01, 2004 12:32 pm
Location: Cologne, NRW, Germany
Contact:

Re: work

Wed Jan 05, 2005 10:08 am

> Will this setting work on a public interface and not drop any legitimate traffic ?? Please advise

I tried it and it is looking good. (had to allow 3128/tcp for squid in rule 18)
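
An added example, not part of any post in this thread: a Python check of the posted drop rules against the services a site actually runs, which is how a conflict such as the 3128/tcp squid one mentioned above shows up before the rules are pasted. The six rules are copied from the list posted earlier; the service inventory and the 1025-5000 client ephemeral port range are assumptions.

```python
import re

# Six of the rules posted in this thread, copied from the page.
RULES = """\
ip firewall rule virus add dst-address=:135-139 protocol=tcp action=drop comment="Drop Blaster Worm."
ip firewall rule virus add dst-address=:445 protocol=tcp action=drop comment="Drop Blaster Worm."
ip firewall rule virus add dst-address=:1024-1030 protocol=tcp action=drop comment=".........."
ip firewall rule virus add dst-address=:1433-1434 protocol=tcp action=drop comment="Worm"
ip firewall rule virus add dst-address=:3127-3128 protocol=tcp action=drop comment="Drop MyDoom"
ip firewall rule virus add dst-address=:10000 protocol=tcp action=drop comment="Drop Dumaru.Y"
"""

# Constructed inventory of services the site really runs (assumption).
SERVICES = {("tcp", 80): "http", ("tcp", 3128): "squid web proxy",
            ("tcp", 10000): "webmin", ("udp", 53): "dns"}

RULE_RE = re.compile(
    r'dst-address=\S*?:(\d+)(?:-(\d+))?\s+protocol=(\w+)\s+action=(\w+)'
    r'(?:\s+comment="([^"]*)")?'
)

def parse_rules(text):
    """Return (proto, low_port, high_port, comment) for each drop rule."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.search(line)
        if m and m.group(4) == "drop":
            low = int(m.group(1))
            rules.append((m.group(3), low, int(m.group(2) or low), m.group(5) or ""))
    return rules

def service_conflicts(rules, services):
    """Drop rules that would also block a service from the inventory."""
    return [(proto, port, name, comment)
            for proto, low, high, comment in rules
            for (sproto, port), name in sorted(services.items())
            if sproto == proto and low <= port <= high]

def reply_port_overlaps(rules, eph_low=1025, eph_high=5000):
    """Rules matching only on destination port also match replies sent to a
    client whose source port is in the range (assumed ephemeral range)."""
    return [(p, low, high) for p, low, high, _ in rules
            if low <= eph_high and high >= eph_low]

if __name__ == "__main__":
    parsed = parse_rules(RULES)
    print("blocks service:", service_conflicts(parsed, SERVICES))
    print("may drop client replies:", reply_port_overlaps(parsed))
```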
 
Tmontana

Thu Jan 13, 2005 7:18 pm

Hi all,

Where can I get AVG free anti-virus software? Will appreciate it if you can point me to the download site.

Thanks.

Tony
 
yancho
Member Candidate
Posts: 207
Joined: Tue Jun 01, 2004 3:04 pm
Location: LV

Thu Jan 13, 2005 7:35 pm