navibaghdad
newbie
Topic Author
Posts: 27
Joined: Mon Oct 09, 2006 5:38 pm

firewall filter

Sun Sep 02, 2007 2:28 am

Hello all,

Can anyone explain to me what the benefit of these 2 rules is?

/ip firewall filter
add chain=input action=drop protocol=tcp connection-limit=2,32 \
src-address-list=black_list comment="suppress DoS attack from 1 IP" \
disabled=no
add chain=input action=add-src-to-address-list protocol=tcp \
connection-limit=10,32 address-list=black_list address-list-timeout=1d \
comment="detect DoS attack 1 IP" disabled=no
 
tamahome
Frequent Visitor
Posts: 87
Joined: Thu Jun 28, 2007 11:25 pm
Location: Buenos Aires

Re: firewall filter

Sun Sep 02, 2007 4:25 pm

I don't know much about it, but the first rule allows only 1 TCP connection for the IPs in your black list, to prevent Denial of Service attacks that establish a lot of TCP connections to bring down the service.
The second rule adds to your black list the IP of machines that attempt more than 10 connections. I could be wrong on this one, but I think 10 TCP connections is very few. I have set my MT to 50 connections because P2P brings up a lot of them.

Maybe some guru can explain it to you correctly =P, bye.
 
navibaghdad
newbie
Topic Author
Posts: 27
Joined: Mon Oct 09, 2006 5:38 pm

Re: firewall filter

Sun Sep 02, 2007 4:41 pm

Thanks for your reply, but more than 40% of my clients were added to the black list, so do you think all of them are attacking the network? Please, if anyone can advise and explain it to me.

Regards,
 
tamahome
Frequent Visitor
Posts: 87
Joined: Thu Jun 28, 2007 11:25 pm
Location: Buenos Aires

Re: firewall filter

Sun Sep 02, 2007 5:35 pm

No, I think the TCP limit is set too low. As I said before, any P2P software could easily establish 100 TCP connections, and your rule is set to 10 connections and above.
 
samsoft08
Long time Member
Posts: 613
Joined: Sat Nov 26, 2005 10:52 pm

Re: firewall filter

Sun Sep 02, 2007 7:48 pm

I don't know where you got these rules from, but I think there is a mistake with detecting the DoS attack; it's not like that.
If you want to limit per-IP connections to 11 connections, as an example, you have to use this rule:
add action=drop chain=forward comment="" connection-limit=10,32 disabled=no in-interface=((local )) protocol=tcp tcp-flags=syn
 
jrogatis
just joined
Posts: 16
Joined: Thu Sep 21, 2006 7:34 pm
Location: São Paulo, Brazil

Re: firewall filter

Mon Sep 03, 2007 3:20 am

The correct rules are:

add chain=input action=tarpit protocol=tcp src-address-list=Add_Ddos \
comment="TARPIT new connections from the dos source ip" disabled=no

add chain=input action=add-src-to-address-list protocol=tcp \
connection-limit=10,32 src-address-list=!IPsListaBranca \
address-list=Add_Ddos address-list-timeout=12h comment="Create a list of IPS trying to open more then 10 conections TO(IMPUT CHAIN) the router" \
disabled=no
 
samsoft08
Long time Member
Posts: 613
Joined: Sat Nov 26, 2005 10:52 pm

Re: firewall filter

Mon Sep 03, 2007 3:37 am

This rule is only for limiting connections, not for detecting a DoS attack; many programs need more than 10 connections, like Skype and P2P.
And you have to add tcp-flags=syn.
 
jrogatis
just joined
Posts: 16
Joined: Thu Sep 21, 2006 7:34 pm
Location: São Paulo, Brazil

Re: firewall filter

Mon Sep 03, 2007 4:25 am

To (input) the router with more than 10 connections per second, it's a DoS for sure!!!! P2P and user connections go through the router (forward)!!!! SYN is another kind of attack... you can deal with that too. Limit to no more than 25 TCP SYNs per second (forward and input).
But what do you want: to prevent a DoS, or to limit a P2P user's number of connections?
 
samsoft08
Long time Member
Posts: 613
Joined: Sat Nov 26, 2005 10:52 pm

Re: firewall filter

Mon Sep 03, 2007 4:39 am

I just tested input at 10 connections per second. It's too limited!! Many "cannot display page" errors will appear while opening normal sites plus MSN and Yahoo messengers, which is what most users do. As navibaghdad said, all users will be in the black list!!!
 
jrogatis
just joined
Posts: 16
Joined: Thu Sep 21, 2006 7:34 pm
Location: São Paulo, Brazil

Re: firewall filter

Mon Sep 03, 2007 4:53 am

Which chain, forward or input?
 
samsoft08
Long time Member
Posts: 613
Joined: Sat Nov 26, 2005 10:52 pm

Re: firewall filter

Mon Sep 03, 2007 5:09 am

Input, as in your example.
 
jrogatis
just joined
Posts: 16
Joined: Thu Sep 21, 2006 7:34 pm
Location: São Paulo, Brazil

Re: firewall filter

Mon Sep 03, 2007 6:47 am

Are you NATing your clients? If yes, you have a problem; you can't use my filters, because every connection goes to the router and is then NATed... Try using two different routers or interfaces and routing between them, using the rules on the external one and NATing on the internal... It's an idea...
 
navibaghdad
newbie
Topic Author
Posts: 27
Joined: Mon Oct 09, 2006 5:38 pm

Re: firewall filter

Tue Sep 04, 2007 6:55 pm

OK jrogatis, you mean these rules are wrong? Or what? Please advise.
 
samsoft08
Long time Member
Posts: 613
Joined: Sat Nov 26, 2005 10:52 pm

Re: firewall filter

Tue Sep 04, 2007 9:45 pm

Dear navibaghdad, don't limit INPUT because you are NATting; it will kill your customers' connections. Just limit forward connections.

These guys, you know, don't do NAT. Be careful: most of their suggestions and examples don't apply to us; they think we're like them, all real IPs, hahahaha.
 
navibaghdad
newbie
Topic Author
Posts: 27
Joined: Mon Oct 09, 2006 5:38 pm

Re: firewall filter

Wed Sep 05, 2007 2:28 am

Thanks Sam for your clarification. (Sorry, I will write in Arabic to explain something to Sam.)
God bless your parents, uncle, you should have told me it was like this; half of my users have ended up in the black list. By the way, I swear I haven't forgotten you about the matter of the cases; they're still looking for them for me.
 
digicomtech
Frequent Visitor
Posts: 77
Joined: Fri Apr 20, 2007 5:03 pm
Location: Alma, Qc, Canada

Re: firewall filter

Wed Oct 03, 2007 4:07 am

Dear firewall users,

According to the manual:
http://www.mikrotik.com/testdocs/ros/2.9/ip/flow.php

The prerouting chain is performed before the INPUT chain, so even if you NAT client addresses it doesn't matter; every packet reaching the INPUT chain is destined for the router itself. I have many routers that NAT clients, and I have put these rules on them to block HTTP, FTP, SSH and Telnet access to the router itself:
/ip firewall filter
add action=accept chain=input comment="" disabled=no dst-address=xxx.xxx.xxx.x \
    src-address-list=DIGICOM
add action=tarpit chain=input comment="" disabled=no dst-address=xxx.xxx.xxx.x \
    dst-port=20-23,80 protocol=tcp


Clients still have access to FTP or HTTP, because these rules are in INPUT and USE the PUBLIC dst-address of the router... I repeat, the public address of the router. Don't use the local interface address of the NAT router, as it is probably the gateway of your clients :P

The 2 rules you described in your first post:
add chain=input action=drop protocol=tcp connection-limit=2,32 \
src-address-list=black_list comment="suppress DoS attack from 1 IP" \
disabled=no
add chain=input action=add-src-to-address-list protocol=tcp \
connection-limit=10,32 address-list=black_list address-list-timeout=1d \
comment="detect DoS attack 1 IP" disabled=no
are missing one important parameter, I think: the dst-address you want to protect against attack!

Try adding the dst-address parameter and give feedback please!

Regards,
Michael
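As an added illustration (not posted by anyone in this thread), here is a small Python model of how an input-chain `connection-limit=<limit>,<netmask>` rule counts open connections per source, and what changes when the `dst-address` parameter digicomtech suggests is added. The addresses, the connection counts and the assumption that some NATed LAN clients open many sessions to the router's own LAN address are constructed for the example.

```python
import ipaddress
from collections import Counter

def connection_limit_matches(conns, limit, netmask, dst_address=None):
    """Model of the RouterOS input-chain matcher connection-limit=<limit>,<netmask>:
    open TCP connections are grouped by source address masked to /netmask, and a
    group matches once it holds MORE than `limit` connections (10,32 -> 11+ per host).
    `dst_address` mimics adding dst-address= to the rule: only connections to that
    address are counted.  Returns the set of matching source networks as strings."""
    counts = Counter()
    for src, dst in conns:
        if dst_address is not None and dst != dst_address:
            continue  # rule carries dst-address= and this connection is to another IP
        net = ipaddress.ip_network(f"{src}/{netmask}", strict=False)
        counts[str(net)] += 1
    return {net for net, n in counts.items() if n > limit}

# Constructed scenario (assumption, not from the thread): the router NATs a LAN
# behind 192.168.1.1 and has the public address 198.51.100.1.
ROUTER_LAN = "192.168.1.1"
ROUTER_PUBLIC = "198.51.100.1"

def sample_connections():
    """Constructed table of (src, dst) connections currently open to the router."""
    conns = []
    conns += [("203.0.113.7", ROUTER_PUBLIC)] * 40   # one external host hammering the public IP
    conns += [("192.168.1.20", ROUTER_LAN)] * 15     # LAN client with many sessions to its gateway
    conns += [("192.168.1.30", ROUTER_LAN)] * 4      # ordinary LAN clients
    conns += [("192.168.1.40", ROUTER_LAN)] * 3
    return conns

def compare_rules():
    conns = sample_connections()
    return {
        # the thread's original rule: connection-limit=10,32 with no dst-address
        "no_dst": connection_limit_matches(conns, 10, 32),
        # digicomtech's suggestion: the same rule restricted to the public address
        "public_dst": connection_limit_matches(conns, 10, 32, ROUTER_PUBLIC),
        # caveat: a /24 netmask lumps the whole LAN into one counter
        "slash24_no_dst": connection_limit_matches(conns, 10, 24),
    }

if __name__ == "__main__":
    for name, hits in compare_rules().items():
        print(f"{name:15} -> {sorted(hits)}")
```

Without `dst-address` the busy LAN client is flagged alongside the external host, which is the kind of false positive the thread describes; restricting the rule to the public address leaves only the external host, while a /24 netmask would blacklist every client in the LAN at once.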
