maroon
Member Candidate
Topic Author
Posts: 230
Joined: Thu Oct 07, 2004 11:15 am
Location: Lebanon
Contact:

open socks proxy!

Mon Sep 04, 2006 9:36 pm

Dear All,

One of my clients has an e-mail server behind a MikroTik RouterOS box. He is blacklisted now on SORBS.net. I contacted SORBS and found the reason why the server is blacklisted: there is an open SOCKS proxy.

I checked everything on the e-mail server concerning relay issues, and I also checked the MikroTik for any SOCKS servers; it was turned off. I only added a deny-all rule on the SOCKS server and changed the port.

What do you think the problem is, and how can it be solved?

Thank you guys for your support.

Regards,
 
andrewluck
Forum Veteran
Posts: 700
Joined: Fri May 28, 2004 9:05 pm
Location: Norfolk, UK

Mon Sep 04, 2006 11:15 pm

Block all access to the router from the Internet.

In the input chain, you want a rule that allows connection-state established packets, then one that denies everything entering the router from the Internet.

The Established rule allows replies to things like DNS requests.

If you require remote management, then use the VPN server to access the router, or use SSH.

Regards

Andrew
 
hecklertm
Member Candidate
Posts: 165
Joined: Fri Jun 24, 2005 5:12 am
Location: US

Tue Sep 05, 2006 3:34 am

Blocking input to the router does not stop people from accessing the proxy. I argued in another thread about this when someone told me to do the same thing. It does not work. The proxy service gets priority over the firewall rules.

The only way to stop people from using the router as an open proxy is to deny ALL traffic under "/ip proxy access" except from the specific IP addresses or networks that you do allow to use the proxy.

[maroon] Changing the ports will not help. People will scan the ports and eventually find it on a different port.

If MT enforced the input firewall rules in front of the proxy service, then blocking the ports in the input chain would work. They told me to try it that way in the past, and I explained to them that it did NOT work. Eventually they said to put the deny statement in "/ip proxy access" and told me that I should not be worried about it. I protested, but the point was still dropped.

At least it is nice to hear that I am not the only one who thinks blocking the ports in the input chain should work...
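Putting the two replies above into RouterOS console commands, as an added example that is not from either poster: andrewluck's input-chain rules and hecklertm's default-deny access list under /ip proxy access, plus the same treatment for the SOCKS server the thread is actually about. Applying both means the configuration holds whichever of the two the router evaluates first. It assumes the Internet-facing interface is called ether1 and the LAN is 192.168.88.0/24 (both placeholders); the command paths follow the thread, and exact syntax can differ between RouterOS versions.

```routeros
# Added example (not from the thread). Assumptions: WAN interface is ether1,
# LAN is 192.168.88.0/24. Replace both with the real values.

# 1. Turn the SOCKS server off; an e-mail server behind the router does not need it.
/ip socks set enabled=no

# 2. Keep a default-deny access list anyway, so re-enabling the service later
#    (or a different listening port) does not silently reopen an open proxy.
/ip socks access add src-address=192.168.88.0/24 action=allow comment="LAN only"
/ip socks access add action=deny comment="deny everyone else"

# 3. Same for the HTTP proxy, the list hecklertm refers to: deny all except
#    the networks that are allowed to use it.
/ip proxy set enabled=no
/ip proxy access add src-address=192.168.88.0/24 action=allow comment="LAN only"
/ip proxy access add action=deny comment="default deny"

# 4. Input chain in the order andrewluck describes: accept replies to traffic the
#    router itself originated (DNS, NTP), allow management from the LAN, then drop
#    everything else that arrives from the Internet.
/ip firewall filter add chain=input connection-state=established,related action=accept comment="replies to router-originated traffic"
/ip firewall filter add chain=input src-address=192.168.88.0/24 action=accept comment="management from LAN only"
/ip firewall filter add chain=input in-interface=ether1 action=drop comment="drop everything else from the Internet"

# 5. Check from the router side what is still enabled and listening.
/ip socks print
/ip proxy print
/ip service print
/ip firewall filter print chain=input
```

The check that settles the question for this particular router is the one andrewluck arrives at later in the thread: scan it from a host on the Internet rather than trusting the configuration. Something like `nmap -p 1080,3128,8080 --script socks-open-proxy,http-open-proxy <public IP>` from an outside host will report whether a SOCKS or HTTP proxy still answers; only once that comes back clean is it worth asking SORBS for delisting.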
 
maroon
Member Candidate
Topic Author
Posts: 230
Joined: Thu Oct 07, 2004 11:15 am
Location: Lebanon
Contact:

Tue Sep 05, 2006 10:11 am

ok guys,

All your ideas and settings are already well configured on the router.

any other ideas?
 
andrewluck
Forum Veteran
Posts: 700
Joined: Fri May 28, 2004 9:05 pm
Location: Norfolk, UK

Tue Sep 05, 2006 9:56 pm

Thanks for the heads-up on the firewall rules being bypassed. I certainly wasn't aware of that. A good argument for always running a port scan on systems to convince yourself that what you've set up is actually what you intended.

Regards

Andrew
