open socks proxy!

Posted: Mon Sep 04, 2006 9:36 pm
by maroon
Dear All,

One of my clients has an e-mail server, and it's behind a MikroTik RouterOS. He is blacklisted now on SORBS.net; I contacted SORBS and found the reason why the server is blacklisted: there is an open SOCKS proxy.

I checked everything on the e-mail server concerning the relay issues, and I also checked the MikroTik for any SOCKS servers, and it was turned off. I only added a deny-all rule on the SOCKS server and changed the port.

What do you think the problem is, and how can it be solved?

Thank you guys for your support.

Regards,

Posted: Mon Sep 04, 2006 11:15 pm
by andrewluck
Block all access to the router from the Internet.

In the Input chain, you want a rule that allows Connection Established packets, then one that denies everything entering the router from the Internet.

The Established rule allows replies to things like DNS requests.

If you require remote management, then use the VPN server to access the router, or use SSH.

Regards

Andrew

Posted: Tue Sep 05, 2006 3:34 am
by hecklertm
Blocking input to the router does not stop people from accessing the proxy. I argued in another thread about this when someone told me to do the same thing. It does not work. The proxy service gets priority over the firewall rules.

The only way to stop people from using the router as an open proxy is to deny ALL traffic under "/ip proxy access" except from the specific IP addresses or networks that you do allow to use the proxy.

[maroon] Changing the ports will not help. People will scan out the ports and eventually find it on the different port.

If MT enforced the input firewall rules in front of the proxy service, then blocking the ports in the input chain would work. They told me to try it that way in the past, and I explained to them that it did NOT work. Eventually they said to put the deny statement in "/ip proxy access" and told me that I should not be worried about it. I protested, but the point was still dropped.

At least it is nice to hear that I am not the only one who thinks it should work blocking the ports in the input chain...

Posted: Tue Sep 05, 2006 10:11 am
by maroon
ok guys,

All your ideas and settings are well configured on the router.

any other ideas?

Posted: Tue Sep 05, 2006 9:56 pm
by andrewluck
Thanks for the heads-up on the firewall rules being bypassed. I certainly wasn't aware of that. A good argument for always running a port scan on systems to convince yourself that what you've set up is actually what you intended.

Regards

Andrew
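To confirm from the outside that the router no longer answers as an anonymous SOCKS proxy (the check Andrew suggests, aimed at the behaviour SORBS actually tests for rather than a bare port scan), here is an added Python probe. It is example code written for this thread, not code from the forum, from SORBS or from MikroTik. It runs the SOCKS5 handshake from RFC 1928: offer "no authentication", then request a CONNECT to an SMTP port. A router that grants the CONNECT is an open proxy whatever port it listens on, which is why hecklertm's point about changing ports holds; a deny in the access list shows up as reply code 0x02; a port that is closed or speaks something else (an SMTP banner, say) is reported as such. The hostnames, ports and scripted server transcripts below are constructed for offline demonstration. One caveat when applying the fix: RouterOS keeps the SOCKS server and its access list under `/ip socks`, separately from the HTTP proxy's `/ip proxy access`, so check the deny rule in both places and then re-run the probe.

```python
"""SOCKS5 open-proxy probe (added example, not the forum's or MikroTik's code).

Performs the anonymous CONNECT handshake an open-proxy checker uses so a router
can be tested from outside after its access lists are changed. The scripted
server transcripts at the bottom are constructed for offline use.
"""
import socket
import struct

SOCKS_VERSION = 0x05
METHOD_NO_AUTH = 0x00
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04

# REP codes from RFC 1928 section 6.
REPLY_TEXT = {
    0x00: "succeeded", 0x01: "general SOCKS server failure",
    0x02: "connection not allowed by ruleset", 0x03: "network unreachable",
    0x04: "host unreachable", 0x05: "connection refused", 0x06: "TTL expired",
    0x07: "command not supported", 0x08: "address type not supported",
}


def build_greeting() -> bytes:
    """Client greeting offering only 'no authentication' (VER, NMETHODS, METHODS)."""
    return bytes([SOCKS_VERSION, 1, METHOD_NO_AUTH])


def build_connect(host: str, port: int) -> bytes:
    """CONNECT request; dotted quads go as ATYP 1, anything else as a domain name."""
    try:
        dst = bytes([ATYP_IPV4]) + socket.inet_aton(host)
    except OSError:
        name = host.encode("idna")
        dst = bytes([ATYP_DOMAIN, len(name)]) + name
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00]) + dst + struct.pack("!H", port)


def recv_exact(sock, n: int) -> bytes:
    """Read exactly n bytes; a short read means the peer is not speaking SOCKS."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed before the reply was complete")
        buf += chunk
    return buf


def read_connect_reply(sock) -> int:
    """Consume one complete SOCKS5 reply (including BND.ADDR/BND.PORT) and return REP."""
    ver, rep, _rsv, atyp = recv_exact(sock, 4)
    if ver != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 reply")
    if atyp == ATYP_IPV4:
        addr_len = 4
    elif atyp == ATYP_IPV6:
        addr_len = 16
    elif atyp == ATYP_DOMAIN:
        addr_len = recv_exact(sock, 1)[0]
    else:
        raise ValueError("unknown address type in reply")
    recv_exact(sock, addr_len + 2)  # bound address and port, not needed here
    return rep


def probe_socks5(sock, target_host: str, target_port: int) -> str:
    """Drive the handshake over a connected socket and classify what answered."""
    try:
        sock.sendall(build_greeting())
        ver, method = recv_exact(sock, 2)
        if ver != SOCKS_VERSION:
            return "not-socks"
        if method != METHOD_NO_AUTH:
            return "auth-required"  # proxy exists but will not relay anonymously
        sock.sendall(build_connect(target_host, target_port))
        rep = read_connect_reply(sock)
    except (ValueError, OSError):  # ConnectionError is an OSError subclass
        return "not-socks"
    return "open" if rep == 0x00 else "refused (%s)" % REPLY_TEXT.get(rep, "code %d" % rep)


def check_host(host: str, port: int = 1080, target=("mx.example.net", 25), timeout=5.0) -> str:
    """Live check against a real address (hostname/target are placeholders); no answer counts as closed."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            return probe_socks5(sock, *target)
    except OSError:
        return "closed"


class ScriptedSocket:
    """Offline stand-in for a connected socket that replays a constructed server transcript."""

    def __init__(self, server_bytes: bytes):
        self.sent = []
        self._inbox = server_bytes

    def sendall(self, data):
        self.sent.append(bytes(data))

    def recv(self, n):
        chunk, self._inbox = self._inbox[:n], self._inbox[n:]
        return chunk


# Constructed transcripts for the states a router can be in.
OPEN_PROXY = b"\x05\x00" + b"\x05\x00\x00\x01" + b"\x00\x00\x00\x00" + b"\x00\x00"
ACCESS_LIST_DENY = b"\x05\x00" + b"\x05\x02\x00\x01" + b"\x00\x00\x00\x00" + b"\x00\x00"
AUTH_ONLY = b"\x05\xff"
SMTP_BANNER = b"220 mx.example.net ESMTP\r\n"

if __name__ == "__main__":
    for label, script in [("open", OPEN_PROXY), ("deny", ACCESS_LIST_DENY),
                          ("auth", AUTH_ONLY), ("smtp", SMTP_BANNER)]:
        print(label, "->", probe_socks5(ScriptedSocket(script), "mx.example.net", 25))
```

Against a real router, call `check_host("<router address>", <socks port>)` from a host outside the network; "open" means the blacklist is justified, "refused (connection not allowed by ruleset)" means the access-list deny is in effect, and "auth-required" or "closed" means anonymous relaying is not possible on that port. Repeat it for every port the server was moved to, since the moved port is what scanners will find.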