Hi There.
I have no idea how to make it so that is way i am here, how can i make a rule to my firewall that every trafic that comes from the internet get's droop , and then i will be open just the ports that i want.
How can i do this?
Thanks
Daniel Abreu
Re: Firewall.
assuming that your LAN is 192.168.0.0/24 I believe this is a good set of rules.
It will allow per-to-per traffic on your lan and will drop all packets from trying to reach your LAN unless the traffic is initiated from the LAN side.
/ip firewall filter
add action=drop chain=forward comment="" connection-state=invalid disabled=no
add action=accept chain=forward comment="" connection-state=established disabled=no
add action=accept chain=forward comment="" connection-state=related disabled=no
add action=accept chain=forward comment="" connection-state=new disabled=no src-address=192.168.0.0/24
add action=log chain=forward comment="" disabled=no dst-address=192.168.0.0/24 log-prefix=UNWANTED src-address=!192.168.0.0/24
add action=drop chain=forward comment="" disabled=no dst-address=192.168.0.0/24 src-address=!192.168.0.0/24
add action=accept chain=input comment="" disabled=no dst-port=22 protocol=tcp src-address=192.168.0.0/24
add action=log chain=input comment="" disabled=no dst-port=22 log-prefix="" protocol=tcp
add action=drop chain=input comment="" disabled=no dst-port=22 protocol=tcp
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061
set pptp disabled=no
It will allow per-to-per traffic on your lan and will drop all packets from trying to reach your LAN unless the traffic is initiated from the LAN side.
/ip firewall filter
add action=drop chain=forward comment="" connection-state=invalid disabled=no
add action=accept chain=forward comment="" connection-state=established disabled=no
add action=accept chain=forward comment="" connection-state=related disabled=no
add action=accept chain=forward comment="" connection-state=new disabled=no src-address=192.168.0.0/24
add action=log chain=forward comment="" disabled=no dst-address=192.168.0.0/24 log-prefix=UNWANTED src-address=!192.168.0.0/24
add action=drop chain=forward comment="" disabled=no dst-address=192.168.0.0/24 src-address=!192.168.0.0/24
add action=accept chain=input comment="" disabled=no dst-port=22 protocol=tcp src-address=192.168.0.0/24
add action=log chain=input comment="" disabled=no dst-port=22 log-prefix="" protocol=tcp
add action=drop chain=input comment="" disabled=no dst-port=22 protocol=tcp
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061
set pptp disabled=no
Re: Firewall.
Hi!
Thanks very much for your help , i just want one more favor , i have no idea what each rule does.
Can you please just let me know ? i will be very glad for you help!
Thanks
Daniel Abreu
Thanks very much for your help , i just want one more favor , i have no idea what each rule does.
Can you please just let me know ? i will be very glad for you help!
Thanks
Daniel Abreu
Re: Firewall.
Try to reach me on skype pilgrim_dk then I can explain.
rgs Pilgrim
rgs Pilgrim
Re: Firewall.
wend can i skype you?
Re: Firewall.
Now would be a good time. Or can be any time. If I am online then just skype me. The reason I think it is better with skype is that once you get the firewall in place then you will probably face a new set of problems with the forwarding. That's what happened in my case anyway.
rgs Pilgrim
rgs Pilgrim