Alex
Member Candidate
Topic Author
Posts: 214
Joined: Thu Sep 30, 2004 11:07 am

virus port list

Thu Jun 16, 2005 1:14 am

Hello mikrotik guys!!
Can you upload the script with the blocked virus ports from the demo router to the forum or somewhere else? I can't log in via ftp to the demo router, and the demo user doesn't have write privileges...
 
edzix
Member
Posts: 333
Joined: Thu Jul 01, 2004 3:01 pm
Location: Latvia

Thu Jun 16, 2005 3:33 pm

copy/paste from the terminal.

Edgars
 
tbutcher
newbie
Posts: 43
Joined: Thu Apr 07, 2005 5:38 pm

Thu Jun 16, 2005 5:35 pm

How do you export them and then import then into another MT box?

Tim
 
bax
Member Candidate
Posts: 268
Joined: Mon Dec 20, 2004 8:45 pm
Location: Croatia

Thu Jun 16, 2005 8:02 pm

A few months ago I already put the full code on the forum ... just search the forum ...
Anyway, here is the code again:
ip firewall add name=virus
ip firewall rule input add in-interface=all action=jump jump-target=virus comment="!!! Check for well-known viruses !!!"
ip firewall rule forward add in-interface=all action=jump jump-target=virus comment="!!! Check for well-known viruses !!!"

ip firewall rule virus add dst-address=:135-139 protocol=tcp action=drop comment="Drop Blaster Worm." 
ip firewall rule virus add dst-address=:135-139 protocol=udp action=drop comment="Drop Messenger Worm."
ip firewall rule virus add dst-address=:445 protocol=tcp action=drop comment="Drop Blaster Worm."
ip firewall rule virus add dst-address=:445 protocol=udp action=drop comment="Drop Blaster Worm."
ip firewall rule virus add dst-address=:593 protocol=tcp action=drop comment=".........."
ip firewall rule virus add dst-address=:1024-1030 protocol=tcp action=drop comment=".........."
ip firewall rule virus add dst-address=:1080 protocol=tcp action=drop comment="Drop MyDoom"
ip firewall rule virus add dst-address=:1214 protocol=tcp action=drop comment=".........."
ip firewall rule virus add dst-address=:1363 protocol=tcp action=drop comment="ndm requester"
ip firewall rule virus add dst-address=:1364 protocol=tcp action=drop comment="ndm server"
ip firewall rule virus add dst-address=:1368 protocol=tcp action=drop comment="screen cast"
ip firewall rule virus add dst-address=:1373 protocol=tcp action=drop comment="hromgrafx"
ip firewall rule virus add dst-address=:1377 protocol=tcp action=drop comment="cichlid"
ip firewall rule virus add dst-address=:1433-1434 protocol=tcp action=drop comment="Worm"
ip firewall rule virus add dst-address=:2745 protocol=tcp action=drop comment="Bagle Virus"
ip firewall rule virus add dst-address=:2283 protocol=tcp action=drop comment="Drop Dumaru.Y"
ip firewall rule virus add dst-address=:2535 protocol=tcp action=drop comment="Drop Beagle"
ip firewall rule virus add dst-address=:3127-3128 protocol=tcp action=drop comment="Drop MyDoom"
ip firewall rule virus add dst-address=:3410 protocol=tcp action=drop comment="Drop Backdoor OptixPro"
ip firewall rule virus add dst-address=:4444 protocol=tcp action=drop comment="Worm"
ip firewall rule virus add dst-address=:4444 protocol=udp action=drop comment="Worm"
ip firewall rule virus add dst-address=:5554 protocol=tcp action=drop comment="Drop Sasser"
ip firewall rule virus add dst-address=:8866 protocol=tcp action=drop comment="Drop Beagle.B"
ip firewall rule virus add dst-address=:10000 protocol=tcp action=drop comment="Drop Dumaru.Y"
ip firewall rule virus add dst-address=:10080 protocol=tcp action=drop comment="Drop MyDoom.B"
ip firewall rule virus add dst-address=:12345 protocol=tcp action=drop comment="Drop NetBus"
ip firewall rule virus add dst-address=:17300 protocol=tcp action=drop comment="Drop Kuang2"
ip firewall rule virus add dst-address=:27374 protocol=tcp action=drop comment="Drop SubSeven"
ip firewall rule virus add dst-address=:65506 protocol=tcp action=drop comment="Drop PhatBot, Agobot, Gaobot"
Just copy and paste ...
 
Alex
Member Candidate
Topic Author
Posts: 214
Joined: Thu Sep 30, 2004 11:07 am

Fri Jun 17, 2005 12:14 am

thx
 
OrCAD
Member Candidate
Posts: 133
Joined: Wed Apr 20, 2005 12:37 pm

Thu Jul 07, 2005 12:40 am

Plz post the virus-rules list for 2.9 terminal input?
10x
 
sergejs
MikroTik Support
Posts: 6697
Joined: Thu Mar 31, 2005 3:33 pm
Location: Riga, Latvia

Thu Jul 07, 2005 11:10 am

ip firewall filter add chain=input ... etc.
ip firewall filter add chain=forward and etc. :roll: :wink:
ip firewall filter add chain=virus... and add whatever you need :roll: :wink:
Last edited by sergejs on Thu Jul 07, 2005 11:13 am, edited 1 time in total.
 
OrCAD
Member Candidate
Posts: 133
Joined: Wed Apr 20, 2005 12:37 pm

Thu Jul 07, 2005 1:10 pm

No problem, but it is very simple to copy & paste from the terminal...
only from OS 2.9, because the 2.8 input line is different..

another thanks
 
lovellh
just joined
Posts: 6
Joined: Mon Feb 14, 2005 2:03 pm

firewall

Sun Jul 10, 2005 8:08 am

Contents of the firewall policy

/ ip firewall
set input name="input" policy=accept comment=""
set forward name="forward" policy=accept comment=""
set output name="output" policy=accept comment=""
add name="virus" policy=none comment=""
/ ip firewall rule forward
add connection-state=invalid action=drop comment="Drop invalid connections" \
disabled=no
add connection-state=established action=accept comment="Established \
connections" disabled=no
add connection-state=related action=accept comment="Related connections" \
disabled=no
add action=jump jump-target=virus comment="!!! Check for well-known viruses \
!!!" disabled=no
add protocol=udp action=accept comment="UDP" disabled=no
add protocol=icmp limit-count=50 limit-burst=2 limit-time=5s action=accept \
comment="Allow limited pings" disabled=no
add protocol=icmp action=drop comment="Drop excess pings" disabled=no
/ ip firewall rule input
add connection-state=invalid action=drop comment="Drop invalid connections" \
disabled=no
add tcp-options=non-syn-only connection-state=established action=accept \
comment="Accept established connections" disabled=no
add connection-state=related action=accept comment="Accept related \
connections" disabled=no
add action=jump jump-target=virus comment="!!! Check for well-known viruses \
!!!" disabled=no
add protocol=udp action=accept comment="UDP" disabled=no
add protocol=icmp limit-count=50 limit-burst=2 limit-time=5s action=accept \
comment="Allow limited pings" disabled=no
add protocol=icmp action=drop comment="Drop excess pings" disabled=no
add dst-address=:22 protocol=tcp action=accept comment="SSH for demo \
purposes" disabled=no
add dst-address=:23 protocol=tcp action=accept comment="Telnet for demo \
purposes" disabled=no
add dst-address=:80 protocol=tcp action=accept comment="http for demo \
purposes" disabled=no
add dst-address=:3987 protocol=tcp action=accept comment="winbox for demo \
purposes" disabled=no
add action=drop log=yes comment="Log and drop everything else" disabled=no
/ ip firewall rule virus
add dst-address=:135-139 protocol=tcp action=drop comment="Drop Blaster Worm" \
disabled=no
add dst-address=:135-139 protocol=udp action=drop comment="Drop Messenger \
Worm" disabled=no
add dst-address=:445 protocol=tcp action=drop comment="Drop Blaster Worm" \
disabled=no
add dst-address=:445 protocol=udp action=drop comment="Drop Blaster Worm" \
disabled=no
add dst-address=:593 protocol=tcp action=drop comment="________" disabled=no
add dst-address=:1024-1030 protocol=tcp action=drop comment="________" \
disabled=no
add dst-address=:1080 protocol=tcp action=drop comment="Drop MyDoom" \
disabled=no
add dst-address=:1214 protocol=tcp action=drop comment="________" disabled=no
add dst-address=:1363 protocol=tcp action=drop comment="ndm requester" \
disabled=no
add dst-address=:1364 protocol=tcp action=drop comment="ndm server" \
disabled=no
add dst-address=:1368 protocol=tcp action=drop comment="screen cast" \
disabled=no
add dst-address=:1373 protocol=tcp action=drop comment="hromgrafx" \
disabled=no
add dst-address=:1377 protocol=tcp action=drop comment="cichlid" disabled=no
add dst-address=:1433-1434 protocol=tcp action=drop comment="Worm" \
disabled=no
add dst-address=:2745 protocol=tcp action=drop comment="Bagle Virus" \
disabled=no
add dst-address=:2283 protocol=tcp action=drop comment="Drop Dumaru.Y" \
disabled=no
add dst-address=:2535 protocol=tcp action=drop comment="Drop Beagle" \
disabled=no
add dst-address=:2745 protocol=tcp action=drop comment="Drop Beagle.C-K" \
disabled=no
add dst-address=:3127-3128 protocol=tcp action=drop comment="Drop MyDoom" \
disabled=no
add dst-address=:3410 protocol=tcp action=drop comment="Drop Backdoor \
OptixPro" disabled=no
add dst-address=:4444 protocol=tcp action=drop comment="Worm" disabled=no
add dst-address=:4444 protocol=udp action=drop comment="Worm" disabled=no
add dst-address=:5554 protocol=tcp action=drop comment="Drop Sasser" \
disabled=no
add dst-address=:8866 protocol=tcp action=drop comment="Drop Beagle.B" \
disabled=no
add dst-address=:9898 protocol=tcp action=drop comment="Drop Dabber.A-B" \
disabled=no
add dst-address=:10000 protocol=tcp action=drop comment="Drop Dumaru.Y" \
disabled=no
add dst-address=:10080 protocol=tcp action=drop comment="Drop MyDoom.B" \
disabled=no
add dst-address=:12345 protocol=tcp action=drop comment="Drop NetBus" \
disabled=no
add dst-address=:17300 protocol=tcp action=drop comment="Drop Kuang2" \
disabled=no
add dst-address=:27374 protocol=tcp action=drop comment="Drop SubSeven" \
disabled=no
add dst-address=:65506 protocol=tcp action=drop comment="Drop PhatBot, \
Agobot, Gaobot" disabled=no
 
gianluca
Member Candidate
Posts: 258
Joined: Sun Aug 08, 2004 11:00 pm
Location: Italy - Spain - USA

Mon Jul 11, 2005 11:09 pm

I suppose that p2p programs (like emule or edonkey or bittorrent) can also use these ports, so blocking viruses like that can also block the peer-to-peer program.

any experience on it?
 
OrCAD
Member Candidate
Posts: 133
Joined: Wed Apr 20, 2005 12:37 pm

Tue Jul 12, 2005 12:37 am

Plz post the list in OS 2.9 syntax!
10x
 
jp
Long time Member
Posts: 611
Joined: Wed Mar 02, 2005 5:06 am
Location: Maine

Tue Jul 12, 2005 5:29 pm

Couldn't any tcp program choose to use a port randomly above 1024 for a return path? Would these mess that up?
 
gianluca
Member Candidate
Posts: 258
Joined: Sun Aug 08, 2004 11:00 pm
Location: Italy - Spain - USA

Tue Jul 12, 2005 6:10 pm

that's what I am saying....
 
Vadim
newbie
Posts: 27
Joined: Sat May 29, 2004 9:58 pm
Location: Liepaja, Latvia

Thu Jul 14, 2005 1:14 pm

gianluca wrote:
    I suppose that p2p programs (like emule or edonkey or bittorrent) can also use these ports so that blocking virus like that can also block the peer to peer program.

    any experience on it?

Yes, that's true, but p2p programs select these ports randomly, and if the port is firewalled, they simply try another one. So, blocking some of these ports wouldn't affect operation of p2p programs.
 
marvin
Member Candidate
Posts: 119
Joined: Mon Nov 15, 2004 9:56 pm

Tue Jul 26, 2005 6:45 pm

Got a question for you. Is it possible to get the IP or MAC address of the computer that it finds the known virus on? We only use static IPs for our customers, so we would immediately know who it came from and could call or email them, informing them that a possible virus has been detected on their system.
 
Vadim
newbie
Posts: 27
Joined: Sat May 29, 2004 9:58 pm
Location: Liepaja, Latvia

Tue Jul 26, 2005 9:40 pm

Hi, Marvin
The easiest way to do this is turning on logging on the firewall rule that filters the unwanted virus activity. Or you can create a forwarding rule for any specific part of the traffic with the "passthrough" action, and turn on logging on it.
Be careful if you do this from winbox on a heavily loaded system. Catching a couple of thousand packets within a few seconds, while the log window is open, can hang your router. Turn logging off before opening a log window.
 
gianluca
Member Candidate
Posts: 258
Joined: Sun Aug 08, 2004 11:00 pm
Location: Italy - Spain - USA

Tue Jul 26, 2005 11:12 pm

we are thinking about a deeper solution:

pass all the traffic through a chain called virus (that checks all viruses with the rules explained here)

we also limit the maximum connections per src-address to 120, so if a virus is opening a lot of connections this fills up the connection limit and the customer cannot use the internet.

if a virus is found for a certain IP address we would like to redirect the user to a local web page that says: attention, you have a virus.

an extra function can be to show the name of the virus (if we know the rule that blocked the traffic) and also have the patch for this/all viruses downloadable from this page.

is there someone with good ideas on it or who would like to collaborate on such a solution? we can set up a team and create this very added-value solution for the residential market customers.
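Vadim's suggestion above is to log on the virus rules and read the source address out of the log, and gianluca's idea is to name the virus from the rule that fired. The following is an added example, not code from the thread: it parses constructed log lines in a RouterOS-like firewall log format (the exact format on your version may differ, so the regex is an assumption) and reports sources that hit the virus chain repeatedly, with the rule comment taken from the port list posted in this thread.

```python
# Added example (not from the thread): summarise the log lines a logging
# virus rule produces, so an operator with static customer addresses can see
# which source is emitting worm traffic and which rule caught it. Sample lines
# are constructed to resemble RouterOS firewall log output; adjust LINE_RE if needed.
import re
from collections import Counter, defaultdict

# Port range -> rule comment, taken from the virus chain posted in this thread.
RULE_NAMES = {
    (135, 139): "Drop Blaster Worm",
    (445, 445): "Drop Blaster Worm",
    (3127, 3128): "Drop MyDoom",
    (5554, 5554): "Drop Sasser",
}

LINE_RE = re.compile(
    r"proto (?P<proto>[A-Z]+).*?"
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+)->"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)"
)

def rule_name(dport):
    for (lo, hi), name in RULE_NAMES.items():
        if lo <= dport <= hi:
            return name
    return "unknown"

def parse_line(line):
    """Return (src_ip, dst_port, rule_name), or None for a non-firewall line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    dport = int(m.group("dport"))
    return m.group("src"), dport, rule_name(dport)

def summarise(lines, threshold=3):
    """Sources with at least `threshold` hits, with the rule names that fired."""
    hits, names = Counter(), defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, _, name = parsed
        hits[src] += 1
        names[src].add(name)
    return {src: (n, sorted(names[src])) for src, n in hits.items() if n >= threshold}

# Constructed sample (documentation addresses), not real router output.
SAMPLE_LOG = [
    "firewall,info virus drop forward: in:ether2 out:ether1, proto TCP (SYN), 192.0.2.10:1054->198.51.100.7:445, len 48",
    "firewall,info virus drop forward: in:ether2 out:ether1, proto TCP (SYN), 192.0.2.10:1055->198.51.100.8:445, len 48",
    "firewall,info virus drop forward: in:ether2 out:ether1, proto TCP (SYN), 192.0.2.10:1056->198.51.100.9:5554, len 48",
    "firewall,info virus drop forward: in:ether2 out:ether1, proto TCP (SYN), 192.0.2.20:3001->198.51.100.7:3128, len 48",
    "system,info,account user admin logged in from 192.0.2.99 via winbox",
]

if __name__ == "__main__":
    for src, (count, rules) in summarise(SAMPLE_LOG).items():
        print(f"{src}: {count} hits ({', '.join(rules)})")
```

Feed it the output of /log print (or a remote syslog file) instead of SAMPLE_LOG; the threshold keeps a single stray packet from flagging a customer.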
 
timew
just joined
Posts: 12
Joined: Mon Oct 11, 2004 8:31 pm

2.9 version

Sat Aug 20, 2005 10:40 pm

/ip firewall filter add chain=virus comment="Reglas Antivirus"


/ip firewall filter add chain=forward connection-state=invalid action=drop comment="Drop invalid connections" disabled=no
/ip firewall filter add chain=forward connection-state=established action=accept comment="Established Connections" disabled=no
/ip firewall filter add chain=forward connection-state=related action=accept comment="Related connections" disabled=no
/ip firewall filter add chain=forward action=jump jump-target=virus comment="!!! Check for well-known viruses !!!" disabled=no
/ip firewall filter add chain=forward protocol=udp action=accept comment="UDP" disabled=no
/ip firewall filter add chain=forward protocol=icmp limit=50/5,2 action=accept comment="Allow limited Pings" disabled=no
/ip firewall filter add chain=forward protocol=icmp action=drop comment="Drop excess pings" disabled=no


/ip firewall filter add chain=input connection-state=invalid action=drop comment="Drop invalid connections" disabled=no
/ip firewall filter add chain=input tcp-flags=!syn connection-state=established action=accept comment="Accept established connections" disabled=no
/ip firewall filter add chain=input connection-state=related action=accept comment="Accept related connections" disabled=no
/ip firewall filter add chain=input action=jump jump-target=virus comment="!!! Check for well-known viruses !!!" disabled=no
/ip firewall filter add chain=input protocol=udp action=accept comment="UDP" disabled=no
/ip firewall filter add chain=input protocol=icmp limit=50/5,2 action=accept comment="Allow limited pings" disabled=no
/ip firewall filter add chain=input protocol=icmp action=drop comment="Drop excess pings" disabled=no
/ip firewall filter add chain=input dst-port=22 protocol=tcp action=accept comment="SSH for demo purposes" disabled=no
/ip firewall filter add chain=input dst-port=23 protocol=tcp action=accept comment="Telnet for demo purposes" disabled=no
/ip firewall filter add chain=input dst-port=80 protocol=tcp action=accept comment="http for demo purposes" disabled=no
/ip firewall filter add chain=input dst-port=3987 protocol=tcp action=accept comment="winbox for demo purposes" disabled=no
/ip firewall filter add chain=input action=accept log=yes comment="Log and drop everything else" disabled=no


/ip firewall filter add chain=virus dst-port=135-139 protocol=tcp action=drop comment="Drop Blaster Worm" disabled=no
/ip firewall filter add chain=virus dst-port=135-139 protocol=udp action=drop comment="Drop Messenger Worm" disabled=no
/ip firewall filter add chain=virus dst-port=445 protocol=tcp action=drop comment="Drop Blaster Worm" disabled=no
/ip firewall filter add chain=virus dst-port=445 protocol=udp action=drop comment="Drop Blaster Worm" disabled=no
/ip firewall filter add chain=virus dst-port=593 protocol=tcp action=drop comment="________" disabled=no
/ip firewall filter add chain=virus dst-port=1024-1030 protocol=tcp action=drop comment="________" disabled=no
/ip firewall filter add chain=virus dst-port=1080 protocol=tcp action=drop comment="Drop MyDoom" disabled=no
/ip firewall filter add chain=virus dst-port=1214 protocol=tcp action=drop comment="________" disabled=no
/ip firewall filter add chain=virus dst-port=1363 protocol=tcp action=drop comment="ndm requester" disabled=no
/ip firewall filter add chain=virus dst-port=1364 protocol=tcp action=drop comment="ndm server" disabled=no
/ip firewall filter add chain=virus dst-port=1368 protocol=tcp action=drop comment="screen cast" disabled=no
/ip firewall filter add chain=virus dst-port=1373 protocol=tcp action=drop comment="hromgrafx" disabled=no
/ip firewall filter add chain=virus dst-port=1377 protocol=tcp action=drop comment="cichlid" disabled=no
/ip firewall filter add chain=virus dst-port=1433-1434 protocol=tcp action=drop comment="Worm" disabled=no
/ip firewall filter add chain=virus dst-port=2745 protocol=tcp action=drop comment="Bagle Virus" disabled=no
/ip firewall filter add chain=virus dst-port=2283 protocol=tcp action=drop comment="Drop Dumaru.Y" disabled=no
/ip firewall filter add chain=virus dst-port=2535 protocol=tcp action=drop comment="Drop Beagle" disabled=no
/ip firewall filter add chain=virus dst-port=2745 protocol=tcp action=drop comment="Drop Beagle.C-K" disabled=no
/ip firewall filter add chain=virus dst-port=3127-3128 protocol=tcp action=drop comment="Drop MyDoom" disabled=no
/ip firewall filter add chain=virus dst-port=3410 protocol=tcp action=drop comment="Drop Backdoor OptixPro" disabled=no
/ip firewall filter add chain=virus dst-port=4444 protocol=tcp action=drop comment="Worm" disabled=no
/ip firewall filter add chain=virus dst-port=4444 protocol=udp action=drop comment="Worm" disabled=no
/ip firewall filter add chain=virus dst-port=5554 protocol=tcp action=drop comment="Drop Sasser" disabled=no
/ip firewall filter add chain=virus dst-port=8866 protocol=tcp action=drop comment="Drop Beagle.B" disabled=no
/ip firewall filter add chain=virus dst-port=9898 protocol=tcp action=drop comment="Drop Dabber.A-B" disabled=no
/ip firewall filter add chain=virus dst-port=10000 protocol=tcp action=drop comment="Drop Dumaru.Y" disabled=no
/ip firewall filter add chain=virus dst-port=10080 protocol=tcp action=drop comment="Drop MyDoom.B" disabled=no
/ip firewall filter add chain=virus dst-port=12345 protocol=tcp action=drop comment="Drop NetBus" disabled=no
/ip firewall filter add chain=virus dst-port=17300 protocol=tcp action=drop comment="Drop Kuang2" disabled=no
/ip firewall filter add chain=virus dst-port=27374 protocol=tcp action=drop comment="Drop SubSeven" disabled=no
/ip firewall filter add chain=virus dst-port=65506 protocol=tcp action=drop comment="Drop PhatBot, Agobot, Gaobot" disabled=no
 
arffer
just joined
Posts: 21
Joined: Tue Mar 29, 2005 3:14 am

Fri Sep 09, 2005 1:57 am

Three questions about timew's filter set

1) In the chain=forward set, the 4th rule does a jump to the virus chain. As the virus chain does not have a return at its end, how do the remaining 3 forward rules ever get tested? (udp accept, limit pings, drop excess pings). I don't see how the chain ever gets back to those rules.

2) In the chain=input section, rule 4 also does a jump to the virus check chain. How can the actual router itself successfully be attacked by a virus/worm? Does the actual router really need protecting by this chain?

3) The last rule in the chain=input section states in the comment that the rule will log and drop everything else. But the action on the rule is accept. Shouldn't it be drop?

Thanks for helping me learn! :)
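To see how timew's rule order above behaves for a given packet, here is an added example (not from the thread or from MikroTik): a small evaluator over a condensed copy of those chains. It assumes the usual RouterOS/iptables semantics, which are not stated in the thread: first matching rule decides, a jump enters the target chain, and when the target chain ends without a match evaluation resumes at the next rule of the calling chain, with a built-in chain falling back to its policy.

```python
# Added example (not from the thread): a minimal evaluator for the RouterOS 2.9
# filter rules posted above, to show how chain order and "jump" decide a packet.
# Assumed semantics: first match decides; "jump" enters the target chain, and if
# it ends without a match, evaluation continues at the next rule of the caller.
# Connection-state and rate-limit matchers are not modelled.
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str           # "tcp", "udp" or "icmp"
    dst_port: int = 0    # 0 for icmp

def port_in(dst_port, spec):
    """True if dst_port is inside a RouterOS port spec like "445" or "135-139"."""
    lo, _, hi = spec.partition("-")
    return int(lo) <= dst_port <= int(hi or lo)

# Condensed from timew's post: (match, action) pairs in posted order. The virus
# chain keeps a few representative ports; the full list is in the thread.
CHAINS = {
    "forward": [
        ({}, "jump:virus"),
        ({"protocol": "udp"}, "accept"),
        ({"protocol": "icmp"}, "accept"),   # "Allow limited pings" (limit ignored)
        ({"protocol": "icmp"}, "drop"),
    ],
    "input": [
        ({}, "jump:virus"),
        ({"protocol": "udp"}, "accept"),
        ({"protocol": "tcp", "dst-port": "22"}, "accept"),
        ({}, "accept"),   # posted as "Log and drop everything else" but action=accept
    ],
    "virus": [
        ({"protocol": "tcp", "dst-port": "135-139"}, "drop"),
        ({"protocol": "udp", "dst-port": "135-139"}, "drop"),
        ({"protocol": "tcp", "dst-port": "445"}, "drop"),
    ],
}

def matches(match, pkt):
    if "protocol" in match and match["protocol"] != pkt.proto:
        return False
    if "dst-port" in match and not port_in(pkt.dst_port, match["dst-port"]):
        return False
    return True

def evaluate(chain, pkt, policy="accept"):
    """Terminating action for pkt in chain, or `policy` when no rule matches."""
    for match, action in CHAINS[chain]:
        if not matches(match, pkt):
            continue
        if action.startswith("jump:"):
            result = evaluate(action[5:], pkt, policy=None)
            if result is not None:
                return result
            continue   # target chain exhausted: carry on with the next rule
        return action
    return policy
```

Changing the last input rule's action to "drop" in CHAINS and re-running evaluate("input", Packet("tcp", 3389)) shows the difference arffer's third question is about.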
