34T Forums
Forum: Lobometrics > Lobometrics news
Topic: how to secure my Lobo

miltoncg
Posted - 05/01/2010 17:47:32

Dear all,

I have a Lobo 924 T that is doing NAT. I have separated the ether and the wlan. The clients that connect to my Lobo over wireless are laptops. The problem is that all of my clients can reach the Winbox administration of the device. What I want is that none of my clients can access the device. Note that my clients use DHCP. What do you suggest I should do on the firewall side to block this access? My questions are the following:

What should I configure in the Lobo's firewall?

Marc
Posted - 06/01/2010 21:00:31

What you should do is block the incoming addresses from the range handed out by the DHCP server to the Winbox ports, 8291 TCP and 5678. You can also block telnet, ssh, etc.

Although if you have a user created for administering the device, you already have it solved.
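Marc's suggestion written out as RouterOS commands. This is an added example, not code from the thread: the interface names (wlan1 for the wireless clients, ether1 for the wired admin side) and the addresses (192.168.10.0/24 as the DHCP client pool, 192.168.1.10 as the admin workstation) are assumptions to be replaced with the real ones. It goes a little beyond the post: besides dropping the management ports from the client subnet it also binds the services to the admin address (so a guessed or leaked password is not the only barrier) and closes the MAC-Winbox path, which the IP firewall never sees. One detail on the ports: Winbox connects on TCP/8291; UDP/5678 is MNDP, the neighbor-discovery protocol Winbox uses to list routers, so dropping it only hides the router from the neighbor list.

```routeros
# Added example, not from the thread. Assumptions: wireless clients on wlan1 get
# leases from 192.168.10.0/24; the administrator's PC is 192.168.1.10 on ether1.

# 1. Bind the management services to the admin address so they do not answer
#    other sources at all, and switch off the ones you do not use.
/ip service
set winbox address=192.168.1.10/32
set ssh address=192.168.1.10/32
set www address=192.168.1.10/32
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes

# 2. Firewall: drop management ports arriving from the client pool on wlan1.
#    These must sit ABOVE any generic accept rule in the input chain; "add"
#    appends at the end, so use place-before (rule 0 here) when the chain
#    already has rules.
/ip firewall filter
add chain=input in-interface=wlan1 src-address=192.168.10.0/24 protocol=tcp dst-port=21,22,23,80,443,8291,8728 action=drop comment="no management from wireless clients" place-before=0
# UDP/5678 is MNDP (neighbor discovery), not the Winbox session itself;
# dropping it keeps the router out of the clients' Winbox neighbor list.
add chain=input in-interface=wlan1 protocol=udp dst-port=5678 action=drop comment="hide router from MNDP" place-before=0

# 3. Winbox can also connect by MAC address, which bypasses /ip firewall filter
#    completely. Limit MAC-Winbox, the MAC telnet server and discovery to the
#    wired admin interface (RouterOS v3-v6.40 syntax; from v6.41 the same
#    settings take an interface list via allowed-interface-list instead).
/tool mac-server mac-winbox
remove [find]
add interface=ether1 disabled=no
/tool mac-server
remove [find]
add interface=ether1 disabled=no
/ip neighbor discovery
set wlan1 discover=no
```

Apply it from a terminal in Safe Mode (Ctrl-X, or the Safe Mode button in Winbox): if the session is cut off by a wrong rule, everything entered since Safe Mode was switched on is rolled back. Then check from a wireless client that TCP/8291 no longer connects and that the router has disappeared from the Winbox neighbor list.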

Riccardo
Posted - 07/01/2010 10:24:47

Attached is a firewall script:

# Notes on this script (added while editing):
# - It assumes the Internet-facing interface is named "wan". Rename in-interface=wan to the real
#   interface (e.g. ether1), otherwise the spoof, virus, portscan and ddos rules never match.
# - The input chain ends in log + drop, and the only rule that admits management traffic reads the
#   "safe" address list (/ip firewall address-list). Put your admin addresses in that list BEFORE
#   importing, or Winbox and the web interface become unreachable.
# - The "Jump to chain DDOS TCP" rule originally jumped to the portscan chain, so the ddos chain was
#   never evaluated; it now jumps to ddos. A duplicated "drop invalid" rule in forward was removed.
/ip firewall filter
add action=passthrough chain=unused-hs-chain comment="######################################INPUT CHAIN#########################################################" disabled=yes
add action=drop chain=input comment="Drop spoofed packets" disabled=no in-interface=wan src-address=127.0.0.0/8
add action=log chain=input comment="Log invalid packets" connection-state=invalid disabled=no log-prefix="FILTER, INVALID PACKET:"
add action=drop chain=input comment="Drop invalid packets" connection-state=invalid disabled=no
add action=accept chain=input comment="Accept established connection packets" connection-state=established disabled=no
add action=accept chain=input comment="Accept related connection packets" connection-state=related disabled=no
add action=jump chain=input comment="Jump to chain ICMP" disabled=no jump-target=ICMP protocol=icmp
add action=jump chain=input comment="Jump to chain VIRUS" disabled=no in-interface=wan jump-target=virus
add action=jump chain=input comment="Jump to chain PORTSCAN TCP" disabled=no in-interface=wan jump-target=portscan protocol=tcp
add action=jump chain=input comment="Jump to chain DDOS TCP" disabled=no in-interface=wan jump-target=ddos protocol=tcp
add action=jump chain=input comment="Jump to chain SERVICES --> Return from chain SERVICES" disabled=no jump-target=services
# Management access (Winbox TCP/8291, SSH, web) is only accepted from the "safe" list; nothing below admits it.
add action=accept chain=input comment="Allow access to router from known network" disabled=no src-address-list=safe
add action=accept chain=input comment="Allow Broadcast Traffic on Lan" disabled=no dst-address-type=broadcast
add action=accept chain=input comment="Allow Multicast Traffic on Lan" disabled=no dst-address-type=multicast
add action=log chain=input comment="Log every dropped packet" disabled=no log-prefix=FILTER:
add action=drop chain=input comment="Drop everything else" disabled=no
add action=passthrough chain=unused-hs-chain comment="######################################FORWARD CHAIN######################################################" disabled=yes
add action=accept chain=forward comment="" connection-state=established disabled=no
add action=accept chain=forward comment="" connection-state=related disabled=no
add action=log chain=forward comment="" connection-state=invalid disabled=yes log-prefix="FORWARD: INVALID"
add action=drop chain=forward comment="" connection-state=invalid disabled=no
add action=drop chain=forward comment="" disabled=yes dst-port=53 protocol=tcp
add action=drop chain=forward comment="" disabled=yes dst-port=53 protocol=udp
add action=drop chain=forward comment=VIRUS!!!!!! disabled=no dst-address=66.252.5.49
add action=drop chain=forward comment="" disabled=no dst-address=174.36.238.28
add action=drop chain=forward comment="" disabled=yes dst-port=1661 protocol=tcp
add action=drop chain=forward comment="" disabled=yes p2p=all-p2p
add action=passthrough chain=unused-hs-chain comment="######################################VIRUS CHAIN#######################################################" disabled=yes
add action=drop chain=virus comment="Drop Blaster Worm" disabled=no dst-port=135-139 protocol=tcp
add action=drop chain=virus comment="Drop Messenger Worm" disabled=no dst-port=135-139 protocol=udp
add action=drop chain=virus comment="Drop Blaster Worm" disabled=no dst-port=445 protocol=tcp
add action=drop chain=virus comment="Drop Blaster Worm" disabled=no dst-port=445 protocol=udp
add action=drop chain=virus comment=________ disabled=no dst-port=593 protocol=tcp
add action=drop chain=virus comment=________ disabled=no dst-port=1024-1030 protocol=tcp
add action=drop chain=virus comment="Drop MyDoom" disabled=no dst-port=1080 protocol=tcp
add action=drop chain=virus comment="ndm requester" disabled=no dst-port=1363 protocol=tcp
add action=drop chain=virus comment=________ disabled=no dst-port=1214 protocol=tcp
add action=drop chain=virus comment="ndm server" disabled=no dst-port=1364 protocol=tcp
add action=drop chain=virus comment="screen cast" disabled=no dst-port=1368 protocol=tcp
add action=drop chain=virus comment=hromgrafx disabled=no dst-port=1373 protocol=tcp
add action=drop chain=virus comment=cichlid disabled=no dst-port=1377 protocol=tcp
add action=drop chain=virus comment=Worm disabled=no dst-port=1433-1434 protocol=tcp
add action=drop chain=virus comment="Bagle Virus" disabled=no dst-port=2745 protocol=tcp
add action=drop chain=virus comment="Drop Dumaru.Y" disabled=no dst-port=2283 protocol=tcp
add action=drop chain=virus comment="Drop Beagle" disabled=no dst-port=2535 protocol=tcp
add action=drop chain=virus comment="Drop Beagle.C-K" disabled=no dst-port=2745 protocol=tcp
add action=drop chain=virus comment="Drop MyDoom" disabled=no dst-port=3127-3128 protocol=tcp
add action=drop chain=virus comment="Drop Backdoor OptixPro" disabled=no dst-port=3410 protocol=tcp
add action=drop chain=virus comment=Worm disabled=no dst-port=4444 protocol=tcp
add action=drop chain=virus comment=Worm disabled=no dst-port=4444 protocol=udp
add action=drop chain=virus comment="Drop Sasser" disabled=no dst-port=5554 protocol=tcp
add action=drop chain=virus comment="Drop Beagle.B" disabled=no dst-port=8866 protocol=tcp
add action=drop chain=virus comment="Drop Dabber.A-B" disabled=no dst-port=9898 protocol=tcp
add action=drop chain=virus comment="Drop Dumaru.Y" disabled=no dst-port=10000 protocol=tcp
add action=drop chain=virus comment="Drop MyDoom.B" disabled=no dst-port=10080 protocol=tcp
add action=drop chain=virus comment="Drop NetBus" disabled=no dst-port=12345 protocol=tcp
add action=drop chain=virus comment="Drop Kuang2" disabled=no dst-port=17300 protocol=tcp
add action=drop chain=virus comment="Drop SubSeven" disabled=no dst-port=27374 protocol=tcp
add action=drop chain=virus comment="Drop PhatBot, Agobot, Gaobot" disabled=no dst-port=65506 protocol=tcp
add action=passthrough chain=unused-hs-chain comment="######################################PORTSCAN CHAIN##########################################################" disabled=yes
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=portscan comment="Add portscanners to address list" disabled=no protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=portscan comment="Add NMAP FIN Stealth scan" disabled=no protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=portscan comment="Add SYN/FIN scan" disabled=no protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=portscan comment="Add SYN/RST scan" disabled=no protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=portscan comment="Add ALL/ALL (XMAS) scan" disabled=no protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=portscan comment="Add NMAP NULL scan" disabled=no protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=log chain=portscan comment="Log portscanners" connection-state=new disabled=no log-prefix="FILTER, PORT SCAN DROPPED:" src-address-list="port scanners"
add action=drop chain=portscan comment="dropping port scanners" disabled=no src-address-list="port scanners"
add action=passthrough chain=unused-hs-chain comment="######################################DDOS CHAIN##########################################################" disabled=yes
add action=add-src-to-address-list address-list=black_list address-list-timeout=1d chain=ddos comment="Add ddos to address list" connection-limit=10,32 disabled=no protocol=tcp
add action=log chain=ddos comment="Log ddos" connection-limit=3,32 disabled=no log-prefix="FILTER, DOS DROPPED:" protocol=tcp src-address-list=black_list
add action=tarpit chain=ddos comment="Tarpit ddos" connection-limit=3,32 disabled=no protocol=tcp src-address-list=black_list
add action=passthrough chain=unused-hs-chain comment="######################################ICMP CHAIN##########################################################" disabled=yes
add action=accept chain=ICMP comment="Echo reply 0:0 and limit for 5pac/s" disabled=no icmp-options=0:0-255 limit=5,5 protocol=icmp
add action=accept chain=ICMP comment="Destination unreachable 3:3 and limit for 5pac/s" disabled=no icmp-options=3:3 limit=5,5 protocol=icmp
add action=accept chain=ICMP comment="Destination unreachable 3:4 and limit for 5pac/s" disabled=no icmp-options=3:4 limit=5,5 protocol=icmp
add action=accept chain=ICMP comment="Echo request 8:0 and limit for 5pac/s" disabled=no icmp-options=8:0-255 limit=5,5 protocol=icmp
add action=accept chain=ICMP comment="Time exceeded 11:0 and limit for 5pac/s" disabled=no icmp-options=11:0-255 limit=5,5 protocol=icmp
add action=log chain=ICMP comment="Log dropped" disabled=no log-prefix="FILTER, ICMP DROPPED:" protocol=icmp
add action=drop chain=ICMP comment="Drop everything else --> Stop" disabled=no protocol=icmp
add action=passthrough chain=unused-hs-chain comment="######################################SERVICE CHAIN#######################################################" disabled=yes
# Services accepted from ANY source, including the wireless clients; enable only what you need.
add action=accept chain=services comment="allow SNMP" disabled=yes dst-port=161 protocol=udp
add action=accept chain=services comment="Allow BGP" disabled=yes dst-port=179 protocol=tcp
add action=accept chain=services comment="allow UDP 5000-5100 (labelled BGP in the original script; BGP itself is TCP/179)" disabled=yes dst-port=5000-5100 protocol=udp
add action=accept chain=services comment="Allow NTP" disabled=yes dst-port=123 protocol=udp
add action=accept chain=services comment="Allow PPTP" disabled=yes dst-port=1723 protocol=tcp
add action=accept chain=services comment="allow PPTP and EoIP" disabled=no protocol=gre
add action=accept chain=services comment="allow DNS request" disabled=no dst-port=53 protocol=tcp
add action=accept chain=services comment="Allow DNS request" disabled=no dst-port=53 protocol=udp
add action=accept chain=services comment=UPnP disabled=yes dst-port=1900 protocol=udp
add action=accept chain=services comment=UPnP disabled=yes dst-port=2828 protocol=tcp
add action=accept chain=services comment="allow DHCP" disabled=no dst-port=67-68 protocol=udp
add action=accept chain=services comment="allow Web Proxy" disabled=no dst-port=8080 protocol=tcp
add action=accept chain=services comment="allow IPIP" disabled=yes protocol=ipencap
add action=accept chain=services comment="allow https for Hotspot" disabled=yes dst-port=443 protocol=tcp
add action=accept chain=services comment="allow Socks for Hotspot" disabled=yes dst-port=1080 protocol=tcp
add action=accept chain=services comment="allow IPSec connections" disabled=yes dst-port=500 protocol=udp
add action=accept chain=services comment="allow IPSec" disabled=yes protocol=ipsec-esp
add action=accept chain=services comment="allow IPSec" disabled=yes protocol=ipsec-ah
add action=accept chain=services comment="allow RIP" disabled=yes dst-port=520-521 protocol=udp
add action=accept chain=services comment="allow OSPF" disabled=yes protocol=ospf
add action=return chain=services comment="Return to chain INPUT(8)" disabled=no

interlans
Posted - 12/06/2011 23:17:27

Hi Ricardo, I applied this script to my device and, SURPRISE, I have not been able to reach the configuration interface since, neither via Winbox nor via web. Could you tell me a solution for this problem?
On the other hand it has solved the very high latency problem, and the network is running smoothly with 30 simultaneous clients, a ping of at most 4 ms and a total network load of 3 Mbit/s on average.
Thanks in advance

Riccardo
Posted - 04/07/2011 12:18:08

Connect by MAC address while directly connected to the Lobometrics. The firewall allows access from the IPs you add to the "safe" list in /ip firewall address-list.

The rule that reads this ACL is:

add action=accept chain=input comment="Allow access to router from known network" disabled=no src-address-list=safe
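What interlans ran into, and what Riccardo's reply points at: the only rule in the script's input chain that admits management traffic is the one reading the "safe" address list, and the script never creates that list. With it empty, the input chain still accepts established/related traffic, ICMP, the services chain (DNS, DHCP, proxy, GRE) and broadcast/multicast, but Winbox (TCP/8291) and the web interface fall through to "Drop everything else". The commands below are an added example, not from the thread, of what to do before importing the script and how to verify and recover afterwards; the admin workstation 192.168.1.10 and the wired management LAN 192.168.1.0/24 are assumed values, and the wireless client pool is deliberately left out of the list, which is exactly what the original question asked for.

```routeros
# Added example, not from the thread. Assumptions: admin workstation 192.168.1.10,
# wired management LAN 192.168.1.0/24; the wireless client pool is NOT listed.
# Run this BEFORE importing the filter script: its "Allow access to router from
# known network" rule is the only way management traffic gets accepted.
/ip firewall address-list
add list=safe address=192.168.1.10 comment="admin workstation"
add list=safe address=192.168.1.0/24 comment="wired management LAN"

# After importing, confirm the list is populated and that attempts from a
# wireless client increase the counters of the log/drop rules, not of an accept:
/ip firewall address-list print where list=safe
/ip firewall filter print stats where chain=input
# Dropped client attempts appear with the script's own log prefix:
/log print where message~"FILTER"

# Recovery if you are already locked out: open Winbox by MAC address from a host
# on the same Ethernet segment (MAC-Winbox is not subject to /ip firewall filter),
# add your address to the list, and only if needed pause the catch-all while you fix it:
/ip firewall filter disable [find chain=input comment="Drop everything else"]
/ip firewall filter enable [find chain=input comment="Drop everything else"]
```

Import the script itself from a terminal in Safe Mode (Ctrl-X, or the Safe Mode button in Winbox): if the connection drops because a rule cut you off, the changes made during Safe Mode are reverted automatically. Note the flip side of the MAC-Winbox recovery path: it also means a wireless client can reach Winbox by MAC address unless /tool mac-server mac-winbox is limited to the wired interface.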