
# MikroTik RouterOS export (page 1 of 4): /ip firewall connection tracking, filter, mangle,
# nat and service-port. The listing is PDF-extracted: parameter names are split mid-word
# ("src -mac-address", "connecti on-state"), commands wrap across blank lines, and the
# "virus" chain is spilled into two columns (see the note above that section). It is not
# loadable as-is; recover the original .rsc before importing or diffing it.
# Connection tracking is enabled with short non-established timeouts (mostly 10s) and a 1d
# tcp-established-timeout; tcp-syncookie=no leaves SYN cookies off.
# Filter, forward chain: every per-host IP/MAC binding drop for 10.10.10.2-15 is
# disabled=yes, so forward currently relies only on the established/related accepts, the
# invalid drop and the jump to the "virus" chain.
/ip firewall connection tracking set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s tcp-c lose-wait-timeout=10s tcp-established-timeout=1d tcp-fin-wait-timeout=10s \ tcp-last-ack-timeout=10s tcp-syn-received-timeout=5s

tcp-syn-sent-timeout=5s tcp-syncookie=no tcp-time-wait-timeout=10s udp-stream-timeout=3m \ udp-timeout=10s /ip firewall filter add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=no add action=drop chain=forward comment="" disabled=yes src-address=10.10.10.2 src -mac-address=!00:11:95:22:99:73 add action=drop chain=forward comment="" disabled=yes src-address=10.10.10.3 src -mac-address=!00:25:22:9B:2E:AD add action=drop chain=forward comment="" disabled=yes src-address=10.10.10.4 src -mac-address=!00:E0:4C:36:27:F6 add action=drop chain=forward comment="" disabled=yes src-address=10.10.10.5 src -mac-address=!00:0C:F1:A2:CF:20 add action=drop chain=forward comment="" disabled=yes src-address=10.10.10.6 src -mac-address=!00:00:00:00:00:00 add action=drop chain=forward comment="" disabled=yes src-address=10.10.10.7 src -mac-address=!00:00:00:00:00:00 add action=drop chain=forward comment="" disabled=yes src-address=10.10.10.8 src -mac-address=!00:E0:4C:36:16:D8 add action=drop chain=forward comment="" disabled=yes src-address=10.10.10.9 src -mac-address=!00:1A:92:E0:D5:6C add action=drop chain=forward comment="" disabled=yes src-address=10.10.10.10 sr c-mac-address=!00:24:8C:87:93:56 add action=drop chain=forward comment="" disabled=yes src-address=10.10.10.11 sr c-mac-address=!00:27:0E:05:9F:31 add action=drop chain=forward comment="" disabled=yes src-address=10.10.10.12 sr c-mac-address=!00:00:00:00:00:00 add action=drop chain=forward comment="" disabled=yes src-address=10.10.10.13 sr c-mac-address=!00:25:22:6F:BB:0D add action=drop chain=forward comment="" disabled=yes src-address=10.10.10.14 sr c-mac-address=!00:27:0E:05:8F:F9 add action=drop chain=forward comment="" disabled=yes src-address=10.10.10.15 sr c-mac-address=!00:27:0E:05:9F:E5 add action=drop chain=forward comment="" disabled=yes src-address=!10.10.10.2 sr c-mac-address=00:11:95:22:99:73 add action=drop chain=forward comment="" disabled=yes src-address=!10.10.10.3 
sr c-mac-address=00:25:22:9B:2E:AD add action=drop chain=forward comment="" disabled=yes src-address=!10.10.10.8 sr c-mac-address=00:E0:4C:36:16:D8 add action=drop chain=forward comment="" disabled=yes src-address=!10.10.10.9 sr c-mac-address=00:1A:92:E0:D5:6C add action=drop chain=forward comment="" disabled=yes src-address=!10.10.10.10 s rc-mac-address=00:24:8C:87:93:56 add action=drop chain=forward comment="" disabled=yes src-address=!10.10.10.13 s rc-mac-address=00:25:22:6F:BB:0D add action=drop chain=forward comment="" disabled=yes src-address=!10.10.10.14 s rc-mac-address=00:27:0E:05:8F:F9 add action=drop chain=forward comment="" disabled=yes src-address=!10.10.10.15 s rc-mac-address=00:27:0E:05:9F:E5 add action=accept chain=forward comment="allow established connections" connecti on-state=established disabled=no add action=accept chain=forward comment="allow related connections" connection-s tate=related disabled=no add action=drop chain=virus comment="Drop Messenger Worm" disabled=no dst-port=1 35-139 protocol=udp add action=drop chain=forward comment="drop invalid connections" connection-stat

e=invalid disabled=no add action=drop chain=virus -139 protocol=tcp add action=drop chain=virus =tcp add action=drop chain=virus protocol=tcp add action=drop chain=virus protocol=udp add action=drop chain=virus cp add action=drop chain=virus ocol=tcp add action=drop chain=virus ocol=tcp add action=drop chain=virus tcp add action=drop chain=virus otocol=tcp add action=drop chain=virus col=tcp add action=drop chain=virus ocol=tcp add action=drop chain=virus =tcp add action=drop chain=virus cp add action=drop chain=virus ocol=tcp add action=drop chain=virus otocol=tcp add action=drop chain=virus ocol=tcp add action=drop chain=virus protocol=tcp add action=drop chain=virus ocol=tcp add action=drop chain=virus t=3410 protocol=tcp add action=drop chain=virus add action=drop chain=virus add action=drop chain=virus ocol=tcp add action=drop chain=virus otocol=tcp add action=drop chain=virus protocol=tcp add action=drop chain=virus a juga sering digunakan utk protocol=tcp add action=drop chain=virus rotocol=tcp add action=drop chain=virus tocol=tcp add action=drop chain=virus tocol=tcp add action=drop chain=virus rotocol=tcp add action=drop chain=virus st-port=65506 protocol=tcp

# The "virus" chain was a two-column table in the original: the "add action=drop chain=virus"
# stubs above (with trailing protocol=/dst-port= tails) pair with the comment=/dst-port=
# fragments below. Individual ports and worm names are readable, but which comment belongs
# to which drop rule is lost in this extract. The 10000/tcp rule is disabled=yes; its
# (Indonesian) comment says it is kept off because VPN or webmin uses that port.
comment="Drop Blaster Worm" disabled=no dst-port=135 comment=Worm disabled=no dst-port=1433-1434 protocol comment="Drop Blaster Worm" disabled=no dst-port=445 comment="Drop Blaster Worm" disabled=no dst-port=445 comment=________ disabled=no dst-port=593 protocol=t comment=________ disabled=no dst-port=1024-1030 prot comment="Drop MyDoom" disabled=no dst-port=1080 prot comment=________ disabled=no dst-port=1214 protocol= comment="ndm requester" disabled=no dst-port=1363 pr comment="ndm server" disabled=no dst-port=1364 proto comment="screen cast" disabled=no dst-port=1368 prot comment=hromgrafx disabled=no dst-port=1373 protocol comment=cichlid disabled=no dst-port=1377 protocol=t comment="Bagle Virus" disabled=no dst-port=2745 prot comment="Drop Dumaru.Y" disabled=no dst-port=2283 pr comment="Drop Beagle" disabled=no dst-port=2535 prot comment="Drop Beagle.C-K" disabled=no dst-port=2745 comment="Drop MyDoom" disabled=no dst-port=3127 prot comment="Drop Backdoor OptixPro" disabled=no dst-por comment=Worm disabled=no dst-port=4444 protocol=tcp comment=Worm disabled=no dst-port=4444 protocol=udp comment="Drop Sasser" disabled=no dst-port=5554 prot comment="Drop Beagle.B" disabled=no dst-port=8866 pr comment="Drop Dabber.A-B" disabled=no dst-port=9898 comment="Drop Dumaru.Y, sebaiknya di didisable karen vpn atau webmin" disabled=yes dst-port=10000 \ comment="Drop MyDoom.B" disabled=no dst-port=10080 p comment="Drop NetBus" disabled=no dst-port=12345 pro comment="Drop Kuang2" disabled=no dst-port=17300 pro comment="Drop SubSeven" disabled=no dst-port=27374 p comment="Drop PhatBot, Agobot, Gaobot" disabled=no d

# Input chain (below), security-relevant points:
#  - "comment=UDP ... protocol=udp" accepts all UDP to the router from any source and sits
#    before the per-service rules, so the admin1/admin2 source restrictions only constrain TCP.
#  - Telnet (23), FTP (21) and HTTP (80) management are accepted from admin1/admin2; these
#    are cleartext protocols — prefer SSH (22)/winbox (8291) and disable the rest in /ip service.
#  - "komp 1"/"komp 2" accept everything from admin1/admin2, which makes the per-port admin
#    rules above them redundant.
#  - pptp-server (1723/tcp) is accepted from any source.
#  - The final "Drop everything else" rule is disabled=yes: traffic matching none of the
#    rules is only logged (log-prefix "DROP INPUT") and is not dropped by this ruleset.
# Further down: mangle marks (proxy-hit, test-up/test-down per 192.168.2.0/25 and
# 10.10.10.0/28); NAT masquerades src-address=0.0.0.0/0 out "Modem 3.1" and redirects tcp/80
# from both LANs to local port 3128 (presumably a transparent proxy — confirm); most other NAT
# rules are disabled=yes. /ip firewall service-port leaves every connection-tracking helper
# (ftp, tftp, irc, h323, sip, pptp) enabled — NOTE(review): disable the helpers not in use.
add action=jump chain=forward comment="jump to the virus chain" disabled=no jump -target=virus add action=accept chain=input comment="Accept established connections" connectio n-state=established disabled=no add action=accept chain=input comment="Accept related connections" connection-st ate=related disabled=no add action=drop chain=input comment="Drop invalid connections" connection-state= invalid disabled=no add action=accept chain=input comment=UDP disabled=no protocol=udp add action=accept chain=input comment="Allow limited pings" disabled=no limit=50 /5s,2 protocol=icmp add action=drop chain=input comment="Drop excess pings" disabled=no protocol=icm p add action=accept chain=input comment="FTP 1" disabled=no dst-port=21 protocol=t cp src-address-list=admin1 add action=accept chain=input comment="FTP 2" disabled=no dst-port=21 protocol=t cp src-address-list=admin2 add action=accept chain=input comment="SSH for secure shell 1" disabled=no dst-p ort=22 protocol=tcp src-address-list=admin1 add action=accept chain=input comment="SSH for secure shell 2" disabled=no dst-p ort=22 protocol=tcp src-address-list=admin2 add action=accept chain=input comment="Telnet 1" disabled=no dst-port=23 protoco l=tcp src-address-list=admin1 add action=accept chain=input comment="Telnet 2" disabled=no dst-port=23 protoco l=tcp src-address-list=admin2 add action=accept chain=input comment="Web 1" disabled=no dst-port=80 protocol=t cp src-address-list=admin1 add action=accept chain=input comment="Web 2" disabled=no dst-port=80 protocol=t cp src-address-list=admin2 add action=accept chain=input comment="winbox 1" disabled=no dst-port=8291 proto col=tcp src-address-list=admin1 add action=accept chain=input comment="winbox 2" disabled=no dst-port=8291 proto col=tcp src-address-list=admin2 add action=accept chain=input comment=pptp-server disabled=no dst-port=1723 prot ocol=tcp add action=accept chain=input comment="komp 1" disabled=no src-address-list=admi n1 add action=accept chain=input 
comment="komp 2" disabled=no src-address-list=admi n2 add action=log chain=input comment="Log everything else" disabled=no log-prefix= "DROP INPUT" add action=drop chain=input comment="Drop everything else" disabled=yes /ip firewall mangle add action=mark-packet chain=output comment="" disabled=no dscp=4 new-packet-mar k=proxy-hit out-interface=Wireles passthrough=no add action=mark-packet chain=output comment="" disabled=no dscp=4 new-packet-mar k=proxy-hit-lan out-interface=Lokal passthrough=no add action=mark-packet chain=prerouting comment="" disabled=no in-interface=Wire les new-packet-mark=test-up passthrough=no src-address=192.168.2.0/25 add action=mark-packet chain=prerouting comment="" disabled=no in-interface=Loka l new-packet-mark=test-up-lan passthrough=no src-address=10.10.10.0/28 add action=mark-connection chain=forward comment="" disabled=no new-connection-m ark=test-con passthrough=yes src-address=192.168.2.0/25 add action=mark-connection chain=forward comment="" disabled=no new-connection-m ark=test-con-lan passthrough=yes src-address=10.10.10.0/28 add action=mark-packet chain=forward comment="" connection-mark=test-con disable d=no in-interface="Modem 3.1" new-packet-mark=test-down passthrough=no \ src-address=192.168.2.0/25 add action=mark-packet chain=forward comment="" connection-mark=test-con-lan dis abled=no in-interface="Modem 3.1" new-packet-mark=test-down-lan passthrough=\

no src-address=10.10.10.0/28 add action=mark-packet chain=output comment="" disabled=no dst-address=192.168.2 .0/25 new-packet-mark=test-down out-interface=Wireles passthrough=no add action=mark-packet chain=output comment="" disabled=no dst-address=10.10.10. 0/28 new-packet-mark=test-down-lan out-interface=Lokal passthrough=no /ip firewall nat add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes add action=masquerade chain=srcnat comment="" disabled=no out-interface="Modem 3 .1" src-address=0.0.0.0/0 add action=redirect chain=dstnat comment="" disabled=no dst-port=80 protocol=tcp src-address=192.168.2.0/25 to-ports=3128 add action=redirect chain=dstnat comment="" disabled=no dst-port=80 protocol=tcp src-address=10.10.10.0/28 to-ports=3128 add action=masquerade chain=srcnat comment="" disabled=yes out-interface=Proxy s rc-address=192.168.20.0/24 add action=redirect chain=dstnat comment="" disabled=yes in-interface=Lokal prot ocol=udp src-address=10.10.10.0/28 to-ports=3128 add action=redirect chain=dstnat comment="" disabled=yes dst-port=80 protocol=tc p src-address=192.168.2.0/25 to-ports=3128 add action=masquerade chain=srcnat comment="" disabled=yes out-interface="Modem 3.1" src-address=192.168.2.0/25 add action=masquerade chain=srcnat comment="" disabled=yes out-interface="Modem 3.1" src-address=10.10.10.0/28 add action=redirect chain=dstnat comment="" disabled=yes dst-port=443 in-interfa ce=Wireles protocol=tcp src-address=192.168.2.0/25 to-ports=3128 add action=redirect chain=dstnat comment="" disabled=yes dst-port=443 in-interfa ce=Lokal protocol=tcp src-address=10.10.10.0/28 to-ports=3128 add action=masquerade chain=srcnat comment="" disabled=yes src-address=192.168.1 0.0/24 add action=redirect chain=dstnat comment="" disabled=yes dst-port=3128 in-interf ace=Wireles protocol=tcp src-address=192.168.2.0/25 to-ports=3128 add action=redirect chain=dstnat comment="" disabled=yes dst-port=8080 in-interf ace=Wireles 
protocol=tcp src-address=192.168.2.0/25 to-ports=3128 add action=masquerade chain=srcnat comment="" disabled=yes src-address=10.10.10. 0/24 add action=masquerade chain=srcnat comment="" disabled=yes src-address=192.168.2 .0/25 add action=masquerade chain=srcnat comment="" disabled=yes src-address=192.168.2 0.0/24 add action=dst-nat chain=dstnat comment="" disabled=yes in-interface=Lokal proto col=tcp src-address=10.10.10.0/28 src-port=80 to-addresses=192.168.20.2 \ to-ports=3128 add action=dst-nat chain=dstnat comment="" disabled=yes dst-port=80 in-interface =Lokal protocol=tcp src-address=10.10.10.0/28 to-addresses=192.168.20.2 \ to-ports=3128 /ip firewall service-port set ftp disabled=no ports=21 set tftp disabled=no ports=69 set irc disabled=no ports=6667 set h323 disabled=no set sip disabled=no ports=5060,5061 set pptp disabled=no
