#1 adh1et (Member Senior, joined Jul 2010):

    [Share] The killer firewall filter I use

    The following is the result of several threads plus my own development; hopefully it helps the friends here protect their MikroTik...

    First of all, create an address list named local-addr and put into it the IPs that are allowed to access the MikroTik..

    then:
    Code:
    /ip firewall filter
    add action=reject chain=input disabled=yes protocol=icmp reject-with=\
        icmp-network-unreachable
    add action=drop chain=forward comment="Filter - Traceroute" disabled=yes \
        icmp-options=11:0 protocol=icmp
    add action=drop chain=forward disabled=yes icmp-options=3:3 protocol=icmp
    add action=add-src-to-address-list address-list=WARN-FTP \
        address-list-timeout=4w2d chain=input comment="Filter - Wan Access FTP" \
        disabled=no dst-port=21 protocol=tcp src-address-list=!local-addr
    add action=drop chain=input disabled=no src-address-list=WARN-FTP
    add action=accept chain=input disabled=no dst-port=21 protocol=tcp \
        src-address-list=local-addr
    add action=add-src-to-address-list address-list=WARN-SSH \
        address-list-timeout=4w2d chain=input comment="Filter - Wan Access SSH" \
        disabled=no dst-port=22 protocol=tcp src-address-list=!local-addr
    add action=drop chain=input disabled=no src-address-list=WARN-SSH
    add action=accept chain=input disabled=no dst-port=22 protocol=tcp \
        src-address-list=local-addr
    add action=add-src-to-address-list address-list=WARN-TELNET \
        address-list-timeout=4w2d chain=input comment=\
        "Filter - Wan Access TELNET" disabled=no dst-port=23 protocol=tcp \
        src-address-list=!local-addr
    add action=drop chain=input disabled=no src-address-list=WARN-TELNET
    add action=accept chain=input disabled=no dst-port=23 protocol=tcp \
        src-address-list=local-addr
    add action=add-src-to-address-list address-list=WARN-WEB \
        address-list-timeout=4w2d chain=input comment="Filter - Wan Access WEB" \
        disabled=no dst-port=80 protocol=tcp src-address-list=!local-addr
    add action=drop chain=input disabled=no src-address-list=WARN-WEB
    add action=accept chain=input disabled=no dst-port=80 protocol=tcp \
        src-address-list=local-addr
    add action=add-src-to-address-list address-list=WARN-WINBOX \
        address-list-timeout=4w2d chain=input comment=\
        "Filter - Wan Access WINBOX" disabled=no dst-port=8291 protocol=tcp \
        src-address-list=!local-addr
    add action=drop chain=input disabled=no src-address-list=WARN-WINBOX
    add action=accept chain=input disabled=no dst-port=8291 protocol=tcp \
        src-address-list=local-addr
    add action=add-src-to-address-list address-list="Filter - Port Scanners" \
        address-list-timeout=2w chain=input comment="Filter - Port Scanners" \
        disabled=no protocol=tcp psd=21,3s,3,1
    add action=add-src-to-address-list address-list="port scanners" \
        address-list-timeout=2w chain=input disabled=no protocol=tcp tcp-flags=\
        fin,!syn,!rst,!psh,!ack,!urg
    add action=add-src-to-address-list address-list="port scanners" \
        address-list-timeout=2w chain=input disabled=no protocol=tcp tcp-flags=\
        fin,syn
    add action=add-src-to-address-list address-list="port scanners" \
        address-list-timeout=2w chain=input disabled=no protocol=tcp tcp-flags=\
        syn,rst
    add action=add-src-to-address-list address-list="port scanners" \
        address-list-timeout=2w chain=input disabled=no protocol=tcp tcp-flags=\
        fin,psh,urg,!syn,!rst,!ack
    add action=add-src-to-address-list address-list="port scanners" \
        address-list-timeout=2w chain=input disabled=no protocol=tcp tcp-flags=\
        fin,syn,rst,psh,ack,urg
    add action=add-src-to-address-list address-list="port scanners" \
        address-list-timeout=2w chain=input disabled=no protocol=tcp tcp-flags=\
        !fin,!syn,!rst,!psh,!ack,!urg
    add action=drop chain=input disabled=no src-address-list="port scanners"
    add action=accept chain=forward comment=Connections connection-state=\
        established disabled=no
    add action=accept chain=forward connection-state=related disabled=no
    add action=drop chain=forward connection-state=invalid disabled=no
    Screenshot: [image not preserved]

    Functions:
    3 : adds IPs that try to get in via port 21 to the address list named WARN-FTP for the specified time
    4 : drops all IPs whose source address list is WARN-FTP
    5 : accepts all IPs matching the specified address list (local-addr)

    6 : adds IPs that try to get in via port 22 to the address list named WARN-SSH for the specified time
    7 : drops all IPs whose source address list is WARN-SSH
    8 : accepts all IPs matching the specified address list (local-addr)

    9 : adds IPs that try to get in via port 23 to the address list named WARN-TELNET for the specified time
    10 : drops all IPs whose source address list is WARN-TELNET
    11 : accepts all IPs matching the specified address list (local-addr)

    12 : adds IPs that try to get in via port 80 to the address list named WARN-WEB for the specified time
    13 : drops all IPs whose source address list is WARN-WEB
    14 : accepts all IPs matching the specified address list (local-addr)

    15 : adds IPs that try to get in via port 8291 to the address list named WARN-WINBOX for the specified time
    16 : drops all IPs whose source address list is WARN-WINBOX
    17 : accepts all IPs matching the specified address list (local-addr)

    Advantages:
    you can see the list of IPs that were filtered / tried to get into your router in the address-list section under the names WARN-FTP / WARN-SSH / WARN-TELNET / WARN-WEB / WARN-WINBOX.
    who knows, maybe you want to hit back

    you can add to / modify it yourself as needed.
    here I'm only "playing" with address lists and the ports I want to filter.

    if it's useful, click thanks
    NB: Sorry, the screenshot is wrong in the telnet part; it says port 22, it should be 23
    Last edited by adh1et; 03-07-2011 at 00:16. Reason: added the function descriptions

#2 Dickbrain (Newly Joined, joined May 2010):
    hmmm... looks like it's worth a try.. thanks bro!

#3 063 (Newly Joined, joined Oct 2009):
    what's the difference from mas adhie's version?

    I want to try it

#4 lamno (Prospective Member, joined Feb 2008):
    no need to put them into an address list...
    it eats resources

#5 c0nf (Contributor, joined Jul 2007, Bandung, Indonesia):
    wow, blocked for up to a month hehehehe
    just sharing: in my case the block is at most 1 day, in case it's me who typed the password wrong, so I don't have to wait a whole month.

    Anyway good luck bro, and thanks for sharing here.

#6 adh1et (Member Senior, joined Jul 2010):
    Originally Posted by lamno:
        no need to put them into an address list...
        it eats resources
    it's not that heavy I think bro, and if the MikroTik sits idle most of the time that's a waste, as long as the MikroTik isn't used as a backbone for data links between branches; an RB450G-class box or lower can get out of breath. I once had it happen with an RB450G: traffic passing through was < 100Mb and resource usage was already around 50%, with the RB handling 2 internet gateways + data links for 2 branch offices + hotspot

    Originally Posted by c0nf:
        wow, blocked for up to a month hehehehe
        just sharing: in my case the block is at most 1 day, in case it's me who typed the password wrong, so I don't have to wait a whole month.

        Anyway good luck bro, and thanks for sharing here.
    hehehe, it's because I very rarely check on the MikroTik bro... but thanks for the input..


#7 f3rry (Newbie, joined Nov 2010):
    Thanks, let me try it first bro...

#8 Faisal Muchtar (Newly Joined, joined Mar 2010, Karawang jawa barat):
    this looks cool... let me try it... thanks for sharing bro...

#9 lazyshark (Newly Joined, joined May 2010):
    great... let me try it bro...
    Last edited by lazyshark; 17-12-2011 at 08:39.

#10 pebs (Newly Joined, joined Jul 2010):
    thanks for the tutorial bro..!! let me have a taste..

#11 mokalin (Newly Joined, joined Oct 2010):
    thx bro, worth trying..
    so we find out who's behind all of this.. haha

#12 anak_lolong (Newly Joined, joined Nov 2011):
    add action=add-src-to-address-list address-list=WARN-WEB \
    address-list-timeout=4w2d chain=input comment="Filter - Wan Access WEB" \
    disabled=no dst-port=80 protocol=tcp src-address-list=!local-addr
    add action=drop chain=input disabled=no src-address-list=WARN-WEB
    add action=accept chain=input disabled=no dst-port=80 protocol=tcp \
    src-address-list=local-addr

    if the rule snippet above is applied to an MT hotspot, it means all of our clients with dynamic IPs must be registered in the "local-addr" list; otherwise they can't get online because they can't access port 80, right? so what's the use of that rule, bro?
    maybe my analysis is presumptuous..... sorry....

#13 adh1et (Member Senior, joined Jul 2010):
    the MT hotspot is treated as our client, so their IP range is put into the whitelist (local-addr); everything other than local-addr is then blocked from "input" access to the MikroTik
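An added Python first-match simulator (not code from the thread) of the WARN-* rule triplets in post #1; it also walks through the hotspot question in #12 and adh1et's answer in #13. The whitelist network and the client and outside addresses are constructed sample values; the first-match and passthrough-on-add semantics modelled are those of the RouterOS filter chain.

```python
import ipaddress

# Constructed stand-in for the post's static "local-addr" whitelist (sample value).
LOCAL_ADDR = ["192.168.1.0/24"]
TIMEOUT = 4 * 7 * 86400 + 2 * 86400   # the post's address-list-timeout=4w2d, in seconds

# The post's per-port rule triplets, in the order they sit in the input chain.
RULES = []
for port, name in [(21, "WARN-FTP"), (22, "WARN-SSH"), (23, "WARN-TELNET"),
                   (80, "WARN-WEB"), (8291, "WARN-WINBOX")]:
    RULES += [
        {"action": "add-src-to-address-list", "dst-port": port,
         "src-address-list": "!local-addr", "address-list": name},
        {"action": "drop", "src-address-list": name},   # no port match: any input packet
        {"action": "accept", "dst-port": port, "src-address-list": "local-addr"},
    ]

class Router:
    def __init__(self, local_addr=LOCAL_ADDR):
        self.local_addr = [ipaddress.ip_network(n) for n in local_addr]
        self.lists = {}   # dynamic address lists: name -> {src ip: expiry time}

    def member(self, name, src, now):
        if name == "local-addr":
            return any(ipaddress.ip_address(src) in net for net in self.local_addr)
        expiry = self.lists.get(name, {}).get(src)
        return expiry is not None and expiry > now   # an expired entry no longer matches

    def matches(self, rule, src, dport, now):
        if "dst-port" in rule and rule["dst-port"] != dport:
            return False
        want = rule.get("src-address-list")
        if want is None:
            return True
        negate = want.startswith("!")
        return self.member(want.lstrip("!"), src, now) != negate

    def input_chain(self, src, dport, now=0):
        """First-match verdict for a TCP packet addressed to the router itself."""
        for rule in RULES:
            if not self.matches(rule, src, dport, now):
                continue
            if rule["action"] == "add-src-to-address-list":
                # Passthrough action: the packet keeps walking the chain, which is
                # why the post pairs every add-to-list rule with a separate drop.
                self.lists.setdefault(rule["address-list"], {})[src] = now + TIMEOUT
                continue
            return rule["action"]
        return "no-match"   # the post's chain has no final drop; other ports fall through
```

Once a source is listed, the drop rule for that list fires on any port before later triplets are reached, and after the timeout the entry stops matching; a hotspot client range that is not in local-addr is listed and dropped on its first port-80 packet, which is exactly the situation #12 asks about.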

#14 dj rebell (Newly Joined, joined Jan 2012):
    let me try it first bro.. heheheh

#15 metabee (Newly Joined, joined Jun 2010, current city: Long Kali):
    let me try it bro....

 

 