  1. #1 tjhana (Newbie, Join Date Aug 2007)

    Need Help with Filtering

    Everyone,

    I am configuring a MikroTik for office use. It is already running; I just have not managed to allow all computers to update their antivirus.

    In essence, the rules I have applied are:

    1. allow users listed in "Internet-List" to browse
    2. users who can browse are not allowed to browse to FB, Friendster, YouTube, etc.
    3. Block NetBIOS
    4. Block outgoing proxy
    5. Block all users without exception.

    Rules 1 to 5 as applied are working perfectly; it is just that when I want to allow computers that have no internet access to update their Kaspersky antivirus, it has not worked. I have tried all sorts of tricks without success. Please enlighten me.

    I attach my firewall script:

    /ip firewall filter
    add action=jump chain=forward comment="block Facebook, Friendster, dll." \
    disabled=no jump-target=Illegal-Url packet-mark=Illegal-Url-Packet
    add action=log chain=Illegal-Url comment="" connection-state=new disabled=no \
    log-prefix=""
    add action=add-dst-to-address-list address-list=Blocked-url \
    address-list-timeout=0s chain=Illegal-Url comment="" disabled=no
    add action=drop chain=Illegal-Url comment="" disabled=no src-address-list=\
    "!White List"
    add action=jump chain=forward comment="Allow Anti Virus Update" disabled=no \
    jump-target=antivius-update packet-mark=Av-Update-Packet
    add action=accept chain=antivius-update comment="" disabled=no in-interface=\
    Lan
    add action=drop chain=input comment="drop ssh brute forcers" disabled=no \
    dst-port=22 protocol=tcp src-address-list=ssh_blacklist
    add action=add-src-to-address-list address-list=ssh_blacklist \
    address-list-timeout=2w chain=input comment="" connection-state=new \
    disabled=no dst-port=22 protocol=tcp src-address-list=ssh_stage3
    add action=add-src-to-address-list address-list=ssh_stage3 \
    address-list-timeout=1m chain=input comment="" connection-state=new \
    disabled=no dst-port=22 protocol=tcp src-address-list=ssh_stage2
    add action=add-src-to-address-list address-list=ssh_stage2 \
    address-list-timeout=1m chain=input comment="" connection-state=new \
    disabled=no dst-port=22 protocol=tcp src-address-list=ssh_stage1
    add action=add-src-to-address-list address-list=ssh_stage1 \
    address-list-timeout=1m chain=input comment="" connection-state=new \
    disabled=no dst-port=22 protocol=tcp
    add action=accept chain=input comment=\
    "allow port 21,22,80,1723,8291 from Lan" disabled=no dst-port=\
    21,22,80,1723,8291 in-interface=Lan protocol=tcp
    add action=log chain=forward comment="deny Outgoing SMTP" disabled=no \
    dst-port=25 in-interface=Lan log-prefix="Outgoing SMTP Denied:" protocol=\
    tcp
    add action=drop chain=forward comment="deny Outgoing SMTP" disabled=no \
    dst-port=25 in-interface=Lan protocol=tcp
    add action=log chain=forward comment="Log denied Proxy & Telnet" disabled=no \
    dst-port=23,81,88,1080,3128,8080,8081,8085,8088,27977 in-interface=Lan \
    log-prefix="Proxy Denied:" protocol=tcp
    add action=drop chain=forward comment="deny Proxy & Telnet" disabled=no \
    dst-port=23,81,88,1080,3128,8080,8081,8085,8088,27977 in-interface=Lan \
    protocol=tcp
    add action=accept chain=forward comment="Allow Users from Internet-List" \
    disabled=no in-interface=Lan src-address-list=Internet-List
    add action=drop chain=input comment="Block NetBios & Microsoft-DS" disabled=\
    no dst-port=135-139,445 protocol=tcp
    add action=drop chain=input comment="Block NetBios & Microsoft-DS" disabled=\
    no dst-port=135-139,445 protocol=udp
    add action=drop chain=forward comment=\
    "Block outbound NetBios & Microsoft-DS port scan" disabled=no dst-port=\
    135-139,445 protocol=tcp
    add action=drop chain=forward comment=\
    "Block outbound NetBios & Microsoft-DS port scan" disabled=no dst-port=\
    135-139,445 protocol=udp
    add action=accept chain=forward comment="" connection-state=established \
    disabled=no
    add action=log chain=forward comment="" connection-state=new disabled=no \
    in-interface=Lan log-prefix="Internet Block:"
    add action=drop chain=forward comment="" disabled=no in-interface=Lan



    /ip firewall nat
    add action=masquerade chain=srcnat comment="" disabled=no out-interface=\
    Internet



    /ip firewall mangle
    add action=mark-connection chain=forward comment="" disabled=no in-interface=\
    Lan layer7-protocol=AV-Update new-connection-mark=Av-Update-Conn \
    passthrough=yes
    add action=mark-packet chain=forward comment="" connection-mark=\
    Av-Update-Conn disabled=no in-interface=Lan new-packet-mark=\
    Av-Update-Packet passthrough=yes
    add action=mark-connection chain=forward comment="Mark Illegal URL" disabled=\
    no in-interface=Lan layer7-protocol=blocked-urls new-connection-mark=\
    Illegal-Url-Conn passthrough=yes
    add action=mark-packet chain=forward comment="" connection-mark=\
    Illegal-Url-Conn disabled=no in-interface=Lan new-packet-mark=\
    Illegal-Url-Packet passthrough=yes



    /ip firewall layer7-protocol
    add comment="" name=blocked-urls regexp=\
    "(facebook.com|apps.facebook.com|friendster.com|login.facebook.com|myspace.com|fcbdn.net|youtube.com|myspace.com|sweetim.com|dailymotion.com|video.google.com|unblocked.org|proxify.com|invisiblesurfing.com|anonymouse.org|slyuser.com|texasproxy.com|filtersneak.com|ipbender.com|proxybuddy.com|sitesurf.net|bebooxy.com)"
    add comment="" name=AV-Update regexp=\
    "(geo.kaspersky.com|kaspersky.com)"




    /ip firewall address-list
    add address=172.17.109.31 comment="" disabled=yes list="White List"
    add address=172.17.109.31 comment=User1 disabled=no list=Internet-List
    add address=172.17.109.95 comment=User2 disabled=no list=Internet-List
    add address=172.17.109.40 comment=User3 disabled=no list=Internet-List


    Thanks in advance for your help.
    Last edited by tjhana; 11-09-2010 at 18:12.
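As an added illustration that is not part of the thread, the following Python model evaluates the forward chain from the script above first-match, the way a RouterOS filter chain is walked. It assumes that the layer7 matcher can only mark a connection once payload has been seen, so the first SYN from a host outside Internet-List reaches the final drop; the packet fields and the unlisted address 172.17.109.50 are constructed for the example.

```python
from dataclasses import dataclass

# Constructed packets with only the fields the thread's forward rules match on;
# all modelled traffic is TCP, so the protocol=tcp matchers are implicit.
@dataclass
class Packet:
    src: str
    dst_port: int
    state: str = "new"       # connection-state as tracked by the router
    payload: bytes = b""     # application data seen so far (empty on a SYN)
    in_iface: str = "Lan"

INTERNET_LIST = {"172.17.109.31", "172.17.109.95", "172.17.109.40"}  # from the post
PROXY_PORTS = {23, 81, 88, 1080, 3128, 8080, 8081, 8085, 8088, 27977}

def av_update_marked(pkt):
    """Mangle stage: the layer7 AV-Update regexp needs payload to match on,
    so a bare SYN never receives the Av-Update-Packet mark."""
    return b"kaspersky.com" in pkt.payload

# The post's forward chain, in order, as (action, matcher) pairs. The jump into
# antivius-update is folded into one accept; the Illegal-Url jump is left out
# because it never matches the update traffic examined here.
FORWARD = [
    ("accept", lambda p: p.in_iface == "Lan" and av_update_marked(p)),
    ("drop",   lambda p: p.in_iface == "Lan" and p.dst_port == 25),
    ("drop",   lambda p: p.in_iface == "Lan" and p.dst_port in PROXY_PORTS),
    ("accept", lambda p: p.in_iface == "Lan" and p.src in INTERNET_LIST),
    ("drop",   lambda p: 135 <= p.dst_port <= 139 or p.dst_port == 445),
    ("accept", lambda p: p.state == "established"),
    ("drop",   lambda p: p.in_iface == "Lan"),
]

def forward_verdict(pkt):
    """First matching rule wins, as in a RouterOS chain; an empty end accepts."""
    for action, matches in FORWARD:
        if matches(pkt):
            return action
    return "accept"

def can_start_av_update(src):
    """Does the very first packet (SYN to port 80) from src get through?"""
    return forward_verdict(Packet(src, 80)) == "accept"

if __name__ == "__main__":
    print(can_start_av_update("172.17.109.31"))  # True: host is in Internet-List
    print(can_start_av_update("172.17.109.50"))  # False: SYN hits the final drop
    late = Packet("172.17.109.50", 80, "established", b"Host: dl.kaspersky.com")
    print(forward_verdict(late))  # accept
```

The last packet is the only kind the AV rule would ever accept, and an unlisted host never gets to send it because its SYN was already dropped, which is why the mark-based allow rule cannot do its job on its own.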

  2. #2 oktama (Forum Guru, Location Jayapura, Join Date Jul 2008)

    It is dizzying to look at; why not just keep it simple?

    Allow antivirus update

    Code:
    add action=jump chain=forward comment="Allow Anti Virus Update" disabled=no jump-target=antivius-update packet-mark=Av-Update-Packet
    add action=accept chain=antivius-update comment="" disabled=no in-interface=Lan
    simplified to

    Code:
    add action=accept chain=forward comment="Allow Anti Virus Update" disabled=no jump-target=antivius-update packet-mark=Av-Update-Packet
    Block users from the internet other than the white-list

    Code:
    /ip firewall filter
    add action=jump chain=forward comment="block Facebook, Friendster, dll." disabled=no jump-target=Illegal-Url packet-mark=Illegal-Url-Packet
    add action=log chain=Illegal-Url comment="" connection-state=new disabled=no log-prefix=""
    add action=add-dst-to-address-list address-list=Blocked-url address-list-timeout=0s chain=Illegal-Url comment="" disabled=no
    add action=drop chain=Illegal-Url comment="" disabled=no src-address-list="!White List"
    simplified

    Code:
    add action=drop chain=forward comment="" disabled=no src-address-list="!White List"
    For SSH on the input chain, instead of using so many firewall rules
    Code:
    add action=drop chain=input comment="drop ssh brute forcers" disabled=no \
    dst-port=22 protocol=tcp src-address-list=ssh_blacklist
    add action=add-src-to-address-list address-list=ssh_blacklist \
    address-list-timeout=2w chain=input comment="" connection-state=new \
    disabled=no dst-port=22 protocol=tcp src-address-list=ssh_stage3
    add action=add-src-to-address-list address-list=ssh_stage3 \
    address-list-timeout=1m chain=input comment="" connection-state=new \
    disabled=no dst-port=22 protocol=tcp src-address-list=ssh_stage2
    add action=add-src-to-address-list address-list=ssh_stage2 \
    address-list-timeout=1m chain=input comment="" connection-state=new \
    disabled=no dst-port=22 protocol=tcp src-address-list=ssh_stage1
    add action=add-src-to-address-list address-list=ssh_stage1 \
    address-list-timeout=1m chain=input comment="" connection-state=new \
    disabled=no dst-port=22 protocol=tcp
    it is better simplified to address=x.x.x.x, kept as a precaution just in case you need access via SSH

    Code:
    add action=accept chain=input src-address-list=ssh-allow
    add action=drop chain=input comment="drop ssh brute forcers" disabled=no \
    dst-port=22 protocol=tcp src-address-list=ssh_blacklist
    
    /ip firewall address-list
    add address=x.x.x.x comment="" disabled=no list="ssh-allow"
    As a final safeguard so the router is safe from attacks via the internet (only accept packets from external DNS servers, if the router also serves as a caching DNS):

    Code:
    /ip firewall filter add chain=input action=accept protocol=udp in-interface=Internet src-port=53
    /ip firewall filter add chain=input action=drop
    Something like that, bro. No need for so many rules; it makes you dizzy and whoever reads it dizzy too.
    Last edited by oktama; 13-09-2010 at 07:19. Reason: additions and explanation

  3. #3 tjhana (Newbie, Join Date Aug 2007)

    Originally Posted by oktama
    It is dizzying to look at; why not just keep it simple?

    Allow antivirus update

    simplified to

    Code:
    add action=accept chain=forward comment="Allow Anti Virus Update" disabled=no jump-target=antivius-update packet-mark=Av-Update-Packet
    Thanks for the input. But when I tried copy-pasting the rule, the result was invalid.
