Page 2 of 3 (Results 16 to 30 of 38)
  1. #16 pujo_85
    Originally Posted by jhobeaston:
    Awesome... I finally got some enlightenment

    One more thing, bro...
    I've set my MikroTik up as a DHCP server.
    Now I also want to make a list of MAC addresses that are the only ones allowed to get DHCP from my MikroTik, is that possible?? Where is that configured, bro..??
    So anything other than the MAC addresses on the list won't get an IP via DHCP
    (unless it's set manually)

    Thanks in advance
    hmm... the questions keep getting harder
    It doesn't look possible yet, or I just don't know how, because the DHCP discover packet works at layer 2 (DHCP discover is sent to dst-address FF:FF:FF:FF:FF:FF) while /ip firewall filter works at Layer 3, so simply put, the IP firewall can't read DHCP discover packets.. CMIIW
    It can be worked around by attaching the dhcp-server to a bridge interface and putting a firewall on the bridge to filter those packets..
    For example...
    /interface bridge add name=bridge1
    /interface bridge port add interface=ether2 bridge=bridge1
    /interface bridge settings set use-ip-firewall=yes   # don't forget this one, so the normal ip filter can be used
    /interface bridge filter add action=drop chain=input comment="ini buat ngdrop DHCP discover" disabled=no ip-protocol=udp mac-protocol=ip src-mac-address=!AB:CD:EF:AB:CD:EF/FF:FF:FF:FF:FF:FF src-port=67-68
    /ip dhcp-server add address-pool=dhcp_pool1 disabled=no interface=bridge1 lease-time=3d name=dhcp1
    where AB:CD:EF:AB:CD:EF is the MAC of the permitted user..
    Give it a try, bro.. I'll wait for your report, since I haven't tried it on a real network yet

  2. #17 lucubrb
    Originally Posted by yosanpro:
    Boss lucubrb, with a rule like that I think the MAC in rule 2 won't be able to get access, because it's already dropped in rule 1 (it only works for 1 MAC...CMIIW)

    If it were me, I'd do it like this (all in the forward chain)

    Code:
    /ip firewall filter add chain=forward src-mac-address=0123456789ab action=accept
    /ip firewall filter add chain=forward src-mac-address=012345678900 action=accept
    /ip firewall filter add chain=forward src-mac-address=012345678911 action=accept
    /ip firewall filter add chain=forward action=drop
    Rules placed below that last drop really are useless, so if you want to add a new rule like point number 3 of the TS's question, the ones below it have to be moved above the final drop rule (you can just drag and drop them).

    Besides Firewall Filter, you could also use Firewall NAT, or 'the ultimate', Static ARP...
    hehe... indeed only 1 MAC was allowed

    but if you want access from several places, bro yosan's method is the way to go

  3. #18 jhobeaston
    sigh... it turns out that after trying method 1 using:
    /ip firewall filter add chain=forward src-mac-address=0123456789ab action=accept
    /ip firewall filter add chain=forward src-mac-address=012345678900 action=accept
    /ip firewall filter add chain=forward src-mac-address=012345678911 action=accept
    /ip firewall filter add chain=forward action=drop
    it doesn't work..?? everything just gets RTO??

    then with method 2:
    /ip firewall filter add chain=forward action=jump src-mac-address=0123456789ab jump-target=filter1
    /ip firewall filter add chain=forward action=jump src-mac-address=012345678900 jump-target=filter1
    /ip firewall filter add chain=forward action=jump src-mac-address=012345678911 jump-target=filter1
    /ip firewall filter add chain=forward action=drop
    /ip firewall filter add chain=filter1 action=accept dst-port=23 protocol=tcp comment="telnet" disabled=no
    /ip firewall filter add chain=filter1 action=accept dst-port=25 protocol=tcp comment="smtp" disabled=no
    ...
    ...
    and so on... the whole port list uses the same chain, named filter1
    still doesn't work either... sigh
    what's going on, bro??

  4. #19 yosanpro
    Have those MAC addresses been replaced with the actual MAC addresses of the computers?

    You can look them up with a scan or in ARP...

  5. #20 jhobeaston
    Originally Posted by yosanpro:
    Have those MAC addresses been replaced with the actual MAC addresses of the computers?

    You can look them up with a scan or in ARP...
    Yes sir... they match the MACs here
    the ones above are just samples, along with a sample port list of a few that I opened... there are many more below

    but it still doesn't work

  6. #21 jhobeaston
    so what should I do, bro..??

  7. #22 yosanpro
    Can you be more specific about how it doesn't work? For example, does the MAC in question lose access? Or can the other MACs still get access?

  8. #23 jhobeaston
    The result when everything is enabled is that both the MACs on the list and those not on it get RTO when pinging outside

    but when each MAC on the list is given a ! in front of its MAC-Address, everything except the ones on the list works normally, why is that??

  9. #24 jhobeaston
    help me bro..

  10. #25 jhobeaston
    bump... how's it going, bro...??
    help me mod

  11. #26 yosanpro
    The ! sign can be read as 'other than' (negation), so with that sign the rule actually matches everything except the MAC that is written.

    When everything is enabled, try looking at the counter on each rule while accessing the internet from a client, and see whether the counter for the client's MAC goes up or only the drop keeps rising. If it doesn't go up, i.e. only the drop part rises, there may still be something wrong in the rules. Check once more.

    For the simplest setup just use the forward chain; once you understand the jump method and can read the flow, feel free to create new chains.

    If it still doesn't work, no harm in pasting the rules you've made here, so we can analyze them together.

  12. #27 jhobeaston
    Yes bro, I've been building this rule list since yesterday:

    Code:
    /ip firewall filter
    add chain=input action=drop connection-state=invalid comment="Drop invalid connections" disabled=no 
    add chain=input action=accept connection-state=established comment="Allow established connections" disabled=no 
    add chain=input action=accept protocol=udp comment="Allow UDP" disabled=no 
    add chain=input action=accept protocol=icmp comment="Allow ICMP" disabled=no 
    add chain=input action=accept in-interface=!Public comment="Allow connection to router from local network" disabled=no 
    add chain=input action=drop comment="drop anything else" disabled=no 
    add chain=forward action=drop connection-state=invalid protocol=tcp comment="Drop invalid connections" disabled=no 
    add chain=forward action=accept connection-state=established comment="Allow already established connections" disabled=no 
    add chain=forward action=accept connection-state=related comment="Allow related connections" disabled=no 
    add chain=forward action=drop src-address=0.0.0.0/8 comment="Block bogons addresses" disabled=no 
    add chain=forward action=drop dst-address=0.0.0.0/8 comment="" disabled=no 
    add chain=forward action=drop src-address=127.0.0.0/8 comment="" disabled=no 
    add chain=forward action=drop dst-address=127.0.0.0/8 comment="" disabled=no 
    add chain=forward action=drop src-address=169.254.0.0/16 comment="" disabled=no 
    add chain=forward action=drop dst-address=169.254.0.0/16 comment="" disabled=no 
    add chain=forward action=drop src-address=224.0.0.0/3 comment="" disabled=no 
    add chain=forward action=drop dst-address=224.0.0.0/3 comment="" disabled=no 
    add chain=forward action=jump jump-target=tcp protocol=tcp comment="tcp jump rule" disabled=no 
    add chain=forward action=jump jump-target=udp protocol=udp comment="icmp jump rule" disabled=no 
    add chain=forward action=jump jump-target=icmp protocol=icmp comment="icmp jump rule" disabled=no 
    add chain=tcp action=accept dst-port=7 protocol=tcp comment="echo" disabled=no 
    add chain=tcp action=accept dst-port=20-21 protocol=tcp comment="ftp" disabled=no 
    add chain=tcp action=accept dst-port=22 protocol=tcp comment="ssh" disabled=no 
    add chain=tcp action=accept dst-port=23 protocol=tcp comment="telnet" disabled=no 
    add chain=tcp action=accept dst-port=25 protocol=tcp comment="smtp" disabled=no 
    add chain=tcp action=accept dst-port=26 protocol=tcp comment="smtp-26" disabled=no 
    add chain=tcp action=accept dst-port=53 protocol=tcp comment="dns" disabled=no 
    add chain=tcp action=accept dst-port=67-68 protocol=tcp comment="dhcp" disabled=no 
    add chain=tcp action=accept dst-port=80 protocol=tcp comment="http" disabled=no 
    add chain=tcp action=accept dst-port=88 protocol=tcp comment="kerberos-sec" disabled=no 
    add chain=tcp action=accept dst-port=110 protocol=tcp comment="pop3" disabled=no 
    add chain=tcp action=accept dst-port=143 protocol=tcp comment="imap2" disabled=no 
    add chain=tcp action=accept dst-port=161 protocol=tcp comment="snmp" disabled=no 
    add chain=tcp action=accept dst-port=162 protocol=tcp comment="snmp trap" disabled=no 
    add chain=tcp action=accept dst-port=220 protocol=tcp comment="imap3" disabled=no 
    add chain=tcp action=accept dst-port=223 protocol=tcp comment="ssh-hw" disabled=no 
    add chain=tcp action=accept dst-port=389 protocol=tcp comment="ldap" disabled=no 
    add chain=tcp action=accept dst-port=443 protocol=tcp comment="https" disabled=no 
    add chain=tcp action=accept dst-port=445 protocol=tcp comment="tcp-smb" disabled=no 
    add chain=tcp action=accept dst-port=465 protocol=tcp comment="smtps" disabled=no 
    add chain=tcp action=accept dst-port=497 protocol=tcp comment="retrospect" disabled=no 
    add chain=tcp action=accept dst-port=636 protocol=tcp comment="ldaps" disabled=no 
    add chain=tcp action=accept dst-port=749 protocol=tcp comment="kerberos-adm" disabled=no 
    add chain=tcp action=accept dst-port=800 protocol=tcp comment="mu" disabled=no 
    add chain=tcp action=accept dst-port=902 protocol=tcp comment="vmware-console" disabled=no 
    add chain=tcp action=accept dst-port=933 protocol=tcp comment="imap-ssl" disabled=no 
    add chain=tcp action=accept dst-port=995 protocol=tcp comment="pop3s" disabled=no 
    add chain=tcp action=accept dst-port=1025 protocol=tcp comment="smtp" disabled=no 
    add chain=tcp action=accept dst-port=1025 protocol=tcp comment="cvs-up" disabled=no 
    add chain=tcp action=accept dst-port=1352 protocol=tcp comment="domino" disabled=no 
    add chain=tcp action=accept dst-port=1723 protocol=tcp comment="pptp" disabled=no 
    add chain=tcp action=accept dst-port=1863 protocol=tcp comment="msn" disabled=no 
    add chain=tcp action=accept dst-port=2082-2083 protocol=tcp comment="cpanel" disabled=no 
    add chain=tcp action=accept dst-port=2086-2087 protocol=tcp comment="whm" disabled=no 
    add chain=tcp action=accept dst-port=2095-2096 protocol=tcp comment="webmail-cpanel" disabled=no 
    add chain=tcp action=accept dst-port=2967-2968 protocol=tcp comment="sav-client-1" disabled=no 
    add chain=tcp action=accept dst-port=3268 protocol=tcp comment="ldap-global-catalog" disabled=no 
    add chain=tcp action=accept dst-port=3269 protocol=tcp comment="ldaps-global-catalog" disabled=no 
    add chain=tcp action=accept dst-port=3389-3390 protocol=tcp comment="rdp" disabled=no 
    add chain=tcp action=accept dst-port=3401 protocol=tcp comment="snmp-squid" disabled=no 
    add chain=tcp action=accept dst-port=3142 protocol=tcp comment="apt-cacher" disabled=no 
    add chain=tcp action=accept dst-port=4000 protocol=tcp comment="icq" disabled=no 
    add chain=tcp action=accept dst-port=5050 protocol=tcp comment="messenger" disabled=no 
    add chain=tcp action=accept dst-port=5100 protocol=tcp comment="ym-webcam" disabled=no 
    add chain=tcp action=accept dst-port=5190 protocol=tcp comment="icq-2000" disabled=no 
    add chain=tcp action=accept dst-port=5222-5223 protocol=tcp comment="jabber" disabled=no 
    add chain=tcp action=accept dst-port=5800-5801 protocol=tcp comment="vnc" disabled=no 
    add chain=tcp action=accept dst-port=5900-5901 protocol=tcp comment="vnc" disabled=no 
    add chain=tcp action=accept dst-port=6900 protocol=tcp comment="ro-server" disabled=no 
    add chain=tcp action=accept dst-port=8080 protocol=tcp comment="web-cache" disabled=no 
    add chain=tcp action=accept dst-port=8333 protocol=tcp comment="vmware-http" disabled=no 
    add chain=tcp action=accept dst-port=8739 protocol=tcp comment="dns-hostway" disabled=no 
    add chain=tcp action=accept dst-port=8888 protocol=tcp comment="ssh-8888" disabled=no 
    add chain=tcp action=accept dst-port=9999 protocol=tcp comment="urchin" disabled=no 
    add chain=tcp action=accept dst-port=22196 protocol=tcp comment="messenger" disabled=no 
    add chain=tcp action=accept dst-port=38293 protocol=tcp comment="sav-server" disabled=no 
    add chain=tcp action=accept dst-port=40628 protocol=tcp comment="ssh-festive" disabled=no 
    add chain=tcp action=accept dst-port=55555 protocol=tcp comment="assp" disabled=no 
    add chain=tcp action=drop comment="drop-anything-else" disabled=no 
    add chain=icmp action=accept protocol=icmp icmp-options=0:0 comment="" disabled=no 
    add chain=icmp action=accept protocol=icmp icmp-options=3:0 comment="" disabled=no 
    add chain=icmp action=accept protocol=icmp icmp-options=3:1 comment="" disabled=no 
    add chain=icmp action=accept protocol=icmp icmp-options=4:0 comment="allow-source-quench" disabled=no 
    add chain=icmp action=accept protocol=icmp icmp-options=8:0 comment="allow-echo-request" disabled=no 
    add chain=icmp action=accept protocol=icmp icmp-options=11:0 comment="allow-time-exeed" disabled=no 
    add chain=icmp action=accept protocol=icmp icmp-options=12:0 comment="allow-parameter-bad" disabled=no 
    add chain=icmp action=drop comment="deny-all-other-types" disabled=no 
    add chain=udp action=drop dst-port=69 protocol=udp comment="deny-tftp" disabled=no 
    add chain=udp action=drop dst-port=111 protocol=udp comment="deny-rpc-portmapper" disabled=no 
    add chain=udp action=drop dst-port=135 protocol=udp comment="deny-rpc-portmapper" disabled=no 
    add chain=udp action=drop dst-port=137-139 protocol=udp comment="deny-nbt" disabled=no 
    add chain=udp action=drop dst-port=2049 protocol=udp comment="deny-nfs" disabled=no 
    add chain=udp action=drop dst-port=3133 protocol=udp comment="deny-backoriffice" disabled=no 
    add chain=forward action=accept protocol=gre comment="protocol GRE" disabled=no 
    add chain=input action=add-src-to-address-list protocol=tcp psd=21,3s,3,1 address-list="port scanners" address-list-timeout=2w comment="Port scanners to list " disabled=no 
    add chain=input action=add-src-to-address-list tcp-flags=fin,!syn,!rst,!psh,!ack,!urg protocol=tcp address-list="port scanners" address-list-timeout=2w comment="NMAP FIN Stealth scan" disabled=no 
    add chain=input action=add-src-to-address-list tcp-flags=fin,syn protocol=tcp address-list="port scanners" address-list-timeout=2w comment="SYN/FIN scan" disabled=no 
    add chain=input action=add-src-to-address-list tcp-flags=syn,rst protocol=tcp address-list="port scanners" address-list-timeout=2w comment="SYN/RST scan" disabled=no 
    add chain=input action=add-src-to-address-list tcp-flags=fin,psh,urg,!syn,!rst,!ack protocol=tcp address-list="port scanners" address-list-timeout=2w comment="FIN/PSH/URG scan" disabled=no 
    add chain=input action=add-src-to-address-list tcp-flags=fin,syn,rst,psh,ack,urg protocol=tcp address-list="port scanners" address-list-timeout=2w comment="ALL/ALL scan" disabled=no 
    add chain=input action=add-src-to-address-list tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg protocol=tcp address-list="port scanners" address-list-timeout=2w comment="NMAP NULL scan" disabled=no
    there are all sorts of chains in there... so what's the good way to add the mac filter, bro??
    and what if I use jump??
    if there's anything wrong please correct me, bro...
    thanks a lot

  13. #28 pujo_85
    Originally Posted by jhobeaston:
    Yes bro, I've been building this rule list since yesterday:

    there are all sorts of chains in there... so what's the good way to add the mac filter, bro??
    and what if I use jump??
    if there's anything wrong please correct me, bro...
    thanks a lot
    too many rules make me dizzy...
    add chain=input action=accept in-interface=!Public comment="Allow connection to router from local network" disabled=no
    add chain=input action=drop comment="drop anything else" disabled=no
    ...
    ...
    add chain=input action=add-src-to-address-list protocol=tcp psd=21,3s,3,1 address-list="port scanners" address-list-timeout=2w comment="Port scanners to list " disabled=no
    add chain=input action=add-src-to-address-list tcp-flags=fin,!syn,!rst,!psh,!ack,!urg protocol=tcp address-list="port scanners" address-list-timeout=2w comment="NMAP FIN Stealth scan" disabled=no
    these rules will never get executed

  14. #29 jhobeaston
    oh right, sorry... those should be disabled=yes
    because they're still disabled

  15. #30 yosanpro
    Hmm, if it's added in the forward chain, the port rules below it won't be executed; if it goes into TCP, it'll only apply to TCP...

    I think it's better to create your own chain, say 'mac', then at the end of each chain (TCP, UDP, ICMP) remove the action=drop and replace it with a jump to the mac chain. After that put the mac rules into the mac chain, and only at the end of the mac chain add an action=drop.

    CMIIW...
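Added example, not from this thread or from MikroTik: a small Python model of how a /ip firewall filter rule list is evaluated, reproducing three points made above: rules below the last drop never fire (#17, #28), a ! in front of a match means "anything except" (#26), and the separate mac chain reached by a jump at the end of the tcp/udp/icmp chains (#30). The rule-evaluation semantics are the first-match/jump-and-return behaviour RouterOS shares with iptables; the Rule/walk/verdict names are mine, not a RouterOS API, and the MAC addresses, ports and rule lists are constructed sample values.

```python
# Added example (not from the thread): model of MikroTik filter-chain evaluation.
# Semantics modelled: rules in a chain are tried in order; accept/drop are final;
# jump enters the target chain and, if nothing final matched there, returns to the
# next rule of the calling chain; a chain with no final match falls through to accept.
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Rule:
    chain: str
    action: str                                  # "accept", "drop" or "jump"
    match: dict = field(default_factory=dict)    # e.g. {"src-mac-address": "!aa:bb:.."}
    jump_target: Optional[str] = None
    hits: int = 0                                # per-rule counter yosanpro (#26) says to watch

def matches(rule: Rule, pkt: dict) -> bool:
    for key, want in rule.match.items():
        negate = want.startswith("!")            # "!" = anything except this value
        want = want.lstrip("!")
        have = pkt.get(key)
        if key == "dst-port":                    # single port "80" or range "67-68"
            lo, _, hi = want.partition("-")
            ok = have is not None and int(lo) <= have <= int(hi or lo)
        else:
            ok = have == want
        if ok == negate:
            return False
    return True

def walk(rules: list, chain: str, pkt: dict) -> Optional[str]:
    for rule in rules:
        if rule.chain != chain or not matches(rule, pkt):
            continue
        rule.hits += 1
        if rule.action in ("accept", "drop"):
            return rule.action
        if rule.action == "jump":
            final = walk(rules, rule.jump_target, pkt)
            if final is not None:
                return final                     # no final match: continue in this chain

    return None

def verdict(rules: list, pkt: dict, chain: str = "forward") -> str:
    return walk(rules, chain, pkt) or "accept"   # default policy when nothing final matched

# constructed sample MAC addresses
M1, M2, STRANGER = "00:11:22:33:44:55", "00:11:22:33:44:66", "de:ad:be:ef:00:01"

def unreachable_rule_demo() -> tuple:
    """A rule placed after the final drop never fires (#17, #28)."""
    rules = [Rule("forward", "accept", {"src-mac-address": M1}),
             Rule("forward", "drop"),
             Rule("forward", "accept", {"src-mac-address": M2})]   # never reached
    v = verdict(rules, {"src-mac-address": M2, "protocol": "tcp", "dst-port": 80})
    return v, rules[2].hits

def negation_demo() -> tuple:
    """src-mac-address=!M1 matches everyone except M1 (#26)."""
    rules = [Rule("forward", "accept", {"src-mac-address": "!" + M1}),
             Rule("forward", "drop")]
    return (verdict(rules, {"src-mac-address": M1}),
            verdict(rules, {"src-mac-address": STRANGER}))

def mac_chain_rules() -> list:
    """Layout from #30: protocol chains end with a jump to 'mac', which ends in drop."""
    return [Rule("forward", "jump", {"protocol": "tcp"}, "tcp"),
            Rule("forward", "jump", {"protocol": "udp"}, "udp"),
            Rule("forward", "jump", {"protocol": "icmp"}, "icmp"),
            Rule("tcp", "accept", {"protocol": "tcp", "dst-port": "80"}),
            Rule("tcp", "jump", {}, "mac"),
            Rule("udp", "accept", {"protocol": "udp", "dst-port": "53"}),
            Rule("udp", "jump", {}, "mac"),
            Rule("icmp", "jump", {}, "mac"),
            Rule("mac", "accept", {"src-mac-address": M1}),
            Rule("mac", "accept", {"src-mac-address": M2}),
            Rule("mac", "drop")]

def mac_chain_demo() -> dict:
    rules = mac_chain_rules()
    cases = {
        "M1 ssh":        {"src-mac-address": M1, "protocol": "tcp", "dst-port": 22},
        "stranger ssh":  {"src-mac-address": STRANGER, "protocol": "tcp", "dst-port": 22},
        "stranger http": {"src-mac-address": STRANGER, "protocol": "tcp", "dst-port": 80},
        "stranger icmp": {"src-mac-address": STRANGER, "protocol": "icmp"},
        "M2 icmp":       {"src-mac-address": M2, "protocol": "icmp"},
    }
    return {name: verdict(rules, pkt) for name, pkt in cases.items()}

if __name__ == "__main__":
    print(unreachable_rule_demo(), negation_demo(), mac_chain_demo())
```

The model also shows one consequence of the #30 layout taken literally: the mac chain is only consulted for traffic that the port rules in the protocol chains did not already accept, so the "stranger http" case comes back as accept. If the MAC allow-list is meant to gate all client traffic, the jump to mac has to sit before the port rules. Comparing the `hits` counters before and after a test packet is the same check yosanpro recommends in #26.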

 

 