  1. #1 okto_2005 (Member Super Senior, joined Jul 2007)

    Dmitry Firewall (2006)

    After digging around the wiki I finally found the contents of Dmitry's firewall (Dmitry Golubev, MikroTik (Latvia) documentation writer and networking expert, who has worked at MikroTik for four years).

    This is a copy-paste, freely translated with a few adjustments. If you bros / sisses (are there any sisters in here??????) want to read the source, it's here:

    The main components that make up the firewall are:
    * protocol classifier
    * invalid packet filter
    * port-scan detector
    * policy classifier
    * application protocol filter
    * TCP-specific filters
    * application protocol specific filters

    Protocol Classifier
    This is used to classify a number of ports, both TCP and UDP:
    Code:
    / ip firewall mangle
    add chain=prerouting protocol=tcp connection-state=new action=jump jump-target=tcp-services
    add chain=prerouting protocol=udp connection-state=new action=jump jump-target=udp-services
    add chain=prerouting connection-state=new action=jump jump-target=other-services
    The TCP part can be grouped as follows:
    Code:
    add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=20-21 action=mark-connection new-connection-mark=ftp passthrough=no
    add chain=tcp-services protocol=tcp src-port=513-65535 dst-port=22 action=mark-connection new-connection-mark=ssh passthrough=no
    add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=23 action=mark-connection new-connection-mark=telnet passthrough=no
    add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=25 action=mark-connection new-connection-mark=smtp passthrough=no
    add chain=tcp-services protocol=tcp src-port=53 dst-port=53 action=mark-connection new-connection-mark=dns passthrough=no
    add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=53 action=mark-connection new-connection-mark=dns passthrough=no
    add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=80 action=mark-connection new-connection-mark=http passthrough=no
    add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=110 action=mark-connection new-connection-mark=pop3 passthrough=no
    add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=113 action=mark-connection new-connection-mark=auth passthrough=no
    add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=119 action=mark-connection new-connection-mark=nntp passthrough=no
    add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=143 action=mark-connection new-connection-mark=imap passthrough=no
    add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=161-162 action=mark-connection new-connection-mark=snmp passthrough=no
    add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=443 action=mark-connection new-connection-mark=https passthrough=no
    add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=465 action=mark-connection new-connection-mark=smtps passthrough=no
    add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=993 action=mark-connection new-connection-mark=imaps passthrough=no
    add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=995 action=mark-connection new-connection-mark=pop3s passthrough=no
    add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=1723 action=mark-connection new-connection-mark=pptp passthrough=no
    add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=2379 action=mark-connection new-connection-mark=kgs passthrough=no
    add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=3128 action=mark-connection new-connection-mark=proxy passthrough=no
    add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=3389 action=mark-connection new-connection-mark=win-ts passthrough=no
    add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=4242-4243 action=mark-connection new-connection-mark=emule passthrough=no
    add chain=tcp-services protocol=tcp src-port=4661-4662 dst-port=1024-65535 action=mark-connection new-connection-mark=overnet passthrough=no
    add chain=tcp-services protocol=tcp src-port=4711 dst-port=1024-65535 action=mark-connection new-connection-mark=emule passthrough=no
    add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=5900-5901 action=mark-connection new-connection-mark=vnc passthrough=no
    add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=6667-6669 action=mark-connection new-connection-mark=irc passthrough=no
    add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=6881-6889 action=mark-connection new-connection-mark=bittorrent passthrough=no
    add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=8080 action=mark-connection new-connection-mark=http passthrough=no
    add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=8291 action=mark-connection new-connection-mark=winbox passthrough=no
    add chain=tcp-services protocol=tcp action=mark-connection new-connection-mark=other-tcp passthrough=no
    The UDP part is no shorter either ^^ :
    Code:
    add chain=udp-services protocol=udp src-port=1024-65535 dst-port=53 action=mark-connection new-connection-mark=dns passthrough=no
    add chain=udp-services protocol=udp src-port=1024-65535 dst-port=123 action=mark-connection new-connection-mark=ntp passthrough=no
    add chain=udp-services protocol=udp src-port=1024-65535 dst-port=1701 action=mark-connection new-connection-mark=l2tp passthrough=no
    add chain=udp-services protocol=udp src-port=1024-65535 dst-port=4665 action=mark-connection new-connection-mark=emule passthrough=no
    add chain=udp-services protocol=udp src-port=1024-65535 dst-port=4672 action=mark-connection new-connection-mark=emule passthrough=no
    add chain=udp-services protocol=udp src-port=4672 dst-port=1024-65535 action=mark-connection new-connection-mark=emule passthrough=no
    add chain=udp-services protocol=udp src-port=1024-65535 dst-port=12053 action=mark-connection new-connection-mark=overnet passthrough=no
    add chain=udp-services protocol=udp src-port=12053 dst-port=1024-65535 action=mark-connection new-connection-mark=overnet passthrough=no
    add chain=udp-services protocol=udp src-port=36725 dst-port=1024-65535 action=mark-connection new-connection-mark=skype passthrough=no
    add chain=udp-services protocol=udp connection-state=new action=mark-connection new-connection-mark=other-udp passthrough=no
    Whatever does not fall under the TCP and UDP types also goes into mangle:
    Code:
    add chain=other-services protocol=icmp icmp-options=8:0-255 action=mark-connection new-connection-mark=ping passthrough=no
    add chain=other-services protocol=gre action=mark-connection new-connection-mark=gre passthrough=no
    add chain=other-services action=mark-connection new-connection-mark=other passthrough=no
    Here is a tip from Dmitry himself:
    Quote:
    Note that for TCP and UDP, we check both, source port (usually, 1024-65535) and destination port. Everything else is not a valid protocol.
    So the ports considered safe are usually the ones between 1024 and 65535, since those are the source ports used by the client.

    Invalid packet filter
    To make packet filtering easier, first create the following mangle rule:
    Code:
    /ip firewall mangle
    add chain=prerouting in-interface=Public dst-address-list=nat-addr action=mark-packet new-packet-mark=nat-traversal passthrough=no
    We add our local IPs, the restricted IPs and our ISP's IPs so they can reach the MikroTik (please adjust these to your own needs, yeah):
    Code:
    / ip firewall address-list
    add list=illegal-addr address=0.0.0.0/8 comment="illegal addresses"
    add list=illegal-addr address=127.0.0.0/8
    add list=illegal-addr address=224.0.0.0/3
    add list=illegal-addr address=10.0.0.0/8
    add list=illegal-addr address=172.16.0.0/12
    add list=illegal-addr address=192.168.0.0/16
    add list=local-addr address=192.168.1.0/24 comment="my local network"
    add list=local-addr address=10.1.0.0/16 comment="my Local ISP network"
    add list=local-addr address=172.31.255.0/21 comment="my Public IP network"
    add list=nat-addr address=192.168.1.0/24 comment="my local network"
    Above you can see three address lists:
    illegal-addr ----> list of bogus and restricted addresses
    local-addr ---> list of our own network, the ISP's local network and our public IP
    nat-addr ----> list of the IP blocks that are masqueraded (src-nat)

    Port Scan Detector and TCP-specific filters
    In the firewall filter rules:
    We bypass traffic for our internal network:
    Code:
    / ip firewall filter
    add chain=forward in-interface=Local out-interface=Local action=accept comment="Allow traffic between wired and wireless networks"
    Here we start blocking port scanners and intrusions from outside into our MikroTik:
    Code:
    / ip firewall filter
    add chain=forward action=jump jump-target=sanity-check comment="Sanity Check"
    add chain=sanity-check packet-mark=nat-traversal action=jump jump-target=drop comment="Deny illegal NAT traversal"
    add chain=sanity-check protocol=tcp psd=20,3s,3,1 action=add-src-to-address-list address-list=blocked-addr address-list-timeout=1d comment="Block port scans"
    add chain=sanity-check protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack action=add-src-to-address-list address-list=blocked-addr address-list-timeout=1d comment="Block TCP Xmas scan"
    add chain=sanity-check protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list=blocked-addr address-list-timeout=1d comment="Block TCP Null scan"
    add chain=sanity-check protocol=tcp src-address-list=blocked-addr action=jump jump-target=drop
    add chain=sanity-check protocol=tcp tcp-flags=rst action=jump jump-target=drop comment="Drop TCP RST"
    add chain=sanity-check protocol=tcp tcp-flags=fin,syn action=jump jump-target=drop comment="Drop TCP SYN+FIN"
    add chain=sanity-check connection-state=invalid action=jump jump-target=drop comment="Dropping invalid connections at once"
    add chain=sanity-check connection-state=established action=accept comment="Accepting already established connections"
    add chain=sanity-check connection-state=related action=accept comment="Also accepting related connections"
    add chain=sanity-check dst-address-type=broadcast,multicast action=jump jump-target=drop comment="Drop all traffic that goes to multicast or broadcast addresses"
    add chain=sanity-check in-interface=Local dst-address-list=illegal-addr dst-address-type=!local action=jump jump-target=drop comment="Drop illegal destination addresses"
    add chain=sanity-check in-interface=Local src-address-list=!local-addr action=jump jump-target=drop comment="Drop everything that goes from local interface but not from local address"
    add chain=sanity-check in-interface=Public src-address-list=illegal-addr action=jump jump-target=drop comment="Drop illegal source addresses"
    add chain=sanity-check in-interface=Public dst-address-list=!local-addr action=jump jump-target=drop comment="Drop everything that goes from public interface but not to local address"
    add chain=sanity-check src-address-type=broadcast,multicast action=jump jump-target=drop comment="Drop all traffic that goes from multicast or broadcast addresses"
    Application protocol specific filters
    Specific applications that need rules of their own:
    Code:
    / ip firewall filter
    add chain=forward protocol=tcp action=jump jump-target=restrict-tcp
    add chain=forward protocol=udp action=jump jump-target=restrict-udp
    add chain=forward action=jump jump-target=restrict-ip
    add chain=restrict-tcp connection-mark=auth action=reject
    add chain=restrict-tcp connection-mark=smtp action=jump jump-target=smtp-first-drop comment="anti-spam policy"
    add chain=smtp-first-drop src-address-list=first-smtp action=add-src-to-address-list address-list=approved-smtp
    add chain=smtp-first-drop src-address-list=approved-smtp action=return
    add chain=smtp-first-drop action=add-src-to-address-list address-list=first-smtp
    add chain=smtp-first-drop action=reject reject-with=icmp-network-unreachable
    Since the port/protocol connections that could not be classified above are unknown, we just drop them ^^
    Code:
    / ip firewall filter
    add chain=restrict-tcp connection-mark=other-tcp action=jump jump-target=drop
    add chain=restrict-udp connection-mark=other-udp action=jump jump-target=drop
    add chain=restrict-ip connection-mark=other action=jump jump-target=drop
    Now our network is protected from the outside, but.... our MikroTik itself also needs securing..........., so just look at the firewall below:
    Code:
    / ip firewall filter
    add chain=input src-address-type=local dst-address-type=local action=accept comment="Allow local traffic \(between router applications\)"
    add chain=input in-interface=Local protocol=udp src-port=68 dst-port=67 action=jump jump-target=dhcp comment="DHCP protocol would not pass sanity checking, so enabling it explicitly before other checks"
    add chain=input action=jump jump-target=sanity-check comment="Sanity Check"
    add chain=input dst-address-type=!local action=jump jump-target=drop comment="Dropping packets not destined to the router itself, including all broadcast traffic"
    add chain=input connection-mark=ping limit=5,5 action=accept comment="Allow pings, but at a very limited rate \(5 per sec\)"
    add chain=input in-interface=Local action=jump jump-target=local-services comment="Allowing some services to be accessible from the local network"
    add chain=input in-interface=Public action=jump jump-target=public-services comment="Allowing some services to be accessible from the Internet"
    add chain=input action=jump jump-target=drop
    add chain=dhcp src-address=0.0.0.0 dst-address=255.255.255.255 action=accept
    add chain=dhcp src-address=0.0.0.0 dst-address-type=local action=accept
    add chain=dhcp src-address-list=local-addr dst-address-type=local action=accept
    add chain=local-services connection-mark=ssh action=accept comment="SSH \(22/TCP\)"
    add chain=local-services connection-mark=dns action=accept comment="DNS"
    add chain=local-services connection-mark=proxy action=accept comment="HTTP Proxy \(3128/TCP\)"
    add chain=local-services connection-mark=winbox action=accept comment="Winbox \(8291/TCP\)" disabled=no
    add chain=local-services action=drop comment="Drop Other Local Services"
    add chain=public-services connection-mark=ssh action=accept comment="SSH \(22/TCP\)"
    add chain=public-services connection-mark=pptp action=accept comment="PPTP \(1723/TCP\)"
    add chain=public-services connection-mark=gre action=accept comment="GRE for PPTP"
    add chain=public-services action=drop comment="Drop Other Public Services"
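    To see how the chains above interlock, here is an added Python model of three of them (the tcp-/udp-services classifier, the TCP-flag rules of sanity-check, and the smtp-first-drop chain). It is an editorial example, not the poster's configuration, not Dmitry's and not RouterOS code. It assumes only a representative subset of the classifier rules, treats add-src-to-address-list as non-terminating (the sanity-check and smtp-first-drop chains only work if it is), models the icmp echo rule as a protocol named "icmp-echo", and feeds it hand-constructed packets from documentation address ranges.

```python
"""Added example: a plain-Python model of the classifier, the TCP-flag part
of sanity-check, and smtp-first-drop from the post above.  Not RouterOS code.
Packets are the first packet of a new connection, so the established/related
accepts never fire.  Only a subset of the classifier rules is reproduced."""
from dataclasses import dataclass, field

# (protocol, src-port range, dst-port range, mark): subset of the post's
# mangle rules, kept in the post's order because first match wins.
CLASSIFIER = [
    ("tcp", (1024, 65535), (20, 21), "ftp"),
    ("tcp", (513, 65535), (22, 22), "ssh"),      # ssh may use a privileged src port
    ("tcp", (1024, 65535), (25, 25), "smtp"),
    ("tcp", (53, 53), (53, 53), "dns"),          # server-to-server DNS over TCP
    ("tcp", (1024, 65535), (53, 53), "dns"),
    ("tcp", (1024, 65535), (80, 80), "http"),
    ("tcp", (1024, 65535), (113, 113), "auth"),
    ("tcp", (1024, 65535), (443, 443), "https"),
    ("udp", (1024, 65535), (53, 53), "dns"),     # the post has no udp 53 -> 53 rule
    ("udp", (1024, 65535), (123, 123), "ntp"),
]
# other-services chain, modelled by protocol name only (assumption:
# "icmp-echo" stands for protocol=icmp icmp-options=8:0-255).
OTHER_SERVICES = {"tcp": "other-tcp", "udp": "other-udp", "gre": "gre", "icmp-echo": "ping"}


@dataclass(frozen=True)
class Packet:
    proto: str                      # "tcp", "udp", "gre", "icmp-echo", ...
    src: str                        # constructed source address
    sport: int
    dport: int
    flags: frozenset = frozenset()  # TCP flags that are set, e.g. {"syn"}


def _in(port, rng):
    return rng[0] <= port <= rng[1]


def classify(pkt):
    """Connection mark the prerouting mangle chains would assign."""
    for proto, src_rng, dst_rng, mark in CLASSIFIER:
        if pkt.proto == proto and _in(pkt.sport, src_rng) and _in(pkt.dport, dst_rng):
            return mark
    return OTHER_SERVICES.get(pkt.proto, "other")


def sanity_check(pkt):
    """TCP-flag rules of sanity-check.  'block' = the source lands in
    blocked-addr (1d) and the next rule, src-address-list=blocked-addr, drops it."""
    if pkt.proto != "tcp":
        return "continue"
    f = set(pkt.flags)
    if f == {"fin", "psh", "urg"}:          # Xmas scan: FIN+PSH+URG, no SYN/RST/ACK
        return "block"
    if not f:                               # Null scan: no flags at all
        return "block"
    if "rst" in f:                          # "Drop TCP RST"
        return "drop"
    if {"fin", "syn"} <= f:                 # "Drop TCP SYN+FIN"
        return "drop"
    return "continue"


@dataclass
class SmtpFirstDrop:
    """The smtp-first-drop chain: two address lists, neither with a timeout."""
    first_smtp: set = field(default_factory=set)
    approved_smtp: set = field(default_factory=set)

    def check(self, src):
        if src in self.first_smtp:          # rule 1: a retry gets approved
            self.approved_smtp.add(src)
        if src in self.approved_smtp:       # rule 2: approved -> return to restrict-tcp
            return "return"
        self.first_smtp.add(src)            # rule 3: remember the first attempt
        return "reject"                     # rule 4: icmp-network-unreachable


def forward_verdict(pkt, smtp_state):
    """Forward chain for a new connection: sanity-check, then restrict-*."""
    verdict = sanity_check(pkt)
    if verdict != "continue":
        return verdict
    mark = classify(pkt)
    if mark == "auth":
        return "reject"
    if mark == "smtp" and smtp_state.check(pkt.src) == "reject":
        return "reject"
    if mark in ("other-tcp", "other-udp", "other"):
        return "drop"
    return "accept"                         # forward has no final drop rule


if __name__ == "__main__":
    state = SmtpFirstDrop()
    for p in (Packet("tcp", "203.0.113.5", 40000, 22, frozenset({"syn"})),
              Packet("tcp", "203.0.113.5", 80, 22, frozenset({"syn"})),
              Packet("udp", "203.0.113.5", 53, 53),
              Packet("tcp", "203.0.113.5", 40000, 25, frozenset({"syn"})),
              Packet("tcp", "203.0.113.5", 40001, 25, frozenset({"syn"}))):
        print(p.proto, p.sport, "->", p.dport, classify(p), forward_verdict(p, state))
```

    Two things the model makes visible that the rule listing alone does not: a connection whose source port is outside the range the classifier expects (a TCP SYN from port 80 to port 22, or a UDP query from port 53 to port 53, which is what some older DNS servers send to each other) gets the other-* mark and is dropped in forward, so this firewall is strict about client source ports; and the smtp-first-drop chain is a greylist, the first SMTP connection from any source is rejected and the first retry from that same source is accepted from then on, since neither address list carries a timeout.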

  2. #2 muaredi (Newbie, joined May 2010)
    Why so quiet here?

  3. #3 napitu7 (Newly Joined, joined Jan 2013, Jakarta, Indonesia)
    Nice, bro

  4. #4 suparachmad (Newly Joined, joined Jul 2010)
    Thank you okto_2005, after reading this article my config mistake got sorted out

  5. #5 suparachmad (Newly Joined, joined Jul 2010)
    Masters, after checking again it turns out there is still an error on my side, so the public IP below the router still gets dropped
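    The address-list rules of the sanity-check chain in post #1 decide which source/destination pairs each interface admits, and they are the rules to read when traffic from an address block routed behind the router is unexpectedly dropped: in-interface=Local src-address-list=!local-addr drops anything from the LAN side whose source is not in local-addr, and in-interface=Public dst-address-list=!local-addr drops the replies unless the destination is in local-addr too. Here is an added Python model of those rules, an editorial example and not the poster's, Dmitry's or RouterOS code. It uses the three address lists exactly as listed in post #1, assumes a new connection (the established/related accepts have not fired), and the 203.0.113.0/24 block and the 198.51.100.x hosts are constructed documentation addresses.

```python
"""Added example: the address-list rules of sanity-check from post #1 in
Python (not RouterOS code, not the poster's configuration).  Walks the rules
in the post's order for the first packet of a new connection."""
import ipaddress


def _net(prefix):
    # RouterOS accepts a list entry with host bits set (172.31.255.0/21 in the
    # post) and matches on the prefix; Python needs strict=False to do the same.
    return ipaddress.ip_network(prefix, strict=False)


# /ip firewall address-list from post #1
ILLEGAL_ADDR = [_net(p) for p in ("0.0.0.0/8", "127.0.0.0/8", "224.0.0.0/3",
                                  "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LOCAL_ADDR = [_net(p) for p in ("192.168.1.0/24", "10.1.0.0/16", "172.31.255.0/21")]
NAT_ADDR = [_net("192.168.1.0/24")]
BROADCAST = ipaddress.ip_address("255.255.255.255")


def in_list(addr, address_list):
    a = ipaddress.ip_address(addr)
    return any(a in net for net in address_list)


def sanity_check_addresses(in_iface, src, dst, local_addr=LOCAL_ADDR,
                           dst_is_router=False):
    """Walk the address rules of sanity-check in the post's order.

    in_iface      -- "Local" or "Public" (the post's interface names)
    local_addr    -- the local-addr list in force
    dst_is_router -- models dst-address-type=local (an address of the router)
    Returns the comment of the rule that dropped the packet, or "continue".
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # mangle: in-interface=Public dst-address-list=nat-addr -> nat-traversal mark,
    # which the first sanity-check rule drops
    if in_iface == "Public" and in_list(dst, NAT_ADDR):
        return "Deny illegal NAT traversal"
    if d.is_multicast or d == BROADCAST:
        return "Drop all traffic that goes to multicast or broadcast addresses"
    if in_iface == "Local":
        if in_list(dst, ILLEGAL_ADDR) and not dst_is_router:
            return "Drop illegal destination addresses"
        if not in_list(src, local_addr):
            return "Drop everything that goes from local interface but not from local address"
    if in_iface == "Public":
        if in_list(src, ILLEGAL_ADDR):
            return "Drop illegal source addresses"
        if not in_list(dst, local_addr):
            return "Drop everything that goes from public interface but not to local address"
    if s.is_multicast or s == BROADCAST:
        return "Drop all traffic that goes from multicast or broadcast addresses"
    return "continue"


def local_addr_with(extra_prefix, base=LOCAL_ADDR):
    """local-addr extended by one more entry, e.g. a public block routed
    behind the router (203.0.113.0/24 below is a constructed example)."""
    return base + [_net(extra_prefix)]


if __name__ == "__main__":
    routed = local_addr_with("203.0.113.0/24")
    cases = [("Local", "192.168.1.5", "198.51.100.7", LOCAL_ADDR),
             ("Local", "203.0.113.9", "198.51.100.7", LOCAL_ADDR),
             ("Local", "203.0.113.9", "198.51.100.7", routed),
             ("Public", "198.51.100.7", "203.0.113.9", LOCAL_ADDR),
             ("Public", "198.51.100.7", "203.0.113.9", routed),
             ("Public", "10.1.2.3", "172.31.255.10", LOCAL_ADDR)]
    for iface, src, dst, lst in cases:
        print(iface, src, "->", dst, ":", sanity_check_addresses(iface, src, dst, lst))
```

    Running the cases shows that a routed public block has to be in local-addr for both directions to pass, outbound because of the Local src-address-list=!local-addr rule and inbound because of the Public dst-address-list=!local-addr rule. It also shows a consequence of the lists as posted: a packet from the ISP's 10.1.0.0/16 arriving on Public is dropped as an illegal source, because 10.0.0.0/8 is in illegal-addr and that rule is checked before local-addr is consulted.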
