Ahoj,
pracuju na firewall filtru na pobočky a abych se přiznal nejsem úplně odborník a rád bych poprosil zkušenější o radu či pomoc.
Můj nadřízený mě poprosil o neprustřelný firewall :) pár pravidel jsem si našel a napasoval a lehce odzkoušel, teď prosím někoho kdo by se na to podíval a řekl jestli se to dá nebo je to slabota :(
/ip firewall filter
add action=accept chain=input dst-port=22 log-prefix=no protocol=tcp \
src-address=xxxxxxxxx/29
add action=accept chain=input dst-port=50023 log-prefix=no protocol=tcp \
src-address=xxxxxxxxx/29
add action=accept chain=input dst-port=50023,10000 log-prefix=no protocol=tcp \
src-address=xxxxxxxxx/29
add action=accept chain=input dst-port=50023,10000,12222,8502-8506,50023 \
log-prefix=no protocol=tcp src-address=xxxxxxxxx/29
add action=accept chain=input dst-port=50023,10000,12222,8502-8506,50023 \
log-prefix=no protocol=tcp src-address=xxxxxxxxx
add action=accept chain=input dst-port=50023,10000,12222,8502-8506,50023 \
log-prefix=no protocol=tcp src-address=xxxxxxxxx
add action=accept chain=input dst-port=50023,10000,12222,8502-8506,50023 \
log-prefix=no protocol=tcp src-address=xxxxxxxxx
add action=accept chain=input dst-port=50023,10000,12222,8502-8506,50023 \
log-prefix=no protocol=tcp src-address=xxxxxxxxx
add action=accept chain=input dst-port=50023,10000,12222,8502-8506,50023 \
log-prefix=no protocol=tcp src-address=xxxxxxxxx
add action=accept chain=input dst-port=50023,10000,12222,8502-8506,50023 \
log-prefix=no protocol=tcp src-address=xxxxxxxxx
add action=accept chain=input dst-port=50023,10000,12222,8502-8506,50023 \
log-prefix=no protocol=tcp src-address=xxxxxxxxx
add action=accept chain=input dst-port=10000,12222 log-prefix=no protocol=udp \
src-address=xxxxxxxxx/29
add action=accept chain=input dst-port=10000,12222 log-prefix=no protocol=udp \
src-address=9xxxxxxxxx
add action=accept chain=input dst-port=10000,12222 log-prefix=no protocol=udp \
src-address=1xxxxxxxxx
add action=accept chain=input dst-port=10000,12222 log-prefix=no protocol=udp \
src-address=xxxxxxxxx
add action=accept chain=input dst-port=10000,12222 log-prefix=no protocol=udp \
src-address=xxxxxxxxx
add action=accept chain=input dst-port=10000,12222 log-prefix=no protocol=udp \
src-address=xxxxxxxxx
add action=accept chain=input dst-port=10000,12222 log-prefix=no protocol=udp \
src-address=xxxxxxxxx
add action=accept chain=input dst-port=10000,12222 log-prefix=no protocol=udp \
src-address=xxxxxxxxx
add action=accept chain=input dst-port=8291 log-prefix="" protocol=tcp \
src-address=xxxxxxxxx9
add action=accept chain=input dst-port=80 log-prefix="" protocol=tcp \
src-address=xxxxxxxxx
add action=drop chain=input comment="Zakazany Ping" log-prefix="" protocol=\
icmp
add action=drop chain=input comment="Drop na vsechno" in-interface=ether1 \
log-prefix=""
add action=accept chain=forward comment="Povoleny port 3389/vzdalena plocha" \
log-prefix="" protocol=tcp src-port=3389
add action=accept chain=forward comment="Povoleny port 3389/vzdalena plocha" \
dst-port=3389 log-prefix="" protocol=tcp
add action=accept chain=forward comment=\
"Povoleny port pro kominikaci s diskama/10.22.5.11" dst-port=445 \
log-prefix="" protocol=tcp
add action=accept chain=forward comment=\
"Povoleny port pro kominikaci s diskama/10.22.5.11" log-prefix="" \
protocol=tcp src-port=445
add action=accept chain=forward comment=\
"Povoleny port pro kominikaci s diskama/10.22.5.11" dst-port=139 \
log-prefix="" protocol=tcp
add action=accept chain=forward comment=\
"Povoleny port pro kominikaci s diskama/10.22.5.11" log-prefix="" \
protocol=tcp src-port=139
add action=accept chain=forward comment=\
"Povoleny port pro kominikaci s diskama/10.22.5.11" dst-port=138 \
log-prefix="" protocol=udp
add action=accept chain=forward comment=\
"Povoleny port pro kominikaci s diskama/10.22.5.11" log-prefix="" \
protocol=udp src-port=138
add action=accept chain=forward comment=\
"Povoleny port pro kominikaci s diskama/10.22.5.11" dst-port=137 \
log-prefix="" protocol=udp
add action=accept chain=forward comment=\
"Povoleny port pro kominikaci s diskama/10.22.5.11" log-prefix="" \
protocol=udp src-port=137
add action=accept chain=forward comment=\
"Povoleny port pro kominikaci s diskama/10.22.5.11" dst-port=135 \
log-prefix="" protocol=tcp
add action=accept chain=forward comment=\
"Povoleny port pro kominikaci s diskama/10.22.5.11" log-prefix="" \
protocol=tcp src-port=135
add action=accept chain=forward comment="Povoleny port 8080" dst-port=8080 \
log-prefix="" protocol=tcp
add action=accept chain=forward comment="Povoleny port 8080" log-prefix="" \
protocol=tcp src-port=8080
add action=accept chain=forward comment="Povoleny port 8443/eset" dst-port=\
8443 log-prefix="" protocol=tcp
add action=accept chain=forward comment="Povoleny port 8443/eset" log-prefix=\
"" protocol=tcp src-port=8443
add action=accept chain=forward comment=Winbox log-prefix="" port=8291 \
protocol=tcp
add action=accept chain=forward comment="Povolene http" dst-port=80 \
log-prefix="" protocol=tcp
add action=accept chain=forward comment="Povolene http" log-prefix="" \
protocol=tcp src-port=80
add action=accept chain=forward comment="xxxxxxxxx/Depot" log-prefix="" \
protocol=tcp src-port=1433
add action=accept chain=forward comment="xxxxxxxxx" dst-port=1433 \
log-prefix="" protocol=tcp
add action=accept chain=forward comment="xxxxxxxxx" log-prefix="" \
protocol=udp src-port=1433
add action=accept chain=forward comment="xxxxxxxxx" dst-port=1433 \
log-prefix="" protocol=udp
add action=accept chain=forward comment="Povolene https" dst-port=443 \
log-prefix="" protocol=tcp
add action=accept chain=forward comment="Povolene https" log-prefix="" \
protocol=tcp src-port=443
add action=accept chain=forward comment="Povolene udp" log-prefix="" \
protocol=udp
add action=accept chain=forward comment="Povolene VNC port 5900" log-prefix=\
"" port=5900 protocol=tcp
add action=accept chain=forward comment="Povolene VNC port 5800" log-prefix=\
"" port=5800 protocol=tcp
add action=accept chain=forward comment="Nova spojeni" connection-state=new \
log-prefix=""
add action=accept chain=forward comment="Navazana spojeni" connection-state=\
established log-prefix=""
add action=accept chain=forward comment="Souvisici spojeni" connection-state=\
related log-prefix=""
add action=jump chain=forward comment=Detect-Ddos connection-state=new \
in-interface=ether1 jump-target=detect-ddos log-prefix=""
add action=return chain=detect-ddos comment=Detect-Ddos dst-limit=\
32,32,src-and-dst-addresses/10s log-prefix=""
add action=add-dst-to-address-list address-list=ddosed address-list-timeout=\
1w chain=detect-ddos comment=Detect-Ddos log-prefix=""
add action=add-src-to-address-list address-list=ddoser address-list-timeout=\
1w chain=detect-ddos comment=Detect-Ddos log-prefix=""
add action=drop chain=forward comment=Detect-Ddos connection-state=new \
dst-address-list=ddosed log-prefix="" src-address-list=ddoser
add action=drop chain=forward comment="Neplatne spojeni" connection-state=\
invalid log-prefix=""
add action=drop chain=forward comment="Drop na vsechno ostatni" log-prefix=""
