Dobrý den
Mám dotaz na zkušené uživatele ohledně firewallu.
V logu MK se začal zobrazovat tento řádek:
input input: in:ether1 out:(unknown 0), connection-state:new src-mac xx:xx:xx:xx:xx:xx, proto UDP, 0.0.0.0:68->255.255.255.255:67, len 328
Bohužel nějak netuším co to je?
Poradíte kde jsem udělal něco špatně?
Nejsem žádný MK guru a budu za každou radu rád.
Mám veřejnou IP na eth1, mám nastavený firewall takto:
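# Address lists referenced by the filter/raw rules below.
#   ALLOWE_ROUTER_INPUT - sources allowed to reach the router itself (input chain)
#   LAN_ADDRESS         - the local subnet, used for the anti-spoof check in forward
#   PRIVATE_ADDRS       - RFC 6890 special-purpose ranges (bogon filtering)
#   MULTICAST           - RFC 6890 multicast range (defined, not used by any rule in this export)
#   ddos-attackers/-target - filled dynamically by the detect-ddos chain (10m timeout)
/ip firewall address-list
add address=x.x.x.x/y comment=verejny_rozsah list=ALLOWE_ROUTER_INPUT
add address=10.10.10.0/24 comment=lokalni_rozsah list=ALLOWE_ROUTER_INPUT
add address=10.10.10.0/24 comment=lokalni_rozsah list=LAN_ADDRESS
add address=0.0.0.0/8 comment=RFC6890 list=PRIVATE_ADDRS
add address=172.16.0.0/12 comment=RFC6890 list=PRIVATE_ADDRS
# NOTE(review): RFC 6890 lists the whole 10.0.0.0/8; the two /16 entries below
# cover only a part of it. Left as-is -- confirm the narrowing is intentional
# (e.g. the ISP side uses other 10.x space) before widening it to /8.
add address=10.10.0.0/16 comment=RFC6890 list=PRIVATE_ADDRS
add address=10.0.0.0/16 comment=RFC6890 list=PRIVATE_ADDRS
add address=169.254.0.0/16 comment=RFC6890 list=PRIVATE_ADDRS
add address=127.0.0.0/8 comment=RFC6890 list=PRIVATE_ADDRS
add address=224.0.0.0/4 comment=RFC6890 list=MULTICAST
# Fixed: the RFC 6890 benchmarking range is 198.18.0.0/15. The original entry
# read 192.18.0.0/15, which is ordinary public space and would have been treated
# as private (and dropped) by the forward rules.
add address=198.18.0.0/15 comment=RFC6890 list=PRIVATE_ADDRS
add address=192.0.0.0/24 comment=RFC6890 list=PRIVATE_ADDRS
add address=192.0.2.0/24 comment=RFC6890 list=PRIVATE_ADDRS
add address=198.51.100.0/24 comment=RFC6890 list=PRIVATE_ADDRS
add address=203.0.113.0/24 comment=RFC6890 list=PRIVATE_ADDRS
add address=100.64.0.0/10 comment=RFC6890 list=PRIVATE_ADDRS
add address=240.0.0.0/4 comment=RFC6890 list=PRIVATE_ADDRS
# Added: 192.168.0.0/16 is the remaining RFC 6890 private range and was missing
# from the list, so bogon traffic to/from it was not being matched.
add address=192.168.0.0/16 comment=RFC6890 list=PRIVATE_ADDRS
add address=192.88.99.0/24 comment=6to4_relay_Anycast_RFC6890 list=PRIVATE_ADDRS
# Entries without an address: placeholders so the list names exist; the real
# members are added with a 10m timeout by the detect-ddos chain -- presumably
# an artefact of exporting a list that only ever held dynamic entries.
add list=ddos-attackers
add list=ddos-target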
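# Filter rules. Built-in chains used: forward (transit traffic through the
# router) and input (traffic addressed to the router itself). Helper chains
# detect-ddos, virus, tcp, udp and icmp are reached via action=jump.
# Rule order matters: the first matching terminal action (accept/drop) wins.
/ip firewall filter
# --- forward: DDoS detection, new connections only ---
# Up to 40 new connections per src/dst pair per 10s (burst 40): return to
# forward. Above that, the destination and the source are added to the
# ddos-target / ddos-attackers lists for 10m and logged; the raw prerouting
# rule then drops that src->dst pair before it reaches the filter.
add action=jump chain=forward connection-state=new jump-target=detect-ddos
add action=return chain=detect-ddos dst-limit=40,40,src-and-dst-addresses/10s
add action=add-dst-to-address-list address-list=ddos-target address-list-timeout=10m chain=detect-ddos log=yes log-prefix=ddos_target
add action=add-src-to-address-list address-list=ddos-attackers address-list-timeout=10m chain=detect-ddos log=yes log-prefix=ddos_attacker
# --- forward: outbound SMTP abuse (spambot) containment ---
# Sources already in "spammer" are dropped on tcp/25; a source opening more
# than the connection-limit / rate given below is added to the list for 1d.
# The same pair of rules is repeated in the "virus" chain reached by the jump.
add action=drop chain=forward comment="BLOCK SPAMER or BLOCK SPAMBOT USER" dst-port=25 protocol=tcp src-address-list=spammer
add action=add-src-to-address-list address-list=spammer address-list-timeout=1d chain=forward comment="Detect and blacklist spambot or spammers" connection-limit=30,32 dst-port=25 limit=50,5 protocol=tcp
add action=drop chain=virus comment="Drop Spam" dst-port=25 protocol=tcp src-address-list=spammer
add action=add-src-to-address-list address-list=spammer address-list-timeout=1d chain=virus comment="blacklist spammer to list" connection-limit=30,32 dst-port=25 limit=50,5 protocol=tcp
add action=jump chain=forward comment="jump to the virus chain" jump-target=virus
# Passthrough only increments counters; it does not accept or drop anything.
add action=passthrough chain=forward comment="special dummy rule to show fasttrack counters"
# NOTE(review): the BordelZBrazilie list is not defined anywhere in this export;
# unless it is populated elsewhere (dynamically or by a script) this rule
# matches nothing.
add action=drop chain=input comment="Bordel z Brazilie" src-address-list=BordelZBrazilie
# --- forward: fast path for established/related traffic ---
add action=fasttrack-connection chain=forward comment="EST, REL" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="EST, REL" connection-state=established,related
# Per-port accept rules, all disabled=yes -- they currently have no effect.
add action=accept chain=forward comment="SSL IMAP" disabled=yes dst-port=993 protocol=tcp
add action=accept chain=forward disabled=yes dst-port=443 protocol=tcp
add action=accept chain=forward disabled=yes dst-port=80 protocol=tcp
add action=accept chain=forward disabled=yes dst-port=25 protocol=tcp
add action=accept chain=forward disabled=yes dst-port=143 protocol=tcp
add action=accept chain=forward disabled=yes dst-port=587 protocol=tcp
add action=accept chain=forward disabled=yes dst-port=110 protocol=tcp
add action=accept chain=forward disabled=yes dst-port=902 protocol=tcp
add action=accept chain=forward disabled=yes dst-port=995 protocol=tcp
# --- input: WinBox ---
# NOTE(review): this accepts tcp/8291 from ANY source, including ether1, ahead
# of the final input drop. Trusted sources are already accepted by the
# ALLOWE_ROUTER_INPUT rule further down, so the only additional effect of this
# rule is exposing the management port to the internet. Left unchanged here to
# avoid locking out remote administration, but it should be restricted, e.g.
# with src-address-list=ALLOWE_ROUTER_INPUT or in-interface=!ether1.
add action=accept chain=input comment="Allow WinBox" dst-port=8291 protocol=tcp
# --- forward: sanity / bogon / anti-spoof drops ---
add action=drop chain=forward comment="Drop Invalid connection" connection-state=invalid
# Despite the comment ("public addresses"), this matches LAN traffic leaving a
# non-LAN interface towards a PRIVATE_ADDRS destination, i.e. it stops private
# ranges from leaking out to the upstream. Needs the interface list "LAN",
# which is not part of this export.
add action=drop chain=forward comment="Drop tries to reach public addresses from LAN" dst-address-list=PRIVATE_ADDRS in-interface-list=LAN out-interface-list=!LAN
# New transit from ether1 that was not dst-nat'ed is dropped and logged with
# prefix "!NAT" -- unsolicited inbound connections.
add action=drop chain=forward comment="rop incoming packet that are not NAT ted" connection-nat-state=!dstnat connection-state=new in-interface=ether1 log=yes log-prefix=!NAT
# Fixed: the original rule had src-address-list="" (an empty list name), which
# matches nothing. Its comment says it should drop ether1 traffic sourced from
# non-public addresses, which is exactly the PRIVATE_ADDRS list.
add action=drop chain=forward comment=" Drop oncoming from internet which is not public IP" in-interface=ether1 src-address-list=PRIVATE_ADDRS
# Anti-spoof: packets entering from the LAN side must carry a LAN_ADDRESS source.
add action=drop chain=forward comment="Drop packets from LAN that do not have LAN IP" in-interface-list=LAN src-address-list=!LAN_ADDRESS
# Protocol sub-chains apply the port deny-lists (tcp/udp) and the ICMP type
# whitelist, then fall back to forward; LAN-sourced traffic is then accepted.
# There is no final drop in forward: as far as this export shows, anything
# not matched above falls through to the chain's implicit default (accept).
add action=jump chain=forward jump-target=icmp protocol=icmp
add action=jump chain=forward jump-target=tcp protocol=tcp
add action=jump chain=forward jump-target=udp protocol=udp
add action=accept chain=forward src-address-list=LAN_ADDRESS
# --- input: traffic to the router ---
# established/related fast path, invalid dropped, trusted sources accepted,
# ICMP accepted from anywhere (any type, no rate limit).
add action=fasttrack-connection chain=input comment="EST, REL" connection-state=established,related hw-offload=yes
add action=accept chain=input comment="EST, REL" connection-state=established,related
add action=drop chain=input comment="Drop invalid connections" connection-state=invalid
add action=accept chain=input comment="Allowed Router input" src-address-list=ALLOWE_ROUTER_INPUT
add action=accept chain=input comment="Allow ICMP" protocol=icmp
# Catch-all: anything addressed to the router that was not accepted above is
# dropped AND logged with prefix "input". This is the rule behind log lines
# such as "input: in:ether1 ... proto UDP, 0.0.0.0:68->255.255.255.255:67":
# a DHCP client broadcast (UDP 68->67, cf. the "deny DHCP" rule below)
# arriving on ether1 from a host on the upstream segment that is not in
# ALLOWE_ROUTER_INPUT. Presumably harmless background noise from the ISP side
# -- verify; if so, a silent drop for protocol=udp dst-port=67 placed before
# this rule keeps the log readable without weakening the policy.
add action=drop chain=input log=yes log-prefix=input
# --- tcp / udp deny-lists (reached from forward; unmatched packets return) ---
# Drops transit to services that should never be reachable across the router
# (TFTP, RPC portmapper, NetBIOS/SMB, NFS, a few old remote-control ports).
add action=drop chain=tcp comment="deny TFTP" dst-port=69 protocol=tcp
add action=drop chain=tcp comment="deny RPC portmapper" dst-port=111 protocol=tcp
add action=drop chain=tcp comment="deny RPC portmapper" dst-port=135 protocol=tcp
add action=drop chain=tcp comment="deny NBT" dst-port=137-139 protocol=tcp
add action=drop chain=tcp comment="deny cifs" dst-port=445 protocol=tcp
add action=drop chain=tcp comment="deny NFS" dst-port=2049 protocol=tcp
add action=drop chain=tcp comment="deny NetBus" dst-port=12345-12346 protocol=tcp
add action=drop chain=tcp comment="deny NetBus" dst-port=20034 protocol=tcp
add action=drop chain=tcp comment="deny BackOriffice" dst-port=3133 protocol=tcp
# NOTE(review): DHCP runs over UDP (the logged packet is UDP 68->67), so this
# tcp-only entry is unlikely to ever match, and the udp chain has no DHCP rule
# -- presumably meant for the udp chain; confirm.
add action=drop chain=tcp comment="deny DHCP" dst-port=67-68 protocol=tcp
add action=drop chain=udp comment="deny TFTP" dst-port=69 protocol=udp
add action=drop chain=udp comment="deny PRC portmapper" dst-port=111 protocol=udp
add action=drop chain=udp comment="deny PRC portmapper" dst-port=135 protocol=udp
add action=drop chain=udp comment="deny NBT" dst-port=137-139 protocol=udp
add action=drop chain=udp comment="deny NFS" dst-port=2049 protocol=udp
add action=drop chain=udp comment="deny BackOriffice" dst-port=3133 protocol=udp
# --- icmp whitelist (reached from forward) ---
# Accepts echo reply/request, the destination-unreachable subtypes needed for
# normal operation and path-MTU discovery (3:0, 3:1, 3:4), source quench (4:0,
# labelled "echo quench" in its comment), time exceeded (11:0) and parameter
# problem (12:0); every other ICMP type is dropped.
add action=accept chain=icmp comment="echo reply" icmp-options=0:0 protocol=icmp
add action=accept chain=icmp comment="net unreachable" icmp-options=3:0 protocol=icmp
add action=accept chain=icmp comment="host unreachale" icmp-options=3:1 protocol=icmp
add action=accept chain=icmp comment="host unreachable fragmentation required" icmp-options=3:4 protocol=icmp
add action=accept chain=icmp comment="allow echo quench" icmp-options=4:0 protocol=icmp
add action=accept chain=icmp comment="allow echo request" icmp-options=8:0 protocol=icmp
add action=accept chain=icmp comment="allow time cxceed" icmp-options=11:0 protocol=icmp
add action=accept chain=icmp icmp-options=12:0 protocol=icmp
add action=drop chain=icmp comment="deny all other types"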
# Source NAT: the local subnet 10.10.10.0/24 leaves ether1 (the public
# interface) masqueraded behind whatever address ether1 currently holds.
/ip firewall nat
add chain=srcnat src-address=10.10.10.0/24 out-interface=ether1 action=masquerade
# Raw table, evaluated before connection tracking: once a src/dst pair has
# been placed on both ddos-attackers and ddos-target by the detect-ddos chain
# (10m timeout), its packets are dropped here without reaching the filter.
/ip firewall raw
add chain=prerouting src-address-list=ddos-attackers dst-address-list=ddos-target action=drop