
  • Core2duo6600

    veteran

    Hello,

    I have extended the basic filter rules, here they are:
    What else should be done?
    And is the order right?

    I made the rules according to this [link]

    Here:

    [admin@MikroTik] /ip firewall filter> print
    Flags: X - disabled, I - invalid, D - dynamic
    0 D ;;; special dummy rule to show fasttrack counters
    chain=forward action=passthrough

    1 ;;; default configuration
    chain=input action=accept connection-state=established,related

    2 ;;; Allowed to router
    chain=input action=accept src-address-list=allowed_to_router log=no log-prefix=""

    3 chain=input action=drop protocol=tcp dst-port=53 log=yes log-prefix="Drop_DNS"

    4 chain=input action=drop protocol=udp dst-port=53 log=yes log-prefix="Drop_DNS"

    5 ;;; FastTrack
    chain=forward action=fasttrack-connection connection-state=established,related

    6 ;;; Established, Related
    chain=forward action=accept connection-state=established,related

    7 ;;; Drop invalid
    chain=forward action=drop connection-state=invalid log=yes log-prefix="invalid"

    8 ;;; Drop tries to reach not public addresses from LAN
    chain=forward action=drop dst-address-list=not_in_internet in-interface=Lan out-interface=!Lan log=yes log-prefix="!public_from_LAN"

    9 ;;; Drop incoming packets that are not NATted
    chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=Digi-PPPOE log=yes log-prefix="!NAT"

    10 ;;; Drop incoming from internet which is not public IP
    chain=forward action=drop src-address-list=not_in_internet in-interface=Digi-PPPOE log=yes log-prefix="!public"

    11 ;;; Drop packets from LAN that do not have LAN IP
    chain=forward action=drop src-address=!192.168.1.0/24 in-interface=Lan log=yes log-prefix="LAN_!LAN"

    12 chain=input action=drop log=no log-prefix="Drop"
    [admin@MikroTik] /ip firewall filter>
