All good suggestions - keep them coming! :-)

Regarding rules and rule blocks being easily disabled - that is the idea of including a set of global variables at the head, so certain rule types can be adjusted, e.g:

# set smtp-per-minute-count, 0 is disabled
global max-smtp-count 1000
# set smtp-clamp-rate (bps)
global smtp-clamp-rate 64000
# enable honeypot address - 0.0.0.0 for disabled
global honeypot 10.10.10.1

.. and so on.

Suggestions about what kind of globals would be useful are also welcome!! :)

Cheers, Mike.

-----Original Message----- From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Paul Julian Sent: Friday, 29 April 2016 12:41 PM To: 'MikroTik Australia Public List' <public@talk.mikrotik.com.au> Subject: Re: [MT-AU Public] Universal Firewall
Also, having many rules for features which aren't needed right now in a disabled state is handy, comments on as many entries as possible as well, then people can pick and choose which rules they need and don't need, then they just enable the ones they need.
Regards Paul
-----Original Message----- From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Mike Everest Sent: Friday, 29 April 2016 11:50 AM To: 'MikroTik Australia Public List' Subject: Re: [MT-AU Public] Universal Firewall
All,
Per Josh's post below, what we are trying to do is to create some kind of 'recommended best practice' base firewall script that will suit most applications - most typically, SME, business and home border router type setup.
We often receive requests for this kind of thing, but to date we can only offer some general recommendations and pointers to various mikrotik wiki and forum pages.
On top of the usual scheme as presented below, I'm thinking we should include some of the more obvious checks and actions such as:
1. IMPORTANT: include permit established and permit related as the first rule/s
2. detect ssh brute force attack, add to blocked list
3. block udp and tcp input on port 53? (prevent dns dos when resolver is enabled)
4. detect high volume smtp traffic and clamp to rate limit
also, we're thinking about setting some global variables at beginning of script to allow for easy defining of various address-list timeout values etc.
So we're looking for some general suggestions from others as to:
- what do you already include in your firewall actions
- what are the typical attacks that you think need to be addressed
- what variations do you think are needed depending on different applications (e.g. for a SME gateway, rate of x/min smtp is typical, whereas n*x/min is more appropriate for a corporate gateway)
What we expect to do is to publish somewhere publicly accessible, the results as a fully worked routerOS firewall script with some global variables at the head to enable/disable various rule types, packet rate triggers and timeout variables. That script will then be able to form a basis for further ongoing development over time as a resource for everyone to use and contribute if they wish.
Any suggestions/ideas? :-}
Cheers, Mike.
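Mike's four checks and his "globals at the head" idea, as an added RouterOS script sketch that is not Josh's pastebin script nor anything posted in the thread; the variable names, address-list names, thresholds and the WAN interface list are my own assumptions:

```routeros
# Added example, not from the thread. Globals at the head drive the rules below,
# and a rule block is only installed when its global is non-zero (0 = disabled).
# Assumes an interface list named WAN (RouterOS 6.36+); on older versions use in-interface=ether1.
:global maxSmtpCount 1000
:global smtpClampRate 64000
:global sshBlockTimeout 1d

/ip firewall filter
# 1. Established/related first, so nothing further down is evaluated for those packets.
add chain=input connection-state=established,related action=accept comment="accept established/related"
add chain=forward connection-state=established,related action=accept comment="accept established/related"
add chain=input connection-state=invalid action=drop comment="drop invalid"

# 2. SSH brute force: each new SSH connection moves the source up one staging list;
#    a fourth new connection within the stage windows puts it on the blacklist.
add chain=input protocol=tcp dst-port=22 src-address-list=ssh_blacklist action=drop comment="drop ssh brute forcers"
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage3 action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=$sshBlockTimeout comment="ssh stage 3 -> blacklist"
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage2 action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage1 action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m
add chain=input protocol=tcp dst-port=22 connection-state=new action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m

# 3. DNS: drop port 53 on the WAN side only, so LAN clients can still use the
#    router as resolver while it is not an open resolver towards the Internet.
add chain=input protocol=udp dst-port=53 in-interface-list=WAN action=drop comment="no open resolver"
add chain=input protocol=tcp dst-port=53 in-interface-list=WAN action=drop comment="no open resolver"

# 4. SMTP: a host opening more than $maxSmtpCount new SMTP connections per minute
#    is listed for an hour and its SMTP traffic is clamped to $smtpClampRate bps.
#    dst-limit tracks the rate per source address; the second rule only fires for
#    new connections that exceeded it. A 0 in maxSmtpCount skips the whole block.
:if ($maxSmtpCount > 0) do={
    /ip firewall filter add chain=forward protocol=tcp dst-port=25 connection-state=new dst-limit="$maxSmtpCount/1m,$maxSmtpCount,src-address/1m" action=accept comment="smtp within rate"
    /ip firewall filter add chain=forward protocol=tcp dst-port=25 connection-state=new action=add-src-to-address-list address-list=smtp_heavy address-list-timeout=1h comment="smtp over rate -> smtp_heavy"
    /ip firewall mangle add chain=forward protocol=tcp dst-port=25 src-address-list=smtp_heavy action=mark-packet new-packet-mark=smtp_clamp passthrough=no comment="mark heavy smtp"
    /queue simple add name=smtp-clamp target=0.0.0.0/0 packet-marks=smtp_clamp max-limit="$smtpClampRate/$smtpClampRate" comment="clamp heavy smtp senders"
}
```

Adding a new rule type in this scheme means one more global at the head plus one `:if` block, which is what lets a deployer keep Paul's "disabled until needed" rules without editing the rules themselves.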
-----Original Message----- From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Josh Oberin Sent: Thursday, 28 April 2016 10:05 AM To: public@talk.mikrotik.com.au Subject: [MT-AU Public] Universal Firewall
Hi Guys,
I'm trying to build a starter universal firewall so people can load it on their routers and then add onto it as needed, or even as just to use as an example.
I uploaded it to pastebin as 50 lines is a little too much to slap into an email.
Let me know of any suggestions you have.
Thanks,
Josh
_______________________________________________ Public mailing list Public@talk.mikrotik.com.au http://talk.mikrotik.com.au/mailman/listinfo/public_talk.mikrotik.com.au