Good idea Mike, I have picked up some great info over the years in fine tuning our scripts we use.

Suggestions would be:
- On input chain throw to other chains for UDP and TCP traffic then process individual requirements for each protocol in those chains to keep the input chain clean
- Set up rate limiting for ICMP traffic so you still get it through but not high volumes
- We set up honeypot addresses as well on some gear which is just an address that has never ever been used, if something tries to connect to it we add to a dynamic block list

Just what I can think of for now

Regards
Paul

-----Original Message-----
From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Mike Everest
Sent: Friday, 29 April 2016 11:50 AM
To: 'MikroTik Australia Public List'
Subject: Re: [MT-AU Public] Universal Firewall

All,

Per Josh's post below, what we are trying to do is to create some kind of 'recommended best practice' base firewall script that will suit most applications - most typically, SME, business and home border router type setup. We often receive requests for this kind of thing, but to date we can only offer some general recommendations and pointers to various mikrotik wiki and forum pages.

On top of the usual scheme as presented below, I'm thinking we should include some of the more obvious checks and actions such as:
1. IMPORTANT: include permit established and permit related as the first rule/s
2. detect ssh brute force attack, add to blocked list
3. block udp and tcp input on port 53? (prevent dns dos when resolver is enabled)
4. detect high volume smtp traffic and clamp to rate limit

Also, we're thinking about setting some global variables at beginning of script to allow for easy defining of various address-list timeout values etc.

So we're looking for some general suggestions from others as to:
- what do you already include in your firewall actions
- what are the typical attacks that you think need to be addressed
- what variations do you think are needed depending on different applications (e.g. for a SME gateway, rate of x/min smtp is typical, whereas n*x/min is more appropriate for a corporate gateway)

What we expect to do is to publish somewhere publicly accessible, the results as a fully worked routerOS firewall script with some global variables at the head to enable/disable various rule types, packet rate triggers and timeout variables. That script will then be able to form a basis for further ongoing development over time as a resource for everyone to use and contribute if they wish.

Any suggestions/ideas? :-}

Cheers, Mike.

-----Original Message-----
From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Josh Oberin
Sent: Thursday, 28 April 2016 10:05 AM
To: public@talk.mikrotik.com.au
Subject: [MT-AU Public] Universal Firewall

Hi Guys,

I'm trying to build a starter universal firewall so people can load it on their routers and then add onto it as needed, or even as just to use as an example.

I uploaded it to pastebin as 50 lines is a little too much to slap into an email.

Let me know of any suggestions you have.

Thanks,
Josh

_______________________________________________
Public mailing list
Public@talk.mikrotik.com.au
http://talk.mikrotik.com.au/mailman/listinfo/public_talk.mikrotik.com.au
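The base rule set Mike and Paul sketch in the thread (established/related first, per-protocol chains off input, ssh brute-force blocking, no DNS on the WAN input, ICMP and outbound SMTP rate limits, a honeypot address, global variables at the head), written out as a RouterOS v6 script. This is an added example, not Josh's pastebin script or anything posted to the list; the WAN interface name, the block timeout, the rate values and the honeypot address 192.0.2.250 are assumptions to be tuned per site.

```routeros
# Variables at the head of the script so timeouts and site values are easy to change
# (all values below are assumed; adjust per site)
:global wanIf "ether1"
:global blockTimeout 1d
# An address the router holds but has never used; any contact with it is a scan.
# Use chain=forward for the honeypot rule if the address sits behind the router.
:global honeypot 192.0.2.250

/ip firewall filter
# 1. Established/related first, then invalid, then anything already on the block list
add chain=input connection-state=established,related action=accept comment="permit established/related"
add chain=input connection-state=invalid action=drop comment="drop invalid"
add chain=input src-address-list=blocked action=drop comment="drop dynamically blocked sources"
add chain=input dst-address=$honeypot action=add-src-to-address-list address-list=blocked \
    address-list-timeout=$blockTimeout comment="honeypot hit: block the source"
# WAN traffic is handed to a chain per protocol so the input chain stays short;
# LAN-side input falls through and is accepted by default
add chain=input in-interface=$wanIf protocol=tcp action=jump jump-target=input-tcp
add chain=input in-interface=$wanIf protocol=udp action=jump jump-target=input-udp
add chain=input in-interface=$wanIf protocol=icmp action=jump jump-target=input-icmp
add chain=input in-interface=$wanIf action=drop comment="default drop on WAN input"

# 2. SSH brute force: up to 5 new connections a minute per source pass; the next one
#    puts the source on the block list (dst-limit tracks the rate per src-address)
add chain=input-tcp protocol=tcp dst-port=22 connection-state=new \
    dst-limit=5/1m,5,src-address/1m action=accept comment="ssh within rate"
add chain=input-tcp protocol=tcp dst-port=22 connection-state=new \
    action=add-src-to-address-list address-list=blocked address-list-timeout=$blockTimeout \
    comment="ssh brute force: block source"
# 3. No DNS from the WAN, so an enabled resolver cannot be used from outside
add chain=input-tcp protocol=tcp dst-port=53 action=drop comment="no open resolver (tcp)"
add chain=input-udp protocol=udp dst-port=53 action=drop comment="no open resolver (udp)"
# ICMP still gets through, but not in volume: 5 packets/s with a burst of 10
add chain=input-icmp protocol=icmp limit=5/1s,10:packet action=accept comment="icmp rate limited"
add chain=input-icmp protocol=icmp action=drop comment="icmp over rate"
# Other permitted WAN services go in input-tcp / input-udp; unmatched packets return to
# the input chain and hit the default drop

# Forward chain: same ordering, plus the outbound SMTP clamp
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward src-address-list=blocked action=drop
# 4. Outbound SMTP: 10 new connections a minute per internal host (an SME value;
#    raise it for a corporate gateway), the excess is dropped
add chain=forward protocol=tcp dst-port=25 connection-state=new \
    dst-limit=10/1m,20,src-address/1m action=accept comment="smtp within rate"
add chain=forward protocol=tcp dst-port=25 connection-state=new action=drop comment="smtp over rate"
```

Check it with `/ip firewall address-list print` after a test from a throwaway host: a source that exceeds the ssh rate or touches the honeypot should appear under the `blocked` list with the configured timeout.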