Professional Documents
Culture Documents
F R E P
R I F T C E
L L A EW
No time...
Not possible...
What we can do
restrict access to the network services limit the number of active connections detect some port-scan atacks drop illegal traffic
sing marks
!angle has four types of marks may be used for different applications" packet mark # $ueue policies connection mark # protocol policies routing mark # policy routing rules %not used in this setup& To' # (iff'erv service policy transfer %not used in this setup&
Protocol classifiers
prerouting mangle packets opening new connections connection mark for TCP and (P) check both) source port %usually) *+,--.//0/& and destination port.
Port-scan detection
P'( matcher TCP flags for 3mas and Null scans put violators in blocked 1P address list
Policy classifier
different customer profiles classify by addresses) then 4ump to separate policy enforcement chains 25P for binding 1P with !2C
TCP-specific filters
2pplication-specific filters
2 T6 # re4ect '!TP # drop the first connection) allow only second connection from a particular source address
!ore to do
pro8y everything" NTP) (N') 6TTP filter 6TTP connections to some sites %porn site list was published somewhere on the forum& use a dedicated 1(2 use trusted software protect local traffic outsource
T62N: ;< =
Come to the 'ecurity (iscussion Table) 1 will be waiting 6ave a nice trip back home= >et the firewall configuration script done with this scheme on monday evening at wiki.mikrotik.com