
# Address lists consumed by the filter rules that follow.
# Both entries are 0.0.0.0/0, i.e. every IPv4 source, so any filter rule
# keyed on these lists matches all traffic. Narrow "adminitracion" to the
# real management subnet and "forward" to the permitted client networks
# before deploying (values are site-specific; none are given on this page).
# The list name "adminitracion" is misspelled, but the input-chain accept
# rule references it under that exact spelling, so it is kept as-is.
/ip firewall address-list
add list=adminitracion address=0.0.0.0/0
add list=forward address=0.0.0.0/0

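# Base stateful policy for input (to the router) and forward (through it):
# accept established/related, drop invalid, accept from a whitelist, drop
# the rest. As pasted, several commands were wrapped across lines (the
# quoted comment of the first rule was split), which does not load;
# every rule is restored to a single line here.
#
# `add` appends to the end of a chain. Because each chain below ends in a
# catch-all drop, any rule added to input/forward after this section sits
# below that drop and is never evaluated unless it is inserted with
# place-before= or the catch-all drops are re-added last.
/ip firewall filter
# --- input: traffic addressed to the router itself ---
add action=accept chain=input comment="permitir solo conexiones establecidas y relacionadas" connection-state=established,related
add action=drop chain=input comment="denegar trafico invalido" connection-state=invalid
# Management whitelist. With "adminitracion" populated as 0.0.0.0/0 (see the
# address-list section) this accepts new connections from every source, and
# the drop below never applies to management traffic. Narrow the list.
add action=accept chain=input comment="permitir administracion solo de:" src-address-list=adminitracion
add action=drop chain=input comment="denegar el resto de trafico"
# --- forward: traffic routed through the router ---
add action=accept chain=forward comment="permitir solo conexiones establecidas y relacionadas" connection-state=established,related
add action=drop chain=forward comment="denegar trafico invalido" connection-state=invalid
# Same caveat: the "forward" list is 0.0.0.0/0 on this page, so this
# accepts all new forwarded connections until the list is narrowed.
add action=accept chain=forward comment="permitir trafico forward a:" src-address-list=forward
add action=drop chain=forward comment="denegar el resto de trafico"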

::Filtros ICMP::

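# ICMP whitelist: forward-chain ICMP is diverted into a dedicated "icmp"
# chain that accepts a fixed set of type:code pairs and drops everything
# else. Lines wrapped by the paste are rejoined so the script loads.
#
# Only the forward chain jumps here; ICMP addressed to the router itself
# (input chain) is not covered by this chain and is governed by the base
# input rules. If the base forward rules above (accept from the "forward"
# list, then drop all) are loaded first, this appended jump is below the
# forward catch-all drop and is never reached — insert it with
# place-before= ahead of that drop.
/ip firewall filter
add action=jump chain=forward jump-target=icmp
# icmp-options is type:code
add action=accept chain=icmp comment="echo reply" icmp-options=0:0 protocol=icmp
add action=accept chain=icmp comment="net unreachable" icmp-options=3:0 protocol=icmp
add action=accept chain=icmp comment="host unreachable" icmp-options=3:1 protocol=icmp
# 3:4 (fragmentation needed) is required for path-MTU discovery to work.
add action=accept chain=icmp comment="host unreachable fragmentation required" icmp-options=3:4 protocol=icmp
add action=accept chain=icmp comment="allow source quench" icmp-options=4:0 protocol=icmp
add action=accept chain=icmp comment="allow echo request" icmp-options=8:0 protocol=icmp
# 11:0 (TTL exceeded) is what traceroute relies on.
add action=accept chain=icmp comment="allow time exceed" icmp-options=11:0 protocol=icmp
add action=accept chain=icmp comment="allow parameter bad" icmp-options=12:0 protocol=icmp
add action=drop chain=icmp comment="deny all other types"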

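# SYN-flood rate limiting: new TCP SYNs in forward and input are sent to a
# "syn-attack" chain that accepts up to the configured limit and drops the
# excess. Defect fixed: the forward jump had `jump-target= syn-attack`
# (stray space), which does not parse; lines wrapped by the paste are
# also rejoined.
#
# These jumps are appended, so if the base input/forward rules (ending in
# a catch-all drop) were loaded first they are never reached — insert
# them with place-before= above the established/related accept or the
# catch-all drop as appropriate.
/ip firewall filter
add action=jump chain=forward comment="SYN Flood protect FORWARD" connection-state=new jump-target=syn-attack protocol=tcp tcp-flags=syn
add action=jump chain=input comment="SYN Flood protect INPUT" connection-state=new jump-target=syn-attack protocol=tcp tcp-flags=syn
# Accept SYNs while under the limit; everything past the limit falls
# through to the drop. Tune limit= to the expected connection rate.
add action=accept chain=syn-attack connection-state=new limit=400,5:packet protocol=tcp tcp-flags=syn
add action=drop chain=syn-attack connection-state=new protocol=tcp tcp-flags=syn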

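# Staged SSH/Telnet brute-force detection on the input chain.
# A new connection to port 22 or 23 moves the source through stage1 ->
# stage2 -> stage3; a fourth attempt while still in stage3 puts the source
# on brute-force_blacklist for 1 day, and blacklisted sources are dropped.
#
# Defect fixed: the stages track both 22 and 23 but the drop rule only
# matched dst-port=22, so a blacklisted source could still reach telnet.
# The drop now covers 22,23 to match what the detector feeds it. Lines
# wrapped by the paste are rejoined so the script loads.
#
# Ordering matters and must be preserved:
#  - the drop rule stays first so blacklisted sources never reach the
#    stage rules;
#  - add-src-to-address-list does not terminate rule processing, so the
#    stage rules are listed stage3 -> stage1; in ascending order a single
#    packet would advance through every stage at once.
# As with the other sections, these rules are appended and will sit below
# the base input catch-all drop if that was loaded first; insert them with
# place-before= ahead of the established/related accept so each new
# attempt is counted.
/ip firewall filter
add action=drop chain=input comment="Drop SSH Brute Forcers" dst-port=22,23 protocol=tcp src-address-list=brute-force_blacklist
add action=add-src-to-address-list address-list=brute-force_blacklist address-list-timeout=1d chain=input connection-state=new dst-port=22,23 protocol=tcp src-address-list=bruteforce_stage3
add action=add-src-to-address-list address-list=bruteforce_stage3 address-list-timeout=30s chain=input connection-state=new dst-port=22,23 protocol=tcp src-address-list=bruteforce_stage2
add action=add-src-to-address-list address-list=bruteforce_stage2 address-list-timeout=30s chain=input connection-state=new dst-port=22,23 protocol=tcp src-address-list=bruteforce_stage1
add action=add-src-to-address-list address-list=bruteforce_stage1 address-list-timeout=1m chain=input connection-state=new dst-port=22,23 protocol=tcp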

Revisar: estas reglas dan error al cargarlas

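# Port-scan detection on the input chain: sources exhibiting scan
# behaviour are placed on the "port scanners" list for 2 weeks and dropped.
# Lines wrapped by the paste (including blank lines inserted in the middle
# of one command) are rejoined; this is a likely cause of the load errors
# noted above.
#
# The drop rule is listed first and must stay first: add-src-to-address-list
# does not terminate rule processing, so a listed source that reached the
# detector rules would simply fall through. Like the other sections, these
# rules are appended and will sit below the base input catch-all drop if
# that was loaded first; insert them with place-before= as needed.
/ip firewall filter
add action=drop chain=input src-address-list="port scanners"
/ip firewall filter
# psd = weight-threshold,delay-threshold,low-port-weight,high-port-weight
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="Port scanners to list" protocol=tcp psd=21,3s,3,1
# Remaining rules match TCP flag combinations that never occur in a
# legitimate handshake; "!" negates a flag.
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="NMAP FIN Stealth scan" protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="SYN/FIN scan" protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="SYN/RST scan" protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="ALL/ALL scan" protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="NMAP NULL scan" protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg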

Reglas Port Knocking

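# Port knocking for Winbox (tcp/8291): access is dropped unless the source
# is on "knock-final", which it reaches only by hitting 11111, then 22222,
# then 33333 in order, each within 10 s of the previous knock. The final
# list entry lasts 1 day. Lines wrapped by the paste (the negated list
# name on the drop rule was split) are rejoined so the script loads.
#
# Ordering: the drop rule must stay above the knock rules. The knock rules
# use add-src-to-address-list, which does not terminate processing, so the
# knock packets themselves continue down the chain and are subject to the
# base input policy. These rules are appended; if the base input rules
# (ending in a catch-all drop) were loaded first, the knock rules are
# unreachable and must be inserted with place-before=.
# Knocking only gates the port; it does not replace strong credentials or a
# narrow management address list.
/ip firewall filter
add action=drop chain=input dst-port=8291 protocol=tcp src-address-list=!knock-final
add action=add-src-to-address-list address-list=knock1 address-list-timeout=10s chain=input dst-port=11111 protocol=tcp
add action=add-src-to-address-list address-list=knock2 address-list-timeout=10s chain=input dst-port=22222 protocol=tcp src-address-list=knock1
add action=add-src-to-address-list address-list=knock-final address-list-timeout=1d chain=input dst-port=33333 protocol=tcp src-address-list=knock2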

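# Certificate templates: two self-contained pairs (LocalCA/Webfig and
# CA/Client/Server). Defects fixed: `key size=2048` on LocalCA is not a
# valid parameter (must be key-size=2048), and `key-enciphement` on Server
# is a misspelling of the key-usage value key-encipherment; lines wrapped
# by the paste are rejoined so each command loads.
#
# `/certificate add` only creates the template; each certificate must still
# be signed (the CA certificates self-signed, the others by their CA) with
# /certificate sign before it can be used.
# subject-alt-name=IP:0.0.0.0 is carried over from the page as written; a
# SAN of 0.0.0.0 is not a usable address and should be replaced with the
# real service IP or DNS name when the template is instantiated.
/certificate
# Local CA and a Webfig (HTTPS management) certificate issued under it.
add name=LocalCA country=EC state=GY locality=na organization=na unit=na common-name=example.com key-size=2048 days-valid=365 key-usage=key-cert-sign,crl-sign
add name=Webfig country=EC state=GY locality=na organization=na unit=na common-name=192.168.9.20 key-size=2048 days-valid=365
# Second CA with a client and a server certificate (e.g. for TLS-based
# tunnels); 4096-bit keys, 1-year validity.
add name=CA country=EC state=GY locality=na organization=na unit=na common-name=kkkk.com subject-alt-name=IP:0.0.0.0 key-size=4096 days-valid=365 key-usage=crl-sign,key-cert-sign
add name=Client country=EC state=GY locality=na organization=na unit=na common-name=ppp.com subject-alt-name=IP:0.0.0.0 key-size=4096 days-valid=365 key-usage=tls-client
add name=Server country=EC state=GY locality=na organization=na unit=na common-name=192.168.9.1 subject-alt-name=IP:0.0.0.0 key-size=4096 days-valid=365 key-usage=tls-server,digital-signature,key-encipherment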

10.1.1.9 - IP local
10.1.1.4 - IP remota
