
[doddy@ILO-NIAS] > ip firewall pr
no such command or directory (pr)
[doddy@ILO-NIAS] > ip firewall filter pr
Flags: X - disabled, I - invalid, D - dynamic

# Review notes: lines starting with '#' are reviewer annotations; ';;;' lines
# are the rules' own comment fields as RouterOS prints them. The number is
# the rule's position, and position is evaluation order within a chain —
# that ordering is what makes several of the rules below dead.
#
# Summary of findings (details at the rules):
#   - rule 3 accepts all UDP to the router from every interface, 'internet' included
#   - rule 6 is a catch-all drop placed BEFORE the scan/brute-force rules
#     (13, 14, 17-29, 37, 40, 43-47), so none of them is ever evaluated
#   - rule 37 would accept almost any internet TCP client to the router and is
#     only harmless because rule 6 shadows it; delete it before reordering
#   - rule 11 logs without a rate limit
#   - rules 49/50 are in a TCP-only chain, but TFTP (69) and NetBIOS 137/138 are UDP
#   - rules 14-16 and 40-42 are duplicates; rules 29 and 1 are duplicates

0   ;;; Drop invalid connections
    chain=input connection-state=invalid action=drop
1   ;;; Allow established connections
    chain=input connection-state=established action=accept
2   ;;; Allow related connections
    chain=input connection-state=related action=accept
# Accepts every UDP datagram to the router from any interface, including
# 'internet', before any interface check is made. Every UDP service the
# router itself runs is therefore reachable from the internet, and the
# Trinoo UDP drops (17-22) can never match because this rule has already
# accepted the packet. Suggested fix: add in-interface=!internet here, or
# replace it with per-dst-port rules for the UDP services actually needed.
3   ;;; Allow UDP
    chain=input protocol=udp action=accept
# Unrestricted ICMP to the router from all interfaces; consider a limit=
# matcher on this rule so an ICMP flood does not load the CPU.
4   ;;; Allow ICMP
    chain=input protocol=icmp action=accept
5   ;;; Allow connection to router from local network
    chain=input in-interface=!internet action=accept
# Catch-all drop for chain=input. Every later chain=input rule (13, 14,
# 17-29, 37, 40, 43-47) is never evaluated, so the port-scan, FTP and SSH
# brute-force protections are inactive. Keep this rule but move it to the
# end of the input chain (after rule 47) — and delete rule 37 first, see
# the note there, or the move opens the router to the internet.
6   ;;; Drop everything else
    chain=input action=drop
# Everything entering on 'internet' and being forwarded goes to chain
# 'customer', which ends in a drop (rule 12), so packets never come back to
# the forward chain. The later forward rules (30-39, 48) therefore only see
# traffic that entered on a non-internet interface.
7   chain=forward in-interface=internet action=jump jump-target=customer
8   ;;; Drop invalid connection packets
    chain=customer connection-state=invalid action=drop
9   ;;; Allow established connections
    chain=customer connection-state=established action=accept
10  ;;; Allow related connections
    chain=customer connection-state=related action=accept
# Logs every new inbound packet from 'internet' with no rate limit; a scan
# or flood fills the log. Add a limit= matcher to this rule (not to the
# drop in 12) so logging is sampled while the drop stays unconditional.
11  ;;; Log dropped connections
    chain=customer action=log log-prefix="customer_drop"
12  ;;; Drop and log everything else
    chain=customer action=drop
# Unreachable (after rule 6). Even when reachable it only records sources
# into the list "port scanners"; no rule drops from that list, so the
# detection has no enforcement. Add e.g. a chain=input
# src-address-list="port scanners" action=drop rule above it.
13  ;;; Port scanner to list
    chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list address-list=port scanners address-list-timeout=2w
# Unreachable (after rule 6); rule 40 is a near-duplicate without the
# in-interface restriction — keep one of them.
14  chain=input in-interface=internet protocol=tcp dst-port=21 src-address-list=ftp_blacklist action=drop
# FTP brute-force detector on the router's own replies (chain=output, so
# these are reachable): a burst of 9 "530 Login incorrect" replies per
# destination, then 1 per minute, is accepted by 15; anything above that
# hits 16 and the client is blacklisted for 3h. content= matching only sees
# plaintext FTP, and rules 41-42 are an exact duplicate of 15-16.
15  chain=output protocol=tcp content=530 Login incorrect dst-limit=1/1m,9,dst-address/1m action=accept
16  chain=output protocol=tcp content=530 Login incorrect action=add-dst-to-address-list address-list=ftp_blacklist address-list-timeout=3h
# Rules 17-28: drops for Trinoo DDoS-agent ports. The UDP ones (17-22) are
# dead twice over (accepted by rule 3, and behind rule 6); the TCP ones
# (23-28) are dead once (behind rule 6). Harmless, but they give a false
# sense of coverage until rule 3 and rule 6 are fixed.
17  ;;; Trinoo
    chain=input protocol=udp dst-port=12667 action=drop
18  ;;; Trinoo
    chain=input protocol=udp dst-port=27665 action=drop
19  ;;; Trinoo
    chain=input protocol=udp dst-port=31335 action=drop
20  ;;; Trinoo
    chain=input protocol=udp dst-port=27444 action=drop
21  ;;; Trinoo
    chain=input protocol=udp dst-port=34555 action=drop
22  ;;; Trinoo
    chain=input protocol=udp dst-port=35555 action=drop
23  ;;; Trinoo
    chain=input protocol=tcp dst-port=27444 action=drop
24  ;;; Trinoo
    chain=input protocol=tcp dst-port=27665 action=drop
25  ;;; Trinoo
    chain=input protocol=tcp dst-port=31335 action=drop
26  ;;; Trinoo
    chain=input protocol=tcp dst-port=31846 action=drop
27  ;;; Trinoo
    chain=input protocol=tcp dst-port=34555 action=drop
28  ;;; Trinoo
    chain=input protocol=tcp dst-port=35555 action=drop
# Duplicate of rule 1 and unreachable (after rule 6); remove.
29  ;;; Allow
    chain=input connection-state=established action=accept
# Rules 30-32: state handling for forwarded traffic that did not enter on
# 'internet' (see rule 7). Note 30 drops invalid TCP only, whereas the
# customer chain (8) drops invalid packets of every protocol.
30  chain=forward protocol=tcp connection-state=invalid action=drop
31  ;;; allow
    chain=forward connection-state=established action=accept
32  ;;; allow
    chain=forward connection-state=related action=accept
# Bogon source drops. The two-line comment printed on 33, 34 and 35
# ("disabled=no" / "add chain=forward dst-address=... comment=") reads like a
# script fragment that was swallowed into the comment field during a paste,
# which suggests the intended dst-address= drop rules were never created —
# only the src-address= ones exist. Verify with '/ip firewall filter export'
# and add the dst-address rules if they are missing.
33  ;;; disabled=no
    ;;; add chain=forward dst-address=0.0.0.0/8 action=drop comment=
    chain=forward src-address=0.0.0.0/8 action=drop
34  ;;; disabled=no
    ;;; add chain=forward dst-address=127.0.0.0/8 action=drop comment=
    chain=forward src-address=127.0.0.0/8 action=drop
35  ;;; disabled=no
    ;;; add chain=forward dst-address=224.0.0.0/3 action=drop comment=
    chain=forward src-address=224.0.0.0/3 action=drop
# Sends forwarded TCP to chain 'tcp' (rules 49-50). There is no matching
# jump for UDP, see the note at rule 49.
36  chain=forward protocol=tcp action=jump jump-target=tcp
# DANGEROUS LATENT RULE: accepts any TCP packet to the router from any
# non-LAN source whose source port is 1024-65535 — i.e. practically every
# internet client. It is currently inert only because rule 6 drops first.
# If rule 6 is moved to the end of the chain (as recommended) this rule
# exposes every TCP service on the router. Delete it.
37  chain=input src-address=!192.168.1.0/24 protocol=tcp src-port=1024-65535 action=accept
# Outbound SMTP spambot detector for forwarded (non-internet-ingress)
# traffic: a source with more than 10 concurrent connections to port 25 is
# listed for 2 days (38) and its further port-25 traffic dropped (39).
# Because rule 7 already diverted internet ingress, this effectively
# covers LAN-side clients.
38  ;;; More than 10 simultaneous connections looks spammy
    chain=forward protocol=tcp dst-port=25 connection-limit=10,32 action=add-src-to-address-list address-list=suspectedspambot address-list-timeout=2d
39  ;;; Drop traffic from those on the suspect list
    chain=forward protocol=tcp dst-port=25 src-address-list=suspectedspambot action=drop
# Unreachable (after rule 6) and a duplicate of 14; rules 41-42 duplicate
# 15-16 exactly. Keep one copy of each.
40  ;;; drop ftp brute forcers
    chain=input protocol=tcp dst-port=21 src-address-list=ftp_blacklist action=drop
41  chain=output protocol=tcp content=530 Login incorrect dst-limit=1/1m,9,dst-address/1m action=accept
42  chain=output protocol=tcp content=530 Login incorrect action=add-dst-to-address-list address-list=ftp_blacklist address-list-timeout=3h
# SSH brute-force stager (43-47), all unreachable behind rule 6. Once
# reachable it works bottom-up: the 1st new SSH connection from a source
# lands it in ssh_stage1 (47), the 2nd within 1m in ssh_stage2 (46), the
# 3rd in ssh_stage3 (45), the 4th in ssh_blacklist for 1w3d (44), and 43
# then drops it. LAN sources are exempt only because rule 5 accepts them
# earlier — keep rule 5 above these if the chain is reordered.
43  ;;; drop ssh brute forcers
    chain=input protocol=tcp dst-port=22 src-address-list=ssh_blacklist action=drop
44  chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage3 action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1w3d
45  chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage2 action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m
46  chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage1 action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m
47  chain=input protocol=tcp dst-port=22 connection-state=new action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m
# Original comment (Indonesian): "Drop internet requests except the approved
# ones". As written it matches in-interface=internet in chain=forward, which
# rule 7 has already sent to 'customer', so it never fires. If the intent is
# to let only hosts on the 'bonet' list reach the internet, the match
# presumably needs out-interface=internet instead — confirm with the owner.
48  ;;; Drop internet requests except the approved ones
    chain=forward in-interface=internet src-address-list=!bonet action=drop
# Chain 'tcp' is only entered for protocol=tcp (rule 36). TFTP runs on
# UDP/69 and NetBIOS name/datagram services on UDP/137-138, so these two
# rules block neither; only TCP/139 (NetBIOS session) is actually denied.
# Add equivalent protocol=udp drops (or a 'udp' chain with its own jump).
49  ;;; Deny TFTP
    chain=tcp dst-port=69 action=drop
50  ;;; Deny NBT
    chain=tcp dst-port=137-139 action=drop

[doddy@ILO-NIAS] >
