Firewall Filter - использование jump и return

EdkiyGluk

Доброго времени суток =)
В работе RB951Ui, он находится в центральной точке. На него "стучатся" 40 впнов (pptp, sstp, l2tp), куча проброшенных портов и т. д... При создании своих цепочек правил в фаерволе и перенаправлении на них трафика нагрузка на CPU снизилась в N раз.... Пользуется ли вообще кто-либо, кроме меня, этой штукой на этом форуме? Или все забили на это?
===
Кому интересно, можете посмотреть под спойлером... задисабленные правила были сделаны чисто для дебага
Для справки - первый провайдер PPOE-PROVIDER на Ether5, а второй приходит в Ether4 статикой
Почти все правила откомментил
 Выжимка из фаервола
# oct/03/2014 00:37:03 by RouterOS 6.19
# software id = 38F6-G73Q
#
# Reviewer notes (added; the "add" lines below are the export as posted):
# - Rules are evaluated top-down within a chain and the first terminating
#   action (accept/drop/reject) decides.  In RouterOS a rule with no action=
#   is an accept, and a packet that reaches the end of a built-in chain
#   (input/forward) without a terminating match is accepted as well, so the
#   order of the rules below is part of their meaning.
# - add-src-to-address-list and log do not terminate evaluation: the packet
#   that matched them keeps walking the chain.  A jump whose target chain
#   produces no terminating match returns to the rule after the jump.
# - Most comment= values are RouterOS \XX escapes of CP1251 Cyrillic; the
#   English meaning is given in the # line ahead of each such rule.  The
#   comment= strings themselves are left exactly as exported.
# - The address lists referenced (external_ip, RAZRESHENO, BLACK_LIST, SIP,
#   WHITE_STAGE1..5, SEND_BACKAP) are not part of this excerpt; notes that
#   depend on their contents are marked as assumptions to confirm.
/ip firewall filter
# Drop packets the connection tracker classifies as invalid, on input (to the
# router) and forward (through the router).  "BAD_PACKED" is a typo of
# BAD_PACKET in the comment= string only; it has no effect on matching.
add action=drop chain=input comment=BAD_PACKED connection-state=invalid
add action=drop chain=forward comment=BAD_PACKET connection-state=invalid
# PPP_GOGOGO fast path: input whose destination is NOT in external_ip is
# handed to the PPP_GOGOGO chain (defined at the very end of this export).
# The two rules differ only in the excluded interface: a packet arriving on
# PPOE-PROVIDER matches the second, a packet from any other interface
# matches the first, so together they catch every input packet that is not
# addressed to an external_ip address.
# NOTE(review): PPP_GOGOGO ends in a rule without action= (an accept), so such
# packets are accepted before the BLACK_LIST, port-scan and management-port
# rules below are ever consulted.  That is only safe if external_ip lists
# every address the router is reachable on from the untrusted side -- its
# contents are not shown here; confirm.
add action=jump chain=input comment=PPP_GOGOGO dst-address-list=!external_ip \
in-interface=!PPOE-PROVIDER jump-target=PPP_GOGOGO
add action=jump chain=input comment=PPP_GOGOGO dst-address-list=!external_ip \
in-interface=!ether4 jump-target=PPP_GOGOGO
# Accept input from sources in RAZRESHENO ("allowed"; populated for 12h by
# the 5_PORT_KNOCK rule further down).  Placed before the BLACK_LIST drop,
# so a source present in both lists is accepted.
add chain=input comment=Acept_RAZRESHENO_LIST src-address-list=RAZRESHENO
# Drop input and forward traffic from BLACK_LIST sources (populated by the
# port_scan chain for 2w and, as written, by the 6_PORT_KNOCK rule for 12h).
# Because add-src-to-address-list is non-terminating, the packet that got a
# source listed is not dropped here -- only that source's later packets are.
add action=drop chain=input comment=Face_Control src-address-list=BLACK_LIST
add action=drop chain=forward comment=FACE_CONTROL src-address-list=\
BLACK_LIST
# comment= decodes to "check all new connections for port scans": every new
# TCP connection to the router goes through the port_scan chain.
add action=jump chain=input comment="\C2\F1\E5 \ED\EE\E2\FB\E5 \F1\EE\E5\E4\E8\
\ED\E5\ED\E8\FF \EF\F0\EE\E2\E5\F0\FF\F2\FC \ED\E0 \EF\EE\F0\F2-\F1\EA\E0\
\ED" connection-state=new jump-target=port_scan protocol=tcp
# Accept forwarded traffic from and to addresses in the SIP list.
add chain=forward comment="SIP <<==" src-address-list=SIP
add chain=forward comment="SIP ==>>" dst-address-list=SIP
# ICMP addressed to external_ip is first run through the port_knock chain;
# the "Allow Ping Mikrotik" rule further down then accepts it.
add action=jump chain=input comment=PING dst-address-list=external_ip \
jump-target=port_knock protocol=icmp
# established/related input is checked in packet_ok, which accepts it only
# when it arrived on PPOE-PROVIDER or ether4; from any other interface the
# packet returns here and continues down the input chain.
add action=jump chain=input comment=GO_packet_established connection-state=\
established jump-target=packet_ok
add action=jump chain=input comment=GO_packet_related connection-state=\
related jump-target=packet_ok
# Router management ports (FTP 21, SSH 22, telnet 23, HTTP 80, API
# 8728/8729, Winbox 8291) are gated by STOP_MIKROT_RULE: accept from
# RAZRESHENO, drop when arriving on ether4 or PPOE-PROVIDER, otherwise
# return here.  This is the only active protection of these ports on the
# WAN side.
# NOTE(review): FTP, telnet and HTTP are cleartext management services; if
# they are not needed, disabling them under /ip service (not shown here)
# removes the exposure regardless of filter order.
add action=jump chain=input comment=GO_MIKROT_RULE dst-port=\
21,22,23,80,8728,8729,8291 jump-target=STOP_MIKROT_RULE protocol=tcp
# --- chain port_scan.  First comment= decodes to "detect port scanners".
# Each rule adds the source to BLACK_LIST for 2 weeks on a psd hit or on a
# TCP flag combination a normal connection never carries; evaluation
# continues through all of them to the final return.
add action=add-src-to-address-list address-list=BLACK_LIST \
address-list-timeout=2w chain=port_scan comment=\
"\C2\DB\D7\C8\D1\CB\DF\C5\CC \D1\CA\C0\CD\C5\D0\DB \CF\CE\D0\D2\CE\C2" \
protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list=BLACK_LIST \
address-list-timeout=2w chain=port_scan comment="NMAP FIN Stealth scan" \
protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list=BLACK_LIST \
address-list-timeout=2w chain=port_scan comment="SYN/FIN scan" protocol=\
tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list=BLACK_LIST \
address-list-timeout=2w chain=port_scan comment="SYN/RST scan" protocol=\
tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list=BLACK_LIST \
address-list-timeout=2w chain=port_scan comment="FIN/PSH/URG scan" \
protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list=BLACK_LIST \
address-list-timeout=2w chain=port_scan comment="ALL/ALL scan" protocol=\
tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list=BLACK_LIST \
address-list-timeout=2w chain=port_scan comment="NMAP NULL scan" \
protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
# Back to the input chain; the packet that was just listed is not dropped
# here (see the BLACK_LIST note above).
add action=return chain=port_scan
# --- chain port_knock: an ICMP knock sequence keyed on packet-size=100.
# The stages are listed 6 -> 1 and stage N matches only while the source is
# in WHITE_STAGE(N-1); each stage list lives 2 s.  A 100-byte ICMP packet
# from a fresh source matches only the 1_PORT_KNOCK rule, and because
# add-src-to-address-list is non-terminating each further 100-byte packet
# advances the source one stage: five of them, each within 2 s of the
# previous, put the source in RAZRESHENO for 12 h (accepted near the top
# of input and by STOP_MIKROT_RULE).
# NOTE(review): the only secret is the ICMP size plus count/timing, which is
# weaker than a multi-port knock; keep it paired with the management-port
# drops rather than relying on it alone.
# NOTE(review): nothing in this export adds to WHITE_STAGE5 (5_PORT_KNOCK
# adds to RAZRESHENO instead), so the two 6_PORT_KNOCK rules below -- meant
# to log and blacklist a source that keeps knocking -- cannot fire as
# posted.  Confirm whether WHITE_STAGE5 is populated elsewhere.
add action=log chain=port_knock comment=6_PORT_KNOCK log-prefix=\
"PORT_KNOCK STOP!!!!" packet-size=100 protocol=icmp src-address-list=\
WHITE_STAGE5
add action=add-src-to-address-list address-list=BLACK_LIST \
address-list-timeout=12h chain=port_knock comment=6_PORT_KNOCK \
packet-size=100 protocol=icmp src-address-list=WHITE_STAGE5
# comment= decodes to "kill large pings": ICMP of 1500-10000 bytes is
# rejected with an ICMP host-unreachable (a reply goes back to the source;
# drop would be silent).
add action=reject chain=port_knock comment=\
"\F3\E1\E8\E2\E0\F2\FC \E1\EE\EB\FC\F8\E8\E5 \EF\E8\ED\E3\E8" \
packet-size=1500-10000 protocol=icmp reject-with=icmp-host-unreachable
# Disabled.  comment= adds "DELETE if send_backup is not going to be used".
# Keyed on WHITE_STAGE5 like the 6_PORT_KNOCK rules (same note applies),
# with packet-size=101.
add action=add-src-to-address-list address-list=SEND_BACKAP \
address-list-timeout=2h chain=port_knock comment="6_PORT_KNOCK (\D3\C4\C0\
\CB\C8\D2\DC, \E5\F1\EB\E8 \ED\E5 \E1\F3\E4\E5\EC \EF\EE\EB\FC\E7\EE\E2\E0\
\F2\FC\F1\FF send_backup)" disabled=yes packet-size=101 protocol=icmp \
src-address-list=WHITE_STAGE5
# Stage 5: source already in WHITE_STAGE4 -> RAZRESHENO for 12h.
add action=add-src-to-address-list address-list=RAZRESHENO \
address-list-timeout=12h chain=port_knock comment=5_PORT_KNOCK \
packet-size=100 protocol=icmp src-address-list=WHITE_STAGE4
# Stages 4..2: advance the source to the next stage list (2 s each).
add action=add-src-to-address-list address-list=WHITE_STAGE4 \
address-list-timeout=2s chain=port_knock comment=4_PORT_KNOCK \
packet-size=100 protocol=icmp src-address-list=WHITE_STAGE3
add action=add-src-to-address-list address-list=WHITE_STAGE3 \
address-list-timeout=2s chain=port_knock comment=3_PORT_KNOCK \
packet-size=100 protocol=icmp src-address-list=WHITE_STAGE2
add action=add-src-to-address-list address-list=WHITE_STAGE2 \
address-list-timeout=2s chain=port_knock comment=2_PORT_KNOCK \
packet-size=100 protocol=icmp src-address-list=WHITE_STAGE1
# Stage 1: any 100-byte ICMP packet reaching this chain starts a sequence.
# No return rule: the packet falls off the end of the chain back to input.
add action=add-src-to-address-list address-list=WHITE_STAGE1 \
address-list-timeout=2s chain=port_knock comment=1_PORT_KNOCK \
packet-size=100 protocol=icmp
# Accept ICMP to external_ip on input (after the port_knock pass above) and
# forwarded ICMP to external_ip.
add chain=input comment="Allow Ping Mikrotik" dst-address-list=external_ip \
protocol=icmp
add chain=forward comment="Allow Ping My Network" dst-address-list=\
external_ip protocol=icmp
# comment= decodes to "let the VPNs connect": TCP 1723 (PPTP), 1701 (L2TP)
# and 443 (SSTP), and UDP 1701 (L2TP), to external_ip.
# NOTE(review): PPTP also needs GRE (protocol 47) and L2TP/IPsec would need
# UDP 500/4500 plus ESP; none of these is accepted explicitly here.  Unless
# the connection-tracking helper classifies it as related, such traffic is
# passing only because the input chain has no terminating drop at its end
# (see the disabled rules further down).  Add explicit accepts for the VPN
# data protocols before enabling such a drop.
add chain=input comment=\
"\F0\E0\E7\F0\E5\F8\E8\F2\FC \F1\F2\F3\F7\E0\F2\FC\F1\FF \E2\EF\ED\E0\EC" \
dst-address-list=external_ip dst-port=1723,1701,443 protocol=tcp
add chain=input comment=\
"\F0\E0\E7\F0\E5\F8\E8\F2\FC \F1\F2\F3\F7\E0\F2\FC\F1\FF \E2\EF\ED\E0\EC" \
dst-address-list=external_ip dst-port=1701 protocol=udp
# Disabled per-host forward accepts; comment= values decode to "admin's
# laptop may go anywhere" and "allow <named user>'s laptop to go anywhere".
add chain=forward comment=\
"\CD\EE\F3\F2\F3 \E0\E4\EC\E8\ED\E0 \F5\EE\E4\E8\F2\FC \E2\E5\E7\E4\E5" \
disabled=yes src-address=192.168.155.168
add chain=forward comment="\D0\E0\E7\F0\E5\F8\E8\F2\FC \ED\EE\F3\F2\F3 \E0\ED\
\F2\E8\EF\EE\E2\E0 \F5\EE\E4\E8\F2\FC \E2\E5\E7\E4\E5" disabled=yes \
src-address=192.168.155.166
# Disabled: STOP! -- drop the management ports per WAN interface.  Same
# effect as the drops inside STOP_MIKROT_RULE, which are the active form.
add action=drop chain=input comment=STOP! disabled=yes dst-port=\
21,22,23,80,8728,8729,8291 in-interface=ether4 protocol=tcp
add action=drop chain=input comment=STOP! disabled=yes dst-port=\
21,22,23,80,8728,8729,8291 in-interface=PPOE-PROVIDER protocol=tcp
# Disabled.  comment= decodes to "cut everything": drop all remaining input
# and forward traffic arriving on the two WAN interfaces.
# NOTE(review): with these off, the input chain has no terminating drop at
# its end.  For the router's external address only the seven TCP ports in
# STOP_MIKROT_RULE are blocked from the WAN; any other service the router
# listens on (whatever /ip service, DNS etc. enable -- not shown here) is
# reachable through the end-of-chain accept.  The forward pair likewise
# leaves new inbound forwarding to NAT/routing (not shown) to stop.
# Re-enabling the input pair as the last input rules, after explicit accepts
# for the VPN control and data protocols, closes that gap.
add action=drop chain=input comment="\D0\D3\C1\C8\CC \C2\D1\A8 \C8 \C2\D1\DF" \
disabled=yes in-interface=PPOE-PROVIDER
add action=drop chain=input comment="\D0\D3\C1\C8\CC \C2\D1\A8 \C8 \C2\D1\DF" \
disabled=yes in-interface=ether4
add action=drop chain=forward comment=\
"\D0\D3\C1\C8\CC \C2\D1\A8 \C8 \C2\D1\DF" disabled=yes in-interface=\
PPOE-PROVIDER
add action=drop chain=forward comment=\
"\D0\D3\C1\C8\CC \C2\D1\A8 \C8 \C2\D1\DF" disabled=yes in-interface=\
ether4
# Disabled: forward accepts for one external destination / for ether4.
add chain=forward disabled=yes dst-address=217.149.191.82
add chain=forward disabled=yes in-interface=ether4
# --- chain STOP_MIKROT_RULE (jumped to from input for the management
# ports): accept RAZRESHENO sources, drop the ports when they arrive on
# ether4 or PPOE-PROVIDER; anything else (LAN, tunnel interfaces) falls off
# the end of the chain and returns to input.
add chain=STOP_MIKROT_RULE comment=Acept_WHITE_LIST src-address-list=\
RAZRESHENO
add action=drop chain=STOP_MIKROT_RULE comment=STOP dst-port=\
21,22,23,80,8728,8729,8291 in-interface=ether4 protocol=tcp
add action=drop chain=STOP_MIKROT_RULE comment=STOP dst-port=\
21,22,23,80,8728,8729,8291 in-interface=PPOE-PROVIDER protocol=tcp
# --- chain bad_packet (all disabled); comment= decodes to "block broken
# packets DELETE".  No rule in this export jumps to bad_packet, so even if
# enabled these would never be evaluated; the active equivalents are the
# two invalid drops at the top.  The input rule in the middle of the group
# is a disabled per-interface duplicate of the top invalid drop.
add action=drop chain=bad_packet comment="\C7\E0\EF\F0\E5\F2\E8\F2\FC \E1\E8\
\F2\FB\E5 \EF\E0\EA\E5\F2\FB \D3\C4\C0\CB\C8\D2\DC" connection-state=\
invalid disabled=yes in-interface=PPOE-PROVIDER
add action=drop chain=input comment="\C7\E0\EF\F0\E5\F2\E8\F2\FC \E1\E8\F2\FB\
\E5 \EF\E0\EA\E5\F2\FB \D3\C4\C0\CB\C8\D2\DC" connection-state=invalid \
disabled=yes dst-address-list=external_ip in-interface=ether4
add action=drop chain=bad_packet comment="\C7\E0\EF\F0\E5\F2\E8\F2\FC \E1\E8\
\F2\FB\E5 \EF\E0\EA\E5\F2\FB \D3\C4\C0\CB\C8\D2\DC" connection-state=\
invalid disabled=yes dst-address-list=external_ip in-interface=ether4
add action=drop chain=bad_packet comment="\C7\E0\EF\F0\E5\F2\E8\F2\FC \E1\E8\
\F2\FB\E5 \EF\E0\EA\E5\F2\FB \D3\C4\C0\CB\C8\D2\DC" connection-state=\
invalid disabled=yes in-interface=PPOE-PROVIDER
# --- chain packet_ok (jumped to from input for established/related),
# interleaved with the matching forward accepts.  comment= values decode
# to "allow established connections" / "allow related connections".  Only
# packets arriving on PPOE-PROVIDER or ether4 are accepted; any other
# arrival returns to input without a decision.
add chain=packet_ok comment="\D0\E0\E7\F0\E5\F8\E8\F2\FC \F3\F1\F2\E0\ED\EE\E2\
\EB\E5\ED\ED\FB\E5 \F1\EE\E5\E4\E8\ED\E5\ED\E8\FF" connection-state=\
established in-interface=PPOE-PROVIDER
add chain=forward comment="\D0\E0\E7\F0\E5\F8\E8\F2\FC \F3\F1\F2\E0\ED\EE\E2\
\EB\E5\ED\ED\FB\E5 \F1\EE\E5\E4\E8\ED\E5\ED\E8\FF" connection-state=\
established in-interface=PPOE-PROVIDER
add chain=packet_ok comment="\D0\E0\E7\F0\E5\F8\E8\F2\FC \F3\F1\F2\E0\ED\EE\E2\
\EB\E5\ED\ED\FB\E5 \F1\EE\E5\E4\E8\ED\E5\ED\E8\FF" connection-state=\
established in-interface=ether4
add chain=forward comment="\D0\E0\E7\F0\E5\F8\E8\F2\FC \F3\F1\F2\E0\ED\EE\E2\
\EB\E5\ED\ED\FB\E5 \F1\EE\E5\E4\E8\ED\E5\ED\E8\FF" connection-state=\
established in-interface=ether4
add chain=packet_ok comment="\D0\E0\E7\F0\E5\F8\E8\F2\FC \F0\EE\E4\F1\F2\E2\E5\
\ED\ED\FB\E5 \F1\EE\E5\E4\E8\ED\E5\ED\E8\FF" connection-state=related \
in-interface=PPOE-PROVIDER
add chain=forward comment="\D0\E0\E7\F0\E5\F8\E8\F2\FC \F0\EE\E4\F1\F2\E2\E5\
\ED\ED\FB\E5 \F1\EE\E5\E4\E8\ED\E5\ED\E8\FF" connection-state=related \
in-interface=PPOE-PROVIDER
add chain=packet_ok comment="\D0\E0\E7\F0\E5\F8\E8\F2\FC \F0\EE\E4\F1\F2\E2\E5\
\ED\ED\FB\E5 \F1\EE\E5\E4\E8\ED\E5\ED\E8\FF" connection-state=related \
in-interface=ether4
add chain=forward comment="\D0\E0\E7\F0\E5\F8\E8\F2\FC \F0\EE\E4\F1\F2\E2\E5\
\ED\ED\FB\E5 \F1\EE\E5\E4\E8\ED\E5\ED\E8\FF" connection-state=related \
in-interface=ether4
# Disabled TEST rules; comment= values decode to "DELETE!!! TEST_allow
# established / related connections" on PPOE-PROVIDER -- superseded by the
# packet_ok chain above.
add chain=input comment="\D3\C4\C0\CB\C8\D2\DC!!!TEST_\D0\E0\E7\F0\E5\F8\E8\F2\
\FC \F3\F1\F2\E0\ED\EE\E2\EB\E5\ED\ED\FB\E5 \F1\EE\E5\E4\E8\ED\E5\ED\E8\FF\
" connection-state=established disabled=yes in-interface=PPOE-PROVIDER
add chain=forward comment="\D3\C4\C0\CB\C8\D2\DC!!!TEST_\D0\E0\E7\F0\E5\F8\E8\
\F2\FC \F3\F1\F2\E0\ED\EE\E2\EB\E5\ED\ED\FB\E5 \F1\EE\E5\E4\E8\ED\E5\ED\E8\
\FF" connection-state=established disabled=yes in-interface=PPOE-PROVIDER
add chain=input comment="\D3\C4\C0\CB\C8\D2\DC!!!TEST_\D0\E0\E7\F0\E5\F8\E8\F2\
\FC \F0\EE\E4\F1\F2\E2\E5\ED\ED\FB\E5 \F1\EE\E5\E4\E8\ED\E5\ED\E8\FF" \
connection-state=related disabled=yes in-interface=PPOE-PROVIDER
add chain=forward comment="\D3\C4\C0\CB\C8\D2\DC!!!TEST_\D0\E0\E7\F0\E5\F8\E8\
\F2\FC \F0\EE\E4\F1\F2\E2\E5\ED\ED\FB\E5 \F1\EE\E5\E4\E8\ED\E5\ED\E8\FF" \
connection-state=related disabled=yes in-interface=PPOE-PROVIDER
# --- chain PPP_GOGOGO (jumped to from the two rules near the top of input).
# NOTE(review): the return rule can never match -- both jumps into this
# chain require dst-address-list=!external_ip, so no packet arriving here
# has a destination in external_ip.  The final rule has no action= and is
# therefore an accept for everything that reaches the chain.
add action=return chain=PPP_GOGOGO dst-address-list=external_ip
add chain=PPP_GOGOGO


vqd

Ну что есть вполне логично

