If ether1 is the internet/uplink and is reachable from outside (has a public IP), then the rule:
22 ;;; tcp ports
chain=input action=accept protocol=tcp in-interface=ether1
dst-port=22,25,53,1723,2000,7780,8291
23 ;;; udp ports
chain=input action=accept protocol=udp in-interface=ether1 dst-port=53
will eventually make that router part of some DNS DDoS network. :-) Why should the router be allowed to answer queries coming from the internet at all?
I no longer knew why it wasn't working... so I allowed it anyway....
Now it looks like this, and it seems the cause of it all was that established connections weren't allowed:
0 ;;; Drop invalid connections
chain=input action=drop connection-state=invalid
1 ;;; Port scanners to list
chain=input action=add-src-to-address-list protocol=tcp psd=21,3s,3,1
address-list=port scanners address-list-timeout=2w
2 ;;; NMAP FIN Stealth scan
chain=input action=add-src-to-address-list
tcp-flags=fin,!syn,!rst,!psh,!ack,!urg protocol=tcp
address-list=port scanners address-list-timeout=2w
3 ;;; SYN/FIN scan
chain=input action=add-src-to-address-list tcp-flags=fin,syn protocol=tcp
address-list=port scanners address-list-timeout=2w
4 ;;; SYN/RST scan
chain=input action=add-src-to-address-list tcp-flags=syn,rst protocol=tcp
address-list=port scanners address-list-timeout=2w
5 ;;; FIN/PSH/URG scan
chain=input action=add-src-to-address-list
tcp-flags=fin,psh,urg,!syn,!rst,!ack pr address-list=port scanners address-list-timeout=2w
6 ;;; ALL/ALL scan
chain=input action=add-src-to-address-list
tcp-flags=fin,syn,rst,psh,ack,urg protocol=tcp address-list=port scanners
address-list-timeout=2w
7 ;;; NMAP NULL scan
chain=input action=add-src-to-address-list
tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg protocol=tcp
address-list=port scanners address-list-timeout=2w
8 ;;; dropping port scanners
chain=input action=drop src-address-list=port scanners
9 ;;; suppress DoS attack
chain=input action=tarpit protocol=tcp src-address-list=black_list
connection-limit=3,32
10 ;;; detect DoS attack(10 connections/ip from internet)
chain=input action=add-src-to-address-list protocol=tcp
address-list=black_list address-list-timeout=1d in-interface=ether1
connection-limit=10,32
11 ;;; DOS attack protection(50 connections/ip)
chain=input action=add-src-to-address-list protocol=tcp
address-list=black_list address-list-timeout=1d connection-limit=50,32
12 ;;; drop ssh brute forcers
chain=input action=drop protocol=tcp src-address-list=ssh_blacklist
dst-port=22
13 chain=input action=add-src-to-address-list connection-state=new protocol=tc>
src-address-list=ssh_stage3 address-list=ssh_blacklist
address-list-timeout=1w3d dst-port=22
14 chain=input action=add-src-to-address-list connection-state=new protocol=tc>
src-address-list=ssh_stage2 address-list=ssh_stage3
address-list-timeout=1m dst-port=22
15 chain=input action=add-src-to-address-list connection-state=new protocol=tc>
src-address-list=ssh_stage1 address-list=ssh_stage2
address-list-timeout=1m dst-port=22
16 chain=input action=add-src-to-address-list connection-state=new protocol=tc>
address-list=ssh_stage1 address-list-timeout=1m dst-port=22
17 ;;; drop ssh brute downstream
chain=forward action=drop protocol=tcp src-address-list=ssh_blacklist
dst-port=22
18 ;;; Allow Broadcast Traffic
chain=input action=accept dst-address-type=broadcast
19 ;;; smtp(e-mail)
chain=input action=accept protocol=tcp src-port=25
20 ;;; vpn(gre)
chain=input action=accept protocol=gre
21 ;;; ping
chain=input action=accept protocol=icmp
22 ;;; tcp ports
chain=input action=accept protocol=tcp dst-port=22,25,1723,2000,7780,8291
23 ;;; allow estabilished connections
chain=input action=accept connection-state=established
24 ;;; drop everything else
chain=input action=drop in-interface=ether1
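As an added example (not code from either post), here is a small Python audit of a rule dump in the layout shown above; it flags the two points raised in this thread: a rule answering udp/53 on the uplink (the DNS amplification concern in the first reply) and a missing accept for established connections (what the second post found). The sample dump, the uplink name ether1 and the rule comments in it are constructed for the example.

```python
import re

# Constructed sample in the layout of a RouterOS "/ip firewall filter print" dump:
# a rule starts with its index (plus optional ";;; comment"); wrapped lines carry none.
SAMPLE_DUMP = """\
 0 ;;; udp ports
     chain=input action=accept protocol=udp in-interface=ether1 dst-port=53
 1 ;;; allow established connections
     chain=input action=accept connection-state=established
 2 ;;; drop everything else
     chain=input action=drop in-interface=ether1
"""

def parse_rules(dump):
    """Group the wrapped dump into rules of {index, comment, attrs}; values are read
    up to the next space, so 'address-list=port scanners' keeps only 'port'."""
    rules = []
    for line in dump.splitlines():
        m = re.match(r"\s*(\d+)\s+(.*)", line)
        if m:
            rules.append({"index": int(m.group(1)), "comment": "", "attrs": {}})
            body = m.group(2)
            if body.startswith(";;;"):
                rules[-1]["comment"] = body[3:].strip()
                continue
        elif rules:
            body = line
        else:
            continue
        for key, value in re.findall(r"([\w-]+)=(\S+)", body):
            rules[-1]["attrs"][key] = value
    return rules

def audit(dump, uplink="ether1"):
    """Flag input rules that answer DNS from the uplink (amplification abuse)
    and the absence of an accept for connection-state=established."""
    findings, established_ok = [], False
    for rule in parse_rules(dump):
        a = rule["attrs"]
        if a.get("chain") != "input" or a.get("action") != "accept":
            continue
        if "established" in a.get("connection-state", "").split(","):
            established_ok = True
        # No in-interface means the rule matches every interface, the uplink included.
        if (a.get("protocol") == "udp" and "53" in a.get("dst-port", "").split(",")
                and a.get("in-interface", uplink) == uplink):
            findings.append(f"rule {rule['index']}: accepts udp/53 from {uplink} (open DNS resolver)")
    if not established_ok:
        findings.append("no input rule accepts connection-state=established")
    return findings
```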