MikroTik RouterOS v2.9 User Manual

MikroTik RouterOS v2.9
709 pages
time ( time | time | sat | fri | thu | wed | tue | mon | sun ) - allows creating a filter based on the packets'
arrival time and date or, for locally generated packets, departure time and date
tos ( max-reliability | max-throughput | min-cost | min-delay | normal ) - specifies a match for the
value of Type of Service (ToS) field of an IP header
• max-reliability - maximize reliability (ToS=4)
• max-throughput - maximize throughput (ToS=8)
• min-cost - minimize monetary cost (ToS=2)
• min-delay - minimize delay (ToS=16)
• normal - normal service (ToS=0)
Notes
Because the NAT rules are applied first, keep in mind when setting up firewall rules that the
original packets might already have been modified by NAT.
Filter Applications
Protect your RouterOS router
To protect your router, you should not only change the admin password but also set up packet
filtering. All packets destined for the router are processed against the ip firewall input chain.
Note that the input chain does not affect packets that are being transferred through the router.
/ ip firewall filter
add chain=input connection-state=invalid action=drop \
comment="Drop Invalid connections"
add chain=input connection-state=established action=accept \
comment="Allow Established connections"
add chain=input protocol=udp action=accept \
comment="Allow UDP"
add chain=input protocol=icmp action=accept \
comment="Allow ICMP"
add chain=input src-address=192.168.0.0/24 action=accept \
comment="Allow access to router from known network"
add chain=input action=drop comment="Drop anything else"
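How the input chain above treats individual packets, as an added example that is not part of the manual: a simplified first-match model in Python covering only the matchers these rules use. The packet dictionaries, the sample addresses and the helper names are constructed for illustration; the fall-through to accept models RouterOS accepting a packet that no rule in a built-in chain matches.

```python
import ipaddress
import shlex

# The six input-chain rules from the manual text above, one per line.
INPUT_RULES = """
add chain=input connection-state=invalid action=drop comment="Drop Invalid connections"
add chain=input connection-state=established action=accept comment="Allow Established connections"
add chain=input protocol=udp action=accept comment="Allow UDP"
add chain=input protocol=icmp action=accept comment="Allow ICMP"
add chain=input src-address=192.168.0.0/24 action=accept comment="Allow access to router from known network"
add chain=input action=drop comment="Drop anything else"
"""

def parse_rules(text):
    """Turn 'add key=value ...' lines into dicts, keeping rule order."""
    rules = []
    for line in text.strip().splitlines():
        tokens = shlex.split(line)[1:]  # drop the leading 'add'
        rules.append(dict(t.split("=", 1) for t in tokens))
    return rules

def rule_matches(rule, pkt):
    """A rule matches when every matcher it carries agrees with the packet."""
    for key, want in rule.items():
        if key in ("action", "comment"):
            continue
        if key == "src-address":
            if ipaddress.ip_address(pkt[key]) not in ipaddress.ip_network(want):
                return False
        elif pkt.get(key) != want:
            return False
    return True

def evaluate(rules, pkt):
    """First matching rule decides; returns (action, comment)."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule["action"], rule["comment"]
    return "accept", "no rule matched"  # nothing in the chain matched

# Constructed sample packets (hypothetical field names mirror the matchers).
SAMPLES = [
    {"chain": "input", "protocol": "tcp", "connection-state": "new", "src-address": "203.0.113.7"},
    {"chain": "input", "protocol": "udp", "connection-state": "new", "src-address": "203.0.113.7"},
    {"chain": "input", "protocol": "tcp", "connection-state": "invalid", "src-address": "192.168.0.10"},
    {"chain": "forward", "protocol": "tcp", "connection-state": "new", "src-address": "203.0.113.7"},
]

if __name__ == "__main__":
    for pkt in SAMPLES:
        print(pkt, "->", evaluate(parse_rules(INPUT_RULES), pkt))
```

Rule order decides the outcome: an invalid packet from the known network is dropped by the first rule before the src-address rule is reached, while new UDP from any source is accepted by the third rule.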
Protecting the Customer's Network
To protect the customer's network, we should check all traffic that goes through the router and block
unwanted traffic. For icmp, tcp and udp traffic we will create chains in which all unwanted
packets will be dropped:
/ip firewall filter
add chain=forward protocol=tcp connection-state=invalid \
action=drop comment="drop invalid connections"
add chain=forward connection-state=established action=accept \
comment="allow already established connections"
add chain=forward connection-state=related action=accept \
comment="allow related connections"
Block IP addresses called "bogons":
Copyright 1999-2007, MikroTik. All rights reserved. Mikrotik, RouterOS and RouterBOARD are trademarks of Mikrotikls SIA.
Other trademarks and registered trademarks mentioned herein are properties of their respective owners.
