Firewall Filter
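/ip firewall filter
# Tag download servers: when a LAN client (192.168.0.0/24) pulls a TCP payload
# that contains one of the extensions below, the *destination* host is added to
# address list "cekek" for 1h. The mangle rule that follows marks packets coming
# *from* those hosts (src-address-list=cekek), i.e. the download direction, and
# the simple queue "download-files" rate-limits that packet mark.
# Caveats worth keeping on record:
#  - content= is a plain substring match on unencrypted payload: it never sees
#    TLS (HTTPS) traffic, and it also fires on any text that merely contains
#    ".exe"/".zip" (an HTML page, a mail body), so expect false positives.
#  - the whole destination IP is throttled for 1h, not just the one download;
#    a shared host or CDN serving unrelated content is throttled as well.
add action=add-dst-to-address-list address-list=cekek address-list-timeout=1h \
    chain=forward comment="Filter Download iso" content=.iso disabled=no \
    protocol=tcp src-address=192.168.0.0/24
add action=add-dst-to-address-list address-list=cekek address-list-timeout=1h \
    chain=forward comment=mpg content=.mpg disabled=no protocol=tcp \
    src-address=192.168.0.0/24
add action=add-dst-to-address-list address-list=cekek address-list-timeout=1h \
    chain=forward comment=mp3 content=.mp3 disabled=no protocol=tcp \
    src-address=192.168.0.0/24
add action=add-dst-to-address-list address-list=cekek address-list-timeout=1h \
    chain=forward comment=avi content=.avi disabled=no protocol=tcp \
    src-address=192.168.0.0/24
add action=add-dst-to-address-list address-list=cekek address-list-timeout=1h \
    chain=forward comment=exe content=.exe disabled=no protocol=tcp \
    src-address=192.168.0.0/24
add action=add-dst-to-address-list address-list=cekek address-list-timeout=1h \
    chain=forward comment=rar content=.rar disabled=no protocol=tcp \
    src-address=192.168.0.0/24
# fixed: the original entry matched ".mwv", which is not a file extension;
# Windows Media Video files end in ".wmv", so the rule never matched anything.
add action=add-dst-to-address-list address-list=cekek address-list-timeout=1h \
    chain=forward comment=wmv content=.wmv disabled=no protocol=tcp \
    src-address=192.168.0.0/24
add action=add-dst-to-address-list address-list=cekek address-list-timeout=1h \
    chain=forward comment=zip content=.zip disabled=no protocol=tcp \
    src-address=192.168.0.0/24
add action=add-dst-to-address-list address-list=cekek address-list-timeout=1h \
    chain=forward comment=3gp content=.3gp disabled=no protocol=tcp \
    src-address=192.168.0.0/24
add action=add-dst-to-address-list address-list=cekek address-list-timeout=1h \
    chain=forward comment=mp4 content=.mp4 disabled=no protocol=tcp \
    src-address=192.168.0.0/24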
Firewall Mangle
/ip firewall mangle
# Packet-mark the download direction of hosts tagged by the filter rules above:
# anything TCP whose source is in address list "cekek" gets mark "cekek-bw",
# which the simple queue "download-files" then shapes. Forward chain only, so
# the router's own traffic is untouched.
add chain=forward action=mark-packet new-packet-mark=cekek-bw \
    protocol=tcp src-address-list=cekek
Queue
/queue simple
# Cap everything carrying packet mark "cekek-bw" (tagged downloads) at
# 32000 bit/s in each direction (max-limit is upload/download, in bits/s).
# NOTE(review): no target= is given; newer RouterOS releases may require one
# for a simple queue — confirm on the router's version.
add name=download-files packet-marks=cekek-bw max-limit=32000/32000
Limit Streaming Mikrotik
Layer 7 Protocol
/ip firewall layer7-protocol
# Matches an HTTP/0.9, 1.0 or 1.1 response whose status line is followed by a
# "content-type: video" header, i.e. a plaintext HTTP video stream.
# Only cleartext HTTP is visible to the L7 matcher; HTTPS video is not caught.
# The backslash-newline inside the quoted regexp is export line-wrapping, not
# part of the pattern.
add name=http-video-streaming regexp="http/(0\\.9|1\\.0|1\\.1)[\\x09-\\x0d ][1-5\
][0-9][0-9][\\x09-\\x0d -~]*(content-type: video)"
Firewall Mangle
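/ip firewall mangle
# Step 1: tag the connection as soon as the L7 matcher recognises an HTTP
# response with "content-type: video" (passthrough=yes so step 2 still runs).
add action=mark-connection chain=prerouting comment="Limit Streaming Video" \
    disabled=no layer7-protocol=http-video-streaming \
    new-connection-mark=http-video-streaming-1 passthrough=yes
# Step 2: mark the packets of tagged connections so the queue tree entry
# "Streaming" (packet-mark=http-video-streaming) can shape them.
# fixed: the source page cut this command off after "layer7-protocol=", leaving
# no packet mark at all, so the queue tree never saw any traffic. The packet-
# mark name is the one the queue tree expects; matching on the connection mark
# from step 1 avoids re-running the L7 regex on every packet.
add action=mark-packet chain=prerouting disabled=no \
    connection-mark=http-video-streaming-1 \
    new-packet-mark=http-video-streaming passthrough=no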
Queue
/queue type
# PCQ sub-queues used by the queue tree below: one fair-share sub-queue per
# destination address (download) or per source address (upload), /32 for IPv4
# and /128 for IPv6. Burst is switched off (pcq-burst-rate=0) and pcq-rate=0
# leaves the per-sub-queue rate uncapped, so only the parent queue limits.
add name=Pcq-Download kind=pcq pcq-classifier=dst-address pcq-rate=0 \
    pcq-limit=50 pcq-total-limit=2000 \
    pcq-burst-rate=0 pcq-burst-threshold=0 pcq-burst-time=10s \
    pcq-dst-address-mask=32 pcq-dst-address6-mask=128 \
    pcq-src-address-mask=32 pcq-src-address6-mask=128
add name=Pcq-Upload kind=pcq pcq-classifier=src-address pcq-rate=0 \
    pcq-limit=50 pcq-total-limit=2000 \
    pcq-burst-rate=0 pcq-burst-threshold=0 pcq-burst-time=10s \
    pcq-dst-address-mask=32 pcq-dst-address6-mask=128 \
    pcq-src-address-mask=32 pcq-src-address6-mask=128
/queue tree
# Shape packets marked "http-video-streaming" to 32k (limit-at = max-limit),
# allowing a 128k burst for up to 4s while the average stays below 24k.
# The mangle mark-packet rule that is supposed to create this packet mark is
# truncated on the source page — verify it exists before relying on this queue.
# NOTE(review): parent=global-total is the pre-v6 parent name; on RouterOS v6+
# the equivalent is "global" — check against the router's version.
add name=Streaming parent=global-total packet-mark=http-video-streaming \
    queue=Pcq-Download limit-at=32k max-limit=32k \
    burst-limit=128k burst-threshold=24k burst-time=4s \
    priority=8 disabled=no
/ip firewall layer7-protocol
# Matches an HTTP/0.9, 1.0 or 1.1 response whose status line is followed by a
# "content-type: video" header, i.e. a plaintext HTTP video stream.
# Only cleartext HTTP is visible to the L7 matcher; HTTPS video is not caught.
# The backslash-newline inside the quoted regexp is export line-wrapping, not
# part of the pattern.
add name=http-video-streaming regexp="http/(0\\.9|1\\.0|1\\.1)[\\x09-\\x0d ][1-5\
][0-9][0-9][\\x09-\\x0d -~]*(content-type: video)"
Firewall Mangle
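/ip firewall mangle
# Step 1: tag the connection as soon as the L7 matcher recognises an HTTP
# response with "content-type: video" (passthrough=yes so step 2 still runs).
add action=mark-connection chain=prerouting comment="Limit Streaming Video" \
    disabled=no layer7-protocol=http-video-streaming \
    new-connection-mark=http-video-streaming-1 passthrough=yes
# Step 2: mark the packets of tagged connections so the queue tree entry
# "Streaming" (packet-mark=http-video-streaming) can shape them.
# fixed: the source page cut this command off after "layer7-protocol=", leaving
# no packet mark at all, so the queue tree never saw any traffic. The packet-
# mark name is the one the queue tree expects; matching on the connection mark
# from step 1 avoids re-running the L7 regex on every packet.
add action=mark-packet chain=prerouting disabled=no \
    connection-mark=http-video-streaming-1 \
    new-packet-mark=http-video-streaming passthrough=no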
Queue
/queue type
# PCQ sub-queues used by the queue tree below: one fair-share sub-queue per
# destination address (download) or per source address (upload), /32 for IPv4
# and /128 for IPv6. Burst is switched off (pcq-burst-rate=0) and pcq-rate=0
# leaves the per-sub-queue rate uncapped, so only the parent queue limits.
add name=Pcq-Download kind=pcq pcq-classifier=dst-address pcq-rate=0 \
    pcq-limit=50 pcq-total-limit=2000 \
    pcq-burst-rate=0 pcq-burst-threshold=0 pcq-burst-time=10s \
    pcq-dst-address-mask=32 pcq-dst-address6-mask=128 \
    pcq-src-address-mask=32 pcq-src-address6-mask=128
add name=Pcq-Upload kind=pcq pcq-classifier=src-address pcq-rate=0 \
    pcq-limit=50 pcq-total-limit=2000 \
    pcq-burst-rate=0 pcq-burst-threshold=0 pcq-burst-time=10s \
    pcq-dst-address-mask=32 pcq-dst-address6-mask=128 \
    pcq-src-address-mask=32 pcq-src-address6-mask=128
/queue tree
# Shape packets marked "http-video-streaming" to 32k (limit-at = max-limit),
# allowing a 128k burst for up to 4s while the average stays below 24k.
# The mangle mark-packet rule that is supposed to create this packet mark is
# truncated on the source page — verify it exists before relying on this queue.
# NOTE(review): parent=global-total is the pre-v6 parent name; on RouterOS v6+
# the equivalent is "global" — check against the router's version.
add name=Streaming parent=global-total packet-mark=http-video-streaming \
    queue=Pcq-Download limit-at=32k max-limit=32k \
    burst-limit=128k burst-threshold=24k burst-time=4s \
    priority=8 disabled=no
Standard Firewall Mikrotik
Address List
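/ip firewall address-list
# Management allow-list: the single host permitted to reach the router's admin
# services. The input-chain filter rules below reference it as
# src-address-list=local-addr / !local-addr.
# fixed: the original line carried the note "( ip address yg di izinkan untuk
# acces winbox )" ("IP address allowed to access winbox") inline after the
# command, which would make the line fail to parse; it is kept here as a comment.
add address=192.168.0.8 disabled=no list=local-addr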
Firewall Filter
/ip firewall filter
# Admin-service protection on the input chain, one triplet per service port:
#   1. any source NOT in local-addr that touches the port is recorded in a
#      per-service ban list for 4w2d (30 days) — add-src-to-address-list is a
#      passthrough action, so the packet continues to rule 2;
#   2. every packet to the router from a banned source is dropped (all ports,
#      not just the one that was probed);
#   3. the allow-listed host (local-addr) is accepted on that port.
# NOTE(review): the "Wan Access" comments notwithstanding, no in-interface is
# set, so a LAN host that happens to open the router web UI also lands in the
# ban list for 30 days.
# NOTE(review): FTP (21), telnet (23) and HTTP (80) are cleartext management
# services; turning them off under /ip service is preferable to filtering them.
# --- FTP (21)
add chain=input action=add-src-to-address-list address-list=-FTP \
    address-list-timeout=4w2d comment="Filter - Wan Access FTP" disabled=no \
    dst-port=21 protocol=tcp src-address-list=!local-addr
add chain=input action=drop disabled=no src-address-list=-FTP
add chain=input action=accept disabled=no dst-port=21 protocol=tcp \
    src-address-list=local-addr
# --- SSH (22)
add chain=input action=add-src-to-address-list address-list=-SSH \
    address-list-timeout=4w2d comment="Filter - Wan Access SSH" disabled=no \
    dst-port=22 protocol=tcp src-address-list=!local-addr
add chain=input action=drop disabled=no src-address-list=-SSH
add chain=input action=accept disabled=no dst-port=22 protocol=tcp \
    src-address-list=local-addr
# --- telnet (23)
add chain=input action=add-src-to-address-list address-list=-TELNET \
    address-list-timeout=4w2d comment="Filter - Wan Access TELNET" disabled=no \
    dst-port=23 protocol=tcp src-address-list=!local-addr
add chain=input action=drop disabled=no src-address-list=-TELNET
add chain=input action=accept disabled=no dst-port=23 protocol=tcp \
    src-address-list=local-addr
# --- HTTP web UI (80)
add chain=input action=add-src-to-address-list address-list=-WEB \
    address-list-timeout=4w2d comment="Filter - Wan Access WEB" disabled=no \
    dst-port=80 protocol=tcp src-address-list=!local-addr
add chain=input action=drop disabled=no src-address-list=-WEB
add chain=input action=accept disabled=no dst-port=80 protocol=tcp \
    src-address-list=local-addr
# --- winbox (8291)
add chain=input action=add-src-to-address-list address-list=-WINBOX \
    address-list-timeout=4w2d comment="Filter - Wan Access WINBOX" disabled=no \
    dst-port=8291 protocol=tcp src-address-list=!local-addr
add chain=input action=drop disabled=no src-address-list=-WINBOX
add chain=input action=accept disabled=no dst-port=8291 protocol=tcp \
    src-address-list=local-addr
# --- PPTP VPN (1723)
add chain=input action=add-src-to-address-list address-list=-VPN \
    address-list-timeout=4w2d comment="Filter - Wan Access VPN" disabled=no \
    dst-port=1723 protocol=tcp src-address-list=!local-addr
add chain=input action=drop disabled=no src-address-list=-VPN
add chain=input action=accept disabled=no dst-port=1723 protocol=tcp \
    src-address-list=local-addr
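/ip firewall filter
# Port-scan detection on the input chain. Offenders are collected in address
# list "port scanners" for 2w and every packet from them is dropped by the last
# rule of this group.
# fixed: the psd rule originally wrote to a separate list ("Filter - Port
# Scanners") that no drop rule referenced, so hosts it detected were recorded
# but never blocked; it now feeds the same list as the flag-based rules.
# psd=21,3s,3,1 : weight threshold 21 within 3s, low ports weigh 3, high ports 1.
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="Filter - Port Scanners" \
    disabled=no protocol=tcp psd=21,3s,3,1
# TCP flag combinations that legitimate stacks never send. Listed flags must be
# set, "!" flags must be clear, unlisted flags are don't-care.
# SYN+FIN
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input disabled=no protocol=tcp tcp-flags=\
    fin,syn
# SYN+RST
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input disabled=no protocol=tcp tcp-flags=\
    syn,rst
# FIN+PSH+URG only ("xmas")
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input disabled=no protocol=tcp tcp-flags=\
    fin,psh,urg,!syn,!rst,!ack
# every flag set
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input disabled=no protocol=tcp tcp-flags=\
    fin,syn,rst,psh,ack,urg
# no flag set ("null")
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input disabled=no protocol=tcp tcp-flags=\
    !fin,!syn,!rst,!psh,!ack,!urg
# FIN only
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input disabled=no protocol=tcp tcp-flags=\
    fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=input disabled=no src-address-list="port scanners"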
/ip firewall filter
# Forward chain: fast-path packets of already-tracked connections, then stop
# every host except 192.168.0.8 from sending ICMP out of the WAN (modem1).
# The ICMP drop sits after the state accepts, so only new outbound echo
# requests are affected.
add chain=forward action=accept connection-state=established \
    comment=Connections disabled=no
add chain=forward action=accept connection-state=related disabled=no
add chain=forward action=drop comment="Blok Ping Out" disabled=no \
    protocol=icmp out-interface=modem1 src-address=!192.168.0.8
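/ip firewall address-list
# Management allow-list: the single host permitted to reach the router's admin
# services. The input-chain filter rules below reference it as
# src-address-list=local-addr / !local-addr.
# fixed: the original line carried the note "( ip address yg di izinkan untuk
# acces winbox )" ("IP address allowed to access winbox") inline after the
# command, which would make the line fail to parse; it is kept here as a comment.
add address=192.168.0.8 disabled=no list=local-addr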
Firewall Filter
/ip firewall filter
# Admin-service protection on the input chain, one triplet per service port:
#   1. any source NOT in local-addr that touches the port is recorded in a
#      per-service ban list for 4w2d (30 days) — add-src-to-address-list is a
#      passthrough action, so the packet continues to rule 2;
#   2. every packet to the router from a banned source is dropped (all ports,
#      not just the one that was probed);
#   3. the allow-listed host (local-addr) is accepted on that port.
# NOTE(review): the "Wan Access" comments notwithstanding, no in-interface is
# set, so a LAN host that happens to open the router web UI also lands in the
# ban list for 30 days.
# NOTE(review): FTP (21), telnet (23) and HTTP (80) are cleartext management
# services; turning them off under /ip service is preferable to filtering them.
# --- FTP (21)
add chain=input action=add-src-to-address-list address-list=-FTP \
    address-list-timeout=4w2d comment="Filter - Wan Access FTP" disabled=no \
    dst-port=21 protocol=tcp src-address-list=!local-addr
add chain=input action=drop disabled=no src-address-list=-FTP
add chain=input action=accept disabled=no dst-port=21 protocol=tcp \
    src-address-list=local-addr
# --- SSH (22)
add chain=input action=add-src-to-address-list address-list=-SSH \
    address-list-timeout=4w2d comment="Filter - Wan Access SSH" disabled=no \
    dst-port=22 protocol=tcp src-address-list=!local-addr
add chain=input action=drop disabled=no src-address-list=-SSH
add chain=input action=accept disabled=no dst-port=22 protocol=tcp \
    src-address-list=local-addr
# --- telnet (23)
add chain=input action=add-src-to-address-list address-list=-TELNET \
    address-list-timeout=4w2d comment="Filter - Wan Access TELNET" disabled=no \
    dst-port=23 protocol=tcp src-address-list=!local-addr
add chain=input action=drop disabled=no src-address-list=-TELNET
add chain=input action=accept disabled=no dst-port=23 protocol=tcp \
    src-address-list=local-addr
# --- HTTP web UI (80)
add chain=input action=add-src-to-address-list address-list=-WEB \
    address-list-timeout=4w2d comment="Filter - Wan Access WEB" disabled=no \
    dst-port=80 protocol=tcp src-address-list=!local-addr
add chain=input action=drop disabled=no src-address-list=-WEB
add chain=input action=accept disabled=no dst-port=80 protocol=tcp \
    src-address-list=local-addr
# --- winbox (8291)
add chain=input action=add-src-to-address-list address-list=-WINBOX \
    address-list-timeout=4w2d comment="Filter - Wan Access WINBOX" disabled=no \
    dst-port=8291 protocol=tcp src-address-list=!local-addr
add chain=input action=drop disabled=no src-address-list=-WINBOX
add chain=input action=accept disabled=no dst-port=8291 protocol=tcp \
    src-address-list=local-addr
# --- PPTP VPN (1723)
add chain=input action=add-src-to-address-list address-list=-VPN \
    address-list-timeout=4w2d comment="Filter - Wan Access VPN" disabled=no \
    dst-port=1723 protocol=tcp src-address-list=!local-addr
add chain=input action=drop disabled=no src-address-list=-VPN
add chain=input action=accept disabled=no dst-port=1723 protocol=tcp \
    src-address-list=local-addr
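/ip firewall filter
# Port-scan detection on the input chain. Offenders are collected in address
# list "port scanners" for 2w and every packet from them is dropped by the last
# rule of this group.
# fixed: the psd rule originally wrote to a separate list ("Filter - Port
# Scanners") that no drop rule referenced, so hosts it detected were recorded
# but never blocked; it now feeds the same list as the flag-based rules.
# psd=21,3s,3,1 : weight threshold 21 within 3s, low ports weigh 3, high ports 1.
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="Filter - Port Scanners" \
    disabled=no protocol=tcp psd=21,3s,3,1
# TCP flag combinations that legitimate stacks never send. Listed flags must be
# set, "!" flags must be clear, unlisted flags are don't-care.
# SYN+FIN
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input disabled=no protocol=tcp tcp-flags=\
    fin,syn
# SYN+RST
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input disabled=no protocol=tcp tcp-flags=\
    syn,rst
# FIN+PSH+URG only ("xmas")
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input disabled=no protocol=tcp tcp-flags=\
    fin,psh,urg,!syn,!rst,!ack
# every flag set
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input disabled=no protocol=tcp tcp-flags=\
    fin,syn,rst,psh,ack,urg
# no flag set ("null")
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input disabled=no protocol=tcp tcp-flags=\
    !fin,!syn,!rst,!psh,!ack,!urg
# FIN only
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input disabled=no protocol=tcp tcp-flags=\
    fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=input disabled=no src-address-list="port scanners"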
/ip firewall filter
# Forward chain: fast-path packets of already-tracked connections, then stop
# every host except 192.168.0.8 from sending ICMP out of the WAN (modem1).
# The ICMP drop sits after the state accepts, so only new outbound echo
# requests are affected.
add chain=forward action=accept connection-state=established \
    comment=Connections disabled=no
add chain=forward action=accept connection-state=related disabled=no
add chain=forward action=drop comment="Blok Ping Out" disabled=no \
    protocol=icmp out-interface=modem1 src-address=!192.168.0.8