Effectively Tackling Vulnerabilities with the MikroTik Firewall

How to mitigate vulnerabilities on a hotspot network using the MikroTik firewall

Effective against flooding and DDoS-style attacks (the rules below rate-limit and drop floods at the router; a volumetric DDoS that saturates the uplink cannot be stopped there)

Firewall configuration:
Here I am using:
* MikroTik RB750GL router
* ether1-gateway (10.0.x.x/24)
* ether2-local-master (192.168.x.x/24) -> this network is reserved for the router administrator
* ether3-hotspot (11.8.x.x/20), gateway 11.8.x.x -> this is the network we have to protect. (11.0.0.0/8 is public address space, not a private range; on your own network use an RFC 1918 range such as 192.168.0.0/24 or 10.x.x.x.)
* 1 TP-Link WA-5210G antenna set up as AP-Bridge (192.168.x.x)
* Several TP-Link WA-5210G antennas set up as repeaters (192.168.x.x)
 

You can copy and paste the firewall below directly (but, once again, remember it 'must' be adapted to your network topology). For example, if your hotspot IP range is 192.168.0.1 to 192.168.0.253, replace the text (range-ip-hotspot anda) with '192.168.0.1-192.168.0.253'; do the same for (range-ip-local-master anda) (the administrator network on ether2-local-master) and (range-ip-lan anda). Two things to keep in mind while pasting: RouterOS evaluates each chain top to bottom and stops at the first accept, drop or reject, so the order of the blocks matters; and if you are connected remotely, enter Safe Mode first (Ctrl-X in the terminal) so that a rule that locks you out is undone when the session drops.

  • This firewall rejects invalid connections coming from clients. In connection tracking, "invalid" means a packet that belongs to no known connection and does not open a new one (a stray ACK or RST, a packet arriving after its connection entry timed out, a malformed segment); it has nothing to do with whether the client used a static IP instead of the address our DHCP server wanted to give it. The static-IP problem is handled further down by the rules that reject source addresses outside the hotspot range.
/ip firewall filter
add action=reject chain=forward comment="1>drop invalid connections" \
    connection-state=invalid disabled=no reject-with=icmp-network-unreachable
add action=reject chain=input comment="2>drop invalid connections" \
    connection-state=invalid disabled=no reject-with=icmp-network-unreachable
add action=reject chain=output comment="3>drop invalid connections" \
    connection-state=invalid disabled=no reject-with=icmp-network-unreachable

  • Reject TCP from clients to ports that are not known/allowed (usually only the ports below are opened); if you want to open another port, add it yourself. But remember, you must know what the port you open is for. For example, port 80 is HTTP, 443 HTTPS, 123 NTP, and so on. Note that 21-25 is a range, so it also opens 22 (SSH), 23 (telnet) and 24; list 21,25 instead if you only mean FTP and SMTP. The output-chain copy of the rule only sees packets the router itself generates, so it never matches forwarded client traffic and its counter will stay at zero.
/ip firewall filter
add action=reject chain=input comment="Recomended Port" disabled=no \
    dst-address=0.0.0.0/0 dst-port=\
    !80,53,123,443,21-25,5000-5223,6005,9443,1920,1272,8001-8002,61521 \
    in-interface=ether3-hotspot protocol=tcp reject-with=\
    icmp-protocol-unreachable src-address=(range-ip-hotspot anda)
add action=reject chain=forward disabled=no dst-address=0.0.0.0/0 dst-port=\
    !80,53,123,443,21-25,5000-5223,6005,9443,1920,1272,8001-8002,61521 \
    in-interface=ether3-hotspot protocol=tcp reject-with=\
    icmp-protocol-unreachable src-address=(range-ip-hotspot anda)
add action=reject chain=output disabled=no dst-address=0.0.0.0/0 dst-port=\
    !80,53,123,443,21-25,5000-5223,6005,9443,1920,1272,8001-8002,61521 \
    out-interface=ether1-gateway protocol=tcp reject-with=\
    icmp-protocol-unreachable src-address=(range-ip-hotspot anda)


  • Reject UDP from clients to ports that are not known/allowed (usually only the ports below are opened); add further ports yourself if needed. The original input and forward rules left out 123, which silently blocked the clients' NTP (NTP is UDP, so allowing TCP/123 above does nothing for it); it is included below. The list also lets TFTP (69), SNMP (161) and RIP (520) out, which hotspot users rarely need, while blocking ports they may need, such as VPN (500, 4500, 1194); adjust it to what your users actually use.
/ip firewall filter
    add action=reject chain=input disabled=no dst-address=0.0.0.0/0 dst-port=\
        !53,123,69,161,520 in-interface=ether3-hotspot protocol=udp reject-with=\
        icmp-protocol-unreachable src-address=(range-ip-hotspot anda)
    add action=reject chain=forward disabled=no dst-address=0.0.0.0/0 dst-port=\
        !53,123,69,161,520 in-interface=ether3-hotspot protocol=udp reject-with=\
        icmp-protocol-unreachable src-address=(range-ip-hotspot anda)
    add action=reject chain=output disabled=no dst-address=0.0.0.0/0 dst-port=\
        !53,123,69,161,520 out-interface=ether1-gateway protocol=udp reject-with=\
        icmp-protocol-unreachable src-address=(range-ip-hotspot anda)
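The two whitelists above repeat the hotspot range in every rule and give no hint which port a blocked client was trying to reach. The block below is an added example, not part of the original post: it expresses the same forward-chain policy with address lists (so the ranges are defined once) and a single custom chain that ends in a logged, rate-limited reject. The list names hotspot-clients and admin-lan, the chain name hotspot-egress and the networks 192.168.0.0/24 and 192.168.1.0/24 are placeholders; the port list is the post's own, except that 21 and 25 are listed singly.

```routeros
# Added example: address-list driven egress whitelist for hotspot clients.
# Placeholders: 192.168.0.0/24 (hotspot), 192.168.1.0/24 (admin LAN on ether2-local-master).
/ip firewall address-list
add list=hotspot-clients address=192.168.0.0/24 comment="hotspot DHCP network"
add list=admin-lan address=192.168.1.0/24 comment="ether2-local-master network"

/ip firewall filter
# Only client traffic heading for the uplink is sent through the custom chain.
add chain=forward action=jump jump-target=hotspot-egress \
    in-interface=ether3-hotspot out-interface=ether1-gateway \
    src-address-list=hotspot-clients comment="hotspot egress policy"

# Allowed destinations (the post's list). 21 and 25 are listed singly on purpose:
# the post's "21-25" also opened SSH (22) and telnet (23).
add chain=hotspot-egress action=accept protocol=tcp \
    dst-port=80,443,53,123,21,25,5000-5223,6005,9443,1920,1272,8001-8002,61521
add chain=hotspot-egress action=accept protocol=udp dst-port=53,123,69,161,520
add chain=hotspot-egress action=accept protocol=icmp

# Anything else: log a sample (1 line/s, burst 5) so you can see which port a
# client actually needed, then reject. icmp-admin-prohibited tells the client
# it is policy, not a dead host, so applications fail fast instead of retrying.
add chain=hotspot-egress action=log limit=1/1s,5 log-prefix="egress-reject:"
add chain=hotspot-egress action=reject reject-with=icmp-admin-prohibited

# Check: the jump and accept counters grow with client activity; the reject
# counter shows how much traffic the whitelist is really blocking.
/ip firewall filter print stats where chain=hotspot-egress
```

To open another port later, add one accept line to the hotspot-egress chain; nothing else changes. Clients with a self-assigned address are not in hotspot-clients, so they never enter this chain and fall through to the post's own rejects.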

    • Protect TCP port 80 on the Internet side from TCP packets whose source port lies in the privileged range 0-1023. A real client picks an ephemeral source port (1024 and up), so anything from the hotspot towards port 80 with a low source port is crafted or spoofed. The second rule catches the same pattern with a source address outside the hotspot range, i.e. a spoofed source.
    /ip firewall filter
    add action=reject chain=forward comment="Protect TCP Port 80" disabled=no \
        dst-address=0.0.0.0/0 dst-port=80 in-interface=ether3-hotspot protocol=tcp \
        reject-with=icmp-protocol-unreachable src-address=(range-ip-hotspot anda) \
        src-port=0-1023
    add action=reject chain=forward disabled=no dst-address=0.0.0.0/0 dst-port=80 \
        in-interface=ether3-hotspot protocol=tcp reject-with=\
        icmp-protocol-unreachable src-address=!(range-ip-hotspot anda) src-port=0-1023
    • Protect UDP port 53 from UDP source ports 1025-1027 (the comment in the original said "Port 80"; the rule is about DNS).
    /ip firewall filter
    add action=reject chain=input comment="Protect UDP Port 53" disabled=no dst-address=0.0.0.0/0 dst-port=53 \
        in-interface=ether3-hotspot protocol=udp reject-with=\
        icmp-protocol-unreachable src-address=(range-ip-hotspot anda) src-port=\
        1025-1027
    add action=reject chain=forward disabled=no dst-address=0.0.0.0/0 dst-port=53 \
        in-interface=ether3-hotspot protocol=udp reject-with=\
        icmp-protocol-unreachable src-address=(range-ip-hotspot anda) src-port=\
        1025-1027
    • Reject all protocols that are not allowed. The first three rules reject packets that arrive on ether3-hotspot with a source address outside the hotspot range (or leave towards it with a foreign destination), i.e. spoofed or misconfigured clients; the last two reject hotspot-to-hotspot traffic that tries to pass through the router. RouterOS matches every protocol when protocol is left unset; protocol=0 as written here is literally IP protocol number 0. After some client activity check the counters with /ip firewall filter print stats and, if they stay at zero, remove the protocol=0 parameter from these rules.
    /ip firewall filter
    add action=reject chain=input comment="Reject All Protocol" disabled=no \
        in-interface=ether3-hotspot protocol=0 reject-with=\
        icmp-protocol-unreachable src-address=!(range-ip-hotspot anda)
    add action=reject chain=forward disabled=no in-interface=ether3-hotspot \
        protocol=0 reject-with=icmp-protocol-unreachable src-address=\
        !(range-ip-hotspot anda)
    add action=reject chain=output disabled=no dst-address=!(range-ip-hotspot anda) \
        out-interface=ether3-hotspot protocol=0 reject-with=\
        icmp-protocol-unreachable
    add action=reject chain=input disabled=no dst-address=(range-ip-hotspot anda) \
        in-interface=ether3-hotspot protocol=0 reject-with=\
        icmp-protocol-unreachable src-address=(range-ip-hotspot anda)
    add action=reject chain=forward disabled=no dst-address=(range-ip-hotspot anda) \
        in-interface=ether3-hotspot protocol=0 reject-with=\
        icmp-protocol-unreachable src-address=(range-ip-hotspot anda)
    • Reject invalid DHCP from/to ports 67-68. Two caveats. The TCP rules are harmless but pointless (DHCP only uses UDP). The UDP input rules also match the legitimate requests your own clients send to the router, so if the router is the DHCP server for the hotspot, verify after pasting that new clients still receive leases and that renewals (unicast to port 67) still succeed; if they do not, keep only the forward-chain rules, which is where a rogue DHCP server on the client side would be seen. Even then, a rogue server answering other clients on the same access point never crosses the router; only client isolation on the AP stops that.
    /ip firewall filter
    add action=reject chain=input comment="Drop Invalid Request DHCP" disabled=no dst-port=\
        67-68 protocol=udp reject-with=icmp-protocol-unreachable src-address=\
        0.0.0.0/0
    add action=reject chain=forward disabled=no dst-port=67-68 protocol=udp \
        reject-with=icmp-protocol-unreachable src-address=0.0.0.0/0
    add action=reject chain=output disabled=no dst-port=67-68 protocol=udp \
        reject-with=icmp-protocol-unreachable src-address=0.0.0.0/0
    add action=reject chain=input disabled=no protocol=udp reject-with=\
        icmp-protocol-unreachable src-address=0.0.0.0/0 src-port=67-68
    add action=reject chain=forward disabled=no protocol=udp reject-with=\
        icmp-protocol-unreachable src-address=0.0.0.0/0 src-port=67-68
    add action=reject chain=output disabled=no protocol=udp reject-with=\
        icmp-protocol-unreachable src-address=0.0.0.0/0 src-port=67-68
    add action=reject chain=input disabled=no dst-port=67-68 protocol=tcp \
        reject-with=icmp-protocol-unreachable src-address=0.0.0.0/0
    add action=reject chain=forward disabled=no dst-port=67-68 protocol=tcp \
        reject-with=icmp-protocol-unreachable src-address=0.0.0.0/0
    add action=reject chain=output disabled=no dst-port=67-68 protocol=tcp \
        reject-with=icmp-protocol-unreachable src-address=0.0.0.0/0
    add action=reject chain=input disabled=no protocol=tcp reject-with=\
        icmp-protocol-unreachable src-address=0.0.0.0/0 src-port=67-68
    add action=reject chain=forward disabled=no protocol=tcp reject-with=\
        icmp-protocol-unreachable src-address=0.0.0.0/0 src-port=67-68
    add action=reject chain=output disabled=no protocol=tcp reject-with=\
        icmp-protocol-unreachable src-address=0.0.0.0/0 src-port=67-68
    • Drop traceroute and limit ping. The first two rules drop ICMP time-exceeded (11:0) and port-unreachable (3:3) messages in the forward chain, which hides the path through the router from traceroute. The third rule accepts up to 50 pings per 5 seconds (burst 2) to the router; on its own it limits nothing, because excess ICMP simply falls through to the later "Distribute Protocol" rules, which accept it. A drop for the remaining ICMP is added right after it here.
    /ip firewall filter
    add action=drop chain=forward comment="drop traceroute" disabled=no \
        icmp-options=11:0 protocol=icmp
    add action=drop chain=forward disabled=no icmp-options=3:3 protocol=icmp
    add action=accept chain=input comment="limited ping" disabled=no limit=50/5s,2 protocol=icmp
    add action=drop chain=input comment="ping above the limit" disabled=no protocol=icmp
    • Anti-flooding: connection flooding and port flooding. The first rule lists for one day any source that holds more than 100 TCP connections to the router (connection-limit=100,32 counts per /32), and the second tarpits further connections from listed hosts. The SYN-Protect chain is defined once below (the original pasted the jump twice, once disabled, and the chain body twice; the duplicates were dead rules). Two things to know about it. limit=400,5 is a single global budget, so one flooder exhausts it for every client. And action=accept inside a jumped-to chain is terminal: in the original, every SYN that fitted the budget was accepted right there and never reached the SSH brute-force, port-scanner and FTP rules further down, so those never fired on a SYN; the rule is changed to action=return below, which hands the packet back to the calling chain. The drop rule's comment "syn cookies" was a misnomer; real SYN cookies are a kernel setting (/ip settings set tcp-syncookies=yes). The DNS, HTTPS and HTTP limits apply to traffic to the router itself from any interface, including ether1-gateway, which leaves the router's resolver answering the Internet (up to 2400 queries per minute) if allow-remote-requests is on.
    /ip firewall filter
    add action=add-src-to-address-list address-list=blocked-addr \
        address-list-timeout=1d chain=input comment=\
        "1>limit incoming connection(Script Anti Flooding)" connection-limit=100,32 \
        disabled=no protocol=tcp
    add action=tarpit chain=input comment="2>action tarpit" connection-limit=3,32 \
        disabled=no protocol=tcp src-address-list=blocked-addr
    add action=jump chain=forward comment="3>SYN Flood protect" connection-state=new \
        disabled=no jump-target=SYN-Protect protocol=tcp tcp-flags=syn
    add action=jump chain=input connection-state=new disabled=no jump-target=\
        SYN-Protect protocol=tcp tcp-flags=syn
    add action=return chain=SYN-Protect connection-state=new disabled=no limit=\
        400,5 protocol=tcp tcp-flags=syn
    add action=drop chain=SYN-Protect comment="4>drop SYN over the limit" connection-state=new \
        disabled=no protocol=tcp tcp-flags=syn
    add action=accept chain=input comment="1>limited dns" disabled=no dst-port=53 \
        limit=2400/1m,5 protocol=udp
    add action=accept chain=input disabled=no dst-port=53 limit=2400/1m,5 protocol=\
        tcp
    add action=reject chain=input comment="2>all others go to hell" disabled=no \
        dst-port=53 protocol=udp reject-with=icmp-protocol-unreachable
    add action=reject chain=input disabled=no dst-port=53 protocol=tcp reject-with=\
        icmp-protocol-unreachable
    add action=accept chain=input comment="1>limited https" disabled=no dst-port=\
        443 limit=2400/1m,5 protocol=udp
    add action=accept chain=input disabled=no dst-port=443 limit=2400/1m,5 \
        protocol=tcp
    add action=reject chain=input comment="2>all others go to hell" disabled=no \
        dst-port=443 protocol=udp reject-with=icmp-network-unreachable
    add action=reject chain=input disabled=no dst-port=443 protocol=tcp \
        reject-with=icmp-network-unreachable
    add action=accept chain=input comment="1>limited http" disabled=no dst-port=80 \
        limit=2400/1m,5 protocol=udp
    add action=accept chain=input disabled=no dst-port=80 limit=2400/1m,5 protocol=\
        tcp
    add action=drop chain=input comment="2>all others go to hell" disabled=no \
        dst-port=80 protocol=udp
    add action=drop chain=input disabled=no dst-port=80 protocol=tcp
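A corrected version of the flood and DNS rules above, as an added example rather than the post's own rules: one SYN-Protect chain that returns instead of accepting, a per-source SYN budget via dst-limit in place of one global limit, the kernel's SYN cookies switched on, and a resolver that only answers the local networks. It assumes the address lists hotspot-clients (the hotspot DHCP network) and admin-lan (the ether2-local-master network) exist and uses the post's interface names; the list name syn-flooders and the numbers 20/1s, 50, 10s and 10m are placeholders to tune.

```routeros
# Added example: SYN-flood and DNS rules done once, per source, with return.
# Real SYN cookies live in the kernel, not in a filter rule.
/ip settings set tcp-syncookies=yes

/ip firewall filter
# New SYNs from both chains go through one chain.
add chain=input action=jump jump-target=SYN-Protect protocol=tcp \
    tcp-flags=syn connection-state=new comment="SYN flood protect"
add chain=forward action=jump jump-target=SYN-Protect protocol=tcp \
    tcp-flags=syn connection-state=new

# A source already flagged stays blocked until its list entry expires.
add chain=SYN-Protect action=drop protocol=tcp src-address-list=syn-flooders \
    comment="already flagged"
# Per-source budget: 20 SYNs/s with a burst of 50, tracked per src-address for
# 10 s after its last packet. "return" (not "accept") hands the packet back to
# the calling chain, so the port whitelist, brute-force and scan rules still see it.
add chain=SYN-Protect action=return protocol=tcp tcp-flags=syn \
    connection-state=new dst-limit=20/1s,50,src-address/10s
# Over budget: flag the source for 10 min, then drop this and its further SYNs.
add chain=SYN-Protect action=add-src-to-address-list address-list=syn-flooders \
    address-list-timeout=10m protocol=tcp tcp-flags=syn connection-state=new
add chain=SYN-Protect action=drop protocol=tcp tcp-flags=syn connection-state=new

# DNS served by the router: local networks only. Without a source match the
# post's accept+limit pair answers the Internet as well (open resolver).
add chain=input action=accept protocol=udp dst-port=53 \
    src-address-list=hotspot-clients limit=2400/1m,5 comment="DNS for hotspot"
add chain=input action=accept protocol=tcp dst-port=53 \
    src-address-list=hotspot-clients limit=2400/1m,5
add chain=input action=accept protocol=udp dst-port=53 src-address-list=admin-lan
add chain=input action=accept protocol=tcp dst-port=53 src-address-list=admin-lan
add chain=input action=drop protocol=udp dst-port=53 comment="DNS from anywhere else"
add chain=input action=drop protocol=tcp dst-port=53

# Checks: syn-flooders should be empty in normal operation, and a query sent
# to the router's ether1-gateway address from outside must time out.
/ip firewall address-list print where list=syn-flooders
/ip firewall filter print stats where comment="DNS from anywhere else"
```

The per-source budget means a single flooding client only starves itself; with the post's global limit=400,5 one such client made every other client's new connections fail as well.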
    • Reject all viruses. As pasted, this chain does nothing: no rule jumps to chain=virus, and both rules reject unconditionally, so if it were reached it would reject all client traffic rather than "viruses". The port-based worm blocks are the "Blocking UDP/TCP Packet" rules in the udp and tcp chains under "Protecting your router" below. Either leave this block out or fill the chain with port-specific rules and add a jump to it from forward.
    /ip firewall filter
    add action=reject chain=virus comment=Virus disabled=no in-interface=\
        ether3-hotspot protocol=0 reject-with=icmp-protocol-unreachable \
        src-address=(range-ip-hotspot anda)
    add action=reject chain=virus disabled=no in-interface=ether3-hotspot protocol=\
        0 reject-with=icmp-protocol-unreachable src-address=!(range-ip-hotspot anda)
    • Drop Netcut. After my post about Netcut, this is one of the solutions, using the firewall; remember it has to be combined with hotspot management, the script scheduler and the antenna (AP) settings. These rules stop Netcut and similar tools from scanning IP and MAC addresses through the router and then continuing their attack. Two corrections to the original: the rules placed in the icmp and udp chains matched protocol=tcp with reject-with=tcp-reset, which can never match inside those chains (via the jumps they only ever receive ICMP and UDP), so they are fixed to their own protocol below; and 11.8.15.254 further down is the author's hotspot gateway address, so replace it with yours. Keep in mind what an IP-layer filter can and cannot do here: it only sees traffic that passes through the router, so it stops clients reaching each other via the gateway, while the ARP poisoning that Netcut actually relies on happens on the shared wireless segment and never touches these rules.
    /ip firewall filter
    add action=reject chain=icmp comment="Drop Client-to-Client Connections" disabled=no \
        dst-address=(range-ip-hotspot anda) protocol=icmp reject-with=icmp-protocol-unreachable \
        src-address=(range-ip-hotspot anda)
    add action=reject chain=tcp disabled=no dst-address=(range-ip-hotspot anda) \
        protocol=tcp reject-with=tcp-reset src-address=(range-ip-hotspot anda)
    add action=reject chain=udp disabled=no dst-address=(range-ip-hotspot anda) \
        protocol=udp reject-with=icmp-port-unreachable src-address=(range-ip-hotspot anda)
    add action=reject chain=input disabled=no dst-address=(range-ip-hotspot anda) \
        protocol=igmp reject-with=icmp-protocol-unreachable src-address=\
        (range-ip-hotspot anda)
    add action=reject chain=output disabled=no dst-address=(range-ip-hotspot anda) \
        protocol=igmp reject-with=icmp-protocol-unreachable src-address=\
        (range-ip-hotspot anda)
    add action=reject chain=forward disabled=no dst-address=(range-ip-hotspot anda) \
        protocol=igmp reject-with=icmp-protocol-unreachable src-address=\
        (range-ip-hotspot anda)
    add action=reject chain=input disabled=no dst-address=(range-ip-hotspot anda) \
        in-interface=ether3-hotspot protocol=tcp reject-with=\
        icmp-protocol-unreachable src-address=(range-ip-hotspot anda)
    add action=reject chain=output disabled=no dst-address=(range-ip-hotspot anda) \
        protocol=tcp reject-with=tcp-reset src-address=(range-ip-hotspot anda)
    add action=reject chain=forward disabled=no dst-address=(range-ip-hotspot anda) \
        protocol=tcp reject-with=tcp-reset src-address=(range-ip-hotspot anda)
    add action=reject chain=input disabled=no dst-address=(range-ip-hotspot anda) \
        protocol=tcp reject-with=tcp-reset src-address=(range-ip-hotspot anda)
    add action=reject chain=input disabled=no dst-address=(range-ip-hotspot anda) \
        reject-with=icmp-protocol-unreachable src-address=(range-ip-hotspot anda)
    add action=reject chain=output disabled=no dst-address=(range-ip-hotspot anda) \
        reject-with=icmp-protocol-unreachable src-address=(range-ip-hotspot anda)
    add action=reject chain=forward disabled=no dst-address=(range-ip-hotspot anda) \
        reject-with=icmp-protocol-unreachable src-address=(range-ip-hotspot anda)
    add action=reject chain=input disabled=no dst-address=11.8.15.254 in-interface=\
        ether3-hotspot reject-with=icmp-protocol-unreachable src-address=\
        !(range-ip-hotspot anda)
    add action=reject chain=input disabled=no dst-address=(range-ip-hotspot anda) \
        in-interface=ether3-hotspot reject-with=icmp-protocol-unreachable \
        src-address=0.0.0.0
    add action=drop chain=input disabled=no dst-address=(range-ip-lan anda) \
        in-interface=ether3-hotspot src-address=(range-ip-hotspot anda)
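What the rules above cannot do is stop Netcut's ARP poisoning, because ARP never reaches the IP firewall. The following is an added example (not from the post) of the router-side ARP hardening that belongs with them; it uses the post's interface name and assumes the DHCP server for the hotspot runs on this router. The MAC address and 192.168.0.254 are placeholders.

```routeros
# Added example: stop the router from learning ARP from unsolicited replies.
# reply-only = answer ARP requests, never update the table dynamically.
/interface ethernet set ether3-hotspot arp=reply-only

# With reply-only only static ARP entries are usable, so a client must obtain
# its address from our DHCP server, which creates the entry per lease. A client
# with a self-assigned static IP now gets no ARP entry and therefore no gateway.
/ip dhcp-server set [find interface=ether3-hotspot] add-arp=yes

# Infrastructure on this segment that is not a DHCP client (e.g. an AP's
# management address) needs a manual entry. Placeholder values:
/ip arp add address=192.168.0.254 mac-address=00:11:22:33:44:55 \
    interface=ether3-hotspot comment="AP management (placeholder)"

# Checks: no dynamic (D) entries should appear on ether3-hotspot any more, and
# a spoofed "gateway is at <attacker MAC>" reply must leave the table unchanged.
/ip arp print where interface=ether3-hotspot
/ip dhcp-server lease print
```

This protects the router's own view of the clients. The victims' ARP caches can still be poisoned by a Netcut host on the same access point, since those frames never pass the router; client isolation on the WA-5210G (the AP setting the post refers to) is what stops client-to-client frames.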
    • Protecting your router. Five groups, in order: bogon filtering in the forward chain (0.0.0.0/8, 127.0.0.0/8 and 224.0.0.0/3 as source or destination; 239.0.0.0/8 lies inside 224.0.0.0/3, so those two rules are redundant), an SSH brute-force ladder, port-scan detection, FTP brute-force detection, and blocks for common worm, RPC and NetBIOS ports in the udp and tcp chains. The SSH ladder counts new TCP/22 connections: the first puts the source on ssh_stage1, the next one while it is still listed (each stage lasts 1 minute) moves it to stage2, then stage3, and the fourth lands it in ssh_blacklist for 1 week 3 days, where the first rule drops it. That catches a fast brute-forcer and nothing else; a tool that waits a little over a minute between attempts never leaves stage1. The port-scan rules list a source for 2 weeks when psd=21,3s,3,1 sees it reach a score of 21 within 3 seconds (low ports count 3, high ports 1), or when it sends TCP flag combinations no real stack produces (FIN only, SYN+FIN, SYN+RST, FIN+PSH+URG, all flags, no flags). The FTP rules watch the router's own replies for "530 Login incorrect" and, once a destination exceeds a burst of 9 and then 1 per minute, put that destination, i.e. the client, in ftp_blacklist for 3 hours; that is why this one uses add-dst-to-address-list. All of the SYN-based detection here depends on the SYN-Protect chain earlier returning packets rather than accepting them.
    /ip firewall filter
    add action=reject chain=forward comment="1>Block Bogus IP Address" disabled=no \
        reject-with=icmp-network-unreachable src-address=0.0.0.0/8
    add action=reject chain=forward disabled=no dst-address=0.0.0.0/8 reject-with=\
        icmp-network-unreachable
    add action=reject chain=forward disabled=no reject-with=\
        icmp-network-unreachable src-address=127.0.0.0/8
    add action=reject chain=forward disabled=no dst-address=127.0.0.0/8 \
        reject-with=icmp-network-unreachable
    add action=reject chain=forward disabled=no reject-with=\
        icmp-network-unreachable src-address=224.0.0.0/3
    add action=reject chain=forward disabled=no dst-address=224.0.0.0/3 \
        reject-with=icmp-network-unreachable
    add action=reject chain=forward disabled=no reject-with=\
        icmp-network-unreachable src-address=239.0.0.0/8
    add action=reject chain=forward disabled=no dst-address=239.0.0.0/8 \
        reject-with=icmp-network-unreachable
    add action=drop chain=input comment="2>Drop SSH brute forcers" disabled=no \
        dst-port=22 protocol=tcp src-address-list=ssh_blacklist
    add action=add-src-to-address-list address-list=ssh_blacklist \
        address-list-timeout=1w3d chain=input connection-state=new disabled=no \
        dst-port=22 protocol=tcp src-address-list=ssh_stage3
    add action=add-src-to-address-list address-list=ssh_stage3 \
        address-list-timeout=1m chain=input connection-state=new disabled=no \
        dst-port=22 protocol=tcp src-address-list=ssh_stage2
    add action=add-src-to-address-list address-list=ssh_stage2 \
        address-list-timeout=1m chain=input connection-state=new disabled=no \
        dst-port=22 protocol=tcp src-address-list=ssh_stage1
    add action=add-src-to-address-list address-list=ssh_stage1 \
        address-list-timeout=1m chain=input connection-state=new disabled=no \
        dst-port=22 protocol=tcp
    add action=add-src-to-address-list address-list="port scanners" \
        address-list-timeout=2w chain=input comment="3>Port Scanners to list" \
        disabled=no protocol=tcp psd=21,3s,3,1
    add action=add-src-to-address-list address-list="port scanners" \
        address-list-timeout=2w chain=input disabled=no protocol=tcp tcp-flags=\
        fin,!syn,!rst,!psh,!ack,!urg
    add action=add-src-to-address-list address-list="port scanners" \
        address-list-timeout=2w chain=input disabled=no protocol=tcp tcp-flags=\
        fin,syn
    add action=add-src-to-address-list address-list="port scanners" \
        address-list-timeout=2w chain=input disabled=no protocol=tcp tcp-flags=\
        syn,rst
    add action=add-src-to-address-list address-list="port scanners" \
        address-list-timeout=2w chain=input disabled=no protocol=tcp tcp-flags=\
        fin,psh,urg,!syn,!rst,!ack
    add action=add-src-to-address-list address-list="port scanners" \
        address-list-timeout=2w chain=input disabled=no protocol=tcp tcp-flags=\
        fin,syn,rst,psh,ack,urg
    add action=add-src-to-address-list address-list="port scanners" \
        address-list-timeout=2w chain=input disabled=no protocol=tcp tcp-flags=\
        !fin,!syn,!rst,!psh,!ack,!urg
    add action=drop chain=input disabled=no src-address-list="port scanners"
    add action=drop chain=input comment="4>Filter FTP to Box" disabled=no dst-port=\
        21 protocol=tcp src-address-list=ftp_blacklist
    add action=accept chain=output content="530 Login incorrect" disabled=no \
        dst-limit=1/1m,9,dst-address/1m protocol=tcp
    add action=add-dst-to-address-list address-list=ftp_blacklist \
        address-list-timeout=3h chain=output content="530 Login incorrect" \
        disabled=no protocol=tcp
    add action=reject chain=udp comment="5>Blocking UDP Packet" disabled=no \
        dst-port=69 protocol=udp reject-with=icmp-network-unreachable
    add action=reject chain=udp disabled=no dst-port=111 protocol=udp reject-with=\
        icmp-network-unreachable
    add action=reject chain=udp disabled=no dst-port=135 protocol=udp reject-with=\
        icmp-network-unreachable
    add action=reject chain=udp disabled=no dst-port=137-139 protocol=udp \
        reject-with=icmp-protocol-unreachable
    add action=reject chain=udp disabled=no dst-port=2049 protocol=udp reject-with=\
        icmp-network-unreachable
    add action=reject chain=udp disabled=no dst-port=3133 protocol=udp reject-with=\
        icmp-network-unreachable
    add action=reject chain=udp disabled=no dst-port=5355 protocol=udp reject-with=\
        icmp-protocol-unreachable
    add action=drop chain=tcp comment="6>Bloking TCP Packet" disabled=no dst-port=\
        69 protocol=tcp
    add action=drop chain=tcp disabled=no dst-port=111 protocol=tcp
    add action=drop chain=tcp disabled=no dst-port=119 protocol=tcp
    add action=drop chain=tcp disabled=no dst-port=135 protocol=tcp
    add action=drop chain=tcp disabled=no dst-port=137-139 protocol=tcp
    add action=drop chain=tcp disabled=no dst-port=445 protocol=tcp
    add action=drop chain=tcp disabled=no dst-port=2049 protocol=tcp
    add action=drop chain=tcp disabled=no dst-port=12345-12346 protocol=tcp
    add action=drop chain=tcp disabled=no dst-port=20034 protocol=tcp
    add action=drop chain=tcp disabled=no dst-port=3133 protocol=tcp
    add action=drop chain=tcp disabled=no dst-port=67-68 protocol=tcp
    • Drop tracert by Comodo Firewall. Comodo is software installed on the client side; we block this so that its automatic update/connectivity checks stop eating our bandwidth. 192.88.99.1 is not a Comodo-specific server: it is the 6to4 relay anycast address (RFC 3068, deprecated by RFC 7526), so dropping it also disables 6to4 tunnelling for clients, which is no loss on a network without IPv6.
    /ip firewall filter
    add action=drop chain=forward comment="Drop Comodo Tracert" disabled=no \
        dst-address=192.88.99.1
    add action=drop chain=input disabled=no dst-address=192.88.99.1
    add action=drop chain=output disabled=no dst-address=192.88.99.1
    • No torrent. Add this block if you do not want your clients using torrents. The p2p matcher only recognises unencrypted protocol signatures, so clients with encryption enabled slip through, and it was removed in RouterOS v7 (these rules load on v5 and v6 only).
    /ip firewall filter
    add action=drop chain=forward comment="No Torent" disabled=no p2p=all-p2p
    add action=drop chain=forward disabled=no p2p=bit-torrent
    add action=drop chain=forward disabled=no p2p=blubster
    add action=drop chain=forward disabled=no p2p=direct-connect
    add action=drop chain=forward disabled=no p2p=edonkey
    add action=drop chain=forward disabled=no p2p=fasttrack
    add action=drop chain=forward disabled=no p2p=gnutella
    add action=drop chain=forward disabled=no p2p=soulseek
    add action=drop chain=forward disabled=no p2p=warez
    add action=drop chain=forward disabled=no p2p=winmx
    • Sort the recommended protocols and reject the non-recommended ones. These accept TCP, UDP and ICMP arriving from ether3-hotspot in the input and forward chains (whatever a client could send that survived the rejects above) and reject any other protocol (same protocol=0 caveat as before: leave the parameter off to match "anything else").
    /ip firewall filter
    add action=accept chain=input comment="Distribute Protocol" disabled=no \
        in-interface=ether3-hotspot protocol=tcp
    add action=accept chain=input disabled=no in-interface=ether3-hotspot protocol=\
        udp
    add action=accept chain=input disabled=no in-interface=ether3-hotspot protocol=\
        icmp
    add action=reject chain=input disabled=no in-interface=ether3-hotspot protocol=\
        0 reject-with=icmp-protocol-unreachable
    add action=accept chain=forward disabled=no in-interface=ether3-hotspot \
        protocol=tcp
    add action=accept chain=forward disabled=no in-interface=ether3-hotspot \
        protocol=udp
    add action=accept chain=forward disabled=no in-interface=ether3-hotspot \
        protocol=icmp
    add action=reject chain=forward disabled=no in-interface=ether3-hotspot \
        protocol=0 reject-with=icmp-protocol-unreachable
    • Open all connections to the router from ether2-local-master. This is the right idea but placed last, after every rule that already rejects or accepts; it belongs near the top of the input chain.
    /ip firewall filter
    add action=accept chain=input comment=\
        "Allow access to router from known network" disabled=no in-interface=\
        ether2-local-master src-address=(range-ip-local-master anda)
    • Open the allowed connections. Drop invalid TCP, accept established and related connections, then hand each protocol to its own chain (tcp, udp, icmp). Note that the established/related accept sits here, after some three hundred rules: every packet of every existing flow is matched against all of them first. On an RB750GL that is CPU spent for nothing; moving these two accepts to the top of the forward chain (/ip firewall filter move) keeps the same policy at a fraction of the cost.
    /ip firewall filter
    add action=drop chain=forward comment=\
        "1>Keep Protect The Customer" connection-state=invalid \
        disabled=no protocol=tcp
    add action=accept chain=forward comment="......" connection-state=established \
        disabled=no
    add action=accept chain=forward comment="2>allow related connections" \
        connection-state=related disabled=no
    add action=jump chain=forward comment="Separate Protocol into Chains" disabled=\
        no jump-target=tcp protocol=tcp
    add action=jump chain=forward disabled=no jump-target=udp protocol=udp
    add action=jump chain=forward disabled=no jump-target=icmp protocol=icmp
    • Sort the protocols again and reject everything else (not allowed). Unlike the earlier copy these rules have no in-interface, so they also accept any TCP, UDP or ICMP that reaches the input chain from ether1-gateway: Winbox (8291), the API (8728), telnet (23), SSH (22, subject only to the ladder) and the web interface (80, within the 2400-per-minute limit) all become reachable from the Internet once these are in place. If you keep them, restrict the input versions to in-interface=ether3-hotspot and put a drop for ether1-gateway in front of them.
    /ip firewall filter
    add action=accept chain=input comment="Distribute Protocol" disabled=no \
        protocol=tcp
    add action=accept chain=input disabled=no protocol=udp
    add action=accept chain=input disabled=no protocol=icmp
    add action=reject chain=input disabled=no reject-with=icmp-protocol-unreachable
    add action=accept chain=forward disabled=no protocol=tcp
    add action=accept chain=forward disabled=no protocol=udp
    add action=accept chain=forward disabled=no protocol=icmp
    add action=reject chain=forward disabled=no reject-with=\
        icmp-protocol-unreachable
    • Close all other connections.
    /ip firewall filter
    add action=drop chain=forward comment="drop everything else" disabled=no
    With the firewall above you have a second line of defence for your network against connection and SYN flooding, port scans, SSH and FTP brute force, worm traffic on the blocked ports and clients reaching each other through the router. On its own it does not stop Netcut, MAC cloning, sniffing or ARP spoofing: those happen at layer 2 on the shared wireless segment, below anything an IP firewall sees, and need the AP settings and the hotspot/ARP measures referred to above. Nor does it stop a volumetric DDoS that fills the uplink before the router ever sees the packets.
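To close the gap left by the last "Distribute Protocol" block, here is an added example (not the post's ruleset) of the rules that should sit in front of it: they state what the router itself will answer, and from whom, and drop everything new that arrives on the uplink. It assumes the post's interface names and the address lists hotspot-clients (the hotspot DHCP network) and admin-lan (the ether2-local-master network). Paste it before the post's rules, since rules are matched in order; anything not decided here continues into them.

```routeros
# Added example: input-chain front matter. Paste BEFORE the post's rules, or add
# each line with place-before=[find comment="1>drop invalid connections"].
/ip firewall filter
# Fast path: packets of flows already accepted skip every rule below.
add chain=input action=accept connection-state=established,related \
    comment="input: established/related"
add chain=input action=drop connection-state=invalid comment="input: invalid"

# Management (Winbox, SSH, web, API) only from the admin LAN on its own port.
add chain=input action=accept in-interface=ether2-local-master \
    src-address-list=admin-lan comment="input: management from admin LAN"

# What a hotspot user may ask the router for:
#  - DHCP: the first request comes from 0.0.0.0, so no source match here
add chain=input action=accept in-interface=ether3-hotspot protocol=udp dst-port=67 \
    comment="input: DHCP from hotspot"
#  - DNS and the hotspot login page (80/443), from leased addresses only
add chain=input action=accept in-interface=ether3-hotspot \
    src-address-list=hotspot-clients protocol=udp dst-port=53
add chain=input action=accept in-interface=ether3-hotspot \
    src-address-list=hotspot-clients protocol=tcp dst-port=53,80,443
#  - limited ping
add chain=input action=accept in-interface=ether3-hotspot \
    src-address-list=hotspot-clients protocol=icmp limit=50/5s,2

# Uplink: nothing may open a session to the router. Log a sample (5/min) so
# probes stay visible, then drop. Hotspot traffic not matched above continues
# into the post's rules, which reject self-assigned addresses and odd ports.
add chain=input action=log in-interface=ether1-gateway \
    limit=5/1m,5 log-prefix="wan-input-drop:"
add chain=input action=drop in-interface=ether1-gateway \
    comment="input: drop everything from the uplink"

# Checks: from the ether1-gateway side, connects to 22, 8291 and 80 must time
# out; from a hotspot client the login page must still load (RouterOS inserts
# the hotspot's own dynamic hs-input rules ahead of the static ones; verify it).
/ip firewall filter print stats where chain=input
/log print where message~"wan-input-drop"
```

With these in front, the SSH ladder, port-scan and FTP rules in the post only ever see traffic from the hotspot and admin networks, which is where a brute-forcer on this topology would actually sit.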

    That's it for now; it was tiring to put together, and I'm sure it was for you too. Because I'm tired I've decided to end this post here. My next post will cover Effectively Tackling Vulnerabilities Using the MikroTik System Script Scheduler, the third line of prevention against Netcut and MAC cloning.
    source: http://yucan-skiess.blogspot.com/

     
