Pertama kita buat address-list “trusted-network” yang berisi alamat IP yang berhak mengakses router dan masuk dalam kategori �Trusted Network�.
Dalam contoh berikut ini, saya menggunakan IP lokal network / LAN 192.168.1.0/24. Dan IP public 202.152.x.x dari akses internet rumah saya. Anda bisa menambahkan list IP tersebut agar dapat mengakses routernya.
/ip firewall address-list add list=trusted-network address=192.168.1.0/24 comment=”Trusted Network” disabled=no
/ip firewall address-list add list=trusted-network address=202.152.x.x/24 comment=”Trusted Network” disabled=no
Selanjutnya buat chain virus agar port-port yang sering dimanfaatkan virus di blok sehingga traffic virus tidak dapat dilewatkan, tetapi perlu diperhatikan jika ada user yang kesulitan mengakses service tertentu apakah port yang dibutuhkan user tersebut terblok oleh firewall.
/ip firewall filter add chain=forward connection-state=established action=accept comment=”Allow Established Connections” disabled=no
/ip firewall filter add chain=forward connection-state=related action=accept comment=”Allow Related Connections” disabled=no
/ip firewall filter add chain=virus protocol=udp dst-port=135-139 action=drop comment=”Drop Messenger Worm” disabled=no
/ip firewall filter add chain=forward connection-state=invalid action=drop comment=”Drop Invalid Connections” disabled=no
/ip firewall filter add chain=virus protocol=tcp dst-port=135-139 action=drop comment=”Drop Blaster Worm” disabled=no
/ip firewall filter add chain=virus protocol=tcp dst-port=1433-1434 action=drop comment=”Worm” disabled=no
/ip firewall filter add chain=virus protocol=tcp dst-port=445 action=drop comment=”Drop Blaster Worm” disabled=no
/ip firewall filter add chain=virus protocol=udp dst-port=445 action=drop comment=”Drop Blaster Worm” disabled=no
/ip firewall filter add chain=virus protocol=tcp dst-port=593 action=drop comment=”________” disabled=no
/ip firewall filter add chain=virus protocol=tcp dst-port=1024-1030 action=drop comment=”________” disabled=no
/ip firewall filter add chain=virus protocol=tcp dst-port=1080 action=drop comment=”Drop MyDoom” disabled=no
/ip firewall filter add chain=virus protocol=tcp dst-port=1214 action=drop comment=”________” disabled=no
/ip firewall filter add chain=virus protocol=tcp dst-port=1363 action=drop comment=”NDM Requester” disabled=no
/ip firewall filter add chain=virus protocol=tcp dst-port=1364 action=drop comment=”NDM Server” disabled=no
/ip firewall filter add chain=virus protocol=tcp dst-port=1368 action=drop comment=”Screen Cast” disabled=no
/ip firewall filter add chain=virus protocol=tcp dst-port=1373 action=drop comment=”Hromgrafx” disabled=no
/ip firewall filter add chain=virus protocol=tcp dst-port=1377 action=drop comment=”Cichlid” disabled=no
/ip firewall filter add chain=virus protocol=tcp dst-port=2745 action=drop comment=”Bagle Virus” disabled=no
/ip firewall filter add chain=virus protocol=tcp dst-port=2283 action=drop comment=”Drop Dumaru.Y” disabled=no
/ip firewall filter add chain=virus protocol=tcp dst-port=2535 action=drop comment=”Drop Beagle” disabled=no
/ip firewall filter add chain=virus protocol=tcp dst-port=2745 action=drop comment=”Drop Beagle.C-K” disabled=no
/ip firewall filter add chain=virus protocol=tcp dst-port=3127 action=drop comment=”Drop MyDoom” disabled=no
/ip firewall filter add chain=virus protocol=tcp dst-port=3410 action=drop comment=”Drop Backdoor OptixPro” disabled=no
/ip firewall filter add chain=virus protocol=tcp dst-port=4444 action=drop comment=”Worm” disabled=no
/ip firewall filter add chain=virus protocol=udp dst-port=4444 action=drop comment=”Worm” disabled=no
/ip firewall filter add chain=virus protocol=tcp dst-port=5554 action=drop comment=”Drop Sasser” disabled=no
/ip firewall filter add chain=virus protocol=tcp dst-port=8866 action=drop comment=”Drop Beagle.B” disabled=no
/ip firewall filter add chain=virus protocol=tcp dst-port=9898 action=drop comment=”Drop Dabber.A-B” disabled=no
/ip firewall filter add chain=virus protocol=tcp dst-port=10000 action=drop comment=”Drop Dumaru.Y, sebaiknya disable karena juga sering digunakan utk vpn / webmin” disabled=yes
/ip firewall filter add chain=virus protocol=tcp dst-port=10080 action=drop comment=”Drop MyDoom.B” disabled=no
/ip firewall filter add chain=virus protocol=tcp dst-port=12345 action=drop comment=”Drop NetBus” disabled=no
/ip firewall filter add chain=virus protocol=tcp dst-port=17300 action=drop comment=”Drop Kuang2″ disabled=no
/ip firewall filter add chain=virus protocol=tcp dst-port=27374 action=drop comment=”Drop SubSeven” disabled=no
/ip firewall filter add chain=virus protocol=tcp dst-port=65506 action=drop comment=”Drop PhatBot, Agobot, Gaobot” disabled=no
Jump semua paket yang melewati router ke dalam virus chain
/ip firewall filter add chain=forward action=jump jump-target=virus comment=”Jump to The Virus Chain” disabled=no
Accept Established and Related Connection
/ip firewall filter add chain=input connection-state=established action=accept comment=”Accept Established Connections” disabled=no
/ip firewall filter add chain=input connection-state=related action=accept comment=”Accept Related Connections” disabled=no
Drop Invalid Connection
/ip firewall filter add chain=input connection-state=invalid action=drop comment=”Drop Invalid Connections” disabled=no
Accept UDP Connection, Limited Pings and Drop Excess Ping
/ip firewall filter add chain=input protocol=udp action=accept comment=”UDP” disabled=no
/ip firewall filter add chain=input protocol=icmp limit=50/5s,2 action=accept comment=”Allow Limited Pings” disabled=no
/ip firewall filter add chain=input protocol=icmp action=drop comment=”Drop Excess Pings” disabled=no
Allow Input Connection From Trusted Networks
/ip firewall filter add chain=input protocol=tcp dst-port=21 src-address-list=trusted-network action=accept comment=”FTP” disabled=no
/ip firewall filter add chain=input protocol=tcp dst-port=22 src-address-list=trusted-network action=accept comment=”SSH for Secure Shell” disabled=no
/ip firewall filter add chain=input protocol=tcp dst-port=23 src-address-list=trusted-network action=accept comment=”Telnet” disabled=no
/ip firewall filter add chain=input protocol=tcp dst-port=80 src-address-list=trusted-network action=accept comment=”Web” disabled=no
/ip firewall filter add chain=input protocol=tcp dst-port=8291 src-address-list=trusted-network action=accept comment=”Winbox” disabled=no
/ip firewall filter add chain=input protocol=tcp dst-port=1723 action=accept comment=”pptp-server” disabled=no
/ip firewall filter add chain=input src-address-list=trusted-network action=accept comment=”From Trusted Network” disabled=no
Log All and Drop Everything Else
/ip firewall filter add chain=input action=log log-prefix=”DROP INPUT” comment=”Log Everything Else” disabled=no
/ip firewall filter add chain=input action=drop comment=”Drop Everything Else” disabled=no
Dengan Firewall diatas maka :
- Router hanya dapat diakses service FTP, SSH, Web dan Winbox dari IP yang telah didefinisikan dalam address-list “trusted-network”.
- Port-port yang sering dimanfaatkan oleh virus di blok oleh Router sehingga traffic virus tidak dapat melewati Router, tetapi perlu diperhatikan jika ada user yang mengakses service tertentu harus dicek pada chain=”virus” apakah port yang dibutuhkan user tersebut terblok oleh firewall atau tidak.
- Ping Request dibatasi untuk menghindari excess ping.
NB : Perlu diperhatikan bahwa default user dari mikrotik ini adalah admin. Untuk lebih safe nya, buat user baru dan password dengan group full kemudian disable user admin, hal ini untuk meminimasi resiko router mikrotik di hack orang.
EmoticonEmoticon