Hm. Ok. Odd.

So, something more like:

add action=log chain=IPS log-prefix=port_scan: protocol=tcp psd=10,3s,3,1
add action=drop chain=IPS protocol=tcp psd=10,3s,3,1
add action=tarpit chain=IPS protocol=tcp src-address-list=black_list
add action=log chain=IPS connection-limit=10,32 log-prefix=blacklist:
add action=add-src-to-address-list address-list=black_list address-list-timeout=1d chain=IPS connection-limit=10,32
add action=return chain=IPS limit=10,5 protocol=icmp
add action=log chain=IPS log-prefix=ping_flood: protocol=icmp
add action=return chain=IPS
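As an added illustration (not code from the thread), a small Python model of why the rule order matters for the ICMP rules: a `log` rule carrying `limit=10,5` logs the packets that are *within* the rate, while a `return` rule carrying the limit lets those through and leaves only the excess for an unconditional `log`. The model assumes the RouterOS `limit=rate,burst` matcher behaves like a token bucket (burst tokens to start, refilled at rate per second); the traffic is constructed.

```python
from fractions import Fraction


class Limit:
    """Token-bucket approximation of RouterOS 'limit=rate,burst' (an assumption
    for this example): 'burst' tokens to start, refilled at 'rate' per second,
    one token consumed per matched packet."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens = Fraction(burst)
        self.last_ms = 0

    def matches(self, t_ms):
        refill = Fraction((t_ms - self.last_ms) * self.rate, 1000)
        self.tokens = min(Fraction(self.burst), self.tokens + refill)
        self.last_ms = t_ms
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


def count_logged(rules, packet_times_ms):
    """Walk an ICMP packet stream (timestamps in ms) through a chain of
    (action, matcher) rules. 'log' is non-terminating, 'return' ends the
    chain for that packet. Returns how many packets produced a log line."""
    logged = 0
    for t in packet_times_ms:
        for action, matcher in rules:
            if matcher is not None and not matcher.matches(t):
                continue
            if action == "log":
                logged += 1
            elif action == "return":
                break
    return logged


def original_chain():
    # add action=log chain=IPS limit=10,5 log-prefix=ping_flood: protocol=icmp
    return [("log", Limit(10, 5)), ("return", None)]


def revised_chain():
    # add action=return chain=IPS limit=10,5 protocol=icmp
    # add action=log chain=IPS log-prefix=ping_flood: protocol=icmp
    return [("return", Limit(10, 5)), ("log", None), ("return", None)]


# Constructed traffic: one second of normal pings at 5 pps, then one second at 100 pps.
NORMAL = [i * 200 for i in range(5)]
FLOOD = [1000 + i * 10 for i in range(100)]

if __name__ == "__main__":
    for name, build in (("original", original_chain), ("revised", revised_chain)):
        print(name, count_logged(build(), NORMAL), count_logged(build(), NORMAL + FLOOD))
```

With this model the original order logs all 5 normal pings and only 14 of the 100 flood packets, whereas the revised order logs none of the normal pings and 86 of the flood packets, so the log prefix actually marks excess traffic.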

Chupaka <mailto:[email protected]>
September 13, 2012 14:21
add action=log chain=IPS limit=10,5 log-prefix=ping_flood: protocol=icmp

This will log any ICMP up to 10 packets per second, not more - I don't think
it's what you need.



2012/9/13 Jacob Heider <[email protected]>

_______________________________________________
Mikrotik mailing list
[email protected]
http://www.butchevans.com/mailman/listinfo/mikrotik

Visit http://blog.butchevans.com/ for tutorials related to Mikrotik RouterOS

Jacob Heider <mailto:[email protected]>
September 13, 2012 13:27
Soon, I will be installing a routerboard (probably a 2011) for a bank as their primary router/firewall. Based on a little light reading, I'm probably going to be using the following as a basic IPS configuration:

/ip firewall filter
add action=jump chain=input in-interface=ether1 jump-target=IPS
[other input blocking rules]
add action=jump chain=forward in-interface=ether1 jump-target=IPS
add action=log chain=IPS limit=10,5 log-prefix=ping_flood: protocol=icmp
add action=log chain=IPS log-prefix=port_scan: protocol=tcp psd=10,3s,3,1
add action=drop chain=IPS protocol=tcp psd=10,3s,3,1
add action=tarpit chain=IPS protocol=tcp src-address-list=black_list
add action=log chain=IPS connection-limit=10,32 log-prefix=blacklist:
add action=add-src-to-address-list address-list=black_list address-list-timeout=1d chain=IPS connection-limit=10,32
add action=return chain=IPS

Anyone tried to satisfy security requirements for a U.S. bank using MT's filtering rules? Any suggestions?
