Topic: Introduction to and Installation of MikroTik

  1. #4
    Forum member: alireza.076

    Re: Introduction to and Installation of MikroTik

    Filter

    Filter is one part of the firewall.
    What is a firewall?
    Literally, "firewall" means a wall of fire, but conceptually it is like a wall built around a city, with passages in it like city gates, where guards are stationed to control who comes and goes.
    In a network, firewalls are usually installed on the gateway and control all traffic passing through it. They are usually responsible for protecting internal information against attacks from outside.
    Firewalls may follow different strategies, depending on the type of network and the type and level of protection.
    MikroTik has a powerful packet filter, whose features are listed below.


    • stateful packet filtering
    • peer-to-peer protocols filtering
    • traffic classification by:
      • source MAC address
      • IP addresses (network or list) and address types (broadcast, local, multicast, unicast)
      • port or port range
      • IP protocols
      • protocol options (ICMP type and code fields, TCP flags, IP options and MSS)
      • interface the packet arrived from or left through
      • internal flow and connection marks
      • ToS (DSCP) byte
      • packet content
      • rate at which packets arrive and sequence numbers
      • packet size
      • packet arrival time
      • and much more!



    General Filtering Principle

    The firewall is built on its rules; that is, the firewall and the router do what the rules tell them to. Each rule consists of 2 parts: the first part specifies which packets match the rule, and the second part specifies the action to be taken on the packet.
    Rules are grouped by their chain for easier management. By default each rule can have one of 3 states: input, forward and output, which mean packets destined for the router, packets passing through the router, and packets leaving with the router as their source. Further ones can also be defined manually for the firewall.

    Property Description

    • action (accept | add-dst-to-address-list | add-src-to-address-list | drop | jump | log | passthrough | reject | return | tarpit; default: accept) - action to undertake if the packet matches the rule
      • accept - accept the packet. No action is taken, i.e. the packet is passed through and no more rules are applied to it
      • add-dst-to-address-list - adds destination address of an IP packet to the address list specified by address-list parameter
      • add-src-to-address-list - adds source address of an IP packet to the address list specified by address-list parameter
      • drop - silently drop the packet (without sending the ICMP reject message)
      • jump - jump to the chain specified by the value of the jump-target parameter
      • log - each match with this action will add a message to the system log
      • passthrough - ignores this rule and goes on to the next one
      • reject - reject the packet and send an ICMP reject message
      • return - passes control back to the chain from where the jump took place
      • tarpit - captures and holds incoming TCP connections (replies with SYN/ACK to the inbound TCP SYN packet)
    • address-list (name) - specifies the name of the address list to collect IP addresses from rules having action=add-dst-to-address-list or action=add-src-to-address-list actions. These address lists could be later used for packet matching
    • address-list-timeout (time; default: 00:00:00) - time interval after which the address will be removed from the address list specified by address-list parameter. Used in conjunction with add-dst-to-address-list or add-src-to-address-list actions
      • 00:00:00 - leave the address in the address list forever
    • chain (forward | input | output | name) - specifies the chain to put a particular rule into. As the different traffic is passed through different chains, always be careful in choosing the right chain for a new rule. If the input does not match the name of an already defined chain, a new chain will be created
    • comment (text) - a descriptive comment for the rule. A comment can be used to identify rules from scripts
    • connection-bytes (integer-integer) - matches packets only if a given amount of bytes has been transferred through the particular connection
      • 0 - means infinity, exempli gratia: connection-bytes=2000000-0 means that the rule matches if more than 2MB has been transferred through the relevant connection
    • connection-limit (integer,netmask) - restrict connection limit per address or address block
    • connection-mark (name) - matches packets marked via mangle facility with particular connection mark
    • connection-state (established | invalid | new | related) - interprets the connection tracking analysis data for a particular packet
      • established - a packet which belongs to an existing connection, exempli gratia a reply packet or a packet which belongs to already replied connection
      • invalid - a packet which could not be identified for some reason. This includes out of memory condition and ICMP errors which do not correspond to any known connection. It is generally advised to drop these packets
      • new - a packet which begins a new TCP connection
      • related - a packet which is related to, but not part of an existing connection, such as ICMP errors or a packet which begins FTP data connection (the latter requires enabled FTP connection tracking helper under /ip firewall service-port)
    • connection-type (ftp | gre | h323 | irc | mms | pptp | quake3 | tftp) - matches packets from related connections based on information from their connection tracking helpers. A relevant connection helper must be enabled under /ip firewall service-port
    • content (text) - the text packets should contain in order to match the rule
    • dst-address (IP address/netmask | IP address-IP address) - specifies the address range an IP packet is destined to. Note that console converts entered address/netmask value to a valid network address, i.e. 1.1.1.1/24 is converted to 1.1.1.0/24
    • dst-address-list (name) - matches destination address of a packet against user-defined address list
    • dst-address-type (unicast | local | broadcast | multicast) - matches destination address type of the IP packet, one of the:
      • unicast - IP addresses used for one point to another point transmission. There is only one sender and one receiver in this case
      • local - matches addresses assigned to router's interfaces
      • broadcast - the IP packet is sent from one point to all other points in the IP subnetwork
      • multicast - this type of IP addressing is responsible for transmission from one or more points to a set of other points
    • dst-limit (integer/time{0,1},integer,dst-address | dst-port | src-address{+},time{0,1}) - limits the packet per second (pps) rate on a per destination IP or per destination port base. As opposed to the limit match, every destination IP address / destination port has its own limit. The options are as follows (in order of appearance):
      • Count - maximum average packet rate, measured in packets per second (pps), unless followed by Time option
      • Time - specifies the time interval over which the packet rate is measured
      • Burst - number of packets to match in a burst
      • Mode - the classifier(-s) for packet rate limiting
      • Expire - specifies interval after which recorded IP addresses / ports will be deleted
    • dst-port (integer: 0..65535-integer: 0..65535{*}) - destination port number or range
    • hotspot (multiple choice: from-client | auth | local-dst | http) - matches packets received from clients against various Hot-Spot. All values can be negated
      • from-client - true, if a packet comes from HotSpot client
      • auth - true, if a packet comes from authenticated client
      • local-dst - true, if a packet has local destination IP address
      • hotspot - true, if it is a TCP packet from client and either the transparent ***** on port 80 is enabled or the client has a ***** address configured and this address is equal to the address:port pair of the IP packet
    • icmp-options (integer:integer) - matches ICMP Type:Code fields
    • in-interface (name) - interface the packet has entered the router through
    • ipv4-options (any | loose-source-routing | no-record-route | no-router-alert | no-source-routing | no-timestamp | none | record-route | router-alert | strict-source-routing | timestamp) - match ipv4 header options
      • any - match packet with at least one of the ipv4 options
      • loose-source-routing - match packets with loose source routing option. This option is used to route the internet datagram based on information supplied by the source
      • no-record-route - match packets with no record route option. This option is used to route the internet datagram based on information supplied by the source
      • no-router-alert - match packets with no router alert option
      • no-source-routing - match packets with no source routing option
      • no-timestamp - match packets with no timestamp option
      • record-route - match packets with record route option
      • router-alert - match packets with router alert option
      • strict-source-routing - match packets with strict source routing option
      • timestamp - match packets with timestamp
    • jump-target (forward | input | output | name) - name of the target chain to jump to, if the action=jump is used
    • limit (integer/time{0,1},integer) - restricts packet match rate to a given limit. Useful to reduce the amount of log messages
      • Count - maximum average packet rate, measured in packets per second (pps), unless followed by Time option
      • Time - specifies the time interval over which the packet rate is measured
      • Burst - number of packets to match in a burst
    • log-prefix (text) - all messages written to logs will contain the prefix specified herein. Used in conjunction with action=log
    • nth (integer,integer: 0..15,integer{0,1}) - match a particular Nth packet received by the rule. One of 16 available counters can be used to count packets
      • Every - match every Every+1th packet. For example, if Every=1 then the rule matches every 2nd packet
      • Counter - specifies which counter to use. A counter increments each time the rule containing nth match matches
      • Packet - match on the given packet number. The value by obvious reasons must be between 0 and Every. If this option is used for a given counter, then there must be at least Every+1 rules with this option, covering all values between 0 and Every inclusively.
    • out-interface (name) - interface the packet will leave the router through
    • p2p (all-p2p | bit-torrent | blubster | direct-connect | edonkey | fasttrack | gnutella | soulseek | warez | winmx) - matches packets from various peer-to-peer (P2P) protocols
    • packet-mark (text) - matches packets marked via mangle facility with particular packet mark
    • packet-size (integer: 0..65535-integer: 0..65535{0,1}) - matches packet of the specified size or size range in bytes
      • Min - specifies lower boundary of the size range or a standalone value
      • Max - specifies upper boundary of the size range
    • phys-in-interface (name) - matches the bridge port physical input device added to a bridge device. It is only useful if the packet has arrived through the bridge
    • phys-out-interface (name) - matches the bridge port physical output device added to a bridge device. It is only useful if the packet will leave the router through the bridge
    • protocol (ddp | egp | encap | ggp | gre | hmp | icmp | idrp-cmtp | igmp | ipencap | ipip | ipsec-ah | ipsec-esp | iso-tp4 | ospf | pup | rdp | rspf | st | tcp | udp | vmtp | xns-idp | xtp | integer) - matches particular IP protocol specified by protocol name or number. You should specify this setting if you want to specify ports
    • psd (integer,time,integer,integer) - attempts to detect TCP and UDP scans. It is advised to assign lower weight to ports with high numbers to reduce the frequency of false positives, such as from passive mode FTP transfers
      • WeightThreshold - total weight of the latest TCP/UDP packets with different destination ports coming from the same host to be treated as port scan sequence
      • DelayThreshold - delay for the packets with different destination ports coming from the same host to be treated as possible port scan subsequence
      • LowPortWeight - weight of the packets with privileged (<=1024) destination port
      • HighPortWeight - weight of the packet with non-privileged destination port
    • random (integer: 1..99) - matches packets randomly with given probability
    • reject-with (icmp-admin-prohibited | icmp-echo-reply | icmp-host-prohibited | icmp-host-unreachable | icmp-net-prohibited | icmp-network-unreachable | icmp-port-unreachable | icmp-protocol-unreachable | tcp-reset | integer) - alters the reply packet of reject action
    • routing-mark (name) - matches packets marked by mangle facility with particular routing mark
    • src-address (IP address/netmask | IP address-IP address) - specifies the address range an IP packet is originated from. Note that console converts entered address/netmask value to a valid network address, i.e. 1.1.1.1/24 is converted to 1.1.1.0/24
    • src-address-list (name) - matches source address of a packet against user-defined address list
    • src-address-type (unicast | local | broadcast | multicast) - matches source address type of the IP packet, one of the:
      • unicast - IP addresses used for one point to another point transmission. There is only one sender and one receiver in this case
      • local - matches addresses assigned to router's interfaces
      • broadcast - the IP packet is sent from one point to all other points in the IP subnetwork
      • multicast - this type of IP addressing is responsible for transmission from one or more points to a set of other points
    • src-mac-address (MAC address) - source MAC address
    • src-port (integer: 0..65535-integer: 0..65535{*}) - source port number or range
    • tcp-flags (ack | cwr | ece | fin | psh | rst | syn | urg) - tcp flags to match
      • ack - acknowledging data
      • cwr - congestion window reduced
      • ece - ECN-echo flag (explicit congestion notification)
      • fin - close connection
      • psh - push function
      • rst - drop connection
      • syn - new connection
      • urg - urgent data
    • tcp-mss (integer: 0..65535) - matches TCP MSS value of an IP packet
    • time (time-time,sat | fri | thu | wed | tue | mon | sun{+}) - allows to create filter based on the packets' arrival time and date or, for locally generated packets, departure time and date
    • tos (max-reliability | max-throughput | min-cost | min-delay | normal) - specifies a match for the value of Type of Service (ToS) field of an IP header
      • max-reliability - maximize reliability (ToS=4)
      • max-throughput - maximize throughput (ToS=8)
      • min-cost - minimize monetary cost (ToS=2)
      • min-delay - minimize delay (ToS=16)
      • normal - normal service (ToS=0)

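A stateful input-chain rule set built from the properties listed in the post above, as an added example that is not part of the original post or of MikroTik's documentation. The interface name `ether2`, the 192.0.2.0/24 admin subnet, the `port_scanners` list, the `icmp_in` chain and every threshold are assumed values, and the syntax follows the property forms given in the post.

```routeros
/ip firewall filter
# Stateful baseline: let through traffic that belongs to, or is related to,
# connections the router has already accepted.
add chain=input connection-state=established action=accept comment="established"
add chain=input connection-state=related action=accept comment="related"
# The property list advises dropping connection-state=invalid.
add chain=input connection-state=invalid action=drop comment="invalid"

# psd=WeightThreshold,DelayThreshold,LowPortWeight,HighPortWeight
# Record the source of a suspected TCP scan for one day (assumed timeout).
# This action does not end processing, so the next rule drops the packet.
add chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list \
    address-list=port_scanners address-list-timeout=1d comment="flag scanners"
add chain=input src-address-list=port_scanners action=drop comment="drop scanners"

# ICMP is handled in a user-defined chain (assumed name icmp_in).
# action=return hands unmatched packets back to the rule after the jump.
add chain=input protocol=icmp action=jump jump-target=icmp_in
add chain=icmp_in protocol=icmp icmp-options=8:0 limit=5,10 action=accept \
    comment="echo request, rate limited"
add chain=icmp_in action=return

# Management access only from the assumed admin subnet on the assumed LAN port.
add chain=input in-interface=ether2 src-address=192.0.2.0/24 protocol=tcp \
    dst-port=22 action=accept comment="ssh from admin net"

# Log a rate-limited sample of what is about to be dropped, then default-deny.
add chain=input limit=1,5 action=log log-prefix="input-drop"
add chain=input action=drop comment="default deny"
```

Rule order matters here: the first terminating match (accept or drop) wins, so the final drop only sees packets that no earlier rule accepted.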