[ Robinson_back @ 03.12.2008. 18:53 ] @
Is it normal that the firewall in RouterOS 3.13 comes with default settings? There's a whole pile of stuff in there. Can someone explain what this is actually about??
[ Sa$a @ 03.12.2008. 22:01 ] @
This is all you have when you keep the init config (v3.16, and maybe earlier too):

[admin@MikroTik] > ip address print
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS            NETWORK         BROADCAST       INTERFACE
 0   ;;; default configuration
     192.168.88.1/24    192.168.88.0    192.168.88.255  ether1

Otherwise, here is what you "get" on an empty router:

/interface ethernet
set 0 arp=enabled auto-negotiation=yes cable-settings=default comment="" \
    disable-running-check=yes disabled=no full-duplex=yes mac-address=\
    xx:xx:xx:xx:xx:xx mtu=1500 name=ether1 speed=100Mbps
set 1 arp=enabled auto-negotiation=yes cable-settings=default comment="" \
    disable-running-check=yes disabled=no full-duplex=yes mac-address=\
    xx:xx:xx:xx:xx:xx mtu=1500 name=ether2 speed=100Mbps
/interface wireless security-profiles
set default authentication-types="" eap-methods=passthrough group-ciphers="" \
    group-key-update=5m interim-update=0s mode=none name=default \
    radius-eap-accounting=no radius-mac-accounting=no \
    radius-mac-authentication=no radius-mac-caching=disabled \
    radius-mac-format=XX:XX:XX:XX:XX:XX radius-mac-mode=as-username \
    static-algo-0=none static-algo-1=none static-algo-2=none static-algo-3=\
    none static-key-0="" static-key-1="" static-key-2="" static-key-3="" \
    static-sta-private-algo=none static-sta-private-key="" \
    static-transmit-key=key-0 supplicant-identity=MikroTik tls-certificate=\
    none tls-mode=no-certificates unicast-ciphers="" wpa-pre-shared-key="" \
    wpa2-pre-shared-key=""
/ip hotspot profile
set default dns-name="" hotspot-address=0.0.0.0 html-directory=hotspot \
    http-cookie-lifetime=3d http-proxy=0.0.0.0:0 login-by=cookie,http-chap \
    name=default rate-limit="" smtp-server=0.0.0.0 split-user-domain=no \
    use-radius=no
/ip hotspot user profile
set default idle-timeout=none keepalive-timeout=2m name=default shared-users=\
    1 status-autorefresh=1m transparent-proxy=no
/ip ipsec proposal
set default auth-algorithms=sha1 disabled=no enc-algorithms=3des lifetime=30m \
    name=default pfs-group=modp1024
/port
set 0 baud-rate=9600 data-bits=8 flow-control=hardware name=serial0 parity=\
    none stop-bits=1
/ppp profile
set default change-tcp-mss=yes comment="" name=default only-one=default \
    use-compression=default use-encryption=default use-vj-compression=default
set default-encryption change-tcp-mss=yes comment="" name=default-encryption \
    only-one=default use-compression=default use-encryption=yes \
    use-vj-compression=default
/queue type
set default kind=pfifo name=default pfifo-limit=50
set ethernet-default kind=pfifo name=ethernet-default pfifo-limit=50
set wireless-default kind=sfq name=wireless-default sfq-allot=1514 \
    sfq-perturb=5
set synchronous-default kind=red name=synchronous-default red-avg-packet=1000 \
    red-burst=20 red-limit=60 red-max-threshold=50 red-min-threshold=10
set hotspot-default kind=sfq name=hotspot-default sfq-allot=1514 sfq-perturb=\
    5
set default-small kind=pfifo name=default-small pfifo-limit=10
/routing bgp instance
set default as=65530 client-to-client-reflection=yes comment="" disabled=no \
    ignore-as-path-len=no name=default out-filter="" redistribute-connected=\
    no redistribute-ospf=no redistribute-other-bgp=no redistribute-rip=no \
    redistribute-static=no router-id=0.0.0.0
/routing ospf area
add area-id=0.0.0.0 authentication=none disabled=no name=backbone type=\
    default
/snmp
set contact="" enabled=no engine-boots=0 engine-id="" location="" \
    time-window=15 trap-sink=0.0.0.0 trap-version=1
/snmp community
set public address=0.0.0.0/0 authentication-password="" \
    authentication-protocol=MD5 encryption-password="" encryption-protocol=\
    DES name=public read-access=yes security=none write-access=no
/system logging action
set memory memory-lines=100 memory-stop-on-full=no name=memory target=memory
set disk disk-lines=100 disk-stop-on-full=no name=disk target=disk
set echo name=echo remember=yes target=echo
set remote name=remote remote=0.0.0.0:514 target=remote
/user group
add name=read policy="local,telnet,ssh,reboot,read,test,winbox,password,web,sn\
    iff,!ftp,!write,!policy"
add name=write policy="local,telnet,ssh,reboot,read,write,test,winbox,password\
    ,web,sniff,!ftp,!policy"
add name=full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbo\
    x,password,web,sniff"
/user
add address=0.0.0.0/0 comment="system default user" disabled=no group=full \
    name=admin
/interface bridge settings
set use-ip-firewall=no use-ip-firewall-for-vlan=no
/interface ethernet mirror
set
/interface l2tp-server server
set authentication=pap,chap,mschap1,mschap2 default-profile=\
    default-encryption enabled=no max-mru=1460 max-mtu=1460 mrru=disabled
/interface ovpn-server server
set auth=sha1,md5 certificate=none cipher=blowfish128,aes128 default-profile=\
    default enabled=no keepalive-timeout=60 mac-address=FE:04:FC:55:82:02 \
    max-mtu=1500 mode=ip netmask=24 port=1194 require-client-certificate=no
/interface pptp-server server
set authentication=mschap1,mschap2 default-profile=default-encryption \
    enabled=no keepalive-timeout=30 max-mru=1460 max-mtu=1460 mrru=disabled
/interface wireless align
set active-mode=yes audio-max=-20 audio-min=-100 audio-monitor=\
    00:00:00:00:00:00 filter-mac=00:00:00:00:00:00 frame-size=300 \
    frames-per-second=25 receive-all=no ssid-all=no
/interface wireless sniffer
set channel-time=200ms file-limit=10 file-name="" memory-limit=10 \
    multiple-channels=no only-headers=no receive-errors=no streaming-enabled=\
    no streaming-max-rate=0 streaming-server=0.0.0.0
/interface wireless snooper
set channel-time=200ms multiple-channels=yes receive-errors=no
/ip accounting
set account-local-traffic=no enabled=no threshold=256
/ip accounting web-access
set accessible-via-web=no address=0.0.0.0/0
/ip address
add address=192.168.88.1/24 broadcast=192.168.88.255 comment=\
    "default configuration" disabled=no interface=ether1 network=192.168.88.0
/ip dhcp-server config
set store-leases-disk=5m
/ip dns
set allow-remote-requests=no cache-max-ttl=1w cache-size=2048KiB \
    max-udp-packet-size=512 primary-dns=0.0.0.0 secondary-dns=0.0.0.0
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s \
    tcp-close-wait-timeout=10s tcp-established-timeout=1d \
    tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s \
    tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no \
    tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061
set pptp disabled=no
/ip hotspot service-port
set ftp disabled=no ports=21
/ip neighbor discovery
set ether1 discover=yes
set ether2 discover=yes
/ip proxy
set always-from-cache=no cache-administrator=webmaster cache-hit-dscp=4 \
    cache-on-disk=no enabled=no max-cache-size=unlimited \
    max-client-connections=600 max-fresh-time=3d max-server-connections=600 \
    parent-proxy=0.0.0.0 parent-proxy-port=0 port=8080 serialize-connections=\
    no src-address=0.0.0.0
/ip service
set telnet address=0.0.0.0/0 disabled=no port=23
set ftp address=0.0.0.0/0 disabled=no port=21
set www address=0.0.0.0/0 disabled=no port=80
set ssh address=0.0.0.0/0 disabled=no port=22
set www-ssl address=0.0.0.0/0 certificate=none disabled=yes port=443
set api address=0.0.0.0/0 disabled=yes port=8728
set winbox address=0.0.0.0/0 disabled=no port=8291
/ip socks
set connection-idle-timeout=2m enabled=no max-connections=200 port=1080
/ip traffic-flow
set active-flow-timeout=30m cache-entries=4k enabled=no \
    inactive-flow-timeout=15s interfaces=all
/ip upnp
set allow-disable-external-interface=yes enabled=no show-dummy-rule=yes
/ppp aaa
set accounting=yes interim-update=0s use-radius=no
/queue interface
set ether1 queue=ethernet-default
set ether2 queue=ethernet-default
/radius incoming
set accept=no port=3799
/routing mme
set bidirectional-timeout=2 gateway-class=none gateway-keepalive=1m \
    gateway-selection=no-gateway origination-interval=5s preferred-gateway=\
    0.0.0.0 timeout=1m ttl=50
/routing ospf
set distribute-default=never metric-bgp=20 metric-connected=20 \
    metric-default=1 metric-rip=20 metric-static=20 mpls-te-area=unspecified \
    mpls-te-router-id=unspecified redistribute-bgp=no redistribute-connected=\
    no redistribute-rip=no redistribute-static=no router-id=0.0.0.0
/routing rip
set distribute-default=never garbage-timer=2m metric-bgp=1 metric-connected=1 \
    metric-default=1 metric-ospf=1 metric-static=1 redistribute-bgp=no \
    redistribute-connected=no redistribute-ospf=no redistribute-static=no \
    timeout-timer=3m update-timer=30s
/store
add comment="" disabled=no disk=primary-master name=user-manager1 type=\
    user-manager
add comment="" disabled=no disk=primary-master name=web-proxy1 type=web-proxy
/system clock manual
set dst-delta=+00:00 dst-end="jan/01/1970 00:00:00" dst-start=\
    "jan/01/1970 00:00:00" time-zone=+00:00
/system console
add disabled=no port=serial0 term=vt102
set [ find vcno=1 ] disabled=no term=linux
set [ find vcno=2 ] disabled=no term=linux
set [ find vcno=3 ] disabled=no term=linux
set [ find vcno=4 ] disabled=no term=linux
set [ find vcno=5 ] disabled=no term=linux
set [ find vcno=6 ] disabled=no term=linux
set [ find vcno=7 ] disabled=no term=linux
set [ find vcno=8 ] disabled=no term=linux
/system console screen
set line-count=25
/system hardware
set multi-cpu=yes
/system health
set state-after-reboot=enabled
/system identity
set name=MikroTik
/system logging
add action=memory disabled=no prefix="" topics=info
add action=memory disabled=no prefix="" topics=error
add action=memory disabled=no prefix="" topics=warning
add action=echo disabled=no prefix="" topics=critical
/system note
set note="" show-at-login=yes
/system ntp client
set enabled=no mode=unicast primary-ntp=0.0.0.0 secondary-ntp=0.0.0.0
/system ntp server
set broadcast=no enabled=no manycast=yes multicast=no
/system routerboard bios
set
/system upgrade mirror
set check-interval=1d enabled=no primary-server=0.0.0.0 secondary-server=\
    0.0.0.0 user=""

[ Robinson_back @ 03.12.2008. 22:20 ] @
I'm not sure you understood me.. this is about an installation on a PC.
I upgraded from 2.9.51 to 3.13 and got a pile of rules in the firewall that I didn't set. I'm not an expert, so I'd rather ask the more experienced :-) the pile of rules confuses me. What happens now to my masquerade and the port 80 redirect for the transparent proxy??? NAT gives me this (there's more further down, but I won't post it all):

[dalibor@Zorkovac HotSpot] /ip firewall nat> print all
Flags: X - disabled, I - invalid, D - dynamic
 0 D chain=dstnat action=jump jump-target=hotspot hotspot=from-client
 1 D chain=hotspot action=redirect to-ports=64872 dst-port=53 protocol=udp
 2 D chain=hotspot action=redirect to-ports=64872 dst-port=53 protocol=tcp
 3 D chain=hotspot action=redirect to-ports=64873 hotspot=local-dst dst-port=8>
 4 D chain=hotspot action=redirect to-ports=64875 hotspot=local-dst dst-port=443 protocol=tcp
 5 D chain=hotspot action=jump jump-target=hs-unauth hotspot=!auth protocol=tc>
 6 D chain=hotspot action=jump jump-target=hs-auth hotspot=auth protocol=tcp
 7 D chain=hs-unauth action=redirect to-ports=64874 dst-port=80 protocol=tcp
 8 D chain=hs-unauth action=redirect to-ports=64874 dst-port=3128 protocol=tcp
 9 D chain=hs-unauth action=redirect to-ports=64874 dst-port=8080 protocol=tcp
-- [Q quit|D dump|right|down]

FILTER gives this:

[dalibor@Zorkovac HotSpot] /ip firewall filter> print all
Flags: X - disabled, I - invalid, D - dynamic
 0 D chain=forward action=jump jump-target=hs-unauth hotspot=from-client,!auth
 1 D chain=forward action=jump jump-target=hs-unauth-to hotspot=to-client,!aut>
 2 D chain=input action=jump jump-target=hs-input hotspot=from-client
 3 I chain=hs-input action=jump jump-target=pre-hs-input
 4 D chain=hs-input action=accept dst-port=64872 protocol=udp
 5 D chain=hs-input action=accept dst-port=64872-64875 protocol=tcp
 6 D chain=hs-input action=jump jump-target=hs-unauth hotspot=!auth
 7 D chain=hs-unauth action=reject reject-with=tcp-reset protocol=tcp
 8 D chain=hs-unauth action=reject reject-with=icmp-net-prohibited
 9 D chain=hs-unauth-to action=reject reject-with=icmp-host-prohibited
10 X ;;; place hotspot rules here
     chain=unused-hs-chain action=passthrough
-- [Q quit|D dump|right|down]

[ Sa$a @ 03.12.2008. 23:04 ] @
That's fine, since you did an upgrade: it installed the new OS version and kept the rules you had in the old version. If you had installed the OS fresh, you would only have what I sent you in the first post (the only difference being the interfaces you have on the machine).
[This message was edited by Sa$a on 04.12.2008. at 00:17 GMT+1]
[ Robinson_back @ 04.12.2008. 09:42 ] @
Yes, some of those rules were red, meaning invalid... what should I do with them, leave them or remove them?
[ Sa$a @ 04.12.2008. 17:49 ] @
http://forum.mikrotik.com/view...amp;t=28052&hilit=redirect
.......Ohh and another bug, downgrading from 3.16 to 3.13 will remove your hotspot files, be careful to watch out for this as it wont warn you. Did that to me about 80% of the time upon downgrade.
[ Kolins Balaban @ 04.12.2008. 18:25 ] @
Those rules are probably red because they reference some other IP address ranges (or none at all) or some other interface names. Just adapt them.
[ Robinson_back @ 04.12.2008. 19:54 ] @
I can't do anything with those rules.... except delete them. Through Winbox I can't change a single one of their settings. It's like something that comes by default. I don't get why it would be there. Let me take a look at the link from Sa$a's post, maybe it will be clearer...
[ roppe @ 05.12.2008. 01:49 ] @
You had those rules in the previous version too, they are dynamic rules! In the old MikroTik version the rules were filtered on "static", and in the newer version on "all".
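As an added illustration (not code from the thread or from MikroTik), a small Python parser for the `print all` listings posted above that separates the hotspot's dynamic (D) rules from the admin's own static ones and flags invalid (I) and disabled (X) entries. The sample listing is constructed after the poster's NAT output; rules 10-12 are assumed stand-ins for the masquerade and port-80 redirect the poster asks about.

```python
import re

# Constructed sample modelled on the poster's "/ip firewall nat> print all";
# rules 10-12 are constructed stand-ins for the admin's own masquerade and
# port-80 redirect. A trailing ">" is the console's mark for a cut-off line.
SAMPLE = """\
Flags: X - disabled, I - invalid, D - dynamic
 0 D chain=dstnat action=jump jump-target=hotspot hotspot=from-client
 3 D chain=hotspot action=redirect to-ports=64873 hotspot=local-dst dst-port=8>
10 X ;;; old proxy redirect, kept disabled (constructed)
     chain=dstnat action=redirect to-ports=3128 dst-port=80 protocol=tcp
11 I chain=srcnat action=masquerade out-interface=ether3
12   chain=dstnat action=redirect to-ports=8080 dst-port=80 protocol=tcp
-- [Q quit|D dump|right|down]
"""

# rule index, optional flag letters (X/I/D), rest of the line
RULE_RE = re.compile(r"^\s*(\d+)\s+([XID]{0,3})\s*(.*)$")


def parse_print_all(text):
    """Turn 'print all' console output into a list of rule dicts."""
    rules = []
    for line in text.splitlines():
        if not line.strip() or line.startswith(("Flags:", "--")):
            continue                     # legend and pager lines
        m = RULE_RE.match(line)
        if m:                            # a new numbered rule
            rules.append({"index": int(m.group(1)), "flags": set(m.group(2)),
                          "comment": None, "attrs": {}, "truncated": False})
        body = m.group(3) if m else line.strip()   # else: indented continuation
        rule = rules[-1]
        if body.startswith(";;;"):       # comment printed above the rule body
            rule["comment"] = body[3:].strip()
            continue
        for tok in body.split():
            if tok.endswith(">"):        # cut off by the console: value incomplete
                tok, rule["truncated"] = tok[:-1], True
            key, _, val = tok.partition("=")
            rule["attrs"][key] = val
    return rules


def classify(rules):
    """Split service-generated (D) rules from the admin's own; note I and X."""
    groups = {"dynamic": [], "static": [], "invalid": [], "disabled": []}
    for r in rules:
        groups["dynamic" if "D" in r["flags"] else "static"].append(r["index"])
        for flag, name in (("I", "invalid"), ("X", "disabled")):
            if flag in r["flags"]:
                groups[name].append(r["index"])
    return groups
```

Only the entries in `static` were written by the admin; `invalid` ones among them are the red rules worth checking against the interface and address names that exist on the box.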
[ Robinson_back @ 05.12.2008. 09:57 ] @
I really don't know.... I removed the rules that were red, since I can't edit them or anything. I don't understand what now. That 'Tik runs my Hotspot, queues and proxy. Nothing much was configured there apart from the masquerade and the port 80 redirect for the transparent proxy.
Copyright (C) 2001-2025 by www.elitesecurity.org. All rights reserved.