Name | Modified | Size | Downloads / Week |
---|---|---|---|
Parent folder | |||
README | 2012-11-29 | 2.7 kB | |
gkmtfirewall_rel7.zip | 2012-11-29 | 1.5 MB | |
Totals: 2 Items | 1.5 MB | 0 |
Prerequisites to work: 1. A Routerboard device (or RouterOS installed on any device) acting as a firewall for your internal network 2. An available linux PC (or server) 3. /ip firewall filter : add your allow rules first and after that drop any connection from outside example: 1)chain=forward action=accept connection-state=related 2)chain=input action=accept connection-state=established 3)chain=input action=accept connection-state=related 4)chain=forward action=accept connection-state=new src-address-list=internal 5)chain=forward action=accept protocol=tcp dst-address=192.168.1.10 dst-port=80 6)chain=forward action=accept protocol=tcp dst-address=192.168.1.11 dst-port=25 7)chain=forward action=accept protocol=tcp dst-address=192.168.1.11 dst-port=110 8)chain=forward action=accept protocol=tcp dst-address=192.168.1.11 dst-port=143 . . . 100)chain=forward action=drop dst-address-list=internal 4. Before any other rule in filter add : chain=forward action=drop src-address-list=attackers dst-address-list=internal 5. Before rule 100 add : chain=forward action=log connection-state=new protocol=tcp dst-address-list=internal dst-port=20-35,445,1433,1521,1524,1526,1812,2082,2483,2484,3306,3872 log-prefix="Service Scanner x:" (You can add any ports you want for attacker detection.) 6. Add a new remote logging target at ROS device : /system logging action add name="remotelog" remote=192.168.1.100 remote-port=5555 bsd-syslog=yes target=remote syslog-facility=23 syslog-severity=6 7. Add a new logging /system logging add action=remotelog topics=firewall 8. Checkout source code to your linux machine 9. Compile with : g++ main.cpp attackleases.cpp configfilereader.cpp connection.cpp iplocator.cpp rulefilereader.cpp -o gkmtfirewall -lpthread -lssh 10. Move the executable to /usr/sbin/. 11. Edit contents of gkmtfirewall.conf to adapt your needs 12. Move gkmtfirewall.conf to /etc/gkmtfirewall.conf 13. Move gkmtfirewall.init to /etc/init.d/gkmtfirewall 14. Move IpToCountry.csv to /etc/gkmtfirewall/IpToCountry.csv (it would be better to download a newer version from http://software77.net/geo-ip/) 15. Move rules to /etc/gkmtfirewall/rules 16. Change rules to adapt your needs (countrycode samePacketScore ipScannerScore portScannerScore unknownScannerScore) If a country is not listed in rules then default scores will be applied 17. Change permissions of /etc/init.d/gkmtfirewall to 755 18. Type /etc/init.d/gkmtfirewall start to start the program 19. Take a look at syslog to determine possible problems 20. !!! Remember to update regularly IpToCountry.csv from http://software77.net/geo-ip/ (restart gkmtfirewall after update this file)