ROS 3.13: what are these settings that come in the firewall?


Robinson_back (Dalibor K), 03.12.2008 at 18:53
Is it normal that firewall settings come by default in ROS 3.13? There is a whole pile of stuff in there. Can someone explain what this is actually about??
 
Sa$a (Niš), 03.12.2008 at 22:01
This is all you have when you leave the init config (v3.16, and maybe earlier too)
[admin@MikroTik] > ip address print
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK BROADCAST INTERFACE
0 ;;; default configuration
192.168.88.1/24 192.168.88.0 192.168.88.255 ether1

Otherwise, here is what you "get" on an empty router

/interface ethernet
set 0 arp=enabled auto-negotiation=yes cable-settings=default comment="" \
disable-running-check=yes disabled=no full-duplex=yes mac-address=\
xx:xx:xx:xx:xx:xx mtu=1500 name=ether1 speed=100Mbps
set 1 arp=enabled auto-negotiation=yes cable-settings=default comment="" \
disable-running-check=yes disabled=no full-duplex=yes mac-address=\
xx:xx:xx:xx:xx:xx mtu=1500 name=ether2 speed=100Mbps
/interface wireless security-profiles
set default authentication-types="" eap-methods=passthrough group-ciphers="" \
group-key-update=5m interim-update=0s mode=none name=default \
radius-eap-accounting=no radius-mac-accounting=no \
radius-mac-authentication=no radius-mac-caching=disabled \
radius-mac-format=XX:XX:XX:XX:XX:XX radius-mac-mode=as-username \
static-algo-0=none static-algo-1=none static-algo-2=none static-algo-3=\
none static-key-0="" static-key-1="" static-key-2="" static-key-3="" \
static-sta-private-algo=none static-sta-private-key="" \
static-transmit-key=key-0 supplicant-identity=MikroTik tls-certificate=\
none tls-mode=no-certificates unicast-ciphers="" wpa-pre-shared-key="" \
wpa2-pre-shared-key=""
/ip hotspot profile
set default dns-name="" hotspot-address=0.0.0.0 html-directory=hotspot \
http-cookie-lifetime=3d http-proxy=0.0.0.0:0 login-by=cookie,http-chap \
name=default rate-limit="" smtp-server=0.0.0.0 split-user-domain=no \
use-radius=no
/ip hotspot user profile
set default idle-timeout=none keepalive-timeout=2m name=default shared-users=\
1 status-autorefresh=1m transparent-proxy=no
/ip ipsec proposal
set default auth-algorithms=sha1 disabled=no enc-algorithms=3des lifetime=30m \
name=default pfs-group=modp1024
/port
set 0 baud-rate=9600 data-bits=8 flow-control=hardware name=serial0 parity=\
none stop-bits=1
/ppp profile
set default change-tcp-mss=yes comment="" name=default only-one=default \
use-compression=default use-encryption=default use-vj-compression=default
set default-encryption change-tcp-mss=yes comment="" name=default-encryption \
only-one=default use-compression=default use-encryption=yes \
use-vj-compression=default
/queue type
set default kind=pfifo name=default pfifo-limit=50
set ethernet-default kind=pfifo name=ethernet-default pfifo-limit=50
set wireless-default kind=sfq name=wireless-default sfq-allot=1514 \
sfq-perturb=5
set synchronous-default kind=red name=synchronous-default red-avg-packet=1000 \
red-burst=20 red-limit=60 red-max-threshold=50 red-min-threshold=10
set hotspot-default kind=sfq name=hotspot-default sfq-allot=1514 sfq-perturb=\
5
set default-small kind=pfifo name=default-small pfifo-limit=10
/routing bgp instance
set default as=65530 client-to-client-reflection=yes comment="" disabled=no \
ignore-as-path-len=no name=default out-filter="" redistribute-connected=\
no redistribute-ospf=no redistribute-other-bgp=no redistribute-rip=no \
redistribute-static=no router-id=0.0.0.0
/routing ospf area
add area-id=0.0.0.0 authentication=none disabled=no name=backbone type=\
default
/snmp
set contact="" enabled=no engine-boots=0 engine-id="" location="" \
time-window=15 trap-sink=0.0.0.0 trap-version=1
/snmp community
set public address=0.0.0.0/0 authentication-password="" \
authentication-protocol=MD5 encryption-password="" encryption-protocol=\
DES name=public read-access=yes security=none write-access=no
/system logging action
set memory memory-lines=100 memory-stop-on-full=no name=memory target=memory
set disk disk-lines=100 disk-stop-on-full=no name=disk target=disk
set echo name=echo remember=yes target=echo
set remote name=remote remote=0.0.0.0:514 target=remote
/user group
add name=read policy="local,telnet,ssh,reboot,read,test,winbox,password,web,sn\
iff,!ftp,!write,!policy"
add name=write policy="local,telnet,ssh,reboot,read,write,test,winbox,password\
,web,sniff,!ftp,!policy"
add name=full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbo\
x,password,web,sniff"
/user
add address=0.0.0.0/0 comment="system default user" disabled=no group=full \
name=admin
/interface bridge settings
set use-ip-firewall=no use-ip-firewall-for-vlan=no
/interface ethernet mirror
set
/interface l2tp-server server
set authentication=pap,chap,mschap1,mschap2 default-profile=\
default-encryption enabled=no max-mru=1460 max-mtu=1460 mrru=disabled
/interface ovpn-server server
set auth=sha1,md5 certificate=none cipher=blowfish128,aes128 default-profile=\
default enabled=no keepalive-timeout=60 mac-address=FE:04:FC:55:82:02 \
max-mtu=1500 mode=ip netmask=24 port=1194 require-client-certificate=no
/interface pptp-server server
set authentication=mschap1,mschap2 default-profile=default-encryption \
enabled=no keepalive-timeout=30 max-mru=1460 max-mtu=1460 mrru=disabled
/interface wireless align
set active-mode=yes audio-max=-20 audio-min=-100 audio-monitor=\
00:00:00:00:00:00 filter-mac=00:00:00:00:00:00 frame-size=300 \
frames-per-second=25 receive-all=no ssid-all=no
/interface wireless sniffer
set channel-time=200ms file-limit=10 file-name="" memory-limit=10 \
multiple-channels=no only-headers=no receive-errors=no streaming-enabled=\
no streaming-max-rate=0 streaming-server=0.0.0.0
/interface wireless snooper
set channel-time=200ms multiple-channels=yes receive-errors=no
/ip accounting
set account-local-traffic=no enabled=no threshold=256
/ip accounting web-access
set accessible-via-web=no address=0.0.0.0/0
/ip address
add address=192.168.88.1/24 broadcast=192.168.88.255 comment=\
"default configuration" disabled=no interface=ether1 network=192.168.88.0
/ip dhcp-server config
set store-leases-disk=5m
/ip dns
set allow-remote-requests=no cache-max-ttl=1w cache-size=2048KiB \
max-udp-packet-size=512 primary-dns=0.0.0.0 secondary-dns=0.0.0.0
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s \
tcp-close-wait-timeout=10s tcp-established-timeout=1d \
tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s \
tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no \
tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061
set pptp disabled=no
/ip hotspot service-port
set ftp disabled=no ports=21
/ip neighbor discovery
set ether1 discover=yes
set ether2 discover=yes
/ip proxy
set always-from-cache=no cache-administrator=webmaster cache-hit-dscp=4 \
cache-on-disk=no enabled=no max-cache-size=unlimited \
max-client-connections=600 max-fresh-time=3d max-server-connections=600 \
parent-proxy=0.0.0.0 parent-proxy-port=0 port=8080 serialize-connections=\
no src-address=0.0.0.0
/ip service
set telnet address=0.0.0.0/0 disabled=no port=23
set ftp address=0.0.0.0/0 disabled=no port=21
set www address=0.0.0.0/0 disabled=no port=80
set ssh address=0.0.0.0/0 disabled=no port=22
set www-ssl address=0.0.0.0/0 certificate=none disabled=yes port=443
set api address=0.0.0.0/0 disabled=yes port=8728
set winbox address=0.0.0.0/0 disabled=no port=8291
/ip socks
set connection-idle-timeout=2m enabled=no max-connections=200 port=1080
/ip traffic-flow
set active-flow-timeout=30m cache-entries=4k enabled=no \
inactive-flow-timeout=15s interfaces=all
/ip upnp
set allow-disable-external-interface=yes enabled=no show-dummy-rule=yes
/ppp aaa
set accounting=yes interim-update=0s use-radius=no
/queue interface
set ether1 queue=ethernet-default
set ether2 queue=ethernet-default
/radius incoming
set accept=no port=3799
/routing mme
set bidirectional-timeout=2 gateway-class=none gateway-keepalive=1m \
gateway-selection=no-gateway origination-interval=5s preferred-gateway=\
0.0.0.0 timeout=1m ttl=50
/routing ospf
set distribute-default=never metric-bgp=20 metric-connected=20 \
metric-default=1 metric-rip=20 metric-static=20 mpls-te-area=unspecified \
mpls-te-router-id=unspecified redistribute-bgp=no redistribute-connected=\
no redistribute-rip=no redistribute-static=no router-id=0.0.0.0
/routing rip
set distribute-default=never garbage-timer=2m metric-bgp=1 metric-connected=1 \
metric-default=1 metric-ospf=1 metric-static=1 redistribute-bgp=no \
redistribute-connected=no redistribute-ospf=no redistribute-static=no \
timeout-timer=3m update-timer=30s
/store
add comment="" disabled=no disk=primary-master name=user-manager1 type=\
user-manager
add comment="" disabled=no disk=primary-master name=web-proxy1 type=web-proxy
/system clock manual
set dst-delta=+00:00 dst-end="jan/01/1970 00:00:00" dst-start=\
"jan/01/1970 00:00:00" time-zone=+00:00
/system console
add disabled=no port=serial0 term=vt102
set [ find vcno=1 ] disabled=no term=linux
set [ find vcno=2 ] disabled=no term=linux
set [ find vcno=3 ] disabled=no term=linux
set [ find vcno=4 ] disabled=no term=linux
set [ find vcno=5 ] disabled=no term=linux
set [ find vcno=6 ] disabled=no term=linux
set [ find vcno=7 ] disabled=no term=linux
set [ find vcno=8 ] disabled=no term=linux
/system console screen
set line-count=25
/system hardware
set multi-cpu=yes
/system health
set state-after-reboot=enabled
/system identity
set name=MikroTik
/system logging
add action=memory disabled=no prefix="" topics=info
add action=memory disabled=no prefix="" topics=error
add action=memory disabled=no prefix="" topics=warning
add action=echo disabled=no prefix="" topics=critical
/system note
set note="" show-at-login=yes
/system ntp client
set enabled=no mode=unicast primary-ntp=0.0.0.0 secondary-ntp=0.0.0.0
/system ntp server
set broadcast=no enabled=no manycast=yes multicast=no
/system routerboard bios
set
/system upgrade mirror
set check-interval=1d enabled=no primary-server=0.0.0.0 secondary-server=\
0.0.0.0 user=""

Theory - that is when you know everything, and nothing works
Practice - that is when everything works, and you don't know why
We have combined theory and practice - with us NOTHING works and we DON'T KNOW why
ex YT1ENG
KN03XH-16DQ
 
Robinson_back (Dalibor K), 03.12.2008 at 22:20
I don't know if you understood me... this is about an installation on a computer.
I upgraded from 2.9.51 to 3.13 and got a pile of firewall rules that I did not set up. I'm not an expert, so I'd rather ask those with more experience :-) The pile of rules confuses me. What has now happened to my masquerade and the port 80 redirect for the transparent proxy???

NAT gives me this (there is more further on, but I won't post it all)


[dalibor@Zorkovac HotSpot] /ip firewall nat> print all
Flags: X - disabled, I - invalid, D - dynamic
0 D chain=dstnat action=jump jump-target=hotspot hotspot=from-client
1 D chain=hotspot action=redirect to-ports=64872 dst-port=53 protocol=udp
2 D chain=hotspot action=redirect to-ports=64872 dst-port=53 protocol=tcp
3 D chain=hotspot action=redirect to-ports=64873 hotspot=local-dst dst-port=8>
protocol=tcp
4 D chain=hotspot action=redirect to-ports=64875 hotspot=local-dst
dst-port=443 protocol=tcp
5 D chain=hotspot action=jump jump-target=hs-unauth hotspot=!auth protocol=tc>
6 D chain=hotspot action=jump jump-target=hs-auth hotspot=auth protocol=tcp
7 D chain=hs-unauth action=redirect to-ports=64874 dst-port=80 protocol=tcp
8 D chain=hs-unauth action=redirect to-ports=64874 dst-port=3128 protocol=tcp
9 D chain=hs-unauth action=redirect to-ports=64874 dst-port=8080 protocol=tcp

-- [Q quit|D dump|right|down]


FILTER gives this

[dalibor@Zorkovac HotSpot] /ip firewall filter> print all
Flags: X - disabled, I - invalid, D - dynamic
0 D chain=forward action=jump jump-target=hs-unauth hotspot=from-client,!auth
1 D chain=forward action=jump jump-target=hs-unauth-to hotspot=to-client,!aut>
2 D chain=input action=jump jump-target=hs-input hotspot=from-client
3 I chain=hs-input action=jump jump-target=pre-hs-input
4 D chain=hs-input action=accept dst-port=64872 protocol=udp
5 D chain=hs-input action=accept dst-port=64872-64875 protocol=tcp
6 D chain=hs-input action=jump jump-target=hs-unauth hotspot=!auth
7 D chain=hs-unauth action=reject reject-with=tcp-reset protocol=tcp
8 D chain=hs-unauth action=reject reject-with=icmp-net-prohibited
9 D chain=hs-unauth-to action=reject reject-with=icmp-host-prohibited
10 X ;;; place hotspot rules here
chain=unused-hs-chain action=passthrough
-- [Q quit|D dump|right|down]
 
Sa$a (Niš), 03.12.2008 at 23:04
That is OK since you did an upgrade, because it installed the new version of the OS and kept the rules you had in the old version. If you had installed a fresh OS, you would have only what I sent you in the first post (the only difference is in the interfaces you have on the machine).

[This message was edited by Sa$a on 04.12.2008 at 00:17 GMT+1]
 
Robinson_back (Dalibor K), 04.12.2008 at 09:42
Yes, some of those rules were red, meaning invalid... what should I do with them, leave them or remove them?
 
Sa$a (Niš), 04.12.2008 at 17:49
http://forum.mikrotik.com/view...amp;t=28052&hilit=redirect
.......Ohh and another bug, downgrading from 3.16 to 3.13 will remove your hotspot files, be careful to watch out for this as it won't warn you. Did that to me about 80% of the time upon downgrade.
 
Kolins Balaban (Central Bosnia), 04.12.2008 at 18:25
Those rules are probably red because they specify some other IP address ranges (or none are specified at all) or some other interface names. Just adjust them.

MyConfig:
CPU: AMD Phenom II X4 965 3,4GHz BOX
Motherboard: Asus M4A89GTD PRO
RAM: Corsair 4x2GB 1600MHz, 9-9-9-24
Graphics card: Diamond ATI 5870 1GB
HDD: 3xWD 320GB AAKS, stripe raid
DVD/RW: LG, SATA
SilverStone SST-ST50F 500W
CoolerMaster CM690
LG 24" 2453TQ-PF
Keyboard: A4Tech X7 G800
Mouse: A4Tech X7-755FS
 
Robinson_back (Dalibor K), 04.12.2008 at 19:54
I can't do anything with those rules... except delete them. Through Winbox I can't change a single one of their settings. Like something that comes by default. I don't get why that would end up there. Let me look at the link from Saša's post, maybe it will become clearer...
 
roppe (Perica Dujmovic, Novi Travnik), 05.12.2008 at 01:49
You had those rules in the previous version too; they are dynamic rules! In the old version of MikroTik the rules view was filtered to "static", and in the newer version to "all".
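
The Flags column of the filter listing posted earlier in the thread is what distinguishes dynamic (D), invalid (I) and disabled (X) rules. As an added example that is not part of the thread, this Python sketch parses that `print all` output, groups rule numbers by flag, and reports jumps into chains that have no rules in the listing; the function names are illustrative.

```python
import re

# Filter listing copied from the post above; the pager cut long lines at ">".
LISTING = """\
Flags: X - disabled, I - invalid, D - dynamic
0 D chain=forward action=jump jump-target=hs-unauth hotspot=from-client,!auth
1 D chain=forward action=jump jump-target=hs-unauth-to hotspot=to-client,!aut>
2 D chain=input action=jump jump-target=hs-input hotspot=from-client
3 I chain=hs-input action=jump jump-target=pre-hs-input
4 D chain=hs-input action=accept dst-port=64872 protocol=udp
5 D chain=hs-input action=accept dst-port=64872-64875 protocol=tcp
6 D chain=hs-input action=jump jump-target=hs-unauth hotspot=!auth
7 D chain=hs-unauth action=reject reject-with=tcp-reset protocol=tcp
8 D chain=hs-unauth action=reject reject-with=icmp-net-prohibited
9 D chain=hs-unauth-to action=reject reject-with=icmp-host-prohibited
10 X ;;; place hotspot rules here
chain=unused-hs-chain action=passthrough
-- [Q quit|D dump|right|down]
"""

RULE = re.compile(r"^\s*(\d+)\s+((?:[XID]+\s+)*)(.*)$")

def parse_listing(text):
    """Turn `print all` output into one dict per rule, joining wrapped lines."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("Flags:", "--")):
            continue  # flag legend and pager prompt
        m = RULE.match(line)
        if m:  # a numbered line starts a new rule; others continue the last one
            rules.append({"num": int(m.group(1)), "attrs": {}, "truncated": False,
                          "flags": set("".join(m.group(2).split()))})
            line = m.group(3)
        if rules and not line.startswith(";;;"):  # ";;;" starts a rule comment
            rules[-1]["truncated"] |= line.endswith(">")
            rules[-1]["attrs"].update(re.findall(r"([\w-]+)=(\S+)", line))
    return rules

def summarize(rules):
    """Group rule numbers by flag and list jumps into chains with no rules."""
    chains = {r["attrs"].get("chain") for r in rules}
    out = {name: [r["num"] for r in rules if flag in r["flags"]]
           for flag, name in zip("DIX", ("dynamic", "invalid", "disabled"))}
    out["dangling_jumps"] = {
        r["num"]: t for r in rules if (t := r["attrs"].get("jump-target"))
        and not t.endswith(">") and t not in chains}
    return out
```

On the posted listing this reports rules 0-2 and 4-9 as dynamic, rule 10 as disabled, and rule 3 as invalid with a jump to `pre-hs-input`, a chain for which the listing shows no rules.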
 
Robinson_back (Dalibor K), 05.12.2008 at 09:57
I really don't know... I removed the rules that were red, because I can't edit them or anything. I don't understand what to do now. On that 'Tik I run Hotspot, queues and proxy. Nothing much was configured there apart from masquerade and the port 80 redirect for the transparent proxy.
 