Fadhli's Blog

Important note to remind..

Squid.conf Labor

#file squid.conf
http_port 3128 transparent
icp_port 3130
visible_hostname localhost
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY

cache_mem 128 MB
cache_swap_low 98
cache_swap_high 99
maximum_object_size 8096 KB
minimum_object_size 0 KB
maximum_object_size_in_memory 8096 KB
fqdncache_size 1024
cache_replacement_policy heap LFUDA
memory_replacement_policy heap GDSF
memory_pools off

cache_dir ufs i:/squid/cache 4500 16 256
redirect_rewrites_host_header off

cache_access_log i:/squid/var/logs/access.log
cache_log i:/squid/var/logs/cache.log
#cache_store_log i:/squid/var/logs/store.log
cache_store_log none

cache_mgr fadhlismart@yahoo.com
cachemgr_passwd fadhli

# TUNING CACHE PROXY

# pictures & images
refresh_pattern -i \.(gif|png|jpeg|jpg|bmp|tif|tiff|ico)$ 10080 50% 43200 override-expire override-lastmod reload-into-ims ignore-reload ignore-no-cache ignore-auth ignore-private
refresh_pattern -i \.(xml|html|htm|js|txt|css|php)$ 10080 50% 43200 override-expire override-lastmod reload-into-ims ignore-reload ignore-no-cache ignore-auth

#sound, video multimedia
refresh_pattern -i \.(flv|x-flv|mov|avi|qt|mpg|mpeg|swf)$ 10080 50% 43200 override-expire override-lastmod reload-into-ims ignore-reload ignore-no-cache
refresh_pattern -i \.(wav|mp3|mp4|au|mid)$ 10080 50% 43200 override-expire override-lastmod reload-into-ims ignore-reload ignore-no-cache ignore-auth ignore-private

# files
refresh_pattern -i \.(iso|deb|rpm|zip|tar|tgz|ram|rar|bin|ppt|doc)$ 10080 90% 43200 ignore-no-cache ignore-auth
refresh_pattern -i \.(zip|gz|arj|lha|lzh)$ 10080 90% 43200 override-expire ignore-no-cache ignore-auth
refresh_pattern -i \.(rar|tgz|tar|exe|bin)$ 10080 90% 43200 override-expire ignore-no-cache ignore-auth
refresh_pattern -i \.(hqx|pdf|rtf|doc|swf)$ 10080 90% 43200 override-expire ignore-no-cache ignore-auth
refresh_pattern -i \.(inc|cab|ad|txt|dll)$ 10080 90% 43200 override-expire ignore-no-cache ignore-auth

# -- refresh pattern for specific sites -- #
# Host names below are matched as regular expressions: the original "^http://*.site.com"
# form was not a glob ("*" repeated the slash and "." matched any character), so the
# host part is now written as ([^/]*\.)?site\.com with the dots escaped.
refresh_pattern ^http://([^/]*\.)?blogspot\.com/.* 720 90% 10080 override-expire override-lastmod reload-into-ims ignore-no-cache ignore-auth
refresh_pattern ^http://([^/]*\.)?wordpress\.[^/]*/.* 720 90% 10080 override-expire override-lastmod reload-into-ims ignore-no-cache
refresh_pattern ^http://([^/]*\.)?kaskus\.[^/]*/.* 720 90% 28800 override-expire override-lastmod reload-into-ims ignore-no-cache ignore-auth
refresh_pattern ^http://www\.kaskus\.com/.* 720 100% 28800 override-expire override-lastmod reload-into-ims ignore-no-cache ignore-auth
refresh_pattern ^http://([^/]*\.)?detik\.[^/]*/.* 720 50% 2880 override-expire override-lastmod reload-into-ims ignore-no-cache ignore-auth
refresh_pattern ^http://([^/]*\.)?detiknews\.[^/]*/.* 720 50% 2880 override-expire override-lastmod reload-into-ims ignore-no-cache ignore-auth
refresh_pattern ^http://([^/]*\.)?friendster\.com/.* 720 90% 10080 override-expire override-lastmod ignore-no-cache ignore-auth
refresh_pattern ^http://([^/]*\.)?facebook\.[^/]*/.* 720 90% 10080 override-expire override-lastmod reload-into-ims ignore-no-cache ignore-auth
refresh_pattern ^http://apps\.facebook\.com/.* 720 90% 10080 override-expire override-lastmod reload-into-ims ignore-no-cache ignore-auth
refresh_pattern ^http://([^/]*\.)?fbcdn\.[^/]*/.* 720 90% 10080 override-expire override-lastmod reload-into-ims ignore-no-cache ignore-auth
refresh_pattern ^http://([^/]*\.)?zynga\.[^/]*/.* 720 90% 10080 override-expire override-lastmod reload-into-ims ignore-no-cache ignore-auth
refresh_pattern ^http://profile\.ak\.fbcdn\.net/.* 720 90% 10080 override-expire override-lastmod reload-into-ims ignore-no-cache ignore-auth
refresh_pattern ^http://([^/]*\.)?yahoo\.com/.* 720 80% 10080 override-expire override-lastmod reload-into-ims ignore-no-cache ignore-auth
refresh_pattern ^http://([^/]*\.)?google\.[^/]*/.* 720 80% 10080 override-expire override-lastmod reload-into-ims ignore-no-cache ignore-auth
refresh_pattern ^http://([^/]*\.)?forummikrotik\.com/.* 720 80% 10080 override-expire override-lastmod reload-into-ims ignore-no-cache ignore-auth

#default option
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320

negative_ttl 1 minutes

#httpd_accel_host apps.facebook.com
#httpd_accel_with_proxy on
#httpd_accel_port 80
#httpd_accel_uses_host_header off

acl localnet src 192.168.1.0/24
acl localhost src 127.0.0.1/255.255.255.255
acl Safe_ports port 80 443 210 119 70 21 1025-65535
acl CONNECT method CONNECT
acl manager proto cache_object
acl all src 0.0.0.0/0.0.0.0
acl ftp proto FTP
acl zynga port 9339 843
acl webzynga dstdomain .zynga.com

# http_access is evaluated top to bottom and the first match wins. The zynga,
# webzynga, ftp and manager rules carry no source restriction, so they also
# admit clients outside localnet (the manager rule exposes the cache manager
# interface to any address). Pairing each with localnet, for example
# "http_access allow localnet zynga", keeps the proxy closed to outsiders.
# Safe_ports and CONNECT are defined but never referenced, so the usual
# "http_access deny !Safe_ports" guard is not in effect here.
http_access allow zynga
http_access allow webzynga
http_access allow ftp
http_access allow manager
http_access allow localnet
http_access allow localhost
http_access deny all

#end of file, end paste here

14 December 2010 Posted by | IT, PC and Internet Cafe | Leave a comment

Activating dstnat on the RB750 for an External Proxy

/ip firewall nat
# Let the proxy host's own outbound port-80 traffic pass untouched, so it is not
# redirected back to itself in a loop (src-address takes an address; the original
# line used src-address-list, which takes a list name).
add chain=dstnat action=accept protocol=tcp src-address=192.168.1.100 dst-port=80
# Redirect port-80 traffic from the "clients" address list to Squid on the proxy host.
add chain=dstnat action=dst-nat to-addresses=192.168.1.100 to-ports=3128 protocol=tcp src-address-list=clients dst-port=80

2 December 2010 Posted by | IT, PC and Internet Cafe | Leave a comment

Mikrotik Optimisation for Point Blank

/ip firewall mangle
add action=mark-connection chain=forward comment="Trafik Mark" disabled=no new-connection-mark=all_con passthrough=yes src-address=192.168.1.0/24
add action=mark-connection chain=forward comment="" connection-mark=all_con disabled=no dst-port=39190-49100 new-connection-mark=pb-con passthrough=yes protocol=tcp src-address=192.168.1.0/24
add action=mark-connection chain=forward comment="" connection-mark=all_con disabled=no dst-port=39190-49100 new-connection-mark=pb-con passthrough=yes protocol=udp src-address=192.168.1.0/24
add action=mark-packet chain=forward comment="" connection-mark=pb-con disabled=no new-packet-mark=point-blank passthrough=no
add action=mark-packet chain=forward comment="" disabled=no new-packet-mark=all_packet passthrough=no

/queue tree
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=1600k name="Download" parent=ether2-lan priority=8
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=HTTP packet-mark=all_packet parent="Download" priority=8 queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name="Point Blank" packet-mark=point-blank parent="Download" priority=7 queue=default

----------------------------
ANOTHER VERSION

#Set up PPPoE through Mikrotik (modem set as bridge)
/interface pppoe-client
add ac-name="" add-default-route=no allow=pap,chap,mschap1,mschap2 comment="" dial-on-demand=no disabled=no interface=Speedy-1 max-mru=1480 max-mtu=1480 mrru=disabled name="******@telkom.net" password="***" profile=default service-name="" use-peer-dns=no user="***"
#Facebook & Poker optimisation
/ip firewall address-list
add list="facebook" address=69.63.184.142
add list="facebook" address=69.63.187.17
add list="facebook" address=69.63.187.19
add list="facebook" address=69.63.181.11
add list="facebook" address=69.63.181.12
add list="facebook" address=69.63.180.14
add list="facebook" address=69.63.186.31
add list="facebook" address=69.63.186.30
add list="facebook" address=69.63.176.11
add list="facebook" address=69.63.186.11
add list="facebook" address=69.63.187.12
add list="facebook" address=69.63.180.12
add list="facebook" address=69.63.186.12
add list="facebook" address=69.63.176.65
add list="facebook" address=66.151.132.0/24
add list="facebook" address=118.214.190.0/24
add list="facebook" address=69.63.176.213
add list="facebook" address=125.160.18.0/24
add list="facebook" address=125.56.199.0/24
add list="facebook" address=125.160.16.0/24
/ip firewall nat
add chain=srcnat action=masquerade out-interface=public
add chain=dstnat protocol=udp dst-port=53 action=redirect to-ports=53
add chain=dstnat protocol=tcp dst-port=53 action=redirect to-ports=53
add chain=dstnat in-interface=local protocol=icmp action=redirect to-ports=1
add chain=dstnat in-interface=local src-address=192.168.1.0/24 dst-address-list=!poker protocol=tcp dst-port=80 action=redirect to-ports=8000
#Mangle for facebook & point blank
/ip firewall mangle
add chain=prerouting dst-address=203.89.146.0/23 protocol=udp dst-port=40000-40010 action=mark-connection new-connection-mark=pb-facebook passthrough=yes comment="PB IIX" disabled=no
add chain=prerouting dst-address-list=facebook action=mark-connection new-connection-mark=pb-facebook passthrough=yes comment="facebook" disabled=no
add chain=prerouting connection-mark=pb-facebook action=mark-packet new-packet-mark=pb-fb passthrough=no comment="" disabled=no
/queue tree
add name="pcq" parent=global-out packet-mark=pb-fb limit-at=0 queue=default priority=2 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s
#Mangle to limit downloads without slowing browsing
/ip firewall mangle
add chain=postrouting out-interface=local dst-address=192.168.1.0/24 protocol=tcp src-port=80 action=mark-connection new-connection-mark=http_conn passthrough=yes
add chain=postrouting out-interface=local connection-mark=http_conn connection-bytes=0-131072 action=mark-packet new-packet-mark=browsing passthrough=no
add chain=postrouting out-interface=local connection-mark=http_conn connection-bytes=131073-4294967295 action=mark-packet new-packet-mark=download passthrough=no
add chain=prerouting comment="pcq" action=mark-packet new-packet-mark=ALL passthrough=no
/queue type
add name="browsing" kind=pcq pcq-rate=0 pcq-limit=50 pcq-classifier=dst-address pcq-total-limit=2000
add name="download" kind=pcq pcq-rate=256000 pcq-limit=50 pcq-classifier=dst-address pcq-total-limit=2000
add name="PCQ_Upload" kind=pcq pcq-rate=0 pcq-limit=50 pcq-classifier=src-address pcq-total-limit=2000
/queue tree
add name="pcq" parent=local packet-mark="" limit-at=0 queue=default priority=3 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s
add name="browsing" parent=pcq packet-mark="browsing" limit-at=0 queue=browsing priority=1 max-limit=0 burst-limit=0 burst-threshold=0
add name="download" parent=pcq packet-mark="download" limit-at=0 queue=download priority=8 max-limit=256000 burst-limit=0 burst-threshold=0
add name="PCQ upload" parent=global-in packet-mark=ALL limit-at=0 queue=PCQ_Upload priority=8 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s
#Internal web proxy
/ip proxy
set enabled=yes src-address=0.0.0.0 port=8080 parent-proxy=0.0.0.0:0 parent-proxy-port=0 cache-drive=system cache-administrator="alfanet@block" max-disk-cache-size=unlimited max-ram-cache-size=unlimited maximal-client-connections=950 maximal-server-connections=950 max-object-size=4096KiB max-fresh-time=3d serialize-connections=no
##Import the nice address list
/tool fetch address=ixp.mikrotik.co.id src-path=/download/nice.rsc
/import nice.rsc
##Schedule an automatic daily update of the nice IP list
# Note: the fetched .rsc is executed as router commands, so whatever is served
# at that address runs with full router privileges on every update.
/system scheduler add comment="update-nice" disabled=no interval=1d name="update-nice-rsc" on-event=":if ([:len [/file find name=nice.rsc]] > 0) do={/file remove nice.rsc }; /tool fetch address=ixp.mikrotik.co.id src-path=/download/nice.rsc;/import nice.rsc" start-date=jan/01/1970 start-time=00:06:00

Done.

————————————

Yet Another Version

MIKROTIK: SEPARATE DOWNLOAD, BROWSING AND GAMING ON ONE LINE

Straight to it.....
Tested and running well on an RB750 with RouterOS version 4.5
ISP = SAPIDI EXECUTIVE 512 - 2M
Mangle:
GAME
Example for Point Blank; for other games, adjust the ports/IPs accordingly
chain=game action=mark-connection new-connection-mark=Game passthrough=yes protocol=tcp dst-address=203.89.146.0/23 dst-port=39190 comment="Point Blank"

chain=game action=mark-connection new-connection-mark=Game passthrough=yes protocol=udp dst-address=203.89.146.0/23 dst-port=40000-40010

chain=game action=mark-packet new-packet-mark=Game_pkt passthrough=no connection-mark=Game

chain=prerouting action=jump jump-target=game

POKER

chain=forward action=mark-connection new-connection-mark=Poker_con passthrough=yes protocol=tcp dst-address-list="LOAD POKER" comment="POKER"

chain=forward action=mark-connection new-connection-mark=Poker_con passthrough=yes protocol=tcp content=statics.poker.static.zynga.com

chain=forward action=mark-packet new-packet-mark=Poker passthrough=no connection-mark=Poker_con

BROWSING

chain=forward action=mark-connection new-connection-mark=http passthrough=yes protocol=tcp in-interface=WAN out-interface=Lan packet-mark=!Game_pkt connection-mark=!Game connection-bytes=0-262146 comment="BROWSE"

chain=forward action=mark-packet new-packet-mark=http_pkt passthrough=no protocol=tcp connection-mark=http

UPLOAD

chain=prerouting action=mark-packet new-packet-mark=Upload passthrough=no protocol=tcp src-address=192.168.0.0/24 in-interface=Lan packet-mark=!icmp_pkt comment="UPLOAD"

LIMIT DOWNLOAD

chain=forward action=mark-connection new-connection-mark=Download passthrough=yes protocol=tcp in-interface=WAN out-interface=Lan packet-mark=!Game_pkt connection-mark=!Poker_con connection-bytes=262146-4294967295 comment="LIMIT DOWNLOAD"

chain=forward action=mark-packet new-packet-mark=Download_pkt passthrough=no packet-mark=!Game_pkt connection-mark=Download

QUEUE

queue type

name="Download" kind=pcq pcq-rate=256000 pcq-limit=50 pcq-classifier=dst-address pcq-total-limit=2000

name="Http" kind=pcq pcq-rate=1M pcq-limit=50 pcq-classifier=dst-address pcq-total-limit=2000

name="Game" kind=pcq pcq-rate=0 pcq-limit=50 pcq-classifier=src-address,dst-address,src-port,dst-port pcq-total-limit=2000

name="Upload" kind=pcq pcq-rate=0 pcq-limit=50 pcq-classifier=src-address pcq-total-limit=2000

Queue Tree

name="Main Browse" parent=Lan limit-at=0 priority=8 max-limit=1M burst-limit=0 burst-threshold=0 burst-time=0s

name="Browse" parent="Main Browse" packet-mark=http_pkt limit-at=0 queue=Http priority=8 max-limit=1M burst-limit=0 burst-threshold=0 burst-time=0s

name="Game" parent=global-total packet-mark=Game_pkt limit-at=0 queue=Game priority=1 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s

name="Poker" parent=global-out packet-mark=Poker limit-at=0 queue=Game priority=3 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s

name="Download" parent=global-out packet-mark=Download_pkt limit-at=0 queue=Download priority=8 max-limit=256k burst-limit=0 burst-threshold=0 burst-time=0s

name="Main Upload" parent=global-in limit-at=0 priority=8 max-limit=256k burst-limit=0 burst-threshold=0 burst-time=0s

name="Upload" parent="Main Upload" packet-mark=Upload limit-at=0 queue=Upload priority=8 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s

THE RESULT
BROWSING: 1 Mbps shared evenly across the whole village (read: the whole network)
DOWNLOAD: 256 kbps shared evenly across the village
GAME: whatever bandwidth the village needs, as available
POKER: whatever bandwidth the village needs, as available
UPLOAD: whatever bandwidth is available, shared evenly according to the village's needs
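As an added example (not from the post, and not RouterOS code), a small Python model of how mangle walks these rules: chains run in listing order, passthrough=no ends the pass for that packet, and connection-bytes is read from the connection's running byte count. Replaying a 1 MB HTTP response through the rules in the order listed above, the connection is never re-marked as Download, because the http_pkt rule (passthrough=no) fires first on every packet once the connection carries the http mark; listing the LIMIT DOWNLOAD pair before the BROWSING pair gives the intended split. The packet sizes, the origin address, and the rule subset (poker and upload rules left out, the game rule matched on address only) are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Conn:
    proto: str
    dst: str
    dport: int
    nbytes: int = 0  # bytes seen on this connection so far (what connection-bytes tests)
    mark: str = ""   # connection mark

@dataclass
class Pkt:
    conn: Conn
    size: int
    in_iface: str
    out_iface: str
    mark: str = ""   # packet mark

def _eq(spec, value):  # RouterOS matcher syntax: a leading '!' negates the test
    return value != spec[1:] if spec.startswith("!") else value == spec

def _in_range(spec, value):  # "lo-hi" or a single value
    lo, _, hi = spec.partition("-")
    return int(lo) <= value <= int(hi or lo)

def _matches(rule, p):
    c = p.conn
    tests = {
        "protocol": lambda v: c.proto == v,
        "dst_address": lambda v: ipaddress.ip_address(c.dst) in ipaddress.ip_network(v),
        "in_interface": lambda v: p.in_iface == v,
        "out_interface": lambda v: p.out_iface == v,
        "packet_mark": lambda v: _eq(v, p.mark),
        "connection_mark": lambda v: _eq(v, c.mark),
        "connection_bytes": lambda v: _in_range(v, c.nbytes),
    }
    return all(test(rule[key]) for key, test in tests.items() if key in rule)

def _run_chain(rules, chain, p):
    """Walk one chain in listing order; True once a passthrough=no rule fires,
    after which RouterOS stops mangle processing for this packet."""
    for rule in rules:
        if rule["chain"] != chain or not _matches(rule, p):
            continue
        if rule["action"] == "jump":
            if _run_chain(rules, rule["target"], p):
                return True
        elif rule["action"] == "mark-connection":
            p.conn.mark = rule["new_mark"]
        elif rule["action"] == "mark-packet":
            p.mark = rule["new_mark"]
        if not rule.get("passthrough", True):
            return True
    return False

def mangle(rules, p):
    """Prerouting then forward; conntrack is assumed to have counted this packet already."""
    p.conn.nbytes += p.size
    for chain in ("prerouting", "forward"):
        if _run_chain(rules, chain, p):
            break
    return p.mark

def R(chain, action, **props):
    return dict(props, chain=chain, action=action)

# GAME, BROWSING and LIMIT DOWNLOAD as listed in the post (poker and upload omitted)
GAME = [
    R("game", "mark-connection", new_mark="Game", protocol="udp", dst_address="203.89.146.0/23"),
    R("game", "mark-packet", new_mark="Game_pkt", passthrough=False, connection_mark="Game"),
    R("prerouting", "jump", target="game"),
]
BROWSING = [
    R("forward", "mark-connection", new_mark="http", protocol="tcp", in_interface="WAN",
      out_interface="Lan", packet_mark="!Game_pkt", connection_mark="!Game",
      connection_bytes="0-262146"),
    R("forward", "mark-packet", new_mark="http_pkt", passthrough=False, protocol="tcp",
      connection_mark="http"),
]
LIMIT_DOWNLOAD = [
    R("forward", "mark-connection", new_mark="Download", protocol="tcp", in_interface="WAN",
      out_interface="Lan", packet_mark="!Game_pkt", connection_mark="!Poker_con",
      connection_bytes="262146-4294967295"),
    R("forward", "mark-packet", new_mark="Download_pkt", passthrough=False,
      packet_mark="!Game_pkt", connection_mark="Download"),
]
AS_POSTED = GAME + BROWSING + LIMIT_DOWNLOAD  # listing order in the post
REORDERED = GAME + LIMIT_DOWNLOAD + BROWSING  # byte test moved above the http_pkt rule

def classify_response(rules, total_bytes, mss=1460):
    """Replay one HTTP response (constructed origin 198.51.100.20:80) WAN->Lan and count marks."""
    conn, counts, sent = Conn("tcp", "198.51.100.20", 80), {}, 0
    while sent < total_bytes:
        size = min(mss, total_bytes - sent)
        mark = mangle(rules, Pkt(conn, size, "WAN", "Lan"))
        counts[mark] = counts.get(mark, 0) + 1
        sent += size
    return counts
```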

30 November 2010 Posted by | IT, PC and Internet Cafe | Leave a comment

Editing Squid.conf

Edit the squid.conf, the Squid Cache Proxy configuration file.

1. Open the squid config file (squid.conf) that is located on the /etc/squid directory with your own choice of text editor.

[root@linux fedora]# vi /etc/squid/squid.conf

or you can use the gedit program…

[root@linux fedora]# gedit /etc/squid/squid.conf

Warning: if you don't need to change a default setting in squid.conf, don't uncomment its line; leave it as it is.

2. First of all, we need to set up the port on which Squid listens for client proxy requests. By default Squid listens on port 3128 on all IP addresses of the machine.

In this project, we configure our Squid proxy to bind to the internal Ethernet card, which uses the internal IP 10.2.0.5, and to listen on port 8080 on that internal address. With this configuration, Squid is visible on, and listens on, our internal address only.

Configuration example on squid.conf file:

Customize the socket address on which your Squid proxy should listen for HTTP client requests; change the address to fit your network layout.

# NETWORK OPTIONS

...

#Default:

# http_port 3128

http_port 10.2.0.5:8080

Improving Squid performance.

To improve Squid proxy performance, edit the default configuration file to make use of the system's hardware capacity. The configuration below shows how to increase the size of the Squid cache memory and of the cache directory.

3. Scroll down and find # TAG: cache_mem (bytes). To increase Squid's cache memory, edit the default setting and put in a memory size appropriate to your system. The example below raises the Squid cache memory setting to 256 MB. Before you change this setting, make sure your hardware can support the amount of memory you specify here.

# OPTIONS WHICH AFFECT THE CACHE SIZE

# -----------------------------------

# TAG: cache_mem (bytes)

# NOTE: THIS PARAMETER DOES NOT SPECIFY THE MAXIMUM PROCESS SIZE.

# IT ONLY PLACES A LIMIT ON HOW MUCH ADDITIONAL MEMORY SQUID WILL

# USE AS A MEMORY CACHE OF OBJECTS. SQUID USES MEMORY FOR OTHER

# THINGS AS WELL. SEE THE SQUID FAQ SECTION 8 FOR DETAILS.

#

# ‘cache_mem’ specifies the ideal amount of memory to be used

# for:

# * In-Transit objects

# * Hot Objects

# * Negative-Cached objects

(...)

#Default:

# cache_mem 8 MB

cache_mem 256 MB

4. Then find # TAG: cache_dir and increase the size of the cache directory to 2000 MB; make sure you have enough disk space before you change the size value.

# LOGFILE PATHNAMES AND CACHE DIRECTORIES

# -----------------------------------------------------------------------------

# TAG: cache_dir

# Usage:

#

# cache_dir Type Directory-Name Fs-specific-data [options]

#

(...)

#

#Default:

# cache_dir ufs /var/spool/squid 100 16 256

cache_dir ufs /var/spool/squid 2000 16 256

Set Proxy to find DNS servers:

5. Adjust the list of DNS name servers. The Squid cache proxy uses this list of DNS servers to resolve domain names.

# TAG: dns_nameservers

# Use this if you want to specify a list of DNS name servers

# (IP addresses) to use instead of those given in your

# /etc/resolv.conf file.

# On Windows platforms, if no value is specified here or in

# the /etc/resolv.conf file, the list of DNS name servers are

# taken from the Windows registry, both static and dynamic DHCP

# configurations are supported.

#

# Example: dns_nameservers 10.0.0.1 192.172.0.4

#

#Default:

# none

dns_nameservers 203.106.93.91 161.142.227.17 192.228.128.16 201.188.0.16

Adding aux port:

6. Add the required ports to the Access Control List. This example shows port 2083 being added to the Safe_ports list.

# ACCESS CONTROLS

# —————————

———– **** +++++

#Examples:

#acl macaddress arp 09:00:2b:23:45:67

#acl myexample dst_as 1241

#acl password proxy_auth REQUIRED

#acl fileupload req_mime_type -i ^multipart/form-data$

#acl javascript rep_mime_type -i ^application/x-javascript$

#

#Recommended minimum configuration:

acl all src 0.0.0.0/0.0.0.0

acl manager proto cache_object

acl localhost src 127.0.0.1/255.255.255.255

acl to_localhost dst 127.0.0.0/8

acl SSL_ports port 2083 443 563

acl Safe_ports port 80 # http

acl Safe_ports port 21 # ftp

acl Safe_ports port 2083 443 563 # https, snews

acl Safe_ports port 70 # gopher

acl Safe_ports port 210 # wais

acl Safe_ports port 1025-65535 # unregistered ports

acl Safe_ports port 280 # http-mgmt

acl Safe_ports port 488 # gss-http

acl Safe_ports port 591 # filemaker

acl Safe_ports port 777 # multiling http

acl CONNECT method CONNECT

Adding Internal network to ACL:

7. To control who can use your Squid proxy, find and add the list of your Squid clients. The Access Control List rules in the example below allow only the internal IP networks to access and use the Squid proxy.

# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS

# Example rule allowing access from your local networks. Adapt

# to list your (internal) IP networks from where browsing should

# be allowed

#acl our_networks src 192.168.1.0/24 192.168.2.0/24

#http_access allow our_networks

acl FE_networks src 10.2.0.0/255.255.0.0

acl LABS_networks src 10.3.0.0/255.255.0.0

acl GENSUB_networks src 10.4.0.0/255.255.0.0

acl ADM_networks src 10.5.0.0/255.255.0.0

# LIB_networks is the name the http_access line below refers to; the original
# defined LABS_networks twice here and left LIB_networks undefined, which Squid rejects.
acl LIB_networks src 10.6.0.0/255.255.0.0

acl TKM_networks src 10.7.0.0/255.255.0.0

acl TKP_networks src 10.8.0.0/255.255.0.0

acl TKE_networks src 10.9.0.0/255.255.0.0

acl TKK_networks src 10.10.0.0/255.255.0.0

http_access allow FE_networks

http_access allow LABS_networks

http_access allow GENSUB_networks

http_access allow ADM_networks

http_access allow LIB_networks

http_access allow TKM_networks

http_access allow TKP_networks

http_access allow TKE_networks

http_access allow TKK_networks

# And finally deny all other access to this proxy

http_access allow localhost

http_access deny all

==========================================

other example for Squid acl:

# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS

# Example rule allowing access from your local networks. Adapt

# to list your (internal) IP networks from where browsing should

# be allowed

#acl our_networks src 192.168.1.0/24 192.168.2.0/24

#http_access allow our_networks

acl our_networks src 172.16.160.0/24 172.16.161.0/24 172.16.162.0/24 172.16.163.0/24 172.16.164.0/24 172.16.165.0/24 172.16.166.0/24 172.16.167.0/24 172.16.168.0/24 172.16.169.0/24 172.16.170.0/24

acl bad_url dstdomain "/etc/squid/bad-sites.squid"

# http_access is first-match: the deny for bad_url must come before the allow for
# our_networks, otherwise internal clients are allowed before the block list is consulted.
http_access deny bad_url

http_access allow our_networks
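An added Python model (not from the post, and not Squid's own code) of Squid's first-match http_access evaluation over the acl types used on this page (src, dstdomain, port, proto). It runs the block-list ordering as posted above, the corrected ordering, and the "allow manager" placement from the first config on this page; the client addresses, the .blocked.example domain standing in for the bad-sites file, and the cache_object request are constructed.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Request:
    src: str             # client source address (constructed sample values below)
    host: str            # destination host name
    port: int            # destination port
    proto: str = "HTTP"  # HTTP, FTP or cache_object

def _port_matches(port, spec):  # single port or lo-hi range
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

def _domain_matches(host, spec):
    # A leading dot means the domain and all its subdomains; without it, exact only.
    host, spec = host.lower(), spec.lower()
    return (host == spec[1:] or host.endswith(spec)) if spec.startswith(".") else host == spec

@dataclass
class HttpAccessPolicy:
    acls: dict = field(default_factory=dict)   # name -> (type, [values])
    rules: list = field(default_factory=list)  # (action, [(negated, acl name)])

    def load(self, text):
        for raw in text.splitlines():
            parts = raw.split("#", 1)[0].split()
            if parts and parts[0] == "acl":
                # Repeating an acl name appends values, as Squid does.
                self.acls.setdefault(parts[1], (parts[2], []))[1].extend(parts[3:])
            elif parts and parts[0] == "http_access":
                terms = [(t.startswith("!"), t.lstrip("!")) for t in parts[2:]]
                self.rules.append((parts[1], terms))
        return self

    def _acl_matches(self, name, req):
        typ, values = self.acls[name]
        if typ == "src":  # ip_network accepts 10.2.0.0/16 and 10.2.0.0/255.255.0.0 alike
            ip = ipaddress.ip_address(req.src)
            return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
        if typ == "dstdomain":
            return any(_domain_matches(req.host, v) for v in values)
        if typ == "port":
            return any(_port_matches(req.port, v) for v in values)
        if typ == "proto":
            return req.proto.lower() in (v.lower() for v in values)
        raise ValueError(f"acl type {typ!r} is not modelled here")

    def decide(self, req):
        """First rule whose terms all match wins. When nothing matches, Squid applies
        the opposite of the LAST rule's action: a list ending in deny defaults to allow."""
        for action, terms in self.rules:
            if all(self._acl_matches(name, req) != negated for negated, name in terms):
                return action
        return "deny" if self.rules[-1][0] == "allow" else "allow"

# As posted (bad-sites file replaced by a constructed domain): allow is reached first.
AS_POSTED = """
acl our_networks src 172.16.160.0/24 172.16.161.0/24
acl bad_url dstdomain .blocked.example
http_access allow our_networks
http_access deny bad_url
"""

# Deny the blocklist first and end with an explicit deny so the default never applies.
CORRECTED = """
acl all src 0.0.0.0/0.0.0.0
acl our_networks src 172.16.160.0/24 172.16.161.0/24
acl bad_url dstdomain .blocked.example
http_access deny bad_url
http_access allow our_networks
http_access deny all
"""

# From the first config on this page: "allow manager" precedes the network rules.
MANAGER_FIRST = """
acl localnet src 192.168.1.0/24
acl manager proto cache_object
acl all src 0.0.0.0/0.0.0.0
http_access allow manager
http_access allow localnet
http_access deny all
"""

def evaluate(config_text, req):
    return HttpAccessPolicy().load(config_text).decide(req)

def demo():
    inside_blocked = Request("172.16.160.10", "www.blocked.example", 80)
    outsider = Request("198.51.100.7", "www.example.org", 80)
    outsider_mgr = Request("198.51.100.7", "localhost", 3128, proto="cache_object")
    return {
        "posted: inside -> blocked site": evaluate(AS_POSTED, inside_blocked),
        "posted: outsider": evaluate(AS_POSTED, outsider),
        "fixed: inside -> blocked site": evaluate(CORRECTED, inside_blocked),
        "fixed: outsider": evaluate(CORRECTED, outsider),
        "manager-first: outsider cachemgr": evaluate(MANAGER_FIRST, outsider_mgr),
    }
```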

8. To forward FTP requests from clients directly to the origin servers.

# TAG: always_direct

# Usage: always_direct allow|deny [!]aclname ...

#

# Here you can use ACL elements to specify requests which should

# ALWAYS be forwarded by Squid to the origin servers without using

# any peers. For example, to always directly forward requests for

# local servers ignoring any parents or siblings you may have use

# something like:

#

# acl local-servers dstdomain my.domain.net

# always_direct allow local-servers

#

# To always forward FTP requests directly, use

#

# acl FTP proto FTP

# always_direct allow FTP

(...)

#

#Default:

# none

acl FTP proto FTP

always_direct allow FTP

DONE

30 November 2010 Posted by | IT, PC and Internet Cafe | Leave a comment

Misc - Squid Proxy

System Administration With Webmin, Chapter 12. Squid
Other Caches

The Other Caches page provides an interface to one of Squid's most interesting, but also widely misunderstood, features. Squid is the reference implementation of ICP, or Intercache Communication Protocol, a simple but effective means for multiple caches to communicate with each other regarding the content that is available on each. This opens the door for many interesting possibilities when one is designing a caching infrastructure.
Intercache Communication Protocol

It is probably useful to discuss how ICP works and some common usages for ICP within Squid, in order to quickly make it clear what it is good for, and perhaps even more importantly, what it isn’t good for. The most popular uses for ICP are discussed, and more good ideas will probably arise in the future as the internet becomes even more global in scope, and the web caching infrastructure must grow with it.
Parent and Sibling Relationships

The ICP protocol specifies that a web cache can act as either a parent or a sibling. A parent cache is simply an ICP capable cache that will answer both hits and misses for child caches, while a sibling will only answer hits for other siblings. This subtle distinction means simply that a parent cache can proxy for caches that have no direct route to the internet. A sibling cache, on the other hand, cannot be relied upon to answer all requests, and your cache must have another method to retrieve requests that cannot come from the sibling. This usually means that in sibling relationships, your cache will also have a direct connection to the internet or a parent proxy that can retrieve misses from the origin servers. ICP is a somewhat chatty protocol in that an ICP request will be sent to every neighbor cache each time a cache miss occurs. By default, whichever cache replies with an ICP hit first, will be the cache used to request the object.
When to Use ICP

ICP is often used in situations wherein one has multiple internet connections, or several types of path to internet content. Other possibilities include having a cache mesh such as the IRCache Hierarchy in the US or The National Janet Web Caching Service in the UK, which can utilize lower cost non-backbone links to connect several remote caches in order to lower costs and raise performance. Finally, it is possible, though usually not recommended, to implement a rudimentary form of load balancing through the use of multiple parents and multiple child web caches. All of these options are discussed in some detail, but this document should not be considered the complete reference to ICP. Other good sources of information include the two RFCs on the subject, RFC 2186 which discusses the protocol itself, and RFC 2187 which describes the application of ICP.

One common ICP-based solution in use today, is satellite cache pre-population services, such as that offered by Cidera. In this case, there are at least two caches at a site, one of which is connected to a satellite internet uplink. The satellite connected cache is provided by the service provider, and it is automatically filled with popular content via the satellite link. The other cache uses the satellite connected cache as a sibling, which it queries for every cache miss that it has. If the satellite connected sibling has the content it will be served from the sibling cache, if not the primary cache will fetch the content from the origin server or a parent cache. ICP is a pretty effective, if somewhat bandwidth and processor intensive, means of accomplishing this task. A refinement of this process would be to use Cache-Digests for the satellite connected sibling in order to reduce traffic between the sibling caches. Nonetheless, ICP is a quite good method of implementing this idea.
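As an added example (not from the book, and not Squid's code), the ICP exchange described above in Python: RFC 2186 query and reply datagrams are encoded and decoded, then a simplified neighbour selection is run against a pre-populated sibling and an upstream parent, like the satellite layout just described. Peer names, URLs, latencies and the 192.0.2.10 local address are constructed, and miss handling is reduced to "fastest replying parent" rather than Squid's full selection algorithm.

```python
import socket
import struct

# Opcodes from RFC 2186 (only those used here)
ICP_OP_QUERY, ICP_OP_HIT, ICP_OP_MISS = 1, 2, 3
ICP_VERSION = 2
# Fixed 20-byte header: opcode, version, length, request number, options,
# option data, sender host address (all network byte order)
_HDR = struct.Struct("!BBHIIII")

def encode_query(reqnum, url, requester_ip):
    """ICP_OP_QUERY carries the requester's address before the NUL-terminated URL."""
    payload = socket.inet_aton(requester_ip) + url.encode() + b"\0"
    return _HDR.pack(ICP_OP_QUERY, ICP_VERSION, _HDR.size + len(payload), reqnum, 0, 0, 0) + payload

def encode_reply(opcode, reqnum, url):
    """HIT/MISS replies echo the NUL-terminated URL so the asker can pair them up."""
    payload = url.encode() + b"\0"
    return _HDR.pack(opcode, ICP_VERSION, _HDR.size + len(payload), reqnum, 0, 0, 0) + payload

def decode(datagram):
    """Return (opcode, request number, url); reject truncated or foreign-version packets."""
    opcode, version, length, reqnum, _, _, _ = _HDR.unpack_from(datagram)
    if version != ICP_VERSION or length != len(datagram):
        raise ValueError("malformed ICP datagram")
    body = datagram[_HDR.size:]
    if opcode == ICP_OP_QUERY:
        body = body[4:]  # skip the requester host address
    return opcode, reqnum, body.split(b"\0", 1)[0].decode()

class Peer:
    """A neighbour cache: 'parent' or 'sibling', with the URLs it holds and a
    constructed reply latency used to order the replies."""
    def __init__(self, name, kind, urls, latency_ms):
        self.name, self.kind, self.urls, self.latency_ms = name, kind, set(urls), latency_ms

    def answer(self, datagram):
        opcode, reqnum, url = decode(datagram)
        if opcode != ICP_OP_QUERY:
            raise ValueError("peer only answers queries")
        return encode_reply(ICP_OP_HIT if url in self.urls else ICP_OP_MISS, reqnum, url)

def choose_peer(peers, url, reqnum=1):
    """Query every neighbour; the first HIT to arrive wins. A sibling's MISS is
    never used (it will not fetch for us); with no HIT, the fastest parent is
    asked to fetch, and with no parent at all the request goes direct."""
    query = encode_query(reqnum, url, "192.0.2.10")  # constructed local cache address
    replies = sorted(((p.latency_ms, p, p.answer(query)) for p in peers), key=lambda t: t[0])
    fallback = None
    for _, peer, datagram in replies:
        opcode, rn, u = decode(datagram)
        if rn != reqnum or u != url:
            continue  # stale or mismatched reply, ignore it
        if opcode == ICP_OP_HIT:
            return peer.name, "HIT"
        if opcode == ICP_OP_MISS and peer.kind == "parent" and fallback is None:
            fallback = peer
    return (fallback.name, "MISS") if fallback else ("DIRECT", "MISS")

def demo():
    # Constructed layout from the satellite example: a pre-populated sibling and an ISP parent.
    satellite = Peer("satellite-sibling", "sibling", ["http://example.org/popular.html"], 5)
    upstream = Peer("isp-parent", "parent", ["http://example.org/index.html"], 40)
    return {
        "popular": choose_peer([satellite, upstream], "http://example.org/popular.html"),
        "index": choose_peer([satellite, upstream], "http://example.org/index.html"),
        "new": choose_peer([satellite, upstream], "http://example.org/new.html"),
        "sibling only": choose_peer([satellite], "http://example.org/new.html"),
    }
```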

Another common use is cache meshes. A cache mesh is, in short, a number of web caches at remote sites–possibly distant, but also possibly just in different buildings of the same university or different floors in the same office building–that are allowed to share data using ICP. This type of hierarchy allows a large number of caches to benefit from a larger client population than is directly available to it. All other things being equal, a cache that is not overloaded will perform better (with regard to hit ratio) with a larger number of clients. Simply put, a larger client population leads to a higher quality of cache content, which in turn leads to higher hit ratios and improved bandwidth savings. So, whenever it is possible to increase the client population without overloading the cache, such as in the case of a cache mesh, it may be worth considering. Again this type of hierarchy can be improved upon by the use of Cache Digests, but ICP is usually simpler to implement and is a widely supported standard, even on non-Squid caches.

Finally, ICP is also sometimes used for load balancing multiple caches at the same site. ICP, or even Cache Digests for that matter, are almost never the best way to implement load balancing. However, for completeness, I’ll discuss it briefly. Using ICP for load balancing can be achieved in a few ways. One common method is to have several local siblings, which can each provide hits to the others’ clients, while the client load is evenly divided across the number of caches. Another option is to have a very fast but low capacity web cache in front of two or more lower cost, but higher capacity, parent web caches. The parents will then provide the requests in a roughly equal amount. As mentioned, there are much better options for balancing web caches, the most popular being WCCP (version 1 is fully supported by Squid), and L4 switches. These will be covered in more detail in a later section.
Other Proxy Cache Servers

This section of the Other Caches page provides a list of currently configured sibling and parent caches, and also allows one to add more neighbor caches. Clicking on the name of a neighbor cache will allow you to edit it. This section also provides the vital information about the neighbor caches, such as the type (parent, sibling, multicast), the proxy or HTTP port, and the ICP or UDP port of the caches. Note that Proxy port is the port where the neighbor cache normally listens for client traffic, which defaults to 3128.
Edit Cache Host

Clicking on a neighbor cache name or clicking Add another cache on the primary Other Caches page brings you to this page, which allows you to edit most of the relevant details about neighbor caches.

Figure 12-2. Edit Cache Host Page

Hostname is the name or IP address of the neighbor cache you want your cache to communicate with. Note that this sets up one-way traffic; ACLs are used to allow ICP requests from other caches, and ACLs are covered later. This option, plus most of the rest of the options on this page, corresponds to cache_peer lines in squid.conf.

Type is simply the type of relationship you want your cache to have with the neighbor cache. If the cache is upstream, and you have no control over it, you will need to consult with the administrator to find out what kind of relationship you should set up. If it is configured wrong, cache misses will likely result in errors for your users. The options here are sibling, parent, and multicast.

Proxy port sets the port on which the neighbor cache is listening for standard HTTP requests. Even though the caches transmit availability data via ICP, actual web objects are still transmitted via HTTP on the port usually used for standard client traffic. If your neighbor cache is a Squid based cache, then it is likely to be listening on the default port 3128. Other common ports used by cache servers include 8000, 8888, 8080, and even 80 in some circumstances.

ICP port is the port on which the neighbor cache is configured to listen for ICP traffic. If your neighbor cache is a Squid based proxy, this value can be found by checking the icp_port directive in the squid.conf file on the neighbor cache. Generally, however, the neighbor cache will listen on the default port 3130.

Proxy only? is a simple yes or no question to tell whether objects fetched from the neighbor cache should be cached locally. This can be used when all caches are operating well below their client capacity, but disk space is at a premium or hit ratio is of prime importance.

Send ICP queries? tells your cache whether or not to send ICP queries to a neighbor. The default is Yes, and it should probably stay that way. ICP queries are the method by which Squid knows which caches are responding, and which caches are closest and/or best able to answer a request quickly.

Default cache can be switched to Yes if this neighbor cache is to be the last-resort parent cache to be used in the event that no other neighbor cache is present as determined by ICP queries. Note that this does not prevent it from being used normally while other caches are responding as expected.

Round-robin cache? chooses whether to use round robin scheduling between multiple parent caches in the absence of ICP queries. This should be set on all parents that you would like to schedule in this way.

ICP time-to-live defines the multicast TTL for ICP packets. When using multicast ICP, it is usually wise, for security and bandwidth reasons, to use the minimum TTL suitable for your network.

Cache weighting sets the weight for a parent cache. When using this option it is possible to set higher numbers for preferred caches. The default value is 1, and if left unset for all parent caches, whichever cache responds positively first to an ICP query will be sent a request to fetch that object.

Closest only allows you to specify that your cache wants only CLOSEST_PARENT_MISS replies from parent caches. This allows your cache to then request the object from the parent cache closest to the origin server.

No digest? chooses whether this neighbor cache should send cache digests.

No NetDB exchange. When using ICP, it is possible for Squid to keep a database of network information about the neighbor caches, including availability and RTT, or Round Trip Time, information. This usually allows Squid to choose more wisely which caches to make requests to when multiple caches have the requested object.

No delay? prevents accesses to this neighbor cache from affecting delay pools. Delay pools, discussed in more detail later, are a means by which Squid can regulate bandwidth usage. If a neighbor cache is on the local network, and bandwidth usage between the caches does not need to be restricted, then this option can be used.

Login to proxy is used to send authentication information when challenged by the neighbor cache. On local networks, this type of security is unlikely to be necessary.

Multicast responder allows Squid to know where to accept multicast ICP replies. Because multicast is fed on a single IP to many caches, Squid must have some way of determining which caches to listen to and what options apply to that particular cache. Selecting Yes here configures Squid to listen for multicast replies from the IP of this neighbor cache.

Query host for domains and Don’t query for domains are the only options on this page to configure a directive other than cache_peer in Squid. In this case it sets the cache_peer_domain option. This allows you to configure which domains may be queried via ICP and which should not. It is often used to configure caches not to query other caches for content within the local domain. Another common usage, such as in the national web hierarchies discussed above, is to define which web cache is used for requests destined for different TLDs. So, for example, if one has a low cost satellite link to the US backbone from another country that is preferred for web traffic over a much more expensive land line, one can configure the satellite-connected cache as the cache to query for all .com, .edu, .org, .net, .us, and .gov addresses.

Cache Selection Options

This section provides configuration options for general ICP configuration. These options affect all of the other neighbor caches that you define.

Figure 12-3. Some global ICP options

Directly fetch URLs containing allows you to configure a match list of items to always fetch directly rather than query a neighbor cache. The default here is "cgi-bin ?" and should continue to be included unless you know what you’re doing. This helps prevent wasting bandwidth on lots of requests that are usually never considered cacheable, and so will never return hits from your neighbor caches. This option sets the hierarchy_stoplist directive.

ICP query timeout defines the timeout in milliseconds that Squid will wait before timing out ICP requests. The default allows Squid to calculate an optimum value based on average RTT of the neighbor caches. Usually, it is wise to leave this unchanged. However, for reference, the old default value was 2000, or 2 seconds. This option edits the icp_query_timeout directive.

Multicast ICP timeout sets the timeout value for multicast probes, which are sent out to discover the number of active multicast peers listening on a given multicast address. This configures the mcast_icp_query_timeout directive and defaults to 2000 ms, or 2 seconds.

Dead peer timeout controls how long Squid waits to declare a peer cache dead. If there are no ICP replies received in this amount of time, Squid will declare the peer dead and will not expect to receive any further ICP replies. However, it continues to send ICP queries for the peer and will mark it active again on receipt of a reply. This timeout also affects when Squid expects to receive ICP replies from peers. If more than this number of seconds have passed since the last ICP reply was received, Squid will not expect to receive an ICP reply on the next query. Thus, if your time between requests is greater than this timeout, your cache will send more requests DIRECT rather than through the neighbor caches.
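The ICP exchange and the dead-peer bookkeeping described above, as an added example that is neither Squid's nor Webmin's code. It assumes the 20-byte RFC 2186 header layout and opcode numbers given in the constants, and uses an assumed DEAD_PEER_TIMEOUT of 10 seconds in place of the real dead_peer_timeout setting; every datagram and the reply timeline are constructed.

```python
"""ICP (RFC 2186) query/reply encoding and a dead-peer tracker.

Added example, not Squid's or Webmin's code. Assumed: the RFC 2186 header
layout and opcodes below, and DEAD_PEER_TIMEOUT as a stand-in for the
dead_peer_timeout directive. Datagrams and the timeline are constructed.
"""
import socket
import struct
from typing import Optional

ICP_VERSION = 2
ICP_OP_QUERY, ICP_OP_HIT, ICP_OP_MISS, ICP_OP_ERR = 1, 2, 3, 4
ICP_OP_MISS_NOFETCH, ICP_OP_DENIED = 21, 22
ICP_FLAG_SRC_RTT = 0x40000000  # option data carries the peer's RTT to the origin

# opcode, version, length, request number, options, option data, sender address
HEADER = struct.Struct("!BBHIII4s")
ZERO_ADDR = b"\x00\x00\x00\x00"

def encode_query(reqnum: int, url: str, requester_ip: str = "0.0.0.0") -> bytes:
    """ICP_OP_QUERY: header, 4-byte requester address, NUL-terminated URL."""
    payload = socket.inet_aton(requester_ip) + url.encode() + b"\x00"
    # SRC_RTT asks peers to report their RTT to the origin server, which is
    # what a "closest only" parent choice (CLOSEST_PARENT_MISS) relies on.
    return HEADER.pack(ICP_OP_QUERY, ICP_VERSION, HEADER.size + len(payload),
                       reqnum, ICP_FLAG_SRC_RTT, 0, ZERO_ADDR) + payload

def encode_reply(opcode: int, reqnum: int, url: str, rtt_ms: int = 0) -> bytes:
    """ICP_OP_HIT / ICP_OP_MISS / ...: header plus NUL-terminated URL; RTT optional."""
    payload = url.encode() + b"\x00"
    options = ICP_FLAG_SRC_RTT if rtt_ms else 0
    return HEADER.pack(opcode, ICP_VERSION, HEADER.size + len(payload),
                       reqnum, options, rtt_ms & 0xFFFF, ZERO_ADDR) + payload

def decode(datagram: bytes) -> dict:
    """Parse one ICP datagram, rejecting truncated or mis-sized ones."""
    if len(datagram) < HEADER.size:
        raise ValueError("short ICP datagram")
    opcode, version, length, reqnum, options, optdata, _sender = HEADER.unpack_from(datagram)
    if version != ICP_VERSION or length != len(datagram):
        raise ValueError("bad ICP version or length field")
    body, requester = datagram[HEADER.size:], None
    if opcode == ICP_OP_QUERY:  # queries carry the requester address first
        requester, body = socket.inet_ntoa(body[:4]), body[4:]
    url = body.split(b"\x00", 1)[0].decode()
    rtt_ms = (optdata & 0xFFFF) if options & ICP_FLAG_SRC_RTT else None
    return {"opcode": opcode, "reqnum": reqnum, "requester": requester,
            "url": url, "rtt_ms": rtt_ms}

def choose_parent(replies: dict) -> Optional[str]:
    """From {peer: decoded reply}: the first HIT wins; otherwise the MISS with the
    lowest reported RTT (the CLOSEST_PARENT_MISS idea); otherwise no parent."""
    for peer, reply in replies.items():
        if reply["opcode"] == ICP_OP_HIT:
            return peer
    misses = {p: r["rtt_ms"] for p, r in replies.items()
              if r["opcode"] == ICP_OP_MISS and r["rtt_ms"] is not None}
    return min(misses, key=misses.get) if misses else None

DEAD_PEER_TIMEOUT = 10.0  # seconds; assumed value standing in for dead_peer_timeout

class PeerState:
    """No reply within DEAD_PEER_TIMEOUT -> peer is not expected to answer;
    any later reply marks it active again, as the text describes."""
    def __init__(self, name: str):
        self.name, self.last_reply = name, None
    def on_reply(self, now: float) -> None:
        self.last_reply = now
    def expects_reply(self, now: float) -> bool:
        return self.last_reply is not None and now - self.last_reply <= DEAD_PEER_TIMEOUT

def replay(timeline) -> list:
    """Replay constructed (time, event) pairs; return the verdict of every 'check'."""
    peer, verdicts = PeerState("parent1"), []
    for t, event in timeline:
        if event == "reply":
            peer.on_reply(t)
        elif event == "check":
            verdicts.append(peer.expects_reply(t))
    return verdicts
```

Calling replay with a reply at t=0.1, checks at t=5 and t=15, then a reply at t=20 and a check at t=21 yields [True, False, True]: the peer goes quiet past the timeout, is treated as dead (requests go DIRECT), and is trusted again as soon as it answers.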

25 November 2010 Posted by | PC dan Warnet | Leave a comment

Firewall Mikrotik – 1

Saturday, September 4, 2010
Mikrotik Firewall
Here I'm going to cover a bit about the Mikrotik firewall, from what I've learned on the Mikrotik wiki. Putting a firewall on a Mikrotik box is a must, to protect us both from the outside (read: the internet) and from the client side. So that you don't just blindly copy-paste scripts and actually understand how the protection works, here is the explanation:
A firewall is usually built from packet filtering of all traffic going in and out of the router. Together with NAT (Network Address Translation), the firewall keeps "outsiders" from meddling in "domestic affairs" and at the same time filters all "domestic" dealings with the "outside".
The Packet Flow Diagram can be seen in the image below:

Confused? Same here..... :D :D
OK, forget the diagram... just use logic... basically there are 3 main chains:
* INPUT - used to process all packets that enter the router through any interface.
* FORWARD - used to process all packets that pass through the router.
* OUTPUT - used to process all packets originating from the router that leave through an interface, but which are not the result of the FORWARD chain above.
To process a packet, the rules are read in order from the top rule downwards, so if a packet meets the criteria of the first rule it is processed there; if not, it is passed on to the next rule, and so on....
First let's understand the connection-states of a packet; I can't be bothered to translate these, so here they are in the original wording...
* established - a packet which belongs to an existing connection
* invalid - a packet which could not be identified for some reason
* new - a packet which begins a new connection
* related - a packet which is related to, but not part of an existing connection, such as ICMP errors or a packet which begins an FTP data connection
Example... let's go straight to practice.... the data used for this tutorial is as follows:
Interface to local = Local
Interface to PPPoE = Speedy
Interface to proxy = Proxy
Local network IP = 192.168.2.0/27
Proxy network IP = 192.168.3.28/30
The flow we process is sequential:

PROCESSING INPUT PACKETS
1. Drop all INVALID PACKETS

/ip firewall filter
add action=drop chain=input comment="Drop Invalid connections" connection-state=invalid disabled=no

2. Allow packets from the LAN and PROXY interfaces with the subnets defined above

add action=accept chain=input comment="Allow Input from LOCAL Network" \
disabled=no in-interface=Local src-address=192.168.2.0/27
add action=accept chain=input comment="Allow Input from PROXY Network" \
disabled=no in-interface=Proxy src-address=192.168.3.28/30

3. Allow packets from the PPPoE interface with connection state ESTABLISHED and RELATED

add action=accept chain=input comment="Allow Established connections" \
connection-state=established disabled=no in-interface=Speedy
add action=accept chain=input comment="Allow Related connections" \
connection-state=related disabled=no in-interface=Speedy

4. Drop the rest

add action=drop chain=input comment="Drop everything else" disabled=no

Well, with the simple rules above the router can be said to be safe from "outsiders". The problem is that the Mikrotik router can no longer be accessed from outside... including with Winbox.. :D so for that we need to add a line to allow the Winbox port. REMEMBER! only enable it when you actually need it...

add action=accept chain=input comment=\
"Allow Winbox Access ---------- CHECK BEFORE ENABLED" disabled=yes \
dst-port=8291 in-interface=Speedy protocol=tcp

Put it near the bottom, BEFORE "Drop everything else"!
If you also want to block port scanners, just add the following lines:

add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="Port scanners to list" \
disabled=no protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="NMAP FIN Stealth scan" \
disabled=no protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="SYN/FIN scan" disabled=no \
protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="SYN/RST scan" disabled=no \
protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" disabled=\
no protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="ALL/ALL scan" disabled=no \
protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="NMAP NULL scan" disabled=no \
protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=input comment="Dropping port scanners" disabled=no \
src-address-list="port scanners"

Put the lines above AFTER "Drop Invalid connections".
The result can be seen in the following image:

PROCESSING FORWARD PACKETS
1. Drop all INVALID PACKETS

add action=drop chain=forward comment="Drop Invalid connections" \
connection-state=invalid disabled=no

2. Create CHAINs to process TCP, UDP and ICMP packets

add action=jump chain=forward comment="Bad packets filtering" disabled=no \
jump-target=tcp protocol=tcp
add action=jump chain=forward comment="" disabled=no jump-target=udp \
protocol=udp
add action=jump chain=forward comment="" disabled=no jump-target=icmp \
protocol=icmp

3. Drop the TCP packets deemed a danger to the nation and the state

add action=drop chain=tcp comment="deny SMTP" disabled=no dst-port=25 \
protocol=tcp
add action=drop chain=tcp comment="deny TFTP" disabled=no dst-port=69 \
protocol=tcp
add action=drop chain=tcp comment="deny RPC portmapper" disabled=no dst-port=\
111 protocol=tcp
add action=drop chain=tcp comment="deny RPC portmapper" disabled=no dst-port=\
135 protocol=tcp
add action=drop chain=tcp comment="deny NBT" disabled=no dst-port=137-139 \
protocol=tcp
add action=drop chain=tcp comment="deny cifs" disabled=no dst-port=445 \
protocol=tcp
add action=drop chain=tcp comment="deny NFS" disabled=no dst-port=2049 \
protocol=tcp
add action=drop chain=tcp comment="deny NetBus" disabled=no dst-port=\
12345-12346 protocol=tcp
add action=drop chain=tcp comment="deny NetBus" disabled=no dst-port=20034 \
protocol=tcp
add action=drop chain=tcp comment="deny BackOrifice" disabled=no dst-port=\
31337 protocol=tcp
add action=drop chain=tcp comment="deny DHCP" disabled=no dst-port=67-68 \
protocol=tcp
add action=drop chain=tcp comment="deny P2P" disabled=no p2p=all-p2p

4. Drop the UDP packets as well...

add action=drop chain=udp comment="deny TFTP" disabled=no dst-port=69 \
protocol=udp
add action=drop chain=udp comment="deny RPC portmapper" disabled=no dst-port=\
111 protocol=udp
add action=drop chain=udp comment="deny RPC portmapper" disabled=no dst-port=\
135 protocol=udp
add action=drop chain=udp comment="deny NBT" disabled=no dst-port=137-139 \
protocol=udp
add action=drop chain=udp comment="deny NFS" disabled=no dst-port=2049 \
protocol=udp
add action=drop chain=udp comment="deny BackOrifice" disabled=no dst-port=\
31337 protocol=udp
add action=drop chain=udp comment="deny P2P" disabled=no p2p=all-p2p

5. For ICMP we just limit it to 5 packets per second; anything more than that we drop

add action=accept chain=icmp comment="limit packets 5/secs" disabled=no \
icmp-options=0:0-255 limit=5,5 protocol=icmp
add action=accept chain=icmp comment="limit packets 5/secs" disabled=no \
icmp-options=3:0 limit=5,5 protocol=icmp
add action=accept chain=icmp comment="limit packets 5/secs" disabled=no \
icmp-options=3:3 limit=5,5 protocol=icmp
add action=accept chain=icmp comment="limit packets 5/secs" disabled=no \
icmp-options=3:4 limit=5,5 protocol=icmp
add action=accept chain=icmp comment="limit packets 5/secs" disabled=no \
icmp-options=8:0-255 limit=5,5 protocol=icmp
add action=accept chain=icmp comment="limit packets 5/secs" disabled=no \
icmp-options=11:0-255 limit=5,5 protocol=icmp
add action=drop chain=icmp comment="Drop other icmp packets" disabled=no

6. Allow forwarded packets from the LAN and PROXY interfaces with the subnets defined above

add action=accept chain=forward comment="Allow Forward from LOCAL Network" \
disabled=no in-interface=Local src-address=192.168.2.0/27
add action=accept chain=forward comment="Allow Forward from PROXY Network" \
disabled=no in-interface=Proxy src-address=192.168.3.28/30

7. Allow forwarded packets from the PPPoE interface with connection state ESTABLISHED and RELATED

add action=accept chain=forward comment="Allow Established connections" \
connection-state=established disabled=no in-interface=Speedy
add action=accept chain=forward comment="Allow Related connections" \
connection-state=related disabled=no in-interface=Speedy

8. Drop the rest

add action=drop chain=forward comment="Drop everything else" disabled=no

The result can be seen in the following image:

And the NAT is as follows:

/ip firewall nat
add action=dst-nat chain=dstnat comment="TRANSPARENT PROXY" disabled=no \
dst-address=!192.168.3.28/30 dst-port=80,8080,3128 in-interface=Local \
protocol=tcp to-addresses=192.168.3.29 to-ports=3128
add action=masquerade chain=srcnat comment="MASQUERADE PPPOE" disabled=no \
out-interface=Speedy

Done, the router is now "safe" from outside and inside. If you want to check the firewall, just google the keyword "firewall test". The recommendations are GRC or PC Flank. Come to think of it, is anything on the internet ever really safe? xixixixiixi
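The rule-ordering points made above (the Winbox accept must sit before "Drop everything else", the scanner rules go after "Drop Invalid connections", and a sub-chain reached by jump falls back into the caller when nothing in it matches) as a first-match simulation. This is an added example, not RouterOS code and not the post's script: rules are Python dicts using the same keys as the post's rules, psd matching is not modelled, and the outside address 203.0.113.5 and all packets are constructed.

```python
"""First-match simulator for the /ip firewall filter rules above.

Added example, not RouterOS code and not the post's own script. Rules are
dicts with the same keys as the post's rules; chains, jumps, connection-state,
tcp-flags and address lists are modelled (psd is not). The outside address
203.0.113.5 and every packet are constructed for the demo.
"""
from ipaddress import ip_address, ip_network

META = {"action", "chain", "comment", "disabled", "jump-target",
        "address-list", "address-list-timeout"}

def flags_match(spec: str, flags: set) -> bool:
    """tcp-flags=fin,!syn: listed flags must be set, '!' ones clear, others ignored."""
    for item in spec.split(","):
        if item.startswith("!") == (item.lstrip("!") in flags):
            return False
    return True

def in_port_range(spec: str, port: int) -> bool:
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

def matches(rule: dict, pkt: dict, lists: dict) -> bool:
    for key, val in rule.items():
        if key in META:
            continue
        if key == "src-address":
            ok = ip_address(pkt["src"]) in ip_network(val, strict=False)
        elif key == "src-address-list":
            ok = pkt["src"] in lists.get(val, set())
        elif key == "dst-port":
            ok = in_port_range(val, pkt["dport"])
        elif key == "tcp-flags":
            ok = flags_match(val, pkt.get("flags", set()))
        else:  # protocol, in-interface, connection-state: exact match
            ok = pkt.get(key) == val
        if not ok:
            return False
    return True

def evaluate(rules: list, chain: str, pkt: dict, lists: dict, default="accept"):
    """Walk one chain top-down and return the first terminating action.
    A jump whose target chain matches nothing falls back into the caller."""
    for rule in rules:
        if rule.get("disabled") == "yes" or rule["chain"] != chain or not matches(rule, pkt, lists):
            continue
        action = rule["action"]
        if action == "jump":
            verdict = evaluate(rules, rule["jump-target"], pkt, lists, default=None)
            if verdict is not None:
                return verdict
        elif action == "add-src-to-address-list":  # records the source, does not terminate
            lists.setdefault(rule["address-list"], set()).add(pkt["src"])
        else:
            return action  # accept / drop / reject
    return default  # built-in chains accept whatever no rule decided on

def input_rules(winbox_enabled=False, winbox_last=False) -> list:
    """The post's INPUT chain in its recommended order; the Winbox rule is
    disabled as shipped, enabled before the final drop, or (wrongly) after it."""
    winbox = {"chain": "input", "action": "accept", "protocol": "tcp", "dst-port": "8291",
              "in-interface": "Speedy", "disabled": "no" if winbox_enabled else "yes"}
    drop_rest = {"chain": "input", "action": "drop"}
    rules = [
        {"chain": "input", "action": "drop", "connection-state": "invalid"},
        {"chain": "input", "action": "add-src-to-address-list", "address-list": "port scanners",
         "protocol": "tcp", "tcp-flags": "!fin,!syn,!rst,!psh,!ack,!urg"},  # NMAP NULL scan
        {"chain": "input", "action": "add-src-to-address-list", "address-list": "port scanners",
         "protocol": "tcp", "tcp-flags": "fin,syn"},                         # SYN/FIN scan
        {"chain": "input", "action": "drop", "src-address-list": "port scanners"},
        {"chain": "input", "action": "accept", "in-interface": "Local", "src-address": "192.168.2.0/27"},
        {"chain": "input", "action": "accept", "in-interface": "Speedy", "connection-state": "established"},
        {"chain": "input", "action": "accept", "in-interface": "Speedy", "connection-state": "related"},
    ]
    return rules + ([drop_rest, winbox] if winbox_last else [winbox, drop_rest])

FORWARD_RULES = [
    {"chain": "forward", "action": "drop", "connection-state": "invalid"},
    {"chain": "forward", "action": "jump", "jump-target": "tcp", "protocol": "tcp"},
    {"chain": "tcp", "action": "drop", "protocol": "tcp", "dst-port": "25"},       # deny SMTP
    {"chain": "tcp", "action": "drop", "protocol": "tcp", "dst-port": "137-139"},  # deny NBT
    {"chain": "forward", "action": "accept", "in-interface": "Local", "src-address": "192.168.2.0/27"},
    {"chain": "forward", "action": "drop"},
]

def tcp_packet(src: str, iface: str, dport: int, state="new", flags=("syn",)) -> dict:
    return {"src": src, "in-interface": iface, "protocol": "tcp",
            "dport": dport, "connection-state": state, "flags": set(flags)}

def input_verdict(pkt: dict, **kw) -> str:
    return evaluate(input_rules(**kw), "input", pkt, {})

def forward_verdict(pkt: dict) -> str:
    return evaluate(FORWARD_RULES, "forward", pkt, {})

def scan_then_connect(src: str = "203.0.113.5") -> tuple:
    """A NULL scan lands the source on the list; its later Winbox SYN, which the
    enabled Winbox rule would accept, is dropped first by the list rule."""
    lists, rules = {}, input_rules(winbox_enabled=True)
    first = evaluate(rules, "input", tcp_packet(src, "Speedy", 80, flags=()), lists)
    second = evaluate(rules, "input", tcp_packet(src, "Speedy", 8291), lists)
    return first, second
```

input_verdict on a Winbox SYN from the Speedy side gives "drop" with the rule disabled, "accept" once enabled and placed before the final drop, and "drop" again if it is appended after "Drop everything else"; forward_verdict sends a LAN connection to port 25 into the tcp sub-chain and drops it, while a connection to port 443 falls out of the sub-chain and is accepted by the LOCAL Network rule.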

http://wiki.warneter.net/mikrotik-firewall.aspx

——————————

Another variant:

/ip firewall filter
add chain=input connection-state=invalid action=drop comment="Drop Invalid connections" disabled=no
add chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="Port scanners to list" disabled=no
add chain=input protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="NMAP FIN Stealth scan" disabled=no
add chain=input protocol=tcp tcp-flags=fin,syn action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="SYN/FIN scan" disabled=no
add chain=input protocol=tcp tcp-flags=syn,rst action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="SYN/RST scan" disabled=no
add chain=input protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="FIN/PSH/URG scan" disabled=no
add chain=input protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="ALL/ALL scan" disabled=no
add chain=input protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="NMAP NULL scan" disabled=no
add chain=input src-address-list="port scanners" action=drop comment="dropping port scanners" disabled=no
add chain=input src-address=!192.168.0.0/27 protocol=tcp src-port=1024-65535 dst-port=8080 action=drop comment="Block to Proxy" disabled=no
add chain=input protocol=udp dst-port=12667 action=drop comment="Trinoo" disabled=no
add chain=input protocol=udp dst-port=27665 action=drop comment="Trinoo" disabled=no
add chain=input protocol=udp dst-port=31335 action=drop comment="Trinoo" disabled=no
add chain=input protocol=udp dst-port=27444 action=drop comment="Trinoo" disabled=no
add chain=input protocol=udp dst-port=34555 action=drop comment="Trinoo" disabled=no
add chain=input protocol=udp dst-port=35555 action=drop comment="Trinoo" disabled=no
add chain=input protocol=tcp dst-port=27444 action=drop comment="Trinoo" disabled=no
add chain=input protocol=tcp dst-port=27665 action=drop comment="Trinoo" disabled=no
add chain=input protocol=tcp dst-port=31335 action=drop comment="Trinoo" disabled=no
add chain=input protocol=tcp dst-port=31846 action=drop comment="Trinoo" disabled=no
add chain=input protocol=tcp dst-port=34555 action=drop comment="Trinoo" disabled=no
add chain=input protocol=tcp dst-port=35555 action=drop comment="Trinoo" disabled=no
add chain=input connection-state=established action=accept comment="Allow Established connections" disabled=no
add chain=input protocol=udp action=accept comment="Allow UDP" disabled=no
add chain=input protocol=icmp action=accept comment="Allow ICMP" disabled=no
add chain=input src-address=192.168.0.0/27 action=accept comment="Allow access to router from known network" disabled=no
add chain=input action=drop comment="Drop anything else" disabled=no
add chain=forward protocol=tcp connection-state=invalid action=drop comment="drop invalid connections" disabled=no
add chain=forward connection-state=established action=accept comment="allow already established connections" disabled=no
add chain=forward connection-state=related action=accept comment="allow related connections" disabled=no
add chain=forward src-address=0.0.0.0/8 action=drop comment="" disabled=no
add chain=forward dst-address=0.0.0.0/8 action=drop comment="" disabled=no
add chain=forward src-address=127.0.0.0/8 action=drop comment="" disabled=no
add chain=forward dst-address=127.0.0.0/8 action=drop comment="" disabled=no
add chain=forward src-address=224.0.0.0/3 action=drop comment="" disabled=no
add chain=forward dst-address=224.0.0.0/3 action=drop comment="" disabled=no
add chain=forward protocol=tcp action=jump jump-target=tcp comment="" disabled=no
add chain=forward protocol=udp action=jump jump-target=udp comment="" disabled=no
add chain=forward protocol=icmp action=jump jump-target=icmp comment="" disabled=no
add chain=tcp protocol=tcp dst-port=69 action=drop comment="deny TFTP" disabled=no
add chain=tcp protocol=tcp dst-port=111 action=drop comment="deny RPC portmapper" disabled=no
add chain=tcp protocol=tcp dst-port=135 action=drop comment="deny RPC portmapper" disabled=no
add chain=tcp protocol=tcp dst-port=137-139 action=drop comment="deny NBT" disabled=no
add chain=tcp protocol=tcp dst-port=445 action=drop comment="deny cifs" disabled=no
add chain=tcp protocol=tcp dst-port=2049 action=drop comment="deny NFS" disabled=no
add chain=tcp protocol=tcp dst-port=12345-12346 action=drop comment="deny NetBus" disabled=no
add chain=tcp protocol=tcp dst-port=20034 action=drop comment="deny NetBus" disabled=no
add chain=tcp protocol=tcp dst-port=31337 action=drop comment="deny BackOrifice" disabled=no
add chain=tcp protocol=tcp dst-port=67-68 action=drop comment="deny DHCP" disabled=no
add chain=udp protocol=udp dst-port=69 action=drop comment="deny TFTP" disabled=no
add chain=udp protocol=udp dst-port=111 action=drop comment="deny RPC portmapper" disabled=no
add chain=udp protocol=udp dst-port=135 action=drop comment="deny RPC portmapper" disabled=no
add chain=udp protocol=udp dst-port=137-139 action=drop comment="deny NBT" disabled=no
add chain=udp protocol=udp dst-port=2049 action=drop comment="deny NFS" disabled=no
add chain=udp protocol=udp dst-port=31337 action=drop comment="deny BackOrifice" disabled=no
add chain=icmp protocol=icmp icmp-options=0:0 action=accept comment="allow echo reply" disabled=no
add chain=icmp protocol=icmp icmp-options=3:0 action=accept comment="allow net unreachable" disabled=no
add chain=icmp protocol=icmp icmp-options=3:1 action=accept comment="allow host unreachable" disabled=no
add chain=icmp protocol=icmp icmp-options=4:0 action=accept comment="allow source quench" disabled=no
add chain=icmp protocol=icmp icmp-options=8:0 action=accept comment="allow echo request" disabled=no
add chain=icmp protocol=icmp icmp-options=11:0 action=accept comment="allow time exceeded" disabled=no
add chain=icmp protocol=icmp icmp-options=12:0 action=accept comment="allow parameter problem" disabled=no
add chain=icmp action=drop comment="deny all other types" disabled=no
add chain=tcp protocol=tcp dst-port=25 action=reject reject-with=icmp-network-unreachable comment="SMTP" disabled=no
add chain=udp protocol=udp dst-port=25 action=reject reject-with=icmp-network-unreachable comment="SMTP" disabled=no
add chain=tcp protocol=tcp dst-port=110 action=reject reject-with=icmp-network-unreachable comment="POP3" disabled=no
add chain=udp protocol=udp dst-port=110 action=reject reject-with=icmp-network-unreachable comment="POP3" disabled=no

———————–

25 November 2010 Posted by | PC dan Warnet | 5 Comments

Various squid.conf files for Squid Proxy

Version 1:
—————————————————

# NETWORK OPTIONS
# --------------------------
http_port 8080
#http_port 3128
icp_port 3130

# CACHE SIZE OPTIONS
# --------------------------
cache_mem 128 MB
cache_swap_low 98
cache_swap_high 99
maximum_object_size 4096 KB
minimum_object_size 0 KB
maximum_object_size_in_memory 4096 KB
fqdncache_size 1024
cache_replacement_policy heap LFUDA
memory_replacement_policy heap GDSF
memory_pools off

# LOG AND CACHE DIRECTORIES
# --------------------------
cache_dir aufs /var/spool/squid 25000 16 256
access_log /var/log/squid/access.log squid
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log
logfile_rotate 8
cache_effective_user squid
cache_effective_group squid
shutdown_lifetime 10 seconds

# TUNING CACHE PROXY
# --------------------------
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
negative_ttl 1 minutes

# TIMEOUT
# --------------------------
half_closed_clients off

# ACCESS CONTROL
# --------------------------
#acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255
acl ftp proto FTP
acl zynga port 9339 843
acl webzynga dstdomain .zynga.com
http_access allow ftp
acl SSL_ports port 443 563 4000
acl Safe_ports port 80 # http
acl Safe_ports port 9339 # poker
acl Safe_ports port 843 # poker
acl Safe_ports port 22 # ssh
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl SSL_ports port 2081-2090
acl portharam port 1863
acl portharam port 4899
acl portharam port 9666
acl CONNECT method CONNECT

# -------------
# IP address list
# -------------
acl lokal src 10.102.0.0/255.255.0.0

http_access allow zynga
http_access allow webzynga
http_access allow lokal

——————————————————–
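How Squid evaluates the http_access list in a file like the one above, as an added example that is not Squid's code: the first matching line wins, all ACLs on a line must match, and when no line matches the default is the opposite of the last line's action. CONFIG is a constructed subset of the "Version 1" file (same ACL names and order); HARDENED is an assumed rewrite, not from the post, that ties every allow to the local network, references the Safe_ports/SSL_ports ACLs the original defines but never uses, and ends with an explicit deny. The client address 203.0.113.9 is constructed.

```python
"""Evaluate Squid http_access lines the way Squid does: first match wins,
terms on a line are ANDed, and with no match the default is the opposite
of the last line's action.

Added example, not Squid's code; handles the acl types this config uses
(src, port, dstdomain, method, proto). CONFIG is a constructed subset of
the "Version 1" file above; HARDENED is an assumed rewrite, not the post's.
"""
from ipaddress import ip_address, ip_network

CONFIG = """
acl localhost src 127.0.0.1/255.255.255.255
acl ftp proto FTP
acl zynga port 9339 843
acl webzynga dstdomain .zynga.com
http_access allow ftp
acl SSL_ports port 443 563 4000
acl Safe_ports port 80
acl Safe_ports port 9339 843 22 21
acl Safe_ports port 1025-65535
acl CONNECT method CONNECT
acl lokal src 10.102.0.0/255.255.0.0
http_access allow zynga
http_access allow webzynga
http_access allow lokal
"""

# Assumed hardening: allows tied to the local network, the usual Safe_ports /
# SSL_ports denies first, and an explicit deny closing the list.
HARDENED = """
acl all src 0.0.0.0/0.0.0.0
acl lokal src 10.102.0.0/255.255.0.0
acl SSL_ports port 443 563 4000
acl Safe_ports port 80 21 22 443 563 9339 843 1025-65535
acl CONNECT method CONNECT
acl zynga port 9339 843
acl webzynga dstdomain .zynga.com
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow lokal zynga
http_access allow lokal webzynga
http_access allow lokal
http_access deny all
"""

def parse(text: str):
    """Collect acl definitions (same name = union of values) and http_access lines in order."""
    acls, rules = {}, []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if not parts:
            continue
        if parts[0] == "acl":
            acls.setdefault(parts[1], (parts[2], []))[1].extend(parts[3:])
        elif parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return acls, rules

def _port_in(spec: str, port: int) -> bool:
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

def acl_matches(acls: dict, name: str, req: dict) -> bool:
    typ, values = acls[name]
    if typ == "src":
        return any(ip_address(req["src"]) in ip_network(v, strict=False) for v in values)
    if typ == "port":
        return any(_port_in(v, req["port"]) for v in values)
    if typ == "dstdomain":  # ".zynga.com" matches the domain itself and any subdomain
        host = req["host"].lower()
        return any(host == v.lstrip(".") or (v.startswith(".") and host.endswith(v)) for v in values)
    if typ == "method":
        return req["method"].upper() in {v.upper() for v in values}
    if typ == "proto":
        return req["proto"].upper() in {v.upper() for v in values}
    raise ValueError(f"acl type {typ!r} not modelled here")

def decide(acls: dict, rules: list, req: dict) -> tuple:
    """Return (verdict, reason); '!' negates a term and all terms on a line must hold."""
    for verdict, terms in rules:
        if all(acl_matches(acls, t.lstrip("!"), req) != t.startswith("!") for t in terms):
            return verdict, "http_access " + verdict + " " + " ".join(terms)
    last = rules[-1][0]
    return ("deny" if last == "allow" else "allow"), "no line matched: opposite of last line"

def unused_acls(acls: dict, rules: list) -> list:
    """ACLs that are defined but never referenced by any http_access line."""
    used = {t.lstrip("!") for _, terms in rules for t in terms}
    return sorted(set(acls) - used)
```

Against CONFIG, a request from the constructed outside client 203.0.113.9 for www.zynga.com is allowed, because "http_access allow webzynga" carries no source restriction; unused_acls lists CONNECT, SSL_ports, Safe_ports and localhost as defined but never applied. Against HARDENED the same request reaches "http_access deny all", and a CONNECT to port 22 from the local network stops at "deny CONNECT !SSL_ports".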

and my firewall uses iptables.
The iptables file looks like this:
———————————————————————-

# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth2 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state NEW -m tcp -p tcp --dport 8080 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 9339 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 843 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -p icmp -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -i eth0 -j ACCEPT
-A FORWARD -o eth2 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

————————————————–

25 November 2010 Posted by | PC dan Warnet | Leave a comment

Make Firefox faster

Here’s something for broadband people that will really speed Firefox up:

1. Type "about:config" into the address bar and hit return. Scroll down and look for the following entries:

network.http.pipelining
network.http.proxy.pipelining
network.http.pipelining.maxrequests

Normally the browser will make one request to a web page at a time. When you enable pipelining it will make several at once, which really speeds up page loading.

2. Alter the entries as follows:

Set “network.http.pipelining” to “true”

Set “network.http.proxy.pipelining” to “true”

Set “network.http.pipelining.maxrequests” to some number like 30. This means it will make 30 requests at once.

3. Lastly right-click anywhere and select New -> Integer. Name it "nglayout.initialpaint.delay" and set its value to "0". This value is the amount of time the browser waits before it acts on information it receives.

If you’re using a broadband connection you’ll load pages MUCH faster now!

24 November 2010 Posted by | PC dan Warnet | Leave a comment

Block IP Range @ Mikrotik

Assume we want to block the IPs 192.168.0.1-192.168.0.10

/ip firewall filter add chain=forward src-address=192.168.0.1-192.168.0.10 action=drop

/ip firewall filter add chain=forward dst-address=192.168.0.1-192.168.0.10 action=drop

or another way:

/ip firewall filter add chain=forward in-interface=ether2 src-address=192.168.100.100-192.168.100.200 action=drop

/ip firewall filter add chain=input in-interface=ether2 src-address=192.168.100.100-192.168.100.200 action=drop

(this means the IPs from ...100 up to ...200 are now blocked)

24 November 2010 Posted by | PC dan Warnet | Leave a comment

Alternative Rule External Transparent Proxy for Mikrotik

A technique to redirect port 80 to a specific IP.

The details are as follows:

Mikrotik : 192.168.0.1

Internet : eth1

Lan : eth2

Proxy : 192.168.0.254

port : 3128

———–

It is assumed that the transparent proxy is already running normally on the Proxy Server.

1. NAT table (IP > Firewall > NAT)

/ip firewall nat add chain=dstnat src-address=!192.168.0.254 protocol=tcp dst-port=80 in-interface=ether2 action=dst-nat to-addresses=192.168.0.254 to-ports=3128

/ip firewall nat add chain=srcnat src-address=192.168.0.0/24 protocol=tcp out-interface=ether2 action=src-nat to-addresses=192.168.0.1 to-ports=0-65535

2. Filter Rules table

/ip firewall filter add chain=forward src-address=192.168.0.0/24 dst-address=192.168.0.254 protocol=tcp dst-port=3128 in-interface=ether2 out-interface=ether1 action=accept

With this script, a transparent proxy that does not use Mikrotik's own proxy feature finally runs perfectly.

I'll continue with a write-up of my experience setting up DansGuardian as a web filter in the next post.

23 November 2010 Posted by | PC dan Warnet | 2 Comments

   
