Saturday 2 January 2010

MikroTik RouterOS firewall filter rules (/ip firewall filter) for protecting the router itself


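# FTP brute-force protection for the router's own FTP service (tcp/21).
# Sources already on ftp_blacklist are dropped before they reach the service.
/ip firewall filter add chain=input protocol=tcp dst-port=21 src-address-list=ftp_blacklist action=drop comment="drop FTP brute forcers"
# The router's own replies are inspected: a "530 Login incorrect" line is a
# failed login. src-port=21 limits the payload match to the FTP server's replies
# so an unrelated outbound TCP stream carrying the same text cannot blacklist
# its peer (adjust if /ip service ftp runs on a non-default port).
# dst-limit=1/1m,9,dst-address/1m tolerates a burst of 9 failures plus 1 per
# minute per destination address; failures beyond that fall through to the
# next rule. add-dst-to-address-list is a pass-through action, so the reply
# is still delivered after the address is recorded.
/ip firewall filter add chain=output protocol=tcp src-port=21 content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m action=accept comment="tolerate a few FTP login failures"
/ip firewall filter add chain=output protocol=tcp src-port=21 content="530 Login incorrect" action=add-dst-to-address-list address-list=ftp_blacklist address-list-timeout=3h comment="blacklist FTP brute forcers for 3h"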
# SSH brute-force staging (tcp/22). Order matters: the blacklist drop comes
# first, then the stages are listed from highest to lowest. Because
# add-src-to-address-list is a pass-through action, listing them this way means
# one new connection advances a source by exactly one stage instead of
# cascading through every stage in a single pass.
# Each stage entry lives 1 minute; a fourth new connection while the source is
# still in ssh_stage3 blacklists it for 10 days.
/ip firewall filter add action=drop chain=input dst-port=22 protocol=tcp src-address-list=ssh_blacklist comment="drop ssh brute forcers"
/ip firewall filter add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=10d chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage3
/ip firewall filter add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage2
/ip firewall filter add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage1
/ip firewall filter add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp
# Port-scan detection by connection pattern. psd=21,3s,3,1 means: weight
# threshold 21 reached within a 3s delay window, where a hit on a low port
# (<1024) weighs 3 and a hit on a high port weighs 1. Matching sources are
# recorded in the "port scanners" list for two weeks; the rule itself is
# pass-through, a separate drop rule must act on the list.
/ip firewall filter add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input protocol=tcp psd=21,3s,3,1 comment="Port scanners to list"
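# Custom "services" chain for router-local management/diagnostic services.
# NOTE(review): nothing in this listing jumps to this chain (no
# chain=input action=jump jump-target=services), so as written these rules are
# never evaluated. If the chain is wired in, restrict it with in-interface= to
# the trusted LAN: the bandwidth-test server (tcp/2000), MAC-Winbox (udp/20561)
# and MNDP (udp/5678) should not be reachable from untrusted networks.
# Fix: the original used src-address-list=127.0.0.1, which names an (empty)
# address list rather than matching the loopback address, so the rule could
# never match; src-address= is the correct matcher for a literal address.
/ip firewall filter add chain=services src-address=127.0.0.1 dst-address=127.0.0.1 action=accept comment="accept localhost"
/ip firewall filter add chain=services protocol=udp dst-port=20561 action=accept comment="allow MACwinbox"
/ip firewall filter add chain=services protocol=tcp dst-port=2000 action=accept comment="Bandwidth server"
/ip firewall filter add chain=services protocol=udp dst-port=5678 action=accept comment="MT Discovery Protocol"
# Anything not accepted above returns to the calling chain for further evaluation.
/ip firewall filter add chain=services action=return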
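# Main input chain (traffic addressed to the router itself). Filter rules are
# evaluated top to bottom and action=drop terminates, so every detection rule
# must appear above the final "Drop everything else".
# Fix: the TCP flag-anomaly scan rules and the "port scanners" drop originally
# followed the terminal drop and were therefore unreachable. They are placed
# first, ahead of any accept, so a detected scanner is cut off even on ports
# that are otherwise open.
/ip firewall filter add chain=input protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="NMAP FIN scan"
/ip firewall filter add chain=input protocol=tcp tcp-flags=fin,syn action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="SYN/FIN scan"
/ip firewall filter add chain=input protocol=tcp tcp-flags=syn,rst action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="SYN/RST scan"
/ip firewall filter add chain=input protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="FIN/PSH/URG scan"
/ip firewall filter add chain=input protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="ALL/ALL scan"
/ip firewall filter add chain=input protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="NMAP NULL scan"
/ip firewall filter add chain=input src-address-list="port scanners" action=drop comment="dropping port scanners"
# Stateful baseline. action=accept is the RouterOS default when omitted; it is
# written out here so the intent is explicit.
/ip firewall filter add chain=input connection-state=established action=accept comment="Accept established connections"
/ip firewall filter add chain=input connection-state=related action=accept comment="Accept related connections"
/ip firewall filter add chain=input connection-state=invalid action=drop comment="Drop invalid connections"
# NOTE(review): this accepts every UDP datagram to the router on every
# interface (DNS, SNMP, MNDP, MAC-Winbox, ... whatever is enabled). It is kept
# to preserve existing behaviour, but it should be narrowed to the UDP services
# actually required and to in-interface=<trusted LAN>.
/ip firewall filter add chain=input protocol=udp action=accept comment="UDP"
# ICMP: allow a limited rate (50 per 5s, burst 2), drop the excess.
/ip firewall filter add chain=input protocol=icmp limit=50/5s,2 action=accept comment="Allow limited pings"
/ip firewall filter add chain=input protocol=icmp action=drop comment="Drop excess pings"
# NOTE(review): SSH and Winbox are accepted from any source on any interface.
# Restrict with src-address=/src-address-list= or in-interface= to management
# networks; brute-force throttling is not a substitute for reachability limits.
/ip firewall filter add chain=input protocol=tcp dst-port=22 action=accept comment="SSH for secure shell"
/ip firewall filter add chain=input protocol=tcp dst-port=8291 action=accept comment="winbox"
# Catch-all: log, then drop. Nothing placed after the drop is ever evaluated.
/ip firewall filter add chain=input action=log log-prefix="DROP INPUT" comment="Log everything else"
/ip firewall filter add chain=input action=drop comment="Drop everything else"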