firewallscript

a guest
Mar 24th, 2017
  1. /ip firewall filter
  2.  
  3. add action=add-src-to-address-list address-list=Syn_Flooder address-list-timeout=30m chain=input \
  4. comment="Add Syn Flood IP to the list" connection-limit=30,32 disabled=no protocol=tcp tcp-flags=syn
  5. add action=drop chain=input comment="Drop to syn flood list" disabled=no src-address-list=Syn_Flooder
  6. add action=add-src-to-address-list address-list=Port_Scanner address-list-timeout=1w chain=input comment="Port Scanner Detect"\
  7. disabled=no protocol=tcp psd=21,3s,3,1
  8. add action=drop chain=input comment="Drop to port scan list" disabled=no src-address-list=Port_Scanner
  9. add action=jump chain=input comment="Jump for icmp input flow" disabled=no jump-target=ICMP protocol=icmp
  10. add action=drop chain=input\
  11. comment="Block all access to the winbox - except to support list # DO NOT ENABLE THIS RULE BEFORE ADD YOUR SUBNET IN THE SUPPORT ADDRESS LIST"\
  12. disabled=yes dst-port=8291 protocol=tcp src-address-list=!support
  13. add action=jump chain=forward comment="Jump for icmp forward flow" disabled=no jump-target=ICMP protocol=icmp
  14. add action=drop chain=forward comment="Drop to bogon list" disabled=no dst-address-list=bogons
  15. add action=add-src-to-address-list address-list=spammers address-list-timeout=3h chain=forward comment="Add Spammers to the list for 3 hours"\
  16. connection-limit=30,32 disabled=no dst-port=25,587 limit=30/1m,0 protocol=tcp
  17. add action=drop chain=forward comment="Avoid spammers action" disabled=no dst-port=25,587 protocol=tcp src-address-list=spammers
  18. add action=accept chain=input comment="Accept DNS - UDP" disabled=no port=53 protocol=udp
  19. add action=accept chain=input comment="Accept DNS - TCP" disabled=no port=53 protocol=tcp
  20. add action=accept chain=input comment="Accept to established connections" connection-state=established\
  21. disabled=no
  22. add action=accept chain=input comment="Accept to related connections" connection-state=related disabled=no
  23. add action=accept chain=input comment="Full access to SUPPORT address list" disabled=no src-address-list=support
  24. add action=drop chain=input comment="Drop anything else! # DO NOT ENABLE THIS RULE BEFORE YOU MAKE SURE ABOUT ALL ACCEPT RULES YOU NEED"\
  25. disabled=yes
  26. add action=accept chain=ICMP comment="Echo request - Avoiding Ping Flood" disabled=no icmp-options=8:0 limit=1,5 protocol=icmp
  27. add action=accept chain=ICMP comment="Echo reply" disabled=no icmp-options=0:0 protocol=icmp
  28. add action=accept chain=ICMP comment="Time Exceeded" disabled=no icmp-options=11:0 protocol=icmp
  29. add action=accept chain=ICMP comment="Destination unreachable" disabled=no icmp-options=3:0-1 protocol=icmp
  30. add action=accept chain=ICMP comment=PMTUD disabled=no icmp-options=3:4 protocol=icmp
  31. add action=drop chain=ICMP comment="Drop to the other ICMPs" disabled=no protocol=icmp
  32. add action=jump chain=output comment="Jump for icmp output" disabled=no jump-target=ICMP protocol=icmp