[MT]: Endpoint firewall

  1. /ip firewall filter
  2. add action=log chain=recent comment==RECENT= disabled=yes
  3. add action=add-src-to-address-list address-list=alst-BAN-MNGMT address-list-timeout=30m chain=recent comment="Stage #4 - ban action" log=yes log-prefix=banned-mngmt src-address-list=alst-RECENT-ST3
  4. add action=add-src-to-address-list address-list=alst-RECENT-ST3 address-list-timeout=1m chain=recent comment="Stage #3 - third connection match" src-address-list=alst-RECENT-ST2
  5. add action=add-src-to-address-list address-list=alst-RECENT-ST2 address-list-timeout=1m chain=recent comment="Stage #2 - second connection match" src-address-list=alst-RECENT-ST1
  6. add action=add-src-to-address-list address-list=alst-RECENT-ST1 address-list-timeout=1m20s chain=recent comment="Stage #1 - initial connection attempt"
  7. add action=accept chain=recent comment="Default rule"
  8. add action=log chain=mngmt comment==MNGMT= disabled=yes
  9. add action=accept chain=mngmt comment="Access :: Administrators" dst-limit=1/5m,9,src-address/5m src-address-list=alst-ADMIN
  10. add action=reject chain=mngmt log=yes protocol=tcp reject-with=tcp-reset src-address-list=alst-ADMIN
  11. add action=jump chain=mngmt comment="Default rule" dst-limit=1/5m,9,src-address/5m jump-target=recent protocol=tcp src-address-list=alst-LOCAL
  12. add action=drop chain=mngmt log-prefix=drop protocol=tcp
  13. add action=log chain=icmp comment==ICMP= disabled=yes
  14. add action=accept chain=icmp comment="Allow certain types of ICMP types" icmp-options=0 protocol=icmp
  15. add action=accept chain=icmp icmp-options=3:0-4 protocol=icmp
  16. add action=accept chain=icmp icmp-options=11 protocol=icmp
  17. add action=accept chain=icmp comment="Limit ICMP echo replies" dst-limit=300,50,src-address/1s icmp-options=8 protocol=icmp
  18. add action=drop chain=icmp comment="Default rule"
  19. add action=log chain=input comment==INPUT= disabled=yes
  20. add action=accept chain=input comment="Management :: Watchdog" dst-address=127.0.0.0/8 src-address-type=local
  21. add action=drop chain=input protocol=tcp src-address=127.0.0.0/8
  22. add action=jump chain=input comment="Management :: ICMP" jump-target=icmp protocol=icmp
  23. add action=jump chain=input comment="Management :: FTP,SSH,TELNET,WINBOX" connection-state=new dst-address-type=local dst-port=21,22,23,8291 jump-target=mngmt protocol=tcp
  24. add chain=input comment="Management :: SNMP,MDP,CAPSMAN" connection-state=new dst-address-type=local dst-port=161,5246,5247,5678 protocol=udp src-address-list=alst-LOCAL
  25. add action=accept chain=input comment="Established & related" connection-state=established,related
  26. add action=drop chain=input comment=Invalid connection-state=invalid
  27. add action=add-src-to-address-list address-list=alst-BAN-PSD address-list-timeout=1d chain=input comment="Other :: Portscanning detect" psd=21,5m,3,1
  28. add action=drop chain=input comment="Default rule"
  29. add action=log chain=output comment==OUTPUT= disabled=yes
  30. add action=accept chain=output comment="FTP :: Block password bruteforce" content="530 Login incorrect" dst-limit=1/1m,4,dst-address/1m protocol=tcp
  31. add action=add-dst-to-address-list address-list=alst-BAN-CLRTXT address-list-timeout=30m chain=output content="530 Login incorrect" dst-address-list=!alst-ADMIN log=yes log-prefix=banned-ftp protocol=tcp
  32. add action=accept chain=output comment="TELNET :: Block password bruteforce" content="Login failed, incorrect username or password" dst-limit=1/1m,4,dst-address/1m protocol=tcp
  33. add action=add-dst-to-address-list address-list=alst-BAN-CLRTXT address-list-timeout=30m chain=output content="Login failed, incorrect username or password" dst-address-list=!alst-ADMIN log=yes log-prefix=banned-telnet protocol=tcp
  34. add action=accept chain=output comment="Default rule" src-address-type=local
  35. add action=drop chain=output
  36. add action=log chain=forward comment==FORWARD= disabled=yes
  37. add action=drop chain=forward comment="Default rule"
  38. /ip firewall raw
  39. add action=drop chain=prerouting comment==DROP-SMB= dst-port=135,137-139,445 protocol=udp
  40. add action=drop chain=prerouting dst-port=1024-65535 protocol=udp src-port=137
  41. add action=drop chain=prerouting dst-port=135,139,445 protocol=tcp
  42. add action=drop chain=prerouting comment==DROP-BANNED-ANYWAY= src-address-list=alst-BAN-ANYWAY
  43. add action=drop chain=prerouting comment==DROP-BANNED-MNGMT= src-address-list=alst-BAN-MNGMT
  44. add action=drop chain=prerouting comment==DROP-BANNED-FTP-TELNET= dst-address-type=local dst-port=20,21,23 protocol=tcp src-address-list=alst-BAN-CLRTXT
  45. add action=drop chain=prerouting comment==DROP-BANNED-PSD= src-address-list=alst-BAN-PSD