[MT]: IP filter default settings
  1. #
  2. /ip firewall address-list add address=10.0.0.0/8 list=alst-ALLOW-TO-CONNECT
  3. /ip firewall address-list add address=192.168.0.0/16 list=alst-ALLOW-TO-CONNECT
  4. /ip firewall address-list add address=172.16.0.0/12 list=alst-ALLOW-TO-CONNECT
  5. /ip firewall address-list add address=10.2.4.0/24 list=alst-WHITE-LIST
  6. #
  7. /ip firewall connection tracking set generic-timeout=3m tcp-established-timeout=2h tcp-max-retrans-timeout=2m tcp-unacked-timeout=2m
  8. #
  9. /ip firewall filter add action=log chain=recent comment="=RECENT=" disabled=yes
  10. /ip firewall filter add action=add-src-to-address-list address-list=alst-BAN-MNGMT address-list-timeout=30m chain=recent comment="Stage #4 - ban action" log=yes log-prefix=banned-mngmt src-address-list=alst-RECENT-ST3
  11. /ip firewall filter add action=add-src-to-address-list address-list=alst-RECENT-ST3 address-list-timeout=1m chain=recent comment="Stage #3 - third connection match" src-address-list=alst-RECENT-ST2
  12. /ip firewall filter add action=add-src-to-address-list address-list=alst-RECENT-ST2 address-list-timeout=1m chain=recent comment="Stage #2 - second connection match" src-address-list=alst-RECENT-ST1
  13. /ip firewall filter add action=add-src-to-address-list address-list=alst-RECENT-ST1 address-list-timeout=1m20s chain=recent comment="Stage #1 - initial connection attempt"
  14. /ip firewall filter add action=accept chain=recent comment="Default rule"
  15. #
  16. /ip firewall filter add action=log chain=mngmt comment="=MNGMT=" disabled=yes
  17. /ip firewall filter add action=accept chain=mngmt comment="Access :: WHITE-LIST networks" dst-limit=1/5m,9,src-address/5m src-address-list=alst-WHITE-LIST
  18. /ip firewall filter add action=reject chain=mngmt log=yes protocol=tcp reject-with=tcp-reset src-address-list=alst-WHITE-LIST
  19. /ip firewall filter add action=jump chain=mngmt comment="Default rule" dst-limit=1/5m,9,src-address/5m jump-target=recent protocol=tcp src-address-list=alst-ALLOW-TO-CONNECT
  20. /ip firewall filter add action=drop chain=mngmt log-prefix=drop protocol=tcp
  21. #
  22. /ip firewall filter add action=log chain=icmp comment="=ICMP=" disabled=yes
  23. /ip firewall filter add action=accept chain=icmp comment="Allow certain types of ICMP types" icmp-options=0 protocol=icmp
  24. /ip firewall filter add action=accept chain=icmp icmp-options=3:0-4 protocol=icmp
  25. /ip firewall filter add action=accept chain=icmp icmp-options=11 protocol=icmp
  26. /ip firewall filter add action=accept chain=icmp comment="Limit ICMP echo replies" dst-limit=300,50,src-address/1s icmp-options=8 protocol=icmp
  27. #
  28. /ip firewall filter add action=drop chain=icmp comment="Default rule"
  29. /ip firewall filter add action=log chain=input comment="=INPUT=" disabled=yes
  30. /ip firewall filter add action=accept chain=input comment="Management :: Watchdog" dst-address=127.0.0.0/8 src-address-type=local
  31. /ip firewall filter add action=drop chain=input protocol=tcp src-address=127.0.0.0/8
  32. /ip firewall filter add action=jump chain=input comment="Management :: ICMP" jump-target=icmp protocol=icmp
  33. /ip firewall filter add action=jump chain=input comment="Management :: FTP,SSH,TELNET,WINBOX" connection-state=new dst-address-type=local dst-port=21,22,23,8291 jump-target=mngmt protocol=tcp
  34. /ip firewall filter add chain=input comment="Management :: SNMP,MDP,CAPSMAN" connection-state=new dst-address-type=local dst-port=161,5246,5247,5678 protocol=udp src-address-list=alst-ALLOW-TO-CONNECT
  35. /ip firewall filter add action=accept chain=input comment="Established & related" connection-state=established,related
  36. /ip firewall filter add action=drop chain=input comment=Invalid connection-state=invalid
  37. /ip firewall filter add action=add-src-to-address-list address-list=alst-BAN-PSD address-list-timeout=1d chain=input comment="Other :: Portscanning detect" psd=21,5m,3,1
  38. /ip firewall filter add action=drop chain=input comment="Default rule"
  39. #
  40. /ip firewall filter add action=log chain=output comment="=OUTPUT=" disabled=yes
  41. /ip firewall filter add action=accept chain=output comment="FTP :: Block password bruteforce" content="530 Login incorrect" dst-limit=1/1m,4,dst-address/1m protocol=tcp
  42. /ip firewall filter add action=add-dst-to-address-list address-list=alst-BAN-CLRTXT address-list-timeout=30m chain=output content="530 Login incorrect" dst-address-list=!alst-WHITE-LIST log=yes log-prefix=banned-ftp protocol=tcp
  43. /ip firewall filter add action=accept chain=output comment="TELNET :: Block password bruteforce" content="Login failed, incorrect username or password" dst-limit=1/1m,4,dst-address/1m protocol=tcp
  44. /ip firewall filter add action=add-dst-to-address-list address-list=alst-BAN-CLRTXT address-list-timeout=30m chain=output content="Login failed, incorrect username or password" dst-address-list=!alst-WHITE-LIST log=yes log-prefix=banned-telnet protocol=tcp
  45. /ip firewall filter add action=accept chain=output comment="Default rule" src-address-type=local
  46. /ip firewall filter add action=drop chain=output
  47. #
  48. /ip firewall filter add action=log chain=forward comment="=FORWARD=" disabled=yes
  49. /ip firewall filter add action=drop chain=forward comment="Default rule"
  50. #
  51. /ip firewall raw add action=drop chain=prerouting comment="=DROP-SMB=" dst-port=135,137-139,445 protocol=udp
  52. /ip firewall raw add action=drop chain=prerouting dst-port=1024-65535 protocol=udp src-port=137
  53. /ip firewall raw add action=drop chain=prerouting dst-port=135,139,445 protocol=tcp
  54. /ip firewall raw add action=drop chain=prerouting comment="=DROP-BANNED-ANYWAY=" src-address-list=alst-BAN-ANYWAY
  55. /ip firewall raw add action=drop chain=prerouting comment="=DROP-BANNED-MNGMT=" src-address-list=alst-BAN-MNGMT
  56. /ip firewall raw add action=drop chain=prerouting comment="=DROP-BANNED-FTP-TELNET=" dst-address-type=local dst-port=20,21,23 protocol=tcp src-address-list=alst-BAN-CLRTXT
  57. /ip firewall raw add action=drop chain=prerouting comment="=DROP-BANNED-PSD=" src-address-list=alst-BAN-PSD
  58.  