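# MikroTik RouterOS firewall export: management-plane hardening for a device
# that forwards nothing (the forward chain ends in an unconditional drop).
#
# Address lists used below:
#   alst-ALLOW-TO-CONNECT  sources that may reach management services (all three RFC1918 ranges)
#   alst-WHITE-LIST        trusted admin network: admitted to management without the staged
#                          detection and exempt from the cleartext-login ban
#   alst-RECENT-ST1..ST3   transient per-source counters for the staged detection in chain "recent"
#   alst-BAN-MNGMT / -PSD / -CLRTXT / -ANYWAY
#                          offenders, dropped in /ip firewall raw (prerouting) before conntrack
# alst-BAN-ANYWAY is only consumed on this page (raw rule at the end); nothing here populates it,
# so it is presumably maintained by hand or by another script - confirm.
/ip firewall address-list add address=10.0.0.0/8 list=alst-ALLOW-TO-CONNECT
/ip firewall address-list add address=192.168.0.0/16 list=alst-ALLOW-TO-CONNECT
/ip firewall address-list add address=172.16.0.0/12 list=alst-ALLOW-TO-CONNECT
/ip firewall address-list add address=10.2.4.0/24 list=alst-WHITE-LIST
#
# Shorter conntrack timeouts so idle/half-open management sessions age out quickly.
/ip firewall connection tracking set generic-timeout=3m tcp-established-timeout=2h tcp-max-retrans-timeout=2m tcp-unacked-timeout=2m
#
# Chain "recent": staged detection of repeated new connections from one source.
# add-src-to-address-list is non-terminating, so the stages are listed in REVERSE order:
# one packet can advance a source by at most one stage per pass. The 4th new connection
# inside the ~1 minute window lands the source in alst-BAN-MNGMT for 30m (logged), after
# which the raw chain drops it outright. Keep this order when editing.
# The disabled action=log rule at the head of each chain is a debugging switch; enable it
# to see which packets enter the chain.
/ip firewall filter add action=log chain=recent comment="=RECENT=" disabled=yes
/ip firewall filter add action=add-src-to-address-list address-list=alst-BAN-MNGMT address-list-timeout=30m chain=recent comment="Stage #4 - ban action" log=yes log-prefix=banned-mngmt src-address-list=alst-RECENT-ST3
/ip firewall filter add action=add-src-to-address-list address-list=alst-RECENT-ST3 address-list-timeout=1m chain=recent comment="Stage #3 - third connection match" src-address-list=alst-RECENT-ST2
/ip firewall filter add action=add-src-to-address-list address-list=alst-RECENT-ST2 address-list-timeout=1m chain=recent comment="Stage #2 - second connection match" src-address-list=alst-RECENT-ST1
/ip firewall filter add action=add-src-to-address-list address-list=alst-RECENT-ST1 address-list-timeout=1m20s chain=recent comment="Stage #1 - initial connection attempt"
/ip firewall filter add action=accept chain=recent comment="Default rule"
#
# Chain "mngmt": new TCP to FTP/SSH/TELNET/WINBOX (jumped to from input).
# dst-limit=1/5m,9,src-address/5m = 9 new connections burst, then 1 per 5 minutes, per source.
# WHITE-LIST sources past that limit get a TCP reset (logged); ALLOW-TO-CONNECT sources go
# through the staged detection above; everything else is dropped.
/ip firewall filter add action=log chain=mngmt comment="=MNGMT=" disabled=yes
/ip firewall filter add action=accept chain=mngmt comment="Access :: WHITE-LIST networks" dst-limit=1/5m,9,src-address/5m src-address-list=alst-WHITE-LIST
/ip firewall filter add action=reject chain=mngmt log=yes protocol=tcp reject-with=tcp-reset src-address-list=alst-WHITE-LIST
/ip firewall filter add action=jump chain=mngmt comment="Default rule" dst-limit=1/5m,9,src-address/5m jump-target=recent protocol=tcp src-address-list=alst-ALLOW-TO-CONNECT
# log=yes added: every other log-prefix on this page is paired with log=yes, and without it the
# "drop" prefix never reached the log, so management attempts from non-allowed sources (the only
# ones that are not banned by the staged detection) left no trace. On an Internet-facing device
# this records every dropped management SYN; add a limit= matcher or disable it if the log churns.
/ip firewall filter add action=drop chain=mngmt log=yes log-prefix=drop protocol=tcp
#
# Chain "icmp": echo reply (0), destination unreachable codes 0-4 (3:0-4, includes
# fragmentation-needed) and time exceeded (11) are accepted; echo requests (8) are
# accepted at 300/s with a burst of 50 per source, which caps the replies the router
# generates. Any other ICMP type is dropped.
/ip firewall filter add action=log chain=icmp comment="=ICMP=" disabled=yes
/ip firewall filter add action=accept chain=icmp comment="Allow certain types of ICMP types" icmp-options=0 protocol=icmp
/ip firewall filter add action=accept chain=icmp icmp-options=3:0-4 protocol=icmp
/ip firewall filter add action=accept chain=icmp icmp-options=11 protocol=icmp
/ip firewall filter add action=accept chain=icmp comment="Limit ICMP echo replies" dst-limit=300,50,src-address/1s icmp-options=8 protocol=icmp
#
/ip firewall filter add action=drop chain=icmp comment="Default rule"
# Chain "input": traffic to the router itself.
# - locally generated traffic to 127/8 (watchdog) is accepted first; TCP arriving with a
#   127/8 source from anywhere else is spoofed and dropped
# - the management jumps match connection-state=new only, so keeping "Established & related"
#   after them does not change what they see
# - psd=21,5m,3,1: weight threshold 21 within 5m, low ports weigh 3, high ports 1; a source
#   that crosses it is banned for a day via alst-BAN-PSD
/ip firewall filter add action=log chain=input comment="=INPUT=" disabled=yes
/ip firewall filter add action=accept chain=input comment="Management :: Watchdog" dst-address=127.0.0.0/8 src-address-type=local
/ip firewall filter add action=drop chain=input protocol=tcp src-address=127.0.0.0/8
/ip firewall filter add action=jump chain=input comment="Management :: ICMP" jump-target=icmp protocol=icmp
/ip firewall filter add action=jump chain=input comment="Management :: FTP,SSH,TELNET,WINBOX" connection-state=new dst-address-type=local dst-port=21,22,23,8291 jump-target=mngmt protocol=tcp
# action=accept made explicit: RouterOS treats an omitted action as accept, and every other
# rule on this page spells its action out. Note this UDP path has no rate limit or staged
# detection; it relies solely on the source being in alst-ALLOW-TO-CONNECT.
/ip firewall filter add action=accept chain=input comment="Management :: SNMP,MDP,CAPSMAN" connection-state=new dst-address-type=local dst-port=161,5246,5247,5678 protocol=udp src-address-list=alst-ALLOW-TO-CONNECT
/ip firewall filter add action=accept chain=input comment="Established & related" connection-state=established,related
/ip firewall filter add action=drop chain=input comment=Invalid connection-state=invalid
/ip firewall filter add action=add-src-to-address-list address-list=alst-BAN-PSD address-list-timeout=1d chain=input comment="Other :: Portscanning detect" psd=21,5m,3,1
/ip firewall filter add action=drop chain=input comment="Default rule"
#
# Chain "output": brute-force protection for the cleartext FTP and Telnet services, done by
# matching the router's own failure banner in outgoing packets. A client gets 4 failures
# (burst) and then 1 per minute; beyond that its address is banned for 30m in alst-BAN-CLRTXT
# unless it is in alst-WHITE-LIST. content= matching only works because these protocols are
# unencrypted; if FTP/Telnet are not needed, disabling those services removes the surface
# these rules defend.
/ip firewall filter add action=log chain=output comment="=OUTPUT=" disabled=yes
/ip firewall filter add action=accept chain=output comment="FTP :: Block password bruteforce" content="530 Login incorrect" dst-limit=1/1m,4,dst-address/1m protocol=tcp
/ip firewall filter add action=add-dst-to-address-list address-list=alst-BAN-CLRTXT address-list-timeout=30m chain=output content="530 Login incorrect" dst-address-list=!alst-WHITE-LIST log=yes log-prefix=banned-ftp protocol=tcp
/ip firewall filter add action=accept chain=output comment="TELNET :: Block password bruteforce" content="Login failed, incorrect username or password" dst-limit=1/1m,4,dst-address/1m protocol=tcp
/ip firewall filter add action=add-dst-to-address-list address-list=alst-BAN-CLRTXT address-list-timeout=30m chain=output content="Login failed, incorrect username or password" dst-address-list=!alst-WHITE-LIST log=yes log-prefix=banned-telnet protocol=tcp
/ip firewall filter add action=accept chain=output comment="Default rule" src-address-type=local
/ip firewall filter add action=drop chain=output
#
# Chain "forward": this device routes nothing.
/ip firewall filter add action=log chain=forward comment="=FORWARD=" disabled=yes
/ip firewall filter add action=drop chain=forward comment="Default rule"
#
# Raw prerouting: dropped before connection tracking, so these cost no conntrack entries.
# SMB/NetBIOS noise first (the src-port=137 rule catches NetBIOS-NS responses to ephemeral
# ports), then every ban list. alst-BAN-CLRTXT is narrower on purpose: only FTP/Telnet
# (20,21,23) to the router itself is blocked, so the banned client is not cut off entirely.
/ip firewall raw add action=drop chain=prerouting comment="=DROP-SMB=" dst-port=135,137-139,445 protocol=udp
/ip firewall raw add action=drop chain=prerouting dst-port=1024-65535 protocol=udp src-port=137
/ip firewall raw add action=drop chain=prerouting dst-port=135,139,445 protocol=tcp
/ip firewall raw add action=drop chain=prerouting comment="=DROP-BANNED-ANYWAY=" src-address-list=alst-BAN-ANYWAY
/ip firewall raw add action=drop chain=prerouting comment="=DROP-BANNED-MNGMT=" src-address-list=alst-BAN-MNGMT
/ip firewall raw add action=drop chain=prerouting comment="=DROP-BANNED-FTP-TELNET=" dst-address-type=local dst-port=20,21,23 protocol=tcp src-address-list=alst-BAN-CLRTXT
/ip firewall raw add action=drop chain=prerouting comment="=DROP-BANNED-PSD=" src-address-list=alst-BAN-PSD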