  1. /ip firewall export verbose
  2. # dec/13/2015 07:16:49 by RouterOS 6.33.3
  3. # software id = YJAX-K4H6
  4. #
  5. /ip firewall connection tracking
  6. set enabled=auto generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s tcp-close-wait-timeout=10s \
  7.     tcp-established-timeout=1d tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s tcp-max-retrans-timeout=5m \
  8.     tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-time-wait-timeout=10s tcp-unacked-timeout=5m \
  9.     udp-stream-timeout=3m udp-timeout=10s
  10. /ip firewall filter
  11. add action=accept chain=input !connection-bytes !connection-limit !connection-mark !connection-nat-state \
  12.     !connection-rate !connection-state !connection-type !content disabled=no !dscp !dst-address !dst-address-list \
  13.     !dst-address-type !dst-limit dst-port=500 !fragment !hotspot !icmp-options !in-bridge-port !in-interface \
  14.     !ingress-priority !ipsec-policy !ipv4-options !layer7-protocol !limit log=no log-prefix="" !nth !out-bridge-port \
  15.     !out-interface !p2p !packet-mark !packet-size !per-connection-classifier !port !priority protocol=udp !psd !random \
  16.     !routing-mark !routing-table src-address=HQ_IP !src-address-list !src-address-type !src-mac-address \
  17.     !src-port !tcp-flags !tcp-mss !time !ttl
  18. add action=accept chain=input !connection-bytes !connection-limit !connection-mark !connection-nat-state \
  19.     !connection-rate !connection-state !connection-type !content disabled=no !dscp !dst-address !dst-address-list \
  20.     !dst-address-type !dst-limit !dst-port !fragment !hotspot !icmp-options !in-bridge-port !in-interface \
  21.     !ingress-priority !ipsec-policy !ipv4-options !layer7-protocol !limit log=no log-prefix="" !nth !out-bridge-port \
  22.     !out-interface !p2p !packet-mark !packet-size !per-connection-classifier !port !priority protocol=ipsec-esp !psd \
  23.     !random !routing-mark !routing-table src-address=HQ_IP !src-address-list !src-address-type !src-mac-address \
  24.     !src-port !tcp-flags !tcp-mss !time !ttl
  25. add action=accept chain=input comment="default configuration" !connection-bytes !connection-limit !connection-mark \
  26.     !connection-nat-state !connection-rate !connection-state !connection-type !content disabled=no !dscp !dst-address \
  27.     !dst-address-list !dst-address-type !dst-limit !dst-port !fragment !hotspot !icmp-options !in-bridge-port \
  28.     !in-interface !ingress-priority !ipsec-policy !ipv4-options !layer7-protocol !limit log=no log-prefix="" !nth \
  29.     !out-bridge-port !out-interface !p2p !packet-mark !packet-size !per-connection-classifier !port !priority protocol=\
  30.     icmp !psd !random !routing-mark !routing-table !src-address !src-address-list !src-address-type !src-mac-address \
  31.     !src-port !tcp-flags !tcp-mss !time !ttl
  32. add action=accept chain=input comment="default configuration" !connection-bytes !connection-limit !connection-mark \
  33.     !connection-nat-state !connection-rate connection-state=established,related !connection-type !content disabled=no \
  34.     !dscp !dst-address !dst-address-list !dst-address-type !dst-limit !dst-port !fragment !hotspot !icmp-options \
  35.     !in-bridge-port !in-interface !ingress-priority !ipsec-policy !ipv4-options !layer7-protocol !limit log=no \
  36.     log-prefix="" !nth !out-bridge-port !out-interface !p2p !packet-mark !packet-size !per-connection-classifier !port \
  37.     !priority !protocol !psd !random !routing-mark !routing-table !src-address !src-address-list !src-address-type \
  38.     !src-mac-address !src-port !tcp-flags !tcp-mss !time !ttl
  39. add action=accept chain=input !connection-bytes !connection-limit !connection-mark !connection-nat-state \
  40.     !connection-rate !connection-state !connection-type !content disabled=no !dscp !dst-address !dst-address-list \
  41.     !dst-address-type !dst-limit dst-port=80,8291,22 !fragment !hotspot !icmp-options !in-bridge-port !in-interface \
  42.     !ingress-priority !ipsec-policy !ipv4-options !layer7-protocol !limit log=no log-prefix="" !nth !out-bridge-port \
  43.     !out-interface !p2p !packet-mark !packet-size !per-connection-classifier !port !priority protocol=tcp !psd !random \
  44.     !routing-mark !routing-table !src-address !src-address-list !src-address-type !src-mac-address !src-port !tcp-flags \
  45.     !tcp-mss !time !ttl
  46. add action=accept chain=input !connection-bytes !connection-limit !connection-mark !connection-nat-state \
  47.     !connection-rate !connection-state !connection-type !content disabled=no !dscp !dst-address !dst-address-list \
  48.     !dst-address-type !dst-limit !dst-port !fragment !hotspot !icmp-options !in-bridge-port !in-interface \
  49.     !ingress-priority !ipsec-policy !ipv4-options !layer7-protocol !limit log=no log-prefix="" !nth !out-bridge-port \
  50.     !out-interface !p2p !packet-mark !packet-size !per-connection-classifier !port !priority protocol=icmp !psd !random \
  51.     !routing-mark !routing-table !src-address !src-address-list !src-address-type !src-mac-address !src-port !tcp-flags \
  52.     !tcp-mss !time !ttl
  53. add action=drop chain=input comment="default configuration" !connection-bytes !connection-limit !connection-mark \
  54.     !connection-nat-state !connection-rate !connection-state !connection-type !content disabled=no !dscp !dst-address \
  55.     !dst-address-list !dst-address-type !dst-limit !dst-port !fragment !hotspot !icmp-options !in-bridge-port \
  56.     in-interface=ether1-gateway !ingress-priority !ipsec-policy !ipv4-options !layer7-protocol !limit log=no log-prefix=\
  57.     "" !nth !out-bridge-port !out-interface !p2p !packet-mark !packet-size !per-connection-classifier !port !priority \
  58.     !protocol !psd !random !routing-mark !routing-table !src-address !src-address-list !src-address-type \
  59.     !src-mac-address !src-port !tcp-flags !tcp-mss !time !ttl
  60. add action=fasttrack-connection chain=forward comment="default configuration" !connection-bytes !connection-limit \
  61.     !connection-mark !connection-nat-state !connection-rate connection-state=established,related !connection-type \
  62.     !content disabled=no !dscp !dst-address !dst-address-list !dst-address-type !dst-limit !dst-port !fragment !hotspot \
  63.     !icmp-options !in-bridge-port !in-interface !ingress-priority !ipsec-policy !ipv4-options !layer7-protocol !limit \
  64.     log=no log-prefix="" !nth !out-bridge-port !out-interface !p2p !packet-mark !packet-size !per-connection-classifier \
  65.     !port !priority !protocol !psd !random !routing-mark !routing-table !src-address !src-address-list !src-address-type \
  66.     !src-mac-address !src-port !tcp-flags !tcp-mss !time !ttl
  67. add action=accept chain=forward comment="default configuration" !connection-bytes !connection-limit !connection-mark \
  68.     !connection-nat-state !connection-rate connection-state=established,related !connection-type !content disabled=no \
  69.     !dscp !dst-address !dst-address-list !dst-address-type !dst-limit !dst-port !fragment !hotspot !icmp-options \
  70.     !in-bridge-port !in-interface !ingress-priority !ipsec-policy !ipv4-options !layer7-protocol !limit log=no \
  71.     log-prefix="" !nth !out-bridge-port !out-interface !p2p !packet-mark !packet-size !per-connection-classifier !port \
  72.     !priority !protocol !psd !random !routing-mark !routing-table !src-address !src-address-list !src-address-type \
  73.     !src-mac-address !src-port !tcp-flags !tcp-mss !time !ttl
  74. add action=drop chain=forward comment="default configuration" !connection-bytes !connection-limit !connection-mark \
  75.     !connection-nat-state !connection-rate connection-state=invalid !connection-type !content disabled=no !dscp \
  76.     !dst-address !dst-address-list !dst-address-type !dst-limit !dst-port !fragment !hotspot !icmp-options \
  77.     !in-bridge-port !in-interface !ingress-priority !ipsec-policy !ipv4-options !layer7-protocol !limit log=no \
  78.     log-prefix="" !nth !out-bridge-port !out-interface !p2p !packet-mark !packet-size !per-connection-classifier !port \
  79.     !priority !protocol !psd !random !routing-mark !routing-table !src-address !src-address-list !src-address-type \
  80.     !src-mac-address !src-port !tcp-flags !tcp-mss !time !ttl
  81. add action=drop chain=forward comment="default configuration" !connection-bytes !connection-limit !connection-mark \
  82.     connection-nat-state=!dstnat !connection-rate connection-state=new !connection-type !content disabled=no !dscp \
  83.     !dst-address !dst-address-list !dst-address-type !dst-limit !dst-port !fragment !hotspot !icmp-options \
  84.     !in-bridge-port in-interface=ether1-gateway !ingress-priority !ipsec-policy !ipv4-options !layer7-protocol !limit \
  85.     log=no log-prefix="" !nth !out-bridge-port !out-interface !p2p !packet-mark !packet-size !per-connection-classifier \
  86.     !port !priority !protocol !psd !random !routing-mark !routing-table !src-address !src-address-list !src-address-type \
  87.     !src-mac-address !src-port !tcp-flags !tcp-mss !time !ttl
  88. /ip firewall nat
  89. add action=accept chain=srcnat !connection-bytes !connection-limit !connection-mark !connection-rate !connection-type \
  90.     !content disabled=no !dscp dst-address= !dst-address-list !dst-address-type !dst-limit !dst-port \
  91.     !fragment !hotspot !icmp-options !in-bridge-port !in-interface !ingress-priority !ipsec-policy !ipv4-options \
  92.     !layer7-protocol !limit log=no log-prefix="" !nth !out-bridge-port !out-interface !packet-mark !packet-size \
  93.     !per-connection-classifier !port !priority !protocol !psd !random !routing-mark !routing-table src-address=\
  94. !src-address-list !src-address-type !src-mac-address !src-port !tcp-mss !time !to-addresses !to-ports \
  95.     !ttl
  96. add action=accept chain=dstnat !connection-bytes !connection-limit !connection-mark !connection-rate !connection-type \
  97.     !content disabled=no !dscp dst-address= !dst-address-list !dst-address-type !dst-limit !dst-port \
  98.     !fragment !hotspot !icmp-options !in-bridge-port !in-interface !ingress-priority !ipsec-policy !ipv4-options \
  99.     !layer7-protocol !limit log=no log-prefix="" !nth !out-bridge-port !out-interface !packet-mark !packet-size \
  100.     !per-connection-classifier !port !priority !protocol !psd !random !routing-mark !routing-table src-address=\
  101. !src-address-list !src-address-type !src-mac-address !src-port !tcp-mss !time !to-addresses !to-ports \
  102.     !ttl
  103. add action=masquerade chain=srcnat comment="default configuration" !connection-bytes !connection-limit !connection-mark \
  104.     !connection-rate !connection-type !content disabled=no !dscp !dst-address !dst-address-list !dst-address-type \
  105.     !dst-limit !dst-port !fragment !hotspot !icmp-options !in-bridge-port !in-interface !ingress-priority !ipsec-policy \
  106.     !ipv4-options !layer7-protocol !limit log=no log-prefix="" !nth !out-bridge-port out-interface=ether1-gateway \
  107.     !packet-mark !packet-size !per-connection-classifier !port !priority !protocol !psd !random !routing-mark \
  108.     !routing-table !src-address !src-address-list !src-address-type !src-mac-address !src-port !tcp-mss !time \
  109.     !to-addresses !to-ports !ttl
  110. /ip firewall service-port
  111. set ftp disabled=no ports=21
  112. set tftp disabled=no ports=69
  113. set irc disabled=no ports=6667
  114. set h323 disabled=no
  115. set sip disabled=no ports=5060,5061 sip-direct-media=yes sip-timeout=1h
  116. set pptp disabled=no
