budiana

FW

Jan 2nd, 2018
  1. Simple and Powerfull Firewall Filter Mikrotik
  2.  
  3. ether1=ip public/internet
  4. ether2=ip local/network /lan
  5.  
  6. ===========================================================
  7.  
  8. /ip firewall filter
  9. add action=drop chain=input comment=”Drop Invalid connections” connection-state=invalid disabled=no
  10. add action=accept chain=input comment=”Allow UDP” disabled=no protocol=udp
  11. add action=accept chain=input comment=”Allow Established connections” connection-state=established disabled=no
  12. add action=drop chain=forward connection-state=invalid disabled=no protocol=tcp
  13. add action=accept chain=input comment=”Allow ICMP” disabled=no protocol=icmp
  14. add action=accept chain=forward connection-state=established disabled=no
  15. add action=accept chain=input disabled=no in-interface=ether2 src-address=192.168.1.0/24
  16. add action=accept chain=forward comment=”allow related connections” connection-state=related disabled=no
  17. add action=drop chain=forward disabled=no src-address=0.0.0.0/8
  18. add action=drop chain=forward disabled=no dst-address=0.0.0.0/8
  19. add action=drop chain=forward disabled=no src-address=127.0.0.0/8
  20. add action=drop chain=forward disabled=no dst-address=127.0.0.0/8
  21. add action=drop chain=forward disabled=no src-address=224.0.0.0/3
  22. add action=drop chain=forward disabled=no dst-address=224.0.0.0/3
  23. add action=jump chain=forward disabled=no jump-target=tcp protocol=tcp
  24. add action=jump chain=forward disabled=no jump-target=udp protocol=udp
  25. add action=jump chain=forward disabled=no jump-target=icmp protocol=icmp
  26. add action=drop chain=tcp comment=”deny TFTP” disabled=no dst-port=69 protocol=tcp
  27. add action=drop chain=tcp comment=”deny RPC portmapper” disabled=no dst-port=111 protocol=tcp
  28. add action=drop chain=tcp comment=”deny RPC portmapper” disabled=no dst-port=135 protocol=tcp
  29. add action=reject chain=tcp comment=”deny NBT” disabled=no dst-port=137-139 protocol=tcp reject-with=icmp-network-unreachable
  30. add action=reject chain=tcp comment=”deny cifs” disabled=no dst-port=445 protocol=tcp reject-with=icmp-network-unreachable
  31. add action=drop chain=tcp comment=”deny NFS” disabled=no dst-port=2049 protocol=tcp
  32. add action=drop chain=tcp comment=”deny NetBus” disabled=no dst-port=12345-12346 protocol=tcp
  33. add action=drop chain=tcp comment=”deny NetBus” disabled=no dst-port=20034 protocol=tcp
  34. add action=drop chain=tcp comment=”deny BackOriffice” disabled=no dst-port=3133 protocol=tcp
  35. add action=drop chain=tcp comment=”deny DHCP” disabled=no dst-port=67-68 protocol=tcp
  36. add action=drop chain=udp comment=”deny TFTP” disabled=no dst-port=69 protocol=udp
  37. add action=drop chain=udp comment=”deny PRC portmapper” disabled=no dst-port=111 protocol=udp
  38. add action=drop chain=udp comment=”deny PRC portmapper” disabled=no dst-port=135 protocol=udp
  39. add action=drop chain=udp comment=”deny NBT” disabled=no dst-port=137-139 protocol=udp
  40. add action=drop chain=udp comment=”deny NFS” disabled=no dst-port=2049 protocol=udp
  41. add action=reject chain=forward content=whatsmyipaddress.org disabled=no reject-with=icmp-network-unreachable
  42. add action=drop chain=udp comment=”deny BackOriffice” disabled=no dst-port=3133 protocol=udp
  43. add action=accept chain=icmp comment=”drop invalid connections” disabled=no icmp-options=0:0 protocol=icmp
  44. add action=accept chain=icmp comment=”allow established connections” disabled=no icmp-options=3:0 protocol=icmp
  45. add action=accept chain=icmp comment=”allow already established connections” disabled=no icmp-options=3:1 protocol=icmp
  46. add action=accept chain=icmp comment=”allow source quench” disabled=no icmp-options=4:0 protocol=icmp
  47. add action=accept chain=icmp comment=”allow echo request” disabled=no icmp-options=8:0 protocol=icmp
  48. add action=accept chain=icmp comment=”allow time exceed” disabled=no icmp-options=11:0 protocol=icmp
  49. add action=accept chain=icmp disabled=no icmp-options=12:0 protocol=icmp
  50. add action=drop chain=icmp comment=”deny all other types” disabled=no
  51. add action=drop chain=input comment=”;;;INPUT SELAIN IP NETWORK LAN, DROP” disabled=no in-interface=ether2 src-address=!192.168.1.0/24
  52. add action=drop chain=forward disabled=no in-interface=ether2 src-address=!192.168.1.0/24
  53. add action=drop chain=forward comment=”;;;CONTOH DROP AKSES FB PER IP KLIEN” content=youtube.com disabled=no src-address=192.168.1.12
  54. add action=reject chain=forward comment=”CONTOH DROP VIRUS DAN AKSES  ” content=.internetdownloadmanager.com disabled=no reject-with=icmp-network-unreachable
  55. add action=reject chain=forward disabled=no p2p=all-p2p reject-with=icmp-network-unreachable
  56. add action=reject chain=input disabled=no p2p=all-p2p reject-with=icmp-network-unreachable
  57. add action=reject chain=input content=loader.exe disabled=no reject-with=icmp-network-unreachable
  58. add action=reject chain=forward content=loader.exe disabled=no reject-with=icmp-network-unreachable
  59. add action=reject chain=input content=svchost.exe disabled=no reject-with=icmp-network-unreachable
  60. add action=reject chain=forward content=www.wieistmeineip.de disabled=no reject-with=icmp-network-unreachable
  61. add action=reject chain=forward content=dialer.exe disabled=no reject-with=icmp-network-unreachable
  62. add action=reject chain=forward disabled=no p2p=all-p2p reject-with=icmp-network-unreachable
  63. add action=reject chain=forward content=svchost.exe disabled=no reject-with=icmp-network-unreachable
  64. add action=reject chain=input content=dialer.exe disabled=no reject-with=icmp-network-unreachable
  65. add action=reject chain=forward content=downloader.exe disabled=no reject-with=icmp-network-unreachable
  66. add action=reject chain=forward content=.downloader disabled=no reject-with=icmp-network-unreachable
  67. add action=reject chain=input content=whatsmyipaddress.org disabled=no reject-with=icmp-network-unreachable
  68. add action=drop chain=forward content=getmyip.org disabled=no
  69. add action=drop chain=input comment=”::::::::DROP PING ON PUBLIC :::::;” disabled=no in-interface=ether1 protocol=icmp
  70. add action=drop chain=forward disabled=no in-interface=ether1 protocol=icmp
  71. add action=drop chain=forward comment=”::::::::LIMIT PORT OUT IN ON PUBLIC INTERFACE:::::;” disabled=no dst-address=0.0.0.0/0 dst-port=!53,843,9339,5000-15000,2778,6005,2112,600-6005 out-interface=ether1 protocol=udp src-address=0.0.0.0/0
  72. add action=drop chain=input comment=”::::::::INPUT SELAIN PORT REMOTE IP PUBLIC, DROP:::::;” disabled=no dst-address=0.0.0.0/0 dst-port=!8291,22,10000 in-interface=ether1 protocol=tcp src-address=0.0.0.0/0
  73. add action=jump chain=forward comment=”Flood protect” connection-state=new disabled=no jump-target=SYN-Protect protocol=tcp tcp-flags=syn
  74. add action=jump chain=forward comment=”Flood protect” connection-state=new disabled=no jump-target=SYN-Protect protocol=tcp tcp-flags=syn
  75. add action=accept chain=SYN-Protect disabled=no protocol=tcp
  76. add action=jump chain=input disabled=no jump-target=icmp protocol=icmp
  77. add action=accept chain=icmp comment=”Limited Ping Flood” disabled=no icmp-options=0:0-255 limit=5,5 protocol=icmp
  78. add action=accept chain=icmp disabled=no icmp-options=3:3 limit=5,5 protocol=icmp
  79. add action=accept chain=icmp disabled=no icmp-options=3:4 limit=5,5 protocol=icmp
  80. add action=accept chain=icmp disabled=no icmp-options=8:0-255 limit=5,5 protocol=icmp
  81. add action=accept chain=icmp disabled=no icmp-options=11:0-255 limit=5,5 protocol=icmp
  82. add action=drop chain=icmp disabled=no protocol=icmp