FW

budiana Jan 2nd, 2018
Simple and Powerful Firewall Filter for MikroTik

ether1 = public IP / internet
ether2 = local IP / network / LAN

===========================================================

# RouterOS walks each chain top to bottom and stops at the first matching
# accept, drop or reject, so the position of a rule decides what it does.
# Lines beginning with "#" below are notes on how the rules behave as ordered.

/ip firewall filter
add action=drop chain=input comment="Drop invalid connections" connection-state=invalid disabled=no
# Accepts UDP to the router itself from every interface, ether1 included. The
# TCP-only management restriction near the end of the input chain never sees UDP.
add action=accept chain=input comment="Allow UDP" disabled=no protocol=udp
add action=accept chain=input comment="Allow established connections" connection-state=established disabled=no
add action=drop chain=forward connection-state=invalid disabled=no protocol=tcp
# Accepts all ICMP to the router from every interface, so the later
# "DROP PING ON PUBLIC" rule and the input jump to chain=icmp never match.
add action=accept chain=input comment="Allow ICMP" disabled=no protocol=icmp
add action=accept chain=forward connection-state=established disabled=no
add action=accept chain=input disabled=no in-interface=ether2 src-address=192.168.1.0/24
add action=accept chain=forward comment="Allow related connections" connection-state=related disabled=no
# Bogon filtering: "this network", loopback, multicast and reserved space
add action=drop chain=forward disabled=no src-address=0.0.0.0/8
add action=drop chain=forward disabled=no dst-address=0.0.0.0/8
add action=drop chain=forward disabled=no src-address=127.0.0.0/8
add action=drop chain=forward disabled=no dst-address=127.0.0.0/8
add action=drop chain=forward disabled=no src-address=224.0.0.0/3
add action=drop chain=forward disabled=no dst-address=224.0.0.0/3
add action=jump chain=forward disabled=no jump-target=tcp protocol=tcp
add action=jump chain=forward disabled=no jump-target=udp protocol=udp
add action=jump chain=forward disabled=no jump-target=icmp protocol=icmp
add action=drop chain=tcp comment="Deny TFTP" disabled=no dst-port=69 protocol=tcp
add action=drop chain=tcp comment="Deny RPC portmapper" disabled=no dst-port=111 protocol=tcp
add action=drop chain=tcp comment="Deny MS-RPC endpoint mapper" disabled=no dst-port=135 protocol=tcp
add action=reject chain=tcp comment="Deny NBT" disabled=no dst-port=137-139 protocol=tcp reject-with=icmp-network-unreachable
add action=reject chain=tcp comment="Deny CIFS" disabled=no dst-port=445 protocol=tcp reject-with=icmp-network-unreachable
add action=drop chain=tcp comment="Deny NFS" disabled=no dst-port=2049 protocol=tcp
add action=drop chain=tcp comment="Deny NetBus" disabled=no dst-port=12345-12346 protocol=tcp
add action=drop chain=tcp comment="Deny NetBus Pro" disabled=no dst-port=20034 protocol=tcp
# Back Orifice listens on 31337/udp by default, not on 3133.
add action=drop chain=tcp comment="Deny Back Orifice" disabled=no dst-port=3133 protocol=tcp
# DHCP runs over UDP 67-68; a TCP rule on these ports does not affect it.
add action=drop chain=tcp comment="Deny DHCP" disabled=no dst-port=67-68 protocol=tcp
add action=drop chain=udp comment="Deny TFTP" disabled=no dst-port=69 protocol=udp
add action=drop chain=udp comment="Deny RPC portmapper" disabled=no dst-port=111 protocol=udp
add action=drop chain=udp comment="Deny MS-RPC endpoint mapper" disabled=no dst-port=135 protocol=udp
add action=drop chain=udp comment="Deny NBT" disabled=no dst-port=137-139 protocol=udp
add action=drop chain=udp comment="Deny NFS" disabled=no dst-port=2049 protocol=udp
# content= is a byte-string match on the packet payload. It only sees
# unencrypted traffic and is bypassed by HTTPS or a different host name.
add action=reject chain=forward content=whatsmyipaddress.org disabled=no reject-with=icmp-network-unreachable
add action=drop chain=udp comment="Deny Back Orifice" disabled=no dst-port=3133 protocol=udp
add action=accept chain=icmp comment="Allow echo reply" disabled=no icmp-options=0:0 protocol=icmp
add action=accept chain=icmp comment="Allow net unreachable" disabled=no icmp-options=3:0 protocol=icmp
add action=accept chain=icmp comment="Allow host unreachable" disabled=no icmp-options=3:1 protocol=icmp
add action=accept chain=icmp comment="Allow source quench" disabled=no icmp-options=4:0 protocol=icmp
add action=accept chain=icmp comment="Allow echo request" disabled=no icmp-options=8:0 protocol=icmp
add action=accept chain=icmp comment="Allow time exceeded" disabled=no icmp-options=11:0 protocol=icmp
add action=accept chain=icmp comment="Allow parameter problem" disabled=no icmp-options=12:0 protocol=icmp
# Catch-all for chain=icmp: every later rule in this chain is unreachable. It also
# drops 3:4 (fragmentation needed), which breaks path MTU discovery for forwarded
# traffic; the 3:4 accept near the end never fires.
add action=drop chain=icmp comment="Deny all other types" disabled=no
add action=drop chain=input comment="INPUT FROM ANYTHING OTHER THAN THE LAN NETWORK IP, DROP" disabled=no in-interface=ether2 src-address=!192.168.1.0/24
add action=drop chain=forward disabled=no in-interface=ether2 src-address=!192.168.1.0/24
add action=drop chain=forward comment="EXAMPLE: DROP FB ACCESS PER CLIENT IP" content=youtube.com disabled=no src-address=192.168.1.12
add action=reject chain=forward comment="EXAMPLE: DROP VIRUS AND ACCESS" content=.internetdownloadmanager.com disabled=no reject-with=icmp-network-unreachable
# p2p= matching relies on the RouterOS P2P signature matcher; it is heuristic.
add action=reject chain=forward disabled=no p2p=all-p2p reject-with=icmp-network-unreachable
add action=reject chain=input disabled=no p2p=all-p2p reject-with=icmp-network-unreachable
add action=reject chain=input content=loader.exe disabled=no reject-with=icmp-network-unreachable
add action=reject chain=forward content=loader.exe disabled=no reject-with=icmp-network-unreachable
add action=reject chain=input content=svchost.exe disabled=no reject-with=icmp-network-unreachable
add action=reject chain=forward content=www.wieistmeineip.de disabled=no reject-with=icmp-network-unreachable
add action=reject chain=forward content=dialer.exe disabled=no reject-with=icmp-network-unreachable
add action=reject chain=forward content=svchost.exe disabled=no reject-with=icmp-network-unreachable
add action=reject chain=input content=dialer.exe disabled=no reject-with=icmp-network-unreachable
add action=reject chain=forward content=downloader.exe disabled=no reject-with=icmp-network-unreachable
add action=reject chain=forward content=.downloader disabled=no reject-with=icmp-network-unreachable
add action=reject chain=input content=whatsmyipaddress.org disabled=no reject-with=icmp-network-unreachable
add action=drop chain=forward content=getmyip.org disabled=no
# Never matches: "Allow ICMP" at the top of chain=input has already accepted it.
add action=drop chain=input comment="DROP PING ON PUBLIC" disabled=no in-interface=ether1 protocol=icmp
add action=drop chain=forward disabled=no in-interface=ether1 protocol=icmp
add action=drop chain=forward comment="LIMIT OUTBOUND UDP PORTS ON PUBLIC INTERFACE" disabled=no dst-address=0.0.0.0/0 dst-port=!53,843,9339,5000-15000,2778,6005,2112,600-6005 out-interface=ether1 protocol=udp src-address=0.0.0.0/0
# TCP only: UDP to the router on ether1 was already accepted by "Allow UDP".
add action=drop chain=input comment="INPUT ON PUBLIC IP OTHER THAN REMOTE-MANAGEMENT PORTS, DROP" disabled=no dst-address=0.0.0.0/0 dst-port=!8291,22,10000 in-interface=ether1 protocol=tcp src-address=0.0.0.0/0
# Flood protect: new SYNs within the rate limit are accepted, the excess is
# dropped. A SYN-Protect chain containing only an accept protects nothing. The
# 400 packets/s threshold is an assumed value; tune it for the link.
add action=jump chain=forward comment="Flood protect" connection-state=new disabled=no jump-target=SYN-Protect protocol=tcp tcp-flags=syn
add action=accept chain=SYN-Protect connection-state=new disabled=no limit=400,5 protocol=tcp tcp-flags=syn
add action=drop chain=SYN-Protect connection-state=new disabled=no protocol=tcp tcp-flags=syn
# Never reached: "Allow ICMP" at the top of chain=input accepts all ICMP first.
add action=jump chain=input disabled=no jump-target=icmp protocol=icmp
# Never reached: "Deny all other types" above is a catch-all for chain=icmp.
add action=accept chain=icmp comment="Limited ping flood" disabled=no icmp-options=0:0-255 limit=5,5 protocol=icmp
# 3:3 port unreachable, 3:4 fragmentation needed
add action=accept chain=icmp disabled=no icmp-options=3:3 limit=5,5 protocol=icmp
add action=accept chain=icmp disabled=no icmp-options=3:4 limit=5,5 protocol=icmp
add action=accept chain=icmp disabled=no icmp-options=8:0-255 limit=5,5 protocol=icmp
add action=accept chain=icmp disabled=no icmp-options=11:0-255 limit=5,5 protocol=icmp
add action=drop chain=icmp disabled=no protocol=icmp
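The rule-ordering problems in a filter like this one can be found mechanically instead of by eye. The Python script below is an added example and not part of the original paste: it parses `add key=value ...` lines from a `/ip firewall filter` export, reports every rule whose matchers are a superset of an earlier accept/drop/reject in the same chain (that rule can never fire), and lists input-chain accepts that no in-interface, src-address or connection-state matcher restricts (they are reachable from the public interface). The embedded sample is a constructed subset of the rules above, with straight quotes. The superset test compares matcher values literally, so it does not reason about CIDR containment or port ranges; it under-reports rather than over-reports.

```python
"""Audit rule ordering in a MikroTik /ip firewall filter export.

Added example for this page, not the paste's own code. Two checks:
  1. a rule whose matchers are a superset of an earlier terminating rule
     in the same chain can never match (it is "shadowed");
  2. an input-chain accept with no interface/source/state restriction is
     reachable from every interface, the public one included.
"""
import shlex

TERMINAL = {"accept", "drop", "reject"}

# Keys that do not narrow which packets a rule sees. `limit` is deliberately
# kept as a matcher: a rate-limited rule does not see every packet.
NON_MATCHERS = {"action", "chain", "comment", "disabled", "jump-target", "reject-with"}

# Matchers that confine an input accept to a known interface, source or state.
RESTRICTING = {"in-interface", "in-interface-list", "src-address",
               "src-address-list", "connection-state"}

# Constructed sample: a subset of the paste's rules, in the paste's order.
SAMPLE = """\
/ip firewall filter
add action=drop chain=input comment="Drop invalid connections" connection-state=invalid disabled=no
add action=accept chain=input comment="Allow UDP" disabled=no protocol=udp
add action=accept chain=input comment="Allow established connections" connection-state=established disabled=no
add action=accept chain=input comment="Allow ICMP" disabled=no protocol=icmp
add action=accept chain=input disabled=no in-interface=ether2 src-address=192.168.1.0/24
add action=jump chain=forward disabled=no jump-target=icmp protocol=icmp
add action=accept chain=icmp comment="Allow echo request" disabled=no icmp-options=8:0 protocol=icmp
add action=drop chain=icmp comment="Deny all other types" disabled=no
add action=drop chain=input comment="DROP PING ON PUBLIC" disabled=no in-interface=ether1 protocol=icmp
add action=jump chain=input disabled=no jump-target=icmp protocol=icmp
add action=accept chain=icmp comment="Limited ping flood" disabled=no icmp-options=0:0-255 limit=5,5 protocol=icmp
add action=drop chain=icmp disabled=no protocol=icmp
"""


def parse_rules(text):
    """Turn each `add k=v k=v ...` line into a dict; other lines are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("add "):
            continue
        rule = {}
        for token in shlex.split(line[4:]):   # shlex handles comment="a b c"
            key, _, value = token.partition("=")
            rule[key] = value
        rules.append(rule)
    return rules


def matchers(rule):
    return {k: v for k, v in rule.items() if k not in NON_MATCHERS}


def shadowed_rules(rules):
    """Return (dead_rule_index, shadowing_rule_index) pairs.

    Rule j is dead if some earlier active terminating rule i in the same
    chain has matchers that j also has, with identical values: every packet
    j could match was already consumed by i.
    """
    found = []
    for j, later in enumerate(rules):
        for i in range(j):
            earlier = rules[i]
            if earlier.get("chain") != later.get("chain"):
                continue
            if earlier.get("action") not in TERMINAL or earlier.get("disabled") == "yes":
                continue
            a, b = matchers(earlier), matchers(later)
            if all(b.get(k) == v for k, v in a.items()):
                found.append((j, i))
                break
    return found


def unrestricted_input_accepts(rules):
    """Indices of input-chain accepts that any interface or source can reach."""
    return [i for i, r in enumerate(rules)
            if r.get("chain") == "input" and r.get("action") == "accept"
            and r.get("disabled") != "yes" and not (RESTRICTING & r.keys())]


def describe(rule):
    if rule.get("comment"):
        return rule["comment"]
    return " ".join(f"{k}={v}" for k, v in rule.items() if k != "disabled")


def report(text):
    """Human-readable findings for one export; indices are 0-based add-lines."""
    rules = parse_rules(text)
    lines = []
    for dead, by in shadowed_rules(rules):
        lines.append(f"rule {dead} ({describe(rules[dead])}) never matches: "
                     f"shadowed by rule {by} ({describe(rules[by])})")
    for i in unrestricted_input_accepts(rules):
        lines.append(f"rule {i} ({describe(rules[i])}) accepts traffic to the "
                     f"router from any interface")
    return lines


if __name__ == "__main__":
    for finding in report(SAMPLE):
        print(finding)
```

Run it directly to see the findings for the embedded sample, or pass the text of a real `/ip firewall filter export` to `report()`. Because the check is purely on literal matcher equality, a broader earlier rule written with a different value (a /16 covering a later /24, or a port range covering a single port) is not reported; treat a clean run as "no obvious shadowing", not as proof of a correct policy.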