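# MikroTik RouterOS "/ip firewall filter" export, reviewed.
# The paste rendered every line with a leading "- " bullet; that is not RouterOS syntax and is stripped here so the
# block can be imported as-is.
#
# Review changes (behaviour-affecting):
#  - "allow SNMP" matched protocol=tcp. RouterOS serves SNMP on UDP/161 only, so the rule never matched and LAN SNMP
#    polls fell through to the final input drop. Changed to protocol=udp.
#  - The final rule's comment string was missing its closing quote ("END BAN LIST), which breaks the import. Closed.
#  - The two established/related accepts are merged into one rule (same match set, one rule fewer to traverse).
# Review notes (no behaviour change):
#  - The forward chain held only the jump to internet_ban and no default policy. RouterOS accepts what no rule drops,
#    so any WAN->LAN traffic that NAT does not hide is forwarded. Standard hardening rules are appended DISABLED at the
#    end of the forward section; enable them only after confirming nothing public is routed behind this router.
#  - The input-chain 18654 "RDP" rules only match traffic addressed to the router itself. A dst-nat port-forward
#    traverses the forward chain, not input, so if 18654 is a port-forward these rules never match it - verify intent.
#  - The MAC-based ban in internet_ban is bypassed by changing the client MAC; pair it with an IP/lease binding if the
#    ban must hold against an uncooperative user.
/ip firewall filter
# --- optional per-WAN traffic logging (kept disabled; enabling logs every packet) ---
add action=log chain=input disabled=yes in-interface=WAN1-SFP log-prefix=in_wan1_
add action=log chain=input disabled=yes in-interface=sfpplus log-prefix=in_wan2_
add action=log chain=output disabled=yes log-prefix=out_wan1_ out-interface=WAN1-SFP
add action=log chain=output disabled=yes log-prefix=out_wan2_ out-interface=sfpplus
add action=log chain=input comment="LOG NTP Request" dst-address=192.168.1.1 dst-port=123 in-interface=LAN log=yes log-prefix=NTP protocol=udp
# --- input chain: stateful baseline ---
add action=accept chain=input comment="accept established/related connection packets" connection-state=established,related
add action=drop chain=input comment="drop invalid packets" connection-state=invalid
# Hosts on the "safe" list bypass everything below, including port-scan and DoS detection - keep that list tight.
add action=accept chain=input comment="Allow access to router from known network (addresses): safe" src-address-list=safe
add action=drop chain=input comment="detect and drop port scan connections" log=yes log-prefix=port-scan-detected protocol=tcp psd=21,3s,3,1
# Tarpit must precede the list-add rule so already-listed sources are throttled before being re-evaluated.
add action=tarpit chain=input comment="suppress DoS attack" connection-limit=3,32 log=yes log-prefix=DoS-TARPIT protocol=tcp src-address-list=black_list
add action=add-src-to-address-list address-list=black_list address-list-timeout=1d chain=input comment="detect DoS attack" connection-limit=10,32 protocol=tcp
add action=jump chain=input comment="jump: services" jump-target=services
add action=jump chain=input comment="jump: ICMP" jump-target=ICMP protocol=icmp
# NOTE(review): this accepts broadcast on every interface, WAN included. Restrict with in-interface=LAN unless a WAN
# service (e.g. DHCP from the upstream) actually needs it - confirm before changing.
add action=accept chain=input comment="Allow Broadcast Traffic" dst-address-type=broadcast
add action=log chain=input disabled=yes log-prefix=Filter:
add action=drop chain=input comment="Drop anything else" log-prefix=in-drop-
# --- forward chain ---
add action=jump chain=forward comment="Go to chain for banning computers access" jump-target=internet_ban
# REVIEW: default-deny for routed traffic. Disabled so this import does not change current forwarding behaviour.
add action=accept chain=forward comment="REVIEW: accept established/related (disabled until reviewed)" connection-state=established,related disabled=yes
add action=drop chain=forward comment="REVIEW: drop invalid (disabled until reviewed)" connection-state=invalid disabled=yes
add action=drop chain=forward comment="REVIEW: drop new WAN1 connections not dst-natted (disabled until reviewed)" connection-nat-state=!dstnat connection-state=new disabled=yes in-interface=WAN1-SFP
add action=drop chain=forward comment="REVIEW: drop new WAN2 connections not dst-natted (disabled until reviewed)" connection-nat-state=!dstnat connection-state=new disabled=yes in-interface=sfpplus
# --- ICMP chain: rate-limited allow-list (5 pkt/s, burst 5 per type) ---
add action=accept chain=ICMP comment="0:0 and limit for 5p/sec" icmp-options=0:0-255 limit=5,5 protocol=icmp
add action=accept chain=ICMP comment="3:3 and limit for 5pac/s" icmp-options=3:3 limit=5,5 protocol=icmp
add action=accept chain=ICMP comment="3:4 and limit for 5pac/s" icmp-options=3:4 limit=5,5 protocol=icmp
add action=accept chain=ICMP comment="8:0 and limit for 5pac/s" icmp-options=8:0-255 limit=5,5 protocol=icmp
add action=accept chain=ICMP comment="11:0 and limit for 5pac/s" icmp-options=11:0-255 limit=5,5 protocol=icmp
add action=drop chain=ICMP comment="Drop everything else" protocol=icmp
# Unreachable after the unconditional drop above; kept for readability of the chain.
add action=return chain=ICMP
# --- services chain: router-hosted services. LAN-only where in-interface=LAN; the rest are reachable from WAN. ---
add action=accept chain=services comment="accept localhost" dst-address=127.0.0.1 src-address=127.0.0.1
add action=accept chain=services comment="allow MACwinbox " dst-port=20561 in-interface=LAN protocol=udp
add action=accept chain=services comment="Bandwidth server" disabled=yes dst-port=2000 protocol=tcp
add action=accept chain=services comment=" MT Discovery Protocol" dst-port=5678 in-interface=LAN protocol=udp
# SNMP is UDP/161 on RouterOS; the original protocol=tcp never matched a real poll.
add action=accept chain=services comment="allow SNMP" dst-port=161 in-interface=LAN protocol=udp
add action=accept chain=services comment="Allow BGP" disabled=yes dst-port=179 protocol=tcp
add action=accept chain=services comment="allow BGP" disabled=yes dst-port=5000-5100 protocol=udp
add action=accept chain=services comment="Allow NTP" dst-port=123 in-interface=LAN protocol=udp
add action=accept chain=services comment="Allow PPTP" disabled=yes dst-port=1723 protocol=tcp
add action=accept chain=services comment="allow PPTP and EoIP" disabled=yes protocol=gre
# Reachable from any interface by design (remote VPN entry point); it is also covered by the psd/DoS rules above.
add action=accept chain=services comment="allow OpenVPN" dst-port=22897 protocol=tcp
# DNS is LAN-only, which keeps the router from acting as an open resolver toward the WAN.
add action=accept chain=services comment="allow DNS request" dst-port=53 in-interface=LAN protocol=tcp
add action=accept chain=services comment="Allow DNS request" dst-port=53 in-interface=LAN protocol=udp
add action=accept chain=services comment=UPnP disabled=yes dst-port=1900 protocol=udp
add action=accept chain=services comment=UPnP disabled=yes dst-port=2828 protocol=tcp
add action=accept chain=services comment="allow DHCP" disabled=yes dst-port=67-68 protocol=udp
add action=accept chain=services comment="allow Web Proxy" disabled=yes dst-port=8080 protocol=tcp
add action=accept chain=services comment="allow IPIP" disabled=yes protocol=ipencap
add action=accept chain=services comment="allow https for Hotspot" disabled=yes dst-port=443 protocol=tcp
add action=accept chain=services comment="allow Socks for Hotspot" disabled=yes dst-port=1080 protocol=tcp
add action=accept chain=services comment="allow IPSec connections" disabled=yes dst-port=500 protocol=udp
add action=accept chain=services comment="allow IPSec" disabled=yes protocol=ipsec-esp
add action=accept chain=services comment="allow IPSec" disabled=yes protocol=ipsec-ah
add action=accept chain=services comment="allow RIP" disabled=yes dst-port=520-521 protocol=udp
add action=accept chain=services comment="allow OSPF" disabled=yes protocol=ospf
add action=accept chain=services comment="Allow remote WinBox IP" disabled=yes dst-port=8291 protocol=tcp
# NOTE(review): these match only packets destined to the router itself (input chain). If 18654 is a dst-nat
# port-forward to the named computer, the forwarded packets never reach these rules. The UDP rule also logs every
# packet it matches, which an unsolicited scan can turn into log flood - consider removing log=yes.
add action=accept chain=services comment="COMPUTER: xxxx - RDP" dst-port=18654 log=yes log-prefix=spc-fw-filter protocol=udp
add action=accept chain=services comment="COMPUTER: xxxx - RDP" dst-port=18654 protocol=tcp
add action=return chain=services comment="end: SERVICES"
# --- internet_ban chain: per-client bans, matched on source MAC (spoofable; see header note) ---
add action=reject chain=internet_ban comment="BAN: XXXXX internet" reject-with=icmp-net-prohibited src-mac-address=11:22:22:33:44:55
add action=return chain=internet_ban comment="END BAN LIST"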