
Untitled

a guest
Oct 25th, 2025
  1. ip firewall filter print
  2. Flags: X - disabled, I - invalid; D - dynamic
  3.  0  D ;;; special dummy rule to show fasttrack counters
  4.       chain=forward action=passthrough
  5.  
  6.  1    ;;; DHCP-client
  7.       chain=input action=accept protocol=udp dst-port=68 log=no log-prefix=""
  8.  
  9.  2    ;;; Established,related,untracked
  10.       chain=input action=accept connection-state=established,related,untracked log=no log-prefix=""
  11.  
  12.  3 X  ;;; Local loopback (for CAPsMAN)
  13.       chain=input action=accept dst-address=127.0.0.1 log=no log-prefix=""
  14.  
  15.  4 X  ;;; IPSec policy (input)
  16.       chain=forward action=accept log=no log-prefix="" ipsec-policy=in,ipsec
  17.  
  18.  5 X  ;;; IPSec policy (output)
  19.       chain=forward action=accept log=no log-prefix="" ipsec-policy=out,ipsec
  20.  
  21.  6    ;;; FASTTRACK
  22.       chain=forward action=fasttrack-connection hw-offload=yes connection-state=established,related log=no log-prefix=""
  23.  
  24.  7    ;;; Established,related,untracked
  25.       chain=forward action=accept connection-state=established,related,untracked log=no log-prefix=""
  26.  
  27.  8    ;;; Invalid
  28.       chain=input action=drop connection-state=invalid log=no log-prefix=""
  29.  
  30.  9    ;;; Invalid
  31.       chain=forward action=drop connection-state=invalid log=no log-prefix=""
  32.  
  33. 10    ;;; XMAS scan (tcp)
  34.       chain=input action=drop tcp-flags=!,fin,syn,rst,psh,ack,urg connection-state=new connection-nat-state=!dstnat protocol=tcp
  35.       in-interface-list=WAN log=no log-prefix=""
  36.  
  37. 11    ;;; NULL packets
  38.       chain=input action=drop tcp-flags=!,fin,syn,rst,ack connection-state=new protocol=tcp in-interface-list=WAN log=no log-prefix=""
  39.  
  40. 12    ;;; New UDP from WAN, not DSTNATed (UDP has no TCP flags, so this is not an XMAS-scan match)
  41.       chain=input action=drop connection-state=new connection-nat-state=!dstnat protocol=udp in-interface-list=WAN log=no log-prefix=""
  42.  
  43. 13    ;;; Unusual TCP options
  44.       chain=forward action=drop protocol=tcp in-interface-list=WAN tcp-mss=!300-2000 log=no log-prefix=""
  45.  
  46. 14    ;;; WAN access
  47.       chain=input action=drop protocol=tcp in-interface-list=WAN dst-port=422,8443,9291 log=no log-prefix=""
  48.  
  49. 15    ;;; Honeypot (tcp)
  50.       chain=input action=add-src-to-address-list protocol=tcp address-list=Honeypot address-list-timeout=4w2d in-interface-list=WAN
  51.       dst-port=21-25,53,80,135-139,161,443-445,1433,1723,2375,3306,3389,5000 log=no log-prefix=""
  52.  
  53. 16    ;;; Honeypot (tcp)
  54.       chain=input action=add-src-to-address-list protocol=tcp address-list=Honeypot
  55.       address-list-timeout=4w2d in-interface-list=WAN
  56.       dst-port=5432,5900,5985,6379,8000,8080,8443,9000,9200,27017,11211,50000,47808,49152 log=no
  57.       log-prefix=""
  58.  
  59. 17    ;;; Honeypot (udp)
  60.       chain=input action=add-src-to-address-list protocol=udp address-list=Honeypot
  61.       address-list-timeout=4w2d in-interface-list=WAN
  62.       dst-port=21-25,53,80,135-139,161,443-445,1433,1723,2375,3306,3389,5000 log=no log-prefix=""
  63.  
  64. 18    ;;; Honeypot (udp)
  65.       chain=input action=add-src-to-address-list protocol=udp address-list=Honeypot
  66.       address-list-timeout=4w2d in-interface-list=WAN
  67.       dst-port=5432,5900,5985,6379,8000,8080,8443,9000,9200,27017,11211,50000,47808,49152 log=no
  68.       log-prefix=""
  69.  
  70. 19    ;;; Path MTU Discovery
  71.       chain=forward action=accept protocol=icmp in-interface-list=WAN icmp-options=3:4 log=no
  72.       log-prefix=""
  73.  
  74. 20    ;;; ICMP
  75.       chain=input action=drop protocol=icmp in-interface-list=WAN log=no log-prefix=""
  76.  
  77. 21    ;;; Broadcast
  78.       chain=forward action=drop protocol=tcp out-interface-list=WAN
  79.       dst-port=135-139,445,1900,2000,2001,5353,5355,5678,5679,5675,8728,8729 log=no log-prefix=""
  80.  
  81. 22    ;;; Broadcast
  82.       chain=forward action=drop protocol=udp out-interface-list=WAN
  83.       dst-port=135-139,445,1900,2000,2001,5353,5355,5678,5679,5675,8728,8729 log=no log-prefix=""
  84.  
  85. 23    ;;; Broadcast
  86.       chain=output action=drop protocol=tcp out-interface-list=WAN
  87.       dst-port=135-139,445,1900,2000,2001,5353,5355,5678,5679,5675,8728,8729 log=no log-prefix=""
  88.  
  89. 24    ;;; Broadcast
  90.       chain=output action=drop protocol=udp out-interface-list=WAN
  91.       dst-port=135-139,445,1900,2000,2001,5353,5355,5678,5679,5675,8728,8729 log=no log-prefix=""
  92.  
  93. 25    ;;; All incoming from WAN
  94.       chain=input action=drop in-interface-list=WAN log=no log-prefix=""
  95.  
  96. 26    ;;; All from WAN not DSTNATed
  97.       chain=forward action=drop connection-state=new connection-nat-state=!dstnat
  98.       in-interface-list=WAN log=no log-prefix=""