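# /ip firewall filter -- IPv4 packet filter for a router whose upstream
# interface is named "WAN".
#
# RouterOS evaluates each chain top to bottom; the first rule with a terminal
# action (accept/drop) decides the packet. Both chains used here default to
# ACCEPT when nothing matches, so each chain must end in an explicit drop for
# the traffic it is meant to block.
#   input   -- packets addressed to the router itself
#   forward -- packets routed through the router (LAN <-> WAN)
/ip firewall filter
# --- Fast path: packets that belong to connections conntrack already tracks --
add action=accept chain=forward comment="allow already established connections" \
    connection-state=established
add action=accept chain=forward comment="allow related connections" \
    connection-state=related
# The exported input rule accepted only 'established' from WAN. 'related' is
# added so ICMP errors tied to the router's own connections (e.g.
# fragmentation-needed) are not discarded by the final WAN input drop.
add action=accept chain=input comment="allow established/related to router" \
    connection-state=established,related in-interface=WAN
# --- Drop invalid ----------------------------------------------------------
# The export carried connection-state="" on these two rules and had them
# disabled. An empty connection-state is not a usable matcher; the rule
# comments make the intent clear: 'invalid' (packets conntrack cannot attribute
# to any connection). Fixed, enabled, and placed directly after the
# established/related accepts so invalid packets never reach the rules below.
add action=drop chain=forward comment="drop invalid connections" \
    connection-state=invalid
add action=drop chain=input comment="Drop Invalid connections" \
    connection-state=invalid
# --- Port-scan detection (input chain) --------------------------------------
# Sources that send TCP flag combinations no legitimate stack emits, or that
# trip the port-scan-detection heuristic, are added to the dynamic address
# list "port scanners" for two weeks and then dropped by the rule that follows
# the detectors.
# Caveats a maintainer should know:
#  * The detectors match on every interface and key on the SOURCE address.
#    One spoofed TCP packet (for instance arriving on WAN with a LAN host's
#    address as source) is enough to list that address and cut it off from
#    the router for the whole address-list-timeout. Shorten the timeout or
#    add an in-interface match if that matters in your deployment.
#  * The input chain ends with an unconditional drop from WAN, so for WAN
#    sources the list mainly adds visibility; the list-based drop is only
#    decisive for sources arriving on non-WAN interfaces.
#  * psd=21,3s,3,1 means: weight threshold 21 reached within a 3s window,
#    ports below 1024 weigh 3, higher ports weigh 1. Hosts that legitimately
#    open many ports to the router in a short burst (monitoring, some P2P
#    clients) can trip it.
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="NMAP NULL scan" protocol=tcp \
    tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="Port scanners to list " \
    protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="NMAP FIN Stealth scan" \
    protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="SYN/FIN scan" protocol=tcp \
    tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="SYN/RST scan" protocol=tcp \
    tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" protocol=tcp \
    tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="ALL/ALL scan" protocol=tcp \
    tcp-flags=fin,syn,rst,psh,ack,urg
add action=drop chain=input comment="dropping port scanners" src-address-list=\
    "port scanners"
# --- Bogon filtering (forward chain) ----------------------------------------
# Addresses that must never appear as source or destination of routed
# traffic: 0.0.0.0/8 ("this" network), 127.0.0.0/8 (loopback) and
# 224.0.0.0/3, which spans 224.0.0.0-255.255.255.255: multicast (224/4) plus
# the reserved 240/4 range and the limited-broadcast address. Note that the
# dst-address=224.0.0.0/3 rule also stops any multicast you might want to
# forward (e.g. IPTV); relax it if that is required. These rules cover the
# forward chain only; for the input chain the final WAN drop below already
# covers this traffic.
add action=drop chain=forward comment="Block Bogon IP addresses" src-address=\
    0.0.0.0/8
add action=drop chain=forward dst-address=0.0.0.0/8
add action=drop chain=forward src-address=127.0.0.0/8
add action=drop chain=forward dst-address=127.0.0.0/8
add action=drop chain=forward src-address=224.0.0.0/3
add action=drop chain=forward dst-address=224.0.0.0/3
# --- Forward chain default deny ---------------------------------------------
# Not present in the export. The forward chain defaults to accept, so without
# this rule any new connection arriving on WAN for a routable internal address
# would be forwarded. Matching connection-nat-state=!dstnat keeps dst-nat
# "port forwards" working while dropping everything that was not explicitly
# published. Put any accept rules for published services ABOVE this line.
add action=drop chain=forward comment="drop new WAN connections not dst-natted" \
    connection-nat-state=!dstnat connection-state=new in-interface=WAN
# --- Input chain default deny for WAN ---------------------------------------
# Everything from WAN that was not accepted above is dropped. Input arriving on
# any other interface is still implicitly accepted (chain default), i.e. the
# router's own services remain fully reachable from the inside.
add action=drop chain=input in-interface=WAN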