# Interfacesset interfaces ge-0/0/0 unit 0 description WANset interfaces ge-

1. # Interfaces
2. set interfaces ge-0/0/0 unit 0 description WAN
3. set interfaces ge-0/0/0 unit 0 family inet filter input-list [ prerouting icmp4 bad_tcp prerouting-termination ]
4. set interfaces ge-0/0/1 unit 0 description LAN
5. set interfaces ge-0/0/1 unit 0 family inet filter input-list [ prerouting icmp4 bad_tcp prerouting-termination ]
6.  
7. # /ip firewall address-list
8. set policy-options prefix-list bad_dst_ipv4 0.0.0.0/8
9. set policy-options prefix-list bad_dst_ipv4 224.0.0.0/4
10. set policy-options prefix-list bad_ipv4 127.0.0.0/8
11. set policy-options prefix-list bad_ipv4 192.0.0.0/24
12. set policy-options prefix-list bad_ipv4 192.0.2.0/24
13. set policy-options prefix-list bad_ipv4 198.51.100.0/24
14. set policy-options prefix-list bad_ipv4 203.0.113.0/24
15. set policy-options prefix-list bad_ipv4 240.0.0.0/4
16. set policy-options prefix-list bad_src_ipv4 224.0.0.0/4
17. set policy-options prefix-list bad_src_ipv4 255.255.255.255/32
18. set policy-options prefix-list not_global_ipv4 0.0.0.0/8
19. set policy-options prefix-list not_global_ipv4 10.0.0.0/8
20. set policy-options prefix-list not_global_ipv4 100.64.0.0/10
21. set policy-options prefix-list not_global_ipv4 169.254.0.0/16
22. set policy-options prefix-list not_global_ipv4 172.16.0.0/12
23. set policy-options prefix-list not_global_ipv4 192.0.0.0/29
24. set policy-options prefix-list not_global_ipv4 192.168.0.0/16
25. set policy-options prefix-list not_global_ipv4 198.18.0.0/15
26. set policy-options prefix-list not_global_ipv4 255.255.255.255/32
27.  
28. # /ip firewall raw
29. # Prerouting
30. set firewall family inet filter prerouting term "defconf: enable for transparent firewall" then accept
31. deactivate firewall family inet filter prerouting term "defconf: enable for transparent firewall"
32. set firewall family inet filter prerouting term "defconf: accept DHCP discover" from source-address 0.0.0.0/32
33. set firewall family inet filter prerouting term "defconf: accept DHCP discover" from destination-address 255.255.255.255/32
34. set firewall family inet filter prerouting term "defconf: accept DHCP discover" from protocol udp
35. set firewall family inet filter prerouting term "defconf: accept DHCP discover" from source-port 68
36. set firewall family inet filter prerouting term "defconf: accept DHCP discover" from destination-port 67
37. set firewall family inet filter prerouting term "defconf: accept DHCP discover" from interface ge-0/0/1.0
38. set firewall family inet filter prerouting term "defconf: accept DHCP discover" then accept
39. set firewall family inet filter prerouting term "defconf: drop bogon IP's - Source" from source-prefix-list bad_ipv4
40. set firewall family inet filter prerouting term "defconf: drop bogon IP's - Source" from source-prefix-list bad_src_ipv4
41. set firewall family inet filter prerouting term "defconf: drop bogon IP's - Source" then discard
42. set firewall family inet filter prerouting term "defconf: drop bogon IP's - Destination" from destination-prefix-list bad_ipv4
43. set firewall family inet filter prerouting term "defconf: drop bogon IP's - Destination" from destination-prefix-list bad_dst_ipv4
44. set firewall family inet filter prerouting term "defconf: drop bogon IP's - Destination" then discard
45. set firewall family inet filter prerouting term "defconf: drop non global from WAN" from source-prefix-list not_global_ipv4
46. set firewall family inet filter prerouting term "defconf: drop non global from WAN" from interface ge-0/0/0
47. set firewall family inet filter prerouting term "defconf: drop non global from WAN" then discard
48. set firewall family inet filter prerouting term "defconf: drop forward to local lan from WAN" from destination-address 192.168.88.0/24
49. set firewall family inet filter prerouting term "defconf: drop forward to local lan from WAN" from interface ge-0/0/0
50. set firewall family inet filter prerouting term "defconf: drop forward to local lan from WAN" then discard
51. set firewall family inet filter prerouting term "defconf: drop local if not from default IP range" from source-address 192.168.88.0/24
52. set firewall family inet filter prerouting term "defconf: drop local if not from default IP range" from interface ge-0/0/1
53. set firewall family inet filter prerouting term "defconf: drop local if not from default IP range" then next term
54. set firewall family inet filter prerouting term "defconf: drop bad UDP" from protocol udp
55. set firewall family inet filter prerouting term "defconf: drop bad UDP" from port 0
56.  
57. # ICMP
58. set firewall family inet filter icmp4 term "defconf: echo reply" from protocol icmp
59. set firewall family inet filter icmp4 term "defconf: echo reply" from icmp-type 0
60. set firewall family inet filter icmp4 term "defconf: echo reply" from icmp-code 0
61. set firewall family inet filter icmp4 term "defconf: echo reply" then policer icmp_policer
62. set firewall family inet filter icmp4 term "defconf: echo reply" then accept
63. set firewall family inet filter icmp4 term "defconf: net unreachable" from protocol icmp
64. set firewall family inet filter icmp4 term "defconf: net unreachable" from icmp-type 3
65. set firewall family inet filter icmp4 term "defconf: net unreachable" from icmp-code 0
66. set firewall family inet filter icmp4 term "defconf: net unreachable" then accept
67. set firewall family inet filter icmp4 term "defconf: host unreachable" from protocol icmp
68. set firewall family inet filter icmp4 term "defconf: host unreachable" from icmp-type 3
69. set firewall family inet filter icmp4 term "defconf: host unreachable" from icmp-code 1
70. set firewall family inet filter icmp4 term "defconf: host unreachable" then accept
71. set firewall family inet filter icmp4 term "defconf: protocol unreachable" from protocol icmp
72. set firewall family inet filter icmp4 term "defconf: protocol unreachable" from icmp-type 3
73. set firewall family inet filter icmp4 term "defconf: protocol unreachable" from icmp-code 2
74. set firewall family inet filter icmp4 term "defconf: protocol unreachable" then accept
75. set firewall family inet filter icmp4 term "defconf: port unreachable" from protocol icmp
76. set firewall family inet filter icmp4 term "defconf: port unreachable" from icmp-type 3
77. set firewall family inet filter icmp4 term "defconf: port unreachable" from icmp-code 3
78. set firewall family inet filter icmp4 term "defconf: port unreachable" then accept
79. set firewall family inet filter icmp4 term "defconf: fragmentation needed" from protocol icmp
80. set firewall family inet filter icmp4 term "defconf: fragmentation needed" from icmp-type 3
81. set firewall family inet filter icmp4 term "defconf: fragmentation needed" from icmp-code 4
82. set firewall family inet filter icmp4 term "defconf: fragmentation needed" then accept
83. set firewall family inet filter icmp4 term "defconf: echo" from protocol icmp
84. set firewall family inet filter icmp4 term "defconf: echo" from icmp-type 8
85. set firewall family inet filter icmp4 term "defconf: echo" from icmp-code 0
86. set firewall family inet filter icmp4 term "defconf: echo" then policer icmp_policer
87. set firewall family inet filter icmp4 term "defconf: echo" then accept
88. set firewall family inet filter icmp4 term "defconf: time exceeded" from protocol icmp
89. set firewall family inet filter icmp4 term "defconf: time exceeded" from icmp-type 11
90. set firewall family inet filter icmp4 term "defconf: time exceeded" then accept
91. set firewall family inet filter icmp4 term "defconf: drop other icmp" from protocol icmp
92. set firewall family inet filter icmp4 term "defconf: drop other icmp" then discard
93.  
94. # bad-tcp
95. set firewall family inet filter bad_tcp term "defconf: TCP flag filter" from protocol tcp
96. set firewall family inet filter bad_tcp term "defconf: TCP flag filter" from tcp-flags "!fin | !syn | !rst | !ack"
97. set firewall family inet filter bad_tcp term "defconf: TCP flag filter" then discard
98. set firewall family inet filter bad_tcp term defconf from tcp-flags "(fin & syn ) | (fin & rst) | (fin & !ack) | (fin & urg) | (syn & rst) | (rst & urg)"
99. set firewall family inet filter bad_tcp term "defconf: TCP port 0 drop - Source" from protocol tcp
100. set firewall family inet filter bad_tcp term "defconf: TCP port 0 drop - Source" from source-port 0
101. set firewall family inet filter bad_tcp term "defconf: TCP port 0 drop - Source" then discard
102. set firewall family inet filter bad_tcp term "defconf: TCP port 0 drop - Destination" from protocol tcp
103. set firewall family inet filter bad_tcp term "defconf: TCP port 0 drop - Destination" from destination-port 0
104. set firewall family inet filter bad_tcp term "defconf: TCP port 0 drop - Destination" then discard
105.  
106. # Prerouting Pt2
107. set firewall family inet filter prerouting-termination term "defconf: accept everything else from LAN/WAN" from interface ge-0/0/0
108. set firewall family inet filter prerouting-termination term "defconf: accept everything else from LAN/WAN" from interface ge-0/0/1
109. set firewall family inet filter prerouting-termination term "defconf: accept everything else from LAN/WAN" then accept
110. set firewall family inet filter prerouting-termination term "defconf: drop the rest" then discard
111.  
112. # Policer
113. set firewall policer icmp_policer if-exceeding bandwidth-limit 5m
114. set firewall policer icmp_policer if-exceeding burst-size-limit 100k
115. set firewall policer icmp_policer then discard
116.  
117.