- # Input-chain ICMP is meant to be handed to the ICMP chain further down
- # (rate-limited echo request, a few error types, drop the rest). This jump
- # is disabled, so ICMP aimed at the router is decided by the ordinary input
- # rules instead.
- add chain=input protocol=icmp action=jump jump-target=ICMP disabled=yes \
- comment="Jump for icmp input flow"
- # IPsec: forwarded traffic that matched an IPsec policy in either direction
- # is accepted ahead of every other forward rule.
- add chain=forward ipsec-policy=in,ipsec action=accept
- add chain=forward ipsec-policy=out,ipsec action=accept
- # Per-device whitelist keyed on the source MAC alone (no src-address, no
- # in-interface). A MAC is visible to every host on the same L2 segment and
- # is trivial to spoof, and because these four rules sit at the top of the
- # forward chain a spoofed MAC skips every later drop in it (bogon list,
- # spammers, ssh_blacklist). Pinning each rule to in-interface= plus a static
- # lease/src-address, or moving them below the drop rules, would limit that.
- add chain=forward src-mac-address=8C:85:90:56:45:58 action=accept \
- comment="XL Solution - Rafael Orioli"
- add chain=forward src-mac-address=8C:85:90:24:2C:05 action=accept \
- comment="XL Solution - Rafael Peroco"
- add chain=forward src-mac-address=78:4F:43:8B:F6:81 action=accept \
- comment="XL Solution - Roger Lovato MacBook"
- add chain=forward src-mac-address=D4:DC:CD:AB:1F:78 action=accept \
- comment="XL Solution - Roger Lovato iPhone"
- # Disabled: a blanket drop of everything forwarded from 172.26.74.0/24.
- add chain=forward src-address=172.26.74.0/24 action=drop disabled=yes
- # Source-network accepts. These take effect ahead of the bogon, spammer and
- # ssh_blacklist drops later in the chain, so the networks listed here are
- # exempt from those controls. src-address-list="" is an empty matcher left
- # behind by whatever created the rules; it appears to add no constraint,
- # but it is easy to misread and worth clearing.
- add chain=forward src-address=172.20.0.0/24 src-address-list="" \
- action=accept comment="Servers Network"
- add chain=forward src-address=172.25.0.0/24 src-address-list="" \
- action=accept comment="Servers Network"
- add chain=forward src-address=172.26.74.201 action=accept
- add chain=forward src-address=172.26.74.0/24 dst-address=172.20.0.0/24 \
- action=accept
- # Guest VLAN (192.168.43.0/24, see the vlan-guests DHCP rule on input): one
- # host in the server network plus ICMP are explicitly accepted. No catch-all
- # drop for the forward chain is visible in this export, so the rest of the
- # guest traffic is not refused here either.
- add chain=forward src-address=192.168.43.0/24 dst-address=172.20.0.75 \
- action=accept
- add chain=forward src-address=192.168.43.0/24 protocol=icmp action=accept
- # Disabled, like its input-chain counterpart: forwarded ICMP is not sent
- # through the ICMP chain.
- add chain=forward protocol=icmp action=jump jump-target=ICMP disabled=yes \
- comment="Jump for icmp forward flow"
- # Fast path: once a connection is established it is fasttracked and then
- # accepted, so every forward rule below this point only ever sees new (or
- # untracked) packets - including the spammer and blacklist drops.
- add chain=forward connection-state=established,related \
- action=fasttrack-connection
- add chain=forward connection-state=established,related,untracked \
- action=accept
- # New connections towards addresses in the "bogons" list are dropped. The
- # list itself lives under /ip firewall address-list and is not part of this
- # export; if it is empty or missing this rule is a no-op.
- add chain=forward dst-address-list=bogons action=drop \
- comment="Drop to bogon list"
- # Outbound SMTP abuse: a source holding more than 30 connections to port
- # 25/587 is listed as a spammer for three hours (the listing action itself
- # is rate-limited to 30 per minute), and listed sources are refused SMTP.
- add chain=forward protocol=tcp dst-port=25,587 connection-limit=30,32 \
- limit=30/1m,0:packet action=add-src-to-address-list \
- address-list=spammers address-list-timeout=3h \
- comment="Add Spammers to the list for 3 hours"
- add chain=forward protocol=tcp dst-port=25,587 src-address-list=spammers \
- action=drop comment="Avoid spammers action"
- # Sources on ssh_blacklist (filled by the staged SSH rules in the input
- # chain) are also kept off SSH on downstream hosts. This only does anything
- # if those input rules are actually reachable.
- add chain=forward protocol=tcp dst-port=22 src-address-list=ssh_blacklist \
- action=drop comment="drop ssh brute downstream"
- # No catch-all drop follows in the forward chain: anything not matched above
- # falls through to RouterOS's default handling of unmatched packets (accept,
- # unless something outside this export says otherwise). The explicit
- # per-host accepts earlier in the chain therefore restrict nothing on their
- # own.
- # Management access: these four networks reach every service on the router
- # (SSH, DNS, WinBox, ...) with no protocol or port restriction, and because
- # they are accepted here they never reach the WinBox restriction or the
- # brute-force detectors further down. 172.22.0.0/16 is an entire /16.
- # Limiting these to the ports actually needed (as the per-service rules for
- # 172.26.74.0/24 below do) would be the least-privilege form.
- add chain=input src-address=172.19.0.0/24 action=accept \
- comment="Network GCP"
- add chain=input src-address=172.25.0.0/23 action=accept \
- comment="Network Office"
- add chain=input src-address=172.20.0.0/24 action=accept \
- comment="Network CL"
- add chain=input src-address=172.22.0.0/16 action=accept \
- comment="Network AWS"
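- # Per-service accepts for the 172.26.74.0/24 network: SSH, DNS over UDP and
- # TCP, DHCP and (further down) ICMP. The comment= strings are Portuguese
- # ("Acesso liberado por X" = "access allowed for X") and are kept verbatim.
- add chain=input src-address=172.26.74.0/24 protocol=tcp dst-port=22 \
- action=accept comment="Acesso liberado por SSH"
- add chain=input src-address=172.26.74.0/24 protocol=udp dst-port=53 \
- action=accept comment="Acesso liberado por DNS"
- add chain=input src-address=172.26.74.0/24 protocol=tcp dst-port=53 \
- action=accept comment="Acesso liberado por DNS"
- # Guest VLAN (192.168.43.0/24): DNS only, UDP and TCP. The second rule used
- # to carry no protocol and no dst-port at all, which accepted *every* packet
- # from the guest network to the router (SSH, WinBox, anything) under a
- # "DNS" label. It now mirrors the TCP/53 rule above.
- add chain=input src-address=192.168.43.0/24 protocol=udp dst-port=53 \
- action=accept comment="Acesso liberado por DNS"
- add chain=input src-address=192.168.43.0/24 protocol=tcp dst-port=53 \
- action=accept comment="Acesso liberado por DNS"
- # DHCP. A client without a lease sends DISCOVER from 0.0.0.0, which a
- # src-address match on the subnet cannot see; RouterOS's DHCP server is
- # commonly reported to bypass the IP filter anyway. Verify whether these
- # rules are needed at all before widening them.
- add chain=input src-address=172.26.74.0/24 protocol=udp dst-port=67-68 \
- action=accept comment="Acesso liberado por DHCP"
- add chain=input in-interface=vlan-guests src-address=192.168.43.0/24 \
- protocol=udp dst-port=67-68 action=accept \
- comment="Acesso liberado por DHCP"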
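- # DNS service for everything arriving on bridge1. The original used port=53,
- # which matches *either* source or destination port, so any packet sent from
- # source port 53 (trivial for a client to choose) reached any service on the
- # router. dst-port=53 is what "accept DNS queries" means; replies to the
- # router's own lookups are covered by the established/related rule below.
- add chain=input in-interface=bridge1 protocol=udp dst-port=53 \
- action=accept comment="Accept DNS - UDP"
- add chain=input in-interface=bridge1 protocol=tcp dst-port=53 \
- action=accept comment="Accept DNS - TCP"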
- # Stateful accept. The second rule (related only) is fully contained in the
- # first and never matches anything on its own; harmless but dead.
- add chain=input connection-state=established,related action=accept \
- comment="Accept to established connections"
- add chain=input connection-state=related action=accept \
- comment="Accept to related connections"
- # ICMP to the router is accepted from 172.26.74.0/24 only; the rate-limited
- # ICMP chain is not involved because all of its jump rules are disabled.
- add chain=input src-address=172.26.74.0/24 protocol=icmp action=accept \
- comment="Acesso liberado por PING"
- # Anything at all from addresses on the "support" list. The list is managed
- # under /ip firewall address-list and is not part of this export.
- add chain=input src-address-list=support action=accept \
- comment="Full access to SUPPORT address list"
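- # ---------------------------------------------------------------------------
- # Tail of the input chain. In the original order the catch-all "Drop anything
- # else!" rule stood HERE, ahead of the WinBox restriction, the SYN-flood and
- # port-scan detectors and the four-stage SSH brute-force detector below. A
- # packet that reached the drop was gone, and a packet accepted earlier never
- # got this far, so none of those rules ever matched: the Syn_Flooder,
- # Port_Scanner and ssh_blacklist lists were never filled (which also left
- # the ssh_blacklist drop in the forward chain inert). The catch-all drop is
- # now the last rule of the chain. Everything accepted above is still
- # accepted and everything else still ends in a drop, but the detectors see
- # the traffic first. The ICMP- and output-chain rules in between are not
- # affected by input-chain order and are left where they were.
- # ---------------------------------------------------------------------------
- # ICMP chain: only entered through the (currently disabled) jump rules in
- # the input, forward and output chains, so it is dead as configured. It
- # accepts echo request at 1 per second (default unit) with a burst of 5,
- # echo reply, time exceeded, destination unreachable (net/host) and
- # fragmentation-needed (PMTUD), and drops every other ICMP type.
- add chain=ICMP protocol=icmp icmp-options=8:0 limit=1,5:packet \
- action=accept comment="Echo request - Avoiding Ping Flood"
- add chain=ICMP protocol=icmp icmp-options=0:0 action=accept \
- comment="Echo reply"
- add chain=ICMP protocol=icmp icmp-options=11:0 action=accept \
- comment="Time Exceeded"
- add chain=ICMP protocol=icmp icmp-options=3:0-1 action=accept \
- comment="Destination unreachable"
- add chain=ICMP protocol=icmp icmp-options=3:4 action=accept comment=PMTUD
- add chain=ICMP protocol=icmp action=drop comment="Drop to the other ICMPs"
- add chain=output protocol=icmp action=jump jump-target=ICMP disabled=yes \
- comment="Jump for icmp output"
- # FTP brute force. The router's own "530 Login incorrect" replies are
- # watched on the output chain: a burst of 9 and then 1 per minute per
- # destination pass, any further ones put that destination on ftp_blacklist
- # for 3 hours, and listed sources are refused FTP on input. Relies on the
- # reply being sent in clear text.
- add chain=input protocol=tcp dst-port=21 src-address-list=ftp_blacklist \
- action=drop comment="drop ftp brute forcers"
- add chain=output content="530 Login incorrect" \
- dst-limit=1/1m,9,dst-address/1m action=accept
- add chain=output protocol=tcp content="530 Login incorrect" \
- action=add-dst-to-address-list address-list=ftp_blacklist \
- address-list-timeout=3h
- # SYN flood: a source holding more than 30 TCP connections to the router is
- # listed for 30 minutes and dropped.
- add chain=input protocol=tcp tcp-flags=syn connection-limit=30,32 \
- action=add-src-to-address-list address-list=Syn_Flooder \
- address-list-timeout=30m comment="Add Syn Flood IP to the list"
- add chain=input src-address-list=Syn_Flooder action=drop \
- comment="Drop to syn flood list"
- # Port scan detection: weight threshold 21 within 3 s, low ports weigh 3,
- # high ports 1; offenders are listed for a week and dropped.
- add chain=input protocol=tcp psd=21,3s,3,1 \
- action=add-src-to-address-list address-list=Port_Scanner \
- address-list-timeout=1w comment="Port Scanner Detect"
- add chain=input src-address-list=Port_Scanner action=drop \
- comment="Drop to port scan list"
- # WinBox (8291) only from the support list. The "Network GCP / Office / CL /
- # AWS" accepts earlier in the chain already admit WinBox from those networks
- # before this rule is consulted.
- add chain=input protocol=tcp dst-port=8291 src-address-list=!support \
- action=drop comment="Block all access to the winbox - except to support list # DO NOT ENABLE THIS RULE BEFORE ADD YOUR SUBNET IN THE SUPPORT ADDRESS LIST"
- # SSH brute force, four stages: a new SSH connection from a source on no
- # list puts it on ssh_stage1 for a minute; the next one within that minute
- # promotes it to stage2, then stage3, and the fourth lands it on
- # ssh_blacklist for 10 days. The stage rules are listed in reverse so one
- # packet can only advance a source by a single stage. Sources accepted
- # earlier (the 172.26.74.0/24 SSH rule, the management networks, the
- # support list) never reach these rules and cannot be blacklisted by them.
- add chain=input protocol=tcp dst-port=22 src-address-list=ssh_blacklist \
- action=drop comment="drop ssh brute forcers"
- add chain=input protocol=tcp dst-port=22 connection-state=new \
- src-address-list=ssh_stage3 action=add-src-to-address-list \
- address-list=ssh_blacklist address-list-timeout=1w3d
- add chain=input protocol=tcp dst-port=22 connection-state=new \
- src-address-list=ssh_stage2 action=add-src-to-address-list \
- address-list=ssh_stage3 address-list-timeout=1m
- add chain=input protocol=tcp dst-port=22 connection-state=new \
- src-address-list=ssh_stage1 action=add-src-to-address-list \
- address-list=ssh_stage2 address-list-timeout=1m
- add chain=input protocol=tcp dst-port=22 connection-state=new \
- action=add-src-to-address-list address-list=ssh_stage1 \
- address-list-timeout=1m
- # Last rule of the input chain: everything not accepted above is dropped.
- # Moved here from above the detector rules (see the note at the top of
- # this section).
- add chain=input action=drop comment="Drop anything else! # DO NOT ENABLE THIS RULE BEFORE YOU MAKE SURE ABOUT ALL ACCEPT RULES YOU NEED"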