Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- may/21/2019 23:07:43 by RouterOS 6.44.2
- # software id = 0UI5-89S6
- #
- # model = RBD52G-5HacD2HnD
- # serial number = A6470A886355
- /ip firewall filter
- add action=accept chain=input disabled=yes
- add action=accept chain=forward disabled=yes
- add action=accept chain=input comment=\
- "defconf: accept established,related,untracked" connection-state=\
- established,related,untracked
- add action=drop chain=input comment="defconf: drop invalid" connection-state=\
- invalid
- add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
- add action=accept chain=input dst-port=4500,500 protocol=udp
- add action=accept chain=input comment="input VPN IKEv2" dst-port=500,4500 port=\
- "" protocol=tcp src-address-list=""
- add action=accept chain=input comment="input IPsec" protocol=ipsec-esp \
- src-address-list=""
- add action=accept chain=input comment=\
- "allow mikrotik web interface from internet" dst-port=8291 protocol=tcp \
- src-address-list=""
- add action=drop chain=input comment="defconf: drop all not coming from LAN" \
- in-interface-list=!LAN
- add action=accept chain=forward comment="defconf: accept in ipsec policy" \
- ipsec-policy=in,ipsec
- add action=accept chain=forward comment="defconf: accept out ipsec policy" \
- ipsec-policy=out,ipsec
- add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
- connection-mark=!ipsec connection-state=established,related
- add action=accept chain=forward comment=\
- "defconf: accept established,related, untracked" connection-state=\
- established,related,untracked
- add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
- invalid
- add action=drop chain=forward comment=\
- "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
- connection-state=new in-interface-list=WAN
- /ip firewall mangle
- add action=mark-connection chain=forward comment=" Mark IPSec" ipsec-policy=\
- out,ipsec new-connection-mark=ipsec
- add action=mark-connection chain=forward comment=" Mark IPSec" ipsec-policy=\
- in,ipsec new-connection-mark=ipsec
- add action=change-mss chain=forward new-mss=1300 out-interface=ipip-mb \
- passthrough=no protocol=tcp tcp-flags=syn tcp-mss=1301-65535
- /ip firewall nat
- add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
- out,none out-interface-list=WAN
- /ip firewall service-port
- set ftp disabled=yes
- set tftp disabled=yes
- set irc disabled=yes
- set h323 disabled=yes
- set sip disabled=yes
- set pptp disabled=yes
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement