# RouterOS (MikroTik) firewall setup. It defines a WAN interface list and a
# "remote" source address list, inserts an input rule that admits "remote"
# sources arriving on WAN, then adds input- and forward-chain filter rules
# whose comments carry the "defconf:" prefix.
# NOTE(review): the leading "- " on every line looks like list markup from the
# paste page rather than RouterOS syntax — confirm and strip before importing.

# Create the WAN interface list and make ether1 its only member.
- /interface list add name=WAN
- /interface list member add list=WAN interface=ether1
# Source addresses allowed to manage the router from WAN.
# The address value below is a placeholder (Russian for "addresses here") and
# must be replaced with a real address or prefix; keep the list as narrow as
# possible, because every entry gains the access granted by the next rule.
- /ip firewall address-list
- add address=ТУТ АДРЕСА list=remote
# NOTE(review): this rule is labelled "allow Winbox" but carries no protocol=
# or dst-port= matcher, so it accepts every input packet that arrives on a WAN
# interface from a "remote" address, not just Winbox. Scoping it to the Winbox
# TCP port (8291 by default — confirm under /ip service) would limit a
# listed source to that one service.
# NOTE(review): place-before=4 refers to a position in the rule table that
# already exists on the router, while the add commands further down carry no
# place-before. Print the input chain after applying and confirm this accept
# sits above the WAN drop; an accept placed after the drop never matches.
- /ip firewall filter
- add action=accept chain=input comment="allow Winbox" \
- in-interface-list=WAN src-address-list=remote place-before=4
# Input chain (traffic addressed to the router itself): accept tracked
# connections, drop invalid ones, accept ICMP and the 127.0.0.1 destination.
- /ip firewall filter add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
- /ip firewall filter add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
- /ip firewall filter add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
- /ip firewall filter add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# NOTE(review): the comment says "not coming from LAN", but the matcher is
# in-interface-list=WAN, so only packets arriving on WAN-list interfaces are
# dropped here. Input on an interface that belongs to no list is not dropped by
# this rule — verify that every untrusted interface is a member of WAN.
- /ip firewall filter add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=WAN
# Forward chain (traffic routed through the router): accept traffic matching
# an IPsec policy in either direction.
- /ip firewall filter add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
- /ip firewall filter add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
# The fasttrack rule is added with disabled=yes, so it has no effect until
# someone enables it.
- /ip firewall filter add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related disabled=yes
- /ip firewall filter add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
- /ip firewall filter add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
# Drop new connections entering from WAN unless a dst-nat rule matched them,
# so only explicitly port-forwarded services are reachable from outside.
- /ip firewall filter add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN