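- # sep/15/2020 17:08:09 by RouterOS 6.45.9
- # model = 951G-2HnD
- # Management hosts allowed to reach Winbox (8291). The address is redacted in this export.
- /ip firewall address-list add address=91.xxx.xxx.xxx list=Trust_IP
- # --- input chain: packets addressed to the router itself ---
- # Stateful rules come first: established/related flows are accepted and invalid packets
- # are dropped before any per-service accept rule below is consulted, so a service rule
- # never accepts a packet that connection tracking already classifies as invalid.
- /ip firewall filter add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
- /ip firewall filter add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
- /ip firewall filter add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
- # OpenVPN is only reachable on the PPPoE (WAN) interface.
- /ip firewall filter add action=accept chain=input comment=OpenVPN dst-port=1194 in-interface=pppoe-out-utk protocol=tcp
- # L2TP/IPsec: IKE (500), NAT-T (4500) and ESP are open to peers. The L2TP control port
- # (1701) is accepted only after the packet has been decrypted by an inbound IPsec policy
- # (ipsec-policy=in,ipsec), so plain, unencrypted L2TP is not reachable from the Internet.
- # dst-port is used instead of port so the match is on the destination only.
- /ip firewall filter add action=accept chain=input comment=L2TP dst-port=500,4500 protocol=udp
- /ip firewall filter add action=accept chain=input protocol=ipsec-esp
- /ip firewall filter add action=accept chain=input comment="L2TP only inside IPsec" dst-port=1701 ipsec-policy=in,ipsec protocol=udp
- # Winbox is limited to the Trust_IP list.
- /ip firewall filter add action=accept chain=input dst-port=8291 protocol=tcp src-address-list=Trust_IP
- # Anything else that did not arrive from a LAN interface is dropped.
- /ip firewall filter add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
- # --- forward chain: transit traffic (defconf, unchanged) ---
- /ip firewall filter add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
- /ip firewall filter add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
- /ip firewall filter add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
- /ip firewall filter add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
- /ip firewall filter add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
- /ip firewall filter add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
- # --- NAT ---
- /ip firewall nat add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface-list=WAN
- # --- service ports (connection-tracking helpers) ---
- # Helpers that rewrite or follow payload are disabled to reduce the router's exposed surface.
- /ip firewall service-port set ftp disabled=yes
- /ip firewall service-port set tftp disabled=yes
- /ip firewall service-port set irc disabled=yes
- /ip firewall service-port set h323 disabled=yes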