
firewall mikrotik

a guest
Dec 26th, 2018
  1. Flags: X - disabled, I - invalid, D - dynamic
  2. 0 X chain=forward action=fasttrack-connection
  3. connection-state=established,related log=no log-prefix=""
  4.  
  5. 1 X chain=forward action=accept connection-state=established,related log=no
  6. log-prefix=""
  7.  
  8.  
  9. 6 ;;; drop HTTP from the net
  10. chain=input action=drop protocol=tcp in-interface=vlan4-WiFiMikrotik
  11. dst-port=80 log=no log-prefix=""
  12.  
  13. 7 chain=forward action=drop connection-state=invalid log=no log-prefix=""
  14.  
  15. 8 ;;; NET firewall rule
  16. chain=input action=jump jump-target=INPUT-Internet in-interface=optika
  17. log=no log-prefix=""
  18.  
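  19. 9 X ;;; NET firewall rule [review: flagged X (disabled); no other jump to OUTPUT-Internet appears in this listing, so rules 10-64 look unreachable as printed - rules 2-5 are not shown]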
  20. chain=forward action=jump jump-target=OUTPUT-Internet
  21. out-interface=optika log=no log-prefix=""
  22.  
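  23. 10 ;;; port scanners to list [review: the list is only populated; no rule in this listing matches src-address-list="port scanners" to drop or log the listed hosts, and the same holds for the spammer list in rule 17]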
  24. chain=OUTPUT-Internet action=add-src-to-address-list protocol=tcp
  25. psd=21,3s,3,1 address-list=port scanners address-list-timeout=2w log=no
  26. log-prefix=""
  27.  
  28. 11 ;;; NMAP FIN Stealth scan
  29. chain=OUTPUT-Internet action=add-src-to-address-list
  30. tcp-flags=fin,!syn,!rst,!psh,!ack,!urg protocol=tcp
  31. address-list=port scanners address-list-timeout=2w log=no log-prefix=""
  32.  
  33. 12 ;;; SYN/FIN scan
  34. chain=OUTPUT-Internet action=add-src-to-address-list tcp-flags=fin,syn
  35. protocol=tcp address-list=port scanners address-list-timeout=2w log=no
  36. log-prefix=""
  37.  
  38. 13 ;;; SYN/RST scan
  39. chain=OUTPUT-Internet action=add-src-to-address-list tcp-flags=syn,rst
  40. protocol=tcp address-list=port scanners address-list-timeout=2w log=no
  41. log-prefix=""
  42.  
  43. 14 ;;; FIN/PSH/URG scan
  44. chain=OUTPUT-Internet action=add-src-to-address-list
  45. tcp-flags=fin,psh,urg,!syn,!rst,!ack protocol=tcp
  46. address-list=port scanners address-list-timeout=2w log=no log-prefix=""
  47.  
  48. 15 ;;; NMAP NULL scan
  49. chain=OUTPUT-Internet action=add-src-to-address-list
  50. tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg protocol=tcp
  51. address-list=port scanners address-list-timeout=2w log=no log-prefix=""
  52.  
  53. 16 ;;; ALL/ALL scan
  54. chain=OUTPUT-Internet action=add-src-to-address-list
  55. tcp-flags=fin,syn,rst,psh,ack,urg protocol=tcp
  56. address-list=port scanners address-list-timeout=2w log=no log-prefix=""
  57.  
  58. 17 ;;; Detecting a spammer
  59. chain=OUTPUT-Internet action=add-src-to-address-list
  60. connection-limit=30,32 protocol=tcp address-list=spammer
  61. address-list-timeout=3d dst-port=25 limit=50,5:packet log=no
  62. log-prefix=""
  63.  
  64. 18 chain=OUTPUT-Internet action=drop protocol=tcp dst-port=9 log=no
  65. log-prefix=""
  66.  
  67. 19 chain=OUTPUT-Internet action=drop protocol=tcp dst-port=13 log=no
  68. log-prefix=""
  69.  
  70. 20 ;;; Blaster Worm
  71. chain=OUTPUT-Internet action=drop protocol=tcp dst-port=135-139 log=no
  72. log-prefix=""
  73.  
  74. 21 ;;; Messenger Worm
  75. chain=OUTPUT-Internet action=drop protocol=udp dst-port=135-139 log=no
  76. log-prefix=""
  77.  
  78. 22 ;;; Worms and other vermin ;-)
  79. chain=OUTPUT-Internet action=drop protocol=tcp dst-port=444-445 log=no
  80. log-prefix=""
  81.  
  82. 23 chain=OUTPUT-Internet action=drop protocol=udp dst-port=444-445 log=no
  83. log-prefix=""
  84.  
  85. 24 ;;; msblast worm
  86. chain=OUTPUT-Internet action=drop protocol=tcp dst-port=593 log=no
  87. log-prefix=""
  88.  
  89. 25 chain=OUTPUT-Internet action=drop protocol=tcp dst-port=953 log=no
  90. log-prefix=""
  91.  
  92. 26 ;;; SoBig.f worm
  93. chain=OUTPUT-Internet action=drop protocol=tcp dst-port=995-999 log=no
  94. log-prefix=""
  95.  
  96. 27 chain=OUTPUT-Internet action=drop protocol=udp dst-port=995-999 log=no
  97. log-prefix=""
  98.  
  99. 28 ;;; MyDoom
  100. chain=OUTPUT-Internet action=drop protocol=tcp dst-port=1080 log=no
  101. log-prefix=""
  102.  
  103. 29 chain=OUTPUT-Internet action=drop protocol=tcp dst-port=1024-1030 log=no
  104. log-prefix=""
  105.  
  106. 30 chain=OUTPUT-Internet action=drop protocol=tcp dst-port=1214 log=no
  107. log-prefix=""
  108.  
  109. 31 ;;; ndm requester
  110. chain=OUTPUT-Internet action=drop protocol=tcp dst-port=1363 log=no
  111. log-prefix=""
  112.  
  113. 32 ;;; ndm server
  114. chain=OUTPUT-Internet action=drop protocol=tcp dst-port=1364 log=no
  115. log-prefix=""
  116.  
  117. 33 ;;; screen cast
  118. chain=OUTPUT-Internet action=drop protocol=tcp dst-port=1368 log=no
  119. log-prefix=""
  120.  
  121. 34 ;;; hromgrafx
  122. chain=OUTPUT-Internet action=drop protocol=tcp dst-port=1373 log=no
  123. log-prefix=""
  124.  
  125. 35 ;;; cichlid
  126. chain=OUTPUT-Internet action=drop protocol=tcp dst-port=1377 log=no
  127. log-prefix=""
  128.  
  129. 36 chain=OUTPUT-Internet action=drop protocol=udp dst-port=1434 log=no
  130. log-prefix=""
  131.  
  132. 37 ;;; Worm
  133. chain=OUTPUT-Internet action=drop protocol=tcp dst-port=1433-1434
  134. log=no log-prefix=""
  135.  
  136. 38 ;;; Drop Beagle
  137. chain=OUTPUT-Internet action=drop protocol=tcp dst-port=2235 log=no
  138. log-prefix=""
  139.  
  140. 39 ;;; Drop Dumaru.Y
  141. chain=OUTPUT-Internet action=drop protocol=tcp dst-port=2283 log=no
  142. log-prefix=""
  143.  
  144. 40 chain=OUTPUT-Internet action=drop protocol=udp dst-port=2745 log=no
  145. log-prefix=""
  146.  
  147. 41 ;;; Drop Beagle.C-K
  148. chain=OUTPUT-Internet action=drop protocol=tcp dst-port=2745 log=no
  149. log-prefix=""
  150.  
  151. 42 ;;; Bagle Virus [review: same match as rule 41 (tcp dst-port=2745), so this rule never sees a packet]
  152. chain=OUTPUT-Internet action=drop protocol=tcp dst-port=2745 log=no
  153. log-prefix=""
  154.  
  155. 43 ;;; Drop MyDoom
  156. chain=OUTPUT-Internet action=drop protocol=tcp dst-port=3127-3128
  157. log=no log-prefix=""
  158.  
  159. 44 ;;; Drop Backdoor OptixPro
  160. chain=OUTPUT-Internet action=drop protocol=tcp dst-port=3410 log=no
  161. log-prefix=""
  162.  
  163. 45 ;;; WITTY worm
  164. chain=OUTPUT-Internet action=drop protocol=tcp dst-port=4000 log=no
  165. log-prefix=""
  166.  
  167. 46 ;;; Worm
  168. chain=OUTPUT-Internet action=drop protocol=tcp dst-port=4444 log=no
  169. log-prefix=""
  170.  
  171. 47 ;;; Worm
  172. chain=OUTPUT-Internet action=drop protocol=udp dst-port=4444 log=no
  173. log-prefix=""
  174.  
  175. 48 ;;; beagle worm
  176. chain=OUTPUT-Internet action=drop protocol=tcp dst-port=4751 log=no
  177. log-prefix=""
  178.  
  179. 49 ;;; Drop Sasser
  180. chain=OUTPUT-Internet action=drop protocol=tcp dst-port=5554 log=no
  181. log-prefix=""
  182.  
  183. 50 chain=OUTPUT-Internet action=drop protocol=tcp dst-port=6344-6381 log=no
  184. log-prefix=""
  185.  
  186. 51 chain=OUTPUT-Internet action=drop protocol=udp dst-port=6344-6381 log=no
  187. log-prefix=""
  188.  
  189. 52 ;;; Drop PhatBot, Agobot, Gaobot
  190. chain=OUTPUT-Internet action=drop protocol=tcp dst-port=65506 log=no
  191. log-prefix=""
  192.  
  193. 53 ;;; Drop Beagle.B
  194. chain=OUTPUT-Internet action=drop protocol=tcp dst-port=8866 log=no
  195. log-prefix=""
  196.  
  197. 54 ;;; SoBig.f worm
  198. chain=OUTPUT-Internet action=drop protocol=tcp dst-port=8998 log=no
  199. log-prefix=""
  200.  
  201. 55 chain=OUTPUT-Internet action=drop protocol=udp dst-port=8998 log=no
  202. log-prefix=""
  203.  
  204. 56 ;;; Drop Dabber.A-B
  205. chain=OUTPUT-Internet action=drop protocol=tcp dst-port=9898 log=no
  206. log-prefix=""
  207.  
  208. 57 ;;; Drop Dumaru.Y
  209. chain=OUTPUT-Internet action=drop protocol=tcp dst-port=10000 log=no
  210. log-prefix=""
  211.  
  212. 58 ;;; Drop MyDoom.B
  213. chain=OUTPUT-Internet action=drop protocol=tcp dst-port=10080 log=no
  214. log-prefix=""
  215.  
  216. 59 ;;; Drop NetBus
  217. chain=OUTPUT-Internet action=drop protocol=tcp dst-port=12345 log=no
  218. log-prefix=""
  219.  
  220. 60 ;;; Drop Kuang2
  221. chain=OUTPUT-Internet action=drop protocol=tcp dst-port=17300 log=no
  222. log-prefix=""
  223.  
  224. 61 ;;; Drop SubSeven
  225. chain=OUTPUT-Internet action=drop protocol=tcp dst-port=27374 log=no
  226. log-prefix=""
  227.  
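  228. 62 ;;; Deny QUIC protocol HTTP/UDP [review: src-address and dst-address are both printed as 0.0.0.0 with no mask, which RouterOS presumably treats as a single host, so this rule likely never matches; QUIC also normally runs on UDP 443 rather than 80 - confirm the intent]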
  229. chain=OUTPUT-Internet action=drop protocol=udp src-address=0.0.0.0
  230. dst-address=0.0.0.0 dst-port=80 log=no log-prefix=""
  231.  
  232. 63 X ;;; log new connections
  233. chain=OUTPUT-Internet action=log connection-state=new log=no
  234. log-prefix=""
  235.  
  236. 64 ;;; ACCEPT EVERYTHING ELSE
  237. chain=OUTPUT-Internet action=accept log=no log-prefix=""
  238.  
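  239. 65 ;;; SSH access: a ping that sends an ICMP packet of size 666 is put on the
  240. allow list for ssh [review: add-dst-to-address-list records the destination address, not the sender, and rule 66 accepts tcp/22222 without src-address-list=user_x, so as listed the knock does not gate SSH]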
  241. chain=INPUT-Internet action=add-dst-to-address-list protocol=icmp
  242. address-list=user_x address-list-timeout=none-dynamic packet-size=666
  243. log=no log-prefix=""
  244.  
  245. 66 ;;; ssh
  246. chain=INPUT-Internet action=accept protocol=tcp dst-port=22222 log=yes
  247. log-prefix=""
  248.  
  249. 67 ;;; ALLOW FRANZ from home [review: accepts every protocol and port from the whole /24]
  250. chain=INPUT-Internet action=accept src-address=91.241.53.0/24 log=no
  251. log-prefix=""
  252.  
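  253. 68 ;;; IP cloud update [review: rules 68-71 and 74 match on source port only, so any packet sent from that port is accepted to every port on the router; reply traffic is normally admitted with connection-state=established,related instead]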
  254. chain=INPUT-Internet action=accept protocol=udp src-port=15252 log=no
  255. log-prefix=""
  256.  
  257. 69 ;;; DNS
  258. chain=INPUT-Internet action=accept protocol=udp src-port=53 log=no
  259. log-prefix=""
  260.  
  261. 70 ;;; NTP synchronisation
  262. chain=INPUT-Internet action=accept protocol=udp src-port=123 log=no
  263. log-prefix=""
  264.  
  265. 71 ;;; only for UPDATE on this server
  266. chain=INPUT-Internet action=accept protocol=tcp src-port=80 log=no
  267. log-prefix=""
  268.  
  269. 72 ;;; rate-limited pings
  270. chain=INPUT-Internet action=accept protocol=icmp limit=50/5s,2:packet
  271. log=no log-prefix=""
  272.  
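  273. 73 ;;; PPTP control [review: PPTP is a legacy VPN protocol with known weaknesses in its usual MS-CHAPv2 authentication; prefer the L2TP/IPsec path opened in rule 75 if PPTP is not required]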
  274. chain=INPUT-Internet action=accept protocol=tcp dst-port=1723 log=no
  275. log-prefix=""
  276.  
  277. 74 ;;; PPTP control
  278. chain=INPUT-Internet action=accept protocol=tcp src-port=1723 log=no
  279. log-prefix=""
  280.  
  281. 75 ;;; L2TP
  282. chain=INPUT-Internet action=accept protocol=udp port=1701,500,4500
  283. log=no log-prefix=""
  284.  
  285. 76 ;;; PPTP tunnel
  286. chain=INPUT-Internet action=accept protocol=gre log=no log-prefix=""
  287.  
  288. 77 ;;; drop everything else
  289. chain=INPUT-Internet action=drop log=no log-prefix=""