FW ze školního routeru (10.1.2022)

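  /ip firewall address-list
  # Address lists consumed by /ip firewall filter (IPv4):
  #   SecureIP         - sources trusted with full access to the router itself (input chain) and to
  #                      every network behind it (forward chain). Anything here bypasses all other rules.
  #   MistniServery    - local servers; forward traffic to them is accepted from every internal segment.
  #   InfrastructureIP - network devices; forward traffic to them is dropped unless the source is in SecureIP.
  # Public addresses are masked (XX) in this paste. Both the old (192.168.2.0/24) and the new (10.20.x.x)
  # addressing are still listed while the renumbering is in progress.
  add address=192.168.2.0/24 comment="Nase LAN (stary rozsah) je bezpecna - nebo jako neni, ale zatim to tak musi byt, navic do oddeleni na L2 je to celkem zbytecne" list=SecureIP
  add address=10.20.0.0/24 comment="Sit vyhrazena pro sitove prvky" list=InfrastructureIP
  add address=10.20.1.0/24 comment="Nase LAN je bezpecna - nebo jako neni, ale zatim to tak musi byt, navic do oddeleni na L2 je to celkem zbytecne" list=SecureIP
  add address=10.20.2.0/24 comment="Nase VPN je bezpecna" list=SecureIP
  # The single-host SecureIP entries below are already covered by their /24 above; they only matter if the
  # subnet-wide entries are ever removed.
  add address=192.168.2.2 comment="(Stary rozsah) Nas Windows Server je bezpecny" list=SecureIP
  add address=192.168.2.2 comment="(Stary rozsah) Windows Server" list=MistniServery
  add address=192.168.2.3 comment="(Stary rozsah) Linux Server" list=MistniServery
  add address=192.168.2.4 comment="(Stary rozsah) Windows Server (druha sitova karta)" list=MistniServery
  add address=10.20.1.2 comment="Nas Windows Server je bezpecny" list=SecureIP
  add address=10.20.1.2 comment="Windows Server" list=MistniServery
  add address=10.20.1.3 comment="Linux Server" list=MistniServery
  add address=10.20.1.4 comment="Windows Server (druha sitova karta)" list=MistniServery
  # Administrator's home connection: a single public address, so it only works while that address is static.
  add address=185.61.XX.XX comment="Moje domaci pripojka" list=SecureIP
  # REVIEW: the two entries below were inherited from the previous configuration and their comment says
  # "original unknown record" - nobody knows who is behind them. Unidentified public addresses must not sit
  # in a list that grants full router and network access, so they are disabled here (fails closed: the
  # home connection and the LAN/VPN entries above keep working). Re-enable one only after its owner is
  # identified, otherwise delete it.
  add address=185.21.XXX.XX comment="Puvodni neznamy zaznam" disabled=yes list=SecureIP
  add address=185.21.XXX.XXX comment="Puvodni neznamy zaznam" disabled=yes list=SecureIP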
  /ip firewall filter
  # IPv4 packet filter. Rules are evaluated top-down per chain and the first match wins, so order matters.
  #   input   - traffic addressed to the router itself
  #   forward - traffic routed through the router
  # Public addresses, ticket references and names are masked (XX) in this paste. The "=====" rules are
  # disabled accept rules used purely as visual section separators.
  add action=accept chain=input comment="===== OCHRANA ROUTERU =====" disabled=yes
  add action=accept chain=input comment="Povol established, related, untracked spojeni" connection-state=established,related,untracked
  add action=drop chain=input comment="Zahod invalid spojeni" connection-state=invalid
  # Active drop of all UDP from the 78.156.XX.0/19 range after a UDP flood incident (marked resolved with the
  # provider on 31.12.). Because it sits below the established/related accept it only stops new flows from
  # that range. The three rules after it are earlier per-host / "just in case" variants of the same incident
  # and are disabled; they can be deleted once this range rule is judged sufficient.
  add action=drop chain=input comment="\\\\ XXXX UTOKY (Nasledujici pravidla zakazana, toto je kontrolni); Finalne doreseno 31.12. s XXXXXXX (XXX XXX XXX) + Cast resena s XXX //" protocol=udp src-address=78.156.XX.0/19
  add action=drop chain=input comment="!VYRESENO 7.12.2021 S XXXX PODPOROU! //Docasne na test// Zahod veskere UDP pakety z IP 78.156.XX.XXX (Zvlastni DoS UDP utoky)" disabled=yes protocol=udp src-address=78.156.XX.XXX
  add action=drop chain=input comment="//Docasne, NOVE UTOKY PO VYRESENI PREDCHOZICH// Zahod veskere UDP pakety z IP 78.156.XX.XXX (Zvlastni DoS UDP utoky)" disabled=yes protocol=udp src-address=78.156.XX.XXX
  add action=drop chain=input comment="Zahod veskere UDP pakety z XXXX rozsahu 78.156.XX.0/19 (pro jistotu)" disabled=yes protocol=udp src-address=78.156.XX.0/19
  # REVIEW: all ICMP is accepted from any source with no rate limit. Consider a `limit=` matcher or
  # restricting to the ICMP types actually needed (echo, destination-unreachable, time-exceeded).
  add action=accept chain=input comment="Povol veskere ICMP pakety" protocol=icmp
  # REVIEW: SecureIP contains the whole LAN and VPN subnets, so every host in them can reach every router
  # service (Winbox, SSH, WWW, API, ...). Make sure unused services are disabled and the remaining ones carry
  # an address restriction in /ip service; a dedicated, narrower management list would be preferable to
  # reusing the trust-everything list here.
  add action=accept chain=input comment="Povol vse z AL \"SecureIP\"" src-address-list=SecureIP
  # REVIEW: L2TP (UDP/1701) is accepted from any source. Together with the IKE/AH/ESP rules below this looks
  # like L2TP/IPsec; if the L2TP server requires IPsec, adding `ipsec-policy=in,ipsec` to this rule limits
  # plain L2TP to packets that arrived inside IPsec and keeps the L2TP/PPP authentication off the open
  # Internet. Confirm the VPN profile requires IPsec before changing it.
  add action=accept chain=input comment="Povol L2TP" dst-port=1701 protocol=udp
  # IKE/IKEv2 (500) and NAT-T (4500) must stay reachable from anywhere for roaming VPN clients.
  add action=accept chain=input comment="Povol IPSec IKE" dst-port=500,4500 protocol=udp
  # Disabled on purpose: the original config answered DNS on the WAN interface (ether1), i.e. an open
  # resolver. If the router serves DNS for the LAN, LAN clients still reach it through the SecureIP accept above.
  add action=accept chain=input comment="VPN: allow Reverse lookup \?\?Puvodni pravidlo, kvuli bezpecnosti radsi zakazano" disabled=yes dst-port=53 in-interface=ether1 protocol=tcp
  add action=accept chain=input comment="VPN: allow Reverse lookup \?\?Puvodni pravidlo, kvuli bezpecnosti radsi zakazano" disabled=yes dst-port=53 in-interface=ether1 protocol=udp
  add action=accept chain=input comment="Povol IPSec AH" protocol=ipsec-ah
  add action=accept chain=input comment="Povol IPSec ESP" protocol=ipsec-esp
  # CAPsMAN control/data (5246/5247) only from the local bridge, never from the WAN.
  add action=accept chain=input comment="Povol CAPsMAN pakety z I \"bridge1\"" dst-port=5246,5247 in-interface=bridge1 protocol=udp
  # Default deny for the router itself.
  add action=drop chain=input comment="Zahod vse ostatni"
  add action=accept chain=forward comment="===== OCHRANA KONCOVYCH STANIC =====" disabled=yes
  add action=accept chain=forward comment="Povol established, related, untracked spojeni" connection-state=established,related,untracked
  add action=drop chain=forward comment="Zahod invalid spojeni" connection-state=invalid
  # LAN -> WAN is unrestricted; no egress filtering is done on this router.
  add action=accept chain=forward comment="Povol vse z IL \"LAN\" do IL \"WAN\"" in-interface-list=LAN out-interface-list=WAN
  # REVIEW: every internal segment (including any pupil/guest network behind this router) gets full access to
  # the servers - there is no per-segment restriction and no port restriction. If that is not intended, put
  # segment-specific rules above this one. It matches before the InfrastructureIP drop, but the two lists do
  # not overlap, so the network devices are not exposed by it.
  add action=accept chain=forward comment="Povol vse na AL \"MistniServery\"" dst-address-list=MistniServery
  # SecureIP sources may go anywhere, including to the network devices (this accept precedes the drop below).
  add action=accept chain=forward comment="Povol vse z AL \"SecureIP\"" src-address-list=SecureIP
  # Only non-SecureIP sources are kept away from the infrastructure network.
  add action=drop chain=forward comment="Zahod vse na AL \"InfrastructureIP\"" dst-address-list=InfrastructureIP
  # Every dst-nat entry in /ip firewall nat is implicitly allowed by this rule, so that table must be reviewed
  # with the same care as this filter. (The export above shows no dst-nat rules at the moment.)
  add action=accept chain=forward comment="Povol presmerovane porty" connection-nat-state=dstnat
  # LAN clients get an explicit ICMP admin-prohibited so they fail fast; everything else is silently dropped.
  add action=reject chain=forward comment="Zakaz vse ostatni z IL \"LAN\" (icmp admin prohibited)" in-interface-list=LAN reject-with=icmp-admin-prohibited
  add action=drop chain=forward comment="Zahod vse ostatni"
  # ----- legacy rules from the previous configuration, all disabled -----
  # Kept for reference only. Two things worth noting before deleting the block:
  #  * the "Hackers" rule uses add-dst-to-address-list on the input chain, which records the router's own
  #    (destination) address rather than the attacker's source, so it could never have worked as intended;
  #  * the 0.0.0.0/8 and 127.0.0.0/8 drops have no active replacement in the IPv4 forward chain, unlike the
  #    Bad_IPv6 drops in /ipv6 firewall filter - either add an IPv4 anti-spoofing list or accept that gap.
  # The "Accept ssh" / "port 8080" rules were reachable from the WAN; they must stay disabled or be scoped.
  add action=accept chain=forward comment="===== PUVODNI PRAVIDLA =====" disabled=yes
  add action=add-dst-to-address-list address-list=Hackers address-list-timeout=none-dynamic chain=input connection-limit=32,32 disabled=yes in-interface=ether1 protocol=tcp
  add action=tarpit chain=input connection-limit=3,32 disabled=yes in-interface=ether1 protocol=tcp src-address-list=Hackers
  add action=accept chain=input comment="Accept ICMP" disabled=yes in-interface=ether1 protocol=icmp
  add action=accept chain=input comment="Accept pristup na port 8080" disabled=yes dst-port=8080 protocol=tcp
  add action=accept chain=input comment="Accept winbox z vzdalena sprava" disabled=yes dst-port=8291 protocol=tcp src-address-list="Vzdalena sprava"
  add action=accept chain=input comment="Accept ssh" disabled=yes dst-port=22 protocol=tcp
  add action=accept chain=input comment="Povoleni z vnitrni site" disabled=yes in-interface=!ether1 src-address=192.168.2.0/24
  add action=accept chain=input comment="Povoleni z Wifi student" disabled=yes in-interface=!ether1 src-address=192.168.3.0/24
  add action=drop chain=input comment="Drop invalid connection" connection-state=invalid disabled=yes
  add action=accept chain=input comment="Accept related connection" connection-state=related disabled=yes
  add action=accept chain=input comment="Accept estabilished connection" connection-state=established disabled=yes
  add action=drop chain=input comment="Ostatni zakazat" disabled=yes
  add action=drop chain=forward disabled=yes src-address=0.0.0.0/8
  add action=drop chain=forward disabled=yes dst-address=0.0.0.0/8
  add action=drop chain=forward disabled=yes src-address=127.0.0.0/8
  add action=drop chain=forward disabled=yes dst-address=127.0.0.0/8
  add action=accept chain=forward comment="Accept related conncetion" connection-state=related disabled=yes
  add action=accept chain=forward comment="Accept estabilished conncetion" connection-state=established disabled=yes
  /ip firewall nat
  # Source NAT: everything leaving through ether1 (the WAN uplink) is masqueraded behind the router's
  # public address. ipsec-policy=out,none excludes packets that an IPsec policy is about to encapsulate,
  # so VPN payloads keep their original source address instead of being NATed before encryption.
  add chain=srcnat out-interface=ether1 ipsec-policy=out,none action=masquerade comment="Proved NAT vseho do I \"ether1\""
  /ip route
  # Static route to the staff-room Turris network (10.20.50.0/24) via that router's address in the
  # infrastructure network (10.20.0.0/24).
  add dst-address=10.20.50.0/24 gateway=10.20.0.50 distance=1 comment="Sit 50 (Turris-1p-Sborovna)"
  /ipv6 address
  # Router address on the pupil ("Zak") bridge; the global prefix is masked in this paste.
  add interface=bridgeZak address=2a02:xxxx:xxx:3::1 comment=Zak
  /ipv6 dhcp-client
  # Obtain a delegated IPv6 prefix from the ISP on ether1, store it in pool IPv6_WAN and install the
  # default route learned from the upstream router.
  add interface=ether1 request=prefix pool-name=IPv6_WAN add-default-route=yes
  /ipv6 firewall address-list
  # Bad_IPv6: unspecified, loopback, deprecated, documentation and IPv4-derived prefixes that must never
  # appear as source or destination of forwarded traffic (dropped in /ipv6 firewall filter, forward chain).
  add list=Bad_IPv6 address=::/128 comment="Unspecified address"
  add list=Bad_IPv6 address=::1/128 comment="Loopback"
  add list=Bad_IPv6 address=fec0::/10 comment="Site-Local"
  add list=Bad_IPv6 address=::ffff:0.0.0.0/96 comment="IPv4-mapped"
  add list=Bad_IPv6 address=::/96 comment="IPv4 compat"
  add list=Bad_IPv6 address=100::/64 comment="Discard only "
  add list=Bad_IPv6 address=2001:db8::/32 comment="Documentation"
  add list=Bad_IPv6 address=2001:10::/28 comment="ORCHID"
  add list=Bad_IPv6 address=3ffe::/16 comment="6bone"
  add list=Bad_IPv6 address=::224.0.0.0/100 comment="Other"
  add list=Bad_IPv6 address=::127.0.0.0/104 comment="Other"
  add list=Bad_IPv6 address=::/104 comment="Other"
  add list=Bad_IPv6 address=::255.0.0.0/104 comment="Other"
  # SecureIP (IPv6): only the administrator's home prefix. Note this trusts the whole /48, i.e. every host
  # and every subnet behind that home connection, with full router and network access.
  add list=SecureIP address=2a02:xxxx:xxxx::/48 comment="Moje domaci pripojka"
  # InfrastructureIP (IPv6): the network-device /64; forward traffic to it is dropped for non-SecureIP sources.
  add list=InfrastructureIP address=2a02:xxxx:xxx::/64 comment="Sit vyhrazena pro sitove prvky"
  /ipv6 firewall filter
  # IPv6 packet filter, same layout as the IPv4 one (first match wins, per chain).
  add action=accept chain=input comment="===== OCHRANA ROUTERU =====" disabled=yes
  add action=accept chain=input comment="Povol established, related, untracked spojeni" connection-state=established,related,untracked
  add action=drop chain=input comment="Zahod invalid spojeni" connection-state=invalid
  # ICMPv6 is required for ND/RA and PMTUD; it is accepted here with no type or rate restriction.
  add action=accept chain=input comment="Povol veskere ICMPv6 pakety" protocol=icmpv6
  # NOTE: the IPv6 SecureIP list holds only the home /48, so - unlike IPv4 - LAN hosts have no general IPv6
  # access to the router's own services (DNS over IPv6 etc. needs an explicit rule if wanted).
  add action=accept chain=input comment="Povol vse z AL \"SecureIP\"" src-address-list=SecureIP
  # REVIEW: as on IPv4, L2TP is accepted from any source; `ipsec-policy=in,ipsec` would limit it to packets
  # that arrived inside IPsec, if the server requires IPsec.
  add action=accept chain=input comment="Povol L2TP" dst-port=1701 protocol=udp
  add action=accept chain=input comment="Povol CAPsMAN pakety z I \"bridge1\"" dst-port=5246,5247 in-interface=bridge1 protocol=udp
  # Lets UDP traceroute probes reach the router. `port=` matches source OR destination port; `dst-port=`
  # would be the tighter form.
  add action=accept chain=input comment="Povol UDP traceroute" port=33434-33534 protocol=udp
  # DHCPv6 exchanges from link-local sources. Port 546 is what the dhcp-client on ether1 needs; 547 is only
  # needed if the router also acts as a DHCPv6 server. The rule is not limited to ether1.
  add action=accept chain=input comment="Povol DHCPv6-Client prefix delegation" dst-port=546,547 protocol=udp src-address=fe80::/10
  add action=accept chain=input comment="Povol IPSec IKE" dst-port=500,4500 protocol=udp
  add action=accept chain=input comment="Povol IPSec AH" protocol=ipsec-ah
  add action=accept chain=input comment="Povol IPSec ESP" protocol=ipsec-esp
  # Default deny. Bad_IPv6 is not checked on the input chain, only on forward.
  add action=drop chain=input comment="Zahod vse ostatni"
  add action=accept chain=forward comment="===== OCHRANA KONCOVYCH STANIC =====" disabled=yes
  add action=accept chain=forward comment="Povol established, related, untracked spojeni" connection-state=established,related,untracked
  add action=drop chain=forward comment="Zahod invalid spojeni" connection-state=invalid
  # Anti-spoofing: bogon/reserved prefixes are dropped in both directions before any accept.
  add action=drop chain=forward comment="Zahod pakety se spatnou zdrojovou IP adresou" src-address-list=Bad_IPv6
  add action=drop chain=forward comment="Zahod pakety se spatnou cilovou IP adresou" dst-address-list=Bad_IPv6
  add action=accept chain=forward comment="Povol vse z IL \"LAN\" do IL \"WAN\"" in-interface-list=LAN out-interface-list=WAN
  # This export defines no IPv6 entries in MistniServery, so this rule currently matches nothing.
  add action=accept chain=forward comment="Povol vse na AL \"MistniServery\"" dst-address-list=MistniServery
  # REVIEW: all ICMPv6 is forwarded to internal hosts from any source, including the WAN. If tightening is
  # wanted, pass only the types end hosts need (echo, packet-too-big, time-exceeded, parameter-problem,
  # destination-unreachable) and drop the rest.
  add action=accept chain=forward comment="Povol veskere ICMPv6 pakety" protocol=icmpv6
  add action=accept chain=forward comment="Povol vse z AL \"SecureIP\"" src-address-list=SecureIP
  # HIP (protocol 139) and the IPsec pass-through rules below appear to be inherited from the RouterOS
  # default IPv6 rule set; the HIP accept can be removed if no host uses it.
  add action=accept chain=forward comment="Povol HIP" protocol=139
  add action=accept chain=forward comment="Povol IPSec IKE" dst-port=500,4500 protocol=udp
  add action=accept chain=forward comment="Povol IPSec AH" protocol=ipsec-ah
  add action=accept chain=forward comment="Povol IPSec ESP" protocol=ipsec-esp
  add action=accept chain=forward comment="Povol IPSec in policy" ipsec-policy=in,ipsec
  # Only non-SecureIP sources are kept away from the infrastructure /64 (SecureIP was accepted above).
  add action=drop chain=forward comment="Zahod vse na AL \"InfrastructureIP\"" dst-address-list=InfrastructureIP
  # LAN clients get an explicit admin-prohibited so they fail fast; everything else is silently dropped.
  add action=reject chain=forward comment="Zakaz vse ostatni z IL \"LAN\" (icmp admin prohibited)" in-interface-list=LAN reject-with=icmp-admin-prohibited
  add action=drop chain=forward comment="Zahod vse ostatni"
  /ipv6 nd
  # Router Advertisements from the default ND entry set the O (other-configuration) flag, so hosts fetch
  # DNS and other options via stateless DHCPv6 while still autoconfiguring their addresses via SLAAC.
  set [ find default=yes ] other-configuration=yes
  /ipv6 route
  # IPv6 counterpart of the IPv4 static route to the staff-room Turris network, via its address in the
  # infrastructure /64 (prefix masked in this paste).
  add dst-address=2a02:xxxx:xxx:50::/64 gateway=2a02:xxxx:xxx::50 distance=1 comment="Sit 50 (Turris-1p-Sborovna)"