- /ip firewall address-list
- # Address lists consumed by the /ip firewall filter rules further down.
- #   SecureIP          - sources the input chain accepts unconditionally and the forward chain
- #                       lets through everywhere (including into InfrastructureIP): full admin trust.
- #   InfrastructureIP  - management network of the network devices; forward traffic to it is
- #                       dropped unless the source was already accepted (e.g. it is in SecureIP).
- #   MistniServery     - local servers; the forward chain accepts any new connection to them.
- # The 192.168.2.x entries are the legacy range ("stary rozsah") kept in parallel with the new
- # 10.20.1.x addressing during migration. "XX"/"XXX" in public addresses are redactions by the
- # author of the paste, not literal config.
- add address=192.168.2.0/24 comment="Nase LAN (stary rozsah) je bezpecna - nebo jako neni, ale zatim to tak musi byt, navic do oddeleni na L2 je to celkem zbytecne" list=SecureIP
- add address=10.20.0.0/24 comment="Sit vyhrazena pro sitove prvky" list=InfrastructureIP
- add address=10.20.1.0/24 comment="Nase LAN je bezpecna - nebo jako neni, ale zatim to tak musi byt, navic do oddeleni na L2 je to celkem zbytecne" list=SecureIP
- add address=10.20.2.0/24 comment="Nase VPN je bezpecna" list=SecureIP
- add address=192.168.2.2 comment="(Stary rozsah) Nas Windows Server je bezpecny" list=SecureIP
- add address=192.168.2.2 comment="(Stary rozsah) Windows Server" list=MistniServery
- add address=192.168.2.3 comment="(Stary rozsah) Linux Server" list=MistniServery
- add address=192.168.2.4 comment="(Stary rozsah) Windows Server (druha sitova karta)" list=MistniServery
- add address=10.20.1.2 comment="Nas Windows Server je bezpecny" list=SecureIP
- add address=10.20.1.2 comment="Windows Server" list=MistniServery
- add address=10.20.1.3 comment="Linux Server" list=MistniServery
- add address=10.20.1.4 comment="Windows Server (druha sitova karta)" list=MistniServery
- # Admin's home uplink as a single host. NOTE(review): confirm this address is static;
- # a dynamically assigned one makes the entry silently stop matching.
- add address=185.61.XX.XX comment="Moje domaci pripojka" list=SecureIP
- # NOTE(review): two public addresses of unknown origin ("Puvodni neznamy zaznam" = original
- # unknown record) sit in the fully trusted list; confirm they are still required or remove them,
- # since SecureIP membership bypasses every other input/forward restriction.
- add address=185.21.XXX.XX comment="Puvodni neznamy zaznam" list=SecureIP
- add address=185.21.XXX.XXX comment="Puvodni neznamy zaznam" list=SecureIP
- /ip firewall filter
- # Rules are evaluated top to bottom within each chain and the first match decides, so the
- # order below is part of the policy. Rules with disabled=yes never match: the "=====" rules
- # are section headers only, and the block at the end is the retained pre-migration ruleset.
- # ----- input chain: traffic addressed to the router itself -----
- add action=accept chain=input comment="===== OCHRANA ROUTERU =====" disabled=yes
- # Fast path for packets belonging to connections the router already tracks; "untracked"
- # covers traffic that was excluded from connection tracking.
- add action=accept chain=input comment="Povol established, related, untracked spojeni" connection-state=established,related,untracked
- add action=drop chain=input comment="Zahod invalid spojeni" connection-state=invalid
- # Active block of all UDP from one provider /19 (the comment records the incident history).
- # It is placed before every accept rule, so it applies even to sources that would
- # otherwise be trusted by a later rule.
- add action=drop chain=input comment="\\\\ XXXX UTOKY (Nasledujici pravidla zakazana, toto je kontrolni); Finalne doreseno 31.12. s XXXXXXX (XXX XXX XXX) + Cast resena s XXX //" protocol=udp src-address=78.156.XX.0/19
- # Earlier single-host and range variants of the same block, kept disabled as history.
- add action=drop chain=input comment="!VYRESENO 7.12.2021 S XXXX PODPOROU! //Docasne na test// Zahod veskere UDP pakety z IP 78.156.XX.XXX (Zvlastni DoS UDP utoky)" disabled=yes protocol=udp src-address=78.156.XX.XXX
- add action=drop chain=input comment="//Docasne, NOVE UTOKY PO VYRESENI PREDCHOZICH// Zahod veskere UDP pakety z IP 78.156.XX.XXX (Zvlastni DoS UDP utoky)" disabled=yes protocol=udp src-address=78.156.XX.XXX
- add action=drop chain=input comment="Zahod veskere UDP pakety z XXXX rozsahu 78.156.XX.0/19 (pro jistotu)" disabled=yes protocol=udp src-address=78.156.XX.0/19
- # All ICMP types are accepted from any interface, without a rate limit.
- add action=accept chain=input comment="Povol veskere ICMP pakety" protocol=icmp
- # Anything from SecureIP reaches every service the router runs, so SecureIP membership is
- # equivalent to administrative access. The LAN and VPN ranges are in that list, which is
- # also what lets LAN clients use the router for DNS etc.
- add action=accept chain=input comment="Povol vse z AL \"SecureIP\"" src-address-list=SecureIP
- # VPN services are exposed on every interface (no in-interface restriction).
- # NOTE(review): L2TP on UDP 1701 is accepted whether or not it arrived inside IPsec; the
- # ipsec-policy=in,ipsec matcher used in the IPv6 forward chain of this export would limit
- # it to decrypted traffic - confirm which behaviour is intended before changing it.
- add action=accept chain=input comment="Povol L2TP" dst-port=1701 protocol=udp
- add action=accept chain=input comment="Povol IPSec IKE" dst-port=500,4500 protocol=udp
- # DNS on the WAN interface is kept disabled (per the rule comment, for security) so the
- # router does not answer recursive queries from the internet.
- add action=accept chain=input comment="VPN: allow Reverse lookup \?\?Puvodni pravidlo, kvuli bezpecnosti radsi zakazano" disabled=yes dst-port=53 in-interface=ether1 protocol=tcp
- add action=accept chain=input comment="VPN: allow Reverse lookup \?\?Puvodni pravidlo, kvuli bezpecnosti radsi zakazano" disabled=yes dst-port=53 in-interface=ether1 protocol=udp
- # IPsec transport protocols themselves (IKE negotiation is accepted above).
- add action=accept chain=input comment="Povol IPSec AH" protocol=ipsec-ah
- add action=accept chain=input comment="Povol IPSec ESP" protocol=ipsec-esp
- # CAPsMAN control/data ports only from the local bridge, never from WAN.
- add action=accept chain=input comment="Povol CAPsMAN pakety z I \"bridge1\"" dst-port=5246,5247 in-interface=bridge1 protocol=udp
- # Default deny: every service not listed above (including management ports) is unreachable
- # from untrusted sources.
- add action=drop chain=input comment="Zahod vse ostatni"
- # ----- forward chain: traffic routed through the router -----
- add action=accept chain=forward comment="===== OCHRANA KONCOVYCH STANIC =====" disabled=yes
- add action=accept chain=forward comment="Povol established, related, untracked spojeni" connection-state=established,related,untracked
- add action=drop chain=forward comment="Zahod invalid spojeni" connection-state=invalid
- # Outbound from the LAN interface list to the WAN interface list: any destination, any port.
- add action=accept chain=forward comment="Povol vse z IL \"LAN\" do IL \"WAN\"" in-interface-list=LAN out-interface-list=WAN
- # Any source on any interface may open connections to MistniServery members; this is not
- # limited to LAN. NOTE(review): add in-interface-list=LAN if only local clients should be
- # able to initiate connections to the servers.
- add action=accept chain=forward comment="Povol vse na AL \"MistniServery\"" dst-address-list=MistniServery
- # SecureIP sources may reach everything, including InfrastructureIP, because this accept
- # precedes the drop below.
- add action=accept chain=forward comment="Povol vse z AL \"SecureIP\"" src-address-list=SecureIP
- # Management network is unreachable for everyone not already accepted above.
- add action=drop chain=forward comment="Zahod vse na AL \"InfrastructureIP\"" dst-address-list=InfrastructureIP
- # Port forwards: only connections already rewritten by a dst-nat rule. This export contains
- # no dst-nat rule (only the masquerade rule), so currently this matches nothing.
- add action=accept chain=forward comment="Povol presmerovane porty" connection-nat-state=dstnat
- # LAN clients get an explicit ICMP admin-prohibited so they fail fast; everything else
- # (including inbound from WAN) is silently dropped.
- add action=reject chain=forward comment="Zakaz vse ostatni z IL \"LAN\" (icmp admin prohibited)" in-interface-list=LAN reject-with=icmp-admin-prohibited
- add action=drop chain=forward comment="Zahod vse ostatni"
- # ----- legacy rules: all disabled, kept for reference only -----
- # Connection-limit driven "Hackers" list with tarpit, per-port accepts for 8080/8291/22,
- # per-subnet accepts, and the split related/established accepts that the rules above
- # replaced. Inert while disabled. NOTE(review): consider deleting them once the migration is
- # confirmed so the active policy is easier to audit. "estabilished"/"conncetion" are typos
- # inside the original comment strings and are left untouched.
- add action=accept chain=forward comment="===== PUVODNI PRAVIDLA =====" disabled=yes
- add action=add-dst-to-address-list address-list=Hackers address-list-timeout=none-dynamic chain=input connection-limit=32,32 disabled=yes in-interface=ether1 protocol=tcp
- add action=tarpit chain=input connection-limit=3,32 disabled=yes in-interface=ether1 protocol=tcp src-address-list=Hackers
- add action=accept chain=input comment="Accept ICMP" disabled=yes in-interface=ether1 protocol=icmp
- add action=accept chain=input comment="Accept pristup na port 8080" disabled=yes dst-port=8080 protocol=tcp
- add action=accept chain=input comment="Accept winbox z vzdalena sprava" disabled=yes dst-port=8291 protocol=tcp src-address-list="Vzdalena sprava"
- add action=accept chain=input comment="Accept ssh" disabled=yes dst-port=22 protocol=tcp
- add action=accept chain=input comment="Povoleni z vnitrni site" disabled=yes in-interface=!ether1 src-address=192.168.2.0/24
- add action=accept chain=input comment="Povoleni z Wifi student" disabled=yes in-interface=!ether1 src-address=192.168.3.0/24
- add action=drop chain=input comment="Drop invalid connection" connection-state=invalid disabled=yes
- add action=accept chain=input comment="Accept related connection" connection-state=related disabled=yes
- add action=accept chain=input comment="Accept estabilished connection" connection-state=established disabled=yes
- add action=drop chain=input comment="Ostatni zakazat" disabled=yes
- add action=drop chain=forward disabled=yes src-address=0.0.0.0/8
- add action=drop chain=forward disabled=yes dst-address=0.0.0.0/8
- add action=drop chain=forward disabled=yes src-address=127.0.0.0/8
- add action=drop chain=forward disabled=yes dst-address=127.0.0.0/8
- add action=accept chain=forward comment="Accept related conncetion" connection-state=related disabled=yes
- add action=accept chain=forward comment="Accept estabilished conncetion" connection-state=established disabled=yes
- /ip firewall nat
- # Single source NAT rule: everything leaving through ether1 (WAN) is masqueraded.
- # ipsec-policy=out,none restricts it to packets that will NOT be IPsec-encapsulated, so
- # traffic entering a VPN tunnel keeps its original source address. No dst-nat (port
- # forward) rules exist in this export.
- add action=masquerade chain=srcnat comment="Proved NAT vseho do I \"ether1\"" ipsec-policy=out,none out-interface=ether1
- /ip route
- # Static route to the remote site 50 LAN via its router at 10.20.0.50, an address inside the
- # InfrastructureIP range (10.20.0.0/24). The IPv6 counterpart is at the end of the export.
- add comment="Sit 50 (Turris-1p-Sborovna)" distance=1 dst-address=10.20.50.0/24 gateway=10.20.0.50
- /ipv6 address
- # Static global address on the student bridge ("Zak"); the prefix is redacted (xxxx) by the
- # paste author.
- add address=2a02:xxxx:xxx:3::1 comment=Zak interface=bridgeZak
- /ipv6 dhcp-client
- # WAN-side DHCPv6 client: requests a delegated prefix into pool IPv6_WAN and installs the
- # default route it learns. The matching input-chain rule for DHCPv6 is in /ipv6 firewall filter.
- add add-default-route=yes interface=ether1 pool-name=IPv6_WAN request=prefix
- /ipv6 firewall address-list
- # Bad_IPv6: reserved / deprecated / documentation prefixes that should never appear as a
- # source or destination on the wire. It is applied by the forward chain only (not to input)
- # in the filter section below. The trailing space in "Discard only " is part of the stored
- # comment string and is left as-is.
- add address=::/128 comment="Unspecified address" list=Bad_IPv6
- add address=::1/128 comment=Loopback list=Bad_IPv6
- add address=fec0::/10 comment=Site-Local list=Bad_IPv6
- add address=::ffff:0.0.0.0/96 comment=IPv4-mapped list=Bad_IPv6
- add address=::/96 comment="IPv4 compat" list=Bad_IPv6
- add address=100::/64 comment="Discard only " list=Bad_IPv6
- add address=2001:db8::/32 comment=Documentation list=Bad_IPv6
- add address=2001:10::/28 comment=ORCHID list=Bad_IPv6
- add address=3ffe::/16 comment=6bone list=Bad_IPv6
- add address=::224.0.0.0/100 comment=Other list=Bad_IPv6
- add address=::127.0.0.0/104 comment=Other list=Bad_IPv6
- add address=::/104 comment=Other list=Bad_IPv6
- add address=::255.0.0.0/104 comment=Other list=Bad_IPv6
- # IPv6 SecureIP trusts the admin's whole home /48 rather than a single host, so every device
- # behind that prefix gets full router/forward access. NOTE(review): confirm the /48 is intended.
- add address=2a02:xxxx:xxxx::/48 comment="Moje domaci pripojka" list=SecureIP
- # IPv6 management prefix, mirrored from the IPv4 InfrastructureIP list. No IPv6 entries exist
- # for MistniServery in this export.
- add address=2a02:xxxx:xxx::/64 comment="Sit vyhrazena pro sitove prvky" list=InfrastructureIP
- /ipv6 firewall filter
- # Same structure as the IPv4 filter (first match wins, "=====" rules are disabled headers).
- # Differences: there is no NAT, so no dstnat rule; Bad_IPv6 bogon drops apply in forward;
- # ICMPv6, DHCPv6 and UDP traceroute have their own accepts.
- # ----- input chain -----
- add action=accept chain=input comment="===== OCHRANA ROUTERU =====" disabled=yes
- add action=accept chain=input comment="Povol established, related, untracked spojeni" connection-state=established,related,untracked
- add action=drop chain=input comment="Zahod invalid spojeni" connection-state=invalid
- # All ICMPv6 accepted without rate limit; needed for neighbour discovery, RA and PMTU.
- add action=accept chain=input comment="Povol veskere ICMPv6 pakety" protocol=icmpv6
- # Full router access for the IPv6 SecureIP list (the home /48).
- add action=accept chain=input comment="Povol vse z AL \"SecureIP\"" src-address-list=SecureIP
- # L2TP exposed on every interface; same NOTE as in the IPv4 input chain regarding accepting it
- # only inside IPsec (ipsec-policy=in,ipsec is used in the forward chain below).
- add action=accept chain=input comment="Povol L2TP" dst-port=1701 protocol=udp
- add action=accept chain=input comment="Povol CAPsMAN pakety z I \"bridge1\"" dst-port=5246,5247 in-interface=bridge1 protocol=udp
- # "port=" matches source or destination port, so this admits both traceroute probes and
- # their replies in the UDP 33434-33534 range.
- add action=accept chain=input comment="Povol UDP traceroute" port=33434-33534 protocol=udp
- # DHCPv6 for the WAN client (prefix delegation), restricted to link-local sources.
- add action=accept chain=input comment="Povol DHCPv6-Client prefix delegation" dst-port=546,547 protocol=udp src-address=fe80::/10
- add action=accept chain=input comment="Povol IPSec IKE" dst-port=500,4500 protocol=udp
- add action=accept chain=input comment="Povol IPSec AH" protocol=ipsec-ah
- add action=accept chain=input comment="Povol IPSec ESP" protocol=ipsec-esp
- # Default deny for the router itself.
- add action=drop chain=input comment="Zahod vse ostatni"
- # ----- forward chain -----
- add action=accept chain=forward comment="===== OCHRANA KONCOVYCH STANIC =====" disabled=yes
- add action=accept chain=forward comment="Povol established, related, untracked spojeni" connection-state=established,related,untracked
- add action=drop chain=forward comment="Zahod invalid spojeni" connection-state=invalid
- # Bogon filtering in both directions, before any accept.
- add action=drop chain=forward comment="Zahod pakety se spatnou zdrojovou IP adresou" src-address-list=Bad_IPv6
- add action=drop chain=forward comment="Zahod pakety se spatnou cilovou IP adresou" dst-address-list=Bad_IPv6
- add action=accept chain=forward comment="Povol vse z IL \"LAN\" do IL \"WAN\"" in-interface-list=LAN out-interface-list=WAN
- # The IPv6 MistniServery list has no entries in this export, so this rule currently matches
- # nothing; it becomes effective as soon as IPv6 server addresses are added to that list.
- add action=accept chain=forward comment="Povol vse na AL \"MistniServery\"" dst-address-list=MistniServery
- # ICMPv6 is forwarded from any source to any host, so internal hosts are pingable from the
- # internet (no IPv6 NAT hides them). Intentional for IPv6 reachability; noted for awareness.
- add action=accept chain=forward comment="Povol veskere ICMPv6 pakety" protocol=icmpv6
- add action=accept chain=forward comment="Povol vse z AL \"SecureIP\"" src-address-list=SecureIP
- # HIP (protocol 139), IKE, AH, ESP and already-decrypted IPsec traffic are forwarded to any
- # internal host; this set appears to follow MikroTik's reference IPv6 firewall - confirm the
- # site actually uses them, otherwise they are unnecessary inbound exposure.
- add action=accept chain=forward comment="Povol HIP" protocol=139
- add action=accept chain=forward comment="Povol IPSec IKE" dst-port=500,4500 protocol=udp
- add action=accept chain=forward comment="Povol IPSec AH" protocol=ipsec-ah
- add action=accept chain=forward comment="Povol IPSec ESP" protocol=ipsec-esp
- add action=accept chain=forward comment="Povol IPSec in policy" ipsec-policy=in,ipsec
- # Management prefix unreachable for anything not accepted above.
- add action=drop chain=forward comment="Zahod vse na AL \"InfrastructureIP\"" dst-address-list=InfrastructureIP
- # LAN gets an explicit reject; all remaining traffic (including new inbound from WAN to
- # LAN hosts) is dropped.
- add action=reject chain=forward comment="Zakaz vse ostatni z IL \"LAN\" (icmp admin prohibited)" in-interface-list=LAN reject-with=icmp-admin-prohibited
- add action=drop chain=forward comment="Zahod vse ostatni"
- /ipv6 nd
- # Sets the "other configuration" (O) flag in router advertisements of the default ND entry,
- # telling hosts to fetch non-address settings (e.g. DNS) via DHCPv6.
- set [ find default=yes ] other-configuration=yes
- /ipv6 route
- # IPv6 counterpart of the IPv4 static route to site 50, via that site's router inside the
- # InfrastructureIP /64.
- add comment="Sit 50 (Turris-1p-Sborovna)" distance=1 dst-address=2a02:xxxx:xxx:50::/64 gateway=2a02:xxxx:xxx::50