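# MikroTik RouterOS `/ip firewall filter` rules (export format, `#` = comment).
# Rules are evaluated top-down per chain; the first matching rule decides and
# a packet that reaches the end of a chain with no match is accepted.
# Chains used here: input (to the router itself), forward (through the router),
# and the user-defined port-scan chain reached via jump from input.
# The leading "- " list markers from the paste rendering are not RouterOS
# syntax and have been removed so the block can be imported as-is.
/ip firewall filter
# Disabled: ICMP to the router is therefore handled by the later input rules
# (i.e. dropped for any source not in "whitelisted").
add action=accept chain=input disabled=yes protocol=icmp
# port-scan chain, rule 1: a source already on the bad-hombres list is dropped
# on its next packet. Being first in the chain, this runs before the
# detection rules below add new entries.
add action=drop chain=port-scan comment="DROPING BAD HOMBRES (Scanners)" src-address-list=bad-hombres
# Jump placed BEFORE the accept-established rule, so every input packet
# (new and established) traverses the port-scan chain. Detection therefore
# also sees traffic from already-accepted hosts; review if psd false
# positives lock out legitimate clients.
add action=jump chain=input jump-target=port-scan
# Detection rules: each adds the source to bad-hombres permanently
# (address-list-timeout=none-static -> entry is saved in the configuration
# and survives reboot; entries must be removed by hand).
# psd=WeightThreshold,DelayThreshold,LowPortWeight,HighPortWeight
add action=add-src-to-address-list address-list=bad-hombres address-list-timeout=none-static chain=port-scan comment="Port scanners to list " protocol=tcp psd=21,5s,3,1
# Remaining detection rules match malformed TCP flag combinations that
# normal connections never produce (FIN without ACK, SYN+FIN, SYN+RST,
# no flags at all, all flags set). "\" continues the rule on the next line.
add action=add-src-to-address-list address-list=bad-hombres address-list-timeout=none-static chain=port-scan comment="NMAP FIN Stealth scan" protocol=tcp tcp-flags=\
    fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list=bad-hombres address-list-timeout=none-static chain=port-scan comment="SYN/FIN scan" protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list=bad-hombres address-list-timeout=none-static chain=port-scan comment="SYN/RST scan" protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list=bad-hombres address-list-timeout=none-static chain=port-scan comment="FIN/PSH/URG scan" protocol=tcp tcp-flags=\
    fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list=bad-hombres address-list-timeout=none-static chain=port-scan comment="NMAP NULL scan" protocol=tcp tcp-flags=\
    !fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list=bad-hombres address-list-timeout=none-static chain=port-scan comment="ALL/ALL scan" protocol=tcp tcp-flags=\
    fin,syn,rst,psh,ack,urg
# input: fast-path for existing connections, then drop invalid.
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="DROP INVALID" connection-state=invalid
# input: everything new that is not from a source in "whitelisted" is dropped.
# NOTE(review): the list contents are not part of this export. If the list
# is empty or missing, all new management access to the router is dropped
# from every source; populate it before applying.
add action=drop chain=input comment="DROP ALL NOT COMING FROM LAN" src-address-list=!whitelisted
# forward: default-config fast path and invalid drop.
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
# forward: new connections arriving on a WAN-list interface are only allowed
# when a dst-nat rule has already translated them (port forwards).
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
# forward: bogon filtering in both directions against the Especial-Purpose-IP
# list (presumably the special-purpose / non-routable ranges; list contents
# are not shown here). Logged with distinct prefixes ("!public_from_LAN",
# "!public") so the two directions can be told apart in the log.
add action=drop chain=forward comment="Drop tries to reach not public addresses from LAN" dst-address-list=Especial-Purpose-IP in-interface=Bridge-LAN log=yes \
    log-prefix=!public_from_LAN out-interface=ether1
add action=drop chain=forward comment="Drop incoming from internet which is not public IP" in-interface=ether1 log=yes log-prefix=!public src-address-list=\
    Especial-Purpose-IP
# input: only traffic that passed the whitelisted check above reaches this
# rule, so its effect is "whitelisted sources must also arrive on
# Bridge-LAN"; anything else is dropped. Whitelisted traffic on Bridge-LAN
# falls off the end of the chain and is accepted by the default policy.
add action=drop chain=input in-interface=!Bridge-LAN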