Sun Nov 10, 2013 11:03 pm
Here is my filter:
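/ip firewall filter
# Review notes are the "#" lines; they are valid in an .rsc import.
# Rules are evaluated top-down within each chain, a rule without action= accepts,
# and a packet that matches no rule is accepted, so each chain needs its own
# final drop/return to mean anything.
add action=drop chain=input comment="Drop ping" in-interface=\
"wan1" protocol=icmp
add action=drop chain=input comment="Drop vpn" in-interface=\
"wan1" port=1723 protocol=tcp
# NOTE(review): this jump has no in-interface, so a LAN /24 holding more than 75 UDP
# conntrack entries to the router (e.g. if the router is its DNS resolver) lands in
# ip_blacklist for 1d; limiting the jump to in-interface=wan1 would avoid that - confirm.
add action=jump chain=input comment=----------ip_blacklist---------- \
connection-limit=75,24 jump-target=ip_blacklist protocol=udp
add action=add-src-to-address-list address-list=ip_blacklist \
address-list-timeout=1d chain=ip_blacklist protocol=udp
add action=log chain=ip_blacklist disabled=yes log-prefix=ip_blacklist \
protocol=udp src-address-list=ip_blacklist
add action=drop chain=ip_blacklist src-address-list=ip_blacklist
add action=passthrough chain=ip_blacklist
# ---------- drop ssh brute forcers ----------
# Escalation: every new SSH connection puts the source in ssh_stage1 for 1m; a second
# one inside that minute promotes it to ssh_stage2, a third to ssh_stage3, a fourth to
# ssh_blacklist, which is dropped (5d, the longest timeout the original used).
# The original rules matched and added the SAME list (src-address-list=ssh_stage1 ->
# address-list=ssh_stage1), so no source ever entered stage1 and ssh_blacklist was never
# populated; the content="530 Login incorrect" rule on port 22 was an FTP banner match
# on an encrypted service and is removed. Order matters: drop first, then promotions
# from highest stage to lowest, then the catch-all that seeds stage1.
add action=jump chain=input comment="----------drop ssh brute forcers----------" dst-port=22 jump-target=ssh_brute_forcers protocol=tcp
add action=log chain=ssh_brute_forcers dst-port=22 log-prefix=ssh_brute_forcers protocol=tcp src-address-list=ssh_blacklist
add action=drop chain=ssh_brute_forcers dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=5d chain=ssh_brute_forcers connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m chain=ssh_brute_forcers connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=ssh_brute_forcers connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=ssh_brute_forcers connection-state=new dst-port=22 protocol=tcp
add action=passthrough chain=ssh_brute_forcers
# ---------- drop ftp brute forcers ----------
# "530 Login incorrect" is the FTP SERVER's reply, so it travels router -> client
# (chain=output, src-port=21). The original matched it on inbound dst-port=21 packets,
# where a client never sends it, so no address was ever listed and nothing was dropped.
# Blacklist timeout is 5d, the longest of the original stage timeouts; the three
# stage lists were all added by the same match and so collapsed to one list.
# NOTE(review): the jump only fires if a mangle rule sets connection-mark=ftp_in; no
# mangle rules are shown here - confirm, or remove the connection-mark match.
add action=jump chain=input comment=\
"----------drop ftp_bruteforcers----------" connection-mark=ftp_in \
dst-port=21 jump-target=ftp_bruteforcers protocol=tcp
add action=log chain=ftp_bruteforcers dst-port=21 log-prefix=\
"ftp brute forcers" protocol=tcp src-address-list=ftp_blacklist
add action=drop chain=ftp_bruteforcers dst-port=21 protocol=tcp src-address-list=ftp_blacklist
add action=passthrough chain=ftp_bruteforcers
# Roughly the first ten failed logins per client per minute are tolerated (accepted);
# further ones fall through to the listing rule.
add chain=output comment="ftp: tolerate a few failed logins" content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m protocol=tcp src-port=21
add action=add-dst-to-address-list address-list=ftp_blacklist address-list-timeout=5d chain=output comment="ftp: list repeat offenders" content="530 Login incorrect" protocol=tcp src-port=21
add action=jump chain=input comment=----------drop_port_scanners---------- \
jump-target=drop_scanners protocol=tcp
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=drop_scanners protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=drop_scanners protocol=tcp tcp-flags=\
fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=drop_scanners protocol=tcp tcp-flags=\
syn,rst
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=drop_scanners protocol=tcp tcp-flags=\
fin,syn
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=drop_scanners protocol=tcp tcp-flags=\
fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=drop_scanners protocol=tcp tcp-flags=\
fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=drop_scanners protocol=tcp tcp-flags=\
!fin,!syn,!rst,!psh,!ack,!urg
add action=log chain=drop_scanners log-prefix=port_scanners protocol=tcp \
src-address-list="port scanners"
add action=drop chain=drop_scanners protocol=tcp src-address-list=\
"port scanners"
add action=passthrough chain=drop_scanners
# NOTE(review): the drop inside "SYN-Flood Protect" is only reached via this jump, i.e.
# while the source still exceeds connection-limit=50,32; once it drops below that,
# listed sources are no longer dropped although they stay in SYN-Protect for 1d.
add action=jump chain=input comment="----------SYN-Flood Protect----------" \
connection-limit=50,32 connection-state=new jump-target=\
"SYN-Flood Protect" protocol=tcp
# NOTE(review): chain "accept tcp flags" is never jumped to, so this rule is dead. It
# looks like the 400 SYN/s rate-limit accept meant to sit at the top of
# "SYN-Flood Protect" (or in input before the jump) - confirm intent before moving it.
add chain="accept tcp flags" connection-state=new limit=400,5 protocol=tcp \
tcp-flags=syn
add action=add-src-to-address-list address-list=SYN-Protect \
address-list-timeout=1d chain="SYN-Flood Protect" connection-limit=42,32 \
protocol=tcp tcp-flags=syn
add action=log chain="SYN-Flood Protect" log-prefix="SYN-Flood Protect" \
protocol=tcp src-address-list=SYN-Protect
add action=drop chain="SYN-Flood Protect" connection-state=new protocol=tcp \
src-address-list=SYN-Protect tcp-flags=syn
add action=passthrough chain="SYN-Flood Protect"
add action=jump chain=input comment=\
"----------DNS amplification attack Protection In----------" jump-target=\
dnsamp
add action=drop chain=dnsamp dst-port=53 in-interface=\
"wan1" protocol=udp
add action=drop chain=dnsamp dst-port=53 in-interface=\
"wan1" protocol=tcp
add action=passthrough chain=dnsamp
# Proposed input policy, shipped disabled (enable all three together): the input chain
# has no final drop, so anything listening on the router that is not explicitly dropped
# above (SSH on 22 is the only service this filter even looks at) is reachable from
# wan1. Enable only after confirming management does not come in via wan1, or the
# last rule locks you out.
add chain=input comment="Accept established to router" connection-state=established disabled=yes
add chain=input comment="Accept related to router" connection-state=related disabled=yes
add action=drop chain=input comment="Drop everything else from WAN" disabled=yes in-interface=wan1
add action=jump chain=forward comment=\
"----------DNS amplification attack Protection Out----------" \
jump-target=dnsampout
# NOTE(review): no in-interface here, so besides blocking wan1 -> LAN DNS this also drops
# DNS forwarded between internal segments (e.g. ether5-Hotspot to a LAN resolver); add
# in-interface=wan1 if that is not intended. Also confirm the quoted "!wan1" is still
# treated as negation on this RouterOS version; an export normally writes it unquoted.
add action=drop chain=dnsampout dst-port=53 out-interface=\
"!wan1" protocol=udp
add action=drop chain=dnsampout dst-port=53 out-interface=\
"!wan1" protocol=tcp
add action=return chain=dnsampout
add action=jump chain=forward comment=----------isolation---------- \
jump-target=isolation
add action=drop chain=isolation dst-address-list=Security_Segment \
in-interface=ether5-Hotspot
add action=drop chain=isolation dst-address-list=Operations_Segment \
in-interface=ether5-Hotspot
add action=return chain=isolation
# Exact duplicate drops for 135-139 and 445 (tcp and udp) and for 2745/tcp are removed;
# the src-port variants are kept because they match different traffic.
# NOTE(review): this jump has no interface match, so NetBIOS/SMB is also blocked between
# internal segments - confirm that is intended.
add action=jump chain=forward comment=\
"----------jump to the virus chain----------" jump-target=virus
add action=drop chain=virus comment="Drop Blaster Worm" dst-port=135-139 \
protocol=tcp
add action=drop chain=virus comment="Drop Messenger Worm" dst-port=135-139 \
protocol=udp
add action=drop chain=virus comment="Drop Blaster Worm" dst-port=445 \
protocol=tcp
add action=drop chain=virus comment="Drop Blaster Worm" dst-port=445 \
protocol=udp
add action=drop chain=virus comment=________ dst-port=593 protocol=tcp
add action=drop chain=virus comment=________ dst-port=1024-1030 protocol=tcp
add action=drop chain=virus comment="Drop MyDoom" dst-port=1080 protocol=tcp
add action=drop chain=virus comment=________ dst-port=1214 protocol=tcp
add action=drop chain=virus comment="ndm requester" dst-port=1363 protocol=\
tcp
add action=drop chain=virus comment="ndm server" dst-port=1364 protocol=tcp
add action=drop chain=virus comment="screen cast" dst-port=1368 protocol=tcp
add action=drop chain=virus comment=hromgrafx dst-port=1373 protocol=tcp
add action=drop chain=virus comment=cichlid dst-port=1377 protocol=tcp
add action=drop chain=virus comment=Worm dst-port=1433-1434 protocol=tcp
add action=drop chain=virus comment="Bagle Virus / Beagle.C-K" dst-port=2745 protocol=tcp
add action=drop chain=virus comment="Drop Dumaru.Y" dst-port=2283 protocol=\
tcp
add action=drop chain=virus comment="Drop Beagle" dst-port=2535 protocol=tcp
add action=drop chain=virus comment="Drop MyDoom" dst-port=3127-3128 \
protocol=tcp
add action=drop chain=virus comment="Drop Backdoor OptixPro" dst-port=3410 \
protocol=tcp
add action=drop chain=virus comment=Worm dst-port=4444 protocol=tcp
add action=drop chain=virus comment=Worm dst-port=4444 protocol=udp
add action=drop chain=virus comment="Drop Sasser" dst-port=5554 protocol=tcp
add action=drop chain=virus comment="Drop Beagle.B" dst-port=8866 protocol=\
tcp
add action=drop chain=virus comment="Drop Dabber.A-B" dst-port=9898 protocol=\
tcp
add action=drop chain=virus comment="Drop Dumaru.Y" dst-port=10000 protocol=\
tcp
add action=drop chain=virus comment="Drop MyDoom.B" dst-port=10080 protocol=\
tcp
add action=drop chain=virus comment="Drop NetBus" dst-port=12345 protocol=tcp
add action=drop chain=virus comment="Drop Kuang2" dst-port=17300 protocol=tcp
add action=drop chain=virus comment="Drop SubSeven" dst-port=27374 protocol=\
tcp
add action=drop chain=virus comment="Drop PhatBot, Agobot, Gaobot" dst-port=\
65506 protocol=tcp
add action=drop chain=virus comment=Trinoo dst-port=12667 protocol=udp
add action=drop chain=virus comment=Trinoo dst-port=27665 protocol=udp
add action=drop chain=virus comment=Trinoo dst-port=31335 protocol=udp
add action=drop chain=virus comment=Trinoo dst-port=34555 protocol=udp
add action=drop chain=virus comment=Trinoo dst-port=35555 protocol=udp
add action=drop chain=virus comment=Trinoo dst-port=27444 protocol=tcp
add action=drop chain=virus comment=Trinoo dst-port=27665 protocol=tcp
add action=drop chain=virus comment=Trinoo dst-port=31335 protocol=tcp
add action=drop chain=virus comment=Trinoo dst-port=31846 protocol=tcp
add action=drop chain=virus comment=Trinoo dst-port=34555 protocol=tcp
add action=drop chain=virus comment=Trinoo dst-port=35555 protocol=tcp
add action=drop chain=virus comment="2869 UPNP" dst-port=2869 protocol=tcp
add action=drop chain=virus comment="2869 UPNP" dst-port=2869 protocol=udp
add action=drop chain=virus comment="Anti NETBIOS" protocol=tcp src-port=\
135-139
add action=drop chain=virus protocol=udp src-port=135-139
add action=drop chain=virus protocol=udp src-port=445
add action=log chain=virus disabled=yes log-prefix=virus
add action=return chain=virus
# NOTE(review): this chain accepts every new TCP SYN in forward (any interface) and any
# packet carrying syn,ack or fin,ack regardless of connection state. It runs before the
# "connections" chain, so invalid-state packets with those flags skip the invalid drop,
# and it makes the TCP rules in "services" and the final "drop the rest" irrelevant for
# TCP. Conntrack already validates the handshake: accept established/related first, drop
# invalid, then state the forward policy explicitly per interface. Left unchanged here
# because tightening it needs a LAN -> WAN policy this export does not give (for
# example 80/443 appear nowhere in "services").
add action=jump chain=forward comment=\
"----------Allow 3-way handshake----------" jump-target=tcpflags \
protocol=tcp
add chain=tcpflags connection-state=new protocol=tcp tcp-flags=syn
add chain=tcpflags protocol=tcp tcp-flags=syn,ack
add chain=tcpflags connection-state=new protocol=tcp tcp-flags=ack
add chain=tcpflags protocol=tcp tcp-flags=fin,ack
add chain=tcpflags connection-state=new protocol=tcp tcp-flags=urg
add action=return chain=tcpflags
add action=jump chain=forward comment=\
"----------Allow/Drop Connection State----------" jump-target=connections
# The related accept originally sat after this chain's "return" (among the services
# rules), where it could never be reached; it now follows the established accept.
add chain=connections connection-state=established
add chain=connections connection-state=related
add action=drop chain=connections connection-state=invalid
add action=return chain=connections
add action=jump chain=forward comment=\
"----------jump to chain ICMP----------" jump-target=ICMP protocol=icmp
add chain=ICMP comment="0:0 and limit for 5pac/s" icmp-options=0 limit=5,5 \
protocol=icmp
add chain=ICMP comment="3:3 and limit for 5pac/s" icmp-options=3:3 limit=5,5 \
protocol=icmp
add chain=ICMP comment="3:4 and limit for 5pac/s" icmp-options=3:4 limit=5,5 \
protocol=icmp
add chain=ICMP comment="8:0 and limit for 5pac/s" icmp-options=8 limit=5,5 \
protocol=icmp
add chain=ICMP comment="11:0 and limit for 5pac/s" icmp-options=11 limit=5,5 \
protocol=icmp
add action=return chain=ICMP
add action=jump chain=forward comment=\
"----------jump to chain services----------" jump-target=services
add chain=services comment="Allow MACwinbox " dst-port=20561 protocol=udp
add chain=services comment=" MT Discovery Protocol" dst-port=5678 protocol=\
udp
add chain=services comment="Allow SNMP" dst-port=161 protocol=udp
add chain=services comment="Allow BGP" dst-port=179 protocol=tcp
add chain=services comment="Allow SIP" dst-port=5000-5100 protocol=udp
add chain=services comment="Allow NTP" dst-port=123 protocol=udp
add chain=services comment="Allow PPTP" dst-port=1723 protocol=tcp
add chain=services comment="Allow PPTP and EoIP" protocol=gre
add chain=services comment="Allow UPnP" dst-port=1900 protocol=udp
add chain=services comment="Allow UPnP" dst-port=5000 protocol=tcp
add chain=services comment="Allow DHCP" dst-port=67-68 protocol=udp
add chain=services comment="Allow SMTP" dst-port=25 protocol=tcp
# NOTE(review): "Allow udp" accepts ALL forwarded UDP, so the port-specific UDP rules
# above and the final drop are moot for UDP.
add chain=services comment="Allow udp" protocol=udp
# NOTE(review): src-mac-address=00:00:00:00:00:00 matches only an all-zero source MAC,
# so this rule accepts nothing; it looks like a placeholder.
add chain=services comment="Allow Dude" src-mac-address=00:00:00:00:00:00
add action=log chain=forward comment="Drop Everything Else" log-prefix=\
"Drop Everything Else"
add action=drop chain=forward comment="drop the rest"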