Looking for input on my firewall, its a little cpu hungry, and I may have missed something? The rules I have for limiting TCP SYN and # of IP connections are disabled, they seem to be choking my customers down online. I have them marked with **
/ip firewall filter
add chain=Sanity_Check_LAN comment="Allow Established" connection-state=\
established
add chain=Sanity_Check_WAN comment="Allow Established" connection-state=\
established
add chain=Sanity_Check_WAN comment="Allow Related" connection-state=related
add chain=Sanity_Check_LAN comment="Allow Related" connection-state=related
add action=drop chain=Sanity_Check_LAN comment="Drop Invalid" \
connection-state=invalid
add action=jump chain=input comment=\
"PPTP RULES - Enable This Only When Needed!" disabled=yes jump-target=\
PPTP_RULES
add action=jump chain=input comment="Jump To The DROP LIST" in-interface=wan \
jump-target=DROP_LIST
add action=jump chain=input comment="Sanity Check WAN (Internet)" \
in-interface=wan jump-target=Sanity_Check_WAN
add action=jump chain=input comment="Sanity Check LAN (LOCAL)" in-interface=\
!wan jump-target=Sanity_Check_LAN
add action=jump chain=forward comment="Jump To The DROP LIST" in-interface=\
wan jump-target=DROP_LIST
add action=jump chain=forward comment="Sanity Check Forward" in-interface=wan \
jump-target=Sanity_Check_FWD
add action=jump chain=input comment="TCP Filter WAN" in-interface=wan \
jump-target=TCP_Filter_WAN protocol=tcp
add action=jump chain=forward comment="TCP Filter Forward" jump-target=\
TCP_Filter_FWD protocol=tcp
add action=jump chain=input comment="UDP Filter WAN" in-interface=wan \
jump-target=UDP_Filter_WAN protocol=udp
add action=jump chain=forward comment="UDP Filter Forward" jump-target=\
UDP_Filter_FWD protocol=udp
add action=jump chain=forward comment="ICMP Filter Forward" jump-target=\
ICMP_Filter_FWD protocol=icmp
add chain=UDP_Filter_WAN comment="Allow NTP (UDP/123)" dst-port=123 protocol=\
udp src-address=132.163.4.101 src-port=123
add action=jump chain=input comment="ICMP Filter WAN" in-interface=wan \
jump-target=ICMP_Filter_WAN protocol=icmp
add action=drop chain=Sanity_Check_FWD comment=\
"Drop NEW RFC-1918 Connects On Fiber (BOGONS)" connection-state=new \
in-interface=wan src-address-list=rfc-1918
add chain=TCP_Filter_WAN comment="Allow PPTP (1723/TCP)" dst-port=1723 \
protocol=tcp
add chain=TCP_Filter_WAN comment="Allow Winbox (8291/TCP)" dst-port=8291 \
protocol=tcp
add chain=TCP_Filter_WAN comment="Allow SSH (22/TCP)" disabled=yes dst-port=\
22 protocol=tcp
add chain=TCP_Filter_WAN comment="Allow Winbox (8291/TCP)" dst-port=8291 \
protocol=tcp
add chain=TCP_Filter_WAN comment="Allow ONLY Known-DNS Servers" protocol=tcp \
src-address-list=Known-DNS src-port=53
add chain=TCP_Filter_WAN comment="Allow FTP (TCP/21)" disabled=yes dst-port=\
21 protocol=tcp
add action=drop chain=UDP_Filter_FWD comment="Drop Worm" dst-port=4444 \
protocol=udp
add chain=Sanity_Check_LAN comment="Allow OSPF (Except WAN)" disabled=yes \
in-interface=!wan protocol=ospf
add chain=Sanity_Check_LAN comment="Allow IP Neighbor (Except WAN)" disabled=\
yes dst-port=5678 in-interface=!wan protocol=udp src-port=5678
add chain=Sanity_Check_LAN comment="Allow NTP (Except WAN)" disabled=yes \
dst-port=123 in-interface=!wan protocol=udp src-port=123
add chain=Sanity_Check_LAN comment="Allow Winbox Probe (Except WAN)" \
disabled=yes dst-port=20561 in-interface=!wan protocol=udp src-port=20561
add chain=Sanity_Check_LAN comment="Allow Internal ICMP (Except WAN)" \
disabled=yes in-interface=!wan protocol=icmp
add action=log chain=input comment="Log Everything Else As UNK-INPUT" \
disabled=yes log-prefix=UNK-INPUT
add chain=input comment=\
"ACCEPT Everything Else - Change to DROP after testing"
add action=drop chain=Sanity_Check_FWD comment="Drop Source=FINLAND" \
connection-state=new in-interface=wan src-address-list=FINLAND
add action=drop chain=Sanity_Check_FWD comment="Drop Source=CHINA" \
connection-state=new in-interface=wan src-address-list=CHINA
add action=drop chain=Sanity_Check_FWD comment="Drop Dest=Hackers List" \
connection-state=new dst-address-list=Hackers in-interface=wan
add action=drop chain=Sanity_Check_FWD comment="Drop Source=HONG_KONG" \
connection-state=new in-interface=wan src-address-list=HONG_KONG
add action=drop chain=Sanity_Check_FWD comment="Drop Source=INDIA" \
connection-state=new in-interface=wan src-address-list=INDIA
add action=drop chain=Sanity_Check_FWD comment="Drop Source=JAPAN" \
connection-state=new in-interface=wan src-address-list=JAPAN
add action=drop chain=Sanity_Check_FWD comment="Drop Source=KOREA" \
connection-state=new in-interface=wan src-address-list=KOREA
add action=drop chain=Sanity_Check_FWD comment="Drop Source=Malaysia" \
connection-state=new in-interface=wan src-address-list=MALAYSIA
add action=drop chain=Sanity_Check_FWD comment="Drop Source = Phillipines" \
connection-state=new in-interface=wan src-address-list=PHILLIPINES
add action=drop chain=Sanity_Check_FWD comment="Drop Source = Singapore" \
connection-state=new in-interface=wan src-address-list=SINGAPORE
add action=drop chain=Sanity_Check_FWD comment="Drop Source = Taiwan" \
connection-state=new in-interface=wan src-address-list=TAIWAN
add action=drop chain=Sanity_Check_FWD comment="Drop Source = Thailand" \
connection-state=new in-interface=wan src-address-list=THAILAND
add action=drop chain=Sanity_Check_FWD comment="Drop Source = Vietnam" \
connection-state=new in-interface=wan src-address-list=VIETNAM
add action=drop chain=TCP_Filter_FWD comment="NMAP FIN Stealth scan" \
protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=TCP_Filter_FWD comment="SYN/FIN scan" protocol=tcp \
tcp-flags=fin,syn
add action=drop chain=TCP_Filter_FWD comment="SYN/RST scan" protocol=tcp \
tcp-flags=syn,rst
add action=drop chain=TCP_Filter_FWD comment="FIN/PSH/URG scan" protocol=tcp \
tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=drop chain=TCP_Filter_FWD comment="ALL/ALL scan" protocol=tcp \
tcp-flags=fin,syn,rst,psh,ack,urg
add action=drop chain=TCP_Filter_FWD comment="NMAP NULL scan" protocol=tcp \
tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=TCP_Filter_WAN comment="drop ftp brute forcers" \
dst-port=21 protocol=tcp src-address-list=ftp_blacklist
add action=drop chain=TCP_Filter_WAN comment="drop ssh brute forcers" \
dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist \
address-list-timeout=2d chain=TCP_Filter_WAN comment=\
"SSH Login Attempt BLACKLISTED" connection-state=new dst-port=22 \
protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
address-list-timeout=1m chain=TCP_Filter_WAN comment=\
"SSH Login Attempt STAGE III" connection-state=new dst-port=22 protocol=\
tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
address-list-timeout=1m chain=TCP_Filter_WAN comment=\
"SSH Login Attempt STAGE II" connection-state=new dst-port=22 protocol=\
tcp src-address-list=ssh_stage1
add action=drop chain=Sanity_Check_WAN comment="Drop Invalid" \
connection-state=invalid
add action=drop chain=DROP_LIST comment="Drop HACKERS List" src-address-list=\
Hackers
add action=drop chain=output comment="Do NOT Answer HACKERS List" \
dst-address-list=Hackers
add action=drop chain=DROP_LIST comment="Drop SCANNERS List" \
src-address-list=SCANNERS
add action=drop chain=DROP_LIST comment="Drop DNS-Theft List" \
src-address-list=DNS-Theft
add action=drop chain=output comment="Do NOT Answer SCANNERS List" \
dst-address-list=SCANNERS
add action=drop chain=output comment="Do NOT Answer DNS-Theft List" \
dst-address-list=DNS-Theft
add action=drop chain=DROP_LIST comment="Drop FTP Blacklist" \
src-address-list=ftp_blacklist
add action=drop chain=DROP_LIST comment="Drop SSH Blacklist" \
src-address-list=ssh_blacklist
add action=drop chain=Sanity_Check_WAN comment="Drop BOGONS Coming in WAN" \
connection-state=new in-interface=wan src-address-list=rfc-1918
add action=drop chain=TCP_Filter_FWD comment=\
"Drop The Spammers (Need To Check)" \
connection-limit=30,32 dst-port=25,587 in-interface=wan limit=30/1m,0 \
protocol=tcp
add action=drop chain=TCP_Filter_FWD comment="deny DHCP & TFTP" dst-port=\
67-69 protocol=tcp
add action=drop chain=TCP_Filter_FWD comment="deny RPC portmapper" dst-port=\
111 protocol=tcp
add action=drop chain=TCP_Filter_FWD comment="Known VIRUS Port" dst-port=113 \
protocol=tcp
add action=drop chain=TCP_Filter_FWD comment="deny NBT & RPC Portmapper" \
dst-port=135-139 protocol=tcp
add action=drop chain=TCP_Filter_FWD comment="deny cifs" dst-port=445 \
protocol=tcp
add action=drop chain=TCP_Filter_FWD comment="Drop Virii Port" dst-port=593 \
protocol=tcp
add action=drop chain=TCP_Filter_FWD comment="bug" dst-port=1024-1030 \
protocol=tcp
add action=drop chain=TCP_Filter_FWD comment="Drop MyDoom" dst-port=1080 \
protocol=tcp
add action=drop chain=TCP_Filter_FWD comment="bug" dst-port=1214 protocol=\
tcp
add action=drop chain=TCP_Filter_FWD comment="NDM Requester & Server" \
dst-port=1363-1364 protocol=tcp
add action=drop chain=TCP_Filter_FWD comment="screen cast" dst-port=1368 \
protocol=tcp
add action=drop chain=TCP_Filter_FWD comment=hromgrafx dst-port=1373 \
protocol=tcp
add action=drop chain=TCP_Filter_FWD comment=cichlid dst-port=1377 protocol=\
tcp
add action=drop chain=TCP_Filter_FWD comment=Worm dst-port=1433-1434 \
protocol=tcp
add action=drop chain=TCP_Filter_FWD comment="deny NFS" dst-port=2049 \
protocol=tcp
add action=drop chain=TCP_Filter_FWD comment="Drop Dumaru.Y" dst-port=2283 \
protocol=tcp
add action=drop chain=TCP_Filter_FWD comment="Drop Beagle" dst-port=2535 \
protocol=tcp
add action=drop chain=TCP_Filter_FWD comment="Drop Beagle.C-K" dst-port=2745 \
protocol=tcp
add action=drop chain=TCP_Filter_FWD comment="Drop MyDoom" dst-port=3127-3128 \
protocol=tcp
add action=drop chain=TCP_Filter_FWD comment="deny BackOriffice" dst-port=\
3133 protocol=tcp
add action=drop chain=TCP_Filter_FWD comment=\
"RDP Scans (Limited to 1 per second)" dst-port=3389 in-interface=wan \
limit=1,5 protocol=tcp
add action=drop chain=TCP_Filter_FWD comment="Drop Backdoor OptixPro" \
dst-port=3410 protocol=tcp
add action=drop chain=TCP_Filter_FWD comment=Worm dst-port=4444 protocol=tcp
add action=drop chain=TCP_Filter_FWD comment="Drop Sasser" dst-port=5554 \
protocol=tcp
add action=drop chain=TCP_Filter_FWD comment=Bittorent dst-port=6881 \
protocol=tcp
add action=drop chain=TCP_Filter_FWD comment=\
"VNC Port (Limited to 1 per Second)" dst-port=5900 in-interface=wan \
limit=1,5 protocol=tcp
add action=drop chain=TCP_Filter_FWD comment="Drop Beagle.B" dst-port=8866 \
protocol=tcp
add action=log chain=TCP_Filter_FWD comment="LOG Web Proxy Probes" \
connection-state=new disabled=yes dst-port=8080-8081 in-interface=wan \
log-prefix=PROXY protocol=tcp
add action=add-src-to-address-list address-list=Hackers address-list-timeout=\
20m chain=TCP_Filter_FWD comment="SAVE Web Proxy Probes" \
connection-state=new dst-port=8080-8081 in-interface=wan protocol=tcp
add action=drop chain=TCP_Filter_FWD comment="DROP Web Proxy Probes" \
connection-state=new dst-port=8080-8081 in-interface=wan protocol=tcp
add action=drop chain=TCP_Filter_FWD comment="Drop Dabber.A-B" dst-port=9898 \
protocol=tcp
add action=drop chain=TCP_Filter_FWD comment="Drop Dumaru.Y" dst-port=10000 \
protocol=tcp
add action=drop chain=TCP_Filter_FWD comment="Drop MyDoom.B" dst-port=10080 \
protocol=tcp
add action=drop chain=TCP_Filter_FWD comment="deny NetBus" dst-port=\
12345-12346 protocol=tcp
add action=drop chain=TCP_Filter_FWD comment="Drop Kuang2" dst-port=17300 \
protocol=tcp
add action=drop chain=TCP_Filter_FWD comment="deny NetBus" dst-port=20034 \
protocol=tcp
add action=drop chain=UDP_Filter_FWD comment="deny TFTP" dst-port=69 \
protocol=udp
add action=drop chain=UDP_Filter_FWD comment="deny PRC portmapper" dst-port=\
111 protocol=udp
add action=drop chain=UDP_Filter_FWD comment="Known VIRUS Port" dst-port=113 \
protocol=udp
add action=drop chain=UDP_Filter_FWD comment="deny NBT & RPC Portmapper" \
dst-port=135-139 protocol=udp
add action=drop chain=UDP_Filter_FWD comment="Drop Blaster Worm" dst-port=445 \
protocol=udp
add action=drop chain=UDP_Filter_FWD comment="deny NFS" dst-port=2049 \
protocol=udp
add chain=ICMP_Filter_WAN comment="Allow Echo Reply" icmp-options=0:0 \
protocol=icmp
add chain=ICMP_Filter_FWD comment="Allow Echo Reply" icmp-options=0:0 \
protocol=icmp
add chain=ICMP_Filter_WAN comment="Allow Echo Unreachable" icmp-options=3:0 \
protocol=icmp
add chain=ICMP_Filter_FWD comment="Allow Echo Unreachable" icmp-options=3:0 \
protocol=icmp
add chain=ICMP_Filter_WAN comment="Allow Destination Unreachable" \
icmp-options=3:1 protocol=icmp
add chain=ICMP_Filter_FWD comment="Allow Destination Unreachable" \
icmp-options=3:1 protocol=icmp
add chain=ICMP_Filter_WAN comment="Allow Source Quench" icmp-options=4:0 \
protocol=icmp
add chain=ICMP_Filter_FWD comment="Allow Source Quench" icmp-options=4:0 \
protocol=icmp
add action=log chain=ICMP_Filter_WAN comment="Log Echo Request" disabled=yes \
icmp-options=8:0 protocol=icmp
add action=log chain=ICMP_Filter_FWD comment="Log Echo Request" disabled=yes \
icmp-options=8:0 protocol=icmp
add chain=ICMP_Filter_WAN comment="Allow Echo Request (LIMITED)" \
icmp-options=8:0 limit=1,5 protocol=icmp
add chain=ICMP_Filter_FWD comment="Allow Echo Request (LIMITED)" \
icmp-options=8:0 limit=10,10 protocol=icmp
add chain=ICMP_Filter_WAN comment="Allow Time Exceeded" icmp-options=11:0 \
protocol=icmp
add chain=ICMP_Filter_FWD comment="Allow Time Exceeded" icmp-options=11:0 \
protocol=icmp
add chain=ICMP_Filter_WAN comment="Allow Bad Parameter" icmp-options=12:0 \
protocol=icmp
add chain=ICMP_Filter_FWD comment="Allow Bad Parameter" icmp-options=12:0 \
protocol=icmp
add chain=ICMP_Filter_WAN comment="Allow our DNS servers" protocol=icmp \
src-address-list=Known-DNS
add chain=ICMP_Filter_FWD comment="Allow our DNS servers" protocol=icmp \
src-address-list=Known-DNS
add chain=ICMP_Filter_WAN comment="Is this Apple crap\?" icmp-options=3:3 \
protocol=icmp
add chain=ICMP_Filter_FWD comment="Is this Apple crap\?" icmp-options=3:3 \
protocol=icmp
add action=log chain=ICMP_Filter_WAN comment=\
"Log all other types (Be Careful Dude!)" disabled=yes log-prefix=ICMP \
protocol=icmp
add action=log chain=ICMP_Filter_FWD comment=\
"Log all other types (Be Careful Dude!)" disabled=yes log-prefix=ICMP \
protocol=icmp
add action=drop chain=ICMP_Filter_WAN comment="Drop All Other ICMP Traffic" \
protocol=icmp
add action=drop chain=ICMP_Filter_FWD comment="Drop All Other ICMP Traffic" \
protocol=icmp
add action=drop chain=UDP_Filter_FWD comment="deny BackOriffice" dst-port=\
3133 protocol=udp
add action=add-src-to-address-list address-list=ssh_stage1 \
address-list-timeout=1m chain=TCP_Filter_WAN comment=\
"SSH Login Attempt STAGE I" connection-state=new dst-port=22 protocol=\
tcp
add action=log chain=TCP_Filter_WAN comment="LOG Unknown TCP on WAN" \
disabled=yes log-prefix=UNKNOWN protocol=tcp
add action=add-src-to-address-list address-list=SCANNERS \
address-list-timeout=20m chain=TCP_Filter_WAN comment=\
"SAVE Unknown TCP on WAN"
add action=drop chain=TCP_Filter_WAN comment="DROP Unknown TCP on WAN"
add chain=UDP_Filter_WAN comment="Drop All Unknown DNS Connections" protocol=\
udp src-address-list=DNS-SERVERS src-port=53
add action=log chain=UDP_Filter_WAN comment="LOG Unknown UDP on WAN" \
disabled=yes log-prefix=UNK_UDP_WAN
add action=add-src-to-address-list address-list=SCANNERS \
address-list-timeout=20m chain=UDP_Filter_WAN comment=\
"SAVE Unknown UDP on WAN"
add action=drop chain=UDP_Filter_WAN comment="DROP Unknown UDP on WAN"
add action=log chain=UDP_Filter_FWD comment=\
"LOG Unknown DNS Connections (In WAN Only)" disabled=yes dst-port=53 \
in-interface=wan log-prefix=UNK_DNS protocol=udp src-address-list=\
!Known-DNS
add action=add-src-to-address-list address-list=DNS-Theft \
address-list-timeout=1m chain=UDP_Filter_FWD comment="SAVE Unknown DNS Con\
nections (In WAN Only - Probably spoofed IP so 1 minute timeout)" \
dst-port=53 in-interface=wan protocol=udp src-address-list=!Known-DNS
add action=drop chain=UDP_Filter_FWD comment=\
"Drop Unknown DNS Connections (In WAN Only)" dst-port=53 in-interface=wan \
protocol=udp src-address-list=!Known-DNS
add chain=UDP_Filter_FWD comment="Allow Everything Else" disabled=yes \
protocol=udp
add action=drop chain=TCP_Filter_FWD comment="Drop SubSeven" dst-port=27374 \
protocol=tcp
add action=drop chain=TCP_Filter_FWD comment="Drop PhatBot, Agobot, Gaobot" \
dst-port=65506 protocol=tcp
add action=drop chain=TCP_Filter_FWD comment=\
"**Limit TCP Connections To 200 per IP" connection-limit=200,32 disabled=\
yes out-interface=wan protocol=tcp src-address-list=Our_Public_Network
add chain=TCP_Filter_FWD comment="**Allow 200 SYN packets per Second" \
connection-state=new disabled=yes in-interface=wan limit=200,5 protocol=\
tcp tcp-flags=syn
add action=add-src-to-address-list address-list=SCANNERS \
address-list-timeout=20m chain=TCP_Filter_FWD comment=\
"**Drop Excessive TCP SYN Packets" connection-state=new disabled=yes \
in-interface=wan protocol=tcp tcp-flags=syn
add action=drop chain=TCP_Filter_FWD comment="**Drop Excessive TCP SYN Packets" \
connection-state=new disabled=yes in-interface=wan protocol=tcp \
tcp-flags=syn
add chain=TCP_Filter_FWD comment="Allow Everything Else" disabled=yes \
protocol=tcp
add chain=Sanity_Check_LAN comment="Allow Everything Else"
add chain=PPTP_RULES protocol=gre
add chain=PPTP_RULES dst-port=500 protocol=udp
add chain=PPTP_RULES dst-port=443 protocol=tcp
add chain=PPTP_RULES dst-port=1723 protocol=tcp
add chain=forward comment="Allow Established" connection-state=established
add chain=forward comment="Allow Related" connection-state=related
add chain=forward comment="Allow Our Public Network Out WAN" \
connection-state=new out-interface=wan src-address-list=\
Our_Public_Network
add action=log chain=forward comment="DROP Invalid" connection-state=invalid \
disabled=yes log-prefix=INV
add action=drop chain=forward comment="DROP Invalid" connection-state=invalid
add action=log chain=forward comment="LOG EVERYTHING ELSE" disabled=yes \
log-prefix=unk
add chain=forward comment="ALLOW EVERYTHING ELSE"