Goodmorning everybody,
i want to ask something about a firewall. I’m not very expert with firewall but after i read some topic about it on internet i belive to create a lot of MESS on my routerboard. I want to ask if my rule is correct for to control a traffic to/from my router. i had a little problem in the past with some indesiderate connection and now i resolve the problem that i think this rule is correct. Anyway doesn’t matter what i think, and i ask for some expert to say me if the rule is correct! After that i have a problem with a shared disk on my local network by SMB because after i made the rule i can’t access by my laptop or pc. the pc doesn’t see the smb and recive a error message. i posted my configuration.
# feb/07/2021 14:26:56 by RouterOS 7.1beta3
# software id = MNQF-X5T5
#
# model = RBD52G-5HacD2HnD
# serial number = C6140B28FC54
/ip firewall filter
add action=drop chain=input comment="Drop invalid connections" \
connection-state=invalid
add action=accept chain=input comment="Allow established connections" \
connection-state=established
add action=accept chain=input comment="Allow ICMP" protocol=icmp
add action=accept chain=input in-interface=!ether1 src-address=192.168.0.0/24
add action=drop chain=input comment="Drop everything else"
add action=drop chain=forward comment="drop invalid connections" \
connection-state=invalid protocol=tcp
add action=accept chain=forward comment=\
"allow already established connections" connection-state=established
add action=accept chain=forward comment="allow related connections" \
connection-state=related
add action=drop chain=input comment="drop ftp brute forces" dst-port=21 \
protocol=tcp src-address-list=ftp_blacklist
add action=accept chain=output content="530 Login incorrect" dst-limit=\
1/1m,9,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list=ftp_blacklist \
address-list-timeout=3h chain=output content="530 Login incorrect" \
protocol=tcp
add action=drop chain=input comment="drop ssh brute forcers" dst-port=22 \
protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist \
address-list-timeout=1w3d chain=input connection-state=new dst-port=22 \
protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
address-list-timeout=1m chain=input connection-state=new dst-port=22 \
protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
address-list-timeout=1m chain=input connection-state=new dst-port=22 \
protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
address-list-timeout=1m chain=input connection-state=new dst-port=22 \
protocol=tcp
add action=drop chain=forward comment="BLOCK SPAMMERS OR INFECTED USERS" \
dst-port=25 protocol=tcp src-address-list=spammer
add action=add-src-to-address-list address-list=spammer address-list-timeout=\
1d chain=forward comment="Detect and add-list SMTP virus or spammers" \
connection-limit=30,32 dst-port=25 limit=50,5 protocol=tcp
add action=drop chain=virus comment="Drop Spammer" dst-port=25 protocol=tcp \
src-address-list=spammer
add action=add-src-to-address-list address-list=spammer address-list-timeout=\
1d chain=virus comment="add to spammer list" connection-limit=30,32 \
dst-port=25 limit=50,5 protocol=tcp
add action=jump chain=forward comment="jump to the virus chain" jump-target=\
virus
/ip firewall nat
add action=masquerade chain=srcnat disabled=yes out-interface=pppoe-out1 \
out-interface-list=WAN
add action=masquerade chain=srcnat out-interface-list=WAN
add action=dst-nat chain=dstnat comment=Camera_garage dst-port=81 protocol=\
tcp to-addresses=x.x.x.103 to-ports=81
add action=dst-nat chain=dstnat comment=Camera_dietro dst-port=82 protocol=\
tcp to-addresses=x.x.x.105 to-ports=82
add action=dst-nat chain=dstnat comment=Camera_Portico2 dst-port=83 protocol=\
tcp to-addresses=x.x.x.107 to-ports=83
add action=dst-nat chain=dstnat comment=Camera_retrocasa dst-port=84 \
protocol=tcp to-addresses=x.x.x.106 to-ports=84
add action=dst-nat chain=dstnat comment=Camera_Portico dst-port=86 protocol=\
tcp to-addresses=x.x.x.104 to-ports=86
add action=dst-nat chain=dstnat comment=Camera_Portico2 dst-port=8000 \
protocol=tcp to-addresses=x.x.x.107 to-ports=8000
add action=dst-nat chain=dstnat comment=Camera_retrocasa dst-port=554 \
protocol=tcp to-addresses=x.x.x.106 to-ports=554
add action=dst-nat chain=dstnat comment=Camera_retrocasa dst-port=555 \
protocol=tcp to-addresses=x.x.x.107 to-ports=555
add action=dst-nat chain=dstnat comment=Camera_retrocasa dst-port=8000 \
protocol=tcp to-addresses=x.x.x.106 to-ports=8000
add action=dst-nat chain=dstnat comment=Camera_Casetta dst-port=87 protocol=\
tcp to-addresses=x.x.x.109 to-ports=87
add action=dst-nat chain=dstnat comment=Emule_TCP disabled=yes dst-port=4242 \
protocol=tcp to-addresses=x.x.x.176 to-ports=4242
add action=dst-nat chain=dstnat comment=Emule_TCP disabled=yes dst-port=4242 \
protocol=tcp to-addresses=x.x.x.155 to-ports=4242
add action=dst-nat chain=dstnat comment=Emule_udp disabled=yes dst-port=4662 \
protocol=udp to-addresses=x.x.x.176 to-ports=4662
add action=dst-nat chain=dstnat comment=Emule_udp disabled=yes dst-port=4662 \
protocol=udp to-addresses=x.x.x.155 to-ports=4662
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
192.168.89.0/24
/ip firewall service-port
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes ports=8000
set sip ports=5060,5061,3478,5062
set pptp disabled=yes ports=1723
set udplite disabled=yes ports=80
set dccp ports=443
thanks a lot for help me!