Firewall rules not working (IT noob)

Hello, I'm a beginner. I just started learning IT 3 months ago by watching YouTube tutorials. I also purchased my first router 2 months ago (hAP lite ac dual band). I recently started configuring my first network.

My problem: Firewall rules for catching port scanners are not working. I use Nmap to pentest my network. The UDP scans are detected, but the TCP scans are not. None of the rules below work.

```text
1. add chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list address-list="port-scanners" address-list-timeout=2w comment="Port-scanners-to-list" disabled=no
2. add chain=input protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port-scanners" address-list-timeout=2w comment="NMAP-FIN-Stealth-scan"
3. add chain=input protocol=tcp tcp-flags=fin,syn action=add-src-to-address-list address-list="port-scanners" address-list-timeout=2w comment="SYN/FIN-scan"
4. add chain=input protocol=tcp tcp-flags=syn,rst action=add-src-to-address-list address-list="port-scanners" address-list-timeout=2w comment="SYN/RST-scan"
5. add chain=input protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack action=add-src-to-address-list address-list="port-scanners" address-list-timeout=2w comment="FIN/PSH/URG-scan"
6. add chain=input protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg action=add-src-to-address-list address-list="port-scanners" address-list-timeout=2w comment="ALL/ALL-scan"
7. add chain=input protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port-scanners" address-list-timeout=2w comment="NMAP-NULL-scan"
```

It's a waste of time; here are the efficient and clean FW rules you need to drop all traffic except what you wish to allow...

```text
/ip firewall filter
{Input Chain}
(default rules to keep)
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
(admin rules)
add action=accept chain=input src-address-list=Authorized comment="Config Access"
add action=accept chain=input comment="Allow LAN DNS queries - UDP" dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Allow LAN DNS queries - TCP" dst-port=53 in-interface-list=LAN protocol=tcp
add action=drop chain=input comment="drop all else"
{forward chain}
(default rules to keep)
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
(user rules)
add action=accept chain=forward comment="allow internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat disabled=yes { enable if required }
add action=drop chain=forward comment="drop all else"
```

Where the firewall address list comprises the admin devices (static LAN DHCP leases):

```text
/ip firewall address-list
add address=admin-IP1 list=Authorized comment="admin desktop"
add address=admin-IP2 list=Authorized comment="admin laptop"
add address=admin-IP3 list=Authorized comment="admin ipad/smartphone"
```
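To make the two rule sets in this thread concrete, here is a small first-match simulator for RouterOS-style `/ip firewall filter` rules. It is an added example written for this page, not code from the original posters or from MikroTik, and it models only the matchers that appear above (`chain`, `protocol`, `tcp-flags`, `connection-state`, `src-address-list`, `dst-address`, `dst-port`, `in-interface-list`, `out-interface-list`, `disabled`); the stateful `psd` matcher from the first rule is deliberately not modelled. It applies the RouterOS `tcp-flags` semantics (every listed flag must be set, every `!flag` must be clear, unlisted flags are ignored) to the question's scan rules, and then runs anav's default-deny input chain against a few constructed packets. The IP addresses and the `Authorized` list contents are constructed sample values.

```python
"""Added example (not from the thread): first-match simulator for the
RouterOS-style filter rules quoted on this page.  The psd matcher is not
modelled; only packet-level matchers are."""
import shlex


def parse_rule(line):
    """Parse 'add chain=input protocol=tcp tcp-flags=fin,!syn ... action=X' into a dict."""
    tokens = shlex.split(line)
    if tokens[0] != "add":
        raise ValueError("expected a RouterOS 'add' line: " + line)
    return dict(tok.partition("=")[::2] for tok in tokens[1:])


def tcp_flags_match(spec, pkt_flags):
    """RouterOS tcp-flags: listed flags must be set, '!flag' must be clear, others ignored."""
    for item in spec.split(","):
        want_set = not item.startswith("!")
        if (item.lstrip("!") in pkt_flags) != want_set:
            return False
    return True


def rule_matches(rule, pkt, address_lists):
    """True when every matcher present in the rule agrees with the packet."""
    if rule.get("disabled") == "yes" or rule["chain"] != pkt["chain"]:
        return False
    simple = {"protocol": "protocol", "dst-port": "dst_port", "dst-address": "dst",
              "in-interface-list": "in_if", "out-interface-list": "out_if"}
    for rkey, pkey in simple.items():  # exact-match fields
        if rkey in rule and rule[rkey] != str(pkt.get(pkey)):
            return False
    if "tcp-flags" in rule and not tcp_flags_match(rule["tcp-flags"], pkt.get("flags", set())):
        return False
    if "connection-state" in rule and pkt.get("conn_state") not in rule["connection-state"].split(","):
        return False
    if "src-address-list" in rule and pkt.get("src") not in address_lists.get(rule["src-address-list"], ()):
        return False
    return True


def evaluate(rules, pkt, address_lists=None):
    """First matching rule wins, as in a RouterOS chain.  (None, '') means nothing matched."""
    for rule in rules:
        if rule_matches(rule, pkt, address_lists or {}):
            return rule["action"], rule.get("comment", "")
    return None, ""


# The question's flag-based scan rules (psd rule omitted), ASCII quotes.
SCAN_RULES = [parse_rule(r) for r in (
    'add chain=input protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list=port-scanners comment="NMAP-FIN-Stealth-scan"',
    'add chain=input protocol=tcp tcp-flags=fin,syn action=add-src-to-address-list address-list=port-scanners comment="SYN/FIN-scan"',
    'add chain=input protocol=tcp tcp-flags=syn,rst action=add-src-to-address-list address-list=port-scanners comment="SYN/RST-scan"',
    'add chain=input protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack action=add-src-to-address-list address-list=port-scanners comment="FIN/PSH/URG-scan"',
    'add chain=input protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg action=add-src-to-address-list address-list=port-scanners comment="ALL/ALL-scan"',
    'add chain=input protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list=port-scanners comment="NMAP-NULL-scan"',
)]

# anav's default-deny input chain, as quoted in the reply above.
INPUT_RULES = [parse_rule(r) for r in (
    'add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked',
    'add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid',
    'add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp',
    'add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1',
    'add action=accept chain=input src-address-list=Authorized comment="Config Access"',
    'add action=accept chain=input comment="Allow LAN DNS queries - UDP" dst-port=53 in-interface-list=LAN protocol=udp',
    'add action=accept chain=input comment="Allow LAN DNS queries - TCP" dst-port=53 in-interface-list=LAN protocol=tcp',
    'add action=drop chain=input comment="drop all else"',
)]

# Constructed address list: 192.0.2.10 stands in for the admin desktop.
ADDRESS_LISTS = {"Authorized": {"192.0.2.10"}}


def scan_label(flags):
    """Comment of the scan rule a TCP segment with these flags would hit, or None."""
    pkt = {"chain": "input", "protocol": "tcp", "flags": set(flags)}
    return evaluate(SCAN_RULES, pkt)[1] or None


def input_verdict(src, protocol, dst_port, in_if, conn_state="new", flags=("syn",)):
    """Verdict of anav's input chain for a packet addressed to the router itself."""
    pkt = {"chain": "input", "protocol": protocol, "src": src, "dst_port": dst_port,
           "in_if": in_if, "conn_state": conn_state, "flags": set(flags),
           "dst": "198.51.100.1"}  # constructed router WAN address
    return evaluate(INPUT_RULES, pkt, ADDRESS_LISTS)[0]


if __name__ == "__main__":
    for flags in ((), ("fin",), ("fin", "psh", "urg"), ("syn",), ("syn", "ack")):
        print(sorted(flags) or "no flags", "->", scan_label(flags))
    print("admin host to 8291:", input_verdict("192.0.2.10", "tcp", 8291, "WAN"))
    print("stranger to 8291:  ", input_verdict("203.0.113.7", "tcp", 8291, "WAN"))
    print("LAN DNS query:     ", input_verdict("192.168.88.20", "udp", 53, "LAN"))
```

Two things the run makes visible: the flag-combination rules only fire on unusual flag sets (NULL, FIN, Xmas and the like), so a plain SYN or SYN/ACK falls through to none of them and is left to the `psd` matcher that this simulator skips; and in the default-deny chain the verdict depends entirely on rule order, which is why the `accept` rules for known-good traffic sit above the final `drop`.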

anav is right, block all, then allow some.

@anav @normis Hello, it worked, but I still kept the anti-port-scan rules and put them in RAW. Thanks for the support.