Help compiling DoS / Port scanning drop rules

Hi,
I was compiling a set of rules to provide basic protection to our sites behind an rb750. Basically, I only allow some ports and drop everything else. I added port scanning protection and SYN flood protection to avoid DoS. Also, I’m logging (not dropping) IPs with excessive connections (50).

Can anyone help me validate these rules? We want to prevent DoS attacks.


[admin@tfsla-fw] /ip firewall filter> print all
Flags: X - disabled, I - invalid, D - dynamic
0 X ;;; default configuration
chain=input action=accept protocol=icmp

1 ;;; Allow limited pings
chain=input action=accept protocol=icmp limit=50/5s,2

2 ;;; Drop excess pings
chain=input action=drop protocol=icmp

3 ;;; default configuration
chain=input action=accept connection-state=established in-interface=ether1-gateway

4 ;;; default configuration
chain=input action=accept connection-state=related in-interface=ether1-gateway

5 chain=input action=accept protocol=tcp dst-port=81

6 chain=input action=accept protocol=tcp dst-port=80

7 chain=input action=accept protocol=tcp dst-port=143

8 chain=input action=accept protocol=tcp dst-port=443

9 chain=input action=accept protocol=tcp dst-port=2401

10 chain=input action=accept protocol=tcp dst-port=8080

11 chain=input action=accept protocol=tcp dst-port=8081

12 chain=input action=accept protocol=tcp dst-port=20

13 chain=input action=accept protocol=udp dst-port=53

14 chain=input action=accept protocol=tcp dst-port=25

15 chain=input action=accept protocol=tcp dst-port=62622

18 chain=input action=accept protocol=udp dst-port=1723

19 chain=input action=accept protocol=udp dst-port=1194

20 chain=input action=accept protocol=tcp dst-port=3389

21 chain=input action=accept protocol=tcp dst-port=53

22 chain=input action=accept protocol=tcp dst-port=8291

23 chain=input action=accept protocol=tcp dst-port=903

24 chain=input action=accept protocol=tcp dst-port=902

25 chain=input action=accept protocol=gre

26 chain=input action=accept protocol=tcp dst-port=8180

27 chain=input action=accept protocol=tcp dst-port=8860

28 chain=input action=accept protocol=tcp dst-port=1521

29 chain=input action=accept protocol=tcp dst-port=20

30 chain=input action=accept protocol=tcp dst-port=21

31 chain=input action=accept protocol=tcp dst-port=60150-60200

32 chain=input action=add-src-to-address-list protocol=tcp address-list=blocked-addr address-list-timeout=0s connection-limit=100,32

33 X ;;; SYN Flood protect
chain=forward action=jump jump-target=SYN-Protect tcp-flags=syn connection-state=new protocol=tcp

34 chain=SYN-Protect action=accept tcp-flags=syn connection-state=new protocol=tcp limit=400,5

35 chain=SYN-Protect action=drop tcp-flags=syn connection-state=new protocol=tcp

36 ;;; Port scanners to list
chain=input action=add-src-to-address-list protocol=tcp psd=21,3s,3,1 address-list=port scanners address-list-timeout=2w

37 ;;; NMAP FIN Stealth scan
chain=input action=add-src-to-address-list tcp-flags=fin,!syn,!rst,!psh,!ack,!urg protocol=tcp address-list=port scanners address-list-timeout=2w

29 chain=input action=accept protocol=tcp dst-port=20

30 chain=input action=accept protocol=tcp dst-port=21

31 chain=input action=accept protocol=tcp dst-port=60150-60200

32 chain=input action=add-src-to-address-list protocol=tcp address-list=blocked-addr address-list-timeout=0s connection-limit=100,32

33 X ;;; SYN Flood protect
chain=forward action=jump jump-target=SYN-Protect tcp-flags=syn connection-state=new protocol=tcp

34 chain=SYN-Protect action=accept tcp-flags=syn connection-state=new protocol=tcp limit=400,5

35 chain=SYN-Protect action=drop tcp-flags=syn connection-state=new protocol=tcp

36 ;;; Port scanners to list
chain=input action=add-src-to-address-list protocol=tcp psd=21,3s,3,1 address-list=port scanners address-list-timeout=2w

37 ;;; NMAP FIN Stealth scan
chain=input action=add-src-to-address-list tcp-flags=fin,!syn,!rst,!psh,!ack,!urg protocol=tcp address-list=port scanners address-list-timeout=2w

38 ;;; SYN/FIN scan
chain=input action=add-src-to-address-list tcp-flags=fin,syn protocol=tcp address-list=port scanners address-list-timeout=2w

39 ;;; SYN/RST scan
chain=input action=add-src-to-address-list tcp-flags=syn,rst protocol=tcp address-list=port scanners address-list-timeout=2w

40 ;;; FIN/PSH/URG scan
chain=input action=add-src-to-address-list tcp-flags=fin,psh,urg,!syn,!rst,!ack protocol=tcp address-list=port scanners address-list-timeout=2w

41 ;;; ALL/ALL scan
chain=input action=add-src-to-address-list tcp-flags=fin,syn,rst,psh,ack,urg protocol=tcp address-list=port scanners address-list-timeout=2w

42 ;;; NMAP NULL scan
chain=input action=add-src-to-address-list tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg protocol=tcp address-list=port scanners address-list-timeout=2w

43 ;;; dropping port scanners
chain=input action=drop src-address-list=port scanners

44 ;;; default configuration
chain=input action=drop in-interface=ether1-gateway

You’ve duplicated rules 29-37… was that just a mixed-up copy and paste, or could you consolidate those rules? I also do not see the rule for 50 connections which you say logs. It looks like your last rule does drop, not log.

I would consider using a src-address-list for select IPs for those individual ports you want to allow. And I believe you can remove lines 5-31 and do NAT instead of a firewall rule. This is assuming you have NAT’d machines you want that to go to? Or if your intent is to only allow inside computers to use certain ports, then most of lines 5-31 could be combined into one rule, I believe:
chain=input action=accept protocol=tcp dst-port=20,21,80,… etc

I’m confused by 37-42… not sure what’s going on there. I’m not saying it’s wrong, I just don’t understand it.

The rules all appear to be input chain rules so they are only affecting traffic to the routerboard itself - not the forwarding chain which controls traffic to devices “behind” the router.
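An added example (not from the thread) that evaluates the tcp-flags expressions of rules 37-42 against constructed TCP flag sets, using RouterOS matching semantics (listed flags must be set, "!" flags must be clear, unlisted flags are ignored); it shows which packets would be added to the "port scanners" list and which ordinary packets pass untouched.

```python
# Added example, not from the forum post: evaluates the tcp-flags matchers
# of rules 37-42 as listed in the thread against constructed flag sets.
TCP_FLAGS = ("fin", "syn", "rst", "psh", "ack", "urg")

# (rule number, comment, tcp-flags expression) copied from the posted ruleset
SCAN_RULES = [
    (37, "NMAP FIN Stealth scan", "fin,!syn,!rst,!psh,!ack,!urg"),
    (38, "SYN/FIN scan", "fin,syn"),
    (39, "SYN/RST scan", "syn,rst"),
    (40, "FIN/PSH/URG scan", "fin,psh,urg,!syn,!rst,!ack"),
    (41, "ALL/ALL scan", "fin,syn,rst,psh,ack,urg"),
    (42, "NMAP NULL scan", "!fin,!syn,!rst,!psh,!ack,!urg"),
]


def tcp_flags_match(expr, flags):
    """RouterOS tcp-flags semantics: every plain flag in the expression must be
    set, every '!'-prefixed flag must be clear, flags not mentioned are ignored."""
    present = set(flags)
    for term in expr.split(","):
        term = term.strip()
        if term.startswith("!"):
            if term[1:] in present:
                return False
        elif term not in present:
            return False
    return True


def matching_rules(flags):
    """Numbers of all rules in 37-42 whose condition the packet satisfies.
    An empty list means none of the scan rules would list the source."""
    return [num for num, _, expr in SCAN_RULES if tcp_flags_match(expr, flags)]


# Constructed sample packets (flag sets only), not captured traffic.
SAMPLES = {
    "normal SYN": {"syn"},
    "normal data": {"psh", "ack"},
    "normal close": {"fin", "ack"},
    "FIN only": {"fin"},
    "SYN+FIN": {"syn", "fin"},
    "FIN/PSH/URG": {"fin", "psh", "urg"},
    "all six flags": set(TCP_FLAGS),
    "no flags": set(),
}

if __name__ == "__main__":
    for name, flags in SAMPLES.items():
        print(f"{name:14} -> rules {matching_rules(flags)}")
```

Note that any packet satisfying rule 41 also satisfies rules 38 and 39, so rule 41 adds nothing that the earlier rules do not already catch; the three legitimate samples match no rule at all.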