How to close all UDP ports on MikroTik?

Hello guys,

I need some rules for closing all UDP ports on a MikroTik router. I have received an abuse report from the Hetzner data center regarding a netscan attack through the following ports:

55341 UDP
445 TCP
53047 UDP

It's so weird, because port 445 was previously closed through the Windows registry (regedit rule). I am wondering how this is possible when this port is closed?


I used these two rules for closing all ports.
Are these right?


/ip firewall filter

/ip firewall filter add action=drop protocol=udp chain=forward
/ip firewall filter add action=drop protocol=tcp chain=forward

Yes. It blocks all traffic passing through your router from the WAN side to LAN devices and from LAN to WAN.
It does not block traffic originating in your firewall and traffic to the WAN port from the world.
Can you show us your firewall and NAT configuration? It would be easier to help you.

/ip firewall filter
/export
/ip firewall nat
/export

I think it should be

/ip firewall filter export
/ip firewall nat export

Doing **/**export right after /ip firewall filter will export everything, not just the firewall filter.

Yes… my mistake. It should have been

/ip firewall filter
export
/ip firewall nat
export

or, shorter, as in your version

Thanks, dude.
I don’t have any NAT rules on my router. I just want to close dangerous ports on my virtual machines through the MikroTik router.

This is the result for the firewall filter:

add chain=forward comment="allow established connections" connection-state=established
add chain=forward comment="allow related connections" connection-state=related
add action=drop chain=forward comment="drop invalid connections" connection-state=invalid
add chain=forward p2p=all-p2p
add chain=forward dst-port=3389 in-interface=ether1 protocol=tcp
add chain=forward dst-port=110 in-interface=ether1 protocol=tcp
add chain=forward dst-port=8080 in-interface=ether1 protocol=tcp
add chain=forward protocol=icmp
add chain=forward dst-port=21 protocol=tcp
add action=drop chain=forward protocol=udp
add action=drop chain=forward protocol=tcp
add action=drop chain=forward in-interface=ether1
add action=drop chain=forward disabled=yes in-interface=ether1 p2p=all-p2p
add action=drop chain=forward comment=keyword_drop content=torrent disabled=yes
add action=drop chain=forward comment=trackers_drop content=tracker disabled=yes
add action=drop chain=forward comment=get_peers_drop content=getpeers disabled=yes
add action=drop chain=forward comment=info_hash_drop content=info_hash disabled=yes
add action=drop chain=forward comment=announce_peers_drop content=announce_peers disabled=yes
add action=drop chain=forward comment=p2p_drop disabled=yes p2p=all-p2p



After I add the following rules, web browsing doesn’t work on the virtual machines (Windows Server 2008 and 2008 R2):

/ip firewall filter add action=drop protocol=udp chain=forward
/ip firewall filter add action=drop protocol=tcp chain=forward

Which ports are necessary for web browsing and upload/download on a VM?
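
Why browsing stops once the two blanket drop rules are in the chain, as an added Python example that is not from any poster in this thread: it walks constructed packets through the enabled rules of the export above in first-match order, then through a variant that accepts new outbound DNS, HTTP and HTTPS ahead of the drops. Assumptions: ether1 is the WAN side, `ether2` is a hypothetical VM-side interface, and the p2p and disabled rules are left out.

```python
# Added illustration: first-match evaluation of the forward chain exported above.
# Enabled rules transcribed from the export (p2p matcher and disabled rules left out).
# Assumptions: ether1 faces the WAN; "ether2" is a hypothetical VM-side interface.
RULES = [
    {"action": "accept", "state": "established"},
    {"action": "accept", "state": "related"},
    {"action": "drop", "state": "invalid"},
    {"action": "accept", "proto": "tcp", "dport": 3389, "in_if": "ether1"},
    {"action": "accept", "proto": "tcp", "dport": 110, "in_if": "ether1"},
    {"action": "accept", "proto": "tcp", "dport": 8080, "in_if": "ether1"},
    {"action": "accept", "proto": "icmp"},
    {"action": "accept", "proto": "tcp", "dport": 21},
    {"action": "drop", "proto": "udp"},
    {"action": "drop", "proto": "tcp"},
    {"action": "drop", "in_if": "ether1"},
]

def evaluate(rules, packet):
    """Return (action, index) of the first rule whose matchers all equal the packet's fields."""
    for i, rule in enumerate(rules):
        if all(packet.get(k) == v for k, v in rule.items() if k != "action"):
            return rule["action"], i
    return "accept", None  # a RouterOS chain accepts when no rule matches

def with_outbound_web(rules):
    """Variant: accept new outbound DNS/HTTP/HTTPS just before the blanket protocol drops."""
    allow = [{"action": "accept", "proto": p, "dport": d, "state": "new", "out_if": "ether1"}
             for p, d in (("udp", 53), ("tcp", 53), ("tcp", 80), ("tcp", 443))]
    cut = next(i for i, r in enumerate(rules) if r["action"] == "drop" and "proto" in r)
    return rules[:cut] + allow + rules[cut:]

def pkt(proto, dport, state, in_if, out_if):
    return {"proto": proto, "dport": dport, "state": state, "in_if": in_if, "out_if": out_if}

# Constructed sample packets (not captured traffic).
PACKETS = {
    "vm_dns_query": pkt("udp", 53, "new", "ether2", "ether1"),
    "vm_https_syn": pkt("tcp", 443, "new", "ether2", "ether1"),
    "https_reply": pkt("tcp", 49500, "established", "ether1", "ether2"),
    "inbound_rdp": pkt("tcp", 3389, "new", "ether1", "ether2"),
    "inbound_smb": pkt("tcp", 445, "new", "ether1", "ether2"),
    "vm_smb_out": pkt("tcp", 445, "new", "ether2", "ether1"),
}

def verdicts(rules):
    return {name: evaluate(rules, p) for name, p in PACKETS.items()}

if __name__ == "__main__":
    for label, rules in (("as posted", RULES), ("with outbound web", with_outbound_web(RULES))):
        print(label, verdicts(rules))
```

In the chain as posted, the VM's DNS query and HTTPS SYN are new connections, so they fall through to the blanket UDP and TCP drops; only replies to already-established flows are accepted. In the variant, TCP 445 stays dropped in both directions.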