Hi All
I have been reading through the forum as I need to build a firewall for my gateway router to protect my clients from nasties, and also to prevent spammers/viruses getting my public IP blacklisted. After sifting through all the advice on offer I have come up with the following config. I think I have covered most things. I would be very grateful for any comments on my config; I have obviously omitted address lists etc. The router is an RB1000, with a single WAN interface supplying 600+ clients via a wireless network.
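/ip firewall connection tracking
# Connection tracking must stay enabled: every connection-state match in the
# filter below depends on it. The forum rendering lost the line continuations
# of this single `set` command, so it is restored to one line here.
# The timeout values appear to be the RouterOS defaults for each state;
# tcp-syncookie=no leaves SYN cookies off (turning them on is the usual
# mitigation if the tracking table fills up under a SYN flood - confirm against
# the router's memory headroom before changing it).
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s tcp-close-wait-timeout=10s tcp-established-timeout=1d tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s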
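/ip firewall filter
# --- forward chain: traffic passing THROUGH the router (clients <-> WAN) -------
# NOTE: only chain=forward rules are present in this export; nothing shown here
# filters traffic addressed to the router itself (chain=input).
# Each rule is one line (the forum dropped the continuation markers) and uses
# straight quotes, which RouterOS requires; disabled=no is the default and is
# omitted.
# Stateful fast path: packets belonging to known connections are accepted first,
# so only NEW connections are evaluated by everything that follows.
add action=accept chain=forward comment="allow established connections" connection-state=established
add action=accept chain=forward comment="allow related connections" connection-state=related
add action=drop chain=forward comment="drop invalid connections" connection-state=invalid
# Every new connection is checked against the worm/backdoor port list. If no rule
# in chain=virus matches, RouterOS returns here and continues with the next
# forward rule.
add action=jump chain=forward comment="jump to the virus chain" jump-target=virus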
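# --- virus chain: port-based drops for well-known worms and backdoors ----------
# Entered from chain=forward with no in-interface, so these rules drop NEW
# connections in both directions (client -> Internet and Internet -> client).
# NOTE(review): these are plain dst-port matches, so they also block legitimate
# services that happen to use the same ports (for example everything in
# 1024-1030, 1080, 1433-1434 and 10000); check the list against what clients
# actually need. The three rules whose comment is "________" were left
# unlabelled in the original - fill the label in.
# Fixed here: the two identical tcp/2745 rules (Bagle / Beagle.C-K) are merged
# into one, and the forum's curly quotes are replaced with straight quotes.
add action=drop chain=virus comment="Drop Blaster Worm" dst-port=135-139 protocol=tcp
add action=drop chain=virus comment="Drop Messenger Worm" dst-port=135-139 protocol=udp
add action=drop chain=virus comment="Drop Blaster Worm" dst-port=445 protocol=tcp
add action=drop chain=virus comment="Drop Blaster Worm" dst-port=445 protocol=udp
add action=drop chain=virus comment="________" dst-port=593 protocol=tcp
add action=drop chain=virus comment="________" dst-port=1024-1030 protocol=tcp
add action=drop chain=virus comment="Drop MyDoom" dst-port=1080 protocol=tcp
add action=drop chain=virus comment="________" dst-port=1214 protocol=tcp
add action=drop chain=virus comment="ndm requester" dst-port=1363 protocol=tcp
add action=drop chain=virus comment="ndm server" dst-port=1364 protocol=tcp
add action=drop chain=virus comment="screen cast" dst-port=1368 protocol=tcp
add action=drop chain=virus comment="hromgrafx" dst-port=1373 protocol=tcp
add action=drop chain=virus comment="cichlid" dst-port=1377 protocol=tcp
add action=drop chain=virus comment="Worm" dst-port=1433-1434 protocol=tcp
add action=drop chain=virus comment="Drop Dumaru.Y" dst-port=2283 protocol=tcp
add action=drop chain=virus comment="Drop Beagle" dst-port=2535 protocol=tcp
add action=drop chain=virus comment="Drop Bagle / Beagle.C-K" dst-port=2745 protocol=tcp
add action=drop chain=virus comment="Drop MyDoom" dst-port=3127-3128 protocol=tcp
add action=drop chain=virus comment="Drop Backdoor OptixPro" dst-port=3410 protocol=tcp
add action=drop chain=virus comment="Worm" dst-port=4444 protocol=tcp
add action=drop chain=virus comment="Worm" dst-port=4444 protocol=udp
add action=drop chain=virus comment="Drop Sasser" dst-port=5554 protocol=tcp
add action=drop chain=virus comment="Drop Beagle.B" dst-port=8866 protocol=tcp
add action=drop chain=virus comment="Drop Dabber.A-B" dst-port=9898 protocol=tcp
add action=drop chain=virus comment="Drop Dumaru.Y" dst-port=10000 protocol=tcp
add action=drop chain=virus comment="Drop MyDoom.B" dst-port=10080 protocol=tcp
add action=drop chain=virus comment="Drop NetBus" dst-port=12345 protocol=tcp
add action=drop chain=virus comment="Drop Kuang2" dst-port=17300 protocol=tcp
add action=drop chain=virus comment="Drop SubSeven" dst-port=27374 protocol=tcp
add action=drop chain=virus comment="Drop PhatBot, Agobot, Gaobot" dst-port=65506 protocol=tcp
# No explicit return is needed: falling off the end of a jumped-to chain returns
# to the calling chain.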
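# --- forward chain continued: per-service policy for NEW connections ----------
add action=accept chain=forward comment="Allow HTTP" dst-port=80 protocol=tcp
# SMTP (tcp/25). Rule order is what makes this work:
#   1. hosts already on the spammer list are dropped whatever mailer they target;
#   2. the detect rule lists abusive senders but does not stop the packet
#      (add-src-to-address-list is a non-terminating action);
#   3. mail to the authorised relays is accepted;
#   4. all remaining tcp/25 is dropped.
# In the original order the accept/drop pair came first and terminated every
# tcp/25 packet, so the detect and block rules were never reached and the
# spammer list could never fill. The drop no longer needs a negated
# address-list match (the original's mismatched quotes around "!safe mailers"
# would not have imported anyway): whatever the accept rule did not take is
# unauthorised by definition.
add action=drop chain=forward comment="BLOCK SPAMMERS OR INFECTED USERS" dst-port=25 protocol=tcp src-address-list=spammer
# NOTE(review): connection-limit=30,24 counts connections per /24 of the source
# address, so one client can be listed on the strength of its neighbours' SMTP
# sessions; connection-limit=30,32 counts per host. Value left as posted.
add action=add-src-to-address-list address-list=spammer address-list-timeout=1d chain=forward comment="Detect and add-list SMTP virus or spammers" connection-limit=30,24 dst-port=25 limit=50,5 protocol=tcp
add action=accept chain=forward comment="Authorised Mail" dst-address-list="safe mailers" dst-port=25 protocol=tcp
add action=drop chain=forward comment="Unauthorised Mail" dst-port=25 protocol=tcp
# NOTE(review): the three accepts below carry no in-interface, so new TCP, UDP
# and ICMP connections arriving from the WAN side towards clients are accepted
# just like client-originated ones. If clients should not be reachable from the
# Internet, match in-interface=<LAN interface> on these rules (placeholder -
# the interface names are not in the post).
add action=accept chain=forward comment="allow TCP" protocol=tcp
add action=accept chain=forward comment="allow ping" protocol=icmp
add action=accept chain=forward comment="allow udp" protocol=udp
# The posted rule had no protocol matcher, which made it an accept-everything
# rule and left the final drop unreachable; protocol=gre limits it to the PPTP
# tunnel protocol its comment describes.
add action=accept chain=forward comment="VPN pptp (GRE)" protocol=gre
add action=drop chain=forward comment="Drop everything else"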
/ip firewall service-port
# RouterOS connection-tracking helpers (ALGs). Each one inspects its protocol's
# payload to associate the extra connections that protocol negotiates with the
# parent connection; the order of these `set` lines has no effect.
# NOTE(review): a helper only adds value for protocols clients really use, and
# each enabled one is extra parsing of untrusted payload on the router - worth
# confirming that irc, h323 and tftp are needed on this network.
set ftp ports=21 disabled=no
set tftp ports=69 disabled=no
set irc ports=6667 disabled=no
set h323 disabled=no
set pptp disabled=no
# SIP helper switched off: SIP/RTP is tracked like ordinary UDP instead.
set sip ports=5060,5061 disabled=yes