Need Help on the IP Firewall Filter

Hi,
Can anyone suggest or guide me about sorting these rules?


/ip firewall filter
add action=jump chain=input comment=In-Mikrotik in-interface-list=WAN \
    jump-target=In-Mikrotik
add action=accept chain=In-Mikrotik comment=Mikrotik dst-port=8291 protocol=\
    tcp
add action=return chain=In-Mikrotik comment="In-Mikrotik Return"
add action=reject chain=input disabled=yes in-interface-list=all reject-with=\
    icmp-host-prohibited src-address-list=BlackList_DHCP
add action=drop chain=forward disabled=yes out-interface-list=all \
    src-address-list=BlackList_DHCP
add action=accept chain=input comment=\
    "Accept established,related connections" connection-state=\
    established,related
add action=drop chain=input comment="invalid connections" connection-state=\
    invalid
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=accept chain=forward comment=\
    "Accept established,related connections" connection-state=\
    established,related
add action=drop chain=input comment="drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=accept chain=output comment=\
    "Accept established,related connections" connection-state=\
    established,related
add action=drop chain=forward comment="invalid connections" connection-state=\
    invalid
add action=accept chain=input comment="Allow Wireguard Traffic" src-address=\
    192.168.99.0/24
add action=accept chain=input src-address=192.168.77.0/24
add action=accept chain=input comment="Allow Wireguard" dst-port=9840 \
    protocol=udp
add action=accept chain=input dst-port=9841 protocol=udp
add action=accept chain=input comment="PPTP VPN" dst-port=1723 protocol=tcp
add action=accept chain=forward dst-address-list="LAN Users" src-address=\
    192.168.77.0/24
add action=accept chain=forward dst-address-list="LAN Users" src-address=\
    192.168.99.0/24
add action=accept chain=forward comment="Allow LAN DNS queries-UDP" dst-port=\
    53 protocol=udp src-address-list="LAN Users"
add action=accept chain=forward comment="Allow LAN DNS queries-TCP" dst-port=\
    53 protocol=tcp src-address-list="LAN Users"
add action=accept chain=input comment=UDP disabled=yes protocol=udp
add action=jump chain=forward connection-state=new jump-target=block-ddos
add action=jump chain=forward comment="jump to the virus chain" jump-target=\
    virus
add action=jump chain=forward jump-target=tcp protocol=tcp
add action=jump chain=forward jump-target=udp protocol=udp
add action=drop chain=tcp comment="deny TFTP" dst-port=69 protocol=tcp
add action=drop chain=tcp comment="deny RPC portmapper" dst-port=111 \
    protocol=tcp
add action=drop chain=tcp comment="deny RPC portmapper" dst-port=135 \
    protocol=tcp
add action=drop chain=tcp comment="deny NBT" dst-port=137-139 protocol=tcp
add action=drop chain=tcp comment="deny cifs" dst-port=445 protocol=tcp
add action=drop chain=tcp comment="deny NFS" dst-port=2049 protocol=tcp
add action=drop chain=tcp comment="deny NetBus" dst-port=12345-12346 \
    protocol=tcp
add action=drop chain=tcp comment="deny NetBus" dst-port=20034 protocol=tcp
add action=drop chain=tcp comment="deny BackOrifice" dst-port=3133 protocol=\
    tcp
add action=drop chain=tcp comment="deny DHCP" dst-port=67-68 protocol=tcp \
    src-port=67-68
add action=drop chain=virus comment="Blaster Worm" dst-port=135-139 protocol=\
    tcp
add action=drop chain=virus comment="Blaster Worm" dst-port=445 protocol=tcp
add action=drop chain=virus comment=________ dst-port=593 protocol=tcp
add action=drop chain=virus comment=________ dst-port=1024-1030 protocol=tcp
add action=drop chain=virus comment=MyDoom dst-port=1080 protocol=tcp
add action=drop chain=virus comment=________ dst-port=1214 protocol=tcp
add action=drop chain=virus comment="ndm requester" dst-port=1363 protocol=\
    tcp
add action=drop chain=virus comment="ndm server" dst-port=1364 protocol=tcp
add action=drop chain=virus comment="screen cast" dst-port=1368 protocol=tcp
add action=drop chain=virus comment=hromgrafx dst-port=1373 protocol=tcp
add action=drop chain=virus comment=cichlid dst-port=1377 protocol=tcp
add action=drop chain=virus comment=Worm dst-port=1433-1434 protocol=tcp
add action=drop chain=virus comment="Bagle Virus" dst-port=2745 protocol=tcp
add action=drop chain=virus comment=Dumaru.Y dst-port=2283 protocol=tcp
add action=drop chain=virus comment=Beagle dst-port=2535 protocol=tcp
add action=drop chain=virus comment=Beagle.C-K dst-port=2745 protocol=tcp
add action=drop chain=virus comment=MyDoom dst-port=3127-3128 protocol=tcp
add action=drop chain=virus comment="Backdoor OptixPro" dst-port=3410 \
    protocol=tcp
add action=drop chain=virus comment=Sasser dst-port=5554 protocol=tcp
add action=drop chain=virus comment=Beagle.B dst-port=8866 protocol=tcp
add action=drop chain=virus comment=Dabber.A-B dst-port=9898 protocol=tcp
add action=drop chain=virus comment=Dumaru.Y dst-port=10000 protocol=tcp
add action=drop chain=virus comment=MyDoom.B dst-port=10080 protocol=tcp
add action=drop chain=virus comment=NetBus dst-port=12345 protocol=tcp
add action=drop chain=virus comment=Kuang2 dst-port=17300 protocol=tcp
add action=drop chain=virus comment=SubSeven dst-port=27374 protocol=tcp
add action=drop chain=virus comment="PhatBot, Agobot, Gaobot" dst-port=65506 \
    protocol=tcp
add action=drop chain=virus comment=Trinoo dst-port=27444 protocol=tcp
add action=drop chain=virus comment="Messenger Worm" dst-port=135-139 \
    protocol=udp
add action=drop chain=virus comment="Blaster Worm" dst-port=445 protocol=udp
add action=drop chain=udp comment="deny DHCP" dst-port=67-68 protocol=udp \
    src-port=67-68
add action=drop chain=udp comment="deny TFTP" dst-port=69 protocol=udp
add action=drop chain=udp comment="deny RPC portmapper" dst-port=111 \
    protocol=udp
add action=drop chain=udp comment="deny RPC portmapper" dst-port=135 \
    protocol=udp
add action=drop chain=udp comment="deny NBT" dst-port=137-139 protocol=udp
add action=drop chain=udp comment="deny NFS" dst-port=2049 protocol=udp
add action=drop chain=udp comment="deny BackOrifice" dst-port=3133 protocol=\
    udp
add action=drop chain=virus comment=Trinoo dst-port=12667 protocol=udp
add action=drop chain=virus comment=Trinoo dst-port=27665 protocol=udp
add action=drop chain=virus comment=Trinoo dst-port=27444 protocol=udp
add action=drop chain=virus comment=Trinoo dst-port=31335 protocol=udp
add action=drop chain=virus comment=Trinoo dst-port=34555 protocol=udp
add action=drop chain=virus comment=Trinoo dst-port=35555 protocol=udp
add action=drop chain=input comment="ping port scanners" src-address-list=\
    "port scanners"
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2m chain=input comment="Port scanners to list " \
    protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2m chain=input comment="NMAP FIN Stealth scan" \
    protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2m chain=input comment="SYN/FIN scan" protocol=tcp \
    tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2m chain=input comment="SYN/RST scan" protocol=tcp \
    tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2m chain=input comment="FIN/PSH/URG scan" protocol=\
    tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=30m chain=input comment="ALL/ALL scan" protocol=tcp \
    tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2m chain=input comment="NMAP NULL scan" protocol=tcp \
    tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=forward connection-state=new dst-address-list=ddosed \
    src-address-list=ddoser
add action=return chain=block-ddos dst-limit=50,50,src-and-dst-addresses/10s
add action=add-dst-to-address-list address-list=ddosed address-list-timeout=\
    1m chain=block-ddos log=yes
add action=add-src-to-address-list address-list=ddoser address-list-timeout=\
    1m chain=block-ddos log=yes
add action=drop chain=forward comment="Drop to bogon list" dst-address-list=\
    bogons
add action=accept chain=forward disabled=yes dst-address-list="LAN Users" \
    src-address-list="LAN Users"
add action=drop chain=tcp dst-port=25 protocol=tcp
add action=drop chain=output comment="invalid connections" connection-state=\
    invalid
add action=drop chain=forward comment="drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat in-interface-list=WAN

I moved and re-titled your post because the term scripting has an unrelated meaning to what you posted above.

But as for that post, I’m not sure what type of “sorting” you’re wanting.

At a quick glance, it looks like nearly all of it can be sorted directly into the round file. There is zero point to those “virus” rules when the default input rule is “drop”.

Did you just go out and Google up a bunch of rules and toss them into the router by the shovel-full, or do you instead have a defined threat model for each one?

If it were me in charge of this network, I’d back up what you have now, return to the default configuration, and then audit each change line-by-line. Anything I cannot justify by drawing a line between an actual ongoing threat and a specific, working remedy would remain on the cutting room floor.

Extremely sorry if I dropped it in the wrong place.
Nowadays I'm learning and practicing on MikroTik routers. I have a good command of the pfSense firewall, but I got a hardware-based MikroTik router because it is user friendly for our small office network, and I applied these rules after reading multiple posts on this forum.

I just want to know about the sorting of these rules which I have shared. I don't have expert or advanced-level experience with it.

I would appreciate it if someone could help me in this regard.

Complete garbage, and dangerous. Here is what you need...
First, for ease of reading and troubleshooting, keep chains together, as the order within a chain is very important!
PPTP VPN is not secure, and thus is not included in your config. If you have WireGuard, why are you using anything else? Especially since you claim to want to be secure!!
One should never access Winbox directly over the internet; access it from the LAN or from a VPN incoming to the router.


/interface list member
add interface=etherX list=WAN
add interface=bridge list=LAN
add interface=wireguard1 list=LAN

/ip firewall filter
# default rules to keep
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input comment="accept ICMP" protocol=icmp
# admin rules
add action=accept chain=input comment="Wireguard handshake" dst-port=9840 protocol=udp
add action=accept chain=input comment="allow only LAN LIST users" in-interface-list=LAN
# put this rule last in the input chain and only after the above allow LAN rule is in place
add action=drop chain=input comment="drop all else"
# ++++++++++++++++++++++++++++++++++++++
# default rules to keep
add action=fasttrack-connection chain=forward connection-state=established,related
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid
# admin rules
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="Allow Wireguard Traffic" in-interface=wireguard1 dst-address=192.168.77.0/24
# enable or remove if not required
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat disabled=yes
add action=drop chain=forward comment="drop all else"

That should be your starting config.
Then ask yourself: is there any other traffic I need to allow?
State the requirements so we can assist.
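As an added example that is not part of the thread, the checker below turns the two points made in the reply above into something you can run against an actual export: it parses the `/ip firewall filter` output, re-emits it with each chain's rules kept together (safe, since RouterOS only evaluates order within a chain), and flags rules that sit after a catch-all drop or accept in the same chain (they are never reached, which is exactly what happens if "drop all else" is placed before the WireGuard rule) as well as jumps to a chain that no rule defines. The sample export is constructed for this example: it is the reply's starting config with those two mistakes deliberately introduced. Function and constant names are my own, not RouterOS or forum code.

```python
"""Added example: parse a RouterOS '/ip firewall filter' export, keep each
chain's rules together, and flag ordering mistakes (a rule placed after a
catch-all terminal rule in the same chain is never evaluated; a jump to a
chain that no rule defines does nothing)."""
import re
import shlex

# Actions that stop evaluation of the packet within the current chain.
TERMINAL_ACTIONS = {"accept", "drop", "reject", "tarpit"}
# Keys that do not narrow which packets a rule matches.
NON_MATCH_KEYS = {"action", "chain", "comment", "disabled", "log", "log-prefix",
                  "jump-target", "address-list", "address-list-timeout"}

# Constructed sample (not a real export): the reply's starting config with two
# deliberate mistakes, the input "drop all else" rule placed before the
# WireGuard handshake rule, and a jump to a "block-ddos" chain never defined.
SAMPLE_EXPORT = r"""
/ip firewall filter
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=accept chain=input comment="allow only LAN LIST users" \
    in-interface-list=LAN
add action=drop chain=input comment="drop all else"
add action=accept chain=input comment="Wireguard handshake" dst-port=9840 \
    protocol=udp
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid
add action=jump chain=forward connection-state=new jump-target=block-ddos
add action=accept chain=forward comment="internet traffic" \
    in-interface-list=LAN out-interface-list=WAN
add action=drop chain=forward comment="drop all else"
add action=accept chain=forward comment="port forwarding" disabled=yes \
    connection-nat-state=dstnat
"""


def parse_filter_export(text):
    """Return one dict per 'add ...' rule, in export order, with
    backslash-continued lines folded and quoted values unquoted."""
    joined = re.sub(r"\\\n\s*", "", text)
    rules = []
    for line in joined.splitlines():
        line = line.strip()
        if not line.startswith("add "):
            continue  # the path line and blank lines
        rule = {}
        for token in shlex.split(line[4:]):
            key, _, value = token.partition("=")
            rule[key] = value
        rules.append(rule)
    return rules


def group_by_chain(rules):
    """Chain name -> that chain's rules, relative order preserved."""
    chains = {}
    for rule in rules:
        chains.setdefault(rule["chain"], []).append(rule)
    return chains


def is_catch_all(rule):
    """Enabled terminal rule with no matchers: nothing after it in its chain runs."""
    return (rule.get("action") in TERMINAL_ACTIONS
            and rule.get("disabled") != "yes"
            and not (set(rule) - NON_MATCH_KEYS))


def find_problems(rules):
    """(export index, chain, message) for shadowed rules and dangling jumps."""
    chains = group_by_chain(rules)
    blocked = set()  # chains in which a catch-all terminal rule was already seen
    problems = []
    for idx, rule in enumerate(rules):
        chain = rule["chain"]
        if chain in blocked and rule.get("disabled") != "yes":
            problems.append((idx, chain, "unreachable: follows a catch-all terminal rule"))
        if is_catch_all(rule):
            blocked.add(chain)
        if rule.get("action") == "jump" and rule.get("jump-target") not in chains:
            problems.append((idx, chain, f"jump to undefined chain {rule['jump-target']!r}"))
    return problems


def regroup_by_chain(rules):
    """Re-emit the export with each chain's rules kept together. Order between
    chains does not matter to RouterOS, only order within a chain does."""
    lines = ["/ip firewall filter"]
    for chain_rules in group_by_chain(rules).values():
        for rule in chain_rules:
            parts = [f'{k}="{v}"' if (" " in v or not v) else f"{k}={v}"
                     for k, v in rule.items()]
            lines.append("add " + " ".join(parts))
    return lines


if __name__ == "__main__":
    parsed = parse_filter_export(SAMPLE_EXPORT)
    for idx, chain, msg in find_problems(parsed):
        print(f"rule {idx} ({chain}): {msg}")
    print("\n".join(regroup_by_chain(parsed)))
```

Paste the output of `/ip firewall filter export` into `SAMPLE_EXPORT` (or read it from a file) to check a real box; the unreachable-rule check only recognises a rule with no matchers at all as catch-all, so a terminal rule that matches on something (for example `in-interface-list=!LAN`) will still shadow later rules for that traffic without being reported here.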