Review of PPPoE and Firewall rules for improvements

Ok, @anav and @rextended. Most of the rules that currently exist were applied following security requirements provided by Mikrotik:
https://help.mikrotik.com/docs/spaces/ROS/pages/28606504/DDoS+Protection
https://help.mikrotik.com/docs/spaces/ROS/pages/268337176/Bruteforce+prevention

I am currently consulting a basic rules manual published by @rextended: http://forum.mikrotik.com/t/buying-rb1100ahx4-dude-edition-questions-about-firewall/148996/4

Currently, my original firewall is an OPNSENSE, which is millions of times easier to configure than Mikrotik. Sometimes I leave Mikrotik in the DMZ for experiments.

I have been studying Mikrotik for 2 years, but my focus is actually on algorithms, competitive programming and machine learning. I may have made some mistakes in the network configurations. For this reason, I am asking for the community’s opinion to improve my knowledge of firewall rules and the general settings of my device.
I find it curious that you have so much to criticize, but do not provide adequate guidance on the problems implicit in the implementation. Even so, I respect you both, as you are community entities. You have already helped in many problem corrections.
Even so, I would like you to be clearer about the firewall rules; I am studying the most recommended ones that have been published in the community.

I’ve just implemented most of @rextended’s advice and I see that I have a lot to learn.
Sometimes I forget that networking is about thinking about the relationships between parts in a more general way. I haven’t removed the previous rules or implemented interface lists yet, but I’ll do that by tomorrow.
Currently the firewall rules look like this (I know, a mess):

# 2025-05-15 00:35:23 by RouterOS 7.18.2
# software id = XHA8-7FTF
#
# model = RB760iGS
# serial number = DX50XE76XA6X
/ip ipsec policy group
add name="Grupo IPsec VPN"
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
# NOTE(review): enc-algorithm still offers 3des next to aes-256. The peer below is
# IKEv2 with certificate-based identities, so aes-256 alone should be enough unless a
# specific client is known to need 3des; dh-group=modp2048 and sha256 are reasonable.
add dh-group=modp2048 dpd-interval=2m dpd-maximum-failures=5 enc-algorithm=\
    aes-256,3des hash-algorithm=sha256 name="Perfil IPsec VPN"
/ip ipsec peer
# passive=yes: the router only answers IKE from remote initiators, it never dials out.
add exchange-mode=ike2 name="Peer IPsec VPN" passive=yes profile=\
    "Perfil IPsec VPN"
/ip ipsec proposal
set [ find default=yes ] disabled=yes
# NOTE(review): the phase-2 proposal keeps sha1 as a fallback and sets pfs-group=none,
# so child SAs get no perfect forward secrecy. Consider pfs-group=modp2048 (matching
# the profile's dh-group) and dropping sha1 if no client requires it.
add auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc name="IPsec VPN" \
    pfs-group=none
/ip pool
# PPPoE-Remoto feeds the PPPoE subscribers (address-list "clientes" below) and
# "Pool VPN" feeds IPsec mode-config (address-list "permitidos" below); the lists must
# be kept in sync with these ranges or the filter rules keyed on them stop matching.
add name=PPPoE-Remoto ranges=10.80.80.0/24
add name="Pool VPN" ranges=10.80.88.0/24
/ip ipsec mode-config
add address-pool="Pool VPN" name="IPsec VPN"
/ip smb users
set [ find default=yes ] disabled=yes
# NOTE(review): the export omits passwords, so confirm this SMB account has one; no
# filter rule in this export restricts SMB (TCP 445/139) on the input chain.
add name=admin
/ip address
add address=10.0.0.1 interface=Loopback network=10.0.0.1
/ip cloud
# DDNS publishes the current WAN address under the router's cloud hostname every hour.
set ddns-enabled=yes ddns-update-interval=1h
/ip dhcp-client
# ether2 is the uplink; the filter rules below use in-interface=ether2 as "WAN".
add interface=ether2
/ip dns
# allow-remote-requests=yes turns the router into a recursive resolver for every
# source that reaches its input chain. The "Drop acesso externo ao DNS" filter rules
# are the only thing preventing an open resolver, so they must stay enabled and
# ahead of any input accept for port 53.
set allow-remote-requests=yes cache-max-ttl=2d cache-size=6120KiB \
    query-server-timeout=4s query-total-timeout=15s servers=\
    8.8.4.4,8.8.8.8,1.1.1.1
/ip firewall address-list
# ddos-attackers / ddos-targets are created empty; the detect-ddos chain fills them
# dynamically with 30m timeouts and the raw prerouting rule drops matching pairs.
add list=ddos-attackers
add list=ddos-targets
# "permitidos": sources exempt from the brute-force, port-probe and DNS checks below
# (VPN pool, 192.168.10.0/24 LAN, 10.0.8.0/24). The PPPoE "clientes" range is NOT in
# it, so PPPoE subscribers are subject to the ssh/winbox staging rules like any
# external source.
add address=10.80.88.0/24 list=permitidos
add address=192.168.10.0/24 list=permitidos
add address=10.80.80.0/24 comment="Rede interna - PPPOE" list=clientes
add address=10.0.8.0/24 list=permitidos
# NOTE(review): list "dns" holds only the two Google resolvers although /ip dns also
# uses 1.1.1.1, and no rule in this export references the list; reconcile or remove.
add address=8.8.4.4 comment=DNS list=dns
add address=8.8.8.8 list=dns
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
# NOTE(review): !dynamic excludes PPPoE sessions but still includes ether2 (the
# uplink), so MNDP/LLDP announcements carrying model and version are sent upstream;
# a LAN-only interface list would be the usual choice here.
set discover-interface-list=!dynamic
/ip settings
# rp-filter=strict drops packets that arrive on an interface other than the route back
# to their source; revisit if a second uplink is ever added (the NAT rule is labelled
# "Link 2"). tcp-syncookies protects the router's own listeners from SYN floods.
set rp-filter=strict tcp-syncookies=yes
/ip firewall filter
# NOTE(review): neither chain=input nor chain=forward ends with a catch-all drop, so
# RouterOS's default policy (accept) applies to everything not matched below. Every
# add-src-to-address-list rule is non-terminating: it only tags the source, and the
# packet that triggered it keeps going and is accepted unless an explicit drop follows.
# The stock defconf rule that closes this gap on input is
#   add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
# (requires the WAN/LAN interface lists that are not yet defined in this export).
add action=accept chain=input comment=\
    "Permitir respostas estabelecidas e relacionadas" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
# Fasttrack must precede the generic established/related accept or it never matches.
add action=fasttrack-connection chain=forward comment=\
    "Permitir respostas estabelecidas e relacionadas" connection-state=\
    established,related hw-offload=yes
add action=accept chain=forward comment=\
    "Permitir respostas estabelecidas e relacionadas" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
# Order-dependent: this accept must stay ahead of the "Bloquear acesso dos clientes -
# LAN interna" drop near the end, which otherwise covers 192.168.10.254 as well.
add action=accept chain=forward comment=\
    "Permitir acesso dos clientes - DNS interno" dst-address=192.168.10.254 \
    dst-port=53 protocol=udp src-address-list=clientes
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface=ether2
# Disabled. tcp-flags="" has no meaning for protocol=icmp and can be removed.
add action=drop chain=input comment="Bloquear ICMP externo" disabled=yes \
    protocol=icmp src-address-list=!permitidos tcp-flags=""
# "violou" pair: the drop is listed before the tagging rule, so the first TCP SYN to a
# port other than 81 from ether2 is only tagged here and, with no final drop, still
# reaches the service. Because the established/related accept at the top runs first,
# that connection also continues; the 30m ban only affects later NEW connections.
# Only TCP is covered; UDP probes are not tagged at all.
add action=drop chain=input comment="Violou a porta" in-interface=ether2 \
    src-address-list=violou
add action=add-src-to-address-list address-list=violou address-list-timeout=\
    30m chain=input comment="Tentativa de acesso em portas incorretas" \
    connection-state=new dst-port=!81 in-interface=ether2 protocol=tcp \
    src-address-list=!permitidos
# Winbox (moved to 81) staging: three new connections within ~1m from a non-permitidos
# source on ether2 -> winbox_blacklist for 3w4d. Only stage1 is limited to ether2; the
# blacklist drop is port-scoped (81/tcp) so other access from that source is untouched.
add action=drop chain=input comment="Drop winbox brute forcers" dst-port=81 \
    protocol=tcp src-address-list=winbox_blacklist
add action=add-src-to-address-list address-list=winbox_blacklist \
    address-list-timeout=3w4d chain=input connection-state=new dst-port=81 \
    protocol=tcp src-address-list=winbox_stage2
add action=add-src-to-address-list address-list=winbox_stage2 \
    address-list-timeout=1m chain=input connection-state=new dst-port=81 \
    protocol=tcp src-address-list=winbox_stage1
add action=add-src-to-address-list address-list=winbox_stage1 \
    address-list-timeout=1m chain=input connection-state=new dst-port=81 \
    in-interface=ether2 protocol=tcp src-address-list=!permitidos
# SSH staging: same pattern, but the ssh_blacklist drop has no port/protocol match, so
# a blacklisted source loses ALL access to the router for 3w4d, and ssh_stage1 has no
# in-interface match, so PPPoE clients (not in permitidos) are subject to it as well.
add action=drop chain=input comment="Drop ssh brute forcers" \
    src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist \
    address-list-timeout=3w4d chain=input connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
    address-list-timeout=1m chain=input connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
    address-list-timeout=5m chain=input connection-state=new dst-port=22 \
    protocol=tcp src-address-list=!permitidos
# NOTE(review): "530 Login incorrect" is sent BY the router to the client, i.e. it
# traverses chain=output, not chain=input; the MikroTik reference places this
# add-dst-to-address-list rule in chain=output. In chain=input it can never match.
# FTP is also disabled under /ip service, so both rules are currently dead weight.
add action=drop chain=input comment="Drop ftp brute forcers" dst-port=21 \
    protocol=tcp src-address-list=ftp_blacklist
add action=add-dst-to-address-list address-list=ftp_blacklist \
    address-list-timeout=3h chain=input content="530 Login incorrect" \
    protocol=tcp src-address-list=!permitidos
# NOTE(review): the layer7 definition CVE-2023-28771-2 is not part of this export
# (/ip firewall layer7-protocol is not shown). With dst-port="" the regex is evaluated
# against every UDP flow reaching input, which is CPU-costly on this hardware; the
# referenced advisory concerns a Zyxel IKE decoder, so if kept, scope it to udp
# 500,4500 where IKE actually arrives.
add action=drop chain=input comment="Solu\C3\A7\C3\A3o: https://packetstormsec\
    urity.com/files/172820/Zyxel-IKE-Packet-Decoder-Unauthenticated-Remote-Cod\
    e-Execution.html" dst-port="" layer7-protocol=CVE-2023-28771-2 log=yes \
    protocol=udp
# NOTE(review): the comment says "(Desativado)" and migrated to OpenVPN, but the rule
# carries no disabled=yes, so UDP 500/4500 is still accepted from any source. Either
# add disabled=yes or update the comment; src-port="" is a no-op and can go.
add action=accept chain=input comment=\
    "(Desativado) - Migrado para OPENVPN Permitir conexoes IPSEC/IKE2" \
    dst-port=500,4500 protocol=udp src-port=""
# Forward traffic that was decrypted by / will be encrypted by an IPsec policy.
add action=accept chain=forward comment="Aceitar pol\C3\ADtica em IPSEC" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment=\
    "Aceitar a pol\C3\ADtica IPSEC - Saida de banda pela Mikrotik" \
    ipsec-policy=out,ipsec
# Port-scan detection (psd) has no in-interface match, so scans from the LAN/PPPoE
# side also earn a 1h ban on all input from that source.
add action=drop chain=input comment="Scanner de portas" src-address-list=\
    port_scanners
add action=add-src-to-address-list address-list=port_scanners \
    address-list-timeout=1h chain=input protocol=tcp psd=8,3s,3,2
add action=add-src-to-address-list address-list=port_scanners \
    address-list-timeout=1h chain=input protocol=udp psd=8,3s,3,2
# detect-ddos: new forward connections per (src,dst) pair beyond dst-limit are tagged;
# the raw prerouting "Anti-ddos" rule then drops that pair for 30m.
add action=jump chain=forward comment="Protect DDOS" connection-state=new \
    jump-target=detect-ddos
# NOTE(review): the comment says "Rate: 32, Burst: 48" but dst-limit is 48,64 - fix
# one or the other. Per-pair limits this low can be tripped by a legitimate client
# opening many parallel connections to one server, and the penalty is a 30m raw drop,
# so validate against real traffic before relying on it.
add action=return chain=detect-ddos comment="Default - Rate: 32, Burst: 48" \
    dst-limit=48,64,src-and-dst-addresses/10s
add action=add-src-to-address-list address-list=ddos-attackers \
    address-list-timeout=30m chain=detect-ddos
add action=add-dst-to-address-list address-list=ddos-targets \
    address-list-timeout=30m chain=detect-ddos
add action=log chain=detect-ddos log-prefix="DDoS Detected: " \
    src-address-list=ddos-attackers
# SMTP connection-limit tagging. The log rule matches ALL forward traffic from a tagged
# source (not only SMTP) and so can be noisy. NOTE(review): /ip firewall raw drops
# dst-port=25 in prerouting, so the port-25 rules here never see traffic; only the 465
# pair is live.
add action=log chain=forward comment="SPAMMERS LOG" log-prefix=SMTP \
    src-address-list=spammer
add action=add-src-to-address-list address-list=spammer address-list-timeout=\
    10m chain=forward comment="AntiSPAM o AntiWORM" connection-limit=20,32 \
    dst-port=465 protocol=tcp
add action=add-src-to-address-list address-list=spammer address-list-timeout=\
    10m chain=forward connection-limit=20,32 dst-port=25 protocol=tcp
add action=drop chain=forward dst-port=465 protocol=tcp src-address-list=\
    spammer
add action=drop chain=forward dst-port=25 protocol=tcp src-address-list=\
    spammer
# Input SYN-flood: >400 concurrent TCP connections from one /32 -> blocked-addr for
# 1d, after which that source is tarpitted once it holds more than 3 connections.
add action=add-src-to-address-list address-list=blocked-addr \
    address-list-timeout=1d chain=input comment="SYN Flood protect" \
    connection-limit=400,32 protocol=tcp
add action=tarpit chain=input comment="SYN Flood protect" connection-limit=\
    3,32 protocol=tcp src-address-list=blocked-addr
# NOTE(review): SYN-Protect uses a plain limit=, which is global rather than per
# source: once forward new SYNs exceed the configured rate (limit=400,5; confirm the
# rate/burst reading against this release's limit syntax), NEW connections for every
# client are dropped, so one busy or abusive client can starve the rest. A per-source
# dst-limit (as used in detect-ddos) confines the penalty to the offender.
add action=jump chain=forward comment="SYN Flood protect" connection-state=\
    new jump-target=SYN-Protect protocol=tcp tcp-flags=syn
add action=accept chain=SYN-Protect comment="SYN Flood protect" \
    connection-state=new limit=400,5 protocol=tcp tcp-flags=syn
add action=drop chain=SYN-Protect comment="SYN Flood protect" \
    connection-state=new protocol=tcp tcp-flags=syn
# Open-resolver guard for allow-remote-requests=yes. Note the permitidos networks
# (192.168.10.0/24 LAN, VPN pool) are not in "clientes", so they are refused here too;
# only intentional if they resolve via 192.168.10.254 instead of the router.
add action=drop chain=input comment="Drop acesso externo ao DNS - UDP" \
    dst-port=53 protocol=udp src-address-list=!clientes
add action=drop chain=input comment="Drop acesso externo ao DNS - TCP" \
    dst-port=53 protocol=tcp src-address-list=!clientes
# Disabled experiment; the comment string contains a literal CR/LF sequence.
add action=accept chain=input comment=\
    "Experimental para desabilitar \r\
    \n\"Allow Remote DNS\"" disabled=yes dst-port=53 protocol=udp \
    src-address-list=clientes
# Isolates PPPoE subscribers from the 192.168.10.0/24 LAN (related, e.g. ICMP errors,
# still allowed). log=yes here writes one entry per dropped packet from every client;
# consider removing it or adding a limit once the rule is confirmed working.
add action=drop chain=forward comment=\
    "Bloquear acesso dos clientes - LAN interna" connection-state=!related \
    dst-address=192.168.10.0/24 log=yes log-prefix="Block lan network" \
    src-address-list=clientes
# Disabled catch-all logger; no catch-all drop follows it (see note at top of chain).
add action=log chain=input disabled=yes
/ip firewall nat
# Source NAT for everything leaving the uplink.
add action=masquerade chain=srcnat comment="NAT Link 2" out-interface=ether2
# Disabled: would redirect all non-uplink DNS traffic to the router's own cache.
add action=redirect chain=dstnat comment=\
    "Redirecionamento UDP para DNS cache" disabled=yes dst-port=53 \
    in-interface=!ether2 protocol=udp to-ports=53
add action=redirect chain=dstnat comment=\
    "Redirecionamento TCP para DNS cache" disabled=yes dst-port=53 \
    in-interface=!ether2 protocol=tcp to-ports=53
/ip firewall raw
# Raw prerouting runs before connection tracking, so these drops never reach the
# filter chains and apply to every interface, not just ether2.
add action=drop chain=prerouting comment=Anti-ddos dst-address-list=\
    ddos-targets src-address-list=ddos-attackers
# NOTE(review): dropping src-port/dst-port 19,25,1900,11211 on all interfaces means:
# the forward-chain SMTP (port 25) spammer rules in filter can never match, any
# port-25 session from PPPoE clients or the LAN is silently blocked in both
# directions, and udp 1900 (SSDP) is dropped between routed LAN segments too. If
# the intent is only to shield subscribers from amplification sources, scope these
# to in-interface=ether2.
add action=drop chain=prerouting comment="Firewall para clientes banda larga" \
    protocol=udp src-port=19,25,1900,11211
add action=drop chain=prerouting protocol=tcp src-port=19,25,1900,11211
add action=drop chain=prerouting dst-port=19,25,1900,11211 protocol=udp
add action=drop chain=prerouting dst-port=19,25,1900,11211 protocol=tcp
# Inbound probes from the named research scanner are dropped before conntrack.
add action=drop chain=prerouting comment=\
    "https://research-scan.sysnet.ucsd.edu/: 169.228.66.212" src-address=\
    169.228.66.212
# NOTE(review): in chain=output src-address is the router's OWN address, so
# src-address=169.228.66.212 can never match. To block the router's outgoing traffic
# toward that host, as the comment intends, the match should be dst-address=169.228.66.212.
add action=drop chain=output comment="Bloquear o trafego de sa\C3\ADda" \
    src-address=169.228.66.212
# NOTE(review): address-list "Bloqueado" is not defined anywhere in this export; it
# is presumably filled by hand or by a script - confirm, otherwise this matches nothing.
add action=drop chain=prerouting comment="Clientes inadimplente" \
    src-address-list=Bloqueado
/ip ipsec identity
# Certificate-only authentication (match-by=certificate, no PSK). generate-policy=
# port-strict builds per-client policies from the template in "Grupo IPsec VPN" and
# hands out addresses from "Pool VPN" via mode-config.
add auth-method=digital-signature certificate="Server VPN" comment=\
    "Identidade Ipsec dos usuarios da VPN" generate-policy=port-strict \
    match-by=certificate mode-config="IPsec VPN" peer="Peer IPsec VPN" \
    policy-template-group="Grupo IPsec VPN" remote-certificate=\
    "Certificado Cliente"
/ip ipsec policy
# Default policy 0 disabled; only the template below is used (via generate-policy).
set 0 disabled=yes
add comment="Politicas do IPsec VPN" group="Grupo IPsec VPN" proposal=\
    "IPsec VPN" template=yes
/ip service
# telnet/ftp/www/api/api-ssl are off; ssh (22) and winbox (81) remain and are reachable
# from ether2 until the brute-force staging rules in filter blacklist a source. The
# address= parameter of /ip service pins a service to trusted networks independently
# of filter rule order, e.g. `set ssh address=192.168.10.0/24,10.80.88.0/24`.
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set winbox port=81
set api-ssl disabled=yes
/ip smb
# NOTE(review): no enabled= value is exported, so SMB is at this release's default; if
# it is on, nothing in filter restricts TCP 445/139 reaching the router from ether2.
set domain=Archives
/ip smb shares
# The default share exports /flash/pub from the router's own storage; disable it if
# the router is not meant to serve files.
set [ find default=yes ] directory=/flash/pub
add directory=Mikrotik disabled=yes name=Mikrotik
/ip ssh
# strong-crypto=yes disallows the weaker ciphers, MACs and DH groups for the SSH service.
set strong-crypto=yes