scripting for firewall and sorting ports

I need help.


I need a script that will create
ip firewall filter add chain=forward action=accept port=1

till 6000

so it will have 6000 filters in my MikroTik router. Can anyone help me with a script to create this?

And what must the chain be if I want it to just do incoming ports from the net: input, output or forward?

:for x from=1 to=6000 do={/ip firewall filter add chain=forward action=accept protocol=tcp port=$x; /ip firewall filter add chain=forward action=accept protocol=udp port=$x}

For you to specify ports, you must also specify the protocol. The script will create 12000 rules, i.e. 6000 rules for TCP and another 6000 rules for UDP.

6000 rules is madness.

If you want to specify a range of ports you could do something like:

/ip firewall filter add chain=forward protocol=tcp port=1-6000
/ip firewall filter add chain=forward protocol=udp port=1-6000

Thanks for the help. I know 6000 filters are madness,
but it's for monitoring for a week so I can improve on my firewall.

I'll drop the 6000 rules when I'm done with the groups I'm looking at,

for example 1-11

12-25

26-110 etc.

And that's what I want to do:
work on improvements.

I doubt it would work with 6000 filters. It’s just a cpu killer.
Better make 60 filters with ranges 1-100, 101-200, 201-300 and so on.
After a week investigate more deeply into most used ranges.

That's maybe true. Will see what I'll do. Thanks for the information.

Question: I added it to the firewall. It worked 100%, I added it to the top of the list, but rx bytes and tx bytes stay at 0. Can anyone tell me why?

even on port 80, for example?..

All of them, even port 80.

No, port 80: 240 B, 5 packets, but I have a constant 460 connections to the net. Any ideas?

No ideas. Some misconfiguration =)

Hmmmm, that's no good. I'll try this again!

post your /ip firewall export

I'll export it tonight.


Any idea if this is right?


:for x from=1 to=254 do={"/ip firewall address-list add address=10.0.0."$x "comment=""" disabled=no list=smtp-allow"}

/ip firewall address-list add address=10.0.0.0/24 comment="" disabled=no list=smtp-allow

Why not just add that whole subnet as above and make it more efficient?

:for x from=1 to=254 do={/ip firewall address-list add address="10.0.0.$x" comment="" disabled=no list=smtp-allow}

It does, true, but I want to disable 10.0.0.11 and 10.0.0.25 etc. so I can block port 25 per user.
Easier to regulate each IP address.

This is all I got at this point:
/ip firewall filter
add action=drop chain=input comment="" disabled=no dst-port=8001
    in-interface=ether1 protocol=tcp
add action=drop chain=input comment="" disabled=no dst-port=8001
    in-interface=ether2 protocol=tcp
add action=drop chain=input comment="" disabled=no dst-port=8001
    in-interface=ether3 protocol=tcp
add action=add-src-to-address-list address-list="port scanners"
    address-list-timeout=2w chain=input comment="Port scanners to list"
    disabled=no protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners"
    address-list-timeout=2w chain=input comment="NMAP FIN Stealth scan"
    disabled=no protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners"
    address-list-timeout=2w chain=input comment="SYN/FIN scan" disabled=no
    protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners"
    address-list-timeout=2w chain=input comment="SYN/RST scan" disabled=no
    protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners"
    address-list-timeout=2w chain=input comment="FIN/PSH/URG scan"
    disabled=no protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners"
    address-list-timeout=2w chain=input comment="ALL/ALL scan" disabled=no
    protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners"
    address-list-timeout=2w chain=input comment="NMAP NULL scan" disabled=no
    protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=input comment="dropping port scanners" disabled=no
    src-address-list="port scanners"
add action=drop chain=input comment="drop ssh brute forcers" disabled=no
    dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist
    address-list-timeout=1w3d chain=input comment="" connection-state=new
    disabled=no dst-port=22 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage1
    address-list-timeout=1m chain=input comment="" connection-state=new
    disabled=no dst-port=22 protocol=tcp
add action=add-src-to-address-list address-list=ssh_stage2
    address-list-timeout=1m chain=input comment="" connection-state=new
    disabled=no dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage3
    address-list-timeout=1m chain=input comment="" connection-state=new
    disabled=no dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=drop chain=input comment="drop ftp brute forcers" disabled=no
    dst-port=21 protocol=tcp src-address-list=ftp_blacklist
add action=accept chain=forward comment="SMTP-ALLOW" disabled=no dst-port=25
    protocol=tcp src-address-list=smtp-allow
add action=accept chain=forward comment="" disabled=no
    dst-address-list=smtp-allow dst-port=25 protocol=tcp
add action=drop chain=forward comment="SMTP Drop" disabled=no dst-port=25
    protocol=tcp
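An added example, not part of the thread: a small Python audit of the export above. It rejoins the wrapped attribute lines, parses each rule, and lists address lists that rules match on but that no add-*-to-address-list rule ever fills (in the posted export that is ftp_blacklist, which has a drop rule but no feeder). The embedded export is a shortened excerpt of the one posted; the `static` parameter is my own addition for lists maintained by hand under /ip firewall address-list, such as smtp-allow.

```python
import shlex

# Shortened excerpt of the /ip firewall export posted in the thread (quotes
# straightened); indented lines are attributes the export wrapped onto a new line.
EXPORT = """\
/ip firewall filter
add action=add-src-to-address-list address-list="port scanners" chain=input
    comment="NMAP NULL scan" protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=input comment="dropping port scanners" disabled=no
    src-address-list="port scanners"
add action=drop chain=input comment="drop ssh brute forcers" disabled=no
    dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist
    address-list-timeout=1w3d chain=input comment="" connection-state=new
    disabled=no dst-port=22 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage1
    address-list-timeout=1m chain=input comment="" connection-state=new
    disabled=no dst-port=22 protocol=tcp
add action=add-src-to-address-list address-list=ssh_stage2
    address-list-timeout=1m chain=input comment="" connection-state=new
    disabled=no dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage3
    address-list-timeout=1m chain=input comment="" connection-state=new
    disabled=no dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=drop chain=input comment="drop ftp brute forcers" disabled=no
    dst-port=21 protocol=tcp src-address-list=ftp_blacklist
add action=accept chain=forward dst-port=25 protocol=tcp src-address-list=smtp-allow
add action=drop chain=forward comment="SMTP Drop" dst-port=25 protocol=tcp
"""

def parse_export(text):
    """Rejoin wrapped lines, then turn every 'add ...' into a dict of attributes."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("/"):
            continue                      # blank line or section header
        if line.startswith("add "):
            rules.append(line[4:])
        elif rules:
            rules[-1] += " " + line       # continuation of the previous rule
    return [dict(tok.split("=", 1) for tok in shlex.split(r)) for r in rules]

def unfed_address_lists(rules, static=()):
    """Lists a rule matches on that no filter rule fills; 'static' names lists kept
    by hand under /ip firewall address-list (assumed helper, e.g. smtp-allow here)."""
    fed = {r["address-list"] for r in rules if r["action"].endswith("-to-address-list")}
    used = {r[k] for r in rules for k in ("src-address-list", "dst-address-list") if k in r}
    return sorted(used - fed - set(static))
```

Run against the full export, a list reported here means a drop or accept rule that can never match anything unless something else fills the list.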