Hi all,
This is my attempt at a ZBF on mikrotik, it’s quite clean and seems very effective. Open to criticism.
I don’t think all the brute force rules are even necessary with this setup.
I used Trusted → Input Secure (Dynamic Interfaces) src-address-list=secure for IP ranges that are inherently trusted (VPN LAN ranges), as you can’t add a dynamic interface to an interface list permanently: the moment the interface flaps, the item breaks.
/interface list member
add interface=LAN list=trusted
add interface=/29 list=untrusted
add interface=3G list=untrusted
add interface=Dialer1 list=untrusted
[cody@VolckmarHQ] > ip firewall filter export
/ip firewall filter
add action=accept chain=forward comment="Established, Related" connection-state=established,related log-prefix="Established, Related"
add action=accept chain=input comment="Established, Related" connection-state=established,related
add action=add-src-to-address-list address-list=port:xxxx address-list-timeout=1m chain=input dst-port=xxxx log=yes log-prefix=Knock1 protocol=tcp
add action=add-src-to-address-list address-list=secure address-list-timeout=1h chain=input dst-port=xxxx log=yes log-prefix="NEW ALLOWED IP" protocol=tcp src-address-list=port:9000
add action=accept chain=input comment="Trusted -> Input" in-interface-list=trusted log-prefix="Allow -> Trusted"
add action=accept chain=input comment="Trusted -> Input Secure (Dynamic Interfaces)" log-prefix="Allow -> Secure" src-address-list=secure
add action=accept chain=forward comment="Trusted -> Trusted" dst-address-list=secure log-prefix="Allow -> Trusted" src-address-list=secure
add action=accept chain=forward comment="Trusted -> Untrusted" in-interface-list=trusted log-prefix="Allow -> Trusted" out-interface-list=untrusted
add action=drop chain=forward comment="Untrusted -> Trusted" in-interface-list=untrusted log=yes log-prefix="Deny -> Untrusted" out-interface-list=trusted
add action=drop chain=input comment="Untrusted -> Input" in-interface-list=untrusted log=yes log-prefix="Deny -> Untrusted"
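Added example, not from the original post: a small Python model of the rule order above, so each zone rule and the knock sequence can be checked packet by packet. The knock ports are redacted as xxxx in the post, so 9000 (matching the list name port:9000) and 9001 are assumed; address lists hold exact IPs and the 1m/1h timeouts are ignored.

```python
# First-match model of the RouterOS filter chains shown in the post (added example).
# ASSUMPTIONS: knock ports 9000 and 9001 stand in for the redacted xxxx values;
# address lists are plain sets of IP strings; list timeouts are not modelled.
KNOCK1, KNOCK2 = 9000, 9001
ZONES = {"trusted": {"LAN"}, "untrusted": {"/29", "3G", "Dialer1"}}

# (chain, match criteria, action, target address list) in the post's order
RULES = [
    ("forward", {"state": "established"}, "accept", None),
    ("input", {"state": "established"}, "accept", None),
    ("input", {"dst_port": KNOCK1}, "add", f"port:{KNOCK1}"),
    ("input", {"dst_port": KNOCK2, "src_list": f"port:{KNOCK1}"}, "add", "secure"),
    ("input", {"in_list": "trusted"}, "accept", None),
    ("input", {"src_list": "secure"}, "accept", None),
    ("forward", {"src_list": "secure", "dst_list": "secure"}, "accept", None),
    ("forward", {"in_list": "trusted", "out_list": "untrusted"}, "accept", None),
    ("forward", {"in_list": "untrusted", "out_list": "trusted"}, "drop", None),
    ("input", {"in_list": "untrusted"}, "drop", None),
]

def matches(m, pkt, lists):
    """True when every criterion in m holds for pkt (missing fields never match)."""
    checks = {
        "state": lambda v: pkt.get("state") in ("established", "related"),
        "dst_port": lambda v: pkt.get("dst_port") == v,
        "in_list": lambda v: pkt.get("in") in ZONES[v],
        "out_list": lambda v: pkt.get("out") in ZONES[v],
        "src_list": lambda v: pkt.get("src") in lists.get(v, set()),
        "dst_list": lambda v: pkt.get("dst") in lists.get(v, set()),
    }
    return all(checks[k](v) for k, v in m.items())

def evaluate(pkt, lists):
    """Walk the packet's chain in order and return 'accept' or 'drop'.
    add-src-to-address-list records the source and falls through, as in RouterOS;
    a packet that no rule matches hits the chain's default accept."""
    for chain, m, action, target in RULES:
        if chain != pkt["chain"] or not matches(m, pkt, lists):
            continue
        if action == "add":
            lists.setdefault(target, set()).add(pkt["src"])
            continue
        return action
    return "accept"

def knock_and_connect(src, in_iface="Dialer1", lists=None):
    """Constructed scenario: two knocks from src, then a new connection to port 22.
    Returns the three verdicts in order."""
    lists = {} if lists is None else lists
    verdicts = []
    for port in (KNOCK1, KNOCK2, 22):
        pkt = {"chain": "input", "in": in_iface, "src": src, "dst_port": port, "state": "new"}
        verdicts.append(evaluate(pkt, lists))
    return verdicts
```

The model also shows that an interface missing from both lists (for instance a dynamic VPN interface that has flapped) falls through to the default accept in both chains, which is exactly the gap the secure address list is there to cover.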
