Another question about firewalls from me
I'm rather paranoid, so I want to block everything I don't use. I have an RB962UiGS.
I'm using PPPoE from my ISP, SSH on a non-standard port, and WinBox. Currently I have SSH access only from the LAN. I also use P2P torrents, and I don't want to block them.
Currently I have this:
# Input chain (traffic addressed to the router itself). Rules are evaluated top to bottom
# and the first match wins, so relative order matters more than anything else here.
# NOTE(review): as posted, this chain has no accept for connection-state=established,related,
# no drop for connection-state=invalid, and no closing drop rule. RouterOS accepts anything no
# rule matches, so every service not named below (WinBox, the API, DNS on the router, ...) stays
# reachable on every interface, including the PPPoE one. If more input rules exist outside this
# paste, disregard; otherwise the "block everything I don't use" goal is not met yet.
# SSH is only admitted when it arrives on bridge1 (the LAN side); nothing below admits it from elsewhere.
add action=accept chain=input comment="allow SSH from local" dst-port=1922 in-interface=bridge1 protocol=tcp
# Second stage of the brute-force tracker: a source that is already in remote_ssh_blacklist_temp
# and opens another connection to 1922 is promoted to remote_ssh_blacklist for 1w3d.
# NOTE(review): the RouterOS 'limit' matcher matches packets *up to* the given rate; with a rate of 0
# it appears to match only the first burst of 5 packets and then never again. Confirm this is the
# intended behaviour, because it limits how many sources can ever be promoted.
add action=add-src-to-address-list address-list=remote_ssh_blacklist address-list-timeout=1w3d chain=input comment="block outside SSH permanently" connection-state=new dst-port=1922 limit=0,5:packet protocol=tcp src-address-list=remote_ssh_blacklist_temp
# First stage: any new connection to 1922 that was not accepted above lands in the 1m temp list.
add action=add-src-to-address-list address-list=remote_ssh_blacklist_temp address-list-timeout=1m chain=input comment="Block outside SSH temp" connection-state=new dst-port=1922 protocol=tcp
# Everything remaining for 1922 is dropped and logged, regardless of source. Because this drop is
# unconditional, the two address lists above are bookkeeping only: no rule in this listing uses
# src-address-list=remote_ssh_blacklist to drop or rate-limit anything. log=yes on a catch-all
# drop also produces one log entry per matched packet, which can get noisy under a scan.
add action=drop chain=input comment="Drop outside SSH" dst-port=1922 log=yes protocol=tcp
# Older variant of the same two-stage tracker (ssh_stage1 -> ssh_blacklist). All three rules are
# disabled=yes and are redundant with the three rules above; they could be removed.
add action=drop chain=input comment="drop ssh brute forcers" disabled=yes dst-port=1922 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1w3d chain=input connection-state=new disabled=yes dst-port=1922 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input connection-state=new disabled=yes dst-port=1922 protocol=tcp
# SSH does not listen on 22 here (it is on 1922), so any new connection to 22 is recorded for 1w3d
# and then dropped with logging. As with 1922, ssh_utok_na_port_22 is never referenced by another
# rule, so it serves only as a record of who knocked.
add action=add-src-to-address-list address-list=ssh_utok_na_port_22 address-list-timeout=1w3d chain=input comment="block attacks to 22 permanently" connection-state=new dst-port=22 protocol=tcp
add action=drop chain=input comment="drop attack to 22" dst-port=22 log=yes protocol=tcp
# A source (/32) holding more than 100 concurrent TCP connections to the router is recorded for 1d.
# NOTE(review): nothing in this listing drops or limits traffic from Connection_Limit, so on its
# own this rule has no protective effect; a drop rule with src-address-list=Connection_Limit
# placed above it would be needed for the list to matter.
add action=add-src-to-address-list address-list=Connection_Limit address-list-timeout=1d chain=input comment="Connection limit because of DDoS" connection-limit=100,32 protocol=tcp
# SYN-flood guard for *forwarded* TCP: every new SYN is sent to SYN-Protect, which accepts up to
# 400 per second (burst 5) and drops the rest. Two things to check:
#  - accept inside a custom chain accepts the packet outright; it does not return to 'forward'.
#    If this jump sits above the forward rules posted below, every SYN within the limit bypasses
#    them, and the forward chain's closing drop then only affects non-TCP traffic.
#  - the ceiling applies to LAN-originated SYNs too, so a busy torrent client may hit it — TODO confirm.
add action=jump chain=forward comment="SYN Flood protect" connection-state=new jump-target=SYN-Protect protocol=tcp tcp-flags=syn
add action=accept chain=SYN-Protect connection-state=new limit=400,5:packet protocol=tcp tcp-flags=syn
add action=drop chain=SYN-Protect connection-state=new protocol=tcp tcp-flags=syn
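/ip firewall filter
# Forward chain (traffic passing through the router between interfaces). First match wins.
# NOTE(review): protocol=tcp narrows this to TCP only, so invalid UDP/ICMP state is not dropped
# here and falls through to the rules below — confirm that is intended.
add chain=forward protocol=tcp connection-state=invalid action=drop comment="drop invalid connections"
# Fast path for traffic belonging to a connection that has already been allowed.
add chain=forward connection-state=established action=accept comment="allow already established connections"
add chain=forward connection-state=related action=accept comment="allow related connections"
# New connections from the LAN, whitelisted by destination port. The original paste wrote
# `comment "..."`; the RouterOS form is `comment="..."` (fixed below, no other change).
# NOTE(review): the interface is called LAN here but bridge1 in the input rules — confirm both
# names exist on the device, otherwise these accepts never match and the drop below wins.
add chain=forward action=accept protocol=tcp dst-port=53 in-interface=LAN comment="allow DNS"
add chain=forward action=accept protocol=udp dst-port=53 in-interface=LAN comment="allow DNS"
add chain=forward action=accept protocol=tcp dst-port=80 in-interface=LAN comment="allow HTTP"
add chain=forward action=accept protocol=tcp dst-port=443 in-interface=LAN comment="allow HTTPS"
add chain=forward action=accept protocol=tcp dst-port=3389 in-interface=VPN comment="allow RDP via VPN"
# Closing rule: everything not matched above is dropped, on every interface and in both directions.
# NOTE(review): this also drops outbound torrent peer connections on unlisted ports and all inbound
# peer connections, so as written it conflicts with the wish to keep P2P working. It is also an
# unlogged drop; consider log=yes while tuning so blocked traffic can be seen.
add chain=forward action=drop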