Sat Mar 10, 2012 1:25 pm
This is my current firewall, excluding port forwards but including the rules that block port scanners. I did not write the port-scanner part myself; I took it from one of the examples on the wiki, but we tested it and it works really well.
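/ip firewall filter
# RouterOS filter rules. Each chain is evaluated top to bottom and the first
# matching rule wins; a packet that reaches the end of a chain is accepted.
#
# Review notes on this rule set:
# - Two input-chain accepts that originally matched ANY source now carry
#   src-address=192.168.0.0/24: the UDP services (123/161/5678/9, i.e. NTP,
#   SNMP, MikroTik discovery, discard) and Winbox TCP 8291. Management and
#   SNMP should not be reachable from the WAN side; if remote management is
#   required, reach the router through a tunnel rather than opening 8291.
# - The rules that key on src-address=192.168.0.0/24 ("Accept New" in
#   forward, "From LAN" in input) have no in-interface match, so a packet
#   arriving on the WAN interface with a spoofed LAN source address also
#   matches them. Adding in-interface=<LAN interface> to those rules closes
#   that gap; the interface name is not known from this listing.
# - The forward chain has no final drop, so traffic that is neither to the
#   LAN nor matched above falls through to the chain's default accept.
#
# Invalid-state handling (both chains).
add action=log chain=forward comment="" connection-state=invalid disabled=yes log-prefix=""
add action=drop chain=input comment="Drop invalid connections" connection-state=invalid disabled=no
add action=drop chain=forward comment="Drop Invalid connections" connection-state=invalid disabled=no
#
# forward chain: LAN may open new connections; everything else only if it is
# part of an existing connection.
add action=accept chain=forward comment="Accept New" connection-state=new disabled=no src-address=192.168.0.0/24
add action=accept chain=forward comment="Accept established" connection-state=established disabled=no
add action=accept chain=forward comment="Accept related" connection-state=related disabled=no
# NOTE(review): this accepts UDP 20561 from any source to any destination and
# sits above the LAN-protect drop below, so it is a hole in that protection.
# If routed traffic on 20561 is not actually needed, this rule can be removed.
add action=accept chain=forward comment=Winbox disabled=no dst-port=20561 protocol=udp
# Anything from outside the LAN range that is addressed into the LAN is
# dropped (logging is available but disabled). Port-forward accept rules
# must be placed ABOVE this drop, or the forwarded traffic is dropped here.
add action=log chain=forward comment="" disabled=yes dst-address=192.168.0.0/24 log-prefix=UNWANTED src-address=!192.168.0.0/24
add action=drop chain=forward comment="" disabled=no dst-address=192.168.0.0/24 src-address=!192.168.0.0/24
#
# input chain: SSH only from the LAN; other SSH attempts are logged and dropped.
add action=accept chain=input comment="" disabled=no dst-port=22 protocol=tcp src-address=192.168.0.0/24
add action=log chain=input comment="" disabled=no dst-port=22 log-prefix="" protocol=tcp
add action=drop chain=input comment="" disabled=no dst-port=22 protocol=tcp
#
# Port-scan detection: matching sources go onto the "port scanners" list for
# two weeks and are dropped by the rule that follows. These rules are placed
# before "Accept established" on purpose, so a listed host stays blocked.
# NOTE(review): they have no source restriction, so a LAN host that scans
# the router is locked out for two weeks as well.
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="Port scanners to list " disabled=no protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="NMAP FIN Stealth scan" disabled=no protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="SYN/FIN scan" disabled=no protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="SYN/RST scan" disabled=no protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" disabled=no protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="ALL/ALL scan" disabled=no protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="NMAP NULL scan" disabled=no protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=input comment="dropping port scanners" disabled=no src-address-list="port scanners"
#
# Replies to connections the router itself opened (e.g. its own NTP/DNS
# queries) come back as established/related and are accepted here, so the
# LAN-only service rules below do not affect them.
add action=accept chain=input comment="Accept established connections" connection-state=established disabled=no
add action=accept chain=input comment="Accept related connections" connection-state=related disabled=no
# Services offered by the router, LAN only.
add action=accept chain=input comment=UDP disabled=no dst-port=53 protocol=udp src-address=192.168.0.0/24
# was: accepted from any source; restricted to the LAN range (see notes above)
add action=accept chain=input comment=UDP disabled=no dst-port=123,161,5678,9 protocol=udp src-address=192.168.0.0/24
# Rate-limited ICMP, then drop the excess.
add action=accept chain=input comment="Allow limited pings" disabled=no limit=50/5s,2 protocol=icmp
add action=drop chain=input comment="Drop excess pings" disabled=no protocol=icmp
# was: Winbox accepted from any source; restricted to the LAN range (see notes above)
add action=accept chain=input comment=winbox disabled=no dst-port=8291 protocol=tcp src-address=192.168.0.0/24
add action=accept chain=input comment="From LAN" disabled=no src-address=192.168.0.0/24
# Optional logging / listing of everything that is about to be dropped
# (both disabled; timeout=0s on the list means entries never expire).
add action=log chain=input comment="Log everything else" disabled=yes log-prefix="DROP INPUT"
add action=add-src-to-address-list address-list="input dropped scr addr" address-list-timeout=0s chain=input comment="Log everything else" disabled=yes
add action=drop chain=input comment="Drop everything else" disabled=no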