The concept is that if one knows which commonly scanned ports the router does not need (the people using it don't need them),
then this approach will be lighter on the CPU and yet still effective. The same idea applies if one doesn't expect incoming, or plan on sending outgoing, broadcast traffic...
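# Raw-table port-probe capture for a MikroTik router.
# Every rule is exported with disabled=yes; enable them deliberately after
# confirming none of the listed ports is actually served on the WAN side.
# Caveat: UDP 500 (IKE) and TCP/UDP 1720 (H.323) are in the capture lists, so a
# peer that legitimately initiates IPsec or H.323 from the WAN would be listed
# and dropped for 5 days -- remove those ports if the router offers such services.
/ip firewall raw
# Fast path: a source already on the list is dropped here, before the four
# multi-port match rules below are evaluated for every one of its packets.
# This is what keeps the approach light on the CPU once a scanner is known.
add action=drop chain=prerouting comment=DropKnownPortProbes disabled=yes \
    src-address-list=DropPortProbes
# Capture rules: add-src-to-address-list does not terminate evaluation, so the
# triggering packet continues down to the trailing drop rule and is discarded.
# RouterOS limits dst-port to 15 entries per rule, hence two rules per protocol.
add action=add-src-to-address-list address-list=DropPortProbes \
    address-list-timeout=5d chain=prerouting comment=CaptureUnusedPorts_TCP \
    disabled=yes dst-port=0,11,20,21,22,23,79,113,119,135,139,194,389,445 \
    in-interface-list=WAN protocol=tcp
add action=add-src-to-address-list address-list=DropPortProbes \
    address-list-timeout=5d chain=prerouting comment=CaptureUnusedPorts_TCP2 \
    disabled=yes dst-port=\
    500,1002,1025,1026,1027,1028,1029,1030,1720,5000,8291 in-interface-list=\
    WAN protocol=tcp
add action=add-src-to-address-list address-list=DropPortProbes \
    address-list-timeout=5d chain=prerouting comment=CaptureUnusedPorts_UDP \
    disabled=yes dst-port=0,11,20,21,22,23,79,113,119,135,139,194,389,445 \
    in-interface-list=WAN protocol=udp
add action=add-src-to-address-list address-list=DropPortProbes \
    address-list-timeout=5d chain=prerouting comment=CaptureUnusedPorts_UDP2 \
    disabled=yes dst-port=\
    500,1002,1025,1026,1027,1028,1029,1030,1720,5000,8291 in-interface-list=\
    WAN protocol=udp
# Trailing drop: discards the very packet that just put its source on the list,
# so even the first probe never reaches the filter table.
add action=drop chain=prerouting comment=DropPortProbes disabled=yes \
    src-address-list=DropPortProbes
# Broadcast hygiene: no broadcast is expected in from, or out to, the WAN.
add action=drop chain=prerouting comment=DropIncomingBroadcasts disabled=yes \
    dst-address-type=broadcast in-interface-list=WAN
add action=drop chain=output comment=DropOutgoingBroadcasts disabled=yes \
    dst-address-type=broadcast out-interface-list=WAN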