add action=drop chain=virus comment="Drop Blaster Worm" disabled=no dst-port=135-139 protocol=tcp
add action=drop chain=virus comment="Drop Messenger Worm" disabled=no dst-port=135-139 protocol=udp
add action=drop chain=virus comment="Drop Blaster Worm" disabled=no dst-port=444-445 protocol=tcp
add action=drop chain=virus comment="Drop Blaster Worm" disabled=no dst-port=444-445 protocol=udp
This helps ...
As I said before, this type of arbitrary port blocking is an amateur's solution. Target specific behavior, not ports. I know I said arbitrary filtering is generally bad practice, but what you have is a worm actively attacking other machines, not something like spam. If it's an active attack, filter it to protect users on the other end. It would be something like this:
/ip firewall mangle
# "limit" matches packets UP TO the given rate, so a single rule with limit=5,10 would tag
# the first 5 new connections/sec (burst 10) from every host, i.e. normal users. Two rules:
# the first accepts traffic within the limit and stops mangle processing for that packet,
# so only connection starts above 5/sec (after the burst of 10 is used up) reach the second rule.
add action=accept chain=prerouting comment="SMB rate within limit" connection-state=new disabled=no dst-port=445 limit=5,10 protocol=tcp
add action=add-src-to-address-list address-list=Worm-Infected-p445 address-list-timeout=1h chain=prerouting comment="Tag hosts exceeding SMB rate" connection-state=new disabled=no dst-port=445 protocol=tcp
/ip firewall filter
# Drop further tcp/445 from tagged hosts for as long as they stay on the list (1h after the last tag)
add action=drop chain=forward comment="Drop SMB from tagged hosts" disabled=no dst-port=445 protocol=tcp src-address-list=Worm-Infected-p445
That way legitimate use isn't blocked, but something like a worm sending out mass amounts will be detected and stopped. You may have to play with the rates a little as I don't have traffic to test on, but that's a much more elegant solution than blocking a bunch of ports for all users. Yes, this could be done with a rate-specific firewall rule, but this gives you a nice list of user IPs that need to clean up their machines.
It's best to try and filter the traffic as close to the source of it as you can get. It keeps such things from taking up bandwidth on your links.
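The rate detection above is easier to tune if you can replay real connection starts against it before touching the router. The following is an added example, not code from the thread or from MikroTik: it models the RouterOS `limit=rate,burst` matcher as a per-source token bucket (an approximation of the kernel limit matcher, assumed here, not taken from RouterOS source), runs it over a constructed list of connection-start events, and emits the equivalent `/ip firewall address-list add` commands for the sources that exceed the rate. The hosts, addresses, timestamps and function names are all made up for the example.

```python
"""Offline replay of a limit=5,10 worm detector over connection-start events.

Each event is (timestamp_seconds, src_ip, dst_ip, dst_port, proto), e.g. from a
NetFlow export or a connection log. The token bucket below approximates the
RouterOS `limit=rate,burst` matcher (assumption, not its exact implementation):
the bucket starts full at `burst`, refills at `rate` tokens per second, and a
connection start that finds no token is the one the tagging rule would see.
"""


def _events_from(src, dst, port, proto, start, count, interval):
    """Helper to build evenly spaced connection starts for the sample below."""
    return [(start + i * interval, src, dst, port, proto) for i in range(count)]


# Constructed sample traffic (not captured data):
SAMPLE_CONNECTIONS = (
    # A busy but legitimate file-server client: 3 new SMB connections/sec for 10 s.
    _events_from("10.0.0.5", "10.0.1.20", 445, "tcp", 0.0, 30, 1 / 3)
    # A host that opens exactly 10 connections in a 0.1 s burst, then stops:
    # this should fit inside the burst allowance and not be tagged.
    + _events_from("10.0.0.9", "10.0.1.21", 445, "tcp", 20.0, 10, 0.01)
    # A worm-like host: 50 new SMB connections in half a second (100/sec).
    + _events_from("10.0.0.77", "10.0.1.22", 445, "tcp", 5.0, 50, 0.01)
    # A fast HTTP crawler: high rate, but not port 445, so the rules ignore it.
    + _events_from("10.0.0.42", "10.0.1.23", 80, "tcp", 5.0, 50, 0.01)
)


def detect_worm_sources(events, rate=5.0, burst=10, dst_port=445, proto="tcp",
                        list_timeout=3600.0):
    """Return {src_ip: (first_tag_time, list_expiry)} for sources exceeding the rate.

    Mirrors the two mangle rules: connection starts within the limit are
    accepted (consume a token); the first start that finds the bucket empty is
    what reaches the add-src-to-address-list rule.
    """
    buckets = {}   # src_ip -> (tokens_remaining, timestamp_of_last_event)
    flagged = {}   # src_ip -> (tag_time, expiry)
    for ts, src, _dst, port, p in sorted(events):
        if port != dst_port or p != proto:
            continue                         # rules match only tcp/445
        if src in flagged:
            continue                         # already listed; filter rule drops it
        tokens, last = buckets.get(src, (float(burst), ts))
        tokens = min(float(burst), tokens + (ts - last) * rate)   # refill since last start
        if tokens >= 1.0:
            buckets[src] = (tokens - 1.0, ts)                      # within limit: accept
        else:
            buckets[src] = (tokens, ts)
            flagged[src] = (ts, ts + list_timeout)                 # over limit: tag source
    return flagged


def address_list_commands(flagged, list_name="Worm-Infected-p445", timeout="1h"):
    """RouterOS commands that would put the detected sources on the address list."""
    return [
        f"/ip firewall address-list add list={list_name} address={src} timeout={timeout}"
        for src in sorted(flagged)
    ]


if __name__ == "__main__":
    hits = detect_worm_sources(SAMPLE_CONNECTIONS)
    for src, (tagged_at, expiry) in hits.items():
        print(f"{src}: tagged at t={tagged_at:.2f}s, listed until t={expiry:.0f}s")
    for cmd in address_list_commands(hits):
        print(cmd)
```

Replaying a day of real connection starts through `detect_worm_sources` with different `rate`/`burst` values is the cheap way to check that the numbers you put into `limit=` tag the scanning hosts without catching a busy file-server client; in the constructed sample only 10.0.0.77 is tagged, and the burst of exactly ten from 10.0.0.9 stays under the allowance.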