What do you think about this firewall?
1. I would like to move whatever is possible into the RAW chain.
2. Port scanner detection, both internal and external.
3. SSH and Winbox blacklists.
4. What else would increase security?
### Telephone
# Connection and packet marks for the phone system at 192.168.141.100:
# SIP signalling on TCP/5060, RTP media on UDP/10000-20000. Nothing on this
# page consumes the SIP/RTP packet marks; presumably they feed queues that
# are not shown here - verify before removing.
# NOTE(review): the SIP rule matches only protocol=tcp, so SIP over
# UDP/5060 would not be marked. Confirm the PBX signals over TCP.
/ip firewall mangle
add action=mark-connection chain=forward dst-address=192.168.141.100 dst-port=5060 new-connection-mark=sip-connection protocol=tcp
add action=mark-packet chain=forward connection-mark=sip-connection new-packet-mark=SIP
# 'port=' (rather than dst-port=) matches either the source or the
# destination port, so RTP towards the PBX is caught whichever end picked
# the port from the 10000-20000 range.
add action=mark-connection chain=forward dst-address=192.168.141.100 new-connection-mark=rtp-connection port=10000-20000 protocol=udp
add action=mark-packet chain=forward connection-mark=rtp-connection new-packet-mark=RTP
/ip firewall raw
# Raw prerouting runs before connection tracking, so this is the cheapest
# place to shed hosts already flagged by the detect-ddos chain (the
# 'ddoser' list is filled in the filter section below).
# NOTE(review): the filter drops that match only on a src-address-list
# (the port scanner, Winbox and SSH blacklist drops) follow the same
# pattern and are candidates for this chain. Rules that depend on
# connection-state or on the psd matcher must stay in filter, since raw
# sees packets before tracking.
add action=drop chain=prerouting comment=DDos src-address-list=ddoser
##Address Lists
/ip firewall address-list
# The four entries without address= appear to exist only to pre-create
# the blacklist names; the filter rules below fill them dynamically with
# address-list-timeout, so nothing here is permanent.
add comment="Black List (SSH)" list="Black List (SSH)"
add comment="Black List (Winbox)" list="Black List (Winbox)"
add comment="Black List (Port Scanner WAN)" list="Black List (Port Scanner WAN)"
add comment="Black List (Port Scanner LAN)" list="Black List (Port Scanner LAN)"
# 'local' is the trusted LAN; the input rules below use it to gate
# management and infrastructure services (Winbox, DNS, NTP, DHCP).
add address=192.168.141.0/24 list=local
/ip firewall connection tracking set enabled=yes
# SYN cookies protect the router's own TCP listeners (SSH, Winbox,
# OpenVPN) during SYN floods; this complements the detect-ddos chain.
/ip settings set tcp-syncookies=yes
# NOTE(review): this detect-ddos rule is declared outside the
# '/ip firewall filter' section further down and uses burst 32, while the
# companion return rule in that section uses 32,42. The two overlap
# (syn,ack packets are a subset of the tcp traffic the other rule sees);
# confirm which limit is intended and keep the values consistent.
/ip firewall filter add action=return chain=detect-ddos dst-limit=32,32,src-and-dst-addresses/10s protocol=tcp tcp-flags=syn,ack
# SIP helper (ALG) disabled; the mangle rules above classify SIP/RTP
# without it.
/ip firewall service-port set sip disabled=yes
/ip firewall filter
# Input chain starts by dropping invalid-state packets and NetBIOS noise
# (UDP 137/138) before any counting or list logic runs.
add action=drop chain=input comment="Drop invalid connections" connection-state=invalid
add action=drop chain=input comment="Drop Netbios" connection-state="" dst-port=137,138 protocol=udp
###DDOS
# Every new connection to the router is sent through detect-ddos.
# dst-limit=32,42,src-and-dst-addresses/10s: up to 32 matching packets
# per second (burst 42) per source/destination address pair, with the
# tracking entry expiring after 10s. Sources under the limit return here;
# sources over it fall through and are added to 'ddoser' (dropped in raw
# above) while their target goes to 'ddosed', both for 1w10m.
# NOTE(review): 'ddosed' is not referenced by any rule on this page.
# NOTE(review): add-*-to-address-list actions are passthrough, so the
# offending packet itself continues down the input chain; only later
# packets are shed by the raw drop.
add action=jump chain=input comment="Dos protect" connection-state=new jump-target=detect-ddos
add action=return chain=detect-ddos dst-limit=32,42,src-and-dst-addresses/10s
# Exempt source - presumably the router's own LAN address or a trusted
# host; it is never listed even when it exceeds the limit. Confirm.
add action=return chain=detect-ddos src-address=192.168.141.1
add action=add-dst-to-address-list address-list=ddosed address-list-timeout=1w10m chain=detect-ddos
add action=add-src-to-address-list address-list=ddoser address-list-timeout=1w10m chain=detect-ddos
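###Port Scanner
# psd=21,3s,3,1: a source reaches the weight threshold 21 within 3s, with
# low ports weighing 3 and high ports 1. A hit adds the source to a
# blacklist for 4w2d.
# WAN side: detect in input (scans aimed at the router) and drop listed
# sources on both input and forward.
# NOTE(review): log=yes on the drop rules logs every packet from a listed
# host for the whole list lifetime; consider logging only the
# add-to-list events to keep the log usable.
add action=drop chain=input comment="Drop Port Scanner (WAN) list." in-interface-list=WAN log=yes log-prefix="BL_Black List (Port Scanner WAN)" src-address-list="Black List (Port Scanner WAN)"
add action=drop chain=forward comment="Drop Port Scanner (WAN) list." in-interface-list=WAN log=yes log-prefix="BL_Black List (Port Scanner WAN)" src-address-list="Black List (Port Scanner WAN)"
add action=add-src-to-address-list address-list="Black List (Port Scanner WAN)" address-list-timeout=4w2d chain=input comment="Add TCP port scanner to Port Scanner (WAN) list." in-interface-list=WAN log=yes log-prefix="Add_Black List (Port Scanner WAN)" protocol=tcp psd=21,3s,3,1
# LAN side: these three rules were keyed on in-interface-list=WAN, so they
# could never match an internal host; !WAN (the convention the local
# service rules below already use) makes them apply to traffic entering
# from inside.
add action=drop chain=input comment="Drop anyone in the Port Scanner (LAN) list." in-interface-list=!WAN log=yes log-prefix="BL_Black List (Port Scanner LAN)" src-address-list="Black List (Port Scanner LAN)"
add action=drop chain=forward comment="Drop anyone in the Port Scanner (LAN) list." in-interface-list=!WAN log=yes log-prefix="BL_Black List (Port Scanner LAN)" src-address-list="Black List (Port Scanner LAN)"
# Detection stays in forward (internal hosts scanning through the router).
# NOTE(review): scans aimed at the router itself traverse input, not
# forward, and are not detected by this rule. A 4w2d timeout is harsh for
# an internal false positive (a vulnerability scanner, a chatty client);
# consider a shorter timeout or an exemption list for known scanners.
add action=add-src-to-address-list address-list="Black List (Port Scanner LAN)" address-list-timeout=4w2d chain=forward comment="Add TCP port scanner to Port Scanner (LAN) list." in-interface-list=!WAN log=yes log-prefix="Add_Black List (Port Scanner LAN)" protocol=tcp psd=21,3s,3,1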
###Winbox
# Winbox (TCP/8291) brute-force ladder for WAN sources. Each new
# connection from WAN to 8291 is sent through "Black List (Winbox) Chain".
# add-src-to-address-list is passthrough, so the stage rules are listed in
# descending order (Stage 3 -> blacklist first): a single packet cannot
# climb every stage in one pass. A source opening four new connections
# within the 1m stage windows lands in "Black List (Winbox)" for 4w2d and
# is dropped by the first rule below on every later packet.
# Note that the input chain further down accepts Winbox only from the
# 'local' list, so WAN attempts reach this ladder and then the final
# input drop regardless.
add action=drop chain=input comment="Drop anyone in Black List (Winbox)." in-interface-list=WAN log=yes log-prefix="BL_Black List (Winbox)" src-address-list="Black List (Winbox)"
add action=jump chain=input comment="Jump to Black List (Winbox) chain." dst-port=8291 in-interface-list=WAN jump-target="Black List (Winbox) Chain" protocol=tcp
add action=add-src-to-address-list address-list="Black List (Winbox)" address-list-timeout=4w2d chain="Black List (Winbox) Chain" comment=\
"Transfer repeated attempts from Black List (Winbox) Stage 3 to Black List (Winbox)." connection-state=new in-interface-list=WAN log=yes log-prefix="Add_Black List (Winbox)" \
src-address-list="Black List (Winbox) Stage 3"
add action=add-src-to-address-list address-list="Black List (Winbox) Stage 3" address-list-timeout=1m chain="Black List (Winbox) Chain" comment=\
"Add succesive attempts to Black List (Winbox) Stage 3." connection-state=new in-interface-list=WAN log=yes log-prefix="Add_Black List (Winbox) S3" src-address-list=\
"Black List (Winbox) Stage 2"
add action=add-src-to-address-list address-list="Black List (Winbox) Stage 2" address-list-timeout=1m chain="Black List (Winbox) Chain" comment=\
"Add succesive attempts to Black List (Winbox) Stage 2." connection-state=new in-interface-list=WAN log=yes log-prefix="Add_Black List (Winbox) S2" src-address-list=\
"Black List (Winbox) Stage 1"
add action=add-src-to-address-list address-list="Black List (Winbox) Stage 1" address-list-timeout=1m chain="Black List (Winbox) Chain" comment=\
"Add initial attempt to Black List (Winbox) Stage 1." connection-state=new in-interface-list=WAN log=yes log-prefix="Add_Black List (Winbox) S1"
# Explicit return so the packet resumes the input chain after staging.
add action=return chain="Black List (Winbox) Chain" comment="Return From Black List (Winbox) chain."
###SSH
# Same ladder as the Winbox one, for SSH on the non-default port 2222
# (the input chain below accepts 2222 from anywhere, so this is the only
# rate control on SSH logins from WAN). Stage windows are 1m; the final
# list holds the source for 4w2d.
# NOTE(review): moving SSH to 2222 reduces noise but is not a security
# control on its own; key-only authentication and, if possible,
# restricting the accept rule to a src-address-list are the real limits.
add action=drop chain=input comment="Drop anyone in Black List (SSH)." in-interface-list=WAN log=yes log-prefix="BL_Black List (SSH)" src-address-list="Black List (SSH)"
add action=jump chain=input comment="Jump to Black List (SSH) chain." dst-port=2222 in-interface-list=WAN jump-target="Black List (SSH) Chain" protocol=tcp
add action=add-src-to-address-list address-list="Black List (SSH)" address-list-timeout=4w2d chain="Black List (SSH) Chain" comment=\
"Transfer_repeated attempts from Black List (SSH) Stage 3 to Black List (SSH)." connection-state=new in-interface-list=WAN log=yes log-prefix="Add_Black List (SSH)" \
src-address-list="Black List (SSH) Stage 3"
add action=add-src-to-address-list address-list="Black List (SSH) Stage 3" address-list-timeout=1m chain="Black List (SSH) Chain" comment=\
"Add successive attempts to Black List (SSH) Stage 3." connection-state=new in-interface-list=WAN log=yes log-prefix="Add_Black List (SSH) S3" src-address-list=\
"Black List (SSH) Stage 2"
add action=add-src-to-address-list address-list="Black List (SSH) Stage 2" address-list-timeout=1m chain="Black List (SSH) Chain" comment=\
"Add successive attempts to Black List (SSH) Stage 2." connection-state=new in-interface-list=WAN log=yes log-prefix="Add_Black List (SSH) S2" src-address-list=\
"Black List (SSH) Stage 1"
add action=add-src-to-address-list address-list="Black List (SSH) Stage 1" address-list-timeout=1m chain="Black List (SSH) Chain" comment=\
"Add initial attempt to Black List (SSH) Stage 1." connection-state=new in-interface-list=WAN log=yes log-prefix="Add_Black List (SSH) S1"
add action=return chain="Black List (SSH) Chain" comment="Return From Black List (SSH) chain."
# NOTE(review): established/related are accepted only after every
# blacklist rule above. That keeps a listed host blocked mid-session, but
# every packet of every accepted session is first matched against the psd
# and list rules. If you prefer the usual fast path, move these two rules
# up - listed hosts then keep existing sessions until they expire.
add action=accept chain=input comment="Accept established connections" connection-state=established
###INPUT
add action=accept chain=input comment="Accept related connections" connection-state=related
# ICMP: 50 packets per 5s with a burst of 2, the rest dropped.
add action=accept chain=input comment="Allow limited pings" limit=50/5s,2:packet protocol=icmp
add action=drop chain=input comment="Drop excess pings" protocol=icmp
# SSH on 2222 is reachable from any interface and source; the ladder
# above is the only limit for WAN sources.
add action=accept chain=input comment="Accept SSH for secure shell" dst-port=2222 protocol=tcp
# VPN: IPsec ESP, OpenVPN on TCP/1194, IKE/NAT-T (500/4500) and L2TP (1701).
# NOTE(review): UDP/1701 is accepted in the clear; if L2TP is only used
# inside IPsec, add ipsec-policy=in,ipsec to that rule so plain L2TP from
# the internet is refused.
add action=accept chain=input comment="Accept VPN" protocol=ipsec-esp
add action=accept chain=input comment="Accept OpenVPN" dst-port=1194 protocol=tcp
add action=accept chain=input comment="Accept VPN" dst-port=500,4500,1701 protocol=udp
# Management and LAN services, gated on the 'local' list (and, for the
# UDP ones, on a non-WAN ingress interface).
add action=accept chain=input comment="Accept Winbox access" dst-port=8291 protocol=tcp src-address-list=local
# log-prefix has no effect without log=yes.
add action=accept chain=input comment="Accept Winbox MAC" dst-port=20561 in-interface-list=!WAN log-prefix=MIKROTIK_MAC_LOGIN protocol=udp src-address-list=local
add action=accept chain=input comment="Accept NDP" dst-port=5678 in-interface-list=!WAN protocol=udp src-address-list=local
# NOTE(review): only UDP/53 is accepted; DNS falls back to TCP for
# truncated answers, so add a protocol=tcp twin if the router serves DNS.
add action=accept chain=input comment="Accept DNS Querry" dst-port=53 in-interface-list=!WAN protocol=udp src-address-list=local
add action=accept chain=input comment="Accept NTP Querry" dst-port=123 in-interface-list=!WAN protocol=udp src-address-list=local
# NOTE(review): a fresh DHCP client sends from 0.0.0.0, which is not in
# 'local'. RouterOS's DHCP server is reported to handle these below the
# IP firewall; verify that new clients still obtain leases.
add action=accept chain=input comment="Accept DHCP Querry" dst-port=67 in-interface-list=!WAN protocol=udp src-address-list=local src-port=68
# NOTE(review): this rule accepts any packet whose source is one of the
# router's own addresses, on any interface - unlike its neighbours it has
# no in-interface-list=!WAN. A packet arriving from WAN with a spoofed
# router source address would match; add in-interface-list=!WAN (or
# enable rp-filter) unless CAPsMAN genuinely needs WAN-side matches.
add action=accept chain=input comment="CAPsMAN accept all local traffic" src-address-type=local
# Final drop. log-prefix is inert here without log=yes; if logging is
# wanted, add it and rate-limit to avoid log flooding.
add action=drop chain=input comment="Drop everything else" log-prefix="IN DROP REST -> "
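###FORWARD
# Invalid-state packets are dropped before any accept, matching the input
# chain. With this rule at the end of the chain, invalid packets routed
# towards WAN1/WAN2 or the tunnel were accepted by the earlier rules.
add action=drop chain=forward comment="Drop invalid connections" connection-state=invalid
# NOTE(review): these two accept any TCP/80 and /443 arriving on WAN1 for
# any destination. Port-forwarded services are already covered by the
# DSTNAT accept below, so they only matter for routed (non-NAT) hosts;
# if none exist, remove them, otherwise narrow them with dst-address=.
# log-prefix has no effect without log=yes.
add action=accept chain=forward comment=E-MAIL dst-port=80 in-interface=WAN1 log-prefix=80 protocol=tcp
add action=accept chain=forward comment=E-MAIL dst-port=443 in-interface=WAN1 log-prefix=443 protocol=tcp
# The l2tp-PGP01 tunnel is fully trusted in both directions, regardless of
# connection state; the rule comments now say what the rules match.
add action=accept chain=forward comment="Accept all traffic from l2tp-PGP01" in-interface=l2tp-PGP01
add action=accept chain=forward comment="Accept all traffic to l2tp-PGP01" out-interface=l2tp-PGP01
add action=accept chain=forward comment="Accept DSTNAT connections" connection-nat-state=dstnat
add action=accept chain=forward comment="Accept established connections" connection-state=established
add action=accept chain=forward comment="Accept related connections" connection-state=related
# NOTE(review): the outbound accepts have no in-interface restriction, so
# anything the router would route out of WAN1/WAN2 - including traffic
# that arrived on the other WAN or on the tunnel - is allowed. Add
# in-interface-list=!WAN if only internally originated traffic may leave.
add action=accept chain=forward comment="Allow Forward to WAN" out-interface=WAN1
add action=accept chain=forward comment="Allow Forward to WAN" out-interface=WAN2
add action=log chain=forward comment="Log everything else" log=yes log-prefix="DROP FORWARD"
add action=drop chain=forward comment="Drop everything else"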