# RouterOS firewall filter rules as pasted on a forum: the "/ip firewall filter"
# context line and any rules before or after this excerpt are not shown.
# Rules are evaluated top to bottom. add-src-to-address-list is non-terminating
# in RouterOS, so a packet it matches continues to the rules below it; that is
# what lets the "Detect ..." rules feed the "Drop Blacklisted ..." rules.
# No accept for connection-state=established,related is visible here; the
# src-port drops below (53, 10188, 123) would also discard legitimate replies
# unless such an accept precedes them.
# Rules without in-interface match on every interface, LAN side included.
# Blanket UDP drop from SFP1-combo1 (presumably the WAN port); disabled=yes, so
# inert until enabled. With log=yes it would log every dropped datagram.
add action=drop chain=input disabled=yes in-interface=SFP1-combo1 log=yes \
protocol=udp
add action=drop chain=forward disabled=yes in-interface=SFP1-combo1 log=yes \
protocol=udp
# Any TCP packet from SFP1-combo1 to one of these router ports lists the source
# in BlackList for 3 days. Matches any TCP packet, not only new connections
# (no connection-state or tcp-flags qualifier).
add action=add-src-to-address-list address-list=BlackList address-list-timeout=\
3d chain=input comment="Detect Port Scanners" dst-port=\
21-23,53,88,135-139,389,445,1433,3306,3389,5900,6667 in-interface=\
SFP1-combo1 protocol=tcp
# Any UDP packet from SFP1-combo1 to the router's port 53 blacklists the source
# for 3 days; the packet itself is then discarded by the BlackList drop below.
add action=add-src-to-address-list address-list=BlackList address-list-timeout=\
3d chain=input comment="Detect UDP WAN DNS Lookups to prevent DDoS" \
dst-port=53 in-interface=SFP1-combo1 protocol=udp
# Drop blacklisted sources, both to the router (input) and through it (forward),
# but only when they arrive on SFP1-combo1.
add action=drop chain=input comment="Drop Blacklisted Hosts to Router" \
in-interface=SFP1-combo1 src-address-list=BlackList
add action=drop chain=forward comment="Drop Blacklisted Hosts through Router" \
in-interface=SFP1-combo1 src-address-list=BlackList
# Drops sources listed in "PortScanners", but no rule in this excerpt adds to
# that list (the psd rule below adds to BlackList). NOTE(review): confirm
# PortScanners is populated elsewhere; otherwise this rule never matches.
add action=drop chain=input comment="Drop port scanners" src-address-list=\
PortScanners
# Port-scan detection; psd=WeightThreshold,DelayThreshold,LowPortWeight,HighPortWeight.
# No in-interface, so LAN-side hosts can also end up blacklisted for 3 days.
add action=add-src-to-address-list address-list=BlackList address-list-timeout=\
3d chain=input comment="Add Port scanners to blacklist" protocol=tcp psd=\
21,3s,3,1
# TCP flag combinations that do not occur in normal traffic; each lists the
# source in BlackList for 3 days. Listed flags must be set, "!" flags must be
# clear, unlisted flags are ignored. None of these is limited to SFP1-combo1.
add action=add-src-to-address-list address-list=BlackList address-list-timeout=\
3d chain=input comment="Add NMAP FIN Stealth scan to list" protocol=tcp \
tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list=BlackList address-list-timeout=\
3d chain=input comment="Add SYN/FIN scan to list" protocol=tcp tcp-flags=\
fin,syn
add action=add-src-to-address-list address-list=BlackList address-list-timeout=\
3d chain=input comment="Add SYN/RST scan to list" protocol=tcp tcp-flags=\
syn,rst
add action=add-src-to-address-list address-list=BlackList address-list-timeout=\
3d chain=input comment="Add FIN/PSH/URG scan to list" protocol=tcp \
tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list=BlackList address-list-timeout=\
3d chain=input comment="Add ALL/ALL scan to list" protocol=tcp tcp-flags=\
fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list=BlackList address-list-timeout=\
3d chain=input comment="Add NMAP NULL scan to list" protocol=tcp tcp-flags=\
!fin,!syn,!rst,!psh,!ack,!urg
# Port-knock sequence for router access: tcp/10000 -> udp/20000 -> udp/30000 ->
# tcp/40000, each step requiring membership in the previous list; steps 1-2
# expire after 10s, steps 3-4 after 1h. The knock rules have no in-interface,
# so LAN hosts can knock too; only the final Winbox accept is tied to
# SFP1-combo1.
add action=add-src-to-address-list address-list=AccessRouter1 \
address-list-timeout=10s chain=input comment="Port Knock for Router Access" \
dst-port=10000 protocol=tcp
add action=add-src-to-address-list address-list=AccessRouter2 \
address-list-timeout=10s chain=input dst-port=20000 protocol=udp \
src-address-list=AccessRouter1
add action=add-src-to-address-list address-list=AccessRouter3 \
address-list-timeout=1h chain=input dst-port=30000 protocol=udp \
src-address-list=AccessRouter2
add action=add-src-to-address-list address-list=AccessRouter4 \
address-list-timeout=1h chain=input dst-port=40000 protocol=tcp \
src-address-list=AccessRouter3
# Winbox (tcp/8291) from SFP1-combo1, only for sources that completed the knock.
# This is an accept; whatever blocks un-knocked Winbox attempts is not in this
# excerpt.
add action=accept chain=input comment="Allow in Winbox" dst-port=8291 \
in-interface=SFP1-combo1 protocol=tcp src-address-list=AccessRouter4
# Order matters: the tarpit for already-listed sources comes first, detection
# second. connection-limit=20,32 fires when concurrent TCP connections from one
# /32 source on SFP1-combo1 reach 20; the source then goes to DOSattacker for
# 1 day (logged) and its later connections are tarpitted on any interface.
add action=tarpit chain=input comment="Suppress DoS attack" connection-limit=\
3,32 protocol=tcp src-address-list=DOSattacker
add action=add-src-to-address-list address-list=DOSattacker \
address-list-timeout=1d chain=input comment="Detect DoS attack" \
connection-limit=20,32 in-interface=SFP1-combo1 log=yes protocol=tcp
# ICMP accepts rate-limited to 5 packets/s, burst 5 (limit=rate,burst:mode):
# type 0 echo reply, 3:3 port unreachable, 3:4 fragmentation needed (PMTU
# discovery), type 8 echo request, type 11 time exceeded (traceroute).
# Packets above the rate are not dropped by these rules; they fall through to
# whatever follows, so the "suppress" in the comments depends on a later
# catch-all that is not shown here.
add action=accept chain=input comment=\
"suppress ping flood-0:0 and limit for 5pac/s" icmp-options=0:0-255 \
in-interface=SFP1-combo1 limit=5,5:packet protocol=icmp
add action=accept chain=input comment=\
"suppress ping flood-3:3 and limit for 5pac/s" icmp-options=3:3 \
in-interface=SFP1-combo1 limit=5,5:packet protocol=icmp
add action=accept chain=input comment=\
"suppress ping flood-3:4 and limit for 5pac/s" icmp-options=3:4 \
in-interface=SFP1-combo1 limit=5,5:packet protocol=icmp
add action=accept chain=input comment=\
"suppress ping flood-8:0 and limit for 5pac/s" icmp-options=8:0-255 \
in-interface=SFP1-combo1 limit=5,5:packet protocol=icmp
add action=accept chain=input comment=\
"suppress ping flood-11:0 and limit for 5pac/s" icmp-options=11:0-255 \
in-interface=SFP1-combo1 limit=5,5:packet protocol=icmp
# DNSDROP: no in-interface on any of these. The dst-port=53 input rules also
# reject LAN-side queries to the router's own DNS (if it serves DNS) unless an
# earlier accept allows them. The src-port=53 rules drop packets *from* port 53,
# i.e. DNS replies to the router (input) and to forwarded clients (forward);
# legitimate replies get through only if an established/related accept precedes
# these rules. log=yes on the input src-port rule logs every such drop.
add action=drop chain=input comment=DNSDROP dst-port=53 protocol=udp
add action=drop chain=input comment=DNSDROP log=yes protocol=udp src-port=53
add action=drop chain=forward comment=DNSDROP protocol=udp src-port=53
add action=drop chain=input comment=DNSDROP dst-port=53 protocol=tcp
# The comment "Drop anything else" is misleading: these five rules match only
# UDP port 389 (LDAP/CLDAP, a known reflection/amplification vector) as source
# or destination on the input/forward/output chains. The output-chain rules also
# stop the router itself from using LDAP over UDP. A comment such as
# "Drop UDP/389 (CLDAP)" would describe them accurately.
add action=drop chain=input comment="Drop anything else" log=yes protocol=udp \
src-port=389
add action=drop chain=forward comment="Drop anything else" protocol=udp \
src-port=389
add action=drop chain=output comment="Drop anything else" protocol=udp \
src-port=389
add action=drop chain=forward comment="Drop anything else" dst-port=389 log=yes \
protocol=udp
add action=drop chain=output comment="Drop anything else" dst-port=389 log=yes \
protocol=udp
# UDP/10188 blocked in both directions on input and forward. NOTE(review): the
# service behind this port is not stated on this page; record it so the rule
# can be revisited.
add action=drop chain=input dst-port=10188 protocol=udp
add action=drop chain=input protocol=udp src-port=10188
add action=drop chain=forward protocol=udp src-port=10188
add action=drop chain=forward dst-port=10188 protocol=udp
# NTP (udp/123) blocked in both directions on forward and input, with no
# in-interface: the forward dst-port=123 rule also stops LAN clients from
# reaching external NTP servers, and the input src-port=123 rule drops replies
# to the router's own NTP client (if enabled) unless an established/related
# accept precedes it.
add action=drop chain=forward dst-port=123 protocol=udp
add action=drop chain=forward protocol=udp src-port=123
add action=drop chain=input protocol=udp src-port=123
add action=drop chain=input dst-port=123 protocol=udp