Thanks in Advance!
Firewall Raw
0 ;;; Drop all DNS requests from the Internet
chain=prerouting action=drop in-interface-list=WAN dst-port=53 log=no log-prefix="" protocol=tcp
1 chain=prerouting action=drop in-interface-list=WAN dst-port=53 log=no log-prefix="" protocol=udp
2 ;;; TCP invalid combination of flags attack (7 rules)
chain=prerouting action=drop tcp-flags=!fin,!syn,!rst,!ack log=no log-prefix="" protocol=tcp
3 chain=prerouting action=drop tcp-flags=fin,syn log=no log-prefix="" protocol=tcp
4 chain=prerouting action=drop tcp-flags=fin,rst log=no log-prefix="" protocol=tcp
5 chain=prerouting action=drop tcp-flags=fin,!ack log=no log-prefix="" protocol=tcp
6 chain=prerouting action=drop tcp-flags=fin,urg log=no log-prefix="" protocol=tcp
7 chain=prerouting action=drop tcp-flags=syn,rst log=no log-prefix="" protocol=tcp
8 chain=prerouting action=drop tcp-flags=rst,urg log=no log-prefix="" protocol=tcp
9 ;;; TCP Port 0 attack (2 rules)
chain=prerouting action=drop src-port=0 log=no log-prefix="" protocol=tcp
10 chain=prerouting action=drop dst-port=0 log=no log-prefix="" protocol=tcp
11 ;;; UDP Port 0 attack (2 rules)
chain=prerouting action=drop src-port=0 log=no log-prefix="" protocol=udp
12 chain=prerouting action=drop dst-port=0 log=no log-prefix="" protocol=udp
13 ;;; Protect the device from crashing on ICMP packets larger than 1024 bytes
chain=prerouting action=drop packet-size=1025-1600 log=no log-prefix="" protocol=icmp
14 ;;; ICMP large packet attack
chain=prerouting action=drop packet-size=1601-65535 log=no log-prefix="" protocol=icmp
15 ;;; ICMP fragmentation attack
chain=prerouting action=drop log=no log-prefix="" protocol=icmp fragment=yes
16 ;;; SYN fragmented attack
chain=prerouting action=drop tcp-flags=syn log=no log-prefix="" protocol=tcp fragment=yes
17 ;;; Fragment attack Interface Protection
chain=prerouting action=drop log=no log-prefix="" fragment=yes dst-address-list=LAN Users
18 ;;; IP option loose-source-routing
chain=prerouting action=drop log=no log-prefix="" ipv4-options=loose-source-routing
19 ;;; IP option strict-source-routing
chain=prerouting action=drop log=no log-prefix="" ipv4-options=strict-source-routing
20 ;;; IP option record-route
chain=prerouting action=drop log=no log-prefix="" ipv4-options=record-route
21 ;;; IP option router-alert
chain=prerouting action=drop log=no log-prefix="" ipv4-options=router-alert
22 ;;; IP option timestamp
chain=prerouting action=drop log=no log-prefix="" ipv4-options=timestamp
23 ;;; Remaining IP options, except IP Stream used by the IGMP protocol
chain=prerouting action=drop log=no log-prefix="" protocol=!igmp ipv4-options=any
24 chain=prerouting action=accept log=no log-prefix="" protocol=icmp
25 chain=prerouting action=accept log=no log-prefix="" protocol=igmp
26 chain=prerouting action=accept log=no log-prefix="" protocol=tcp
27 chain=prerouting action=accept log=no log-prefix="" protocol=udp
28 chain=prerouting action=accept log=no log-prefix="" protocol=gre
29 chain=prerouting action=log log=yes log-prefix="Not TCP protocol" protocol=!tcp
30 ;;; Unused protocol protection
chain=prerouting action=drop log=no log-prefix="" protocol=!tcp
Firewall Filter
0 D chain=forward action=jump jump-target=hs-unauth hotspot=from-client,!auth
1 D chain=forward action=jump jump-target=hs-unauth-to hotspot=to-client,!auth
2 D chain=input action=jump jump-target=hs-input hotspot=from-client
3 D chain=input action=drop protocol=tcp hotspot=!from-client dst-port=64872-64875
4 D chain=hs-input action=jump jump-target=pre-hs-input
5 D chain=hs-input action=accept protocol=udp dst-port=64872
6 D chain=hs-input action=accept protocol=tcp dst-port=64872-64875
7 D chain=hs-input action=jump jump-target=hs-unauth hotspot=!auth
8 D chain=hs-unauth action=reject reject-with=tcp-reset protocol=tcp
9 D chain=hs-unauth action=reject reject-with=icmp-net-prohibited
10 D chain=hs-unauth-to action=reject reject-with=icmp-host-prohibited
11 X ;;; place hotspot rules here
chain=unused-hs-chain action=passthrough
12 ;;; Accept established,related connections
chain=input action=accept connection-state=established,related
13 ;;; Accept established,related connections
chain=forward action=accept connection-state=established,related
14 ;;; Accept established,related connections
chain=output action=accept connection-state=established,related log=no log-prefix=""
15 X ;;; UDP
chain=input action=accept protocol=udp log=no log-prefix=""
16 ;;; Allow LAN DNS queries-UDP
chain=forward action=accept protocol=udp src-address-list=LAN Users dst-port=53 log=no log-prefix=""
17 ;;; Allow LAN DNS queries-TCP
chain=forward action=accept protocol=tcp src-address-list=LAN Users dst-port=53 log=no log-prefix=""
18 ;;; Allow WireGuard traffic
chain=input action=accept src-address=192.168.200.0/24 log=no log-prefix=""
19 ;;; Allow WireGuard
chain=input action=accept protocol=udp dst-port=13231
20 chain=forward action=jump jump-target=tcp protocol=tcp
21 chain=forward action=jump jump-target=udp protocol=udp
22 ;;; deny TFTP
chain=tcp action=drop protocol=tcp dst-port=69
23 ;;; deny RPC portmapper
chain=tcp action=drop protocol=tcp dst-port=111
24 ;;; deny RPC portmapper
chain=tcp action=drop protocol=tcp dst-port=135
25 ;;; deny NBT
chain=tcp action=drop protocol=tcp dst-port=137-139
26 ;;; deny cifs
chain=tcp action=drop protocol=tcp dst-port=445
27 ;;; deny NFS
chain=tcp action=drop protocol=tcp dst-port=2049
28 ;;; deny NetBus
chain=tcp action=drop protocol=tcp dst-port=12345-12346
29 ;;; deny NetBus
chain=tcp action=drop protocol=tcp dst-port=20034
30 ;;; deny BackOrifice
chain=tcp action=drop protocol=tcp dst-port=3133
31 ;;; deny DHCP
chain=tcp action=drop protocol=tcp dst-port=67-68
32 ;;; deny TFTP
chain=udp action=drop protocol=udp dst-port=69
33 ;;; deny RPC portmapper
chain=udp action=drop protocol=udp dst-port=111
34 ;;; deny RPC portmapper
chain=udp action=drop protocol=udp dst-port=135
35 ;;; deny NBT
chain=udp action=drop protocol=udp dst-port=137-139
36 ;;; deny NFS
chain=udp action=drop protocol=udp dst-port=2049
37 ;;; deny BackOrifice
chain=udp action=drop protocol=udp dst-port=3133
38 chain=forward action=jump jump-target=block-ddos connection-state=new
39 chain=forward action=drop connection-state=new src-address-list=ddoser dst-address-list=ddosed
40 chain=block-ddos action=return dst-limit=50,50,src-and-dst-addresses/10s
41 chain=block-ddos action=add-dst-to-address-list address-list=ddosed address-list-timeout=1m log=yes
42 chain=block-ddos action=add-src-to-address-list address-list=ddoser address-list-timeout=1m log=yes
43 ;;; Drop port scanners
chain=input action=drop src-address-list=port scanners
44 ;;; Port scanners to list
chain=input action=add-src-to-address-list protocol=tcp psd=21,3s,3,1 address-list=port scanners address-list-timeout=2m
45 ;;; NMAP FIN Stealth scan
chain=input action=add-src-to-address-list tcp-flags=fin,!syn,!rst,!psh,!ack,!urg protocol=tcp address-list=port scanners address-list-timeout=2m
46 ;;; SYN/FIN scan
chain=input action=add-src-to-address-list tcp-flags=fin,syn protocol=tcp address-list=port scanners address-list-timeout=2m
47 ;;; SYN/RST scan
chain=input action=add-src-to-address-list tcp-flags=syn,rst protocol=tcp address-list=port scanners address-list-timeout=2m
48 ;;; FIN/PSH/URG scan
chain=input action=add-src-to-address-list tcp-flags=fin,psh,urg,!syn,!rst,!ack protocol=tcp address-list=port scanners address-list-timeout=2m
49 ;;; ALL/ALL scan
chain=input action=add-src-to-address-list tcp-flags=fin,syn,rst,psh,ack,urg protocol=tcp address-list=port scanners address-list-timeout=30m
50 ;;; NMAP NULL scan
chain=input action=add-src-to-address-list tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg protocol=tcp address-list=port scanners address-list-timeout=2m
51 ;;; Blaster Worm
chain=virus action=drop protocol=tcp dst-port=135-139
52 ;;; Blaster Worm
chain=virus action=drop protocol=tcp dst-port=445
53 ;;; Messenger Worm
chain=virus action=drop protocol=udp dst-port=135-139
54 ;;; Blaster Worm
chain=virus action=drop protocol=udp dst-port=445
55 ;;; ________
chain=virus action=drop protocol=tcp dst-port=593
56 ;;; ________
chain=virus action=drop protocol=tcp dst-port=1024-1030
57 ;;; MyDoom
chain=virus action=drop protocol=tcp dst-port=1080
58 ;;; ________
chain=virus action=drop protocol=tcp dst-port=1214
59 ;;; ndm requester
chain=virus action=drop protocol=tcp dst-port=1363
60 ;;; ndm server
chain=virus action=drop protocol=tcp dst-port=1364
61 ;;; screen cast
chain=virus action=drop protocol=tcp dst-port=1368
62 ;;; hromgrafx
chain=virus action=drop protocol=tcp dst-port=1373
63 ;;; cichlid
chain=virus action=drop protocol=tcp dst-port=1377
64 ;;; Worm
chain=virus action=drop protocol=tcp dst-port=1433-1434
65 ;;; Bagle Virus
chain=virus action=drop protocol=tcp dst-port=2745
66 ;;; Dumaru.Y
chain=virus action=drop protocol=tcp dst-port=2283
67 ;;; Beagle
chain=virus action=drop protocol=tcp dst-port=2535
68 ;;; Beagle.C-K
chain=virus action=drop protocol=tcp dst-port=2745
69 ;;; MyDoom
chain=virus action=drop protocol=tcp dst-port=3127-3128
70 ;;; Backdoor OptixPro
chain=virus action=drop protocol=tcp dst-port=3410
71 ;;; Sasser
chain=virus action=drop protocol=tcp dst-port=5554
72 ;;; Beagle.B
chain=virus action=drop protocol=tcp dst-port=8866
73 ;;; Dabber.A-B
chain=virus action=drop protocol=tcp dst-port=9898
74 ;;; Dumaru.Y
chain=virus action=drop protocol=tcp dst-port=10000
75 ;;; MyDoom.B
chain=virus action=drop protocol=tcp dst-port=10080
76 ;;; NetBus
chain=virus action=drop protocol=tcp dst-port=12345
77 ;;; Kuang2
chain=virus action=drop protocol=tcp dst-port=17300
78 ;;; SubSeven
chain=virus action=drop protocol=tcp dst-port=27374
79 ;;; PhatBot, Agobot, Gaobot
chain=virus action=drop protocol=tcp dst-port=65506
80 ;;; Trinoo
chain=virus action=drop protocol=udp dst-port=12667
81 ;;; Trinoo
chain=virus action=drop protocol=udp dst-port=27665
82 ;;; Trinoo
chain=virus action=drop protocol=udp dst-port=31335
83 ;;; Trinoo
chain=virus action=drop protocol=udp dst-port=27444
84 ;;; Trinoo
chain=virus action=drop protocol=udp dst-port=34555
85 ;;; Trinoo
chain=virus action=drop protocol=udp dst-port=35555
86 ;;; Trinoo
chain=virus action=drop protocol=tcp dst-port=27444
87 ;;; Drop Worm Infected (Mangle)
chain=forward action=drop protocol=tcp src-address-list=Worm-Infected-p445 port=445
88 ;;; jump to the virus chain
chain=forward action=jump jump-target=virus
89 ;;; invalid connections
chain=input action=drop connection-state=invalid
90 ;;; invalid connections
chain=forward action=drop connection-state=invalid
91 ;;; invalid connections
chain=output action=drop connection-state=invalid log=no log-prefix=""
92 ;;; Bruteforce
chain=forward action=jump jump-target=Bruteforce connection-state=new protocol=tcp dst-address-list=TechsoftcenterIPBlocks dst-port=22,3389
93 ;;; Drop - Blacklist
chain=Bruteforce action=drop src-address-list=Bruteforce-Blacklist
94 ;;; Add - Blacklist
chain=Bruteforce action=add-src-to-address-list src-address-list=Bruteforce-Stage3 address-list=Bruteforce-Blacklist address-list-timeout=15m
95 ;;; Add - Stage-3
chain=Bruteforce action=add-src-to-address-list src-address-list=Bruteforce-Stage2 address-list=Bruteforce-Stage3 address-list-timeout=30s
96 ;;; Add - Stage-2
chain=Bruteforce action=add-src-to-address-list src-address-list=Bruteforce-Stage1 address-list=Bruteforce-Stage2 address-list-timeout=30s
97 ;;; Add - Stage-1
chain=Bruteforce action=add-src-to-address-list address-list=Bruteforce-Stage1 address-list-timeout=30s
98 ;;; Drop to bogon list
chain=forward action=drop dst-address-list=bogons