I installed DDOS in my firewall. But it happens again and again that my telephone system or my DNS server is blacklisted. Why?
Here is my Firewall:
Code: Select all
# jan/12/2023 10:52:40 by RouterOS 7.6
# software id = S11F-7CCV
#
# model = RB4011iGS+
# serial number = HD30857WKJ4
/ip firewall address-list
add address=10.99.1.0/24 list=local
add address=10.245.1.0/24 list=local
add address=10.178.1.0/24 list=local
add address=10.178.2.0/24 list=local
add address=10.178.3.0/24 list=local
add address=192.168.114.0/24 list=local
add address=10.178.4.0/24 list=local
add address=10.178.5.0/24 list=local
add address=10.178.6.0/24 list=local
add address=10.178.7.0/24 list=local
add address=10.178.8.0/24 list=local
add list=local
add address=8.8.8.8 list=DNS
add comment="Black List (SSH)" list="Black List (SSH)"
add comment="Black List (Winbox)" list="Black List (Winbox)"
add comment="Black List (Port Scanner WAN)" list=\
"Black List (Port Scanner WAN)"
add comment="Black List (Port Scanner LAN)" list=\
"Black List (Port Scanner LAN)"
add address=192.168.111.0/24 list=local
add address=10.246.1.0/24 list=local
add address=10.247.1.0/24 list=local
/ip firewall filter
add action=drop chain=input comment="Drop invalid connections" \
connection-state=invalid
add action=drop chain=input comment="Drop Netbios" connection-state="" \
dst-port=137,138 protocol=udp
add action=jump chain=forward connection-state=new jump-target=detect-ddos
add action=return chain=detect-ddos dst-limit=32,32,src-and-dst-addresses/10s
add action=return chain=detect-ddos src-address-list=DNS
add action=add-dst-to-address-list address-list=ddosed address-list-timeout=\
10m chain=detect-ddos
add action=add-src-to-address-list address-list=ddoser address-list-timeout=\
10m chain=detect-ddos
add action=drop chain=forward comment="Drop DDOS" connection-state=new \
disabled=yes dst-address-list=ddosed src-address-list=ddoser
add action=drop chain=input comment=\
"Drop anyone in the Port Scanner (WAN) list." in-interface-list=WAN log=\
yes log-prefix="BL_Black List (Port Scanner WAN)" src-address-list=\
"Black List (Port Scanner WAN)"
add action=drop chain=forward comment=\
"Drop anyone in the Port Scanner (WAN) list." in-interface-list=WAN log=\
yes log-prefix="BL_Black List (Port Scanner WAN)" src-address-list=\
"Black List (Port Scanner WAN)"
add action=add-src-to-address-list address-list=\
"Black List (Port Scanner WAN)" address-list-timeout=4w2d chain=input \
comment="Add TCP port scanner to Port Scanner (WAN) list." \
in-interface-list=WAN log=yes log-prefix=\
"Add_Black List (Port Scanner WAN)" protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment=\
"Drop anyone in the Port Scanner (LAN) list." in-interface-list=WAN log=\
yes log-prefix="BL_Black List (Port Scanner LAN)" src-address-list=\
"Black List (Port Scanner LAN)"
add action=drop chain=forward comment=\
"Drop anyone in the Port Scanner (LAN) list." in-interface-list=WAN log=\
yes log-prefix="BL_Black List (Port Scanner LAN)" src-address-list=\
"Black List (Port Scanner LAN)"
add action=add-src-to-address-list address-list=\
"Black List (Port Scanner LAN)" address-list-timeout=4w2d chain=forward \
comment="Add TCP port scanner to Port Scanner (LAN) list." \
in-interface-list=WAN log=yes log-prefix=\
"Add_Black List (Port Scanner LAN)" protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="Drop anyone in Black List (Winbox)." \
in-interface-list=WAN log=yes log-prefix="BL_Black List (Winbox)" \
src-address-list="Black List (Winbox)"
add action=jump chain=input comment="Jump to Black List (Winbox) chain." \
dst-port=8291 in-interface-list=WAN jump-target=\
"Black List (Winbox) Chain" protocol=tcp
add action=add-src-to-address-list address-list="Black List (Winbox)" \
address-list-timeout=4w2d chain="Black List (Winbox) Chain" comment="Trans\
fer repeated attempts from Black List (Winbox) Stage 6 to Black List (Winb\
ox)." connection-state=new in-interface-list=WAN log=yes log-prefix=\
"Add_Black List (Winbox)" src-address-list="Black List (Winbox) Stage 6"
add action=add-src-to-address-list address-list="Black List (Winbox) Stage 6" \
address-list-timeout=1m chain="Black List (Winbox) Chain" comment=\
"Add succesive attempts to Black List (Winbox) Stage 6." \
connection-state=new in-interface-list=WAN log=yes log-prefix=\
"Add_Black List (Winbox) S6" src-address-list=\
"Black List (Winbox) Stage 5"
add action=add-src-to-address-list address-list="Black List (Winbox) Stage 5" \
address-list-timeout=1m chain="Black List (Winbox) Chain" comment=\
"Add succesive attempts to Black List (Winbox) Stage 5." \
connection-state=new in-interface-list=WAN log=yes log-prefix=\
"Add_Black List (Winbox) S5" src-address-list=\
"Black List (Winbox) Stage 4"
add action=add-src-to-address-list address-list="Black List (Winbox) Stage 4" \
address-list-timeout=1m chain="Black List (Winbox) Chain" comment=\
"Add succesive attempts to Black List (Winbox) Stage 4." \
connection-state=new in-interface-list=WAN log=yes log-prefix=\
"Add_Black List (Winbox) S4" src-address-list=\
"Black List (Winbox) Stage 3"
add action=add-src-to-address-list address-list="Black List (Winbox) Stage 3" \
address-list-timeout=1m chain="Black List (Winbox) Chain" comment=\
"Add succesive attempts to Black List (Winbox) Stage 3." \
connection-state=new in-interface-list=WAN log=yes log-prefix=\
"Add_Black List (Winbox) S3" src-address-list=\
"Black List (Winbox) Stage 2"
add action=add-src-to-address-list address-list="Black List (Winbox) Stage 2" \
address-list-timeout=1m chain="Black List (Winbox) Chain" comment=\
"Add succesive attempts to Black List (Winbox) Stage 2." \
connection-state=new in-interface-list=WAN log=yes log-prefix=\
"Add_Black List (Winbox) S2" src-address-list=\
"Black List (Winbox) Stage 1"
add action=add-src-to-address-list address-list="Black List (Winbox) Stage 1" \
address-list-timeout=1m chain="Black List (Winbox) Chain" comment=\
"Add initial attempt to Black List (Winbox) Stage 1." connection-state=\
new in-interface-list=WAN log=yes log-prefix="Add_Black List (Winbox) S1"
add action=return chain="Black List (Winbox) Chain" comment=\
"Return From Black List (Winbox) chain."
add action=drop chain=input comment="Drop anyone in Black List (SSH)." \
in-interface-list=WAN log=yes log-prefix="BL_Black List (SSH)" \
src-address-list="Black List (SSH)"
add action=jump chain=input comment="Jump to Black List (SSH) chain." \
dst-port=45735 in-interface-list=WAN jump-target="Black List (SSH) Chain" \
protocol=tcp
add action=add-src-to-address-list address-list="Black List (SSH)" \
address-list-timeout=4w2d chain="Black List (SSH) Chain" comment="Transfer\
_repeated attempts from Black List (SSH) Stage 3 to Black List (SSH)." \
connection-state=new in-interface-list=WAN log=yes log-prefix=\
"Add_Black List (SSH)" src-address-list="Black List (SSH) Stage 3"
add action=add-src-to-address-list address-list="Black List (SSH) Stage 3" \
address-list-timeout=1m chain="Black List (SSH) Chain" comment=\
"Add successive attempts to Black List (SSH) Stage 3." connection-state=\
new in-interface-list=WAN log=yes log-prefix="Add_Black List (SSH) S3" \
src-address-list="Black List (SSH) Stage 2"
add action=add-src-to-address-list address-list="Black List (SSH) Stage 2" \
address-list-timeout=1m chain="Black List (SSH) Chain" comment=\
"Add successive attempts to Black List (SSH) Stage 2." connection-state=\
new in-interface-list=WAN log=yes log-prefix="Add_Black List (SSH) S2" \
src-address-list="Black List (SSH) Stage 1"
add action=add-src-to-address-list address-list="Black List (SSH) Stage 1" \
address-list-timeout=1m chain="Black List (SSH) Chain" comment=\
"Add initial attempt to Black List (SSH) Stage 1." connection-state=new \
in-interface-list=WAN log=yes log-prefix="Add_Black List (SSH) S1"
add action=return chain="Black List (SSH) Chain" comment=\
"Return From Black List (SSH) chain."
add action=accept chain=input comment="Accept established connections" \
connection-state=established
add action=accept chain=input comment="Accept related connections" \
connection-state=related
add action=accept chain=input comment="Accept SSH for secure shell" dst-port=\
45735 log=yes log-prefix=SSH_LOGIN protocol=tcp
add action=accept chain=input comment="Allow limited pings" limit=\
50/5s,2:packet protocol=icmp
add action=drop chain=input comment="Drop excess pings" protocol=icmp
add action=accept chain=input comment="Accept VPN" protocol=ipsec-esp
add action=accept chain=input comment="Accept OpenVPN" dst-port=1194 log=yes \
log-prefix=VPN_LOGIN protocol=tcp
add action=accept chain=input comment="Accept VPN" dst-port=500,4500,1701 \
protocol=udp
add action=accept chain=input comment="Accept Winbox access" dst-port=8291 \
log=yes log-prefix=MIKROTIK_LOGIN protocol=tcp src-address-list=local
add action=accept chain=input comment="Accept Winbox access" dst-port=51308 \
log=yes log-prefix=MIKROTIK_LOGIN protocol=udp
add action=accept chain=input comment="Accept Winbox MAC" dst-port=20561 \
in-interface-list=!WAN log=yes log-prefix=MIKROTIK_MAC_LOGIN protocol=udp \
src-address-list=local
add action=accept chain=input comment="Accept NDP" dst-port=5678 \
in-interface-list=!WAN protocol=udp src-address-list=local
add action=accept chain=input comment="Accept DNS Querry" dst-port=53 \
in-interface-list=!WAN protocol=udp src-address-list=local
add action=accept chain=input comment="Accept NTP Querry" dst-port=123 \
in-interface-list=!WAN protocol=udp src-address-list=local
add action=accept chain=input comment="Accept DHCP Querry" dst-port=67 \
in-interface-list=!WAN protocol=udp src-address-list=local src-port=68
add action=accept chain=input comment="Accept SNMP" dst-port=161 \
in-interface-list=!WAN protocol=udp src-address-list=local
add action=accept chain=input comment="Accept Winbox http" dst-port=1455 \
in-interface-list=!WAN protocol=tcp src-address-list=local
add action=accept chain=input comment="Accept Radius" dst-port=3799,1812,1813 \
in-interface-list=!WAN protocol=udp src-address-list=local
add action=accept chain=input comment="CAPsMAN accept all local traffic" \
src-address-type=local
add action=drop chain=input comment="Drop everything else" log=yes \
log-prefix="IN DROP REST -> "
add action=accept chain=forward comment="PF Mailserver" disabled=yes \
dst-port=443 protocol=tcp
add action=accept chain=forward comment="PF Mailserver" disabled=yes \
dst-port=80 protocol=tcp
add action=accept chain=forward comment="Accept DSTNAT connections" \
connection-nat-state=dstnat
add action=accept chain=forward comment="Accept established connections" \
connection-state=established
add action=accept chain=forward comment="Accept related connections" \
connection-state=related
add action=accept chain=forward comment="Accept VPN" in-interface=l2tp-XX
add action=accept chain=forward comment="Accept VPN" in-interface=CLOUD
add action=accept chain=forward comment="Accept VPN" out-interface=l2tp-XX
add action=accept chain=forward comment="Accept VPN" out-interface=CLOUD
add action=accept chain=forward comment="Accept VPN" in-interface=\
l2tp-MKI01DK01
add action=accept chain=forward comment="Accept VPN" out-interface=\
l2tp-MKI01DK01
# l2tp-MKI01DK02 not ready
add action=accept chain=forward comment="Accept VPN" in-interface=\
l2tp-MKI01DK02 log=yes
# l2tp-MKI01DK02 not ready
add action=accept chain=forward comment="Accept VPN" out-interface=\
l2tp-MKI01DK02
add action=accept chain=forward comment="Allow Forward to WAN1" \
out-interface=WAN1
add action=accept chain=forward comment="Allow Forward to WAN2" \
out-interface=WAN2
add action=accept chain=forward comment="Allow Forward to WAN3" disabled=yes \
out-interface=ether10
add action=drop chain=forward comment="Drop invalid connections" \
connection-state=invalid
add action=log chain=forward comment="Log everything else" log-prefix=\
"DROP FORWARD"
add action=drop chain=forward comment="Drop everything else"
/ip firewall nat
add action=accept chain=srcnat disabled=yes dst-address=10.52.31.0/24 \
src-address=10.245.1.0/24
add action=dst-nat chain=dstnat disabled=yes dst-port=443 in-interface=WAN1 \
log=yes protocol=tcp to-addresses=192.168.0.10 to-ports=443
add action=dst-nat chain=dstnat disabled=yes dst-port=80 in-interface=WAN1 \
log=yes protocol=tcp to-addresses=192.168.0.10 to-ports=80
add action=masquerade chain=srcnat out-interface=WAN1
add action=masquerade chain=srcnat out-interface=WAN2
add action=masquerade chain=srcnat disabled=yes out-interface=ether10
add action=accept chain=srcnat
/ip firewall service-port
set sip disabled=yes