LINE BY LINE:
Code: Select all
# TCP Services
/ip firewall filter add chain=forward protocol=tcp in-interface-list="LOCAL LANS" out-interface="SERVERS_VLAN" dst-port=53 comment="DNS"
/ip firewall filter add chain=forward protocol=tcp in-interface-list="LOCAL LANS" out-interface="SERVERS_VLAN" dst-port=88 comment="Kerberos"
/ip firewall filter add chain=forward protocol=tcp in-interface-list="LOCAL LANS" out-interface="SERVERS_VLAN" dst-port=135 comment="RPC Endpoint Mapper"
/ip firewall filter add chain=forward protocol=tcp in-interface-list="LOCAL LANS" out-interface="SERVERS_VLAN" dst-port=389 comment="LDAP"
/ip firewall filter add chain=forward protocol=tcp in-interface-list="LOCAL LANS" out-interface="SERVERS_VLAN" dst-port=636 comment="LDAP SSL"
/ip firewall filter add chain=forward protocol=tcp in-interface-list="LOCAL LANS" out-interface="SERVERS_VLAN" dst-port=445 comment="SMB (SMB2, SMB3)"
/ip firewall filter add chain=forward protocol=tcp in-interface-list="LOCAL LANS" out-interface="SERVERS_VLAN" dst-port=464 comment="Kerberos password change"
/ip firewall filter add chain=forward protocol=tcp in-interface-list="LOCAL LANS" out-interface="SERVERS_VLAN" dst-port=3268 comment="Global Catalog lookup"
/ip firewall filter add chain=forward protocol=tcp in-interface-list="LOCAL LANS" out-interface="SERVERS_VLAN" dst-port=3269 comment="Global Catalog lookup SSL"
/ip firewall filter add chain=forward protocol=tcp in-interface-list="LOCAL LANS" out-interface="SERVERS_VLAN" dst-port=5722 comment="File Replication Service"
/ip firewall filter add chain=forward protocol=tcp in-interface-list="LOCAL LANS" out-interface="SERVERS_VLAN" dst-port=49152-65535 comment="Dynamic RPC ports"
/ip firewall filter add chain=forward protocol=tcp in-interface-list="LOCAL LANS" out-interface="SERVERS_VLAN" dst-port=443 comment="HTTP SSL"
/ip firewall filter add chain=forward protocol=tcp in-interface-list="LOCAL LANS" out-interface="SERVERS_VLAN" dst-port=80 comment="HTTP"
/ip firewall filter add chain=forward protocol=tcp in-interface-list="LOCAL LANS" out-interface="SERVERS_VLAN" dst-port=427 comment="Service Location Protocol"
/ip firewall filter add chain=forward protocol=tcp in-interface-list="LOCAL LANS" out-interface="SERVERS_VLAN" dst-port=631 comment="Internet Printing Protocol"
/ip firewall filter add chain=forward protocol=tcp in-interface-list="LOCAL LANS" out-interface="SERVERS_VLAN" dst-port=9100 comment="Direct IP-based Printing"
Code: Select all
# UDP Services
/ip firewall filter add chain=forward protocol=udp in-interface-list="LOCAL LANS" out-interface="SERVERS_VLAN" dst-port=53 comment="DNS"
/ip firewall filter add chain=forward protocol=udp in-interface-list="LOCAL LANS" out-interface="SERVERS_VLAN" dst-port=88 comment="Kerberos"
/ip firewall filter add chain=forward protocol=udp in-interface-list="LOCAL LANS" out-interface="SERVERS_VLAN" dst-port=389 comment="LDAP"
/ip firewall filter add chain=forward protocol=udp in-interface-list="LOCAL LANS" out-interface="SERVERS_VLAN" dst-port=123 comment="Windows Time service"
/ip firewall filter add chain=forward protocol=udp in-interface-list="LOCAL LANS" out-interface="SERVERS_VLAN" dst-port=464 comment="Kerberos password change"
/ip firewall filter add chain=forward protocol=udp in-interface-list="LOCAL LANS" out-interface="SERVERS_VLAN" dst-port=3702 comment="WS-Discovery"
/ip firewall filter add chain=forward protocol=udp in-interface-list="LOCAL LANS" out-interface="SERVERS_VLAN" dst-port=161,162 comment="SNMP"
/ip firewall filter add chain=forward protocol=udp in-interface-list="LOCAL LANS" out-interface="SERVERS_VLAN" dst-port=427 comment="Service Location Protocol"
Code: Select all
# NetBIOS
/ip firewall filter add chain=forward protocol=udp in-interface-list="LOCAL LANS" out-interface="SERVERS_VLAN" dst-port=137,138 comment="NetBIOS Name Service, NetBIOS Datagram Service"
/ip firewall filter add chain=forward protocol=tcp in-interface-list="LOCAL LANS" out-interface="SERVERS_VLAN" dst-port=139 comment="NetBIOS Session (Older Printer & File Sharing, SMB1/CIFS)"ONE LINERS:
Code: Select all
# TCP Services
/ip firewall filter add chain=forward protocol=tcp in-interface-list="LOCAL LANS" out-interface="SERVERS_VLAN" dst-port=53,88,135,389,636,445,464,3268,3269,5722,443,80,427,631,9100 comment="Main TCP Services (Part 1)"
/ip firewall filter add chain=forward protocol=tcp in-interface-list="LOCAL LANS" out-interface="SERVERS_VLAN" dst-port=49152-65535 comment="Main TCP Services (Part 2)"
Code: Select all
# UDP Services
/ip firewall filter add chain=forward protocol=udp in-interface-list="LOCAL LANS" dst-port=53,88,389,123,464,3702,161-162,427 comment="DNS, Kerberos, LDAP, Windows Time service, Kerberos password change, WS-Discovery, SNMP, Service Location Protocol"
Code: Select all
# Separate rules for NetBIOS ports TCP
/ip firewall filter add chain=forward protocol=udp in-interface-list="LOCAL LANS" dst-port=137,138 comment="NetBIOS Name Service, NetBIOS Datagram Service"Code: Select all
# Separate rules for NetBIOS ports UDP
/ip firewall filter add chain=forward protocol=tcp in-interface-list="LOCAL LANS" dst-port=139 comment="NetBIOS Session (Older Printer & File Sharing, SMB1/CIFS)"
