0% found this document useful (0 votes)

51 views

Firewall

This document contains firewall configuration rules for address lists, filters, and chains. It defines rules for common reserved and private IP ranges, as well as rules to detect and block potential threats like SYN floods, port scanning, and spamming. The rules are designed to allow legitimate traffic while protecting the network.

Uploaded by

Pepi To

Available Formats

Download as XLSX, PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

51 views

Firewall

Uploaded by

Pepi To

Available Formats

Download as XLSX, PDF, TXT or read online on Scribd

You are on page 1/ 6

/ip firewall address-list

1 add address=0.0.0.0/8
add address=10.0.0.0/8
2

3 disabled=yes list=bogons
4 add address=127.0.0.0/8
5 add address=169.254.0.0/16
add address=172.16.0.0/12
6

7 disabled=yes list=bogons
add address=192.168.0.0/16
8

9 disabled=yes list=bogons
10 add address=192.0.2.0/24
add address=192.88.99.0/24
11

12 add address=198.18.0.0/15
13 add address=198.51.100.0/24
14 add address=203.0.113.0/24
add address=224.0.0.0/4
15

16
add action=add-src-to-address-list address-
17 list=Syn_Flooder address-list-timeout=30m
chain=input \

add action=drop chain=input

18
add action=add-src-to-address-list address-
19 list=Port_Scanner address-list-timeout=1w
chain=input

20 disabled=no protocol=tcp psd=21,3s,3,1

add action=drop chain=input
21
add action=jump chain=input
22

23 add action=drop chain=input\

disabled=yes dst-port=8291 protocol=tcp src-address-

25 list=!support
add action=jump chain=forward
26
add action=drop chain=forward
27
add action=add-src-to-address-list address-
28 list=spammers address-list-timeout=3h chain=forward

add action=drop chain=forward

30 add action=accept chain=input

31 add action=accept chain=input
add action=accept chain=input
32

33 disabled=no
add action=accept chain=input
34
add action=accept chain=input
35
add action=drop chain=input
36

add action=accept chain=ICMP

38
add action=accept chain=ICMP
39
add action=accept chain=ICMP
40

41 add action=accept chain=ICMP

42 add action=drop chain=ICMP
add action=jump chain=output
43

44 /ip firewall filter

add chain=input
45
add chain=input
46

47 add action=drop chain=input

add action=drop chain=input
48
add action=drop chain=input
49
add action=drop chain=input
50
51 /ip firewall filter
add chain=forward
52

53 add action=drop chain=forward

add action=drop chain=forward
54

add action=drop chain=forward

58 /ip firewall filter

add action=drop chain=forward
59
Self-Identification [RFC 3330] disabled=no list=bogons
Private[RFC 1918] - CLASS A # Check if you need this subnet
before enable it\

Loopback [RFC 3330] disabled=no list=bogons

Link Local [RFC 3330] disabled=no list=bogons
Private[RFC 1918] - CLASS B # Check if you need this subnet
before enable it\

Private[RFC 1918] - CLASS C # Check if you need this subnet

before enable it\

Reserved - IANA - TestNet1 disabled=no list=bogons

6to4 Relay Anycast [RFC 3068] disabled=no list=bogons

NIDB Testing disabled=no list=bogons

Reserved - IANA - TestNet2 disabled=no list=bogons
Reserved - IANA - TestNet3 disabled=no list=bogons
MC, Class D, IANA # Check if you need this subnet before
enable it\

Add Syn Flood IP to the list connection-limit=30,32

disabled=no protocol=tcp tcp-flags=syn

Drop to syn flood list disabled=no src-address-

list=Syn_Flooder
Port Scanner Detect\

Drop to port scan list disabled=no src-address-

list=Port_Scanner
Jump for icmp input flow disabled=no jump-target=ICMP
protocol=icmp

Block all access to the winbox - except to support list # DO

NOT ENABLE THIS RULE BEFORE ADD YOUR SUBNET IN THE
SUPPORT ADDRESS LIST\

Jump for icmp forward flow disabled=no jump-target=ICMP

protocol=icmp
Drop to bogon list disabled=no dst-address-list=bogons

Add Spammers to the list for 3 hours\

Avoid spammers action disabled=no dst-port=25,587

protocol=tcp src-address-list=spammers
Accept DNS - UDP disabled=no port=53 protocol=udp
Accept DNS - TCP disabled=no port=53 protocol=tcp
Accept to established connections connection-
state=established\

Accept to related connections connection-state=related

disabled=no
Full access to SUPPORT address list disabled=no src-address-
list=support
Drop anything else! # DO NOT ENABLE THIS RULE BEFORE
YOU MAKE SURE ABOUT ALL ACCEPT RULES YOU NEED\

Echo request - Avoiding Ping Flood, adjust the limit as

needed disabled=no icmp-options=8:0 limit=2,5
protocol=icmp

Echo reply disabled=no icmp-options=0:0 protocol=icmp

Time Exceeded disabled=no icmp-options=11:0

protocol=icmp
Destination unreachable disabled=no icmp-options=3:0-1
protocol=icmp
PMTUD disabled=no icmp-options=3:4 protocol=icmp
Drop to the other ICMPs disabled=no protocol=icmp
Jump for icmp output disabled=no jump-target=ICMP
protocol=icmp

Accept established and related packets connection-

state=established,related
Accept all connections from local network in-interface=LAN

Drop invalid packets connection-state=invalid

Drop all packets which are not destined to routes IP address
dst-address-type=!local
Drop all packets which does not have unicast source IP
address src-address-type=!unicast
Drop all packets from public internet which should not exist
in public network in-interface=WAN src-address-
list=NotPublic
Accept established and related packets connection-
state=established,related
Drop invalid packets connection-state=invalid
Drop new connections from internet which are not dst-
natted connection-nat-state=!dstnat connection-state=new
in-interface=WAN

Drop all packets from public internet which should not exist
in public network in-interface=WAN src-address-
list=NotPublic

Drop all packets from local network to internet which should

not exist in public network dst-address-list=NotPublic in-
interface=LAN

Drop all packets in local network which does not have local
network address in-interface=LAN src-address=!
192.168.88.0/24

Drop new connections from internet which are not dst-

natted connection-nat-state=!dstnat connection-state=new
in-interface=WAN

Network Security All-in-one: ASA Firepower WSA Umbrella VPN ISE Layer 2 Security
From Everand
Network Security All-in-one: ASA Firepower WSA Umbrella VPN ISE Layer 2 Security
Redouane MEDDANE
No ratings yet
Script 1 ISP Plug N' Play (1x Klik Langsung Ke Kazakhstan)
100% (2)
Script 1 ISP Plug N' Play (1x Klik Langsung Ke Kazakhstan)
12 pages
Balaceo Pcc+failover
No ratings yet
Balaceo Pcc+failover
2 pages
DSP Module 5 Notes
100% (6)
DSP Module 5 Notes
17 pages
Basic Universal Firewall Script - MikroTik Wiki PDF
No ratings yet
Basic Universal Firewall Script - MikroTik Wiki PDF
2 pages
Reglas Firewall Basicas
No ratings yet
Reglas Firewall Basicas
3 pages
IFG Firewall
No ratings yet
IFG Firewall
3 pages
Script 1 ISP Plug & Play
No ratings yet
Script 1 ISP Plug & Play
14 pages
Firewall MK Basico
No ratings yet
Firewall MK Basico
2 pages
Filter Rule
No ratings yet
Filter Rule
2 pages
2isp Khususgame
No ratings yet
2isp Khususgame
8 pages
Balanceo 7 Lineas Ppoe
No ratings yet
Balanceo 7 Lineas Ppoe
5 pages
Versi Lite 2isp
No ratings yet
Versi Lite 2isp
4 pages
Anti Net Cut
No ratings yet
Anti Net Cut
3 pages
Hafalan MIKROTIK Ujikom 2013
No ratings yet
Hafalan MIKROTIK Ujikom 2013
2 pages
Script Speedtest
No ratings yet
Script Speedtest
1 page
Block Scanner Mikrotik
0% (1)
Block Scanner Mikrotik
2 pages
Script
No ratings yet
Script
5 pages
Bloqueo p2p
No ratings yet
Bloqueo p2p
2 pages
Port Flooding Mikrotik
No ratings yet
Port Flooding Mikrotik
3 pages
my dual wan and pppoe setup
No ratings yet
my dual wan and pppoe setup
2 pages
Mikrotik Warnet
No ratings yet
Mikrotik Warnet
43 pages
Aula 36 - Prevenindo Ataques de Login Por Força-Bruta
No ratings yet
Aula 36 - Prevenindo Ataques de Login Por Força-Bruta
2 pages
CHR
No ratings yet
CHR
8 pages
Firewall
No ratings yet
Firewall
4 pages
Cara Block SSH FTP Brute Force MikroTik
No ratings yet
Cara Block SSH FTP Brute Force MikroTik
1 page
Ip VLN Routs
No ratings yet
Ip VLN Routs
8 pages
Configuração RB SPECELESS - Filter
No ratings yet
Configuração RB SPECELESS - Filter
5 pages
hardening-mikrotik
No ratings yet
hardening-mikrotik
4 pages
Firewall
No ratings yet
Firewall
3 pages
Firewall Mikrotik
No ratings yet
Firewall Mikrotik
4 pages
Balanceo de Carga NTH
100% (1)
Balanceo de Carga NTH
3 pages
Annisa Rezdky Andini Ab Xii TKJ 5
No ratings yet
Annisa Rezdky Andini Ab Xii TKJ 5
6 pages
Tproxyloss
No ratings yet
Tproxyloss
4 pages
Script Ok
No ratings yet
Script Ok
2 pages
RB450G
No ratings yet
RB450G
10 pages
Setting Mikrotik Warnet
No ratings yet
Setting Mikrotik Warnet
9 pages
Basic Universal Firewall Script
No ratings yet
Basic Universal Firewall Script
3 pages
Bảo Mật
No ratings yet
Bảo Mật
2 pages
Backup Ro Nin
No ratings yet
Backup Ro Nin
5 pages
Plantilla Configuracion Mocrotik VER 6.29.1
No ratings yet
Plantilla Configuracion Mocrotik VER 6.29.1
10 pages
Escrip Basica RB Mikrotik
No ratings yet
Escrip Basica RB Mikrotik
3 pages
interface bridge
No ratings yet
interface bridge
2 pages
By Pass
No ratings yet
By Pass
1 page
mikrotik-ftth-movistar
No ratings yet
mikrotik-ftth-movistar
2 pages
Konfigurasi CLI Mikrotik Lengkap
100% (1)
Konfigurasi CLI Mikrotik Lengkap
16 pages
Cara Setting Mikrotik Anti NetCut Firewall Mikrotik
No ratings yet
Cara Setting Mikrotik Anti NetCut Firewall Mikrotik
2 pages
Workshop Firewall
No ratings yet
Workshop Firewall
10 pages
Firewall Mikrotik L3
No ratings yet
Firewall Mikrotik L3
5 pages
Simple and Powerfull Firewall Filter
No ratings yet
Simple and Powerfull Firewall Filter
4 pages
Konfig Mikrotik Hex
No ratings yet
Konfig Mikrotik Hex
1 page
Script Ganti Nama Isp Di Speedtest Dan Whatsmyip Labkom - Co.Id Nama Interface VPN L2tp-Out1
No ratings yet
Script Ganti Nama Isp Di Speedtest Dan Whatsmyip Labkom - Co.Id Nama Interface VPN L2tp-Out1
4 pages
Firewall Filters: Las Reglas Más Básicas Que Debe Tener Un RB Mikrotik
No ratings yet
Firewall Filters: Las Reglas Más Básicas Que Debe Tener Un RB Mikrotik
3 pages
Ganti Nama Isp Di Speedtest
No ratings yet
Ganti Nama Isp Di Speedtest
4 pages
Ganti Nama Isp Di Speedtest
No ratings yet
Ganti Nama Isp Di Speedtest
4 pages
333333333
No ratings yet
333333333
2 pages
Balaceo Pcc+failover
No ratings yet
Balaceo Pcc+failover
1 page
Scripts Moroso
No ratings yet
Scripts Moroso
1 page
reglas de corte (1)
No ratings yet
reglas de corte (1)
1 page
Configuration of a Simple Samba File Server, Quota and Schedule Backup
From Everand
Configuration of a Simple Samba File Server, Quota and Schedule Backup
Dr. Hedaya Alasooly
No ratings yet
VPS Server Setup
From Everand
VPS Server Setup
L Mohan Arun
5/5 (1)
PNMTj-5000s Operation
No ratings yet
PNMTj-5000s Operation
83 pages
J 1417-Information Security (2014 Admn Onwards
No ratings yet
J 1417-Information Security (2014 Admn Onwards
10 pages
CAZ60 LA-E671P ITALIA Pilot MB r1.0
No ratings yet
CAZ60 LA-E671P ITALIA Pilot MB r1.0
61 pages
Apache Kafka Essentials
No ratings yet
Apache Kafka Essentials
10 pages
CSV Files Worksheet2
No ratings yet
CSV Files Worksheet2
7 pages
Rdbms - One Shot
No ratings yet
Rdbms - One Shot
67 pages
Guidelines For Online Aptitude Assessment
No ratings yet
Guidelines For Online Aptitude Assessment
3 pages
Mid Term Multiple Choice
No ratings yet
Mid Term Multiple Choice
5 pages
File Handling in Java Using Filewriter and Filereader
No ratings yet
File Handling in Java Using Filewriter and Filereader
32 pages
312-50v13-demo
No ratings yet
312-50v13-demo
10 pages
Kassas GNSS Software Defined Radio History Current Developments and Standardization Efforts
No ratings yet
Kassas GNSS Software Defined Radio History Current Developments and Standardization Efforts
30 pages
ICT-Computer System Services (NC II) 9 Fourth
No ratings yet
ICT-Computer System Services (NC II) 9 Fourth
5 pages
Mina Mofied Lamei C.V 2.1V2023
No ratings yet
Mina Mofied Lamei C.V 2.1V2023
2 pages
Hindu
No ratings yet
Hindu
4 pages
SalesForce Unit Wise Trail Head Links (1)
No ratings yet
SalesForce Unit Wise Trail Head Links (1)
2 pages
SIP Assessment Format
No ratings yet
SIP Assessment Format
7 pages
MIC 15 - Arduino Assembly
No ratings yet
MIC 15 - Arduino Assembly
11 pages
Scripting
No ratings yet
Scripting
130 pages
Computer Practical File
No ratings yet
Computer Practical File
28 pages
Wireless Networks Lab 01 1
No ratings yet
Wireless Networks Lab 01 1
4 pages
DIT Level 1 Computer Systems Architecture I - June Final Examination 2016
No ratings yet
DIT Level 1 Computer Systems Architecture I - June Final Examination 2016
3 pages
Problem Set #4: Combinational Logic Circuits
No ratings yet
Problem Set #4: Combinational Logic Circuits
3 pages
CF Final Term Exam PDF
No ratings yet
CF Final Term Exam PDF
8 pages
Unit 2
No ratings yet
Unit 2
16 pages
KUKA Sim 31 Installation en
No ratings yet
KUKA Sim 31 Installation en
43 pages
Nuevo Carnic - DELL Server T550 Especifi. Tecn. - 22-03-23 Etect
No ratings yet
Nuevo Carnic - DELL Server T550 Especifi. Tecn. - 22-03-23 Etect
2 pages
01.HART Communication Tutorial Part 1 - Inst Tools
No ratings yet
01.HART Communication Tutorial Part 1 - Inst Tools
13 pages
Lab Security Policy Cyber Security Policy
No ratings yet
Lab Security Policy Cyber Security Policy
4 pages
Cisco 200 125
No ratings yet
Cisco 200 125
561 pages