Reglas Firewall Basicas

This RouterOS (MikroTik) configuration contains firewall address lists, two independent filter rule sets (separated by a line of asterisks) and NAT rules. The first rule set accepts established/related connections, a restricted set of ICMP types, DNS, and traffic from the "support" address list, and drops detected SYN flooders, port scanners, mail spammers and forwarded traffic to bogon destinations. The second rule set is based on "WANs"/"LANs" interface lists: it drops input that does not arrive from a LAN interface and only forwards new WAN connections that a dst-nat rule has explicitly published. The NAT rules provide masquerading, hairpin NAT and destination NAT for a host on the local network.
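# Address lists used by the filter rules that follow.
# "bogons": prefixes that must never appear as a destination on the Internet;
# the forward chain drops traffic towards them.  Entries that overlap space
# commonly used inside a network are shipped disabled so that they are not
# switched on by accident on a network that actually uses that range.
# "support": hosts that are granted full access to the router's input chain.
# NOTE: the original listing was line-wrapped by the document viewer in the
# middle of quoted comments; every "add" below is restored to a single line.
/ip firewall address-list
# Enabling 10.0.0.0/8 here would also drop forwarded traffic towards the
# "support" subnet 10.10.101.0/24 defined at the end of this list.
add address=10.0.0.0/8 comment="Private[RFC 1918] - CLASS A # Check if you need this subnet before enable it" disabled=yes list=bogons
add address=172.16.0.0/12 comment="Private[RFC 1918] - CLASS B # Check if you need this subnet before enable it" disabled=yes list=bogons
add address=192.168.0.0/16 comment="Private[RFC 1918] - CLASS C # Check if you need this subnet before enable it" disabled=yes list=bogons
add address=127.0.0.0/8 comment="Loopback [RFC 3330]" disabled=no list=bogons
add address=169.254.0.0/16 comment="Link Local [RFC 3330]" disabled=no list=bogons
add address=0.0.0.0/8 comment="Self-Identification [RFC 3330]" disabled=no list=bogons
add address=192.0.2.0/24 comment="Reserved - IANA - TestNet1" disabled=no list=bogons
add address=192.88.99.0/24 comment="6to4 Relay Anycast [RFC 3068]" disabled=no list=bogons
add address=198.18.0.0/15 comment="NIDB Testing" disabled=no list=bogons
add address=198.51.100.0/24 comment="Reserved - IANA - TestNet2" disabled=no list=bogons
add address=203.0.113.0/24 comment="Reserved - IANA - TestNet3" disabled=no list=bogons
add address=224.0.0.0/4 comment="MC, Class D, IANA # Check if you need this subnet before enable it" disabled=yes list=bogons
# Added: two well-known bogon ranges that were missing from the original list.
# 100.64.0.0/10 is shared address space (RFC 6598) used by carrier-grade NAT;
# leave it disabled if the WAN side of this router sits behind CGNAT.
add address=100.64.0.0/10 comment="Shared Address Space [RFC 6598] - CGNAT # Check if you need this subnet before enable it" disabled=yes list=bogons
# 240.0.0.0/4 is reserved (RFC 1112); nothing routable lives there.
add address=240.0.0.0/4 comment="Reserved - IANA [RFC 1112]" disabled=no list=bogons
# Every host on this list gets unrestricted access to the router itself
# (see the "Full access to SUPPORT address list" filter rule).  Keep it tight.
add address=10.10.101.0/24 list=support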

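# Rule set 1: input/forward filtering with flood and scan detection.
# RouterOS evaluates rules top to bottom and the first match wins.  The
# Syn_Flooder / Port_Scanner detectors are deliberately placed ahead of the
# accept rules so that a listed source is dropped even for packets that
# belong to an already established connection.
# NOTE: the original listing was line-wrapped by the document viewer in the
# middle of quoted comments and parameter names; every "add" below is
# restored to a single line.
/ip firewall filter
add action=add-src-to-address-list address-list=Syn_Flooder address-list-timeout=30m chain=input comment="Add Syn Flood IP to the list" connection-limit=30,32 disabled=no protocol=tcp tcp-flags=syn
add action=drop chain=input comment="Drop to syn flood list" disabled=no src-address-list=Syn_Flooder
# psd=21,3s,3,1: weight threshold 21 reached within 3 s, low ports weigh 3,
# high ports weigh 1.  Offenders stay listed for one week.
add action=add-src-to-address-list address-list=Port_Scanner address-list-timeout=1w chain=input comment="Port Scanner Detect" disabled=no protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="Drop to port scan list" disabled=no src-address-list=Port_Scanner
add action=jump chain=input comment="Jump for icmp input flow" disabled=no jump-target=ICMP protocol=icmp
# Winbox lockdown.  Shipped disabled: enable it only after your own
# management subnet is on the "support" list, otherwise you lock yourself out.
add action=drop chain=input comment="Block all access to the winbox - except to support list # DO NOT ENABLE THIS RULE BEFORE ADD YOUR SUBNET IN THE SUPPORT ADDRESS LIST" disabled=yes dst-port=8291 protocol=tcp src-address-list=!support
add action=jump chain=forward comment="Jump for icmp forward flow" disabled=no jump-target=ICMP protocol=icmp
# Only the destination is checked against the bogon list; a packet with a
# bogon *source* address is not dropped by this rule set.
add action=drop chain=forward comment="Drop to bogon list" disabled=no dst-address-list=bogons
add action=add-src-to-address-list address-list=spammers address-list-timeout=3h chain=forward comment="Add Spammers to the list for 3 hours" connection-limit=30,32 disabled=no dst-port=25,587 limit=30/1m,0 protocol=tcp
add action=drop chain=forward comment="Avoid spammers action" disabled=no dst-port=25,587 protocol=tcp src-address-list=spammers
# FIX: the original used port=53, which matches *either* the source or the
# destination port.  Any packet sent from source port 53 was therefore
# accepted into the router regardless of its destination port, which would
# have defeated the final "Drop anything else!" rule once that is enabled.
# dst-port is the intended match.  These rules still accept DNS from every
# interface: if /ip dns allow-remote-requests=yes the router is an open
# resolver usable for amplification.  Restrict them to the LAN interface or
# to the "support" list unless the router must serve DNS to the Internet.
add action=accept chain=input comment="Accept DNS - UDP" disabled=no dst-port=53 protocol=udp
add action=accept chain=input comment="Accept DNS - TCP" disabled=no dst-port=53 protocol=tcp
add action=accept chain=input comment="Accept to established connections" connection-state=established disabled=no
add action=accept chain=input comment="Accept to related connections" connection-state=related disabled=no
add action=accept chain=input comment="Full access to SUPPORT address list" disabled=no src-address-list=support
# Default deny for the input chain.  Shipped disabled: until it is enabled
# everything that is not explicitly dropped above is ACCEPTED, i.e. the
# input chain is not yet an allow-list.  Enable it once the accept rules
# above cover every service the router must offer.
add action=drop chain=input comment="Drop anything else! # DO NOT ENABLE THIS RULE BEFORE YOU MAKE SURE ABOUT ALL ACCEPT RULES YOU NEED" disabled=yes
# ICMP chain: allow the message types a working network needs and drop the
# rest.  Echo requests are rate limited against ping floods.
add action=accept chain=ICMP comment="Echo request - Avoiding Ping Flood, adjust the limit as needed" disabled=no icmp-options=8:0 limit=2,5 protocol=icmp
add action=accept chain=ICMP comment="Echo reply" disabled=no icmp-options=0:0 protocol=icmp
add action=accept chain=ICMP comment="Time Exceeded" disabled=no icmp-options=11:0 protocol=icmp
add action=accept chain=ICMP comment="Destination unreachable" disabled=no icmp-options=3:0-1 protocol=icmp
# Type 3 code 4 (fragmentation needed) must pass or path MTU discovery breaks.
add action=accept chain=ICMP comment=PMTUD disabled=no icmp-options=3:4 protocol=icmp
add action=drop chain=ICMP comment="Drop to the other ICMPs" disabled=no protocol=icmp
# The output chain shares the ICMP chain, so the router itself can only
# emit the ICMP types accepted above (a port-unreachable, type 3 code 3,
# generated by the router is dropped here).
add action=jump chain=output comment="Jump for icmp output" disabled=no jump-target=ICMP protocol=icmp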

********************

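# Rule set 2: interface-list based firewall in the style of the RouterOS
# default configuration.  It relies on the interface lists "WANs" and
# "LANs" existing; nothing in this file creates them.
# NOTE: the original listing was line-wrapped by the document viewer in the
# middle of parameter names; every "add" below is restored to a single line.
/ip firewall filter
add action=accept chain=input comment="Accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="Drop invalid" connection-state=invalid
# FIX: the NO-PING drop originally sat *after* the unconditional
# "Accept ICMP" rule and therefore never matched - every ICMP packet,
# including echo requests from the WAN, had already been accepted.  It now
# precedes the accept.  ICMP errors that belong to router-originated flows
# are still admitted by the first rule as "related", so dropping unsolicited
# WAN ICMP here does not break PMTUD for the router's own connections.
add action=drop chain=input comment=NO-PING in-interface-list=WANs protocol=icmp
add action=accept chain=input comment="Accept ICMP" protocol=icmp
add action=accept chain=input comment="Accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# L2TP/IPsec remote access.  ESP and the IKE / NAT-T ports must be reachable
# from anywhere.  FIX: L2TP itself (udp/1701) is now only accepted when it
# arrives inside an IPsec SA (ipsec-policy=in,ipsec); the original accepted
# plaintext L2TP from any interface alongside 500/4500.
add action=accept chain=input comment=L2TP-IPSEC protocol=ipsec-esp
add action=accept chain=input comment="L2TP-IPSEC: IKE and NAT-T" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="L2TP-IPSEC: L2TP only inside IPsec" dst-port=1701 ipsec-policy=in,ipsec protocol=udp
# WireGuard is authenticated by peer keys, so the listen port can be open.
add action=accept chain=input comment="vpn: allow wireguard-rw" dst-port=13231 protocol=udp
# Winbox from WAN.  Disabled, and redundant with the final "Drop all not
# coming from LAN" rule which already drops it; kept as explicit intent.
add action=drop chain=input comment=NO-WAN disabled=yes dst-port=8291 in-interface-list=WANs protocol=tcp
# tcp/8888 from WAN: the service behind this port is not identified in this
# configuration; it is likewise already covered by the final drop.
add action=drop chain=input comment="NO-WAN tcp/8888" dst-port=8888 in-interface-list=WANs protocol=tcp
# Default deny for the input chain: anything not accepted above is dropped
# unless it arrived on an interface in the "LANs" list.
add action=drop chain=input comment="Drop all not coming from LAN" in-interface-list=!LANs
add action=accept chain=forward comment="Accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="Accept out ipsec policy" ipsec-policy=out,ipsec
add action=accept chain=forward comment="Accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="Drop invalid" connection-state=invalid
# New inbound connections from the WAN are forwarded only when a dst-nat
# rule has explicitly published the port; everything else is dropped.
add action=drop chain=forward comment="Drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WANs
# Per-host egress blocks, shipped disabled.
add action=drop chain=forward comment=LOCAL-ONLY disabled=yes src-address=192.168.1.54
add action=drop chain=forward comment=LOCAL-ONLY disabled=yes src-address=192.168.1.29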

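# NAT.  The "WANs"/"LANs" interface lists and the 192.168.1.0/24 LAN are
# the ones referenced by the second filter rule set above.
# NOTE: the original listing was line-wrapped by the document viewer in the
# middle of parameter names; every "add" below is restored to a single line.
/ip firewall nat
# Outbound masquerade.  ipsec-policy=out,none keeps traffic that is about
# to be IPsec-encrypted from being NATed first (RouterOS defconf behaviour).
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WANs
# Duplicate of the rule above without the IPsec exclusion; left disabled.
add action=masquerade chain=srcnat comment=NAT disabled=yes out-interface-list=WANs
# FIX: interface list name made consistent with the rest of this file
# ("LANs", as used by the filter and dst-nat rules).  The original said
# "LAN", a list that nothing else here references - verify which one exists
# on the router before enabling.  The rule stays disabled.
add action=masquerade chain=srcnat comment=HAIRPIN disabled=yes dst-address=192.168.1.30 dst-port=8123 out-interface-list=LANs protocol=tcp src-address=192.168.1.0/24
add action=dst-nat chain=dstnat disabled=yes dst-address=!192.168.1.0/24 dst-port=8123 protocol=tcp to-addresses=192.168.1.30
# Hairpin NAT source rewrite.  FIX: narrowed to the one published service.
# The original masqueraded every flow the router routes between two
# 192.168.1.0/24 addresses, hiding the real client address from any
# internal server such traffic reaches.
add action=masquerade chain=srcnat comment=NATLOOP dst-address=192.168.1.30 dst-port=8123 protocol=tcp src-address=192.168.1.0/24
# Hairpin NAT destination rewrite.  FIX: restricted to the router's own
# addresses (dst-address-type=local).  Without it any LAN connection to
# tcp/8123 on *any* Internet host was silently redirected to 192.168.1.30.
add action=dst-nat chain=dstnat comment="HAIRPIN 8123" dst-address-type=local dst-port=8123 in-interface-list=LANs protocol=tcp to-addresses=192.168.1.30 to-ports=8123
# Published service: tcp/8123 from the Internet to 192.168.1.30 with no
# source restriction.  The forward filter admits it because it is dst-nated;
# add a src-address-list if only known peers need to reach it.
add action=dst-nat chain=dstnat comment=FORWARD dst-port=8123 in-interface-list=WANs protocol=tcp to-addresses=192.168.1.30 to-ports=8123
# Further port forwards, all disabled.  80/443 and 8022->22 would expose
# LAN hosts; 1701/500/4500/13231 would forward the VPN ports to 192.168.1.1.
add action=dst-nat chain=dstnat disabled=yes dst-port=80 in-interface-list=WANs protocol=tcp to-addresses=192.168.1.30 to-ports=80
add action=dst-nat chain=dstnat disabled=yes dst-port=443 in-interface-list=WANs protocol=tcp to-addresses=192.168.1.30 to-ports=443
add action=dst-nat chain=dstnat disabled=yes dst-port=1701 in-interface-list=WANs protocol=udp to-addresses=192.168.1.1 to-ports=1701
add action=dst-nat chain=dstnat disabled=yes dst-port=500 in-interface-list=WANs protocol=udp to-addresses=192.168.1.1 to-ports=500
add action=dst-nat chain=dstnat disabled=yes dst-port=4500 in-interface-list=WANs protocol=udp to-addresses=192.168.1.1 to-ports=4500
# SSH published on a non-standard outside port; the inside port is 22.
add action=dst-nat chain=dstnat disabled=yes dst-port=8022 in-interface-list=WANs protocol=tcp to-addresses=192.168.1.10 to-ports=22
add action=dst-nat chain=dstnat disabled=yes dst-port=13231 in-interface-list=WANs protocol=udp to-addresses=192.168.1.1 to-ports=13231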
