# MikroTik RouterOS firewall filter export.  Every "add" below appends one rule
# to /ip firewall filter in the order written; order is significant, because
# the first matching rule with a terminating action (accept/drop) decides the
# packet and add-*-to-address-list / passthrough rules fall through.
/ip firewall filter
# Disabled placeholder chain for hotspot rules; no rule in this export jumps to it.
add chain=unused-hs-chain action=passthrough comment="place hotspot rules here" disabled=yes
# --- input: staged SSH brute-force lockout -----------------------------------
# Each new TCP connection to port 22 moves its source one stage further:
# ssh_stage1 -> ssh_stage2 -> ssh_stage3 -> ssh_blacklist.  Stage entries live
# 1m, a blacklist entry 1w3d, and blacklisted sources are dropped by the first
# rule.  The add-src-to-address-list action does not terminate rule processing,
# so the stage rules are listed from the highest stage downward: one packet can
# then advance a source by at most one stage per pass instead of running it
# through all four stages at once.
# NOTE(review): only dst-port=22 is covered; if the SSH service is moved in
# /ip service these rules no longer see it.  No trusted-source exemption exists,
# so a few new connections from an admin host inside the 1m windows trip the
# lockout too — consider an accept for a management address list ahead of this.
add chain=input protocol=tcp dst-port=22 src-address-list=ssh_blacklist action=drop comment="Drop SSH brute forcers"
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage3 action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1w3d
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage2 action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage1 action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m
add chain=input protocol=tcp dst-port=22 connection-state=new action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m
# --- input: port-scan detection ----------------------------------------------
# Any source that trips one of the signatures below goes on "port scanners"
# for 2w and is then dropped outright by the last rule of this group.
#   psd=21,3s,3,1 is RouterOS's port-scan detector
#   (WeightThreshold,DelayThreshold,LowPortWeight,HighPortWeight).
#   The tcp-flags rules are flag combinations a normal stack never sends:
#   FIN only, SYN+FIN, SYN+RST, Xmas (FIN+PSH+URG), all flags set, no flags (NULL).
# NOTE(review): every list rule fires on a single packet and performs no source
# validation, so one forged packet carrying a victim's source address is enough
# to have that address dropped for two weeks.  The drop rule also precedes the
# established/related accept further down this chain, so an existing session
# from a listed source is cut as well.  An accept for a trusted management
# address list ahead of this group limits the blast radius.
add chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="Port Scanners to list"
add chain=input protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w
add chain=input protocol=tcp tcp-flags=fin,syn action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w
add chain=input protocol=tcp tcp-flags=syn,rst action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w
add chain=input protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w
add chain=input protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w
add chain=input protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w
add chain=input src-address-list="port scanners" action=drop
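# --- input/output: FTP brute-force lockout -----------------------------------
# Clients on ftp_blacklist get no new connections to the router's FTP service
# (tcp/21).  Detection works on the router's own replies: a "530 Login
# incorrect" response is let through at most 9 times per client and then once
# a minute (dst-limit keyed on dst-address, 1m expiry); any reply beyond that
# rate reaches the next rule, which blacklists that client for 3h.
# Both reply rules are now scoped to src-port=21 so only the FTP service's own
# output is content-inspected (the previous version looked at every outbound
# TCP packet), matching the port the drop rule already assumes.  Update all
# three rules together if the FTP service is moved in /ip service.
# NOTE(review): content matching only sees cleartext FTP; it cannot look inside
# TLS, and sources that open connections without ever authenticating are not
# counted by these rules.
add chain=input protocol=tcp dst-port=21 src-address-list=ftp_blacklist action=drop comment="Filter FTP to Box"
add chain=output protocol=tcp src-port=21 content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m action=accept comment="FTP: allow a few failed logins per client"
add chain=output protocol=tcp src-port=21 content="530 Login incorrect" action=add-dst-to-address-list address-list=ftp_blacklist address-list-timeout=3h comment="FTP: blacklist clients exceeding the limit"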
# --- forward: dispatch by protocol -------------------------------------------
# Forwarded traffic is handed to a per-protocol chain.  A jump is not final:
# if nothing in the target chain matches, processing returns here and carries
# on with the forward rules that follow.
# NOTE(review): no established/related accept precedes these jumps, so every
# packet of an already-accepted flow is re-run through all the port filters in
# the tcp/udp chains.  Because those filters look only at dst-port, a reply
# whose destination happens to be a client's ephemeral port on one of the
# filtered numbers is dropped as well; matching the drops on connection-state=new
# (or accepting established,related first) avoids that.
add chain=forward protocol=tcp action=jump jump-target=tcp comment="Separate Protocol into Chains"
add chain=forward protocol=udp action=jump jump-target=udp
add chain=forward protocol=icmp action=jump jump-target=icmp
# --- udp chain: forwarded UDP destinations that are always dropped -----------
# 69 tftp, 111 sunrpc/portmapper, 135 msrpc, 137-139 NetBIOS, 2049 nfs (IANA
# well-known assignments); 3133 carries no label here — confirm what it was
# meant to block.  Nothing restricts interface or source, so the filter applies
# in both directions through the router.  Kept as one rule per port so the
# per-rule counters still show which ports are being hit.
add chain=udp protocol=udp dst-port=69 action=drop comment="Blocking UDP Packet"
add chain=udp protocol=udp dst-port=111 action=drop
add chain=udp protocol=udp dst-port=135 action=drop
add chain=udp protocol=udp dst-port=137-139 action=drop
add chain=udp protocol=udp dst-port=2049 action=drop
add chain=udp protocol=udp dst-port=3133 action=drop
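# --- tcp chain: forwarded TCP destinations that are always dropped -----------
# 69 tftp, 111 sunrpc/portmapper, 119 nntp, 135 msrpc, 137-139 NetBIOS,
# 445 microsoft-ds (SMB), 2049 nfs, 67-68 bootp/dhcp (IANA well-known);
# 12345-12346 and 20034 are commonly associated with the NetBus backdoor;
# 3133 carries no label here — confirm intent.  tftp and dhcp are UDP
# protocols, so the TCP entries for 69 and 67-68 are harmless but inert.
# No interface or source restriction: applies in both directions.
# Fix: the rule comment previously read "Bloking TCP Packet".
add chain=tcp protocol=tcp dst-port=69 action=drop comment="Blocking TCP Packet"
add chain=tcp protocol=tcp dst-port=111 action=drop
add chain=tcp protocol=tcp dst-port=119 action=drop
add chain=tcp protocol=tcp dst-port=135 action=drop
add chain=tcp protocol=tcp dst-port=137-139 action=drop
add chain=tcp protocol=tcp dst-port=445 action=drop
add chain=tcp protocol=tcp dst-port=2049 action=drop
add chain=tcp protocol=tcp dst-port=12345-12346 action=drop
add chain=tcp protocol=tcp dst-port=20034 action=drop
add chain=tcp protocol=tcp dst-port=3133 action=drop
add chain=tcp protocol=tcp dst-port=67-68 action=drop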
add action=drop chain=forward comment="Allow SMTP" disabled=no dst-port=25 protocol=tcp
# --- icmp chain: rate-limited allow-list for forwarded ICMP ------------------
# Only the listed type:code combinations pass, each capped at 5 packets/s with
# a burst of 5 (RouterOS limit=count,burst); anything else, or anything above
# the cap, hits the final drop.  In this export the chain is entered from
# forward only, so ICMP addressed to the router itself is not limited here.
#   0:*   echo reply
#   3:3   destination unreachable / port unreachable
#   3:4   destination unreachable / fragmentation needed (keeps PMTU discovery working)
#   8:*   echo request
#   11:*  time exceeded (traceroute)
# NOTE(review): the remaining unreachable codes (3:0 net, 3:1 host, 3:13
# administratively prohibited) are dropped, which turns fast failures into
# timeouts for LAN hosts; consider allowing 3:0-255 as a whole.
add chain=icmp protocol=icmp icmp-options=0:0-255 limit=5,5 action=accept comment="Limited Ping Flood"
add chain=icmp protocol=icmp icmp-options=3:3 limit=5,5 action=accept
add chain=icmp protocol=icmp icmp-options=3:4 limit=5,5 action=accept
add chain=icmp protocol=icmp icmp-options=8:0-255 limit=5,5 action=accept
add chain=icmp protocol=icmp icmp-options=11:0-255 limit=5,5 action=accept
add chain=icmp protocol=icmp action=drop
# --- input: connection-state handling ----------------------------------------
# Accept packets belonging to flows the router already tracks; drop packets
# that connection tracking cannot attribute to any flow.
# NOTE(review): these are conventionally the first rules of the input chain.
# Here they sit after the brute-force and port-scan matchers, so every packet of
# every established session is still evaluated by psd and the tcp-flags rules
# before being accepted.  Moving the group to the top removes that work; it also
# means an already-open session survives its source being blacklisted, while
# new connections are treated exactly as now.
# NOTE(review): in this export nothing follows this group in the input chain,
# and RouterOS accepts whatever no rule matched, so every service enabled in
# /ip service (winbox, www, api, telnet, and non-blacklisted ssh) is reachable
# from any interface, including the untrusted side.  A terminal
# `add chain=input action=drop` is the usual fix, but it must be preceded by
# explicit accepts for management access (in-interface or a trusted
# src-address-list) or it locks the administrator out — do not add it blindly.
add chain=input connection-state=established action=accept comment="Connection State"
add chain=input connection-state=related action=accept
add chain=input connection-state=invalid action=drop
# --- forward: remaining port filters -----------------------------------------
# Reached only when the per-protocol chains above did not already drop the
# packet.  The 135-139 rules overlap what the tcp/udp chains drop except for
# port 136, and tcp/445 is already dropped in the tcp chain (udp/445 is not),
# so several of these rules rarely or never match.  593 is http-rpc-epmap;
# 4444, 5554 and 9996 are ports commonly associated with the Blaster and
# Sasser worms; udp 995-999 and tcp 55 carry no label — confirm intent before
# keeping them.  No interface restriction: applies in both directions.
# NOTE(review): dropping forwarded tcp/53 breaks DNS over TCP for LAN clients,
# which resolvers fall back to whenever a UDP answer is truncated (large
# responses, DNSSEC, zone transfers), not just "running a DNS server".
add chain=forward protocol=tcp dst-port=135-139 action=drop
add chain=forward protocol=udp dst-port=135-139 action=drop
add chain=forward protocol=tcp dst-port=445 action=drop
add chain=forward protocol=udp dst-port=445 action=drop
add chain=forward protocol=tcp dst-port=593 action=drop
add chain=forward protocol=tcp dst-port=4444 action=drop
add chain=forward protocol=tcp dst-port=5554 action=drop
add chain=forward protocol=tcp dst-port=9996 action=drop
add chain=forward protocol=udp dst-port=995-999 action=drop
add chain=forward protocol=tcp dst-port=53 action=drop
add chain=forward protocol=tcp dst-port=55 action=drop