Mikrotik Firewall

###################################################################################
######################
# Rick Frey's Basic MikroTik Firewall Rev 5.0 (Free Version)
#
###################################################################################
######################
# Author: Rick Frey
#
# email: support@rickfreyconsulting.com
#
# Username in MikroTik Forum is rickfrey
#
###################################################################################
######################
# License
#
# This script has been created for use by the general public and may be used
freely. This script may #
# not be sold!
#
###################################################################################
######################
###################################################################################
######################
# Features
#
# -Detect and block brute force attacks to the routers via SSH, Telnet, and Winbox
(Disables WWW & FTP) #
# -Basic Antivirus filtering
#
# -P2P Blocking
#
# -High Connection Rate detection
#
# -Basic Spam detection
#
# -Basic Port Scanner Detection
#
# -Bogon Address Blocking
#
###################################################################################
######################
###################################################################################
########################################
###################################################################################
########################################
#### Firewall Settings
####
###################################################################################
########################################
/ip firewall connection tracking
set enabled=yes
###################################################################################
########################################
#### Drop Invalid Connections
####
#### To make this more useful, create a copy of the forward chain rule and set the
interface for each LAN intface ####
#### on your network. Remember to remove the orginal rule.
####
###################################################################################
########################################
/ip firewall filter
add action=drop chain=input comment="Drop Invalid Connections" connection-
state=invalid disabled=no
add action=drop chain=forward comment="Drop Invalid Connections" connection-
state=invalid disabled=no
###################################################################################
########################################
#### Must Add Admin IP Addresses in the Address List for Administering the Network
in "Exempt Addresses" #####
###################################################################################
########################################
add action=accept chain=input comment="Accept Exempt IP Addresses" disabled=no src-

address-list="Exempt Addresses"
add action=accept chain=forward comment="Accept Exempt IP Addresses" disabled=no
src-address-list="Exempt Addresses"
###################################################################################
#########################################
#### Multiple "Black Lists" have been created to help identify why any given person
has been blocked.#######################
#### By default Port Scanners Black List is disabled. The Firewall will continue to
add these people to the ################
#### the Black List, but will not block them unless the Black List is enabled. Use
with caution!!!! ########################
#### Once someone is on a Black List they are permanently recorded there. To remove
them, go to the address list.###########
###################################################################################
#########################################
add action=drop chain=input comment="Drop anyone in the Black List (Manually

Added)" disabled=no src-address-list="Black List"
add action=drop chain=forward comment="Drop anyone in the Black List (Manually
Added)" disabled=no src-address-list="Black List"
add action=drop chain=input comment="Drop anyone in the Black List (SSH)"
disabled=no src-address-list="Black List (SSH)"
add action=drop chain=forward comment="Drop anyone in the Black List (SSH)"
disabled=no src-address-list="Black List (SSH)"
add action=drop chain=input comment="Drop anyone in the Black List (Telnet)"
disabled=no src-address-list="Black List (Telnet)"
add action=drop chain=forward comment="Drop anyone in the Black List (Telnet)"
disabled=no src-address-list="Black List (Telnet)"
add action=drop chain=input comment="Drop anyone in the Black List (Winbox)"
disabled=no src-address-list="Black List (Winbox)"
add action=drop chain=forward comment="Drop anyone in the Black List (Winbox)"
disabled=no src-address-list="Black List (Winbox)"
add action=drop chain=input comment="Drop anyone in the WAN Port Scanner List"
disabled=yes src-address-list="WAN Port Scanners"
add action=drop chain=forward comment="Drop anyone in the WAN Port Scanner List"
disabled=yes src-address-list="WAN Port Scanners"
add action=drop chain=input comment="Drop anyone in the LAN Port Scanner List"
disabled=yes src-address-list="LAN Port Scanners"
add action=drop chain=forward comment="Drop anyone in the LAN Port Scanner List"
disabled=yes src-address-list="LAN Port Scanners"
add action=drop chain=input comment="Drop all Bogons" disabled=no src-address-
list=Bogons
add action=drop chain=forward comment="Drop all Bogons" disabled=no src-address-
list=Bogons
add action=drop chain=forward comment="Drop all P2P" disabled=yes p2p=all-p2p
add chain=output comment="Section Break" disabled=yes
###################################################################################
########################################
#### Detect & Block Brute Force Login Attempts
####
###################################################################################
########################################
add action=jump chain=input comment="Jump to RFC SSH Chain" disabled=no jump-
target="RFC SSH Chain"
add action=add-src-to-address-list address-list="Black List (SSH)" address-list-
timeout=0s chain="RFC SSH Chain" comment="Transfer repeated attempts from SSH Stage
3 to Black-List" connection-state=new disabled=no dst-port=22 protocol=tcp src-
address-list="SSH Stage 3"
add action=add-src-to-address-list address-list="SSH Stage 3" address-list-
timeout=1m chain="RFC SSH Chain" comment="Add succesive attempts to SSH Stage 3"
connection-state=new disabled=no dst-port=22 protocol=tcp src-address-list="SSH
Stage 2"
timeout=1m chain="RFC SSH Chain" comment="Add succesive attempts to SSH Stage 2"
connection-state=new disabled=no dst-port=22 protocol=tcp src-address-list="SSH
Stage 1"
timeout=1m chain="RFC SSH Chain" comment="Add intial attempt to SSH Stage 1 List"
connection-state=new disabled=no dst-port=22 protocol=tcp
add action=return chain="RFC SSH Chain" comment="Return From RFC SSH Chain"
disabled=no
add action=jump chain=input comment="Jump to RFC Telnet Chain" disabled=no jump-

target="RFC Telnet Chain"
add action=add-src-to-address-list address-list="Black List (Telnet)" address-list-
timeout=0s chain="RFC Telnet Chain" comment="Transfer repeated attempts from Telnet
Stage 3 to Black-List" connection-state=new disabled=no dst-port=23 protocol=tcp
src-address-list="Telnet Stage 3"
add action=add-src-to-address-list address-list="Telnet Stage 3" address-list-
timeout=1m chain="RFC Telnet Chain" comment="Add succesive attempts to Telnet Stage
3" connection-state=new disabled=no dst-port=23 protocol=tcp src-address-
list="Telnet Stage 2"
timeout=1m chain="RFC Telnet Chain" comment="Add succesive attempts to Telnet Stage
list="Telnet Stage 1"
timeout=1m chain="RFC Telnet Chain" comment="Add Intial attempt to Telnet Stage 1"
add action=return chain="RFC Telnet Chain" comment="Return From RFC Telnet Chain"
disabled=no
add action=jump chain=input comment="Jump to RFC Winbox Chain" disabled=no jump-

target="RFC Winbox Chain"
add action=add-src-to-address-list address-list="Black List (Winbox)" address-list-
timeout=0s chain="RFC Winbox Chain" comment="Transfer repeated attempts from Winbox
Stage 3 to Black-List" connection-state=new disabled=no dst-port=8291 protocol=tcp
src-address-list="Winbox Stage 3"
add action=add-src-to-address-list address-list="Winbox Stage 3" address-list-
timeout=1m chain="RFC Winbox Chain" comment="Add succesive attempts to Winbox Stage
list="Winbox Stage 2"
timeout=1m chain="RFC Winbox Chain" comment="Add succesive attempts to Winbox Stage
list="Winbox Stage 1"
timeout=1m chain="RFC Winbox Chain" comment="Add Intial attempt to Winbox Stage 1"
add action=return chain="RFC Winbox Chain" comment="Return From RFC Winbox Chain"
disabled=no
###################################################################################
########################################
#### Detect & Manage Port Scanners
####
###################################################################################
########################################
/ip firewall filter
add action=add-src-to-address-list address-list="Wan Port Scanners" chain=input
comment="Add TCP Port Scanners to Address List" protocol=tcp psd=40,3s,2,1
add action=add-src-to-address-list address-list="LAN Port Scanners" chain=forward
comment="Add TCP Port Scanners to Address List" protocol=tcp psd=40,3s,2,1
###################################################################################
########################################
#### Detect & Manage High Connection Rates
####
###################################################################################
########################################
/ip firewall filter
add action=add-src-to-address-list address-list="(WAN High Connection Rates)"
chain=input comment="Add WAN High Connections to Address List" connection-
limit=100,32 protocol=tcp
add action=add-src-to-address-list address-list="(LAN High Connection Rates)"
chain=forward comment="Add LAN High Connections to Address List" connection-
limit=100,32 protocol=tcp
###################################################################################
#########################################
#### The Virus Chain has been added at the request of customers, but there is no
guarantee expressed or implied with the ###
#### Virus Chain.
###################################################################################
#######################
###################################################################################
#########################################
add action=jump chain=input comment="Jump to Virus Chain" disabled=no jump-
target=Virus
add action=drop chain=Virus comment="Drop Blaster Worm" disabled=no dst-port=135-
139 protocol=tcp
add action=drop chain=Virus comment="Drop Blaster Worm" disabled=no dst-port=445
protocol=tcp
add action=drop chain=Virus comment="Drop Blaster Worm" disabled=no dst-port=445
protocol=udp
add action=drop chain=Virus comment="Drop Messenger Worm" disabled=no dst-port=135-
139 protocol=udp
add action=drop chain=Virus comment=Conficker disabled=no dst-port=593 protocol=tcp
add action=drop chain=Virus comment=Worm disabled=no dst-port=1024-1030
protocol=tcp
add action=drop chain=Virus comment="ndm requester" disabled=no dst-port=1363
protocol=tcp
add action=drop chain=Virus comment="ndm server" disabled=no dst-port=1364
protocol=tcp
add action=drop chain=Virus comment="screen cast" disabled=no dst-port=1368
protocol=tcp
add action=drop chain=Virus comment=hromgrafx disabled=no dst-port=1373
protocol=tcp
add action=drop chain=Virus comment="Drop MyDoom" disabled=no dst-port=1080
protocol=tcp
add action=drop chain=Virus comment=cichlid disabled=no dst-port=1377 protocol=tcp
add action=drop chain=Virus comment=Worm disabled=no dst-port=1433-1434
protocol=tcp
add action=drop chain=Virus comment="Drop Dumaru.Y" disabled=no dst-port=2283
protocol=tcp
add action=drop chain=Virus comment="Drop Beagle" disabled=no dst-port=2535
protocol=tcp
add action=drop chain=Virus comment="Drop Beagle.C-K" disabled=no dst-port=2745
protocol=tcp
add action=drop chain=Virus comment="Drop MyDoom" disabled=no dst-port=3127-3128
protocol=tcp
add action=drop chain=Virus comment="Drop Backdoor OptixPro" disabled=no dst-
port=3410 protocol=tcp
add action=drop chain=Virus comment="Drop Sasser" disabled=no dst-port=5554
protocol=tcp
add action=drop chain=Virus comment=Worm disabled=no dst-port=4444 protocol=tcp
add action=drop chain=Virus comment=Worm disabled=no dst-port=4444 protocol=udp
add action=drop chain=Virus comment="Drop Beagle.B" disabled=no dst-port=8866
protocol=tcp
add action=drop chain=Virus comment="Drop Dabber.A-B" disabled=no dst-port=9898
protocol=tcp
add action=drop chain=Virus comment="Drop Dumaru.Y" disabled=no dst-port=10000
protocol=tcp
add action=drop chain=Virus comment="Drop MyDoom.B" disabled=no dst-port=10080
protocol=tcp
add action=drop chain=Virus comment="Drop NetBus" disabled=no dst-port=12345
protocol=tcp
add action=drop chain=Virus comment="Drop Kuang2" disabled=no dst-port=17300
protocol=tcp
add action=drop chain=Virus comment="Drop SubSeven" disabled=no dst-port=27374
protocol=tcp
add action=drop chain=Virus comment="Drop PhatBot, Agobot, Gaobot" disabled=no dst-
add action=return chain=Virus comment="Return From Virus Chain" disabled=no
###################################################################################
########################################
#### This is the BOGON short list.
####
####!!!!! All subnets in this list will be blocked!!! Disable or remove any subnets
that you are using!!!##################
###################################################################################
########################################
/ip firewall address-list

add address=0.0.0.0/8 comment="RFC 1122 \"This host on this network\"" disabled=yes
list=Bogons
add address=10.0.0.0/8 comment="RFC 1918 (Private Use IP Space)" disabled=yes
list=Bogons
add address=100.64.0.0/10 comment="RFC 6598 (Shared Address Space)" disabled=yes
list=Bogons
add address=127.0.0.0/8 comment="RFC 1122 (Loopback)" disabled=yes list=Bogons
add address=169.254.0.0/16 comment="RFC 3927 (Dynamic Configuration of IPv4 Link-
Local Addresses)" disabled=yes list=Bogons
list=Bogons
add address=192.0.0.0/24 comment="RFC 6890 (IETF Protocol Assingments)"
disabled=yes list=Bogons
add address=192.0.2.0/24 comment="RFC 5737 (Test-Net-1)" disabled=yes list=Bogons
list=Bogons
add address=198.18.0.0/15 comment="RFC 2544 (Benchmarking)" disabled=yes
list=Bogons
add address=198.51.100.0/24 comment="RFC 5737 (Test-Net-2)" disabled=yes
list=Bogons
add address=203.0.113.0/24 comment="RFC 5737 (Test-Net-3)" disabled=yes list=Bogons
add address=224.0.0.0/4 comment="RFC 5771 (Multicast Addresses) - Will affect OSPF,
RIP, PIM, VRRP, IS-IS, and others. Use with caution.)" disabled=yes list=Bogons
add address=240.0.0.0/4 comment="RFC 1112 (Reserved)" disabled=yes list=Bogons
add address=192.31.196.0/24 comment="RFC 7535 (AS112-v4)" disabled=yes list=Bogons
add address=192.52.193.0/24 comment="RFC 7450 (AMT)" disabled=yes list=Bogons
add address=192.88.99.0/24 comment="RFC 7526 (Deprecated (6to4 Relay Anycast))"
add address=192.175.48.0/24 comment="RFC 7534 (Direct Delegation AS112 Service)"
add address=255.255.255.255 comment="RFC 919 (Limited Broadcast)" disabled=yes
list=Bogons
###################################################################################
###########################################################
#### This is a list of all common ports as found on
http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers and other sources.
##
#### By default they are enabled to prevent immediate problems when applying the
script. Carefully review the list of ##
#### ports and remove or disable entries that are not needed.
##
###################################################################################
###########################################################
/ip firewall filter
add action=jump chain=forward comment="Jump to \"Manage Common Ports\" Chain" jump-
target="Manage Common Ports"
add chain="Manage Common Ports" comment="\"All hosts on this subnet\" Broadcast"
src-address=224.0.0.1
add chain="Manage Common Ports" comment="\"All routers on this subnet\" Broadcast"
src-address=224.0.0.2
add chain="Manage Common Ports" comment="DVMRP (Distance Vector Multicast Routing
Protocol)" src-address=224.0.0.4
add chain="Manage Common Ports" comment="OSPF - All OSPF Routers Broadcast" src-
address=224.0.0.5
add chain="Manage Common Ports" comment="OSPF - OSPF DR Routers Broadcast" src-
address=224.0.0.6
add chain="Manage Common Ports" comment="RIP Broadcast" src-address=224.0.0.9
add chain="Manage Common Ports" comment="EIGRP Broadcast" src-address=224.0.0.10
add chain="Manage Common Ports" comment="PIM Broadcast" src-address=224.0.0.13
add chain="Manage Common Ports" comment="VRRP Broadcast" src-address=224.0.0.18
add chain="Manage Common Ports" comment="IS-IS Broadcast" src-address=224.0.0.19
add chain="Manage Common Ports" comment="IGMP Broadcast" src-address=224.0.0.22
add chain="Manage Common Ports" comment="GRE Protocol (Local Management)"
protocol=gre
add chain="Manage Common Ports" comment="FTPdata transfer" port=20 protocol=tcp
add chain="Manage Common Ports" comment="FTPdata transfer" port=20 protocol=udp
add chain="Manage Common Ports" comment="FTPcontrol (command)" port=21 protocol=tcp
add chain="Manage Common Ports" comment="Secure Shell(SSH)" port=22 protocol=tcp
add chain="Manage Common Ports" comment="Secure Shell(SSH)" port=22 protocol=udp
add chain="Manage Common Ports" comment=Telnet port=23 protocol=tcp
add chain="Manage Common Ports" comment=Telnet port=23 protocol=udp
add chain="Manage Common Ports" comment="Priv-mail: any privatemailsystem." port=24
protocol=tcp
add chain="Manage Common Ports" comment="Priv-mail: any privatemailsystem." port=24
protocol=udp
add chain="Manage Common Ports" comment="Simple Mail Transfer Protocol(SMTP)"
add chain="Manage Common Ports" comment="Simple Mail Transfer Protocol(SMTP)"
port=25 protocol=udp
add chain="Manage Common Ports" comment="TIME protocol" port=37 protocol=tcp
add chain="Manage Common Ports" comment="TIME protocol" port=37 protocol=udp
add chain="Manage Common Ports" comment="ARPA Host Name Server Protocol & WINS"
add chain="Manage Common Ports" comment="ARPA Host Name Server Protocol & WINS"
add chain="Manage Common Ports" comment="WHOIS protocol" port=43 protocol=tcp
add chain="Manage Common Ports" comment="WHOIS protocol" port=43 protocol=udp
add chain="Manage Common Ports" comment="Domain Name System (DNS)" port=53
protocol=tcp
add chain="Manage Common Ports" comment="Domain Name System (DNS)" port=53
protocol=udp
add chain="Manage Common Ports" comment="Mail Transfer Protocol(RFC 780)" port=57
protocol=tcp
add chain="Manage Common Ports" comment="(BOOTP) Server & (DHCP)" port=67
protocol=udp
add chain="Manage Common Ports" comment="(BOOTP) Client & (DHCP)" port=68
protocol=udp
add chain="Manage Common Ports" comment="Trivial File Transfer Protocol (TFTP)"
add chain="Manage Common Ports" comment="Gopher protocol" port=70 protocol=tcp
add chain="Manage Common Ports" comment="Finger protocol" port=79 protocol=tcp
add chain="Manage Common Ports" comment="Hypertext Transfer Protocol (HTTP)"
add chain="Manage Common Ports" comment="RemoteTELNETService protocol" port=107
protocol=tcp
add chain="Manage Common Ports" comment="Post Office Protocolv2 (POP2)" port=109
protocol=tcp
add chain="Manage Common Ports" comment="Post Office Protocolv3 (POP3)" port=110
protocol=tcp
add chain="Manage Common Ports" comment="IdentAuthentication Service/Identification
Protocol" port=113 protocol=tcp
add chain="Manage Common Ports" comment="Authentication Service (auth)" port=113
protocol=udp
add chain="Manage Common Ports" comment="Simple File Transfer Protocol (SFTP)"
add chain="Manage Common Ports" comment="Network Time Protocol(NTP)" port=123
protocol=udp
add chain="Manage Common Ports" comment="NetBIOSNetBIOS Name Service" port=137
protocol=tcp
add chain="Manage Common Ports" comment="NetBIOSNetBIOS Name Service" port=137
protocol=udp
add chain="Manage Common Ports" comment="NetBIOSNetBIOS Datagram Service" port=138
protocol=tcp
add chain="Manage Common Ports" comment="NetBIOSNetBIOS Datagram Service" port=138
protocol=udp
add chain="Manage Common Ports" comment="NetBIOSNetBIOS Session Service" port=139
protocol=tcp
add chain="Manage Common Ports" comment="NetBIOSNetBIOS Session Service" port=139
protocol=udp
add chain="Manage Common Ports" comment="Internet Message Access Protocol (IMAP)"
add chain="Manage Common Ports" comment="Background File Transfer Program (BFTP)"
add chain="Manage Common Ports" comment="Background File Transfer Program (BFTP)"
add chain="Manage Common Ports" comment="SGMP,Simple Gateway Monitoring Protocol"
add chain="Manage Common Ports" comment="SGMP,Simple Gateway Monitoring Protocol"
add chain="Manage Common Ports" comment="DMSP, Distributed Mail Service Protocol"
add chain="Manage Common Ports" comment="DMSP, Distributed Mail Service Protocol"
add chain="Manage Common Ports" comment="Simple Network Management Protocol(SNMP)"
add chain="Manage Common Ports" comment="Simple Network Management ProtocolTrap
(SNMPTRAP)" port=162 protocol=tcp
add chain="Manage Common Ports" comment="Simple Network Management ProtocolTrap
(SNMPTRAP)" port=162 protocol=udp
add chain="Manage Common Ports" comment="BGP (Border Gateway Protocol)" port=179
protocol=tcp
add chain="Manage Common Ports" comment="Internet Message Access Protocol (IMAP),
version 3" port=220 protocol=tcp
add chain="Manage Common Ports" comment="Internet Message Access Protocol (IMAP),
version 3" port=220 protocol=udp
add chain="Manage Common Ports" comment="BGMP, Border Gateway Multicast Protocol"
add chain="Manage Common Ports" comment="BGMP, Border Gateway Multicast Protocol"
add chain="Manage Common Ports" comment="Lightweight Directory Access Protocol
(LDAP)" port=389 protocol=tcp
add chain="Manage Common Ports" comment="Lightweight Directory Access Protocol
(LDAP)" port=389 protocol=udp
add chain="Manage Common Ports" comment="SSTP TCP Port 443 (Local Management) &
HTTPS" port=443 protocol=tcp
add chain="Manage Common Ports" comment="Microsoft-DSActive Directory, Windows
shares" port=445 protocol=tcp
add chain="Manage Common Ports" comment="L2TP/ IPSEC UDP Port 500 (Local
Management)" port=500 protocol=udp
add chain="Manage Common Ports" comment="Modbus, Protocol" port=502 protocol=tcp
add chain="Manage Common Ports" comment="Modbus, Protocol " port=502 protocol=udp
add chain="Manage Common Ports" comment="Shell (Remote Shell, rsh, remsh)" port=514
protocol=tcp
add chain="Manage Common Ports" comment="Syslog - used for system logging" port=514
protocol=udp
add chain="Manage Common Ports" comment="Routing Information Protocol (RIP)"
add chain="Manage Common Ports" comment="e-mail message submission (SMTP)" port=587
protocol=tcp
add chain="Manage Common Ports" comment="LDP,Label Distribution Protocol" port=646
protocol=tcp
add chain="Manage Common Ports" comment="LDP,Label Distribution Protocol" port=646
protocol=udp
add chain="Manage Common Ports" comment="FTPS Protocol (data):FTP over TLS/SSL"
add chain="Manage Common Ports" comment="FTPS Protocol (data):FTP over TLS/SSL"
add chain="Manage Common Ports" comment="FTPS Protocol (control):FTP over TLS/SSL"
add chain="Manage Common Ports" comment="FTPS Protocol (control):FTP over TLS/SSL"
add chain="Manage Common Ports" comment="TELNET protocol overTLS/SSL" port=992
protocol=tcp
add chain="Manage Common Ports" comment="TELNET protocol overTLS/SSL" port=992
protocol=udp
add chain="Manage Common Ports" comment="Internet Message Access Protocol over
TLS/SSL (IMAPS)" port=993 protocol=tcp
add chain="Manage Common Ports" comment="Post Office Protocol3 over TLS/SSL
(POP3S)" port=995 protocol=tcp
add chain="Manage Common Ports" comment="OVPN TCP Port 1194 (Local Management)"
add chain="Manage Common Ports" comment="PPTP Port 1723 (Local Management)"
add chain="Manage Common Ports" comment="L2TP UDP Port 1701 (Local Management)"
add chain="Manage Common Ports" comment="L2TP UDP Port 4500 (Local Management)"
/ip firewall filter

add chain=input comment="Accept Related or Established Connections" connection-
state=established,related disabled=yes
add chain=forward comment="Accept New Connections" connection-state=new
disabled=yes
add chain=forward comment="Accept Related or Established Connections" connection-
state=established,related disabled=yes
###################################################################################
#######################################
#### Enable this rule in SAFE MODE and test before
using##################################################################
###################################################################################
#######################################
add action=drop chain=forward comment="Drop all other LAN Traffic" disabled=yes

add action=drop chain=input comment="Drop all other WAN Traffic" disabled=yes
-----------------------------------------------------------------------------------
-----------------------------------------------
###################################################################################
######################
# Rick Frey's MikroTik DNS Attack Prevention Rev 3.0
#
###################################################################################
######################
# Author: Rick Frey
#
# email: support@rickfreyconsulting.com
#
# Username in MikroTik Forum is rickfrey
#
###################################################################################
######################
# License
#
# This script has been created for use by the general public and may be used
freely. This script may #
# not be sold!
#
###################################################################################
#####################
# Features
# #
# -Mitigates DNS based attack on your MikroTik router
#
###################################################################################
######################
###################################################################################
#########################################
#### Remove any private subnets that you are not using. Ensure that your LAN subnet
is listed here. ##
###################################################################################
#########################################
/ip firewall address-list
add address=172.20.255.0/24 list=DNS_Accept

add address=192.168.255.252/30 list=DNS_Accept
###################################################################################
#########################################
#### Add your DNS servers to the DNS_Accept list. Remove and DNS servers you are
not using for your router. ##
###################################################################################
#########################################
add address=192.168.255.254/30 list=DNS_Accept disabled=no comment="Add DNS Server

to this List"
add address=172.20.255.250/24 list=DNS_Accept disabled=no comment="Add DNS Server
to this List"
/ip firewall filter

add action=jump chain=input comment="Jump to DNS_DDoS Chain" disabled=no jump-
target=DNS_DDoS
add action=accept chain=DNS_DDoS comment="Make exceptions for DNS" disabled=no
port=53 protocol=udp src-address-list=DNS_Accept
add action=accept chain=DNS_DDoS comment="Make exceptions for DNS" disabled=no dst-
address-list=DNS_Accept port=53 protocol=udp
add action=add-src-to-address-list address-list=DNS_DDoS address-list-timeout=0s
chain=DNS_DDoS comment="Add DNS_DDoS Offenders to Blacklist" disabled=no port=53
protocol=udp src-address-list=!DNS_Accept
add action=drop chain=DNS_DDoS comment="Drop DNS_DDoS Offenders" disabled=no src-
address-list=DNS_DDoS
add action=return chain=DNS_DDoS comment="Return from DNS_DDoS Chain" disabled=no
/

Mikrotik Firewall

Hochgeladen von

Dokumentinformationen

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

Mikrotik Firewall

Hochgeladen von

Copyright:

Verfügbare Formate

###################################################################################

add action=accept chain=input comment="Accept Exempt IP Addresses" disabled=no src-

add action=drop chain=input comment="Drop anyone in the Black List (Manually

add action=jump chain=input comment="Jump to RFC Telnet Chain" disabled=no jump-

add action=jump chain=input comment="Jump to RFC Winbox Chain" disabled=no jump-

/ip firewall address-list

/ip firewall filter

add action=drop chain=forward comment="Drop all other LAN Traffic" disabled=yes

add address=172.20.255.0/24 list=DNS_Accept

add address=192.168.255.254/30 list=DNS_Accept disabled=no comment="Add DNS Server

/ip firewall filter

Das könnte Ihnen auch gefallen