
FIREWALL

The document outlines firewall filter rules for a network setup, detailing actions for various connection states and protocols. It includes rules for accepting, dropping, and rejecting connections based on source and destination addresses, as well as specific ports for services like VPN and ICMP. Additionally, it implements security measures against port scanning and brute force attacks by maintaining blacklists and logging suspicious activities.


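/ip firewall filter

# --- forward: fast path for established/related traffic ---
add chain=forward action=fasttrack-connection connection-state=established,related
add chain=forward action=accept connection-state=established,related
add action=accept chain=forward comment="Aceptar Adminolt" in-interface=AdminOLTVPN src-address-list=adminolt

# --- input: management services ---
# NOTE(review): the API rule (8728) and the 8282/9393 rules accept from ANY source and sit
# before the port-scan detection and the input catch-all drop. Administrators and WispHub
# servers are already accepted further down (src-address-list=Administradores /
# servers_wisphub), so the only traffic these three rules add is from non-listed sources;
# consider adding src-address-list= or in-interface-list=LAN to them. The same applies to
# the WinBox rule (8291) below.
add action=accept chain=input dst-port=8728 protocol=tcp
add action=accept chain=input dst-port=8282 log=yes log-prefix=CHECK-API2222 protocol=tcp
add action=accept chain=input dst-port=9393 log=yes log-prefix=CHECK-API2222 protocol=tcp
add action=accept chain=input comment="Aceptar conexiones (Establecidas y Relacionadas)" connection-state=established,related
add action=drop chain=input comment="Descartar conexiones (Invalidas)" connection-state=invalid
add action=accept chain=input comment="Aceptar peticiones OSPF" in-interface-list=LAN protocol=ospf
add action=accept chain=input comment="Aceptar conexiones - Administradores" src-address-list=Administradores
add action=accept chain=input comment="Aceptar conexiones - Servidores WispHub" src-address-list=servers_wisphub
add action=reject chain=input comment="Descartar conexiones (Port Scan) de direcciones IPs en lista negra" reject-with=icmp-host-unreachable src-address-list=Blacklist-PortScan
add action=jump chain=input comment="Saltar al bloque de reglas para analizar tr\E1fico ICMP" jump-target=icmp protocol=icmp

# --- input: port-scan detection (offenders are added to Blacklist-PortScan for 2w) ---
add action=add-src-to-address-list address-list=Blacklist-PortScan address-list-timeout=2w chain=input comment="Enlistar conexiones sospechosas de Port Scan" protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list=Blacklist-PortScan address-list-timeout=2w chain=input comment="NMAP FIN Stealth scan" protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list=Blacklist-PortScan address-list-timeout=2w chain=input comment="SYN/FIN scan" protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list=Blacklist-PortScan address-list-timeout=2w chain=input comment="SYN/RST scan" protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list=Blacklist-PortScan address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list=Blacklist-PortScan address-list-timeout=2w chain=input comment="ALL/ALL scan" protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list=Blacklist-PortScan address-list-timeout=2w chain=input comment="NMAP NULL scan" protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg

# --- input: PPTP brute-force counter ---
# Three new connections to tcp/1723 from one source within 1m walk the source through
# PPTP-1erIntento -> PPTP-2doIntento -> PPTP-3erIntento; the next packet from a
# PPTP-3erIntento source puts it in Blacklist-PPTP for 1w3d (the drop lives in /ip firewall raw).
add action=add-src-to-address-list address-list=Blacklist-PPTP address-list-timeout=1w3d chain=input comment="Enlistar 3 intentos de conexion PPTP (Brute Force)" dst-port=1723 protocol=tcp src-address-list=PPTP-3erIntento
add action=add-src-to-address-list address-list=PPTP-3erIntento address-list-timeout=1m chain=input connection-state=new dst-port=1723 protocol=tcp src-address-list=PPTP-2doIntento
add action=add-src-to-address-list address-list=PPTP-2doIntento address-list-timeout=1m chain=input connection-state=new dst-port=1723 protocol=tcp src-address-list=PPTP-1erIntento
add action=add-src-to-address-list address-list=PPTP-1erIntento address-list-timeout=1m chain=input connection-state=new dst-port=1723 protocol=tcp
add action=accept chain=input comment="Aceptar conexiones (PPTP,EoIP)" dst-port=1723 protocol=tcp
add action=accept chain=input protocol=gre

# --- input: L2TP/IPsec brute-force counter (same 3-strike scheme, keyed on IKE udp/500,4500) ---
# NOTE(review): a client that opens three new IKE/NAT-T flows within 1m (e.g. 500 then 4500
# plus one retry) is blacklisted for 1w3d; confirm this threshold is acceptable for legitimate
# roaming clients.
add action=add-src-to-address-list address-list=Blacklist-L2TP address-list-timeout=1w3d chain=input comment="Enlistar 3 intentos de conexion L2TP (Brute Force)" dst-port=500,4500 protocol=udp src-address-list=L2TP-3erIntento
add action=add-src-to-address-list address-list=L2TP-3erIntento address-list-timeout=1m chain=input connection-state=new dst-port=500,4500 protocol=udp src-address-list=L2TP-2doIntento
add action=add-src-to-address-list address-list=L2TP-2doIntento address-list-timeout=1m chain=input connection-state=new dst-port=500,4500 protocol=udp src-address-list=L2TP-1erIntento
add action=add-src-to-address-list address-list=L2TP-1erIntento address-list-timeout=1m chain=input connection-state=new dst-port=500,4500 protocol=udp
add action=accept chain=input comment="Aceptar conexiones (L2TP)" connection-state=new dst-port=1701 protocol=udp
add action=accept chain=input connection-state=new dst-port=500,4500 protocol=udp
add action=accept chain=input comment="Aceptar conexiones (IPSec)" protocol=ipsec-esp
add action=accept chain=input protocol=ipsec-ah

# --- input: DNS from LAN, WinBox, WAN-side WebProxy port, then default deny ---
add action=accept chain=input comment="Aceptar peticiones (DNS) desde interfaces LAN" connection-state=new dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input connection-state=new dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Aceptar acceso al router (WinBox)" connection-state=new dst-port=8291 log=yes log-prefix=AccesoWinBox protocol=tcp
# Moved here from the end of the file: it was appended after the input catch-all drop below,
# so it could never match and its counters stayed at zero. Placed before the catch-all the
# outcome for the traffic it matches is unchanged (it was already dropped), but the rule is
# now reachable.
add action=drop chain=input comment="WispHub - Bloquear puerto WebProxy desde WANs" dst-port=999 in-interface-list=Lista_WAN_WispHub protocol=tcp
add action=drop chain=input comment="Descartar conexiones (Todo lo demas)"

# --- forward ---
add action=drop chain=forward comment="Descarta conexiones (SMTP:25)" dst-port=25 protocol=tcp
add action=accept chain=forward comment="Aceptar conexiones (Establecidas,Relacionadas)" connection-state=established,related
add action=drop chain=forward comment="Descatar conexiones (Invalidas)" connection-state=invalid
add action=accept chain=forward comment="Aceptar conexiones - Grupo: Administradores" connection-state=new src-address-list=Administradores
add action=reject chain=forward comment="Descartar conexiones (Port Scan) de direcciones IPs en lista negra" reject-with=icmp-host-unreachable src-address-list=Blacklist-PortScan
add action=jump chain=forward comment="Saltar al bloque de reglas para analizar tr\E1fico ICMP" jump-target=icmp protocol=icmp
add action=accept chain=forward comment="Aceptar conexiones (Redes-Privadas - RFC1918)" connection-state=new dst-address-list="Redes-Privadas(RFC1918)" src-address-list="Redes-Privadas(RFC1918)" tcp-flags=""
add action=accept chain=forward comment="Aceptar conexiones desde Interfaces LAN" in-interface-list=LAN
add action=accept chain=forward comment="Aceptar conexiones (Port Forward) desde interfaces WAN" connection-nat-state=dstnat connection-state=new in-interface-list=Lista_WAN_WispHub
# NOTE(review): the forward default-deny is disabled, so any forwarded traffic not matched by
# the rules above is allowed through. Left as exported; enabling it is a policy decision that
# must be tested against the port-forward and LAN rules above.
add action=drop chain=forward comment="Descartar conexiones (Todo lo demas)" disabled=yes

# --- icmp: jump target shared by input and forward ---
# Echo Request/Reply are accepted without a limit=, unlike the error types below.
add action=accept chain=icmp comment="ICMP (Echo Request)" icmp-options=8:0 protocol=icmp
add action=accept chain=icmp comment="ICMP (Echo Reply)" icmp-options=0:0 protocol=icmp
add action=accept chain=icmp comment="ICMP (Time Exceed)" icmp-options=11:0 limit=5,5:packet protocol=icmp
add action=accept chain=icmp comment="ICMP (Net Unreachable)" icmp-options=3:0 limit=5,5:packet protocol=icmp
add action=accept chain=icmp comment="ICMP (Host Unreachable)" icmp-options=3:1 limit=5,5:packet protocol=icmp
add action=accept chain=icmp comment="ICMP (Host Unreachable Fragmentation Required)" icmp-options=3:4 limit=5,5:packet protocol=icmp
add action=accept chain=icmp comment="ICMP (Source Quench)" icmp-options=4:0 limit=5,5:packet protocol=icmp
add action=accept chain=icmp comment="ICMP (Parameter Bad)" icmp-options=12:0 limit=5,5:packet protocol=icmp
add action=drop chain=icmp comment="ICMP (Descartar todo lo demas)" protocol=icmp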

/ip firewall raw

# prerouting runs before connection tracking; "accept" here only ends raw processing,
# the packet still goes through /ip firewall filter.

# Trusted sources skip the drops below.
add chain=prerouting src-address-list=servers_wisphub action=accept comment="Aceptar conexiones (Servidores WispHub)"
add chain=prerouting in-interface=AdminOLTVPN src-address-list=adminolt action=accept comment=ADMINOLT

# VPN whitelist/blacklist (the blacklists are populated by the counters in /ip firewall filter).
add chain=prerouting protocol=tcp dst-port=1723 src-address-list=Whitelist-PPTP action=accept comment="Aceptar conexiones VPN (PPTP) de las direcciones IPs en lista blanca"
add chain=prerouting protocol=tcp dst-port=1723 src-address-list=Blacklist-PPTP action=drop comment="Descartar conexiones VPN (PPTP) de las direcciones IPs en lista negra "
# NOTE(review): Blacklist-L2TP is filled by the filter rules on udp/500,4500, but this drop
# only covers udp/1701 — confirm that is the intended scope.
add chain=prerouting protocol=udp dst-port=1701 src-address-list=Whitelist-L2TP action=accept comment="Aceptar conexiones VPN (L2TP) de las direcciones IPs en lista blanca"
add chain=prerouting protocol=udp dst-port=1701 src-address-list=Blacklist-L2TP action=drop comment="Descartar conexiones VPN (L2TP) de las direcciones IPs en lista negra "

# Noise and known-bad destinations.
add chain=prerouting protocol=icmp dst-address-type=broadcast action=drop comment="Descartar conexiones ICMP a direcciones de Broadcast"
# NOTE(review): this matches traffic TO the listed addresses (dst-address-list); verify
# whether src-address-list was intended as well.
add chain=prerouting dst-address-list="Blacklist(IPs Sospechosas]" action=drop comment="Descartar conexiones (Sospechosas como ataques y puertos vulnerables]"

# Dropped on every interface (prerouting sees packets arriving on all interfaces, LAN included).
add chain=prerouting protocol=tcp dst-port=445 action=drop
add chain=prerouting protocol=udp dst-port=445 action=drop
add chain=prerouting protocol=tcp src-port=49306 action=drop
add chain=prerouting protocol=udp src-port=49306 action=drop
add chain=prerouting protocol=tcp dst-port=25 action=drop

# Dropped only when arriving on a WAN interface.
add chain=prerouting in-interface-list=Lista_WAN_WispHub protocol=tcp dst-port=21,22,23 action=drop comment="Descartar conexiones (Interfaces WAN]"
add chain=prerouting in-interface-list=Lista_WAN_WispHub protocol=udp dst-port=53 action=drop
add chain=prerouting in-interface-list=Lista_WAN_WispHub protocol=tcp dst-port=53 action=drop
add chain=prerouting in-interface-list=Lista_WAN_WispHub protocol=udp dst-port=389 action=drop
add chain=prerouting in-interface-list=Lista_WAN_WispHub protocol=tcp dst-port=389,636 action=drop
# The two 445 rules below are already covered by the interface-independent 445 drops above.
add chain=prerouting in-interface-list=Lista_WAN_WispHub protocol=tcp dst-port=445 action=drop
add chain=prerouting in-interface-list=Lista_WAN_WispHub protocol=udp dst-port=445 action=drop
add chain=prerouting in-interface-list=Lista_WAN_WispHub protocol=tcp dst-port=5060 action=drop
add chain=prerouting in-interface-list=Lista_WAN_WispHub protocol=udp dst-port=5060 action=drop
add chain=prerouting in-interface-list=Lista_WAN_WispHub protocol=tcp dst-port=80,443,8080 action=drop

Miri@nLleren@1982
