Podstawowy zestaw reguł dla Firewall’a w RouterOS

Poniżej znajduje się podstawowy zestaw reguł który można zastosować “defaultowo” na urządzeniach MikroTik zakładając iż port ether1 jest portem WAN. Zamieszczam ten zestaw reguł ponieważ często podczas przeglądania stron padało pytanie o podstawową konfiguracje.

/ip firewall filter
add action=drop chain=input comment="Drop recursive DNS traffic" dst-port=53 protocol=tcp
add action=drop chain=input comment="Drop SSH brute force users" dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=4w2d chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp
add action=drop chain=input comment="Drop Telnet brute force users" dst-port=23 protocol=tcp src-address-list=telnet_blacklist
add action=add-src-to-address-list address-list=telnet_blacklist address-list-timeout=4w2d chain=input connection-state=new dst-port=23 protocol=tcp src-address-list=telnet_stage3
add action=add-src-to-address-list address-list=telnet_stage3 address-list-timeout=1m chain=input connection-state=new dst-port=23 protocol=tcp src-address-list=telnet_stage2
add action=add-src-to-address-list address-list=telnet_stage2 address-list-timeout=1m chain=input connection-state=new dst-port=23 protocol=tcp src-address-list=telnet_stage1
add action=add-src-to-address-list address-list=telnet_stage1 address-list-timeout=1m chain=input connection-state=new dst-port=23 protocol=tcp
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=drop chain=input in-interface=ether1 log=yes

 

Podziel się:

Dodaj komentarz

This site uses Akismet to reduce spam. Learn how your comment data is processed.