
Reemplaza "ether1_WAN" por el nombre de tu interfaz WAN; luego copia todo desde `:global wan` hacia abajo y pégalo en la terminal de tu router. Asegúrate de no tener reglas adicionales en tu firewall.

------------------------------------------
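# Name of the Internet-facing interface; every rule below that says $wan
# expands to this value, so it must match /interface print exactly.
:global wan "ether1_WAN"

/ip firewall address-list
# RFC 1918 space. The filter rules use this list both to recognise LAN sources
# and to stop private destinations from leaking out through $wan.
add address=10.0.0.0/8 list=private comment="RFC1918"
add address=172.16.0.0/12 list=private comment="RFC1918"
add address=192.168.0.0/16 list=private comment="RFC1918"
# Source addresses that can never legitimately arrive on $wan from the Internet.
# NOTE: if the WAN port itself sits behind another NAT device and receives an
# RFC 1918 address, remove the three RFC1918 entries from this list, otherwise
# the upstream gateway is treated as a bogon and dropped.
# Multicast is covered once by 224.0.0.0/4; 240.0.0.0/4 (reserved) also
# contains the limited-broadcast address 255.255.255.255.
add address=0.0.0.0/8 list=bogons comment="this network"
add address=10.0.0.0/8 list=bogons comment="RFC1918"
add address=127.0.0.0/8 list=bogons comment="loopback"
add address=169.254.0.0/16 list=bogons comment="link-local"
add address=172.16.0.0/12 list=bogons comment="RFC1918"
add address=192.0.2.0/24 list=bogons comment="TEST-NET-1"
add address=192.168.0.0/16 list=bogons comment="RFC1918"
add address=198.18.0.0/15 list=bogons comment="benchmarking"
add address=224.0.0.0/4 list=bogons comment="multicast"
add address=240.0.0.0/4 list=bogons comment="reserved, includes 255.255.255.255"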

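/ip firewall filter
# ---- input chain: packets addressed to the router itself ----
# Sources already recorded in "blacklist" by the scan rules below: hold their
# TCP connections open (tarpit) and drop everything else, before any other
# evaluation. Both chains are covered so a listed host cannot pass through either.
add chain=input action=tarpit protocol=tcp src-address-list=blacklist comment="Drop blacklist"
add chain=forward action=tarpit protocol=tcp src-address-list=blacklist comment="Drop blacklist"
add chain=input action=drop src-address-list=blacklist comment="Drop blacklist"
add chain=forward action=drop src-address-list=blacklist comment="Drop blacklist"
# Packets arriving on the WAN port from addresses that cannot be there (see the
# "bogons" address list).
add chain=input action=tarpit protocol=tcp in-interface=$wan src-address-list=bogons comment="Bogon on WAN"
add chain=input action=drop in-interface=$wan src-address-list=bogons comment="Bogon on WAN"
# Scan detection. Any non-LAN source that matches one of these is added to
# "blacklist"; no address-list-timeout is given, so entries are permanent until
# removed by hand. Consider adding address-list-timeout= if the list grows too large.
add chain=input action=add-src-to-address-list address-list=blacklist protocol=tcp psd=21,3s,3,1 src-address-list=!private comment="Port scan"
add chain=input action=add-src-to-address-list address-list=blacklist protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg src-address-list=!private comment="NMAP FIN Stealth scan"
add chain=input action=add-src-to-address-list address-list=blacklist protocol=tcp tcp-flags=fin,syn src-address-list=!private comment="SYN/FIN scan"
add chain=input action=add-src-to-address-list address-list=blacklist protocol=tcp tcp-flags=syn,rst src-address-list=!private comment="SYN/RST scan"
add chain=input action=add-src-to-address-list address-list=blacklist protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack src-address-list=!private comment="FIN/PSH/URG scan"
add chain=input action=add-src-to-address-list address-list=blacklist protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg src-address-list=!private comment="ALL/ALL scan"
add chain=input action=add-src-to-address-list address-list=blacklist protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg src-address-list=!private comment="NMAP NULL scan"
# The next three act as honeypots: any non-LAN packet to SSH, Telnet or FTP
# blacklists its source. If you administer the router over SSH from outside the
# LAN, exclude your own addresses here or your first login gets blacklisted.
add chain=input action=add-src-to-address-list address-list=blacklist protocol=tcp dst-port=22 src-address-list=!private comment="SSH Port scan"
add chain=input action=add-src-to-address-list address-list=blacklist protocol=tcp dst-port=23 src-address-list=!private comment="Telnet Port scan"
add chain=input action=add-src-to-address-list address-list=blacklist protocol=tcp dst-port=21 src-address-list=!private comment="FTP Port scan"
# Stateful handling. "related" is included so ICMP errors tied to the router's
# own connections are admitted, matching what the forward chain already does.
add chain=input action=drop connection-state=invalid comment="Drop invalid"
add chain=input action=accept connection-state=established,related comment="Established/related"
add chain=input action=accept protocol=icmp icmp-options=3 comment="ICMP unreachable"
add chain=input action=accept protocol=icmp icmp-options=8 comment="ICMP echo request"
# Management ports are reachable only from addresses in "mgmt_allow" (LAN hosts
# are already admitted by the "private" rule below). Accepting Winbox (8291) and
# the API (8728) from any source exposes the management plane to the Internet.
# The list is empty until you add trusted sources, e.g.
#   /ip firewall address-list add list=mgmt_allow address=<ADMIN-IP-PLACEHOLDER>
add chain=input action=accept protocol=tcp dst-port=8291 src-address-list=mgmt_allow comment="Winbox from trusted admins"
add chain=input action=accept protocol=tcp dst-port=8728 src-address-list=mgmt_allow comment="API from trusted admins"
add chain=input action=accept src-address-list=private comment="LAN to router"
# Everything else: hold TCP (tarpit) and drop the rest.
add chain=input action=tarpit protocol=tcp comment="Tarpit other TCP"
add chain=input action=drop comment="Drop everything else"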

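# ---- forward chain: traffic passing through the router ----
add chain=forward action=drop connection-state=invalid comment="Drop invalid"
add chain=forward action=accept connection-state=established,related comment="Established/related"
# Private or bogon destinations must never leave through the WAN port.
add chain=forward action=drop out-interface=$wan dst-address-list=private comment="No private dst to WAN"
add chain=forward action=drop out-interface=$wan dst-address-list=bogons comment="No bogon dst to WAN"
add chain=forward action=accept src-address-list=private dst-address-list=private comment="LAN to LAN"
# "dst_drop" is not created by this script; it matches nothing until
# destinations are added to it by hand (/ip firewall address-list).
add chain=forward action=drop src-address-list=private dst-address-list=dst_drop comment=drop
# Egress allow-list for LAN hosts: anything not listed here is logged and dropped
# by the last two rules, so add a rule per service you need (NTP, mail, ...).
add chain=forward action=accept protocol=icmp icmp-options=8 src-address-list=private comment="LAN ping out"
add chain=forward action=accept protocol=icmp icmp-options=3 src-address-list=private comment="LAN ICMP unreachable"
add chain=forward action=accept protocol=tcp dst-port=80 src-address-list=private comment="LAN HTTP"
add chain=forward action=accept protocol=tcp dst-port=443 src-address-list=private comment="LAN HTTPS"
add chain=forward action=accept protocol=udp dst-port=53 src-address-list=private comment="LAN DNS"
# DNS falls back to TCP for responses that do not fit in a UDP datagram;
# without this rule those lookups fail silently.
add chain=forward action=accept protocol=tcp dst-port=53 src-address-list=private comment="LAN DNS over TCP"
# Every dropped forward packet is logged under this prefix; on a busy link this
# can fill the log quickly, so watch /log after pasting.
add chain=forward action=log log-prefix="forward_drop"
add chain=forward action=drop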
