##### Prote��o do router

/ip firewall filter add chain=input connection-state=invalid action=drop \

comment="Drop Invalid connections"

/ip firewall filter add chain=input connection-state=established action=accept \

comment="Allow Established connections"

/ip firewall filter add chain=input protocol=icmp action=accept \ comment="Allow

ICMP"

/ip firewall filter add chain=input action=drop comment="Drop everything else"

/ip firewall filter add chain=input src-address=(SEU BLOCO DE IP) action=accept \

in-interface=!ether1

##### Prote��o Customizada

/ip firewall filter add chain=forward protocol=tcp connection-state=invalid \

action=drop comment="drop invalid connections"

/ip firewall filter add chain=forward connection-state=established action=accept \

comment="allow already established connections"

/ip firewall filter add chain=forward connection-state=related action=accept \

comment="allow related connections"

##### Bloqueio de "Bogon IP Addresses"

/ip firewall filter add chain=forward src-address=0.0.0.0/8 action=drop

/ip firewall filter add chain=forward dst-address=0.0.0.0/8 action=drop

/ip firewall filter add chain=forward src-address=127.0.0.0/8 action=drop

/ip firewall filter add chain=forward dst-address=127.0.0.0/8 action=drop

/ip firewall filter add chain=forward src-address=224.0.0.0/3 action=drop

/ip firewall filter add chain=forward dst-address=224.0.0.0/3 action=drop

##### Marque "jumps" para novos "chains"

/ip firewall filter add chain=forward protocol=tcp action=jump jump-target=tcp

/ip firewall filter add chain=forward protocol=udp action=jump jump-target=udp

/ip firewall filter add chain=forward protocol=icmp action=jump jump-target=icmp

##### Cria tcp chain e nega tcp portas entrada

/ip firewall filter add chain=tcp protocol=tcp dst-port=69 action=drop \

comment="deny TFTP"

/ip firewall filter add chain=tcp protocol=tcp dst-port=111 action=drop \

comment="deny RPC portmapper"

/ip firewall filter add chain=tcp protocol=tcp dst-port=135 action=drop \

comment="deny RPC portmapper"

/ip firewall filter add chain=tcp protocol=tcp dst-port=137-139 action=drop \

comment="deny NBT"

/ip firewall filter add chain=tcp protocol=tcp dst-port=445 action=drop \

comment="deny cifs"

/ip firewall filter add chain=tcp protocol=tcp dst-port=2049 action=drop

comment="deny NFS"

/ip firewall filter add chain=tcp protocol=tcp dst-port=12345-12346 action=drop

comment="deny NetBus"

/ip firewall filter add chain=tcp protocol=tcp dst-port=20034 action=drop

comment="deny NetBus"

/ip firewall filter add chain=tcp protocol=tcp dst-port=3133 action=drop

comment="deny BackOriffice"

/ip firewall filter add chain=tcp protocol=tcp dst-port=67-68 action=drop

comment="deny DHCP"

##### Nega udp portas entrada udp chain:

/ip firewall filter add chain=udp protocol=udp dst-port=69 action=drop

comment="deny TFTP"

/ip firewall filter add chain=udp protocol=udp dst-port=111 action=drop

comment="deny PRC portmapper"

/ip firewall filter add chain=udp protocol=udp dst-port=135 action=drop

comment="deny PRC portmapper"

/ip firewall filter add chain=udp protocol=udp dst-port=137-139 action=drop

comment="deny NBT"

/ip firewall filter add chain=udp protocol=udp dst-port=2049 action=drop

comment="deny NFS"
/ip firewall filter add chain=udp protocol=udp dst-port=3133 action=drop
comment="deny BackOriffice"

##### Permite todos needed icmp codes in icmp chain:

/ip firewall filter add chain=icmp protocol=icmp icmp-options=0:0 action=accept \

comment="echo reply"

/ip firewall filter add chain=icmp protocol=icmp icmp-options=3:0 action=accept \

comment="net unreachable"

/ip firewall filter add chain=icmp protocol=icmp icmp-options=3:1 action=accept \

comment="host unreachable"

/ip firewall filter add chain=icmp protocol=icmp icmp-options=3:4 action=accept \

comment="host unreachable fragmentation required"

/ip firewall filter add chain=icmp protocol=icmp icmp-options=4:0 action=accept \

comment="allow source quench"

/ip firewall filter add chain=icmp protocol=icmp icmp-options=8:0 action=accept \

comment="allow echo request"

/ip firewall filter add chain=icmp protocol=icmp icmp-options=11:0 action=accept \

comment="allow time exceed"

/ip firewall filter add chain=icmp protocol=icmp icmp-options=12:0 action=accept \

comment="allow parameter bad"

/ip firewall filter add chain=icmp action=drop comment="deny all other types"

##### Somente 10 FTP login incorrect

/ip firewall filter add chain=input protocol=tcp dst-port=21 src-address-

list=ftp_blacklist action=drop \ comment="drop ftp brute forcers"

/ip firewall filter add chain=output action=accept protocol=tcp content="530 Login

incorrect" dst-limit=1/1m,9,dst-address/1m

/ip firewall filter add chain=output action=add-dst-to-address-list protocol=tcp

content="530 Login incorrect" \ address-list=ftp_blacklist address-list-timeout=3h

##### Somente 10 SSH login incorrect

/ip firewall filter add chain=input protocol=tcp dst-port=22 src-address-

list=ssh_blacklist action=drop \ comment="drop ssh brute forcers" disabled=no

/ip firewall filter add chain=input protocol=tcp dst-port=22 connection-state=new \

src-address-list=ssh_stage3 action=add-src-to-address-list address-
list=ssh_blacklist \ address-list-timeout=10d comment="" disabled=no

/ip firewall filter add chain=input protocol=tcp dst-port=22 connection-state=new \

src-address-list=ssh_stage2 action=add-src-to-address-list address-
list=ssh_stage3 \ address-list-timeout=1m comment="" disabled=no

/ip firewall filter add chain=input protocol=tcp dst-port=22 connection-state=new

src-address-list=ssh_stage1 \ action=add-src-to-address-list address-
list=ssh_stage2 address-list-timeout=1m comment="" disabled=no

/ip firewall filter add chain=input protocol=tcp dst-port=22 connection-state=new

action=add-src-to-address-list \ address-list=ssh_stage1 address-list-timeout=1m
comment="" disabled=no

##### Bloqueio downstream access as well

/ip firewall filter add chain=forward protocol=tcp dst-port=22 src-address-

list=ssh_blacklist action=drop \ comment="drop ssh brute downstream" disabled=no

##### Protege o Router para portas scanners

/ip firewall filter add chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-

address-list address-list="port scanners" address-list-timeout=2w comment="Port
scanners to list " disabled=no

/ip firewall filter add chain=input protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!

ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-
timeout=2w comment="NMAP FIN Stealth scan"

/ip firewall filter add chain=input protocol=tcp tcp-flags=fin,syn action=add-src-

to-address-list address-list="port scanners" address-list-timeout=2w
comment="SYN/FIN scan"

/ip firewall filter add chain=input protocol=tcp tcp-flags=syn,rst action=add-src-

to-address-list address-list="port scanners" address-list-timeout=2w
comment="SYN/RST scan"

/ip firewall filter add chain=input protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!

ack action=add-src-to-address-list address-list="port scanners" address-list-
timeout=2w comment="FIN/PSH/URG scan"

/ip firewall filter add chain=input protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg

action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w
comment="ALL/ALL scan"

/ip firewall filter add chain=input protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!

ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-
timeout=2w comment="NMAP NULL scan"

/ip firewall filter add chain=input src-address-list="port scanners" action=drop

comment="dropping port scanners" disabled=no

##### Protect DDoS

/tool torch

/ip firewall filter add chain=tcp protocol=tcp dst-port=53 in-interface=(NOME DE

SUA INTERFACE DO LINK INTERNET) action=drop \ comment="Bloqueio Porta 53 By Grupo
Sistemax"

/ip firewall filter add chain=input protocol=tcp connection-limit=LIMIT,32 \

action=add-src-to-address-list address-list=blocked-addr address-list-timeout=1d

/ip firewall filter add chain=input protocol=tcp src-address-list=blocked-addr \

connection-limit=3,32 action=tarpit

/ip firewall filter add chain=forward protocol=tcp tcp-flags=syn connection-

state=new \ action=jump jump-target=SYN-Protect comment="SYN Flood protect"
disabled=yes

/ip firewall filter add chain=SYN-Protect protocol=tcp tcp-flags=syn limit=400,5

connection-state=new \ action=accept comment="" disabled=no

/ip firewall filter add chain=SYN-Protect protocol=tcp tcp-flags=syn connection-

state=new \ action=drop comment="" disabled=no

/ip firewall connection tracking set tcp-syncookie=yes

##### Detectar e bloquear Bad Hosts

/ip firewall rules add action=reject chain=forward comment="Reject if in the 24-

hour-list" disabled=no reject-with=icmp-network-unreachable src-address-list=24-
hour-list