Полный текст по ссылке: https://www.ionline.by/hardware/mikroti ... 5-04-2018/
Автор в статье приводит следующий набор правил дополнительных к стандартному для /ip firewall filter для "повышения безопасности" :
/ip firewall filter
add chain=output action=accept protocol=tcp content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m disabled=no comment="FTP Brutforce"
add chain=output action=add-dst-to-address-list protocol=tcp content="530 Login incorrect" address-list="Blocked IP's" address-list-timeout=3h comment="FTP Brutforce"
add chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list address-list="Blocked IP's" address-list-timeout=2w comment="BAN port scaners" disabled=no
add chain=input protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="NMAP FIN Stealth scan"
add chain=input protocol=tcp tcp-flags=fin,syn action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="SYN/FIN scan"
add chain=input protocol=tcp tcp-flags=syn,rst action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="SYN/RST scan"
add chain=input protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="FIN/PSH/URG scan"
add chain=input protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="ALL/ALL scan"
add chain=input protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="NMAP NULL scan"
add chain=forward src-address=0.0.0.0/8 action=drop comment="DROP BOGONS"
add chain=forward dst-address=0.0.0.0/8 action=drop comment="DROP BOGONS"
add chain=forward src-address=127.0.0.0/8 action=drop comment="DROP BOGONS"
add chain=forward dst-address=127.0.0.0/8 action=drop comment="DROP BOGONS"
add chain=forward src-address=224.0.0.0/3 action=drop comment="DROP BOGONS"
add chain=forward dst-address=224.0.0.0/3 action=drop comment="DROP BOGONS"
add chain=forward protocol=tcp action=jump jump-target=tcp comment="DROP BOGONS"
add chain=forward protocol=udp action=jump jump-target=udp comment="DROP BOGONS"
add chain=forward protocol=icmp action=jump jump-target=icmp comment="DROP BOGONS"
add chain=tcp protocol=tcp dst-port=69 action=drop comment="deny TFTP"
add chain=tcp protocol=tcp dst-port=111 action=drop comment="deny RPC portmapper"
add chain=tcp protocol=tcp dst-port=135 action=drop comment="deny RPC portmapper"
add chain=tcp protocol=tcp dst-port=137-139 action=drop comment="deny NBT"
add chain=tcp protocol=tcp dst-port=445 action=drop comment="deny cifs"
add chain=tcp protocol=tcp dst-port=2049 action=drop comment="deny NFS"
add chain=tcp protocol=tcp dst-port=12345-12346 action=drop comment="deny NetBus"
add chain=tcp protocol=tcp dst-port=20034 action=drop comment="deny NetBus"
add chain=tcp protocol=tcp dst-port=3133 action=drop comment="deny BackOriffice"
add chain=tcp protocol=tcp dst-port=67-68 action=drop comment="deny DHCP"
add chain=udp protocol=udp dst-port=69 action=drop comment="deny TFTP"
add chain=udp protocol=udp dst-port=111 action=drop comment="deny PRC portmapper"
add chain=udp protocol=udp dst-port=135 action=drop comment="deny PRC portmapper"
add chain=udp protocol=udp dst-port=137-139 action=drop comment="deny NBT"
add chain=udp protocol=udp dst-port=2049 action=drop comment="deny NFS"
add chain=udp protocol=udp dst-port=3133 action=drop comment="deny BackOriffice"
add chain=icmp protocol=icmp icmp-options=0:0 action=accept comment="drop invalid connections"
add chain=icmp protocol=icmp icmp-options=3:0 action=accept comment="allow established connections"
add chain=icmp protocol=icmp icmp-options=3:1 action=accept comment="allow already established connections"
add chain=icmp protocol=icmp icmp-options=4:0 action=accept comment="allow source quench"
add chain=icmp protocol=icmp icmp-options=8:0 action=accept comment="allow echo request"
add chain=icmp protocol=icmp icmp-options=11:0 action=accept comment="allow time exceed"
add chain=icmp protocol=icmp icmp-options=12:0 action=accept comment="allow parameter bad"
add chain=icmp action=drop comment="deny all other types"
add chain=icmp protocol=icmp icmp-options=0:0-255 action=accept comment="Ping Flood Limited" disabled=no limit=5,5:packet
add chain=icmp protocol=icmp icmp-options=3:3 limit=5,5:packet action=accept comment="Ping Flood Limited" disabled=no
add chain=icmp protocol=icmp icmp-options=3:4 limit=5,5:packet action=accept comment="Ping Flood Limited" disabled=no
add chain=icmp protocol=icmp icmp-options=8:0-255 limit=5,5:packet action=accept comment="Ping Flood Limited" disabled=no
add chain=icmp protocol=icmp icmp-options=11:0-255 limit=5,5:packet action=accept comment="Ping Flood Limited" disabled=no
add chain=icmp protocol=icmp action=drop comment="Ping Flood Limited" disabled=no
add chain= forward p2p= all-p2p action= accept comment= "P2P traffic" disabled= no
add chain=input action=drop comment="All other drop"
add chain=forward action=drop comment="All other drop"
add chain=output action=accept protocol=tcp content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m disabled=no comment="FTP Brutforce"
add chain=output action=add-dst-to-address-list protocol=tcp content="530 Login incorrect" address-list="Blocked IP's" address-list-timeout=3h comment="FTP Brutforce"
add chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list address-list="Blocked IP's" address-list-timeout=2w comment="BAN port scaners" disabled=no
add chain=input protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="NMAP FIN Stealth scan"
add chain=input protocol=tcp tcp-flags=fin,syn action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="SYN/FIN scan"
add chain=input protocol=tcp tcp-flags=syn,rst action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="SYN/RST scan"
add chain=input protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="FIN/PSH/URG scan"
add chain=input protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="ALL/ALL scan"
add chain=input protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="NMAP NULL scan"
add chain=forward src-address=0.0.0.0/8 action=drop comment="DROP BOGONS"
add chain=forward dst-address=0.0.0.0/8 action=drop comment="DROP BOGONS"
add chain=forward src-address=127.0.0.0/8 action=drop comment="DROP BOGONS"
add chain=forward dst-address=127.0.0.0/8 action=drop comment="DROP BOGONS"
add chain=forward src-address=224.0.0.0/3 action=drop comment="DROP BOGONS"
add chain=forward dst-address=224.0.0.0/3 action=drop comment="DROP BOGONS"
add chain=forward protocol=tcp action=jump jump-target=tcp comment="DROP BOGONS"
add chain=forward protocol=udp action=jump jump-target=udp comment="DROP BOGONS"
add chain=forward protocol=icmp action=jump jump-target=icmp comment="DROP BOGONS"
add chain=tcp protocol=tcp dst-port=69 action=drop comment="deny TFTP"
add chain=tcp protocol=tcp dst-port=111 action=drop comment="deny RPC portmapper"
add chain=tcp protocol=tcp dst-port=135 action=drop comment="deny RPC portmapper"
add chain=tcp protocol=tcp dst-port=137-139 action=drop comment="deny NBT"
add chain=tcp protocol=tcp dst-port=445 action=drop comment="deny cifs"
add chain=tcp protocol=tcp dst-port=2049 action=drop comment="deny NFS"
add chain=tcp protocol=tcp dst-port=12345-12346 action=drop comment="deny NetBus"
add chain=tcp protocol=tcp dst-port=20034 action=drop comment="deny NetBus"
add chain=tcp protocol=tcp dst-port=3133 action=drop comment="deny BackOriffice"
add chain=tcp protocol=tcp dst-port=67-68 action=drop comment="deny DHCP"
add chain=udp protocol=udp dst-port=69 action=drop comment="deny TFTP"
add chain=udp protocol=udp dst-port=111 action=drop comment="deny PRC portmapper"
add chain=udp protocol=udp dst-port=135 action=drop comment="deny PRC portmapper"
add chain=udp protocol=udp dst-port=137-139 action=drop comment="deny NBT"
add chain=udp protocol=udp dst-port=2049 action=drop comment="deny NFS"
add chain=udp protocol=udp dst-port=3133 action=drop comment="deny BackOriffice"
add chain=icmp protocol=icmp icmp-options=0:0 action=accept comment="drop invalid connections"
add chain=icmp protocol=icmp icmp-options=3:0 action=accept comment="allow established connections"
add chain=icmp protocol=icmp icmp-options=3:1 action=accept comment="allow already established connections"
add chain=icmp protocol=icmp icmp-options=4:0 action=accept comment="allow source quench"
add chain=icmp protocol=icmp icmp-options=8:0 action=accept comment="allow echo request"
add chain=icmp protocol=icmp icmp-options=11:0 action=accept comment="allow time exceed"
add chain=icmp protocol=icmp icmp-options=12:0 action=accept comment="allow parameter bad"
add chain=icmp action=drop comment="deny all other types"
add chain=icmp protocol=icmp icmp-options=0:0-255 action=accept comment="Ping Flood Limited" disabled=no limit=5,5:packet
add chain=icmp protocol=icmp icmp-options=3:3 limit=5,5:packet action=accept comment="Ping Flood Limited" disabled=no
add chain=icmp protocol=icmp icmp-options=3:4 limit=5,5:packet action=accept comment="Ping Flood Limited" disabled=no
add chain=icmp protocol=icmp icmp-options=8:0-255 limit=5,5:packet action=accept comment="Ping Flood Limited" disabled=no
add chain=icmp protocol=icmp icmp-options=11:0-255 limit=5,5:packet action=accept comment="Ping Flood Limited" disabled=no
add chain=icmp protocol=icmp action=drop comment="Ping Flood Limited" disabled=no
add chain= forward p2p= all-p2p action= accept comment= "P2P traffic" disabled= no
add chain=input action=drop comment="All other drop"
add chain=forward action=drop comment="All other drop"