VPN pings but does not connect
Posted: 21 Apr 2025, 18:48
Hello, I'm trying to set up an L2TP VPN on a MikroTik using free servers, but when the l2tp interface connects, it shows the status "disconnected" for every address, even though all the addresses can be pinged from the MikroTik. I'm also attaching the firewall settings, but in my humble opinion it isn't blocking the VPN (maybe someone will correct me).
Code:
@MikroTik] > /ip firewall filter print
Flags: X - disabled, I - invalid; D - dynamic
0 D ;;; special dummy rule to show fasttrack counters
chain=forward action=passthrough
1 ;;; Accept from outside all packets with connection status "Established" and "Related"
chain=input action=accept connection-state=established,related log=no log-prefix=""
2 ;;; Accept packets if the IP address from which they are accessing is in the "allowed_to_router" list
chain=input action=accept src-address-list=allowed_to_router log=no log-prefix=""
3 ;;; This command allows receiving and processing ICMP packets from outside
chain=input action=accept protocol=icmp log=no log-prefix=""
4 ;;; Discard all remaining packets that do not match the rules above
chain=input action=drop log=no log-prefix=""
5 ;;; FastTrack
chain=forward action=fasttrack-connection hw-offload=yes connection-state=established,related log=no log-prefix=""
6 ;;; Processing established connections in the Forward chain
chain=forward action=accept connection-state=established,related log=no log-prefix=""
7 ;;; Drop invalid
chain=forward action=drop connection-state=invalid log=yes log-prefix="invalid"
8 ;;; Drop tries to reach not public addresses from LAN
chain=forward action=drop dst-address-list=not_in_internet in-interface=bridge1 out-interface=!bridge1 log=yes log-prefix="!public_from_LAN"
9 ;;; Drop incoming packets that are not NAT
chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=ether1 log=yes log-prefix="!NAT"
10 ;;; Drop incoming from internet which is not public IP
chain=forward action=drop src-address-list=not_in_internet in-interface=ether1 log=yes log-prefix="!public"
11 ;;; Drop packets from LAN that do not have LAN IP
chain=forward action=drop src-address=!192.168.88.0/24 in-interface=bridge1 log=yes log-prefix="LAN_!LAN"
12 ;;; Drop SSH brutforce
chain=input action=drop protocol=tcp src-address-list=ssh_blacklist dst-port=22 log=no log-prefix=""
13 ;;; Stage1
chain=input action=add-src-to-address-list connection-state=new protocol=tcp address-list=ssh_stage1 address-list-timeout=1m dst-port=22 log=no
log-prefix=""
14 ;;; Stage2
chain=input action=add-src-to-address-list connection-state=new protocol=tcp src-address-list=ssh_stage1 address-list=ssh_stage2
address-list-timeout=1m dst-port=22 log=no log-prefix=""
15 ;;; Stage3
chain=input action=add-src-to-address-list connection-state=new protocol=tcp src-address-list=ssh_stage2 address-list=ssh_stage3
address-list-timeout=1m dst-port=22 log=no log-prefix=""
16 ;;; ssh blacklist
chain=input action=add-src-to-address-list connection-state=new protocol=tcp src-address-list=ssh_stage3 address-list=ssh_blacklist
address-list-timeout=1w3d dst-port=22 log=no log-prefix=""
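
RouterOS evaluates filter rules top to bottom within a chain and stops at the first accept or drop, so where rule 4 sits in the listing above decides whether rules 12-16 are ever reached. The following is an added example, not part of the original post: a Python check over an excerpt of that listing that reports rules placed after an unconditional terminal rule of the same chain. The function names and the shortened rule comments are assumptions of this example.

```python
import re

# Excerpt of the listing from the post above (rules 1, 4, 7, 12, 13); comments shortened.
LISTING = '''\
1 ;;; Accept Established and Related
chain=input action=accept connection-state=established,related log=no log-prefix=""
4 ;;; Discard all remaining packets
chain=input action=drop log=no log-prefix=""
7 ;;; Drop invalid
chain=forward action=drop connection-state=invalid log=yes log-prefix="invalid"
12 ;;; Drop SSH brutforce
chain=input action=drop protocol=tcp src-address-list=ssh_blacklist dst-port=22 log=no log-prefix=""
13 ;;; Stage1
chain=input action=add-src-to-address-list connection-state=new protocol=tcp address-list=ssh_stage1 address-list-timeout=1m dst-port=22 log=no
log-prefix=""
'''

# Properties that configure a rule rather than restrict which packets it matches.
NON_MATCHERS = {"chain", "action", "log", "log-prefix", "address-list", "address-list-timeout", "hw-offload"}
TERMINAL = {"accept", "drop", "reject", "tarpit"}  # actions that end processing in the chain

def parse_rules(text):
    """Parse '/ip firewall filter print' output into dicts with id, flags and props."""
    rules = []
    for line in text.splitlines():
        head = re.match(r"\s*(\d+)\s+((?:[XID]\s+)*)(.*)", line)
        if head:  # a new rule starts: number, optional flags, optional ';;; comment'
            rules.append({"id": int(head.group(1)), "flags": head.group(2), "props": {}})
            line = "" if head.group(3).startswith(";;;") else head.group(3)
        if rules:  # key=value pairs, including wrapped continuation lines
            for key, value in re.findall(r'([\w-]+)=("[^"]*"|\S+)', line):
                rules[-1]["props"][key] = value.strip('"')
    return rules

def shadowed_rules(rules):
    """Return (rule_id, blocking_rule_id) for rules after an unconditional terminal rule of their chain."""
    catch_all, found = {}, []
    for rule in rules:
        props = rule["props"]
        if "X" in rule["flags"]:
            continue  # disabled rules neither match nor shadow
        if props.get("chain") in catch_all:
            found.append((rule["id"], catch_all[props["chain"]]))
        elif props.get("action") in TERMINAL and not set(props) - NON_MATCHERS:
            catch_all[props["chain"]] = rule["id"]
    return found

if __name__ == "__main__":
    print(shadowed_rules(parse_rules(LISTING)))
```

Rules it reports need to be moved above the unconditional drop of their chain before they can match any packet.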