Forked from gmanual/Mikrotik Default Firewall Rules with Bogan+RemoteAccess Lists
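# MikroTik RouterOS hardening of the "defconf" firewall with Bogon and
# Remote_Access address lists (RouterOS v6-style command syntax).
#
# Review notes on this listing:
#  - The LAN interface list has no members in this export. Every rule keyed
#    on in-interface-list=LAN matches nothing until the bridge / LAN port is
#    added (e.g. `add interface=bridge list=LAN`).
#  - Only IPv4 is covered. On RouterOS v7 the IPv6 stack is enabled by
#    default, so either an equivalent /ipv6 firewall filter is needed or
#    IPv6 must be disabled - confirm for the target device.
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface list member
add interface=ether1 list=WAN
# NOTE(review): no LAN member is defined here - confirm the LAN bridge/port is
# added, otherwise the in-interface-list=LAN rules below never match.
/ip firewall address-list
# Bogon: prefixes that must never appear as a *source* on the WAN side
# (RFC 1918 private space plus the RFC 6890 special-purpose ranges).
add address=0.0.0.0/8 comment="this network" list=Bogon
add address=10.0.0.0/8 comment="RFC 1918" list=Bogon
add address=127.0.0.0/8 comment="loopback" list=Bogon
add address=169.254.0.0/16 comment="link-local" list=Bogon
add address=172.16.0.0/12 comment="RFC 1918" list=Bogon
add address=192.0.0.0/24 comment="IETF protocol assignments" list=Bogon
add address=192.0.2.0/24 comment="TEST-NET-1" list=Bogon
add address=192.168.0.0/16 comment="RFC 1918" list=Bogon
add address=198.18.0.0/15 comment="benchmarking" list=Bogon
add address=198.51.100.0/24 comment="TEST-NET-2" list=Bogon
add address=203.0.113.0/24 comment="TEST-NET-3" list=Bogon
add address=224.0.0.0/4 comment="multicast (never valid as source)" list=Bogon
add address=240.0.0.0/4 comment="reserved" list=Bogon
# 100.64.0.0/10 (CGNAT, RFC 6598) is deliberately NOT listed: an ISP that puts
# the WAN port behind CGNAT delivers legitimate traffic from that range.
# Likewise, if the WAN port sits behind a modem with a private address, the
# RFC 1918 entries above will also block new connections *from* that modem.
# Remote_Access: the only subnet allowed to reach router services.
add address=192.168.88.0/24 comment="management network" list=Remote_Access
/ip firewall filter
# --- input chain (traffic to the router itself) ---
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
# Drop invalid before any accept so malformed packets never reach the
# Remote_Access rule.
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
# A packet arriving on WAN with a spoofed 192.168.88.x source would otherwise
# match the Remote_Access accept below. rp-filter=strict (set further down)
# also catches this, but the filter should not depend on it.
add action=drop chain=input comment="drop bogon sources arriving on WAN" in-interface-list=WAN src-address-list=Bogon
# Management access: only from the Remote_Access subnet and never via WAN.
add action=accept chain=input comment="accept management from Remote_Access (not via WAN)" in-interface-list=!WAN src-address-list=Remote_Access
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
# --- forward chain (traffic through the router) ---
# IPsec accepts stay ahead of fasttrack so encrypted flows are not fasttracked.
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="Drop Bogon Forward -> Ether1" in-interface-list=WAN src-address-list=Bogon
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
# Explicit egress allow. The stock defconf rule set relies on the implicit
# accept at the end of the chain; with an unconditional final drop added,
# every new LAN -> WAN connection would be dropped without this rule.
add action=accept chain=forward comment="accept new LAN -> WAN" connection-state=new in-interface-list=LAN out-interface-list=WAN
add action=drop chain=forward comment="drop everything else"
# Disable all NAT/ALG helpers: they parse untrusted payloads and open pinholes.
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set pptp disabled=yes
set sip disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
# Management services: plaintext protocols off, API off, winbox limited to the
# management subnet (second line of defence behind the input-chain rules).
# NOTE(review): www-ssl is not set in this listing - confirm its state.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
set winbox address=192.168.88.0/24
/ip firewall nat
# ipsec-policy=out,none keeps IPsec-policy traffic out of masquerade.
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
# Layer-2 / discovery services that bypass the IP firewall: all off.
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no
/ip neighbor discovery-settings
set discover-interface-list=none
# Strict reverse-path filtering drops spoofed sources; it also breaks
# asymmetric / multi-WAN routing, so relax to loose if that applies.
/ip settings set rp-filter=strict
# Correct time matters for certificate validation and log correlation.
# Addresses are presumably Google Public NTP (216.239.35.0) and NTT
# (129.250.35.250) - verify. RouterOS v7 uses `servers=` instead of
# primary-ntp/secondary-ntp.
/system ntp client
set primary-ntp=216.239.35.0 secondary-ntp=129.250.35.250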