/ip firewall filter
add chain=input connection-state=invalid action=drop \
comment="Drop Invalid connections"
add chain=input connection-state=established action=accept \
comment="Allow Established connections"
add chain=input protocol=icmp action=accept \
comment="Allow ICMP"
add chain=input src-address=192.168.0.0/24 action=accept \
in-interface=!ether1
add chain=input action=drop comment="Drop everything else"
/ip firewall filter
add chain=forward protocol=tcp connection-state=invalid \
action=drop comment="drop invalid connections"
add chain=forward connection-state=established action=accept \
comment="allow already established connections"
add chain=forward connection-state=related action=accept \
comment="allow related connections"
add chain=forward src-address=0.0.0.0/8 action=drop
add chain=forward dst-address=0.0.0.0/8 action=drop
add chain=forward src-address=127.0.0.0/8 action=drop
add chain=forward dst-address=127.0.0.0/8 action=drop
add chain=forward src-address=224.0.0.0/3 action=drop
add chain=forward dst-address=224.0.0.0/3 action=drop
add chain=forward protocol=tcp action=jump jump-target=tcp
add chain=forward protocol=udp action=jump jump-target=udp
add chain=forward protocol=icmp action=jump jump-target=icmp
add chain=tcp protocol=tcp dst-port=69 action=drop \
comment="deny TFTP"
add chain=tcp protocol=tcp dst-port=111 action=drop \
comment="deny RPC portmapper"
add chain=tcp protocol=tcp dst-port=135 action=drop \
comment="deny RPC portmapper"
add chain=tcp protocol=tcp dst-port=137-139 action=drop \
comment="deny NBT"
add chain=tcp protocol=tcp dst-port=445 action=drop \
comment="deny cifs"
add chain=tcp protocol=tcp dst-port=2049 action=drop comment="deny NFS"
add chain=tcp protocol=tcp dst-port=12345-12346 action=drop comment="deny NetBus"
add chain=tcp protocol=tcp dst-port=20034 action=drop comment="deny NetBus"
add chain=tcp protocol=tcp dst-port=3133 action=drop comment="deny BackOriffice"
add chain=tcp protocol=tcp dst-port=67-68 action=drop comment="deny DHCP"
add chain=udp protocol=udp dst-port=69 action=drop comment="deny TFTP"
add chain=udp protocol=udp dst-port=111 action=drop comment="deny PRC portmapper"
add chain=udp protocol=udp dst-port=135 action=drop comment="deny PRC portmapper"
add chain=udp protocol=udp dst-port=137-139 action=drop comment="deny NBT"
add chain=udp protocol=udp dst-port=2049 action=drop comment="deny NFS"
add chain=udp protocol=udp dst-port=3133 action=drop comment="deny BackOriffice
add chain=icmp protocol=icmp icmp-options=0:0 action=accept \
comment="echo reply"
add chain=icmp protocol=icmp icmp-options=3:0 action=accept \
comment="net unreachable"
add chain=icmp protocol=icmp icmp-options=3:1 action=accept \
comment="host unreachable"
add chain=icmp protocol=icmp icmp-options=4:0 action=accept \
comment="allow source quench"
add chain=icmp protocol=icmp icmp-options=8:0 action=accept \
comment="allow echo request"
add chain=icmp protocol=icmp icmp-options=11:0 action=accept \
comment="allow time exceed"
add chain=icmp protocol=icmp icmp-options=12:0 action=accept \
comment="allow parameter bad"
add chain=icmp action=drop comment="deny all other types"
Popular Posts
-
Motherboard alias mainboard alias system board, ketiganya mengacu pada satu barang yang sama, yakni sebuah papan sirkuit dan panel-panel ele... -
hapus atau disable registed windowsnya. enjoy ...... !!!!! Windows Registry Editor Version 5.00 [HKEY_CURRENT_USER\Software\Policies\Micro...
-
Its been a few days that I did some tweaking on Squid Proxy and it appears stable! This all came about as I was trying to speed-up data fetc...
-
RouterOS Configuration L2TP Server configuration / interface l2tp-server server set enabled=yes Enable L2TP server; / ppp secret add name=12...
-
Langkah – langkah nya :: UTP >>> USB putih oranye – oranye (2 kabel) >>> merah putih hijau (1 kabel) ...
-
Dewi adalah sahabat saya, ia adalah seorang mahasiswi yang berotak cemerlang dan memiliki idealisme yang tinggi. Sejak masuk kampus, sikap d...
-
Sometimes Novell can make a Linux fan rip their hair out! Novell never develops their mainstream products to work outside of SUSE Linux Ente... -
Cache peers or neighbors Cache peers or neighbors are the other proxy servers with which our Squid proxy server can: Share its cache w...
-
Semoga peristiwa di bawah ini membuat kita belajar bersyukur untuk apa yang kita miliki : Aku membencinya, itulah yang selalu kubisikkan dal...
-
/ip firewall filter add chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list \ address-list="port scanners" addre...
Share
1 komentar:
waduh dari dulu nyari kaya beginian g pernah tau maksudnya apa trus ngaruhnya apa mending cari tau fungsi processor
Posting Komentar