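# RouterOS /ip firewall filter rule set for a router with an untrusted WAN side.
#
# Objects referenced but not defined in this file (must exist before import):
#   interface list "WAN-list"       - Internet-facing interfaces
#   address list   "bypass"         - sources exempt from the trap (list-adding) rules
#   address list   "fragment-allow" - sources exempt from the first-packet drops
#   address list   "portscan"       - filled by the trap rules below, consumed by the drop rules
#
# Rules are evaluated top to bottom, so order is significant: the trap rules rely
# on established/related traffic having been accepted and invalid traffic dropped
# before they are reached.
#
# Fix: the original used typographic quotes (” and ″) around values containing
# spaces; RouterOS only recognises plain ASCII double quotes, so every such line
# was rejected on import. Fix: the two hack-detect rules set log-prefix without
# log=yes, which leaves the prefix unused; log=yes is added so they behave like the
# PSD rules that already log.

# ---------- input chain: traffic addressed to the router itself ----------
/ip firewall filter add action=accept chain=input comment="accept established, related, untracked" connection-state=established,related,untracked
/ip firewall filter add action=drop chain=input comment="drop invalid" connection-state=invalid
# Echo request only (type 8 code 0). No rate limit is applied to ping here.
/ip firewall filter add action=accept chain=input comment="accept normal ping from anywhere (type 8 code 0)" icmp-options=8:0 protocol=icmp
# dst-limit=1/1m,0,addresses-and-dst-port/1m matches the first packet per
# (src address, dst address, dst port) tuple each minute; with action=drop that
# first packet is discarded and a genuine client is expected to retry.
# Sources on fragment-allow skip this.
/ip firewall filter add action=drop chain=input comment="drop first TCP packet from WAN (1/min+0 exp60 addr+dstport)" dst-limit=1/1m,0,addresses-and-dst-port/1m in-interface-list=WAN-list protocol=tcp src-address-list=!fragment-allow
/ip firewall filter add action=drop chain=input comment="drop first UDP packet from WAN (1/min+0 exp60 addr+dstport)" dst-limit=1/1m,0,addresses-and-dst-port/1m in-interface-list=WAN-list protocol=udp src-address-list=!fragment-allow
# Sources already on the portscan list are dropped before the trap rules run.
# This rule has no in-interface-list, so it applies regardless of ingress interface.
/ip firewall filter add action=drop chain=input comment="drop port scanners" src-address-list=portscan
# Trap rules: one packet to any of these ports from a WAN source not on "bypass"
# lists the sender on "portscan" for the given timeout. The packet itself is not
# dropped here; it falls through to the final "drop all from WAN" rule.
# Note that 21-23 includes SSH (22): a management host reaching the router over
# the WAN must be on "bypass" or it lists itself on first connect.
/ip firewall filter add action=add-src-to-address-list address-list=portscan address-list-timeout=1w chain=input comment="hack-detect by TCP port (FTP-SSH-TELNET,MSSQL,RDP)" dst-port=21-23,1433-1434,3389 in-interface-list=WAN-list log=yes log-prefix="[hack-TCP]" protocol=tcp src-address-list=!bypass
/ip firewall filter add action=add-src-to-address-list address-list=portscan address-list-timeout=1w chain=input comment="hack-detect by UDP port (DNS,SNMP,RDP)" dst-port=53,161,1434 in-interface-list=WAN-list log=yes log-prefix="[hack-UDP]" protocol=udp src-address-list=!bypass
# Port-scan detection: psd=WeightThreshold,DelayThreshold,LowPortWeight,HighPortWeight.
# 2m is the 120 s delay the comment text refers to.
/ip firewall filter add action=add-src-to-address-list address-list=portscan address-list-timeout=2w chain=input comment="PSD TCP weight 32 dl 120 8/4" in-interface-list=WAN-list log=yes log-prefix="[PSD-TCP]" protocol=tcp psd=32,2m,8,4 src-address-list=!bypass
/ip firewall filter add action=add-src-to-address-list address-list=portscan address-list-timeout=2w chain=input comment="PSD UDP weight 48 dl 120 8/4" in-interface-list=WAN-list log=yes log-prefix="[PSD-UDP]" protocol=udp psd=48,2m,8,4 src-address-list=!bypass
# Default-deny for everything else arriving on the WAN. Traffic from other
# interfaces is not matched by any drop above and falls through to the chain's
# default (accept).
/ip firewall filter add action=drop chain=input comment="drop all from WAN" in-interface-list=WAN-list

# ---------- forward chain: traffic routed through the router ----------
# The rule's own comment marks this as the no-fasttrack variant; no fasttrack
# rule appears in this file.
/ip firewall filter add action=accept chain=forward comment="nofasttrack forward" connection-state=established,related,untracked
/ip firewall filter add action=drop chain=forward comment="drop invalid from WAN" connection-state=invalid in-interface-list=WAN-list
# Only connections that matched a dst-nat rule may enter from the WAN.
/ip firewall filter add action=drop chain=forward comment="drop from WAN except dstnat" connection-nat-state=!dstnat in-interface-list=WAN-list
# Same first-packet drop as on the input chain, applied to forwarded (dst-nat'd) flows.
/ip firewall filter add action=drop chain=forward comment="drop first TCP packet from WAN (1/min+0 exp60 addr+dstport)" dst-limit=1/1m,0,addresses-and-dst-port/1m in-interface-list=WAN-list protocol=tcp src-address-list=!fragment-allow
/ip firewall filter add action=drop chain=forward comment="drop first UDP packet from WAN (1/min+0 exp60 addr+dstport)" dst-limit=1/1m,0,addresses-and-dst-port/1m in-interface-list=WAN-list protocol=udp src-address-list=!fragment-allow
# Sources listed by the input-chain traps are also kept out of forwarded traffic.
/ip firewall filter add action=drop chain=forward comment="drop port scanners forward" in-interface-list=WAN-list src-address-list=portscan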