# This script will create and enable some new chains
# Be SURE you read through and UNDERSTAND what this script will do
# BEFORE you run it on your router
#
# To use, customize where needed, ftp the file to your router
# and run "/import filename", where "filename" is the name of the
# file you uploaded. The file extension should be ".rsc".
#
# This is a reorganization of a firewall script that was first
# written by Eje Gustafsson of http://www.wisp-router.com/ .
# It was modified by Butch Evans of BPS Networks.

# accept_list is for exceptions to the general rules you
# will be setting below.

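# accept_list: exceptions that are accepted before the drop chains below
# get a chance to match. In this script it is only reached through the
# jump from the forward chain, so it applies to transit traffic.
# Path written as "/ ip firewall" to match the other chains in this file.
/ ip firewall add name=accept_list
/ ip firewall rule accept_list

# x.x.x.x and y.y.y.y are placeholders: replace them with the real
# management-station and office addresses BEFORE importing, since the
# import will reject the literal placeholders as addresses.
add src-address=x.x.x.x/32 dst-address=10.0.0.0/8 action=accept \
comment="allow mgmt station full access to management network" disabled=no
add src-address=y.y.y.y/27 dst-address=10.0.0.0/8 action=accept \
comment="allow office network access to management network" disabled=no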

# This is a shortened list of virus/worm ports. It is intended to get
# you started with creating your own rules.
# You will probably want to reorder these so the "busiest" ones sit
# near the top of this chain to reduce router load.

# known_viruses: drops traffic to a few well-known worm and Windows
# service ports. Only reached through the jump from the forward chain.
# Rule order within the chain is preserved; move the most frequently
# matched rules to the top if load becomes a concern.
/ ip firewall add name=known_viruses
/ ip firewall rule known_viruses

# Windows ports 135-139, both transports
add action=drop protocol=tcp dst-address=:135-139 disabled=no \
comment="windows - not EXACTLY a virus"
add action=drop protocol=udp dst-address=:135-139 disabled=no \
comment="windows - not EXACTLY a virus"
# Windows XP port 445, both transports
add action=drop protocol=udp dst-address=:445 disabled=no \
comment="winXP netbios not EXACTLY a virus"
add action=drop protocol=tcp dst-address=:445 disabled=no \
comment="winXP netbios not EXACTLY a virus"
# TCP ports associated with the msblast worm
add action=drop protocol=tcp dst-address=:593 disabled=no \
comment="msblast worm"
add action=drop protocol=tcp dst-address=:4444 disabled=no \
comment="msblast worm"

# This is a list of known hackers/spammers/other "bad folks"

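# bad_people: static drop list of source addresses. Only reached through
# the jump from the forward chain. The entries are a snapshot of
# third-party listings at the time of writing; such lists go stale, so
# review and prune this chain periodically instead of keeping it as-is.
/ ip firewall add name=bad_people
/ ip firewall rule bad_people
add src-address=81.180.98.3/32 action=drop \
comment="Known Spammer" disabled=no
add src-address=67.75.20.112/32 action=drop \
comment="http://isc.incidents.org/top10.html listed" disabled=no
add src-address=212.3.250.194/32 action=drop \
comment="http://isc.incidents.org/top10.html listed" disabled=no
add src-address=80.132.187.0/24 action=drop \
comment="http://isc.incidents.org/top10.html listed" disabled=no
# 218.104.138.166/32 used to be listed on its own; it lies inside this
# /24 with the same action, so the network rule alone gives the same
# result and the redundant host rule was removed.
add src-address=218.104.138.0/24 action=drop \
comment="http://isc.incidents.org/top10.html listed" disabled=no
add src-address=219.77.152.0/24 action=drop \
comment="http://isc.incidents.org/top10.html listed" disabled=no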

# These rules hook the new chains into the forward chain

# forward chain: wires the chains defined above into transit traffic.
# Order matters: packets of already-accepted connections pass first,
# then the exception chain, then the two drop chains.
/ ip firewall rule forward
add action=accept connection-state=established disabled=no \
comment="allow established connections"
add action=accept connection-state=related disabled=no \
comment="allow related connections"
# exceptions run before either drop chain, so accept_list wins
add action=jump jump-target=accept_list disabled=no \
comment="process exceptions first"
add action=jump jump-target=known_viruses disabled=no \
comment="Known virus ports"
add action=jump jump-target=bad_people disabled=no \
comment="kill known bad source addresses"
# NOTE(review): nothing here handles connection-state=invalid, and this
# script (as shown) adds no input-chain rules, so traffic addressed to
# the router itself is not covered by these chains - confirm that is intended.



