
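#Configuração RB SPECELESS
# RouterOS "/ip firewall filter" export. The document viewer re-wrapped the long
# export lines (sometimes mid-token, e.g. "in-interface-" / "list=wan"), which makes
# the text un-importable; every "add" below is restored to a single line.
# Address lists referenced but not defined here (lista_dns, rede_local,
# limitatados_simultaneos, mkfull_pgcorte, mkfull_libera) live in
# /ip firewall address-list, which is not part of this export.
/ip firewall filter
# --- TLS-SNI based address-list population -----------------------------------
# Each rule matches the SNI of a TLS ClientHello passing through "forward" and
# records the destination IP in a named list for 1 day. The lists are only
# populated here; whatever consumes them (queues / mangle marks) is not shown.
# NOTE(review): wildcards such as *speed*, *teste* and *velocidade* match any SNI
# containing that substring, so unrelated hosts will land in "speedtest"; CDN
# addresses shared by many services (google, facebook) stay listed for the full
# day whatever else they serve. Tighten the patterns if the lists drive policy.
add action=add-dst-to-address-list address-list=whatsapp address-list-timeout=1d chain=forward comment="Detecta Ip Whatsapp" protocol=tcp tls-host=*whatsapp.com
add action=add-dst-to-address-list address-list=speedtest address-list-timeout=1d chain=forward comment="Detecta Ip Teste de Velocidade" protocol=tcp tls-host=*speedtest*
add action=add-dst-to-address-list address-list=speedtest address-list-timeout=1d chain=forward protocol=tcp tls-host=*ookla*
add action=add-dst-to-address-list address-list=speedtest address-list-timeout=1d chain=forward protocol=tcp tls-host=*minhaconexao*
add action=add-dst-to-address-list address-list=speedtest address-list-timeout=1d chain=forward protocol=tcp tls-host=*fast.com
add action=add-dst-to-address-list address-list=speedtest address-list-timeout=1d chain=forward protocol=tcp tls-host=*velocidade*
add action=add-dst-to-address-list address-list=speedtest address-list-timeout=1d chain=forward protocol=tcp tls-host=*velocimetro*
add action=add-dst-to-address-list address-list=speedtest address-list-timeout=1d chain=forward protocol=tcp tls-host=*speed*
add action=add-dst-to-address-list address-list=speedtest address-list-timeout=1d chain=forward protocol=tcp tls-host=*teste*
add action=add-dst-to-address-list address-list=freefire address-list-timeout=1d chain=forward comment="Detecta Ip Freefire" protocol=tcp tls-host=*freefire*
add action=add-dst-to-address-list address-list=garena address-list-timeout=1d chain=forward protocol=tcp tls-host=*garena*
add action=add-dst-to-address-list address-list=instagram address-list-timeout=1d chain=forward comment="Detecta Ip Instagram" protocol=tcp tls-host=*instagram.com
add action=add-dst-to-address-list address-list=facebook address-list-timeout=1d chain=forward comment="Detecta Ip Facebook" protocol=tcp tls-host=*facebook.com
add action=add-dst-to-address-list address-list=google address-list-timeout=1d chain=forward comment="Detecta Ip Google" protocol=tcp tls-host=*google.com
add action=add-dst-to-address-list address-list=youtube address-list-timeout=1d chain=forward comment="Detecta Ip Youtube" protocol=tcp tls-host=*youtube.com
add action=add-dst-to-address-list address-list=globoplay address-list-timeout=1d chain=forward comment="Detecta Ip Globoplay" protocol=tcp tls-host=*globoplay.globo.com
add action=add-dst-to-address-list address-list=netflix address-list-timeout=1d chain=forward comment="Detecta Ip Netflix" protocol=tcp tls-host=*netflix.com
add action=add-dst-to-address-list address-list=globoplay address-list-timeout=1d chain=forward protocol=tcp tls-host=*live.video*
add action=add-dst-to-address-list address-list=vimeo address-list-timeout=1d chain=forward comment="Detecta Ip Vimeo" protocol=tcp tls-host=*vimeo.com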
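# --- input chain: stateful fast path -----------------------------------------
# Accept anything belonging to a known connection. "untracked" also accepts
# packets that a raw-table notrack rule exempted from connection tracking; if
# such rules exist (not in this export) those packets skip every later input
# check, so keep the raw table in mind when auditing this chain.
add action=accept chain=input comment="Aceitar Conexoes Input established,related" connection-state=established,related,untracked
# NOTE(review): log-prefix only takes effect together with log=yes, which the
# export does not show, so this drop is silent as configured. Add log=yes if
# invalid-state drops are meant to be visible in the log / syslog.
add action=drop chain=input comment="Descartar Conexoes Input Invalidas" connection-state=invalid log-prefix=invalid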
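# --- ICMP policy chain --------------------------------------------------------
# Whitelist of ICMP types allowed from the "wan" interface list; everything else
# arriving from WAN is dropped at the end of the chain.
add action=accept chain=icmp comment="Protecao Icmp" icmp-options=0:0 in-interface-list=wan protocol=icmp
add action=accept chain=icmp icmp-options=3:0 in-interface-list=wan protocol=icmp
add action=accept chain=icmp icmp-options=3:4 in-interface-list=wan protocol=icmp
add action=accept chain=icmp icmp-options=4:0 in-interface-list=wan protocol=icmp
add action=accept chain=icmp icmp-options=8:0 in-interface-list=wan protocol=icmp
add action=accept chain=icmp icmp-options=11:0 in-interface-list=wan protocol=icmp
add action=accept chain=icmp icmp-options=12:0 in-interface-list=wan protocol=icmp
add action=drop chain=icmp in-interface-list=wan
# Types above: 0:0 echo reply, 3:0 destination unreachable, 3:4 fragmentation
# needed (keeps PMTU discovery working), 4:0 source quench, 8:0 echo request,
# 11:0 time exceeded (traceroute), 12:0 parameter problem.
# Hand WAN ICMP to the chain above. The original export used a plain accept
# here, so nothing ever jumped to "icmp": the whitelist/drop was dead and every
# ICMP type from WAN was accepted into the router. The jump makes the chain
# effective; echo requests are still permitted via 8:0.
add action=jump chain=input comment="Permite Ping de Entrada" in-interface-list=wan jump-target=icmp protocol=icmp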
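# --- SYN flood protection on forwarded traffic ---------------------------------
# New TCP SYNs from WAN are diverted to SYN-Protect: up to the limit they are
# accepted, anything beyond is tarpitted (the router answers the handshake and
# holds the connection instead of forwarding it).
# NOTE(review): "limit=500,5:packet" is one global counter (500 packets/s, burst
# 5), not per source, so a single noisy sender pushes legitimate WAN SYNs into
# the tarpit as well; dst-limit with a per-address mode would isolate sources.
# Also, the accept inside SYN-Protect terminates filter processing, so the later
# forward-chain rules (connection-limit, invalid drop, MKFULL) never see those
# SYNs.
add action=jump chain=forward comment=SYN-Protect connection-state=new in-interface-list=wan jump-target=SYN-Protect protocol=tcp tcp-flags=syn
add action=accept chain=SYN-Protect comment=SYN-Protect connection-state=new in-interface-list=wan limit=500,5:packet protocol=tcp tcp-flags=syn
add action=tarpit chain=SYN-Protect comment=SYN-Protect connection-state=new in-interface-list=wan protocol=tcp tcp-flags=syn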
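# --- Per-pair connection-rate detection on input --------------------------------
# New connections from WAN go through detect-ddos. Below 500 new connections/s
# (burst 5) per src+dst address pair the chain returns; above it the destination
# is recorded in "ddosed" and the source in "ddoser" for 10 minutes.
# NOTE(review): these two lists are only populated here; no rule in this export
# drops src-address-list=ddoser / dst-address-list=ddosed. The usual companion
# is a drop in /ip firewall raw (prerouting), which is not part of this export —
# if it is absent, the detection records but never mitigates (the input chain
# still ends in a WAN default drop, so the router itself is not exposed).
add action=jump chain=input comment="Anti-spoofing Mitigacao DDOS Conexoes Simultaneas" connection-state=new in-interface-list=wan jump-target=detect-ddos
add action=return chain=detect-ddos dst-limit=500,5,src-and-dst-addresses/10s in-interface-list=wan
add action=add-dst-to-address-list address-list=ddosed address-list-timeout=10m chain=detect-ddos in-interface-list=wan
add action=add-src-to-address-list address-list=ddoser address-list-timeout=10m chain=detect-ddos in-interface-list=wan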
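# --- Reflection/amplification source-port lists -------------------------------
# Each rule matches *new* UDP packets arriving on WAN whose SOURCE port is a
# well-known amplifier service and lists the sender for 5 minutes. Replies to
# queries the router itself sent are "established", so they do not match; the
# "!lista_dns" exclusions on 53 and 5353 are an extra guard for the resolvers
# the router uses (presumably what lista_dns holds — verify in address-list).
# NOTE(review): as with the other detection lists, nothing in this export drops
# by these lists; the input chain's final WAN drop is what actually discards the
# traffic. udp/25 and udp/80 are not services that reflect (SMTP and HTTP are
# TCP), so those two rules are inert but harmless; 1434 is the MS-SQL browser
# port despite the "Mysql" label.
add action=add-src-to-address-list address-list=qotd_blacklist address-list-timeout=5m chain=input comment="Anti-spoofing Mitigacao DDOS QOTD" connection-state=new in-interface-list=wan protocol=udp src-port=17
add action=add-src-to-address-list address-list=chargen_blacklist address-list-timeout=5m chain=input comment="Anti-spoofing Mitigacao DDOS Chargen" connection-state=new in-interface-list=wan protocol=udp src-port=19
add action=add-src-to-address-list address-list=smtp_blacklist address-list-timeout=5m chain=input comment="Anti-spoofing Mitigacao DDOS SMTP" connection-state=new in-interface-list=wan protocol=udp src-port=25
add action=add-src-to-address-list address-list=dns_blacklist address-list-timeout=5m chain=input comment="Anti-spoofing Mitigacao DDOS DNS" connection-state=new in-interface-list=wan protocol=udp src-address-list=!lista_dns src-port=53
add action=add-src-to-address-list address-list=tftp_blacklist address-list-timeout=5m chain=input comment="Anti-spoofing Mitigacao DDOS Tftp" connection-state=new in-interface-list=wan protocol=udp src-port=69
add action=add-src-to-address-list address-list=http_blacklist address-list-timeout=5m chain=input comment="Anti-spoofing Mitigacao DDOS Http" connection-state=new in-interface-list=wan protocol=udp src-port=80
add action=add-src-to-address-list address-list=portmap_blacklist address-list-timeout=5m chain=input comment="Anti-spoofing Mitigacao DDOS Portmap" connection-state=new in-interface-list=wan protocol=udp src-port=111
add action=add-src-to-address-list address-list=ntp_blacklist address-list-timeout=5m chain=input comment="Anti-spoofing Mitigacao DDOS NTP" connection-state=new in-interface-list=wan protocol=udp src-port=123
add action=add-src-to-address-list address-list=netbios_blacklist address-list-timeout=5m chain=input comment="Anti-spoofing Mitigacao DDOS Netbios" connection-state=new in-interface-list=wan protocol=udp src-port=137-139
add action=add-src-to-address-list address-list=snmp_blacklist address-list-timeout=5m chain=input comment="Anti-spoofing Mitigacao DDOS SNMP" connection-state=new in-interface-list=wan protocol=udp src-port=161,162
add action=add-src-to-address-list address-list=ldap_blacklist address-list-timeout=5m chain=input comment="Anti-spoofing Mitigacao DDOS LDAP" connection-state=new in-interface-list=wan protocol=udp src-port=389
add action=add-src-to-address-list address-list=rip_blacklist address-list-timeout=5m chain=input comment="Anti-spoofing Mitigacao DDOS RIP" connection-state=new in-interface-list=wan protocol=udp src-port=520
add action=add-src-to-address-list address-list=kad_p2p_blacklist address-list-timeout=5m chain=input comment="Anti-spoofing Mitigacao DDOS Kad P2p" connection-state=new in-interface-list=wan protocol=udp src-port=751
add action=add-src-to-address-list address-list=mysql_blacklist address-list-timeout=5m chain=input comment="Anti-spoofing Mitigacao DDOS Mysql" connection-state=new in-interface-list=wan protocol=udp src-port=1434
add action=add-src-to-address-list address-list=ssdp_blacklist address-list-timeout=5m chain=input comment="Anti-spoofing Mitigacao DDOS SSDP" connection-state=new in-interface-list=wan protocol=udp src-port=1900
add action=add-src-to-address-list address-list=ard_blacklist address-list-timeout=5m chain=input comment="Anti-spoofing Mitigacao DDOS ARD" connection-state=new in-interface-list=wan protocol=udp src-port=3283
add action=add-src-to-address-list address-list=multicastdns_blacklist address-list-timeout=5m chain=input comment="Anti-spoofing Mitigacao DDOS Multicast DNS" connection-state=new in-interface-list=wan protocol=udp src-address-list=!lista_dns src-port=5353
add action=add-src-to-address-list address-list=memcached_blacklist address-list-timeout=5m chain=input comment="Anti-spoofing Mitigacao DDOS Memcached" connection-state=new in-interface-list=wan protocol=udp src-port=11211
add action=add-src-to-address-list address-list=steam_blacklist address-list-timeout=5m chain=input comment="Anti-spoofing Mitigacao DDOS Steam Protocol" connection-state=new in-interface-list=wan protocol=udp src-port=27015
add action=add-src-to-address-list address-list=quake_blacklist address-list-timeout=5m chain=input comment="Anti-spoofing Mitigacao DDOS Quake Protocol" connection-state=new in-interface-list=wan protocol=udp src-port=27960
add action=add-src-to-address-list address-list=wsd_blacklist address-list-timeout=5m chain=input comment="Anti-spoofing Mitigacao DDOS WSD Protocol" connection-state=new in-interface-list=wan protocol=udp src-port=3702
add action=add-src-to-address-list address-list=wsd_blacklist address-list-timeout=5m chain=input connection-state=new in-interface-list=wan protocol=tcp src-port=3702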
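# --- Port-scan detection on input ----------------------------------------------
# Sources outside "rede_local" that trip the port-scan detector or send
# malformed TCP flag combinations are listed in "port_scanners" for 1 day.
# psd=21,3s,3,1: weight threshold 21 within a 3 s window, low ports weigh 3,
# high ports weigh 1. The flag rules cover FIN-only, SYN+FIN, SYN+RST,
# FIN+PSH+URG ("Xmas"), all-flags-set and no-flags-set ("NULL") probes.
# NOTE(review): the list is populated but not enforced in this export; the
# input chain's final WAN drop is what discards the probes. If a raw-table drop
# on src-address-list=port_scanners exists elsewhere, that is where enforcement
# happens — confirm before relying on the 1d listing.
add action=add-src-to-address-list address-list=port_scanners address-list-timeout=1d chain=input comment="Port scanners para blacklist" in-interface-list=wan protocol=tcp psd=21,3s,3,1 src-address-list=!rede_local
add action=add-src-to-address-list address-list=port_scanners address-list-timeout=1d chain=input in-interface-list=wan protocol=tcp src-address-list=!rede_local tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list=port_scanners address-list-timeout=1d chain=input in-interface-list=wan protocol=tcp src-address-list=!rede_local tcp-flags=fin,syn
add action=add-src-to-address-list address-list=port_scanners address-list-timeout=1d chain=input in-interface-list=wan protocol=tcp src-address-list=!rede_local tcp-flags=syn,rst
add action=add-src-to-address-list address-list=port_scanners address-list-timeout=1d chain=input in-interface-list=wan protocol=tcp src-address-list=!rede_local tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list=port_scanners address-list-timeout=1d chain=input in-interface-list=wan protocol=tcp src-address-list=!rede_local tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list=port_scanners address-list-timeout=1d chain=input in-interface-list=wan protocol=tcp src-address-list=!rede_local tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg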
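# --- Brute-force staging ladders on input ---------------------------------------
# Per service: a non-local source hitting the port is placed in *_stage1 (5m);
# a source already in stage1 is promoted to stage2 (5m); a source in stage2 is
# blacklisted for 1 day. Rules are ordered blacklist -> stage2 -> stage1 so one
# packet advances a source by at most one stage.
# NOTE(review): none of these rules match on connection-state=new, so any three
# packets to the port (retransmitted SYNs included) are enough to reach the
# blacklist, rather than three distinct connection attempts; the usual template
# adds connection-state=new to each rule. As with the other lists, nothing in
# this export drops by *_blacklist — and since the input chain ends in a WAN
# default drop with only tcp/61700 accepted, these ports are unreachable anyway,
# so the ladders only ever see the initial SYNs.
add action=add-src-to-address-list address-list=ftp_blacklist address-list-timeout=1d chain=input comment="FTP Brute Forces para blacklist" dst-port=21 in-interface-list=wan protocol=tcp src-address-list=ftp_stage2
add action=add-src-to-address-list address-list=ftp_stage2 address-list-timeout=5m chain=input dst-port=21 in-interface-list=wan protocol=tcp src-address-list=ftp_stage1
add action=add-src-to-address-list address-list=ftp_stage1 address-list-timeout=5m chain=input dst-port=21 in-interface-list=wan protocol=tcp src-address-list=!rede_local
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1d chain=input comment="SSH Brute Forces para blacklist" dst-port=22 in-interface-list=wan protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=5m chain=input dst-port=22 in-interface-list=wan protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=5m chain=input dst-port=22 in-interface-list=wan protocol=tcp src-address-list=!rede_local
add action=add-src-to-address-list address-list=telnet_blacklist address-list-timeout=1d chain=input comment="Telnet Brute Forces para blacklist" dst-port=23 in-interface-list=wan protocol=tcp src-address-list=telnet_stage2
add action=add-src-to-address-list address-list=telnet_stage2 address-list-timeout=5m chain=input dst-port=23 in-interface-list=wan protocol=tcp src-address-list=telnet_stage1
add action=add-src-to-address-list address-list=telnet_stage1 address-list-timeout=5m chain=input dst-port=23 in-interface-list=wan protocol=tcp src-address-list=!rede_local
add action=add-src-to-address-list address-list=winbox_blacklist address-list-timeout=1d chain=input comment="Winbox Brute Forces para blacklist" dst-port=8291,8292 in-interface-list=wan protocol=tcp src-address-list=winbox_stage2
add action=add-src-to-address-list address-list=winbox_stage2 address-list-timeout=5m chain=input dst-port=8291,8292 in-interface-list=wan protocol=tcp src-address-list=winbox_stage1
add action=add-src-to-address-list address-list=winbox_stage1 address-list-timeout=5m chain=input dst-port=8291,8292 in-interface-list=wan protocol=tcp src-address-list=!rede_local
add action=add-src-to-address-list address-list=api_blacklist address-list-timeout=1d chain=input comment="API Brute Forces para blacklist" dst-port=8728,8729 in-interface-list=wan protocol=tcp src-address-list=api_stage2
add action=add-src-to-address-list address-list=api_stage2 address-list-timeout=5m chain=input dst-port=8728,8729 in-interface-list=wan protocol=tcp src-address-list=api_stage1
add action=add-src-to-address-list address-list=api_stage1 address-list-timeout=5m chain=input dst-port=8728,8729 in-interface-list=wan protocol=tcp src-address-list=!rede_local
add action=add-src-to-address-list address-list=pptp_blacklist address-list-timeout=1d chain=input comment="PPTP Brute Forces para blacklist" dst-port=1723 in-interface-list=wan protocol=tcp src-address-list=pptp_stage2
add action=add-src-to-address-list address-list=pptp_stage2 address-list-timeout=5m chain=input dst-port=1723 in-interface-list=wan protocol=tcp src-address-list=pptp_stage1
add action=add-src-to-address-list address-list=pptp_stage1 address-list-timeout=5m chain=input dst-port=1723 in-interface-list=wan protocol=tcp src-address-list=!rede_local
add action=add-src-to-address-list address-list=l2tp_blacklist address-list-timeout=1d chain=input comment="L2TP Brute Forces para blacklist" dst-port=500,1701,4500 in-interface-list=wan protocol=udp src-address-list=l2tp_stage2
add action=add-src-to-address-list address-list=l2tp_stage2 address-list-timeout=5m chain=input dst-port=500,1701,4500 in-interface-list=wan protocol=udp src-address-list=l2tp_stage1
add action=add-src-to-address-list address-list=l2tp_stage1 address-list-timeout=5m chain=input dst-port=500,1701,4500 in-interface-list=wan protocol=udp src-address-list=!rede_local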
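# --- forward chain policy and input default drop ------------------------------
# "untracked" here has the same caveat as in the input chain: packets exempted
# from conntrack by a raw notrack rule (not in this export) are accepted
# unconditionally.
add action=accept chain=forward comment="Aceitar Conexoes Forward established,related" connection-state=established,related,untracked
add action=accept chain=forward comment="Permite Ping de Forward" protocol=icmp
# connection-limit=500,32: drop new TCP connections from a source (grouped per
# /32) that already holds more than 500. log-prefix is inert without log=yes.
add action=drop chain=forward comment="Controle de Conexoes Simultaneas por usuario" connection-limit=500,32 connection-state=new log-prefix=limite protocol=tcp src-address-list=limitatados_simultaneos
# tcp/61700 is the only WAN port accepted into the router. The service behind it
# is not visible in this export (presumably management moved off 8291/8728 —
# confirm under /ip service). NOTE(review): it has no source restriction and the
# brute-force ladders above do not watch it; restrict it with src-address-list
# (a management list) or add it to the winbox ladder's dst-port.
add action=accept chain=input comment="Portas Permitidas" dst-port=61700 in-interface-list=wan protocol=tcp
add action=drop chain=forward comment="Descartar Conexoes Forward Invalidas" connection-state=invalid log-prefix=invalid
# Default deny for the router itself on WAN. log-prefix is inert without
# log=yes; enabling it here would log every unsolicited WAN packet.
add action=drop chain=input comment="Bloqueia o Restante do Trafego" in-interface-list=wan log-prefix=drop_restante
# NOTE(review): the forward chain has no default drop for new connections coming
# in from WAN; only the MKFULL cut-off list below is blocked. If this router
# fronts hosts behind NAT (not determinable here) the usual companion rule is a
# drop for connection-state=new in-interface-list=wan connection-nat-state=!dstnat.
# MKFULL: subscribers in "mkfull_pgcorte" may only resolve DNS and reach the
# "mkfull_libera" destinations; everything else from them is dropped.
add action=accept chain=forward comment="MKFULL 1 - ACEITA DNS" dst-port=53 protocol=udp src-address-list=mkfull_pgcorte
add action=drop chain=forward comment="MKFULL 2 - DROP TUDO" dst-address-list=!mkfull_libera src-address-list=mkfull_pgcorte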
[moacir@FLORES103612G4S] >
