Mikrotik Default Rules

If you have somehow broken or lost your firewall rules, you can use the rules below. On top of the base configuration, protective measures are included: anti-DDoS (SYN flood, port scan, ping flood) and anti-spam actions are pre-configured. Everything else is left to the user.

# Static list of trusted management subnets. Replace 192.168.88.0/24 with your own subnet before you rely on it.
/ip firewall address-list add address=192.168.88.0/24 disabled=no list=support

/ip firewall address-list
# Bogon ranges: destinations that should never be reached through the forward chain.
# The entries shipped with disabled=yes overlap with commonly routed private and multicast space;
# enable them only after confirming you do not use those subnets.
add address=0.0.0.0/8 comment="Self-Identification [RFC 3330]" disabled=no list=bogons
add address=10.0.0.0/8 comment="Private [RFC 1918] - CLASS A # Check if you need this subnet before enabling it" disabled=yes list=bogons
add address=127.0.0.0/8 comment="Loopback [RFC 3330]" disabled=no list=bogons
add address=169.254.0.0/16 comment="Link Local [RFC 3330]" disabled=no list=bogons
add address=172.16.0.0/12 comment="Private [RFC 1918] - CLASS B # Check if you need this subnet before enabling it" disabled=yes list=bogons
add address=192.168.0.0/16 comment="Private [RFC 1918] - CLASS C # Check if you need this subnet before enabling it" disabled=yes list=bogons
add address=192.0.2.0/24 comment="Reserved - IANA - TestNet1" disabled=no list=bogons
add address=192.88.99.0/24 comment="6to4 Relay Anycast [RFC 3068]" disabled=no list=bogons
add address=198.18.0.0/15 comment="NIDB Testing" disabled=no list=bogons
add address=198.51.100.0/24 comment="Reserved - IANA - TestNet2" disabled=no list=bogons
add address=203.0.113.0/24 comment="Reserved - IANA - TestNet3" disabled=no list=bogons
add address=224.0.0.0/4 comment="MC, Class D, IANA # Check if you need this subnet before enabling it" disabled=yes list=bogons

/ip firewall filter
# --- input chain: traffic addressed to the router itself ---
add action=add-src-to-address-list address-list=Syn_Flooder address-list-timeout=30m chain=input comment="Add Syn Flood IP to the list" connection-limit=30,32 disabled=no protocol=tcp tcp-flags=syn
add action=drop chain=input comment="Drop to syn flood list" disabled=no src-address-list=Syn_Flooder
add action=add-src-to-address-list address-list=Port_Scanner address-list-timeout=1w chain=input comment="Port Scanner Detect" disabled=no protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="Drop to port scan list" disabled=no src-address-list=Port_Scanner
add action=jump chain=input comment="Jump for icmp input flow" disabled=no jump-target=ICMP protocol=icmp
add action=drop chain=input comment="Block all access to the winbox - except to support list # DO NOT ENABLE THIS RULE BEFORE ADDING YOUR SUBNET TO THE SUPPORT ADDRESS LIST" disabled=yes dst-port=8291 protocol=tcp src-address-list=!support
# --- forward chain: traffic passing through the router ---
add action=jump chain=forward comment="Jump for icmp forward flow" disabled=no jump-target=ICMP protocol=icmp
add action=drop chain=forward comment="Drop to bogon list" disabled=no dst-address-list=bogons
add action=add-src-to-address-list address-list=spammers address-list-timeout=3h chain=forward comment="Add Spammers to the list for 3 hours" connection-limit=30,32 disabled=no dst-port=25,587 limit=30/1m,0 protocol=tcp
add action=drop chain=forward comment="Avoid spammers action" disabled=no dst-port=25,587 protocol=tcp src-address-list=spammers
# --- input chain, continued: services the router answers, then connection-state tracking ---
# These DNS rules accept from any source; restrict them (in-interface or src-address-list)
# if the router should not act as a public resolver.
add action=accept chain=input comment="Accept DNS - UDP" disabled=no port=53 protocol=udp
add action=accept chain=input comment="Accept DNS - TCP" disabled=no port=53 protocol=tcp
add action=accept chain=input comment="Accept to established connections" connection-state=established disabled=no
add action=accept chain=input comment="Accept to related connections" connection-state=related disabled=no
add action=accept chain=input comment="Full access to SUPPORT address list" disabled=no src-address-list=support
add action=drop chain=input comment="Drop anything else! # DO NOT ENABLE THIS RULE BEFORE YOU MAKE SURE ABOUT ALL ACCEPT RULES YOU NEED" disabled=yes
# --- ICMP chain: shared by the input, forward and output jump rules ---
add action=accept chain=ICMP comment="Echo request - Avoiding Ping Flood, adjust the limit as needed" disabled=no icmp-options=8:0 limit=2,5 protocol=icmp
add action=accept chain=ICMP comment="Echo reply" disabled=no icmp-options=0:0 protocol=icmp
add action=accept chain=ICMP comment="Time Exceeded" disabled=no icmp-options=11:0 protocol=icmp
add action=accept chain=ICMP comment="Destination unreachable" disabled=no icmp-options=3:0-1 protocol=icmp
add action=accept chain=ICMP comment="PMTUD" disabled=no icmp-options=3:4 protocol=icmp
add action=drop chain=ICMP comment="Drop to the other ICMPs" disabled=no protocol=icmp
add action=jump chain=output comment="Jump for icmp output" disabled=no jump-target=ICMP protocol=icmp
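
The two rules shipped disabled above (the Winbox lockdown and the final catch-all drop) are the ones that lock an administrator out when enabled in the wrong state. The following Python helper is an added example written for this page, not part of the original post and not a MikroTik tool; it parses RouterOS `add` lines of the kind shown above and flags exactly those two patterns: an enabled rule that matches on an address list with no content, and an enabled catch-all `input` drop placed before the established/related accepts. The function names (`parse_export`, `check_export`) and the two embedded configurations (`SAFE`, `LOCKOUT`, abridged and constructed in the style of the rule set above) are assumptions of this example.

```python
"""Sanity-check a MikroTik RouterOS firewall export before pasting it into a router.

Hypothetical helper for this page (not MikroTik's own tooling). It understands
`/ip firewall address-list` and `/ip firewall filter` `add` lines only.
"""
import shlex
from dataclasses import dataclass


@dataclass
class Rule:
    section: str   # e.g. "/ip firewall filter"
    props: dict    # key=value pairs of one `add` command


def parse_export(text: str) -> list:
    """Parse RouterOS `add` lines into Rule objects, tracking the current section."""
    rules, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            # A section header may carry the command inline:
            # "/ip firewall address-list add address=... list=support"
            head, sep, rest = line.partition(" add ")
            section = head
            if not sep:
                continue
            line = "add " + rest
        tokens = shlex.split(line)  # strips the quotes around values with spaces
        if not tokens or tokens[0] != "add":
            continue
        props = {}
        for tok in tokens[1:]:
            key, _, value = tok.partition("=")
            props[key] = value
        rules.append(Rule(section, props))
    return rules


def is_enabled(rule: Rule) -> bool:
    # RouterOS treats a rule without disabled= as enabled.
    return rule.props.get("disabled", "no") != "yes"


# Properties that do not narrow what a rule matches.
NON_MATCHERS = {"action", "chain", "comment", "disabled"}


def check_export(text: str) -> list:
    """Return human-readable findings; an empty list means no lock-out pattern was found."""
    rules = parse_export(text)
    filters = [r for r in rules if r.section == "/ip firewall filter"]
    findings = []

    # Lists with content: enabled static entries, or a rule that fills them dynamically.
    populated = {r.props["list"] for r in rules
                 if r.section == "/ip firewall address-list" and is_enabled(r)}
    populated |= {r.props["address-list"] for r in filters
                  if is_enabled(r) and r.props.get("action") == "add-src-to-address-list"}

    for r in filters:
        if not is_enabled(r):
            continue
        for key in ("src-address-list", "dst-address-list"):
            name = r.props.get(key, "").lstrip("!")   # "!support" negates the match
            if name and name not in populated:
                findings.append(f"enabled rule {r.props.get('comment', '?')!r} matches "
                                f"{key}={name} but that address list is empty")

    # Walk the input chain in order: a catch-all drop must come after the state accepts.
    seen_states = set()
    for r in filters:
        if r.props.get("chain") != "input" or not is_enabled(r):
            continue
        if r.props.get("action") == "accept":
            seen_states |= set(r.props.get("connection-state", "").split(",")) - {""}
        if r.props.get("action") == "drop" and not (set(r.props) - NON_MATCHERS):
            missing = {"established", "related"} - seen_states
            if missing:
                findings.append(f"catch-all input drop {r.props.get('comment', '?')!r} precedes "
                                f"the accept for {', '.join(sorted(missing))} connections")
    return findings


# Constructed samples in the style of the rule set above (abridged, not a full copy).
SAFE = """
/ip firewall address-list add address=192.168.88.0/24 disabled=no list=support
/ip firewall filter
add action=add-src-to-address-list address-list=Syn_Flooder address-list-timeout=30m chain=input comment="Add Syn Flood IP to the list" connection-limit=30,32 disabled=no protocol=tcp tcp-flags=syn
add action=drop chain=input comment="Drop to syn flood list" disabled=no src-address-list=Syn_Flooder
add action=drop chain=input comment="Block all access to the winbox - except to support list" disabled=no dst-port=8291 protocol=tcp src-address-list=!support
add action=accept chain=input comment="Accept to established connections" connection-state=established disabled=no
add action=accept chain=input comment="Accept to related connections" connection-state=related disabled=no
add action=drop chain=input comment="Drop anything else!" disabled=no
"""

# Same idea, but the support entry is disabled and the catch-all drop was moved up.
LOCKOUT = """
/ip firewall address-list add address=192.168.88.0/24 disabled=yes list=support
/ip firewall filter
add action=drop chain=input comment="Block all access to the winbox - except to support list" disabled=no dst-port=8291 protocol=tcp src-address-list=!support
add action=drop chain=input comment="Drop anything else!" disabled=no
add action=accept chain=input comment="Accept to established connections" connection-state=established disabled=no
add action=accept chain=input comment="Accept to related connections" connection-state=related disabled=no
"""

if __name__ == "__main__":
    for label, cfg in (("SAFE", SAFE), ("LOCKOUT", LOCKOUT)):
        print(label, check_export(cfg) or "ok")
```

Run it against the output of `/ip firewall export` (copied off the router) after you have flipped `disabled=yes` to `no` on the rules you intend to enable; an empty result means the two hazards the inline warnings describe are absent, while a non-empty result names the rule and the list or state accept that would cause the lock-out. Dynamic lists such as `Syn_Flooder` count as populated because an enabled `add-src-to-address-list` rule fills them at runtime.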

The configuration I actually use is in the article "Mikrotik Router Güvenlik Duvarı Kuralları" (Mikrotik Router Firewall Rules); you are welcome to use that one instead.

System Specialist, Linux Hajji, El-Kernel