Reglas de Firewall.docx
- 1. Reglas de Firewall: /ip firewall filter add action=add-src-to-address-list address-list=Block- DDoS address-list-timeout=none-dynamic chain=input comment=" Block DDoS" connection- limit=32,32 disabled=yes protocol=tcp add action=tarpit chain=input connection-limit=10,32 protocol=tcp src-address-list=Block-DDoS comment="" disabled=yes add action=accept chain=input comment="Acceso winbox desde trunk" dst-port= 8291 disabled=yes protocol=tcp add action=drop chain=input dst-port=53 in-interface=ether4 log-prefix= DNS protocol=udp disabled=yes comment=" Bloquea consultas DNS desde Internet" add action=accept chain=input disabled=yes comment= " Permite sesiones TCP input establecidas" connection- state=established add action=accept chain=input comment= " Permite sesiones TCP input relacionadas" disabled=yes connection-state=related add action=accept chain=input comment=" Acceso al DHCP server" disabled=yes dst-port=67-68 log-prefix="DHCP REQUEST" protocol=udp add action=accept chain=input comment= " Permite utilizar el MK como DNS Server" disabled=yes dst-port=53 protocol=udp add action=drop chain=input comment=" No permite sesiones TCP input invalidas" connection-state=invalid log- prefix="DROP INPUT INVALIDAS" disabled=yes add action=drop chain=input comment=" DENIEGO TODO LO QUE ENTRE AL ROUTER Y NO ESTC9 EXPLICITAMENTE PERMITIDO" log-prefix="DROP INPUT" protocol=!icmp disabled=yes add action=accept chain=forward comment=" Permite sesiones TCP establecidas" connection-state=established disabled=yes add action=accept chain=forward comment=" Permite sesiones TCP relacionadas" connection-state=related disabled=yes add action=accept chain=forward comment=" Permite PING" log-prefix=PING protocol=icmp disabled=yes add action=accept chain=forward comment=" Permite HTTP" dst-port=80 protocol= tcp disabled=yes add action=accept chain=forward comment=" Permite 587 Secure Mail" dst-port=587 protocol=tcp disabled=yes add action=accept chain=forward comment=" Permite HTTPS" dst-port=443 protocol=tcp disabled=yes add action=accept chain=forward comment=" Permite FTP" dst- port=21 protocol= tcp disabled=yes add action=accept chain=forward comment=" Permite SSH" dst-port=22 protocol= tcp disabled=yes add action=accept chain=forward comment=" Permite SSH 1122" dst-port=1122 protocol=tcp disabled=yes add action=accept chain=forward comment=" Permite DNS" dst-port=53 protocol= udp disabled=yes add action=accept chain=forward comment=" Permite SMTP" dst-port=25 protocol= tcp disabled=yes add action=accept chain=forward comment=" Permite SMTP" dst-port=465 protocol= tcp disabled=yes add action=accept chain=forward comment=" Permite POP3" dst- port=110 protocol= tcp disabled=yes add action=accept chain=forward comment=" Permite POP3S" dst-port=995 protocol=tcp disabled=yes add action=accept chain=forward comment=" Permite IMAP" dst-port=143 protocol= tcp disabled=yes add action=accept chain=forward comment=" Permite IMAPS" dst-port=993 protocol=tcp disabled=yes add action=accept chain=forward comment=" Permite RDP" dst-port=3389 protocol= tcp disabled=yes add action=drop chain=forward comment=" DISABLED No permite sesiones TCP invalidas" connection-state=invalid disabled=yes log-prefix="DROP FORWARD INVALIDAS" add action=drop chain=forward comment=" DENIEGO TODO LO QUE ATRAVIESE EL ROUTER _Y NO ESTC9 EXPLICITAMENTE PERMITIDO" log=yes log- prefix="DROP FORWARD" disabled=yes