Selasa, 05 Februari 2008

Firewall 1

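# MikroTik RouterOS firewall filter rules (input = traffic to the router itself,
# forward = traffic through the router). RouterOS evaluates rules in the order
# they are added *within each chain*; the rules below are grouped per chain so
# the effective order is visible. Order across different chains is irrelevant.
/ ip firewall filter

# ---------------------------------------------------------------------------
# RouterServices: services offered by the router, reached via a jump from the
# input chain. Anything not accepted here returns to the input chain.
# NOTE(review): the management rules (Winbox 8291, MAC-Winbox 20561, bandwidth
# test 2000, discovery 5678) accept from ANY source address; consider adding
# src-address-list=fulladmin to them, the way the webbox rule in input limits
# access by address list.
# ---------------------------------------------------------------------------
add chain=RouterServices action=accept protocol=icmp comment="Allow ICMP" disabled=no
add chain=RouterServices action=accept dst-port=67-68 protocol=udp comment="Allow DHCP" disabled=no
add chain=RouterServices action=accept dst-port=53 protocol=udp comment="Allow DNS" disabled=no
add chain=RouterServices action=accept dst-port=20561 protocol=udp comment="Allow MAC-Winbox" disabled=no
add chain=RouterServices action=accept dst-port=8291 protocol=tcp comment="Allow Winbox" disabled=no
# Matches any UDP packet whose *source* port is 123, not only NTP replies.
# Replies to the router's own NTP queries are already accepted by the
# established/related rules in the input chain, so this rule is likely redundant.
add chain=RouterServices action=accept src-port=123 protocol=udp comment="Allow NTP" disabled=no
# Only needed when the router itself serves NTP. (The original comment string
# contained an unescaped inner quote, which unbalances the value.)
add chain=RouterServices action=accept dst-port=123 protocol=udp comment="Allow NTP server - if we are running NTP server" disabled=no

# Dynamic routing protocols - disabled unless the router actually runs them.
add chain=RouterServices action=accept protocol=ospf comment="Allow OSPF" disabled=yes
add chain=RouterServices action=accept src-port=520-521 protocol=udp comment="Allow RIP" disabled=yes
# (A disabled TCP duplicate of the RIP rule carrying stray psd/time/address-type
# matchers was removed: RIP runs over UDP and those matchers made no sense on an
# accept rule.)
add chain=RouterServices action=accept dst-port=179 protocol=tcp comment="Allow BGP" disabled=yes
# 3128 is the RouterOS web-proxy default port.
add chain=RouterServices action=accept dst-port=3128 protocol=tcp comment="Allow web-proxy - if we are running web-proxy - DEFAULT PORT" disabled=yes

add chain=RouterServices action=accept src-address=127.0.0.1 dst-address=127.0.0.1 comment="Allow localhost comms to work" disabled=no
add chain=RouterServices action=accept dst-port=2000 protocol=tcp comment="Allow TCP bandwidth test" disabled=no
add chain=RouterServices action=accept dst-port=2000 protocol=udp comment="Allow UDP bandwidth test" disabled=no
add chain=RouterServices action=accept dst-port=5678 protocol=udp comment="Allow Mikrotik router discovery" disabled=no

# VPN services.
add chain=RouterServices action=accept dst-port=1701 protocol=udp comment="Allow L2TP" disabled=yes
add chain=RouterServices action=accept dst-port=1701 protocol=tcp comment="Allow L2TP" disabled=yes
add chain=RouterServices action=accept dst-port=1723 protocol=tcp comment="Allow PPTP" disabled=no
add chain=RouterServices action=accept protocol=gre comment="Allow GRE - for PPtP and EoIP" disabled=no
add chain=RouterServices action=accept dst-port=500 protocol=tcp comment="Allow ISAKMP - for IPSEC" disabled=yes
add chain=RouterServices action=accept dst-port=500 protocol=udp comment="Allow ISAKMP - for IPSEC" disabled=yes
add chain=RouterServices action=accept protocol=ipsec-esp comment="Allow protocol 50 - IPSEC" disabled=yes
add chain=RouterServices action=accept protocol=ipsec-ah comment="Allow protocol 51 - IPSEC" disabled=yes
add chain=RouterServices action=accept protocol=vrrp comment="Allow VRRP" disabled=yes

# ---------------------------------------------------------------------------
# hackertraps: reached via a jump from input. Records the source of connection
# attempts to SSH/FTP/telnet in the "hacker" address list. The list is enforced
# (dropped) only in the traphackers chain, i.e. for forwarded traffic.
# ---------------------------------------------------------------------------
add chain=hackertraps action=add-src-to-address-list dst-port=22 protocol=tcp address-list=hacker address-list-timeout=10s comment="Add SSH attempts to hacker list" disabled=no
add chain=hackertraps action=add-src-to-address-list dst-port=21 protocol=tcp address-list=hacker address-list-timeout=10s comment="Add FTP attempts to hacker list" disabled=no
add chain=hackertraps action=add-src-to-address-list dst-port=23 protocol=tcp address-list=hacker address-list-timeout=1m comment="Add telnet attempts to hacker list" disabled=no
# address-list-timeout=0s makes the entry permanent, and port-scan detection
# (psd) can misfire on legitimate hosts, so this stays off as its comment says.
# (Was disabled=no, contradicting both the comment and the other rules marked
# DISABLED BY DEFAULT.)
add chain=hackertraps action=add-src-to-address-list protocol=tcp psd=15,3s,3,1 address-list=hacker address-list-timeout=0s comment="Add port scanners to hacker list - DISABLED BY DEFAULT" disabled=yes

# ---------------------------------------------------------------------------
# traphackers: reached via a jump from forward. The return for LOCALIP must stay
# before the drop so local addresses are never blocked.
# ---------------------------------------------------------------------------
add chain=traphackers action=return src-address-list=LOCALIP comment="Insure we do not drop our local IPs if they get added to the hacker list accidentally" disabled=no
add chain=traphackers action=drop src-address-list=hacker comment="Protect customers from known hackers" disabled=no

# ---------------------------------------------------------------------------
# known_viruses: reached via a jump from forward. Drops Windows file-sharing
# ports (TCP/UDP 135-139 and 445) so they never cross the router.
# ---------------------------------------------------------------------------
add chain=known_viruses action=drop dst-port=135-139 protocol=tcp comment="Windows Netbios" disabled=no
add chain=known_viruses action=drop dst-port=135-139 protocol=udp comment="Windows Netbios" disabled=no
add chain=known_viruses action=drop dst-port=445 protocol=tcp comment="Windows Netbios" disabled=no
add chain=known_viruses action=drop dst-port=445 protocol=udp comment="Windows Netbios" disabled=no

# ---------------------------------------------------------------------------
# input: traffic addressed to the router. Connection-tracking decisions first,
# then admin access, then the service/trap chains, then log-and-drop the rest.
# ---------------------------------------------------------------------------
add chain=input action=accept connection-state=established comment="Accept Established" disabled=no
add chain=input action=accept connection-state=related comment="Accept Related" disabled=no
# Moved up from after the log rule: invalid packets are now discarded before
# they can match the admin/service accepts or be logged and fed to hackertraps.
add chain=input action=drop connection-state=invalid comment="Drop invalid" disabled=no
add chain=input action=accept dst-port=80 protocol=tcp src-address-list=webadmin comment="Allow webadmins access to webbox - DISABLED BY DEFAULT - example for how to limit access for certain admin types" disabled=yes
# NOTE(review): this rule requires BOTH src-address=10.10.100.101 AND membership
# in the MONITORS list; 10.10.100.101 is not in that list (see the address-list
# section), so as written the rule can never match. Drop one of the two
# matchers before enabling it.
add chain=input action=accept src-address=10.10.100.101 dst-port=161 protocol=udp src-address-list=MONITORS comment="Allow the NMS to monitor SNMP on this machine - DISABLED BY DEFAULT - use only if you have an SNMP monitoring machine" disabled=yes
add chain=input action=accept src-address-list=fulladmin comment="Accept ALL from fulladmin address list" disabled=no
add chain=input action=jump jump-target=RouterServices comment="Jump to Router Services chain" disabled=no
# Hosts listed by hackertraps are not dropped on input: the RouterServices
# accepts above already ran, so a listed host can still reach accepted services.
add chain=input action=jump jump-target=hackertraps comment="Jump to hackertraps chain - trap hacker behavior" disabled=no
# Logs every packet that reaches this point, i.e. everything about to be
# dropped. There is no rate limit on this rule, so a flood will fill the log.
add chain=input action=log log-prefix="INPUTFW:" comment="Log traffic about to be dropped" disabled=no
add chain=input action=drop comment="Drop all remaining traffic" disabled=no

# ---------------------------------------------------------------------------
# forward: traffic passing through the router.
# ---------------------------------------------------------------------------
add chain=forward action=jump jump-target=traphackers comment="Jump to traphackers chain - check to see if we have detected a hacker" disabled=no
add chain=forward action=jump jump-target=known_viruses comment="Jump to known_viruses chain - check for virus traffic" disabled=no
# The comment says 20 but the matcher value is 21 (per /32 source address);
# confirm against the connection-limit semantics of the RouterOS version in use.
add chain=forward action=drop tcp-flags=syn protocol=tcp connection-limit=21,32 comment="allow only 20 simultaneous connections from each of the clients" disabled=no
# Drop already-listed spammers first, then list new ones (entries expire after
# address-list-timeout=1d).
add chain=forward action=drop dst-port=25 protocol=tcp src-address-list=spammer comment="BLOCK SPAMMERS OR INFECTED USERS" disabled=no
add chain=forward action=add-src-to-address-list dst-port=25 protocol=tcp connection-limit=30,32 limit=50,5 address-list=spammer address-list-timeout=1d comment="Detect and add-list SMTP virus or spammers" disabled=no
add chain=forward action=drop p2p=all-p2p comment="DROP Most popular p2p protocols recognized by the MirkoTik RouterOS" disabled=no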

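# Address lists referenced by the filter rules. Addresses written as
# xx.xx.xx.xx are redacted placeholders in the published version - replace them
# with the real prefixes before importing.
/ ip firewall address-list

# fulladmin: sources given unrestricted access to the router (input chain).
add list=fulladmin address=xx.xx.xxx.xx comment="Access for Butch home" disabled=no
add list=fulladmin address=xx.xxxx.xxx.xxx/28 comment="Access for Jim" disabled=no
add list=fulladmin address=10.1.3.0/24 comment="Access from private network" disabled=no
add list=fulladmin address=xx.xx.xx.xx/27 comment="Access from public range" disabled=no
add list=fulladmin address=192.168.200.1 comment="Allow from Border MT" disabled=no

# LOCALIP: addresses that must never be dropped by the traphackers chain.
add list=LOCALIP address=10.0.0.0/8 comment="Private Range" disabled=no
add list=LOCALIP address=192.168.0.0/16 comment="Private Range" disabled=no
# Was 172.16.0.0/20, which covers only 172.16.0.0-172.16.15.255; the RFC 1918
# private block is 172.16.0.0/12 (172.16.0.0-172.31.255.255).
add list=LOCALIP address=172.16.0.0/12 comment="Private Range" disabled=no
add list=LOCALIP address=xx.xx.xx.xx/27 comment="Public Range" disabled=no

# MONITORS: NMS hosts for the (disabled) SNMP rule in the input chain.
# NOTE(review): that rule also requires src-address=10.10.100.101, which is
# not in this list, so the two matchers cannot both be satisfied as written.
add list=MONITORS address=10.11.1.3 comment="This is for monitoring servers" disabled=no
add list=MONITORS address=10.13.1.3 comment="This is for monitoring servers" disabled=no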

# Connection-tracking protocol helpers (ALGs). Each `set` toggles one helper;
# the `ports=` value is the port the helper watches.
/ ip firewall service-port
# Helpers left enabled.
set ftp ports=21 disabled=no
set tftp ports=69 disabled=no
set irc ports=6667 disabled=no
set quake3 disabled=no
# Helpers switched off.
set h323 disabled=yes
set gre disabled=yes
set pptp disabled=yes

# Connection tracking must stay enabled: the established/related/invalid rules,
# connection-limit and the add-src-to-address-list detections in the filter
# rules all depend on it. Most state timeouts are kept short (10s); only
# established TCP (1d), UDP streams (3m) and generic flows (10m) live longer.
# NOTE(review): tcp-syncookie=no leaves SYN cookies off; consider enabling them
# if the router faces the public Internet.
/ ip firewall connection tracking
set enabled=yes tcp-syn-sent-timeout=5s tcp-syn-received-timeout=5s tcp-established-timeout=1d tcp-fin-wait-timeout=10s tcp-close-wait-timeout=10s tcp-last-ack-timeout=10s tcp-time-wait-timeout=10s tcp-close-timeout=10s udp-timeout=10s udp-stream-timeout=3m icmp-timeout=10s generic-timeout=10m tcp-syncookie=no

by Christapher James Hasher
