I've use a combination of the default firewall rules and add a few other rules. Since I'm a newbie to setting my own firewall rules, I'm a bit worried that I could get hacked if something was not done right. I'm also not exactly sure on how to order those rules. Also our IP was blocked many times since last week on https://www.spamhaus.org/lookup/. I've blocked port 25, but our IP keeps getting on those lists: CSS and XBL.
Would someone please double check it, to make sure it's right?
Here are the Firewall Rules:
Code: Select all
# dec/02/2020 23:07:35 by RouterOS 6.47.7
# software id = H2RB-DILS
#
# model = RB750Gr3
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=drop chain=output comment="Block port 25 Out (SMTP)" log=yes \
log-prefix=Spammers_BlockPort25_Out_ port=25 protocol=tcp
add action=drop chain=input comment="Block port 25 In (SMTP)" log=yes \
log-prefix=Spammers_BlockPort25_In_ port=25 protocol=tcp
add action=add-src-to-address-list address-list=spammers \
address-list-timeout=3h chain=forward comment=\
"Add Spammers to the list for 3 hours" connection-limit=30,32 dst-port=\
25,587,465 limit=30/1m,0:packet log=yes log-prefix=\
Spammers_AddSpammersToList_ protocol=tcp
add action=drop chain=forward comment="Avoid spammers action" dst-port=\
25,587,465 log=yes log-prefix=Spammers_DropConnectionsInSpammersList_ \
protocol=tcp src-address-list=spammers
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="Prevent inter LANs communications" \
in-interface=ether4-LAN2 out-interface=ether5-LAN1
add action=drop chain=forward comment="Prevent inter LANs communications" \
in-interface=ether5-LAN1 out-interface=ether4-LAN2
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
/ip firewall service-port
set sip disabled=yes
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN