Mikrotik recommended firewall rules

Wed Nov 02, 2022 6:21 am

Hi everyone! Can anyone help me with improving, or making a better firewall based on, the rules below which I use for my company router?
Thanks in advance!

Firewall Raw

 0 ;;; Drop all DNS request from Internet chain=prerouting action=drop in-interface-list=WAN dst-port=53 log=no log-prefix="" protocol=tcp
 1 chain=prerouting action=drop in-interface-list=WAN dst-port=53 log=no log-prefix="" protocol=udp
 2 ;;; TCP invalid combination of flags attack (7 rules) chain=prerouting action=drop tcp-flags=!fin,!syn,!rst,!ack log=no log-prefix="" protocol=tcp
 3 chain=prerouting action=drop tcp-flags=fin,syn log=no log-prefix="" protocol=tcp
 4 chain=prerouting action=drop tcp-flags=fin,rst log=no log-prefix="" protocol=tcp
 5 chain=prerouting action=drop tcp-flags=fin,!ack log=no log-prefix="" protocol=tcp
 6 chain=prerouting action=drop tcp-flags=fin,urg log=no log-prefix="" protocol=tcp
 7 chain=prerouting action=drop tcp-flags=syn,rst log=no log-prefix="" protocol=tcp
 8 chain=prerouting action=drop tcp-flags=rst,urg log=no log-prefix="" protocol=tcp
 9 ;;; TCP Port 0 attack (2 rules) chain=prerouting action=drop src-port=0 log=no log-prefix="" protocol=tcp
10 chain=prerouting action=drop dst-port=0 log=no log-prefix="" protocol=tcp
11 ;;; UDP Port 0 attack (2 rules) chain=prerouting action=drop src-port=0 log=no log-prefix="" protocol=udp
12 chain=prerouting action=drop dst-port=0 log=no log-prefix="" protocol=udp
13 ;;; Protecting device crash when size > 1024 chain=prerouting action=drop packet-size=1025-1600 log=no log-prefix="" protocol=icmp
14 ;;; ICMP large packet attack chain=prerouting action=drop packet-size=1601-65535 log=no log-prefix="" protocol=icmp
15 ;;; ICMP fragmentation attack chain=prerouting action=drop log=no log-prefix="" protocol=icmp fragment=yes
16 ;;; SYN fragmented attack chain=prerouting action=drop tcp-flags=syn log=no log-prefix="" protocol=tcp fragment=yes
17 ;;; Fragment attack Interface Protection chain=prerouting action=drop log=no log-prefix="" fragment=yes dst-address-list="LAN Users"
18 ;;; IP option loose-source-routing chain=prerouting action=drop log=no log-prefix="" ipv4-options=loose-source-routing
19 ;;; IP option strict-source-routing chain=prerouting action=drop log=no log-prefix="" ipv4-options=strict-source-routing
20 ;;; IP option record-route chain=prerouting action=drop log=no log-prefix="" ipv4-options=record-route
21 ;;; IP option router-alert chain=prerouting action=drop log=no log-prefix="" ipv4-options=router-alert
22 ;;; IP option timestamp chain=prerouting action=drop log=no log-prefix="" ipv4-options=timestamp
23 ;;; IP options left, except IP Stream used by the IGMP protocol chain=prerouting action=drop log=no log-prefix="" protocol=!igmp ipv4-options=any
24 chain=prerouting action=accept log=no log-prefix="" protocol=icmp
25 chain=prerouting action=accept log=no log-prefix="" protocol=igmp
26 chain=prerouting action=accept log=no log-prefix="" protocol=tcp
27 chain=prerouting action=accept log=no log-prefix="" protocol=udp
28 chain=prerouting action=accept log=no log-prefix="" protocol=gre
29 chain=prerouting action=log log=yes log-prefix="Not TCP protocol" protocol=!tcp
30 ;;; Unused protocol protection chain=prerouting action=drop log=no log-prefix="" protocol=!tcp

Firewall Filter
 0 D chain=forward action=jump jump-target=hs-unauth hotspot=from-client,!auth
 1 D chain=forward action=jump jump-target=hs-unauth-to hotspot=to-client,!auth
 2 D chain=input action=jump jump-target=hs-input hotspot=from-client
 3 D chain=input action=drop protocol=tcp hotspot=!from-client dst-port=64872-64875
 4 D chain=hs-input action=jump jump-target=pre-hs-input
 5 D chain=hs-input action=accept protocol=udp dst-port=64872
 6 D chain=hs-input action=accept protocol=tcp dst-port=64872-64875
 7 D chain=hs-input action=jump jump-target=hs-unauth hotspot=!auth
 8 D chain=hs-unauth action=reject reject-with=tcp-reset protocol=tcp
 9 D chain=hs-unauth action=reject reject-with=icmp-net-prohibited
10 D chain=hs-unauth-to action=reject reject-with=icmp-host-prohibited
11 X ;;; place hotspot rules here chain=unused-hs-chain action=passthrough
12   ;;; Accept established,related connections chain=input action=accept connection-state=established,related
13   ;;; Accept established,related connections chain=forward action=accept connection-state=established,related
14   ;;; Accept established,related connections chain=output action=accept connection-state=established,related log=no log-prefix=""
15 X ;;; UDP chain=input action=accept protocol=udp log=no log-prefix=""
16   ;;; Allow LAN DNS queries-UDP chain=forward action=accept protocol=udp src-address-list="LAN Users" dst-port=53 log=no log-prefix=""
17   ;;; Allow LAN DNS queries-TCP chain=forward action=accept protocol=tcp src-address-list="LAN Users" dst-port=53 log=no log-prefix=""
18   ;;; Allow Wireguard Traffic chain=input action=accept src-address=192.168.200.0/24 log=no log-prefix=""
19   ;;; Allow Wireguard chain=input action=accept protocol=udp dst-port=13231
20   chain=forward action=jump jump-target=tcp protocol=tcp
21   chain=forward action=jump jump-target=udp protocol=udp
22   ;;; deny TFTP chain=tcp action=drop protocol=tcp dst-port=69
23   ;;; deny RPC portmapper chain=tcp action=drop protocol=tcp dst-port=111
24   ;;; deny RPC portmapper chain=tcp action=drop protocol=tcp dst-port=135
25   ;;; deny NBT chain=tcp action=drop protocol=tcp dst-port=137-139
26   ;;; deny cifs chain=tcp action=drop protocol=tcp dst-port=445
27   ;;; deny NFS chain=tcp action=drop protocol=tcp dst-port=2049
28   ;;; deny NetBus chain=tcp action=drop protocol=tcp dst-port=12345-12346
29   ;;; deny NetBus chain=tcp action=drop protocol=tcp dst-port=20034
30   ;;; deny BackOrifice chain=tcp action=drop protocol=tcp dst-port=3133
31   ;;; deny DHCP chain=tcp action=drop protocol=tcp dst-port=67-68
32   ;;; deny TFTP chain=udp action=drop protocol=udp dst-port=69
33   ;;; deny RPC portmapper chain=udp action=drop protocol=udp dst-port=111
34   ;;; deny RPC portmapper chain=udp action=drop protocol=udp dst-port=135
35   ;;; deny NBT chain=udp action=drop protocol=udp dst-port=137-139
36   ;;; deny NFS chain=udp action=drop protocol=udp dst-port=2049
37   ;;; deny BackOrifice chain=udp action=drop protocol=udp dst-port=3133
38   chain=forward action=jump jump-target=block-ddos connection-state=new
39   chain=forward action=drop connection-state=new src-address-list=ddoser dst-address-list=ddosed
40   chain=block-ddos action=return dst-limit=50,50,src-and-dst-addresses/10s
41   chain=block-ddos action=add-dst-to-address-list address-list=ddosed address-list-timeout=1m log=yes
42   chain=block-ddos action=add-src-to-address-list address-list=ddoser address-list-timeout=1m log=yes
43   ;;; ping port scanners chain=input action=drop src-address-list="port scanners"
44   ;;; Port scanners to list chain=input action=add-src-to-address-list protocol=tcp psd=21,3s,3,1 address-list="port scanners" address-list-timeout=2m
45   ;;; NMAP FIN Stealth scan chain=input action=add-src-to-address-list tcp-flags=fin,!syn,!rst,!psh,!ack,!urg protocol=tcp address-list="port scanners" address-list-timeout=2m
46   ;;; SYN/FIN scan chain=input action=add-src-to-address-list tcp-flags=fin,syn protocol=tcp address-list="port scanners" address-list-timeout=2m
47   ;;; SYN/RST scan chain=input action=add-src-to-address-list tcp-flags=syn,rst protocol=tcp address-list="port scanners" address-list-timeout=2m
48   ;;; FIN/PSH/URG scan chain=input action=add-src-to-address-list tcp-flags=fin,psh,urg,!syn,!rst,!ack protocol=tcp address-list="port scanners" address-list-timeout=2m
49   ;;; ALL/ALL scan chain=input action=add-src-to-address-list tcp-flags=fin,syn,rst,psh,ack,urg protocol=tcp address-list="port scanners" address-list-timeout=30m
50   ;;; NMAP NULL scan chain=input action=add-src-to-address-list tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg protocol=tcp address-list="port scanners" address-list-timeout=2m
51   ;;; Blaster Worm chain=virus action=drop protocol=tcp dst-port=135-139
52   ;;; Blaster Worm chain=virus action=drop protocol=tcp dst-port=445
53   ;;; Messenger Worm chain=virus action=drop protocol=udp dst-port=135-139
54   ;;; Blaster Worm chain=virus action=drop protocol=udp dst-port=445
55   ;;; ________ chain=virus action=drop protocol=tcp dst-port=593
56   ;;; ________ chain=virus action=drop protocol=tcp dst-port=1024-1030
57   ;;; MyDoom chain=virus action=drop protocol=tcp dst-port=1080
58   ;;; ________ chain=virus action=drop protocol=tcp dst-port=1214
59   ;;; ndm requester chain=virus action=drop protocol=tcp dst-port=1363
60   ;;; ndm server chain=virus action=drop protocol=tcp dst-port=1364
61   ;;; screen cast chain=virus action=drop protocol=tcp dst-port=1368
62   ;;; hromgrafx chain=virus action=drop protocol=tcp dst-port=1373
63   ;;; cichlid chain=virus action=drop protocol=tcp dst-port=1377
64   ;;; Worm chain=virus action=drop protocol=tcp dst-port=1433-1434
65   ;;; Bagle Virus chain=virus action=drop protocol=tcp dst-port=2745
66   ;;; Dumaru.Y chain=virus action=drop protocol=tcp dst-port=2283
67   ;;; Beagle chain=virus action=drop protocol=tcp dst-port=2535
68   ;;; Beagle.C-K chain=virus action=drop protocol=tcp dst-port=2745
69   ;;; MyDoom chain=virus action=drop protocol=tcp dst-port=3127-3128
70   ;;; Backdoor OptixPro chain=virus action=drop protocol=tcp dst-port=3410
71   ;;; Sasser chain=virus action=drop protocol=tcp dst-port=5554
72   ;;; Beagle.B chain=virus action=drop protocol=tcp dst-port=8866
73   ;;; Dabber.A-B chain=virus action=drop protocol=tcp dst-port=9898
74   ;;; Dumaru.Y chain=virus action=drop protocol=tcp dst-port=10000
75   ;;; MyDoom.B chain=virus action=drop protocol=tcp dst-port=10080
76   ;;; NetBus chain=virus action=drop protocol=tcp dst-port=12345
77   ;;; Kuang2 chain=virus action=drop protocol=tcp dst-port=17300
78   ;;; SubSeven chain=virus action=drop protocol=tcp dst-port=27374
79   ;;; PhatBot, Agobot, Gaobot chain=virus action=drop protocol=tcp dst-port=65506
80   ;;; Trinoo chain=virus action=drop protocol=udp dst-port=12667
81   ;;; Trinoo chain=virus action=drop protocol=udp dst-port=27665
82   ;;; Trinoo chain=virus action=drop protocol=udp dst-port=31335
83   ;;; Trinoo chain=virus action=drop protocol=udp dst-port=27444
84   ;;; Trinoo chain=virus action=drop protocol=udp dst-port=34555
85   ;;; Trinoo chain=virus action=drop protocol=udp dst-port=35555
86   ;;; Trinoo chain=virus action=drop protocol=tcp dst-port=27444
87   ;;; Drop Worm Infected (Mangle) chain=forward action=drop protocol=tcp src-address-list=Worm-Infected-p445 port=445
88   ;;; jump to the virus chain chain=forward action=jump jump-target=virus
89   ;;; invalid connections chain=input action=drop connection-state=invalid
90   ;;; invalid connections chain=forward action=drop connection-state=invalid
91   ;;; invalid connections chain=output action=drop connection-state=invalid log=no log-prefix=""
92   ;;; Bruteforce chain=forward action=jump jump-target=Bruteforce connection-state=new protocol=tcp dst-address-list=TechsoftcenterIPBlocks dst-port=22,3389
93   ;;; Drop - Blacklist chain=Bruteforce action=drop src-address-list=Bruteforce-Blacklist
94   ;;; Add - Blacklist chain=Bruteforce action=add-src-to-address-list src-address-list=Bruteforce-Stage3 address-list=Bruteforce-Blacklist address-list-timeout=15m
95   ;;; Add - Stage-3 chain=Bruteforce action=add-src-to-address-list src-address-list=Bruteforce-Stage2 address-list=Bruteforce-Stage3 address-list-timeout=30s
96   ;;; Add - Stage-2 chain=Bruteforce action=add-src-to-address-list src-address-list=Bruteforce-Stage1 address-list=Bruteforce-Stage2 address-list-timeout=30s
97   ;;; Add - Stage-1 chain=Bruteforce action=add-src-to-address-list address-list=Bruteforce-Stage1 address-list-timeout=30s
98   ;;; Drop to bogon list chain=forward action=drop dst-address-list=bogons
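As an added example (not the poster's rules and not MikroTik code): a small Python audit that parses a one-rule-per-line `/ip firewall filter print` listing of the shape above and reports the built-in chains that have no terminal drop. On RouterOS a packet that matches no rule in a chain is accepted, and neither the input nor the forward chain in the listing ends in a drop, so whatever the specific drop rules do not catch is allowed through. The constructed sample is a cut-down copy of that listing with RouterOS's own field names; what counts as a "terminal" drop (a drop or reject narrowed at most by an interface list) is this example's assumption.

```python
"""Audit a RouterOS '/ip firewall filter print' listing (one rule per line) for
built-in chains with no terminal drop.  Added example, not the poster's config."""
import re

# Print format as it appears in the post: index, optional flags (D dynamic,
# X disabled), optional ';;; comment', then RouterOS key=value matchers.
RULE_RE = re.compile(r"^\s*(\d+)\s+([DXI]*)\s*(?:;;;\s*(.*?)\s+)?(chain=.*)$")
KV_RE = re.compile(r'([\w-]+)=("[^"]*"|\S+)')

# Constructed sample: a cut-down copy of the post's listing, same shape.
SAMPLE = """\
12   ;;; Accept established,related connections chain=input action=accept connection-state=established,related
15 X ;;; UDP chain=input action=accept protocol=udp log=no log-prefix=""
19   ;;; Allow Wireguard chain=input action=accept protocol=udp dst-port=13231
43   ;;; ping port scanners chain=input action=drop src-address-list="port scanners"
89   ;;; invalid connections chain=input action=drop connection-state=invalid
13   ;;; Accept established,related connections chain=forward action=accept connection-state=established,related
98   ;;; Drop to bogon list chain=forward action=drop dst-address-list=bogons
 3 D chain=hs-input action=drop protocol=tcp dst-port=64872-64875
"""

# Keys that do not narrow a drop below "everything (from this interface list)
# in the chain"; counting such a drop as terminal is this example's assumption.
IGNORED = {"index", "flags", "comment", "chain", "action", "log", "log-prefix",
           "in-interface", "in-interface-list", "reject-with"}

def parse_rules(listing):
    """Return one dict per rule: index, flags, comment plus the key=value pairs."""
    rules = []
    for line in listing.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # blank line or a header we do not model
        idx, flags, comment, body = m.groups()
        rule = {k: v.strip('"') for k, v in KV_RE.findall(body)}
        rule.update(index=int(idx), flags=flags, comment=comment or "")
        rules.append(rule)
    return rules

def is_terminal_drop(rule):
    """Enabled drop/reject whose only matchers are the chain and, at most, an interface."""
    if "X" in rule["flags"] or rule.get("action") not in ("drop", "reject"):
        return False
    return not (set(rule) - IGNORED)

def chains_without_terminal_drop(listing, chains=("input", "forward")):
    """Built-in chains that fall through to RouterOS's default accept."""
    rules = parse_rules(listing)
    return [c for c in chains
            if not any(r.get("chain") == c and is_terminal_drop(r) for r in rules)]
```

Run it against the full listing (one rule per line) to confirm the result is the same as for the sample; a disabled (X) drop does not count, since RouterOS skips disabled rules.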