/ip firewall filter add action=drop chain=input comment="Drop Invalid connections" connection-state=invalid add action=accept chain=input comment="Allow Established connections" connection-state=established add action=accept chain=input comment="Allow ICMP" protocol=icmp add action=drop chain=input comment="Drop everything else" add action=drop chain=forward comment="drop invalid connections" connection-state=invalid protocol=tcp add action=accept chain=forward comment="allow already established connections" connection-state=established add action=accept chain=forward comment="allow related connections" connection-state=related add action=drop chain=forward src-address=0.0.0.0/8 add action=drop chain=forward dst-address=0.0.0.0/8 add action=drop chain=forward src-address=127.0.0.0/8 add action=drop chain=forward dst-address=127.0.0.0/8 add action=drop chain=forward src-address=224.0.0.0/3 add action=drop chain=forward dst-address=224.0.0.0/3 add action=jump chain=forward jump-target=tcp protocol=tcp add action=jump chain=forward jump-target=udp protocol=udp add action=jump chain=forward jump-target=icmp protocol=icmp add action=drop chain=tcp comment="deny TFTP" dst-port=69 protocol=tcp add action=drop chain=tcp comment="deny RPC portmapper" dst-port=111 protocol=tcp add action=drop chain=tcp comment="deny RPC portmapper" dst-port=135 protocol=tcp add action=drop chain=tcp comment="deny NBT" dst-port=137-139 protocol=tcp add action=drop chain=tcp comment="deny cifs" dst-port=445 protocol=tcp add action=drop chain=tcp comment="deny NFS" dst-port=2049 protocol=tcp add action=drop chain=tcp comment="deny NetBus" dst-port=12345-12346 protocol=tcp add action=drop chain=tcp comment="deny NetBus" dst-port=20034 protocol=tcp add action=drop chain=tcp comment="deny BackOriffice" dst-port=3133 protocol=tcp add action=drop chain=tcp comment="deny DHCP" dst-port=67-68 protocol=tcp add action=drop chain=udp comment="deny TFTP" dst-port=69 protocol=udp add action=drop chain=udp comment="deny PRC portmapper" dst-port=111 protocol=udp add action=drop chain=udp comment="deny PRC portmapper" dst-port=135 protocol=udp add action=drop chain=udp comment="deny NBT" dst-port=137-139 protocol=udp add action=drop chain=udp comment="deny NFS" dst-port=2049 protocol=udp add action=drop chain=udp comment="deny BackOriffice" dst-port=3133 protocol=udp add action=accept chain=icmp comment="echo reply" icmp-options=0:0 protocol=icmp add action=accept chain=icmp comment="net unreachable" icmp-options=3:0 protocol=icmp add action=accept chain=icmp comment="host unreachable" icmp-options=3:1 protocol=icmp add action=accept chain=icmp comment="host unreachable fragmentation required" icmp-options=3:4 protocol=icmp add action=accept chain=icmp comment="allow source quench" icmp-options=4:0 protocol=icmp add action=accept chain=icmp comment="allow echo request" icmp-options=8:0 protocol=icmp add action=accept chain=icmp comment="allow time exceed" icmp-options=11:0 protocol=icmp add action=accept chain=icmp comment="allow parameter bad" icmp-options=12:0 protocol=icmp add action=drop chain=icmp comment="deny all other types"
