ده رول لتحسين التصفح
# Mangle: stamp every packet traversing prerouting with packet-mark "all".
# passthrough=no stops mangle processing for the packet at this rule, so any
# other mark-packet rule placed after it in prerouting is never reached; keep
# it last in the chain (or use passthrough=yes) if finer marks are wanted.
/ip firewall mangle add chain=prerouting action=mark-packet new-packet-mark=all passthrough=no
وده كمان لتحسين التصفح
# Mangle rules that classify each new connection by service so that queues
# (not shown on this page) can act on the connection mark. Layout:
#   prerouting --jump--> tcp-services / udp-services / other-services
#   each service chain: one mark-connection rule per well-known port,
#   then a catch-all "other-*" mark.
# NOTE(review): every service rule uses passthrough=yes and the catch-all at
# the end of each chain has no port match, so a connection first marked e.g.
# "http" keeps being evaluated and is re-marked "other-tcp" by the catch-all
# (the last mark-connection that matches wins). Unless the catch-all is
# restricted with connection-mark=no-mark, or the specific rules use
# passthrough=no, every connection appears to end up as other-tcp/other-udp/
# other. Verify with /ip firewall connection print before building queues.
ip firewall mangle
# Only connection-state=new packets enter the service chains; later packets
# of the same connection already carry the connection mark.
add action=jump chain=prerouting comment="" connection-state=new disabled=no jump-target=tcp-services protocol=tcp
add action=jump chain=prerouting comment="" connection-state=new disabled=no jump-target=udp-services protocol=udp
add action=jump chain=prerouting comment="" connection-state=new disabled=no jump-target=other-services
# tcp-services: the src-port ranges (1024-65535; 513-65535 for ssh) only
# match clients using ephemeral source ports. A client that binds a low
# source port is not classified by these rules.
add action=mark-connection chain=tcp-services comment="" disabled=no dst-port=20-21 new-connection-mark=ftp passthrough=yes protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services comment="" disabled=no dst-port=22 new-connection-mark=ssh passthrough=yes protocol=tcp src-port=513-65535
add action=mark-connection chain=tcp-services comment="" disabled=no dst-port=23 new-connection-mark=telnet passthrough=yes protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services comment="" disabled=no dst-port=25 new-connection-mark=smtp passthrough=yes protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services comment="" disabled=no dst-port=53 new-connection-mark=dns passthrough=yes protocol=tcp src-port=53
add action=mark-connection chain=tcp-services comment="" disabled=no dst-port=53 new-connection-mark=dns passthrough=yes protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services comment="" disabled=no dst-port=80 new-connection-mark=http passthrough=yes protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services comment="" disabled=no dst-port=110 new-connection-mark=pop3 passthrough=yes protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services comment="" disabled=no dst-port=113 new-connection-mark=auth passthrough=yes protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services comment="" disabled=no dst-port=119 new-connection-mark=nntp passthrough=yes protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services comment="" disabled=no dst-port=143 new-connection-mark=imap passthrough=yes protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services comment="" disabled=no dst-port=161-162 new-connection-mark=snmp passthrough=yes protocol=tcp \
src-port=1024-65535
add action=mark-connection chain=tcp-services comment="" disabled=no dst-port=443 new-connection-mark=https passthrough=yes protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services comment="" disabled=no dst-port=465 new-connection-mark=smtps passthrough=yes protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services comment="" disabled=no dst-port=993 new-connection-mark=imaps passthrough=yes protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services comment="" disabled=no dst-port=995 new-connection-mark=pop3s passthrough=yes protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services comment="" disabled=no dst-port=1723 new-connection-mark=pptp passthrough=yes protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services comment="" disabled=no dst-port=2379 new-connection-mark=kgs passthrough=yes protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services comment="" disabled=no dst-port=3128 new-connection-mark=proxy passthrough=yes protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services comment="" disabled=no dst-port=3987 new-connection-mark=win-ts passthrough=yes protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services comment="" disabled=no dst-port=4242-4243 new-connection-mark=emule passthrough=yes protocol=tcp \
src-port=1024-65535
# P2P rules keyed on the *source* port of the remote peer (4661-4662, 4711):
# port-based P2P detection is easily evaded by clients on random ports; treat
# these marks as best-effort only.
add action=mark-connection chain=tcp-services comment="" disabled=no dst-port=1024-65535 new-connection-mark=overnet passthrough=yes protocol=tcp \
src-port=4661-4662
add action=mark-connection chain=tcp-services comment="" disabled=no dst-port=1024-65535 new-connection-mark=emule passthrough=yes protocol=tcp src-port=4711
add action=mark-connection chain=tcp-services comment="" disabled=no dst-port=5900-5901 new-connection-mark=vnc passthrough=yes protocol=tcp \
src-port=1024-65535
add action=mark-connection chain=tcp-services comment="" disabled=no dst-port=6667-6669 new-connection-mark=irc passthrough=yes protocol=tcp \
src-port=1024-65535
add action=mark-connection chain=tcp-services comment="" disabled=no dst-port=6881-6889 new-connection-mark=bittorrent passthrough=yes protocol=tcp \
src-port=1024-65535
add action=mark-connection chain=tcp-services comment="" disabled=no dst-port=8080 new-connection-mark=http passthrough=yes protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services comment="" disabled=no dst-port=8291 new-connection-mark=winbox passthrough=yes protocol=tcp src-port=1024-65535
# Catch-all: matches every TCP packet that reaches it (see the NOTE at the
# top of this section about it overwriting the earlier marks).
add action=mark-connection chain=tcp-services comment="" disabled=no new-connection-mark=other-tcp passthrough=yes protocol=tcp
add action=mark-connection chain=udp-services comment="" disabled=no dst-port=53 new-connection-mark=dns passthrough=yes protocol=udp src-port=1024-65535
add action=mark-connection chain=udp-services comment="" disabled=no dst-port=123 new-connection-mark=ntp passthrough=yes protocol=udp src-port=1024-65535
add action=mark-connection chain=udp-services comment="" disabled=no dst-port=1701 new-connection-mark=l2tp passthrough=yes protocol=udp src-port=1024-65535
add action=mark-connection chain=udp-services comment="" disabled=no dst-port=4665 new-connection-mark=emule passthrough=yes protocol=udp src-port=1024-65535
add action=mark-connection chain=udp-services comment="" disabled=no dst-port=4672 new-connection-mark=emule passthrough=yes protocol=udp src-port=1024-65535
add action=mark-connection chain=udp-services comment="" disabled=no dst-port=1024-65535 new-connection-mark=emule passthrough=yes protocol=udp src-port=4672
# BUG(review): src-port=1024-6553 on the next rule is almost certainly a typo
# for 1024-65535 (every other range on this page ends at 65535); as written,
# clients using a source port above 6553 are not marked overnet here.
add action=mark-connection chain=udp-services comment="" disabled=no dst-port=12053 new-connection-mark=overnet passthrough=yes protocol=udp \
src-port=1024-6553
add action=mark-connection chain=udp-services comment="" disabled=no dst-port=1024-65535 new-connection-mark=overnet passthrough=yes protocol=udp \
src-port=12053
add action=mark-connection chain=udp-services comment="" disabled=no dst-port=1024-65535 new-connection-mark=skype passthrough=yes protocol=udp src-port=36725
add action=mark-connection chain=udp-services comment="" connection-state=new disabled=no new-connection-mark=other-udp passthrough=yes protocol=udp
# other-services: ICMP echo-request (type 8) -> ping, GRE -> gre, and a
# protocol-less catch-all that also matches the two rules above it.
add action=mark-connection chain=other-services comment="" disabled=no icmp-options=8:0-255 new-connection-mark=ping passthrough=yes protocol=icmp
add action=mark-connection chain=other-services comment="" disabled=no new-connection-mark=gre passthrough=yes protocol=gre
add action=mark-connection chain=other-services comment="" disabled=no new-connection-mark=other passthrough=yes
# MSS clamping for forwarded SYNs to a fixed 1448 (PPPoE-style MTU). The run
# of underscores after "syn" looks like a paste artifact; the intended value
# is presumably tcp-flags=syn — verify before importing. new-mss=clamp-to-pmtu
# is the alternative when the uplink MTU is not fixed.
add action=change-mss chain=forward comment="" disabled=no new-mss=1448 protocol=tcp tcp-flags=syn__________________
وده رول مهم جدا وفائده فصل الدون لود عن التصفح
# Mark packets served from the local web-proxy cache (ToS 48) in postrouting
# so a queue can exempt cache hits from the download limit. tos=48 must agree
# with the ToS/DSCP value the proxy sets on cache hits — confirm in the proxy
# settings on the target release. passthrough=no: first matching mark wins.
/ip firewall mangle add chain=postrouting action=mark-packet new-packet-mark=proxy-hit passthrough=no \
tos=48 comment="Proxy Cache Hits Mark" disabled=no
اعداد الكاش
# Transparent web-proxy: redirect client HTTP (dst-port 80) to the local
# proxy on port 3128.
/ ip firewall nat
# NOTE(review): no in-interface/src-address match, so port-80 traffic arriving
# on any interface (including the WAN) is redirected; add in-interface=<LAN>
# to limit it to clients.
add chain=dstnat dst-port=80 protocol=tcp action=redirect to-ports=3128 comment="PROXY REDIRECTION" disabled=no
/ ip web-proxy
# src-address=0.0.0.0 listens on all addresses; the filter rule at the end of
# this section is the only thing preventing an open proxy on the WAN.
# `transparent-proxy=` and the `/ ip web-proxy access` path are older
# RouterOS syntax — verify they exist on the target release.
set enabled=yes src-address=0.0.0.0 port=3128 hostname="proxy" transparent-proxy=yes parent-proxy=0.0.0.0:0 cache-administrator="webmaster" max-object-size=4096KiB cache-drive=system max-cache-size=380000KiB max-ram-cache-size=64000KiB
/ ip web-proxy access
# Deny proxy requests to ports 23-25 (telnet, SMTP) so the proxy cannot be
# used as a mail relay or telnet hop.
add dst-port=23-25 action=deny comment="block telnet & spam e-mail relaying" disabled=no
/ip firewall filter
# Drop direct connections to the proxy port from the Internet. Assumes the
# WAN interface is literally named "wan"; if it is named differently the
# rule matches nothing and the proxy is exposed.
add chain=input dst-port=3128 protocol=tcp in-interface=wan action=drop comment="EXTERNAL PROXY BLOCK" disabled=no
لتنظيف البروكسي سيرفر او الكاش كل 3 ايام
# Scheduled cache clean-up: disable the proxy, clear its cache, re-enable it.
# Lines 73-80 of this paste are ONE add command; the "\n" inside the quoted
# source are the script's line breaks. The proxy is offline for ~2 minutes
# (two :delay 60s) on every run.
/ system script
# NOTE(review): policy= grants ftp,reboot,policy,password,winbox to a script
# that only toggles the proxy; least privilege is policy=read,write (add
# test only if the release requires it). "p assword" and the stray "\"
# before policy= are word-wrap artifacts of the paste (policy name: password).
add name="proxyclear" source=":log info \"Cleaning web-proxy\" \n
/ ip web-proxy set enabled=no \n
:delay 60s \n
/ ip web-proxy clear-cache \n
:delay 60s \n
/ ip web-proxy set enabled=yes \n
:log info \"Clear web-proxy done\"
\n" \policy=ftp,reboot,read,write,policy,test,winbox,p assword
/ system scheduler
# Every 72 h at 04:00; start-date is only an anchor in the past.
add name="palmcse_proxyclear" on-event=proxyclear start-date=feb/13/1977 start-time=0400 interval=72:00:00 comment="" disabled=no
سكربت لاخذ باك اب يومي
# Daily backup + export named "<identity>_<date>" (abbreviated commands:
# /sys bac sa = /system backup save, /sys id g na = /system identity get
# name, /sys cl g da = /system clock get date; the :pick offsets cut the
# year, month and day out of the date string). Lines 85-91 are one command.
/ system script
# NOTE(review): both files contain the full configuration, including secrets
# (users, PPP/hotspot credentials, keys), and accumulate on the router's
# storage with no rotation or off-box copy; restrict who can read files on
# the router and fetch/remove them. The script needs read,write only —
# reboot, policy, password, ftp are excess privilege. "pa ssword" is a
# word-wrap artifact for the `password` policy.
add name="abackup" source="/sys bac sa name=\(\[/sys id g na\] . \"_\" . \
\[:pick \[/sys cl g da\] 7 11\] . \[:pick \[/sys cl g da\] 0 3\] . \[:pick \
\[/sys cl g da\] 4 6\]\)\n
\n/ export file=\(\[/sys id g na\] . \"_\" . \
\[:pick \[/sys cl g da\] 7 11\] . \[:pick \[/sys cl g da\] 0 3\] . \[:pick \
\[/sys cl g da\] 4 6\]\)" \
policy=ftp,reboot,read,write,policy,test,winbox,pa ssword
/ system scheduler
# Runs daily at 23:59:30.
add name="palmcse_abackup" on-event="abackup" interval=24:00:00 start-time=23:59:30 comment="Auto backup script"
حجب اجهزة الزبون من الاتصال باجهزة الزبون الاخرى على كل البورتات
# Client isolation for the 192.168.0.0/24 LAN: drop traffic forwarded
# between two clients of that subnet.
# NOTE(review): the forward chain only sees traffic that is routed through
# this box. Hosts on the same L2 segment reach each other directly (ARP),
# so this rule alone does not isolate them; it needs per-port /32 addressing,
# a PPPoE/hotspot per-client setup, or client isolation on the AP/switch.
/ ip firewall filter
add chain=forward src-address=192.168.0.0/24 dst-address=192.168.0.0/24 action=drop comment="Block client to client traffic in all ports" disabled=no
واخيرا اهم من كل شئ قفل ال telnet منعا لاختراق الميكروتك
# Winbox path (IP -> Services -> service list), not CLI commands. The CLI
# equivalent for disabling telnet is:
#   /ip service set telnet disabled=yes
# While there, also disable ftp/www/api if unused and set address= on the
# remaining services (winbox, ssh) to the management subnet, so they are
# not reachable from the WAN.
ip
service
ip service list
telnet كلك يمين ودس ايبل
# Repeat of the same mark-packet rule given at the top of the page. Importing
# the page twice adds a second, identical rule; the first one already ends
# mangle processing (passthrough=no) so the duplicate never matches.
/ip firewall mangle add chain=prerouting action=mark-packet new-packet-mark=all passthrough=no
وده كمان لتحسين التصفح
# Verbatim repeat of the service-classification mangle section earlier on
# this page (the forum post was pasted twice). Importing both copies creates
# duplicate jump and mark-connection rules; the second set is dead code and
# only costs rule evaluations. Import one copy.
# The defects of the first copy apply here unchanged: the port-less catch-all
# marks (other-tcp / other-udp / other) follow passthrough=yes rules and so
# overwrite the specific marks; src-port=1024-6553 on the overnet rule is a
# typo for 65535; the underscores after tcp-flags=syn are a paste artifact.
ip firewall mangle
add action=jump chain=prerouting comment="" connection-state=new disabled=no jump-target=tcp-services protocol=tcp
add action=jump chain=prerouting comment="" connection-state=new disabled=no jump-target=udp-services protocol=udp
add action=jump chain=prerouting comment="" connection-state=new disabled=no jump-target=other-services
add action=mark-connection chain=tcp-services comment="" disabled=no dst-port=20-21 new-connection-mark=ftp passthrough=yes protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services comment="" disabled=no dst-port=22 new-connection-mark=ssh passthrough=yes protocol=tcp src-port=513-65535
add action=mark-connection chain=tcp-services comment="" disabled=no dst-port=23 new-connection-mark=telnet passthrough=yes protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services comment="" disabled=no dst-port=25 new-connection-mark=smtp passthrough=yes protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services comment="" disabled=no dst-port=53 new-connection-mark=dns passthrough=yes protocol=tcp src-port=53
add action=mark-connection chain=tcp-services comment="" disabled=no dst-port=53 new-connection-mark=dns passthrough=yes protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services comment="" disabled=no dst-port=80 new-connection-mark=http passthrough=yes protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services comment="" disabled=no dst-port=110 new-connection-mark=pop3 passthrough=yes protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services comment="" disabled=no dst-port=113 new-connection-mark=auth passthrough=yes protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services comment="" disabled=no dst-port=119 new-connection-mark=nntp passthrough=yes protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services comment="" disabled=no dst-port=143 new-connection-mark=imap passthrough=yes protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services comment="" disabled=no dst-port=161-162 new-connection-mark=snmp passthrough=yes protocol=tcp \
src-port=1024-65535
add action=mark-connection chain=tcp-services comment="" disabled=no dst-port=443 new-connection-mark=https passthrough=yes protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services comment="" disabled=no dst-port=465 new-connection-mark=smtps passthrough=yes protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services comment="" disabled=no dst-port=993 new-connection-mark=imaps passthrough=yes protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services comment="" disabled=no dst-port=995 new-connection-mark=pop3s passthrough=yes protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services comment="" disabled=no dst-port=1723 new-connection-mark=pptp passthrough=yes protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services comment="" disabled=no dst-port=2379 new-connection-mark=kgs passthrough=yes protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services comment="" disabled=no dst-port=3128 new-connection-mark=proxy passthrough=yes protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services comment="" disabled=no dst-port=3987 new-connection-mark=win-ts passthrough=yes protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services comment="" disabled=no dst-port=4242-4243 new-connection-mark=emule passthrough=yes protocol=tcp \
src-port=1024-65535
add action=mark-connection chain=tcp-services comment="" disabled=no dst-port=1024-65535 new-connection-mark=overnet passthrough=yes protocol=tcp \
src-port=4661-4662
add action=mark-connection chain=tcp-services comment="" disabled=no dst-port=1024-65535 new-connection-mark=emule passthrough=yes protocol=tcp src-port=4711
add action=mark-connection chain=tcp-services comment="" disabled=no dst-port=5900-5901 new-connection-mark=vnc passthrough=yes protocol=tcp \
src-port=1024-65535
add action=mark-connection chain=tcp-services comment="" disabled=no dst-port=6667-6669 new-connection-mark=irc passthrough=yes protocol=tcp \
src-port=1024-65535
add action=mark-connection chain=tcp-services comment="" disabled=no dst-port=6881-6889 new-connection-mark=bittorrent passthrough=yes protocol=tcp \
src-port=1024-65535
add action=mark-connection chain=tcp-services comment="" disabled=no dst-port=8080 new-connection-mark=http passthrough=yes protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services comment="" disabled=no dst-port=8291 new-connection-mark=winbox passthrough=yes protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services comment="" disabled=no new-connection-mark=other-tcp passthrough=yes protocol=tcp
add action=mark-connection chain=udp-services comment="" disabled=no dst-port=53 new-connection-mark=dns passthrough=yes protocol=udp src-port=1024-65535
add action=mark-connection chain=udp-services comment="" disabled=no dst-port=123 new-connection-mark=ntp passthrough=yes protocol=udp src-port=1024-65535
add action=mark-connection chain=udp-services comment="" disabled=no dst-port=1701 new-connection-mark=l2tp passthrough=yes protocol=udp src-port=1024-65535
add action=mark-connection chain=udp-services comment="" disabled=no dst-port=4665 new-connection-mark=emule passthrough=yes protocol=udp src-port=1024-65535
add action=mark-connection chain=udp-services comment="" disabled=no dst-port=4672 new-connection-mark=emule passthrough=yes protocol=udp src-port=1024-65535
add action=mark-connection chain=udp-services comment="" disabled=no dst-port=1024-65535 new-connection-mark=emule passthrough=yes protocol=udp src-port=4672
add action=mark-connection chain=udp-services comment="" disabled=no dst-port=12053 new-connection-mark=overnet passthrough=yes protocol=udp \
src-port=1024-6553
add action=mark-connection chain=udp-services comment="" disabled=no dst-port=1024-65535 new-connection-mark=overnet passthrough=yes protocol=udp \
src-port=12053
add action=mark-connection chain=udp-services comment="" disabled=no dst-port=1024-65535 new-connection-mark=skype passthrough=yes protocol=udp src-port=36725
add action=mark-connection chain=udp-services comment="" connection-state=new disabled=no new-connection-mark=other-udp passthrough=yes protocol=udp
add action=mark-connection chain=other-services comment="" disabled=no icmp-options=8:0-255 new-connection-mark=ping passthrough=yes protocol=icmp
add action=mark-connection chain=other-services comment="" disabled=no new-connection-mark=gre passthrough=yes protocol=gre
add action=mark-connection chain=other-services comment="" disabled=no new-connection-mark=other passthrough=yes
add action=change-mss chain=forward comment="" disabled=no new-mss=1448 protocol=tcp tcp-flags=syn__________________
وده رول مهم جدا وفائده فصل الدون لود عن التصفح
# Repeat of the proxy-hit mark given earlier on this page; import only one
# copy. tos=48 must match the ToS/DSCP the proxy sets on cache hits — confirm
# on the target release.
/ip firewall mangle add chain=postrouting action=mark-packet new-packet-mark=proxy-hit passthrough=no \
tos=48 comment="Proxy Cache Hits Mark" disabled=no
اعداد الكاش
# Repeat of the transparent-proxy section given earlier on this page; import
# only one copy (a second redirect and a second drop rule are redundant, and
# `set` on the proxy is idempotent).
/ ip firewall nat
# No in-interface match: port-80 traffic from any interface is redirected.
add chain=dstnat dst-port=80 protocol=tcp action=redirect to-ports=3128 comment="PROXY REDIRECTION" disabled=no
/ ip web-proxy
# Listens on all addresses; the input-chain drop below is what keeps this
# from being an open proxy on the WAN.
set enabled=yes src-address=0.0.0.0 port=3128 hostname="proxy" transparent-proxy=yes parent-proxy=0.0.0.0:0 cache-administrator="webmaster" max-object-size=4096KiB cache-drive=system max-cache-size=380000KiB max-ram-cache-size=64000KiB
/ ip web-proxy access
add dst-port=23-25 action=deny comment="block telnet & spam e-mail relaying" disabled=no
/ip firewall filter
# Assumes the WAN interface is named "wan".
add chain=input dst-port=3128 protocol=tcp in-interface=wan action=drop comment="EXTERNAL PROXY BLOCK" disabled=no
لتنظيف البروكسي سيرفر او الكاش كل 3 ايام
# Repeat of the proxyclear script/scheduler given earlier on this page.
# Adding a script and scheduler entry with an already-used name a second time
# is likely to be rejected or to double the runs — import one copy only.
# Least privilege applies as before: policy=read,write suffices; "p assword"
# is a word-wrap artifact for the `password` policy.
/ system script
add name="proxyclear" source=":log info \"Cleaning web-proxy\" \n
/ ip web-proxy set enabled=no \n
:delay 60s \n
/ ip web-proxy clear-cache \n
:delay 60s \n
/ ip web-proxy set enabled=yes \n
:log info \"Clear web-proxy done\"
\n" \policy=ftp,reboot,read,write,policy,test,winbox,p assword
/ system scheduler
add name="palmcse_proxyclear" on-event=proxyclear start-date=feb/13/1977 start-time=0400 interval=72:00:00 comment="" disabled=no
سكربت لاخذ باك اب يومي
# Repeat of the daily backup script/scheduler given earlier on this page;
# import one copy only. As before: backup/export files hold the full
# configuration including secrets, so control access to them and copy them
# off the router; the script only needs policy=read,write.
/ system script
add name="abackup" source="/sys bac sa name=\(\[/sys id g na\] . \"_\" . \
\[:pick \[/sys cl g da\] 7 11\] . \[:pick \[/sys cl g da\] 0 3\] . \[:pick \
\[/sys cl g da\] 4 6\]\)\n
\n/ export file=\(\[/sys id g na\] . \"_\" . \
\[:pick \[/sys cl g da\] 7 11\] . \[:pick \[/sys cl g da\] 0 3\] . \[:pick \
\[/sys cl g da\] 4 6\]\)" \
policy=ftp,reboot,read,write,policy,test,winbox,pa ssword
/ system scheduler
add name="palmcse_abackup" on-event="abackup" interval=24:00:00 start-time=23:59:30 comment="Auto backup script"
حجب اجهزة الزبون من الاتصال باجهزة الزبون الاخرى على كل البورتات
# Repeat of the client-isolation rule given earlier on this page. It only
# affects traffic routed through this box; hosts on one L2 segment still
# reach each other directly, so isolation must also be enforced at the
# access layer (AP/switch) or by per-client subnets.
/ ip firewall filter
add chain=forward src-address=192.168.0.0/24 dst-address=192.168.0.0/24 action=drop comment="Block client to client traffic in all ports" disabled=no
واخيرا اهم من كل شئ قفل ال telnet منعا لاختراق الميكروتك
# Winbox menu path (IP -> Services), repeated from earlier on this page.
# CLI equivalent: /ip service set telnet disabled=yes
ip
service
ip service list
telnet كلك يمين ودس ايبل
الرول دة لتثبيت البنج لاى موقع
يقوم بتحويل البنج من ع الموقع الى البنج ع السيرفر
ip firewall nat
# dstnat netmap of ALL ICMP to a single address (the prose says: put your
# gateway in place of 5.5.5.5). Effect: a ping to any host is answered by the
# gateway, so users and monitoring no longer see real reachability or
# latency — this hides problems rather than fixing them.
# NOTE(review): the first line does not end with "\", so as pasted
# `to-addresses=5.5.5.5` is a separate (invalid) command and the netmap rule
# is added without a target; join the two lines before importing.
add action=netmap chain=dstnat comment="Best ping" disabled=no protocol=icmp
to-addresses=5.5.5.5
اكتب بدل 5.5.5.5
الجيتواى بتاعك
فائدتها: منع التورنت والبير توبيرp2p
# Drop forwarded traffic classified as BitTorrent by the built-in p2p
# matcher. That matcher is signature-based and from older RouterOS releases —
# verify it exists on the target version; encrypted/obfuscated clients are
# not reliably detected.
/ip firewall filter add chain=forward p2p=bit-torrent action=drop
ملحوظة هااااااامة جدا
لو حد هيحط رول فيها ارقام ايبيهات كارت الدخول او الخروج ياريت يبين او يحط مكانها xxx.xxx.xxx.xx
ولو حد هيحط رول فيه سرعات برده ياريت يبين السرعات اللى حاططها كام لان مش كل الناس هيناسبها الرول
او السرعة اللى فيه
الرول الخاص بتفريغ الكاش كل اسبوع اوتوماتيك
وقف الروف الاول بتاعت الكاش فى النات وبعدين يوقف الكاش وبعدين يمسح الكاش يعمله ريبلد وبعدين يشغله والفتره الى انا محاددها كافيه لعمل كل ده
# Weekly cache purge as three scripts + three scheduler entries:
# Proxy-off (disable NAT redirect + proxy) -> clear-cache -> Proxy-on.
# NOTE(review): Proxy-off/Proxy-on look up the NAT rule by
# comment="proxy for HTTP requests", but the redirect rule given earlier on
# this page is commented "PROXY REDIRECTION"; with that rule the find returns
# nothing and the redirect is never disabled, so HTTP keeps being sent to a
# disabled proxy during the purge. Use the same comment in both places.
# NOTE(review): the three schedules start at the same instant with intervals
# 1w, 1w13s and 1w1m20s. If next-run is computed as start + k*interval, the
# 13 s and 80 s gaps grow by that much every week (and k is already large with
# a 1970 start date), so after a few weeks clear-cache and Proxy-on no longer
# run shortly after Proxy-off. Safer: one script that does all three steps
# with :delay, on a single schedule.
# Every script is granted the full policy set; read,write is enough for
# these. "pa ssword" is a word-wrap artifact for the `password` policy.
# Lines 225-232 and 243-251 repeat the entries above them — import one copy.
/ system script
add name="Proxy-off" source="/ip firewall nat set \[/ip firewall nat find \
comment=\"proxy for HTTP requests\"\] disable=yes\n/ip web-proxy set \
enabled=no" policy=ftp,reboot,read,write,policy,test,winbox,pa ssword
# The next add has no trailing "\" so its policy= landed on a line of its
# own in the paste; join them before importing.
add name="clear-cache" source="/ip web-proxy clear-cache"
policy=ftp,reboot,read,write,policy,test,winbox,pa ssword
add name="Proxy-on" source="/ip web-proxy set enabled=yes\n/ip firewall nat \
set \[/ip firewall nat find comment=\"proxy for HTTP requests\"\] \
disable=no\n" policy=ftp,reboot,read,write,policy,test,winbox,pa ssword
# Duplicate of the three scripts above.
add name="Proxy-off" source="/ip firewall nat set \[/ip firewall nat find \
comment=\"proxy for HTTP requests\"\] disable=yes\n/ip web-proxy set \
enabled=no" policy=ftp,reboot,read,write,policy,test,winbox,pa ssword
add name="clear-cache" source="/ip web-proxy clear-cache"
policy=ftp,reboot,read,write,policy,test,winbox,pa ssword
add name="Proxy-on" source="/ip web-proxy set enabled=yes\n/ip firewall nat \
set \[/ip firewall nat find comment=\"proxy for HTTP requests\"\] \
disable=no\n" policy=ftp,reboot,read,write,policy,test,winbox,pa ssword
/ system scheduler
# Each scheduler add below is wrapped over three lines without "\"; join
# each into one line before importing.
add name="Proxy-off" on-event=Proxy-off start-date=jan/01/1970
start-time=00:00:00 interval=1w comment="Proxy-off every 7 day"
disabled=no
add name="clear-cache" on-event=clear-cache start-date=jan/01/1970
start-time=00:00:00 interval=1w13s comment="clear-cache every 7 day"
disabled=no
add name="Proxy-on" on-event=Proxy-on start-date=jan/01/1970
start-time=00:00:00 interval=1w1m20s comment="Proxy-on every 7 day"
disabled=no
# Duplicate of the three scheduler entries above.
add name="Proxy-off" on-event=Proxy-off start-date=jan/01/1970
start-time=00:00:00 interval=1w comment="Proxy-off every 7 day"
disabled=no
add name="clear-cache" on-event=clear-cache start-date=jan/01/1970
start-time=00:00:00 interval=1w13s comment="clear-cache every 7 day"
disabled=no
add name="Proxy-on" on-event=Proxy-on start-date=jan/01/1970
start-time=00:00:00 interval=1w1m20s comment="Proxy-on every 7 day"
disabled=no
رول رسترت السيرفر كل 12 ساعة
/ system script
# Script + schedule that reboots the router every 12 h at 02:00 / 14:00.
# NOTE(review): a periodic reboot drops every session, VPN and conntrack
# entry and restarts the proxy; it masks whatever problem motivates it
# (memory/cache growth) rather than fixing it. If kept, it needs only
# policy=reboot (plus read), not the full set; "pa ssword" and the stray
# "\ " before policy= are word-wrap artifacts of the paste.
# The scheduler line below is missing its closing quote after "auto reboot
# script" (the paste truncated the tail); fix before importing.
# Lines 256-258 repeat 253-255 — import one copy only.
add name="system reboot" source="/system reboot" \ policy=ftp,reboot,read,write,policy,test,winbox,pa ssword
/ system scheduler
add name="preans" on-event="system reboot" interval=12:00:00 start-time=02:00:00 comment="auto reboot script
add name="system reboot" source="/system reboot" \ policy=ftp,reboot,read,write,policy,test,winbox,pa ssword
/ system scheduler
add name="preans" on-event="system reboot" interval=12:00:00 start-time=02:00:00 comment="auto reboot script
رسترة السيرفر كل 24 ساعة
# Same reboot script as the 12 h variant above, scheduled every 24 h at
# 02:00. Same caveats: only one of the two variants should be installed
# (both use the script name "system reboot" and scheduler name "preans");
# policy=reboot,read is sufficient; the scheduler line lacks its closing
# quote after "auto reboot script"; "pa ssword" and "\ " are paste
# artifacts; lines 264-266 repeat 261-263.
/ system script
add name="system reboot" source="/system reboot" \ policy=ftp,reboot,read,write,policy,test,winbox,pa ssword
/ system scheduler
add name="preans" on-event="system reboot" interval=24:00:00 start-time=02:00:00 comment="auto reboot script
add name="system reboot" source="/system reboot" \ policy=ftp,reboot,read,write,policy,test,winbox,pa ssword
/ system scheduler
add name="preans" on-event="system reboot" interval=24:00:00 start-time=02:00:00 comment="auto reboot script
قفل ابديت الوندوز والانتى فيرس وجميع الابديت الاوتوماتيك على الشبكة
نيجي بقى للحماية من الفيرس: اول رول
الرول التانى
# Custom chain "virus": drop connections to ports used by 2003-2004-era worms
# and backdoors (Blaster, Sasser, MyDoom, Beagle, NetBus, SubSeven, ...).
# NOTE(review): this section only defines the chain; nothing here jumps into
# it, so the rules are inert until an `add chain=forward action=jump
# jump-target=virus` (and/or chain=input) is placed before the accept rules.
# A later section of this page jumps from input only, which protects the
# router but not the clients behind it.
# Port-based blocking is coarse: 445 also blocks legitimate SMB between
# routed segments, 1024-1030 is a generic RPC range, 1433-1434 is MSSQL, and
# 3127-3128 includes the 3128 proxy port used elsewhere on this page.
# Comments shown as "________" had their text stripped in the paste;
# dst-port=2745 appears twice (Bagle / Beagle.C-K).
/ip firewall filter
add chain=virus protocol=tcp dst-port=445 action=drop comment="Drop Blaster Worm" disabled=no
add chain=virus protocol=udp dst-port=445 action=drop comment="Drop Blaster Worm" disabled=no
add chain=virus protocol=tcp dst-port=593 action=drop comment="________" disabled=no
add chain=virus protocol=tcp dst-port=1024-1030 action=drop comment="________" disabled=no
add chain=virus protocol=tcp dst-port=1080 action=drop comment="Drop MyDoom" disabled=no
add chain=virus protocol=tcp dst-port=1214 action=drop comment="________" disabled=no
add chain=virus protocol=tcp dst-port=1363 action=drop comment="ndm requester" disabled=no
add chain=virus protocol=tcp dst-port=1364 action=drop comment="ndm server" disabled=no
add chain=virus protocol=tcp dst-port=1368 action=drop comment="screen cast" disabled=no
add chain=virus protocol=tcp dst-port=1373 action=drop comment="hromgrafx" disabled=no
add chain=virus protocol=tcp dst-port=1377 action=drop comment="cichlid" disabled=no
add chain=virus protocol=tcp dst-port=1433-1434 action=drop comment="Worm" disabled=no
add chain=virus protocol=tcp dst-port=2745 action=drop comment="Bagle Virus" disabled=no
add chain=virus protocol=tcp dst-port=2283 action=drop comment="Drop Dumaru.Y" disabled=no
add chain=virus protocol=tcp dst-port=2535 action=drop comment="Drop Beagle" disabled=no
add chain=virus protocol=tcp dst-port=2745 action=drop comment="Drop Beagle.C-K" disabled=no
add chain=virus protocol=tcp dst-port=3127-3128 action=drop comment="Drop MyDoom" disabled=no
add chain=virus protocol=tcp dst-port=3410 action=drop comment="Drop Backdoor OptixPro" disabled=no
add chain=virus protocol=tcp dst-port=4444 action=drop comment="Worm" disabled=no
add chain=virus protocol=udp dst-port=4444 action=drop comment="Worm" disabled=no
add chain=virus protocol=tcp dst-port=5554 action=drop comment="Drop Sasser" disabled=no
add chain=virus protocol=tcp dst-port=8866 action=drop comment="Drop Beagle.B" disabled=no
add chain=virus protocol=tcp dst-port=9898 action=drop comment="Drop Dabber.A-B" disabled=no
add chain=virus protocol=tcp dst-port=10000 action=drop comment="Drop Dumaru.Y" disabled=no
add chain=virus protocol=tcp dst-port=10080 action=drop comment="Drop MyDoom.B" disabled=no
add chain=virus protocol=tcp dst-port=12345 action=drop comment="Drop NetBus" disabled=no
add chain=virus protocol=tcp dst-port=17300 action=drop comment="Drop Kuang2" disabled=no
add chain=virus protocol=tcp dst-port=27374 action=drop comment="Drop SubSeven" disabled=no
add chain=virus protocol=tcp dst-port=65506 action=drop comment="Drop PhatBot" disabled=no
الرول التالت
/ip firewall connection tracking
# Connection-tracking timeouts (continues the `/ip firewall connection
# tracking` path on the line above). Short timeouts keep the conntrack table
# small on a busy access router, at a cost:
#   - udp-timeout=10s / udp-stream-timeout=3m can expire NAT pinholes that
#     VoIP, games and DNS-over-UDP clients expect to stay open longer;
#   - generic-timeout=10m bounds GRE/other non-TCP/UDP entries (affects PPTP).
# NOTE(review): tcp-syncookie=no leaves the router's own TCP services and the
# conntrack table with no SYN-flood protection; tcp-syncookie=yes is the
# defensive default to prefer unless a specific client breaks on it.
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s \
tcp-close-wait-timeout=10s tcp-established-timeout=1d \
tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s \
tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no \
tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
# Filter rules (export format, "\" continues a command on the next line):
# P2P drops in forward, a jump into the "virus" chain, and two layer7 drops.
/ip firewall filter
# Disabled placeholder chain for hotspot rules.
add action=passthrough chain=unused-hs-chain comment=\
"place hotspot rules here" disabled=yes
# p2p=all-p2p is evaluated first and covers the protocols listed after it,
# so the nine specific p2p drop rules below never match (dead rules).
# The p2p matcher is signature-based and from older RouterOS releases —
# verify it exists on the target version.
add action=drop chain=forward comment="" disabled=no p2p=all-p2p
add action=drop chain=forward comment="" disabled=no p2p=bit-torrent
add action=drop chain=forward comment="" disabled=no p2p=blubster
add action=drop chain=forward comment="" disabled=no p2p=direct-connect
add action=drop chain=forward comment="" disabled=no p2p=edonkey
add action=drop chain=forward comment="" disabled=no p2p=fasttrack
add action=drop chain=forward comment="" disabled=no p2p=gnutella
add action=drop chain=forward comment="" disabled=no p2p=soulseek
add action=drop chain=forward comment="" disabled=no p2p=warez
add action=drop chain=forward comment="" disabled=no p2p=winmx
# NOTE(review): the jump is from the input chain only, i.e. it inspects
# traffic addressed to the router itself, not traffic forwarded between
# clients and the Internet. For the stated goal (protecting the network)
# a matching jump from chain=forward is also needed.
# NOTE(review): the virus chain drops dst-port 3127-3128, and the transparent
# proxy elsewhere on this page redirects HTTP to local port 3128. Redirected
# packets then arrive in input with dst-port 3128 and are dropped here unless
# an accept for LAN traffic precedes this jump — check the rule order.
add action=jump chain=input comment="!!! Check for well-known viruses !!!" \
disabled=no jump-target=virus
# "virus" chain: worm/backdoor ports (same list as the earlier section of
# this page). comment=________ entries had their text stripped in the paste.
add action=drop chain=virus comment="Drop Blaster Worm" disabled=no dst-port=\
135-139 protocol=tcp
add action=drop chain=virus comment="Drop Messenger Worm" disabled=no \
dst-port=135-139 protocol=udp
add action=drop chain=virus comment="Drop Blaster Worm" disabled=no dst-port=\
445 protocol=tcp
add action=drop chain=virus comment="Drop Blaster Worm" disabled=no dst-port=\
445 protocol=udp
add action=drop chain=virus comment=________ disabled=no dst-port=593 \
protocol=tcp
add action=drop chain=virus comment=________ disabled=no dst-port=1024-1030 \
protocol=tcp
add action=drop chain=virus comment="Drop MyDoom" disabled=no dst-port=1080 \
protocol=tcp
add action=drop chain=virus comment=________ disabled=no dst-port=1214 \
protocol=tcp
add action=drop chain=virus comment="ndm requester" disabled=no dst-port=1363 \
protocol=tcp
add action=drop chain=virus comment="ndm server" disabled=no dst-port=1364 \
protocol=tcp
add action=drop chain=virus comment="screen cast" disabled=no dst-port=1368 \
protocol=tcp
add action=drop chain=virus comment=hromgrafx disabled=no dst-port=1373 \
protocol=tcp
add action=drop chain=virus comment=cichlid disabled=no dst-port=1377 \
protocol=tcp
add action=drop chain=virus comment=Worm disabled=no dst-port=1433-1434 \
protocol=tcp
add action=drop chain=virus comment="Bagle Virus" disabled=no dst-port=2745 \
protocol=tcp
add action=drop chain=virus comment="Drop Dumaru.Y" disabled=no dst-port=2283 \
protocol=tcp
add action=drop chain=virus comment="Drop Beagle" disabled=no dst-port=2535 \
protocol=tcp
# Duplicate of the 2745 rule above.
add action=drop chain=virus comment="Drop Beagle.C-K" disabled=no dst-port=\
2745 protocol=tcp
add action=drop chain=virus comment="Drop MyDoom" disabled=no dst-port=\
3127-3128 protocol=tcp
add action=drop chain=virus comment="Drop Backdoor OptixPro" disabled=no \
dst-port=3410 protocol=tcp
add action=drop chain=virus comment=Worm disabled=no dst-port=4444 protocol=\
tcp
add action=drop chain=virus comment=Worm disabled=no dst-port=4444 protocol=\
udp
add action=drop chain=virus comment="Drop Sasser" disabled=no dst-port=5554 \
protocol=tcp
add action=drop chain=virus comment="Drop Beagle.B" disabled=no dst-port=8866 \
protocol=tcp
add action=drop chain=virus comment="Drop Dabber.A-B" disabled=no dst-port=\
9898 protocol=tcp
add action=drop chain=virus comment="Drop Dumaru.Y" disabled=no dst-port=\
10000 protocol=tcp
add action=drop chain=virus comment="Drop MyDoom.B" disabled=no dst-port=\
10080 protocol=tcp
add action=drop chain=virus comment="Drop NetBus" disabled=no dst-port=12345 \
protocol=tcp
add action=drop chain=virus comment="Drop Kuang2" disabled=no dst-port=17300 \
protocol=tcp
add action=drop chain=virus comment="Drop SubSeven" disabled=no dst-port=\
27374 protocol=tcp
add action=drop chain=virus comment="Drop PhatBot, Agobot, Gaobot" disabled=\
no dst-port=65506 protocol=tcp
# Layer7 drops reference protocols "torren" and "torrent-dns" that must
# already exist under /ip firewall layer7-protocol — none are defined on this
# page, so the import fails here unless they are created first. "torren" is
# probably a truncated "torrent"; verify the actual name.
add action=drop chain=forward comment="" disabled=no layer7-protocol=torren
add action=drop chain=forward comment="" disabled=no layer7-protocol=\
torrent-dns
# Per-direction packet marks by service for queue trees (queues not shown):
# "*_in" = from the WAN (prerouting, in-interface=wan, matched on the
# server's src-port), "*_out" = towards the WAN (postrouting, out-interface=
# wan, matched on dst-port). Every rule uses passthrough=no, so the first
# match wins: the generic udp/tcp/other marks at the end must stay after the
# service-specific ones or they swallow everything.
# All rules assume the WAN interface is literally named "wan".
/ip firewall mangle
add action=mark-packet chain=prerouting comment=icmp disabled=no \
in-interface=wan new-packet-mark=icmp_in passthrough=no protocol=icmp
add action=mark-packet chain=postrouting comment="" disabled=no \
new-packet-mark=icmp_out out-interface=wan passthrough=no protocol=icmp
# p2p=all-p2p marks are moot if the forward-chain p2p drop rules elsewhere
# on this page are active (the packets are dropped before postrouting).
add action=mark-packet chain=prerouting comment=p2p disabled=no in-interface=\
wan new-packet-mark=p2p_in p2p=all-p2p passthrough=no
add action=mark-packet chain=postrouting comment="" disabled=no \
new-packet-mark=p2p_out out-interface=wan p2p=all-p2p passthrough=no
add action=mark-packet chain=prerouting comment=pop3 disabled=no \
in-interface=wan new-packet-mark=pop3_in passthrough=no protocol=tcp \
src-port=110
add action=mark-packet chain=postrouting comment="" disabled=no dst-port=110 \
new-packet-mark=pop3_out out-interface=wan passthrough=no protocol=tcp
add action=mark-packet chain=prerouting comment=smtp disabled=no \
in-interface=wan new-packet-mark=smtp_in passthrough=no protocol=tcp \
src-port=25
add action=mark-packet chain=postrouting comment="" disabled=no dst-port=25 \
new-packet-mark=smtp_out out-interface=wan passthrough=no protocol=tcp
add action=mark-packet chain=prerouting comment=imap disabled=no \
in-interface=wan new-packet-mark=imap_in passthrough=no protocol=tcp \
src-port=143
add action=mark-packet chain=postrouting comment="" disabled=no dst-port=143 \
new-packet-mark=imap_out out-interface=wan passthrough=no protocol=tcp
# ssh/winbox are matched the other way round (dst-port on the WAN side,
# src-port going out): these mark inbound management sessions to the router,
# not client traffic. Useful for spotting scan/brute-force volume in the
# queue statistics, but no substitute for restricting /ip service address=.
add action=mark-packet chain=prerouting comment=ssh disabled=no dst-port=22 \
in-interface=wan new-packet-mark=ssh_in passthrough=no protocol=tcp
add action=mark-packet chain=postrouting comment="" disabled=no \
new-packet-mark=ssh_out out-interface=wan passthrough=no protocol=tcp \
src-port=22
add action=mark-packet chain=prerouting comment=winbox disabled=no dst-port=\
8291 in-interface=wan new-packet-mark=winbox_in passthrough=no protocol=\
tcp
add action=mark-packet chain=postrouting comment="" disabled=no \
new-packet-mark=winbox_out out-interface=wan passthrough=no protocol=tcp \
src-port=8291
add action=mark-packet chain=prerouting comment=dns disabled=no in-interface=\
wan new-packet-mark=dns_in passthrough=no protocol=udp src-port=53
add action=mark-packet chain=postrouting comment="" disabled=no dst-port=53 \
new-packet-mark=dns_out out-interface=wan passthrough=no protocol=udp
add action=mark-packet chain=prerouting comment=www disabled=no in-interface=\
wan new-packet-mark=www_in passthrough=no protocol=tcp src-port=80
add action=mark-packet chain=postrouting comment="" disabled=no dst-port=80 \
new-packet-mark=www_out out-interface=wan passthrough=no protocol=tcp
add action=mark-packet chain=prerouting comment=ssl disabled=no in-interface=\
wan new-packet-mark=ssl_in passthrough=no protocol=tcp src-port=443
add action=mark-packet chain=postrouting comment="" disabled=no dst-port=443 \
new-packet-mark=ssl_out out-interface=wan passthrough=no protocol=tcp
# Catch-alls: keep these last (first match wins with passthrough=no).
add action=mark-packet chain=prerouting comment=udp disabled=no in-interface=\
wan new-packet-mark=udp_in passthrough=no protocol=udp
add action=mark-packet chain=postrouting comment="" disabled=no \
new-packet-mark=udp_out out-interface=wan passthrough=no protocol=udp
add action=mark-packet chain=prerouting comment=tcp disabled=no in-interface=\
wan new-packet-mark=tcp_in passthrough=no protocol=tcp
add action=mark-packet chain=postrouting comment="" disabled=no \
new-packet-mark=tcp_out out-interface=wan passthrough=no protocol=tcp
add action=mark-packet chain=prerouting comment=other disabled=no \
in-interface=wan new-packet-mark=other_in passthrough=no
add action=mark-packet chain=postrouting comment="" disabled=no \
new-packet-mark=other_out out-interface=wan passthrough=no
/ip firewall service-port
# Connection-tracking helpers (ALGs). An enabled helper parses the payload of
# the listed protocol to open related connections; each one is extra parsing
# of untrusted traffic inside the router, so only the helpers that are
# actually needed should stay enabled.
# NOTE(review): tftp, irc and h323 are enabled here — confirm they are required
# on this network; pptp is already disabled.
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061
set pptp disabled=yes
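/ip firewall filter
# Drops any forwarded packet whose payload contains the text "update".
# The original listed this rule twice; the second copy was identical and is
# removed here.
# NOTE(review): this matches far more than the intended traffic — OS and
# anti-virus update downloads contain that string too, so hosts behind the
# router may stop receiving security updates. Confirm this is intended, and
# if not, match the specific destination(s) instead of a payload substring.
add action=drop chain=forward comment="" content=update disabled=no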
لعزل الأجهزة المصابة بالفيروسات في الشبكة
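/ip firewall filter
# Outbound-SMTP abuse control. The original placed two "add" commands on one
# line (RouterOS reads a line as a single command, so the second "add" is a
# syntax error) and repeated that line; the two rules are written separately
# and once here. Order matters: the drop for already-listed sources comes
# first, so the detection rule only sees sources that are not listed yet.
add chain=forward protocol=tcp dst-port=25 src-address-list=spammer action=drop comment="BLOCK SPAMMERS OR INFECTED USERS"
# A source holding more than 30 concurrent SMTP connections (connection-limit,
# per /32) while exceeding the packet rate in limit= is put on the "spammer"
# list for one day.
# NOTE(review): limit=50,5 is the older two-field form; newer RouterOS expects
# limit=rate[/time],burst:mode (e.g. 50,5:packet) — verify against the target
# version before importing.
add chain=forward protocol=tcp dst-port=25 connection-limit=30,32 limit=50,5 action=add-src-to-address-list address-list=spammer address-list-timeout=1d comment="Detect and add-list SMTP virus or spammers"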
منع ظهور الماكات
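/ip firewall filter
# "virus" chain: drops by destination port for a fixed list of legacy
# worm/backdoor ports. In the original every rule had its "disabled=no" on a
# separate line; that is not a continuation in RouterOS (continuations end in
# a backslash), so each second line was a failing command — the rules are
# joined here. The whole list was also pasted twice, with a stray
# "disabled=no" between the copies; one copy is kept.
# NOTE(review): this section contains no "add chain=forward action=jump
# jump-target=virus" rule, so the chain is never entered unless that jump
# exists elsewhere in the configuration.
# The original had action=accept (with an empty comment) for 1363 and 9898.
# An accept inside a jumped-to chain accepts the packet for the whole
# firewall, so traffic on those ports would have bypassed every later forward
# rule. The same ports are dropped elsewhere in this document with the
# comments used below, so drop is used here; if an explicit allow is really
# wanted, it needs a documented reason.
add chain=virus protocol=tcp dst-port=1363 action=drop comment="ndm requester" disabled=no
# NOTE(review): this rule is in chain=input, not virus, and drops 21-24 (ftp,
# ssh, telnet) to the router itself on every interface — which also blocks
# legitimate management. The "ndm server" entry elsewhere in this document is
# chain=virus dst-port=1364. Confirm which one is intended before importing.
add chain=input protocol=tcp dst-port=21-24 action=drop comment="ndm server" disabled=no
add chain=virus protocol=tcp dst-port=1368 action=drop comment="screen cast" disabled=no
add chain=virus protocol=tcp dst-port=1373 action=drop comment="hromgrafx" disabled=no
add chain=virus protocol=tcp dst-port=1377 action=drop comment="cichlid" disabled=no
add chain=virus protocol=tcp dst-port=1433-1434 action=drop comment="Worm" disabled=no
add chain=virus protocol=tcp dst-port=2745 action=drop comment="Bagle Virus" disabled=no
add chain=virus protocol=tcp dst-port=2283 action=drop comment="Drop Dumaru.Y" disabled=no
add chain=virus protocol=tcp dst-port=2535 action=drop comment="Drop Beagle" disabled=no
# (the original's second 2745 rule, "Drop Beagle.C-K", was unreachable behind
# the "Bagle Virus" rule above and is not repeated)
add chain=virus protocol=tcp dst-port=3127-3128 action=drop comment="Drop MyDoom" disabled=no
add chain=virus protocol=tcp dst-port=3410 action=drop comment="Drop Backdoor OptixPro" disabled=no
add chain=virus protocol=tcp dst-port=4444 action=drop comment="Worm" disabled=no
add chain=virus protocol=udp dst-port=4444 action=drop comment="Worm" disabled=no
add chain=virus protocol=tcp dst-port=5554 action=drop comment="Drop Sasser" disabled=no
add chain=virus protocol=tcp dst-port=8866 action=drop comment="Drop Beagle.B" disabled=no
add chain=virus protocol=tcp dst-port=9898 action=drop comment="Drop Dabber.A-B" disabled=no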
لقفل الشير والتورنت
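/ip firewall filter
# Drop forwarded peer-to-peer traffic recognised by the built-in p2p matcher.
# The list was pasted twice in the original; one copy is kept. all-p2p comes
# first and already covers every protocol named after it, so the
# protocol-specific rules below it never match anything on their own — they
# only document which protocols are covered.
# NOTE(review): the p2p matcher is not available on newer RouterOS releases
# (verify for the target version); there these rules will not import and a
# different classification approach is needed.
add action=drop chain=forward comment="" disabled=no p2p=all-p2p
add action=drop chain=forward comment="" disabled=no p2p=bit-torrent
add action=drop chain=forward comment="" disabled=no p2p=blubster
add action=drop chain=forward comment="" disabled=no p2p=direct-connect
add action=drop chain=forward comment="" disabled=no p2p=edonkey
add action=drop chain=forward comment="" disabled=no p2p=fasttrack
add action=drop chain=forward comment="" disabled=no p2p=gnutella
add action=drop chain=forward comment="" disabled=no p2p=soulseek
add action=drop chain=forward comment="" disabled=no p2p=warez
add action=drop chain=forward comment="" disabled=no p2p=winmx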
الرول الخاص بالياهو في الفصل والتقطيع
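/ip firewall mangle
# Connection classification. New connections are sent from prerouting to a
# per-protocol chain and receive a connection-mark named after the service
# (matched on dst-port and, for most rules, an ephemeral src-port). The filter
# section's restrict-* chains act on these marks.
# Fixes relative to the original:
#  - the whole section was pasted twice; one copy is kept;
#  - several rules had their src-port= on a following line without a
#    backslash, which RouterOS reads as a separate (failing) command — joined;
#  - the overnet rule on udp 12053 had src-port=1024-6553, a truncation of the
#    ephemeral range 1024-65535 used by every other rule — corrected;
#  - the *-services rules use passthrough=yes, so a later rule in the same
#    chain can overwrite an earlier mark. The catch-all other-tcp/other-udp/
#    other rules had no match condition and therefore re-marked EVERY
#    connection as "other-*", which the filter treats as traffic to drop.
#    They now carry connection-mark=no-mark so only unclassified connections
#    reach them.
# NOTE(review): if these chains already exist on the router (the same rules
# appear more than once in this document), importing this section again adds
# duplicate rules rather than replacing the existing ones.
add action=jump chain=prerouting comment="" connection-state=new disabled=no jump-target=tcp-services protocol=tcp
add action=jump chain=prerouting comment="" connection-state=new disabled=no jump-target=udp-services protocol=udp
add action=jump chain=prerouting comment="" connection-state=new disabled=no jump-target=other-services
add action=mark-connection chain=tcp-services comment="" disabled=no dst-port=20-21 new-connection-mark=ftp passthrough=yes protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services comment="" disabled=no dst-port=22 new-connection-mark=ssh passthrough=yes protocol=tcp src-port=513-65535
add action=mark-connection chain=tcp-services comment="" disabled=no dst-port=23 new-connection-mark=telnet passthrough=yes protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services comment="" disabled=no dst-port=25 new-connection-mark=smtp passthrough=yes protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services comment="" disabled=no dst-port=53 new-connection-mark=dns passthrough=yes protocol=tcp src-port=53
add action=mark-connection chain=tcp-services comment="" disabled=no dst-port=53 new-connection-mark=dns passthrough=yes protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services comment="" disabled=no dst-port=80 new-connection-mark=http passthrough=yes protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services comment="" disabled=no dst-port=110 new-connection-mark=pop3 passthrough=yes protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services comment="" disabled=no dst-port=113 new-connection-mark=auth passthrough=yes protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services comment="" disabled=no dst-port=119 new-connection-mark=nntp passthrough=yes protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services comment="" disabled=no dst-port=143 new-connection-mark=imap passthrough=yes protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services comment="" disabled=no dst-port=161-162 new-connection-mark=snmp passthrough=yes protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services comment="" disabled=no dst-port=443 new-connection-mark=https passthrough=yes protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services comment="" disabled=no dst-port=465 new-connection-mark=smtps passthrough=yes protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services comment="" disabled=no dst-port=993 new-connection-mark=imaps passthrough=yes protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services comment="" disabled=no dst-port=995 new-connection-mark=pop3s passthrough=yes protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services comment="" disabled=no dst-port=1723 new-connection-mark=pptp passthrough=yes protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services comment="" disabled=no dst-port=2379 new-connection-mark=kgs passthrough=yes protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services comment="" disabled=no dst-port=3128 new-connection-mark=proxy passthrough=yes protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services comment="" disabled=no dst-port=3987 new-connection-mark=win-ts passthrough=yes protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services comment="" disabled=no dst-port=4242-4243 new-connection-mark=emule passthrough=yes protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services comment="" disabled=no dst-port=1024-65535 new-connection-mark=overnet passthrough=yes protocol=tcp src-port=4661-4662
add action=mark-connection chain=tcp-services comment="" disabled=no dst-port=1024-65535 new-connection-mark=emule passthrough=yes protocol=tcp src-port=4711
add action=mark-connection chain=tcp-services comment="" disabled=no dst-port=5900-5901 new-connection-mark=vnc passthrough=yes protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services comment="" disabled=no dst-port=6667-6669 new-connection-mark=irc passthrough=yes protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services comment="" disabled=no dst-port=6881-6889 new-connection-mark=bittorrent passthrough=yes protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services comment="" disabled=no dst-port=8080 new-connection-mark=http passthrough=yes protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services comment="" disabled=no dst-port=8291 new-connection-mark=winbox passthrough=yes protocol=tcp src-port=1024-65535
# catch-all: only connections that none of the rules above classified
add action=mark-connection chain=tcp-services comment="" connection-mark=no-mark disabled=no new-connection-mark=other-tcp passthrough=yes protocol=tcp
add action=mark-connection chain=udp-services comment="" disabled=no dst-port=53 new-connection-mark=dns passthrough=yes protocol=udp src-port=1024-65535
add action=mark-connection chain=udp-services comment="" disabled=no dst-port=123 new-connection-mark=ntp passthrough=yes protocol=udp src-port=1024-65535
add action=mark-connection chain=udp-services comment="" disabled=no dst-port=1701 new-connection-mark=l2tp passthrough=yes protocol=udp src-port=1024-65535
add action=mark-connection chain=udp-services comment="" disabled=no dst-port=4665 new-connection-mark=emule passthrough=yes protocol=udp src-port=1024-65535
add action=mark-connection chain=udp-services comment="" disabled=no dst-port=4672 new-connection-mark=emule passthrough=yes protocol=udp src-port=1024-65535
add action=mark-connection chain=udp-services comment="" disabled=no dst-port=1024-65535 new-connection-mark=emule passthrough=yes protocol=udp src-port=4672
add action=mark-connection chain=udp-services comment="" disabled=no dst-port=12053 new-connection-mark=overnet passthrough=yes protocol=udp src-port=1024-65535
add action=mark-connection chain=udp-services comment="" disabled=no dst-port=1024-65535 new-connection-mark=overnet passthrough=yes protocol=udp src-port=12053
add action=mark-connection chain=udp-services comment="" disabled=no dst-port=1024-65535 new-connection-mark=skype passthrough=yes protocol=udp src-port=36725
# catch-all: only connections that none of the rules above classified
add action=mark-connection chain=udp-services comment="" connection-mark=no-mark connection-state=new disabled=no new-connection-mark=other-udp passthrough=yes protocol=udp
add action=mark-connection chain=other-services comment="" disabled=no icmp-options=8:0-255 new-connection-mark=ping passthrough=yes protocol=icmp
add action=mark-connection chain=other-services comment="" disabled=no new-connection-mark=gre passthrough=yes protocol=gre
# catch-all: without no-mark this also re-marked ping and gre as "other"
add action=mark-connection chain=other-services comment="" connection-mark=no-mark disabled=no new-connection-mark=other passthrough=yes
# Clamp TCP MSS on SYNs for a reduced-MTU uplink; 1448 is the original's value
# and should match the actual link MTU.
add action=change-mss chain=forward comment="" disabled=no new-mss=1448 protocol=tcp tcp-flags=syn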
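/ip firewall filter
# "virus" chain: drop by destination port for a fixed list of legacy
# worm/backdoor ports. Port lists like this are brittle — the malware is long
# gone, the ports get reused by legitimate software, and 135-139/445 also
# carry ordinary SMB — so treat the chain as legacy rather than as protection.
# The original repeated the whole section below a second time; one copy is
# kept, and a port already dropped by an earlier rule is not listed again.
add chain=virus protocol=tcp dst-port=135-139 action=drop comment="Drop Blaster Worm" disabled=no
add chain=virus protocol=udp dst-port=135-139 action=drop comment="Drop Messenger Worm" disabled=no
add chain=virus protocol=tcp dst-port=445 action=drop comment="Drop Blaster Worm" disabled=no
add chain=virus protocol=udp dst-port=445 action=drop comment="Drop Blaster Worm" disabled=no
add chain=virus protocol=tcp dst-port=593 action=drop comment="________" disabled=no
add chain=virus protocol=tcp dst-port=1024-1030 action=drop comment="________" disabled=no
add chain=virus protocol=tcp dst-port=1080 action=drop comment="Drop MyDoom" disabled=no
add chain=virus protocol=tcp dst-port=1214 action=drop comment="________" disabled=no
add chain=virus protocol=tcp dst-port=1363 action=drop comment="ndm requester" disabled=no
add chain=virus protocol=tcp dst-port=1364 action=drop comment="ndm server" disabled=no
add chain=virus protocol=tcp dst-port=1368 action=drop comment="screen cast" disabled=no
add chain=virus protocol=tcp dst-port=1373 action=drop comment="hromgrafx" disabled=no
add chain=virus protocol=tcp dst-port=1377 action=drop comment="cichlid" disabled=no
add chain=virus protocol=tcp dst-port=1433-1434 action=drop comment="Worm" disabled=no
add chain=virus protocol=tcp dst-port=2745 action=drop comment="Bagle Virus" disabled=no
add chain=virus protocol=tcp dst-port=2283 action=drop comment="Drop Dumaru.Y" disabled=no
add chain=virus protocol=tcp dst-port=2535 action=drop comment="Drop Beagle" disabled=no
# (the original's second 2745 rule, "Drop Beagle.C-K", was unreachable behind
# the "Bagle Virus" rule above and is not repeated)
add chain=virus protocol=tcp dst-port=3127-3128 action=drop comment="Drop MyDoom" disabled=no
add chain=virus protocol=tcp dst-port=3410 action=drop comment="Drop Backdoor OptixPro" disabled=no
add chain=virus protocol=tcp dst-port=4444 action=drop comment="Worm" disabled=no
add chain=virus protocol=udp dst-port=4444 action=drop comment="Worm" disabled=no
add chain=virus protocol=tcp dst-port=5554 action=drop comment="Drop Sasser" disabled=no
add chain=virus protocol=tcp dst-port=8866 action=drop comment="Drop Beagle.B" disabled=no
add chain=virus protocol=tcp dst-port=9898 action=drop comment="Drop Dabber.A-B" disabled=no
add chain=virus protocol=tcp dst-port=10000 action=drop comment="Drop Dumaru.Y" disabled=no
add chain=virus protocol=tcp dst-port=10080 action=drop comment="Drop MyDoom.B" disabled=no
add chain=virus protocol=tcp dst-port=12345 action=drop comment="Drop NetBus" disabled=no
add chain=virus protocol=tcp dst-port=17300 action=drop comment="Drop Kuang2" disabled=no
add chain=virus protocol=tcp dst-port=27374 action=drop comment="Drop SubSeven" disabled=no
add chain=virus protocol=tcp dst-port=65506 action=drop comment="Drop PhatBot, Agobot, Gaobot" disabled=no
# The chain above only takes effect through this jump from forward.
add chain=forward action=jump jump-target=virus comment="jump to the virus chain" disabled=no
# Port-scan detection on input (traffic addressed to the router itself).
# psd=21,3s,3,1: weight threshold 21 within 3 seconds, low ports weigh 3,
# high ports weigh 1. The tcp-flags rules catch the classic malformed-flag
# probes. A listed source is dropped for two weeks by the last rule of the
# group; the original also contained a duplicate of the SYN/FIN rule with an
# empty comment, which is not repeated.
add chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="Port scanners to list " disabled=no
add chain=input protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="NMAP FIN Stealth scan\n" disabled=no
add chain=input protocol=tcp tcp-flags=fin,syn action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="SYN/FIN scan" disabled=no
add chain=input protocol=tcp tcp-flags=syn,rst action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="SYN/RST scan" disabled=no
add chain=input protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="FIN/PSH/URG scan" disabled=no
add chain=input protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="ALL/ALL scan" disabled=no
add chain=input protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="NMAP NULL scan" disabled=no
add chain=input src-address-list="port scanners" action=drop comment="dropping port scanners" disabled=no
# The same detection on forwarded traffic.
# NOTE(review): this also lists LAN hosts that scan outwards (e.g. an
# infected client); such a host then loses all forwarded traffic for two
# weeks, which is probably intended here but should be a conscious choice.
add chain=forward protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="Port scanners to list " disabled=no
add chain=forward protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="NMAP FIN Stealth scan\n" disabled=no
add chain=forward protocol=tcp tcp-flags=fin,syn action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="SYN/FIN scan" disabled=no
add chain=forward protocol=tcp tcp-flags=syn,rst action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="SYN/RST scan" disabled=no
add chain=forward protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="FIN/PSH/URG scan" disabled=no
add chain=forward protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="ALL/ALL scan" disabled=no
add chain=forward protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="NMAP NULL scan" disabled=no
add chain=forward src-address-list="port scanners" action=drop comment="dropping port scanners" disabled=no
# Policy by connection-mark (the marks are set in /ip firewall mangle).
# NOTE(review): the restrict-* chains send "other-*" traffic to a chain named
# "drop" that is not defined in this section. A jump to a chain with no rules
# appears to just return, so nothing is actually dropped unless that chain
# exists elsewhere. Also verify that the mangle catch-all rules do not
# overwrite the service marks, otherwise every connection ends up here.
add chain=forward protocol=tcp action=jump jump-target=restrict-tcp comment="" disabled=no
add chain=forward protocol=udp action=jump jump-target=restrict-udp comment="" disabled=no
add chain=forward action=jump jump-target=restrict-ip comment="" disabled=no
add chain=restrict-tcp connection-mark=auth action=reject reject-with=icmp-network-unreachable comment="" disabled=no
# Greylisting-style SMTP policy: the first attempt from a source is rejected
# and the source is remembered for 5s; a retry inside that window is moved to
# approved-smtp (presumably add-src-to-address-list does not terminate, so the
# retry then reaches the return rule) and is allowed through.
add chain=restrict-tcp connection-mark=smtp action=jump jump-target=smtp-first-drop comment="anti-spam policy" disabled=no
add chain=smtp-first-drop src-address-list=first-smtp action=add-src-to-address-list address-list=approved-smtp address-list-timeout=5s comment="" disabled=no
add chain=smtp-first-drop src-address-list=approved-smtp action=return comment="" disabled=no
add chain=smtp-first-drop action=add-src-to-address-list address-list=first-smtp address-list-timeout=5s comment="" disabled=no
add chain=smtp-first-drop action=reject reject-with=icmp-network-unreachable comment="" disabled=no
add chain=restrict-tcp connection-mark=other-tcp action=jump jump-target=drop comment="" disabled=no
add chain=restrict-udp connection-mark=other-udp action=jump jump-target=drop comment="" disabled=no
add chain=restrict-ip connection-mark=other action=jump jump-target=drop comment="" disabled=no
# NOTE(review): the original's second, verbatim copy of this section began
# here and was cut off at the end of the excerpt; it is removed up to that
# point, and any repeated lines that follow should be removed as well.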
add chain=restrict-tcp connection-mark=smtp action=jump jump-target=smtp-first-drop comment="anti-spam policy" disabled=no
add chain=smtp-first-drop src-address-list=first-smtp action=add-src-to-address-list address-list=approved-smtp address-list-timeout=5s comment="" disabled=no
add chain=smtp-first-drop src-address-list=approved-smtp action=return comment="" disabled=no
add chain=smtp-first-drop action=add-src-to-address-list address-list=first-smtp address-list-timeout=5s comment="" disabled=no
add chain=smtp-first-drop action=reject reject-with=icmp-network-unreachable comment="" disabled=no
add chain=restrict-tcp connection-mark=other-tcp action=jump jump-target=drop comment="" disabled=no
add chain=restrict-udp connection-mark=other-udp action=jump jump-target=drop comment="" disabled=no
add chain=restrict-ip connection-mark=other action=jump jump-target=drop comment="" disabled=no
# --- second rule set: a "virus" chain of well-known worm/backdoor ports ---
# This chain only drops; a jump rule into it is required for it to take effect
# (none is included in this particular rule set).
/ip firewall filter
add chain=virus protocol=tcp dst-port=445 action=drop comment="Drop Blaster Worm" disabled=no
add chain=virus protocol=udp dst-port=445 action=drop comment="Drop Blaster Worm" disabled=no
# comment="________" marks entries whose original description was lost in the paste.
add chain=virus protocol=tcp dst-port=593 action=drop comment="________" disabled=no
add chain=virus protocol=tcp dst-port=1024-1030 action=drop comment="________" disabled=no
add chain=virus protocol=tcp dst-port=1080 action=drop comment="Drop MyDoom" disabled=no
add chain=virus protocol=tcp dst-port=1214 action=drop comment="________" disabled=no
add chain=virus protocol=tcp dst-port=1363 action=drop comment="ndm requester" disabled=no
add chain=virus protocol=tcp dst-port=1364 action=drop comment="ndm server" disabled=no
add chain=virus protocol=tcp dst-port=1368 action=drop comment="screen cast" disabled=no
add chain=virus protocol=tcp dst-port=1373 action=drop comment="hromgrafx" disabled=no
add chain=virus protocol=tcp dst-port=1377 action=drop comment="cichlid" disabled=no
add chain=virus protocol=tcp dst-port=1433-1434 action=drop comment="Worm" disabled=no
# NOTE(review): dst-port=2745/tcp appears twice in this chain ("Bagle Virus" and
# "Drop Beagle.C-K"); the second occurrence is redundant.
add chain=virus protocol=tcp dst-port=2745 action=drop comment="Bagle Virus" disabled=no
add chain=virus protocol=tcp dst-port=2283 action=drop comment="Drop Dumaru.Y" disabled=no
add chain=virus protocol=tcp dst-port=2535 action=drop comment="Drop Beagle" disabled=no
add chain=virus protocol=tcp dst-port=2745 action=drop comment="Drop Beagle.C-K" disabled=no
add chain=virus protocol=tcp dst-port=3127-3128 action=drop comment="Drop MyDoom" disabled=no
add chain=virus protocol=tcp dst-port=3410 action=drop comment="Drop Backdoor OptixPro" disabled=no
add chain=virus protocol=tcp dst-port=4444 action=drop comment="Worm" disabled=no
add chain=virus protocol=udp dst-port=4444 action=drop comment="Worm" disabled=no
add chain=virus protocol=tcp dst-port=5554 action=drop comment="Drop Sasser" disabled=no
add chain=virus protocol=tcp dst-port=8866 action=drop comment="Drop Beagle.B" disabled=no
add chain=virus protocol=tcp dst-port=9898 action=drop comment="Drop Dabber.A-B" disabled=no
add chain=virus protocol=tcp dst-port=10000 action=drop comment="Drop Dumaru.Y" disabled=no
add chain=virus protocol=tcp dst-port=10080 action=drop comment="Drop MyDoom.B" disabled=no
add chain=virus protocol=tcp dst-port=12345 action=drop comment="Drop NetBus" disabled=no
add chain=virus protocol=tcp dst-port=17300 action=drop comment="Drop Kuang2" disabled=no
add chain=virus protocol=tcp dst-port=27374 action=drop comment="Drop SubSeven" disabled=no
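# Last rule of the virus chain. In the original paste this line was cut off after
# `comment="Drop PhatBot` and fused with the next section's heading and menu
# path, which would fail to import; the full comment text is taken from the
# identical rule that appears in full elsewhere on this page.
add chain=virus protocol=tcp dst-port=65506 action=drop comment="Drop PhatBot, Agobot, Gaobot" disabled=no
# --- third rule set (the original post's heading "the third rule" sat here) ---
# Connection-tracking timeouts. Short idle timeouts expire tracking entries
# sooner, which keeps the connection table small on a busy or low-memory router;
# the cost is that sessions idle for longer than the timeout lose their state.
# tcp-established-timeout=1d keeps idle established TCP sessions for a day.
# NOTE(review): tcp-syncookie=no leaves SYN cookies off; enabling them is the
# standard mitigation when the syn-received table fills up under a SYN flood.
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s \
tcp-close-wait-timeout=10s tcp-established-timeout=1d \
tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s \
tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no \
tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s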
/ip firewall filter
# Disabled placeholder chain; nothing jumps into it in this rule set.
add action=passthrough chain=unused-hs-chain comment=\
"place hotspot rules here" disabled=yes
# Transit peer-to-peer traffic is dropped outright.
# NOTE(review): p2p=all-p2p should already cover every named protocol below, so
# the nine rules that follow it can never match; the p2p matcher is also a
# legacy heuristic — verify it is still available on the target RouterOS version.
add action=drop chain=forward comment="" disabled=no p2p=all-p2p
add action=drop chain=forward comment="" disabled=no p2p=bit-torrent
add action=drop chain=forward comment="" disabled=no p2p=blubster
add action=drop chain=forward comment="" disabled=no p2p=direct-connect
add action=drop chain=forward comment="" disabled=no p2p=edonkey
add action=drop chain=forward comment="" disabled=no p2p=fasttrack
add action=drop chain=forward comment="" disabled=no p2p=gnutella
add action=drop chain=forward comment="" disabled=no p2p=soulseek
add action=drop chain=forward comment="" disabled=no p2p=warez
add action=drop chain=forward comment="" disabled=no p2p=winmx
# NOTE(review): in this rule set the virus chain is entered only from
# chain=input, i.e. for packets addressed to the router itself. Transit traffic
# (chain=forward) never passes through it here; the first rule set on this page
# jumps from chain=forward instead. Decide which you want and add the missing jump.
add action=jump chain=input comment="!!! Check for well-known viruses !!!" \
disabled=no jump-target=virus
# "virus" chain: drop destination ports historically associated with worms,
# backdoors and RPC/SMB exploitation. comment=________ marks entries whose
# original description was lost in the paste.
add action=drop chain=virus comment="Drop Blaster Worm" disabled=no dst-port=\
135-139 protocol=tcp
add action=drop chain=virus comment="Drop Messenger Worm" disabled=no \
dst-port=135-139 protocol=udp
add action=drop chain=virus comment="Drop Blaster Worm" disabled=no dst-port=\
445 protocol=tcp
add action=drop chain=virus comment="Drop Blaster Worm" disabled=no dst-port=\
445 protocol=udp
add action=drop chain=virus comment=________ disabled=no dst-port=593 \
protocol=tcp
add action=drop chain=virus comment=________ disabled=no dst-port=1024-1030 \
protocol=tcp
add action=drop chain=virus comment="Drop MyDoom" disabled=no dst-port=1080 \
protocol=tcp
add action=drop chain=virus comment=________ disabled=no dst-port=1214 \
protocol=tcp
add action=drop chain=virus comment="ndm requester" disabled=no dst-port=1363 \
protocol=tcp
add action=drop chain=virus comment="ndm server" disabled=no dst-port=1364 \
protocol=tcp
add action=drop chain=virus comment="screen cast" disabled=no dst-port=1368 \
protocol=tcp
add action=drop chain=virus comment=hromgrafx disabled=no dst-port=1373 \
protocol=tcp
add action=drop chain=virus comment=cichlid disabled=no dst-port=1377 \
protocol=tcp
add action=drop chain=virus comment=Worm disabled=no dst-port=1433-1434 \
protocol=tcp
# NOTE(review): dst-port=2745/tcp is listed twice ("Bagle Virus" here and
# "Drop Beagle.C-K" further down); the second occurrence is redundant.
add action=drop chain=virus comment="Bagle Virus" disabled=no dst-port=2745 \
protocol=tcp
add action=drop chain=virus comment="Drop Dumaru.Y" disabled=no dst-port=2283 \
protocol=tcp
add action=drop chain=virus comment="Drop Beagle" disabled=no dst-port=2535 \
protocol=tcp
add action=drop chain=virus comment="Drop Beagle.C-K" disabled=no dst-port=\
2745 protocol=tcp
add action=drop chain=virus comment="Drop MyDoom" disabled=no dst-port=\
3127-3128 protocol=tcp
add action=drop chain=virus comment="Drop Backdoor OptixPro" disabled=no \
dst-port=3410 protocol=tcp
add action=drop chain=virus comment=Worm disabled=no dst-port=4444 protocol=\
tcp
add action=drop chain=virus comment=Worm disabled=no dst-port=4444 protocol=\
udp
add action=drop chain=virus comment="Drop Sasser" disabled=no dst-port=5554 \
protocol=tcp
add action=drop chain=virus comment="Drop Beagle.B" disabled=no dst-port=8866 \
protocol=tcp
add action=drop chain=virus comment="Drop Dabber.A-B" disabled=no dst-port=\
9898 protocol=tcp
add action=drop chain=virus comment="Drop Dumaru.Y" disabled=no dst-port=\
10000 protocol=tcp
add action=drop chain=virus comment="Drop MyDoom.B" disabled=no dst-port=\
10080 protocol=tcp
add action=drop chain=virus comment="Drop NetBus" disabled=no dst-port=12345 \
protocol=tcp
add action=drop chain=virus comment="Drop Kuang2" disabled=no dst-port=17300 \
protocol=tcp
add action=drop chain=virus comment="Drop SubSeven" disabled=no dst-port=\
27374 protocol=tcp
add action=drop chain=virus comment="Drop PhatBot, Agobot, Gaobot" disabled=\
no dst-port=65506 protocol=tcp
# Layer-7 matchers: each name must be defined under /ip firewall layer7-protocol
# (the definitions are not part of this page).
# NOTE(review): "torren" looks truncated (torrent?) — confirm the defined name.
add action=drop chain=forward comment="" disabled=no layer7-protocol=torren
add action=drop chain=forward comment="" disabled=no layer7-protocol=\
torrent-dns
/ip firewall mangle
# Packet marks by traffic class on the "wan" interface: one *_in mark per class
# (prerouting, in-interface=wan) and one *_out mark (postrouting,
# out-interface=wan). Every rule uses passthrough=no, so the first matching rule
# wins and the order is significant: specific classes first, then the catch-all
# udp / tcp / other rules at the bottom. Nothing in this excerpt consumes the
# marks — presumably queues do; confirm against the queue configuration.
# Inbound rules for client-initiated services (pop3, smtp, imap, dns, www, ssl)
# match on the remote src-port; ssh and winbox instead match on dst-port, i.e.
# connections arriving from wan *to* the router's management ports.
add action=mark-packet chain=prerouting comment=icmp disabled=no \
in-interface=wan new-packet-mark=icmp_in passthrough=no protocol=icmp
add action=mark-packet chain=postrouting comment="" disabled=no \
new-packet-mark=icmp_out out-interface=wan passthrough=no protocol=icmp
add action=mark-packet chain=prerouting comment=p2p disabled=no in-interface=\
wan new-packet-mark=p2p_in p2p=all-p2p passthrough=no
add action=mark-packet chain=postrouting comment="" disabled=no \
new-packet-mark=p2p_out out-interface=wan p2p=all-p2p passthrough=no
add action=mark-packet chain=prerouting comment=pop3 disabled=no \
in-interface=wan new-packet-mark=pop3_in passthrough=no protocol=tcp \
src-port=110
add action=mark-packet chain=postrouting comment="" disabled=no dst-port=110 \
new-packet-mark=pop3_out out-interface=wan passthrough=no protocol=tcp
add action=mark-packet chain=prerouting comment=smtp disabled=no \
in-interface=wan new-packet-mark=smtp_in passthrough=no protocol=tcp \
src-port=25
add action=mark-packet chain=postrouting comment="" disabled=no dst-port=25 \
new-packet-mark=smtp_out out-interface=wan passthrough=no protocol=tcp
add action=mark-packet chain=prerouting comment=imap disabled=no \
in-interface=wan new-packet-mark=imap_in passthrough=no protocol=tcp \
src-port=143
add action=mark-packet chain=postrouting comment="" disabled=no dst-port=143 \
new-packet-mark=imap_out out-interface=wan passthrough=no protocol=tcp
# NOTE(review): marking ssh (22) and winbox (8291) arriving from wan does not
# restrict them in any way; make sure /ip firewall filter chain=input limits
# which sources may reach these management ports.
add action=mark-packet chain=prerouting comment=ssh disabled=no dst-port=22 \
in-interface=wan new-packet-mark=ssh_in passthrough=no protocol=tcp
add action=mark-packet chain=postrouting comment="" disabled=no \
new-packet-mark=ssh_out out-interface=wan passthrough=no protocol=tcp \
src-port=22
add action=mark-packet chain=prerouting comment=winbox disabled=no dst-port=\
8291 in-interface=wan new-packet-mark=winbox_in passthrough=no protocol=\
tcp
add action=mark-packet chain=postrouting comment="" disabled=no \
new-packet-mark=winbox_out out-interface=wan passthrough=no protocol=tcp \
src-port=8291
add action=mark-packet chain=prerouting comment=dns disabled=no in-interface=\
wan new-packet-mark=dns_in passthrough=no protocol=udp src-port=53
add action=mark-packet chain=postrouting comment="" disabled=no dst-port=53 \
new-packet-mark=dns_out out-interface=wan passthrough=no protocol=udp
add action=mark-packet chain=prerouting comment=www disabled=no in-interface=\
wan new-packet-mark=www_in passthrough=no protocol=tcp src-port=80
add action=mark-packet chain=postrouting comment="" disabled=no dst-port=80 \
new-packet-mark=www_out out-interface=wan passthrough=no protocol=tcp
add action=mark-packet chain=prerouting comment=ssl disabled=no in-interface=\
wan new-packet-mark=ssl_in passthrough=no protocol=tcp src-port=443
add action=mark-packet chain=postrouting comment="" disabled=no dst-port=443 \
new-packet-mark=ssl_out out-interface=wan passthrough=no protocol=tcp
# Catch-all classes: anything not marked above, by protocol, then everything else.
add action=mark-packet chain=prerouting comment=udp disabled=no in-interface=\
wan new-packet-mark=udp_in passthrough=no protocol=udp
add action=mark-packet chain=postrouting comment="" disabled=no \
new-packet-mark=udp_out out-interface=wan passthrough=no protocol=udp
add action=mark-packet chain=prerouting comment=tcp disabled=no in-interface=\
wan new-packet-mark=tcp_in passthrough=no protocol=tcp
add action=mark-packet chain=postrouting comment="" disabled=no \
new-packet-mark=tcp_out out-interface=wan passthrough=no protocol=tcp
add action=mark-packet chain=prerouting comment=other disabled=no \
in-interface=wan new-packet-mark=other_in passthrough=no
add action=mark-packet chain=postrouting comment="" disabled=no \
new-packet-mark=other_out out-interface=wan passthrough=no
/ip firewall service-port
# Connection-tracking helpers (ALGs). Each one inspects protocol payloads to
# track related data connections, which means it parses untrusted traffic;
# keep only the helpers that are actually needed. pptp is already off here.
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061
set pptp disabled=yes
لو عاوز البنج يعد آخره 30/40 (بنج وهمي):
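# The pasted command was split over two lines and its to-addresses line was
# duplicated; rejoined here with a continuation. The menu header was missing
# from the paste and is restored: chain=dstnat with action=netmap belongs to
# /ip firewall nat.
/ip firewall nat
# Rewrites the destination of every ICMP packet handled in dstnat (no interface
# or source restriction) to the fixed address 41.128.225.225. The post presents
# this as a way to show a constant "fake" ping of about 30/40 ms. Side effect:
# ICMP-based ping and traceroute from clients never reach their real
# destination, so the latency and path users see are not real.
add action=netmap chain=dstnat comment="" disabled=no protocol=icmp \
to-addresses=41.128.225.225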
قفل المواقع نهائياً عن طريق إضافة هذا الـ DNS:
Primary DNS : 67.150.159.81
Secondary DNS : 67.150.159.13
Secondary DNS : 67.150.159.13