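# ---- ip firewall filter (continuation: the "ip firewall filter" header and the
# earlier rules of the virus chain are above this excerpt) ----
# Last visible rule of chain=virus; the chain is only reached via the jump below.
add chain=virus protocol=tcp dst-port=65506 action=drop comment="Drop PhatBot, Agobot, Gaobot" disabled=no
# NOTE(review): while this jump stays disabled=yes, nothing in chain=virus is ever evaluated.
add chain=forward action=jump jump-target=virus comment="jump to the virus chain" disabled=yes
# Stateful core of the forward chain: keep known flows, discard invalid ones.
add chain=forward connection-state=established action=accept comment="allow established connections" disabled=no
add chain=forward connection-state=related action=accept comment="allow related connections" disabled=no
add chain=forward connection-state=invalid action=drop comment="drop invalid connections" disabled=no
add chain=forward protocol=icmp action=accept comment="allow ping" disabled=no
# NOTE(review): accepts every forwarded UDP datagram regardless of port or direction; confirm this is intended.
add chain=forward protocol=udp action=accept comment="allow udp" disabled=no
# Port-scan detection against the router itself (psd = weight threshold 21, within 3s,
# low-port weight 3, high-port weight 1). Offending sources are added to "port scanners"
# with no expiry (timeout 0s). No rule on this page acts on that list; presumably a
# src-address-list="port scanners" action=drop rule exists earlier in the input chain - confirm.
add chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=0s comment="" disabled=no
# NOTE(review): with this rule disabled the forward chain has no default deny; traffic not
# matched above falls through to the chain's default action (accept).
add chain=forward action=drop comment="drop everything else" disabled=yes
# FIN set with SYN, RST, PSH, ACK and URG all clear never appears in a legitimate TCP
# flow (every post-handshake segment carries ACK). The original explicitly *accepted*
# this combination and listed the identical rule twice; it is now dropped and the
# duplicate removed.
add chain=input protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg action=drop comment="" disabled=no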
################### Mangle rules: classify traffic with connection/packet marks
ip firewall mangle
# Mark the user subnet's connections, then mark every packet belonging to those
# connections. Both rules keep passthrough=yes so the service-marking below still runs.
# NOTE(review): 172.128.254.0/24 lies outside the RFC 1918 private ranges (172.16.0.0/12);
# confirm this is the intended LAN prefix and not a typo for 172.16.254.0/24 or similar.
add chain=forward src-address=172.128.254.0/24 action=mark-connection new-connection-mark=users-con passthrough=yes comment="Marca o pacotes Usuarios"
add chain=forward connection-mark=users-con action=mark-packet new-packet-mark=users passthrough=yes

# Only the first packet of a connection is classified; dispatch on protocol.
add chain=prerouting connection-state=new protocol=tcp action=jump jump-target=tcp-services
add chain=prerouting connection-state=new protocol=udp action=jump jump-target=udp-services
add chain=prerouting connection-state=new action=jump jump-target=other-services

# tcp-services: one connection mark per well-known destination port. Every rule uses
# passthrough=no, so a connection receives exactly one mark; the catch-all comes last.
add chain=tcp-services protocol=tcp dst-port=20-21 src-port=1024-65535 action=mark-connection new-connection-mark=ftp passthrough=no
add chain=tcp-services protocol=tcp dst-port=22 src-port=513-65535 action=mark-connection new-connection-mark=ssh passthrough=no
add chain=tcp-services protocol=tcp dst-port=23 src-port=1024-65535 action=mark-connection new-connection-mark=telnet passthrough=no
add chain=tcp-services protocol=tcp dst-port=25 src-port=1024-65535 action=mark-connection new-connection-mark=smtp passthrough=no
# DNS over TCP: server-to-server (53->53) and client (ephemeral->53) both land in "dns".
add chain=tcp-services protocol=tcp dst-port=53 src-port=53 action=mark-connection new-connection-mark=dns passthrough=no
add chain=tcp-services protocol=tcp dst-port=53 src-port=1024-65535 action=mark-connection new-connection-mark=dns passthrough=no
add chain=tcp-services protocol=tcp dst-port=80 src-port=1024-65535 action=mark-connection new-connection-mark=http passthrough=no
add chain=tcp-services protocol=tcp dst-port=110 src-port=1024-65535 action=mark-connection new-connection-mark=pop3 passthrough=no
add chain=tcp-services protocol=tcp dst-port=113 src-port=1024-65535 action=mark-connection new-connection-mark=auth passthrough=no
add chain=tcp-services protocol=tcp dst-port=119 src-port=1024-65535 action=mark-connection new-connection-mark=nntp passthrough=no
add chain=tcp-services protocol=tcp dst-port=143 src-port=1024-65535 action=mark-connection new-connection-mark=imap passthrough=no
add chain=tcp-services protocol=tcp dst-port=161-162 src-port=1024-65535 action=mark-connection new-connection-mark=snmp passthrough=no
add chain=tcp-services protocol=tcp dst-port=443 src-port=1024-65535 action=mark-connection new-connection-mark=https passthrough=no
add chain=tcp-services protocol=tcp dst-port=465 src-port=1024-65535 action=mark-connection new-connection-mark=smtps passthrough=no
add chain=tcp-services protocol=tcp dst-port=993 src-port=1024-65535 action=mark-connection new-connection-mark=imaps passthrough=no
add chain=tcp-services protocol=tcp dst-port=995 src-port=1024-65535 action=mark-connection new-connection-mark=pop3s passthrough=no
add chain=tcp-services protocol=tcp dst-port=1723 src-port=1024-65535 action=mark-connection new-connection-mark=pptp passthrough=no
add chain=tcp-services protocol=tcp dst-port=2379 src-port=1024-65535 action=mark-connection new-connection-mark=kgs passthrough=no
add chain=tcp-services protocol=tcp dst-port=3128 src-port=1024-65535 action=mark-connection new-connection-mark=proxy passthrough=no
# NOTE(review): 3987 is labelled win-ts, but Windows Terminal Services/RDP normally
# listens on 3389; confirm the port (kept as in the original).
add chain=tcp-services protocol=tcp dst-port=3987 src-port=1024-65535 action=mark-connection new-connection-mark=win-ts passthrough=no
# P2P: eMule/Overnet are matched in both directions (client->server and server->client ports).
add chain=tcp-services protocol=tcp dst-port=4242-4243 src-port=1024-65535 action=mark-connection new-connection-mark=emule passthrough=no
add chain=tcp-services protocol=tcp dst-port=1024-65535 src-port=4661-4662 action=mark-connection new-connection-mark=overnet passthrough=no
add chain=tcp-services protocol=tcp dst-port=1024-65535 src-port=4711 action=mark-connection new-connection-mark=emule passthrough=no
add chain=tcp-services protocol=tcp dst-port=5900-5901 src-port=1024-65535 action=mark-connection new-connection-mark=vnc passthrough=no
add chain=tcp-services protocol=tcp dst-port=6667-6669 src-port=1024-65535 action=mark-connection new-connection-mark=irc passthrough=no
add chain=tcp-services protocol=tcp dst-port=6881-6889 src-port=1024-65535 action=mark-connection new-connection-mark=bittorrent passthrough=no
add chain=tcp-services protocol=tcp dst-port=8080 src-port=1024-65535 action=mark-connection new-connection-mark=http passthrough=no
add chain=tcp-services protocol=tcp dst-port=8291 src-port=1024-65535 action=mark-connection new-connection-mark=winbox passthrough=no
# Anything TCP not matched above.
add chain=tcp-services protocol=tcp action=mark-connection new-connection-mark=other-tcp passthrough=no

# udp-services: same scheme for UDP.
add chain=udp-services protocol=udp dst-port=53 src-port=1024-65535 action=mark-connection new-connection-mark=dns passthrough=no
add chain=udp-services protocol=udp dst-port=123 src-port=1024-65535 action=mark-connection new-connection-mark=ntp passthrough=no
add chain=udp-services protocol=udp dst-port=1701 src-port=1024-65535 action=mark-connection new-connection-mark=l2tp passthrough=no
add chain=udp-services protocol=udp dst-port=4665 src-port=1024-65535 action=mark-connection new-connection-mark=emule passthrough=no
add chain=udp-services protocol=udp dst-port=4672 src-port=1024-65535 action=mark-connection new-connection-mark=emule passthrough=no
add chain=udp-services protocol=udp dst-port=1024-65535 src-port=4672 action=mark-connection new-connection-mark=emule passthrough=no
add chain=udp-services protocol=udp dst-port=12053 src-port=1024-65535 action=mark-connection new-connection-mark=overnet passthrough=no
add chain=udp-services protocol=udp dst-port=1024-65535 src-port=12053 action=mark-connection new-connection-mark=overnet passthrough=no
add chain=udp-services protocol=udp dst-port=1024-65535 src-port=36725 action=mark-connection new-connection-mark=skype passthrough=no
# Anything UDP not matched above (connection-state=new is already guaranteed by the jump; kept as in the original).
add chain=udp-services protocol=udp connection-state=new action=mark-connection new-connection-mark=other-udp passthrough=no

# other-services: ICMP echo request (type 8), GRE, and everything else.
add chain=other-services protocol=icmp icmp-options=8:0-255 action=mark-connection new-connection-mark=ping passthrough=no
add chain=other-services protocol=gre action=mark-connection new-connection-mark=gre passthrough=no
add chain=other-services action=mark-connection new-connection-mark=other passthrough=no

# Packets arriving on Public for addresses in the nat-addr list get their own packet mark.
add chain=prerouting in-interface=Public dst-address-list=nat-addr action=mark-packet new-packet-mark=nat-traversal passthrough=no
##############################################################
:) Bom pessoal, essa coletânea de regras de firewall é utilizada pelo meu servidor e gostaria de informar que todas elas estão na documentação do sistema MikroTik.
Outra coisa também: depois que eu adicionei essas regras, o rendimento do meu servidor aumentou.
Nessas regras constam: proteção ao próprio roteador,
proteção aos seus clientes,
monitoramento dos serviços de rede,
drop de pacotes mal-intencionados,
proteção da rede contra vírus etc.
Espero que essas informações sirvam para outras pessoas, pois lutei muito para deixar a minha rede do jeito que está, perfeita, com mais de 100 clientes no cabo mesmo.