+ Responder ao Tópico



  1. #1

    Padrão Regras de segurança no mk

    Boa noite
    sou iniciante em mk e tenho um pequeno provedor com mk, eu uso pppoe e hotspot para fazer autenticaçao dos clientes.
    Gostaria de saber de voçes que tem muita experiencia o que devo fazer e quais regras usar para manter a segurança no provedor.
    -Tenho que colocar alguma regra de bloqueio de port scan ou virus ?

  2. #2

    Padrão Re: Regras de segurança no mk

    Citação Postado originalmente por paulosjbv Ver Post
    Boa noite
    sou iniciante em mk e tenho um pequeno provedor com mk, eu uso pppoe e hotspot para fazer autenticaçao dos clientes.
    Gostaria de saber de voçes que tem muita experiencia o que devo fazer e quais regras usar para manter a segurança no provedor.
    -Tenho que colocar alguma regra de bloqueio de port scan ou virus ?
    Paulo é sempre bom você ter essas regras para que venha se proteger de eventuais problemas.
    Da uma pesquisada aqui no forum que você acha o pessoal postando varias regras de firewall ai é só você ir testando e adaptando para sua rede.



  3. #3

    Padrão Re: Regras de segurança no mk

    entao
    achei varias mas gostaria de saber quais devo usar.
    ex: eu na minha opiniao nao devemos colocar regras de bloqueio de virus no router pois pode deixa-lo lento ou mesmo barrrar algum serviço basico, mas tem gente usando será que estou errado?
    uma regra que achei interessante foi a de bloquear port scan até coloquei aqui mas fui testar um por scan na minha maquina e vi que nao bloqueou entao gostaria de saber quais sao e se as regras funcionan mesmo.

  4. #4

    Padrão Re: Regras de segurança no mk

    o que acham de fazermos uma lista com regras basicas de segurança onde protegesse o router e todos pudeseem usar ? isso é possivel ?



  5. #5

    Padrão Re: Regras de segurança no mk

    Ai vai algumas para voce ver

    http://wiki.mikrotik.com/wiki/DoS_attack_protection

    http://wiki.mikrotik.com/wiki/Manual:IP/Firewall/Filter Neste link veja sobre Router Protection

    as regras de virus que voce achar na net tem que ter cuidado pois pode estar barrando portas de serviços que voce ou seu cliente precise.

  6. #6

    Padrão Re: Regras de segurança no mk

    Bom, vamos tentar melhorar bem essas regras que vou postar.

    /ip firewall address-list
    add address=177.XX.YY.12 comment="" disabled=no list=SERVIDOR
    add address=177.XX.YY.19 comment="" disabled=no list=SERVIDOR
    add address=0.0.0.0/8 comment="illegal addresses" disabled=no list=illegal-addr
    add address=127.0.0.0/8 comment="" disabled=no list=illegal-addr
    add address=224.0.0.0/3 comment="" disabled=no list=illegal-addr
    add address=10.0.0.0/8 comment="" disabled=no list=illegal-addr
    add address=172.16.0.0/12 comment="" disabled=no list=illegal-addr
    add address=192.168.0.0/16 comment="" disabled=no list=illegal-addr
    add address=177.XX.YY.0/20 comment="my local network" disabled=no list=local-addr
    /ip firewall connection tracking
    set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s tcp-close-wait-timeout=10s tcp-established-timeout=1d tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
    /ip firewall filter
    add action=drop chain=forward comment="Barrando SPAM" disabled=yes dst-port=587 protocol=tcp src-address=!177.XX.YY.0/20
    add action=accept chain=forward comment="Allow traffic between wired and wireless networks" disabled=no in-interface=Local out-interface=Local
    add action=jump chain=forward comment="Sanity Check Forward" disabled=no jump-target=sanity-check
    add action=jump chain=sanity-check comment="Deny illegal NAT traversal" disabled=no jump-target=drop packet-mark=nat-traversal
    add action=add-src-to-address-list address-list=blocked-addr address-list-timeout=1d chain=sanity-check comment="Block port scans" disabled=no protocol=tcp psd=20,3s,3,1
    add action=add-src-to-address-list address-list=blocked-addr address-list-timeout=1d chain=sanity-check comment="Block TCP Null scan" disabled=no protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
    add action=add-src-to-address-list address-list=blocked-addr address-list-timeout=1d chain=sanity-check comment="Block TCP Xmas scan" disabled=no protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
    add action=jump chain=sanity-check comment="" disabled=no jump-target=drop protocol=tcp src-address-list=blocked-addr
    add action=jump chain=sanity-check comment="Drop TCP RST" disabled=no jump-target=drop protocol=tcp tcp-flags=rst
    add action=jump chain=sanity-check comment="Drop TCP SYN+FIN" disabled=no jump-target=drop protocol=tcp tcp-flags=fin,syn
    add action=jump chain=sanity-check comment="Dropping invalid connections at once" connection-state=invalid disabled=no jump-target=drop
    add action=accept chain=sanity-check comment="Accepting already established connections" connection-state=established disabled=no
    add action=accept chain=sanity-check comment="Also accepting related connections" connection-state=related disabled=no
    add action=jump chain=sanity-check comment="Drop all traffic that goes to multicast or broadcast addresses" disabled=no dst-address-type=broadcast,multicast jump-target=drop
    add action=jump chain=sanity-check comment="Drop illegal destination addresses" disabled=no dst-address-list=illegal-addr dst-address-type=!local in-interface=Local jump-target=drop
    add action=jump chain=sanity-check comment="Drop everything that goes from local interface but not from local address" disabled=no in-interface=Local jump-target=drop src-address-list=!local-addr
    add action=jump chain=sanity-check comment="Drop illegal source addresses" disabled=no in-interface=Public jump-target=drop src-address-list=illegal-addr
    add action=jump chain=sanity-check comment="Drop everything that goes from public interface but not to local address" disabled=no dst-address-list=!local-addr in-interface=Public jump-target=drop
    add action=jump chain=sanity-check comment="Drop all traffic that comes from multicast or broadcast addresses" disabled=no jump-target=drop src-address-type=broadcast,multicast
    add action=jump chain=forward comment="" disabled=no jump-target=restrict-tcp protocol=tcp
    add action=jump chain=forward comment="" disabled=no jump-target=restrict-udp protocol=udp
    add action=jump chain=forward comment="" disabled=no jump-target=restrict-ip
    add action=reject chain=restrict-tcp comment="" connection-mark=auth disabled=no reject-with=icmp-network-unreachable
    add action=jump chain=restrict-tcp comment="anti-spam policy" connection-mark=smtp disabled=no jump-target=smtp-first-drop
    add action=add-src-to-address-list address-list=approved-smtp address-list-timeout=0s chain=smtp-first-drop comment="" disabled=no src-address-list=first-smtp
    add action=return chain=smtp-first-drop comment="" disabled=no src-address-list=approved-smtp
    add action=add-src-to-address-list address-list=first-smtp address-list-timeout=0s chain=smtp-first-drop comment="" disabled=no
    add action=reject chain=smtp-first-drop comment="" disabled=no reject-with=icmp-network-unreachable src-address-list=!SERVIDOR
    add action=jump chain=restrict-tcp comment="" connection-mark=other-tcp disabled=no jump-target=drop
    add action=jump chain=restrict-udp comment="" connection-mark=other-udp disabled=no jump-target=drop
    add action=jump chain=restrict-ip comment="" connection-mark=other disabled=no jump-target=drop
    add action=accept chain=input comment="Allow local traffic (between router applications)" disabled=no dst-address-type=local src-address-type=local
    add action=jump chain=input comment="DHCP protocol would not pass sanity checking, so enabling it explicitly before other checks" disabled=no dst-port=67 in-interface=Local jump-target=dhcp protocol=udp src-port=68
    add action=jump chain=input comment="Sanity Check" disabled=no jump-target=sanity-check
    add action=jump chain=input comment="Dropping packets not destined to the router itself, including all broadcast traffic" disabled=no dst-address-type=!local jump-target=drop
    add action=accept chain=input comment="Allow pings, but at a very limited rate (5 packets per sec)" connection-mark=ping disabled=no limit=5,5
    add action=jump chain=input comment="Allowing some services to be accessible from the local network" disabled=no in-interface=Local jump-target=local-services
    add action=jump chain=input comment="Allowing some services to be accessible from the Internet" disabled=no in-interface=Public jump-target=public-services
    add action=jump chain=input comment="" disabled=no jump-target=drop
    add action=accept chain=dhcp comment="" disabled=no dst-address=255.255.255.255 src-address=0.0.0.0
    add action=accept chain=dhcp comment="" disabled=no dst-address-type=local src-address=0.0.0.0
    add action=accept chain=dhcp comment="" disabled=no dst-address-type=local src-address-list=local-addr
    add action=accept chain=local-services comment="SSH (22/TCP)" connection-mark=ssh disabled=no
    add action=accept chain=local-services comment=DNS connection-mark=dns disabled=no
    add action=accept chain=local-services comment=Radius connection-mark=radius disabled=no
    add action=accept chain=local-services comment="Winbox (8291/TCP)" connection-mark=winbox disabled=no
    add action=log chain=local-services comment="Log & Drop Other Local Services" disabled=no log-prefix=""
    add action=drop chain=local-services comment="" disabled=no
    add action=accept chain=public-services comment="SSH (22/TCP)" connection-mark=ssh disabled=no
    add action=accept chain=public-services comment="PPTP (1723/TCP)" connection-mark=pptp disabled=no
    add action=accept chain=public-services comment="Winbox (8291/TCP)" connection-mark=winbox disabled=no
    add action=accept chain=public-services comment="GRE for PPTP" connection-mark=gre disabled=no
    add action=accept chain=public-services comment=Radius connection-mark=radius disabled=no
    add action=log chain=public-services comment="Log & Drop Other Public Services" disabled=no log-prefix=""
    add action=drop chain=public-services comment="" disabled=no
    add action=log chain=drop comment="Log Everything that we drop" disabled=yes log-prefix=""
    add action=drop chain=drop comment="" disabled=no


    Continua...



  7. #7

    Padrão Re: Regras de segurança no mk

    /ip firewall mangle
    add action=jump chain=prerouting comment="" connection-state=new disabled=no jump-target=tcp-services protocol=tcp
    add action=jump chain=prerouting comment="" connection-state=new disabled=no jump-target=udp-services protocol=udp
    add action=jump chain=prerouting comment="" connection-state=new disabled=no jump-target=other-services
    add action=mark-connection chain=tcp-services comment="" disabled=no dst-port=20-21 new-connection-mark=ftp passthrough=no protocol=tcp src-port=1024-65535
    add action=mark-connection chain=tcp-services comment="" disabled=no dst-port=22 new-connection-mark=ssh passthrough=no protocol=tcp src-port=513-65535
    add action=mark-connection chain=tcp-services comment="" disabled=no dst-port=23 new-connection-mark=telnet passthrough=no protocol=tcp src-port=1024-65535
    add action=mark-connection chain=tcp-services comment="" disabled=no dst-port=25 new-connection-mark=smtp passthrough=no protocol=tcp src-port=1024-65535
    add action=mark-connection chain=tcp-services comment="" disabled=no dst-port=587 new-connection-mark=smtp passthrough=no protocol=tcp src-port=1024-65535
    add action=mark-connection chain=tcp-services comment="" disabled=no dst-port=53 new-connection-mark=dns passthrough=no protocol=tcp src-port=53
    add action=mark-connection chain=tcp-services comment="" disabled=no dst-port=53 new-connection-mark=dns passthrough=no protocol=tcp src-port=1024-65535
    add action=mark-connection chain=tcp-services comment="" disabled=no dst-port=80 new-connection-mark=http passthrough=no protocol=tcp src-port=1024-65535
    add action=mark-connection chain=tcp-services comment="" disabled=no dst-port=110 new-connection-mark=pop3 passthrough=no protocol=tcp src-port=1024-65535
    add action=mark-connection chain=tcp-services comment="" disabled=no dst-port=113 new-connection-mark=auth passthrough=no protocol=tcp src-port=1024-65535
    add action=mark-connection chain=tcp-services comment="" disabled=no dst-port=119 new-connection-mark=nntp passthrough=no protocol=tcp src-port=1024-65535
    add action=mark-connection chain=tcp-services comment="" disabled=no dst-port=143 new-connection-mark=imap passthrough=no protocol=tcp src-port=1024-65535
    add action=mark-connection chain=tcp-services comment="" disabled=no dst-port=161-162 new-connection-mark=snmp passthrough=no protocol=tcp src-port=1024-65535
    add action=mark-connection chain=tcp-services comment="" disabled=no dst-port=443 new-connection-mark=https passthrough=no protocol=tcp src-port=1024-65535
    add action=mark-connection chain=tcp-services comment="" disabled=no dst-port=465 new-connection-mark=smtps passthrough=no protocol=tcp src-port=1024-65535
    add action=mark-connection chain=tcp-services comment="" disabled=no dst-port=993 new-connection-mark=imaps passthrough=no protocol=tcp src-port=1024-65535
    add action=mark-connection chain=tcp-services comment="" disabled=no dst-port=995 new-connection-mark=pop3s passthrough=no protocol=tcp src-port=1024-65535
    add action=mark-connection chain=tcp-services comment="" disabled=no dst-port=1723 new-connection-mark=pptp passthrough=no protocol=tcp src-port=1024-65535
    add action=mark-connection chain=tcp-services comment="" disabled=no dst-port=2379 new-connection-mark=kgs passthrough=no protocol=tcp src-port=1024-65535
    add action=mark-connection chain=tcp-services comment="" disabled=yes dst-port=3128 new-connection-mark=proxy passthrough=no protocol=tcp src-port=1024-65535
    add action=mark-connection chain=tcp-services comment="" disabled=no dst-port=3389 new-connection-mark=win-ts passthrough=no protocol=tcp src-port=1024-65535
    add action=mark-connection chain=tcp-services comment="" disabled=no dst-port=4242-4243 new-connection-mark=emule passthrough=no protocol=tcp src-port=1024-65535
    add action=mark-connection chain=tcp-services comment="" disabled=no dst-port=1024-65535 new-connection-mark=overnet passthrough=no protocol=tcp src-port=4661-4662
    add action=mark-connection chain=tcp-services comment="" disabled=no dst-port=1024-65535 new-connection-mark=emule passthrough=no protocol=tcp src-port=4711
    add action=mark-connection chain=tcp-services comment="" disabled=no dst-port=5900-5901 new-connection-mark=vnc passthrough=no protocol=tcp src-port=1024-65535
    add action=mark-connection chain=tcp-services comment="" disabled=no dst-port=6667-6669 new-connection-mark=irc passthrough=no protocol=tcp src-port=1024-65535
    add action=mark-connection chain=tcp-services comment="" disabled=no dst-port=6881-6889 new-connection-mark=bittorrent passthrough=no protocol=tcp src-port=1024-65535
    add action=mark-connection chain=tcp-services comment="" disabled=no dst-port=8080 new-connection-mark=http passthrough=no protocol=tcp src-port=1024-65535
    add action=mark-connection chain=tcp-services comment="" disabled=no dst-port=8291 new-connection-mark=winbox passthrough=no protocol=tcp src-port=1024-65535
    add action=mark-connection chain=tcp-services comment="" disabled=no dst-port=8728 new-connection-mark=api-mk passthrough=no protocol=tcp src-port=1024-65535
    add action=mark-connection chain=tcp-services comment="" disabled=no new-connection-mark=other-tcp passthrough=no protocol=tcp
    add action=mark-connection chain=udp-services comment="" disabled=no dst-port=53 new-connection-mark=dns passthrough=no protocol=udp src-port=1024-65535
    add action=mark-connection chain=udp-services comment="" disabled=no dst-port=123 new-connection-mark=ntp passthrough=no protocol=udp src-port=1024-65535
    add action=mark-connection chain=udp-services comment="" disabled=no dst-port=1701 new-connection-mark=l2tp passthrough=no protocol=udp src-port=1024-65535
    add action=mark-connection chain=udp-services comment="" disabled=no dst-port=4665 new-connection-mark=emule passthrough=no protocol=udp src-port=1024-65535
    add action=mark-connection chain=udp-services comment="" disabled=no dst-port=4672 new-connection-mark=emule passthrough=no protocol=udp src-port=1024-65535
    add action=mark-connection chain=udp-services comment="" disabled=no dst-port=1024-65535 new-connection-mark=emule passthrough=no protocol=udp src-port=4672
    add action=mark-connection chain=udp-services comment="" disabled=no dst-port=12053 new-connection-mark=overnet passthrough=no protocol=udp src-port=1024-65535
    add action=mark-connection chain=udp-services comment="" disabled=no dst-port=1024-65535 new-connection-mark=overnet passthrough=no protocol=udp src-port=12053
    add action=mark-connection chain=udp-services comment="" disabled=no dst-port=1024-65535 new-connection-mark=skype passthrough=no protocol=udp src-port=36725
    add action=mark-connection chain=udp-services comment="" disabled=no dst-port=1812-1813 new-connection-mark=radius passthrough=no protocol=udp src-port=1024-65535
    add action=mark-connection chain=udp-services comment="" connection-state=new disabled=no new-connection-mark=other-udp passthrough=no protocol=udp
    add action=mark-connection chain=other-services comment="" disabled=no icmp-options=8:0-255 new-connection-mark=ping passthrough=no protocol=icmp
    add action=mark-connection chain=other-services comment="" disabled=no new-connection-mark=gre passthrough=no protocol=gre
    add action=mark-connection chain=other-services comment="" disabled=no new-connection-mark=other passthrough=no
    add action=mark-packet chain=prerouting comment="Detect NAT Traversal" disabled=no dst-address-list=nat-addr in-interface=Public new-packet-mark=nat-traversal passthrough=no

  8. #8

    Padrão Re: Regras de segurança no mk

    o que não falta agora é regra, agora é colocar em um RB de teste e ir adequando a sua necessidade.



  9. #9

    Padrão Re: Regras de segurança no mk

    Citação Postado originalmente por farias Ver Post
    Bom, vamos tentar melhorar bem essas regras que vou postar.

    /ip firewall address-list
    add address=177.XX.YY.12 comment="" disabled=no list=SERVIDOR
    add address=177.XX.YY.19 comment="" disabled=no list=SERVIDOR
    add address=0.0.0.0/8 comment="illegal addresses" disabled=no list=illegal-addr
    add address=127.0.0.0/8 comment="" disabled=no list=illegal-addr
    add address=224.0.0.0/3 comment="" disabled=no list=illegal-addr
    add address=10.0.0.0/8 comment="" disabled=no list=illegal-addr
    add address=172.16.0.0/12 comment="" disabled=no list=illegal-addr
    add address=192.168.0.0/16 comment="" disabled=no list=illegal-addr
    add address=177.XX.YY.0/20 comment="my local network" disabled=no list=local-addr
    /ip firewall connection tracking
    set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s tcp-close-wait-timeout=10s tcp-established-timeout=1d tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
    /ip firewall filter
    add action=drop chain=forward comment="Barrando SPAM" disabled=yes dst-port=587 protocol=tcp src-address=!177.XX.YY.0/20
    add action=accept chain=forward comment="Allow traffic between wired and wireless networks" disabled=no in-interface=Local out-interface=Local
    add action=jump chain=forward comment="Sanity Check Forward" disabled=no jump-target=sanity-check
    add action=jump chain=sanity-check comment="Deny illegal NAT traversal" disabled=no jump-target=drop packet-mark=nat-traversal
    add action=add-src-to-address-list address-list=blocked-addr address-list-timeout=1d chain=sanity-check comment="Block port scans" disabled=no protocol=tcp psd=20,3s,3,1
    add action=add-src-to-address-list address-list=blocked-addr address-list-timeout=1d chain=sanity-check comment="Block TCP Null scan" disabled=no protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
    add action=add-src-to-address-list address-list=blocked-addr address-list-timeout=1d chain=sanity-check comment="Block TCP Xmas scan" disabled=no protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
    add action=jump chain=sanity-check comment="" disabled=no jump-target=drop protocol=tcp src-address-list=blocked-addr
    add action=jump chain=sanity-check comment="Drop TCP RST" disabled=no jump-target=drop protocol=tcp tcp-flags=rst
    add action=jump chain=sanity-check comment="Drop TCP SYN+FIN" disabled=no jump-target=drop protocol=tcp tcp-flags=fin,syn
    add action=jump chain=sanity-check comment="Dropping invalid connections at once" connection-state=invalid disabled=no jump-target=drop
    add action=accept chain=sanity-check comment="Accepting already established connections" connection-state=established disabled=no
    add action=accept chain=sanity-check comment="Also accepting related connections" connection-state=related disabled=no
    add action=jump chain=sanity-check comment="Drop all traffic that goes to multicast or broadcast addresses" disabled=no dst-address-type=broadcast,multicast jump-target=drop
    add action=jump chain=sanity-check comment="Drop illegal destination addresses" disabled=no dst-address-list=illegal-addr dst-address-type=!local in-interface=Local jump-target=drop
    add action=jump chain=sanity-check comment="Drop everything that goes from local interface but not from local address" disabled=no in-interface=Local jump-target=drop src-address-list=!local-addr
    add action=jump chain=sanity-check comment="Drop illegal source addresses" disabled=no in-interface=Public jump-target=drop src-address-list=illegal-addr
    add action=jump chain=sanity-check comment="Drop everything that goes from public interface but not to local address" disabled=no dst-address-list=!local-addr in-interface=Public jump-target=drop
    add action=jump chain=sanity-check comment="Drop all traffic that comes from multicast or broadcast addresses" disabled=no jump-target=drop src-address-type=broadcast,multicast
    add action=jump chain=forward comment="" disabled=no jump-target=restrict-tcp protocol=tcp
    add action=jump chain=forward comment="" disabled=no jump-target=restrict-udp protocol=udp
    add action=jump chain=forward comment="" disabled=no jump-target=restrict-ip
    add action=reject chain=restrict-tcp comment="" connection-mark=auth disabled=no reject-with=icmp-network-unreachable
    add action=jump chain=restrict-tcp comment="anti-spam policy" connection-mark=smtp disabled=no jump-target=smtp-first-drop
    add action=add-src-to-address-list address-list=approved-smtp address-list-timeout=0s chain=smtp-first-drop comment="" disabled=no src-address-list=first-smtp
    add action=return chain=smtp-first-drop comment="" disabled=no src-address-list=approved-smtp
    add action=add-src-to-address-list address-list=first-smtp address-list-timeout=0s chain=smtp-first-drop comment="" disabled=no
    add action=reject chain=smtp-first-drop comment="" disabled=no reject-with=icmp-network-unreachable src-address-list=!SERVIDOR
    add action=jump chain=restrict-tcp comment="" connection-mark=other-tcp disabled=no jump-target=drop
    add action=jump chain=restrict-udp comment="" connection-mark=other-udp disabled=no jump-target=drop
    add action=jump chain=restrict-ip comment="" connection-mark=other disabled=no jump-target=drop
    add action=accept chain=input comment="Allow local traffic (between router applications)" disabled=no dst-address-type=local src-address-type=local
    add action=jump chain=input comment="DHCP protocol would not pass sanity checking, so enabling it explicitly before other checks" disabled=no dst-port=67 in-interface=Local jump-target=dhcp protocol=udp src-port=68
    add action=jump chain=input comment="Sanity Check" disabled=no jump-target=sanity-check
    add action=jump chain=input comment="Dropping packets not destined to the router itself, including all broadcast traffic" disabled=no dst-address-type=!local jump-target=drop
    add action=accept chain=input comment="Allow pings, but at a very limited rate (5 packets per sec)" connection-mark=ping disabled=no limit=5,5
    add action=jump chain=input comment="Allowing some services to be accessible from the local network" disabled=no in-interface=Local jump-target=local-services
    add action=jump chain=input comment="Allowing some services to be accessible from the Internet" disabled=no in-interface=Public jump-target=public-services
    add action=jump chain=input comment="" disabled=no jump-target=drop
    add action=accept chain=dhcp comment="" disabled=no dst-address=255.255.255.255 src-address=0.0.0.0
    add action=accept chain=dhcp comment="" disabled=no dst-address-type=local src-address=0.0.0.0
    add action=accept chain=dhcp comment="" disabled=no dst-address-type=local src-address-list=local-addr
    add action=accept chain=local-services comment="SSH (22/TCP)" connection-mark=ssh disabled=no
    add action=accept chain=local-services comment=DNS connection-mark=dns disabled=no
    add action=accept chain=local-services comment=Radius connection-mark=radius disabled=no
    add action=accept chain=local-services comment="Winbox (8291/TCP)" connection-mark=winbox disabled=no
    add action=log chain=local-services comment="Log & Drop Other Local Services" disabled=no log-prefix=""
    add action=drop chain=local-services comment="" disabled=no
    add action=accept chain=public-services comment="SSH (22/TCP)" connection-mark=ssh disabled=no
    add action=accept chain=public-services comment="PPTP (1723/TCP)" connection-mark=pptp disabled=no
    add action=accept chain=public-services comment="Winbox (8291/TCP)" connection-mark=winbox disabled=no
    add action=accept chain=public-services comment="GRE for PPTP" connection-mark=gre disabled=no
    add action=accept chain=public-services comment=Radius connection-mark=radius disabled=no
    add action=log chain=public-services comment="Log & Drop Other Public Services" disabled=no log-prefix=""
    add action=drop chain=public-services comment="" disabled=no
    add action=log chain=drop comment="Log Everything that we drop" disabled=yes log-prefix=""
    add action=drop chain=drop comment="" disabled=no


    Continua...


    pra qual e a vesao essas regras ae amigo