# RouterOS firewall filter export. Rules are evaluated top to bottom within each chain,
# so the order of the "add" lines below is part of the policy.
/ip firewall filter
# Disabled placeholder rule; its comment marks where hotspot rules are meant to go.
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
# Custom chain "ICMP": accepts selected ICMP type:code values, each with limit=5,5
# (5 packets/s, burst 5): 0 echo reply, 3:3 port unreachable, 3:4 fragmentation needed,
# 8 echo request, 11 time exceeded.
# NOTE(review): no rule with jump-target=ICMP is visible in this export, so as shown this
# chain is never evaluated. The chain also has no closing drop, so a jump alone would not
# enforce the 5 packets/s limit; excess packets would return to the calling chain.
# Confirm whether a jump (plus a final drop) exists elsewhere in the configuration.
add action=accept chain=ICMP comment="0:0 and limit for 5pac/s" disabled=no icmp-options=0:0-255 limit=5,5 protocol=icmp
add action=accept chain=ICMP comment="3:3 and limit for 5pac/s" disabled=no icmp-options=3:3 limit=5,5 protocol=icmp
add action=accept chain=ICMP comment="3:4 and limit for 5pac/s" disabled=no icmp-options=3:4 limit=5,5 protocol=icmp
add action=accept chain=ICMP comment="8:0 and limit for 5pac/s" disabled=no icmp-options=8:0-255 limit=5,5 protocol=icmp
add action=accept chain=ICMP comment="11:0 and limit for 5pac/s" disabled=no icmp-options=11:0-255 limit=5,5 protocol=\
icmp
# Custom chain "services": accepts router management and DNS ports. None of these rules
# restricts the source (no src-address, src-address-list or in-interface).
# NOTE(review): no rule with jump-target=services is visible in this export, so as shown
# the chain is unused. If it is jumped to from input, every port below is reachable from
# any interface, including the upstream side. Consider matching a management address-list
# on 8081/8291 and limiting port 53 to customer ranges, so the router is not an open resolver.
# TCP/8081: web management ("webbox" per the rule comment).
add action=accept chain=services comment="allow http, webbox" disabled=no dst-port=8081 protocol=tcp
# TCP/8291: WinBox management.
add action=accept chain=services comment="allow winbox" disabled=no dst-port=8291 protocol=tcp
# DNS over TCP and UDP.
add action=accept chain=services comment="allow DNS request" disabled=no dst-port=53 protocol=tcp
add action=accept chain=services comment="allow DNS request" disabled=no dst-port=53 protocol=udp
# UDP/20561: MAC WinBox. UDP/5678: MikroTik neighbor discovery (MNDP), which announces
# the device identity and version to whoever can receive it.
add action=accept chain=services comment="alllow MACwinbox" disabled=no dst-port=20561 protocol=udp
add action=accept chain=services comment=" MT Discovery Protocol" disabled=no dst-port=5678 protocol=udp
# Non-payment blocking ("Bloqueio Inadimplentes" = block delinquent customers). Both rules
# are disabled=yes, so they have no effect as exported. When enabled, forwarded TCP/81 is
# accepted first, then everything from sources in address-list "bloqueio" is dropped.
# NOTE(review): presumably TCP/81 serves a notice page for blocked customers; confirm.
add action=accept chain=forward comment="Bloqueio Inadimplentes" disabled=yes dst-port=81 protocol=tcp
add action=drop chain=forward comment="" disabled=yes src-address-list=bloqueio
# Outbound SMTP abuse detection: a source matching connection-limit=30,32 (30 concurrent
# TCP/25 connections, counted per single address) is added to address-list "spammer" for
# 3 days. limit=10/1m,1 must match as well, which caps how often this rule fires.
add action=add-src-to-address-list address-list=spammer address-list-timeout=3d chain=forward comment=\
"Detect and add-list SMTP virus or spammers" connection-limit=30,32 disabled=no dst-port=25 limit=10/1m,1 protocol=\
tcp
# Drops forwarded TCP/25 from any source currently in "spammer".
add action=drop chain=forward comment="BLOCK SPAMMERS OR INFECTED USERS" disabled=no dst-port=25 protocol=tcp \
src-address-list=spammer
# Chain "virus" ("BLOQUEIO LISTA DE VIRUS CONHECIDOS" = block list of known viruses):
# drops ports 135-139 (RPC/NetBIOS) on TCP and UDP.
# NOTE(review): the only visible jump into "virus" is from chain=input, so these rules
# filter traffic addressed to the router itself, not forwarded customer traffic.
add action=drop chain=virus comment="BLOQUEIO LISTA DE VIRUS CONHECIDOS" disabled=no dst-port=135-139 protocol=tcp
add action=drop chain=virus comment="" disabled=no dst-port=135-139 protocol=udp
# Forwarded traffic to destination port 0 (UDP and TCP) and traffic matched by the
# p2p=warez classifier is dropped.
add action=drop chain=forward comment="BLOQUEIO WAREZ/ARES" disabled=no dst-port=0 protocol=udp
add action=drop chain=forward comment="" disabled=no dst-port=0 protocol=tcp
add action=drop chain=forward comment="" disabled=no p2p=warez
# Disabled: would drop TCP/3127-3128 in chain "virus".
add action=drop chain=virus comment="!!! DROP PORTA PROXY !!!" disabled=yes dst-port=3127-3128 protocol=tcp
# Drops TCP/22-23 (SSH and Telnet) addressed to the router, from every source.
# NOTE(review): this blocks the ports but leaves the services running; disabling unused
# services under /ip service is the stronger control. No equivalent input restriction on
# the other management ports (8081, 8291) is visible in this export.
add action=drop chain=input comment="BLOQUEIO DE SSH - PORTA 22 e 23" disabled=no dst-port=22-23 protocol=tcp
# Output chain (traffic originated by the router): drop invalid, accept related and
# established.
add action=drop chain=output comment="drop invalid packets" connection-state=invalid disabled=no
add action=accept chain=output comment="accept related packets" connection-state=related disabled=no
add action=accept chain=output comment="accept established packets" connection-state=established disabled=no
# Input chain (traffic addressed to the router): drop invalid, accept related.
# NOTE(review): unlike output, input has no connection-state=established accept and no
# closing drop rule in this export. RouterOS accepts packets that reach the end of a
# built-in chain, so anything not explicitly dropped here is allowed to reach the router.
# Confirm whether a final drop with a management allow-list exists elsewhere.
add action=drop chain=input comment="Drop invalid connections" connection-state=invalid disabled=no
add action=accept chain=input comment="Accept related connections" connection-state=related disabled=no
# Port-scan detection on TCP: psd=21,3s,3,1 is weight threshold 21, delay threshold 3s,
# weight 3 for low ports and weight 1 for high ports. Matching packets are dropped.
add action=drop chain=input comment="detect and drop port scan connections" disabled=no protocol=tcp psd=21,3s,3,1
# Sends the remaining input traffic through chain "virus"; unmatched packets return here.
add action=jump chain=input comment="!!! Check for well-known viruses !!!" disabled=no jump-target=virus
# "BLOQUEIO ENTRE USUARIOS" = blocking between users: drops forwarded NetBIOS/RPC
# (135-139), SMB (445) and SSDP (UDP 1900 as destination or source port).
# These rules carry no address or interface match, so they apply to all forwarded traffic.
add action=drop chain=forward comment="BLOQUEIO ENTRE USUARIOS" disabled=no dst-port=135-139 protocol=tcp
add action=drop chain=forward comment="" disabled=no dst-port=445 protocol=tcp
add action=drop chain=forward comment="" disabled=no dst-port=445 protocol=udp
add action=drop chain=forward comment="" disabled=no dst-port=135-139 protocol=udp
add action=drop chain=forward comment="" disabled=no dst-port=1900 protocol=udp
add action=drop chain=forward comment="" disabled=no protocol=udp src-port=1900
# Forward chain state handling: drop invalid, accept related.
# NOTE(review): no connection-state=established accept and no closing drop for forward
# are visible in this export, so forwarded traffic not dropped above is accepted by default.
add action=drop chain=forward comment="drop invalid packets" connection-state=invalid disabled=no
add action=accept chain=forward comment="accept related packets" connection-state=related disabled=no
# Concurrent-connection caps, applied to TCP SYN packets only.
# Disabled: would drop new connections from host 192.168.2.201 above 60 concurrent
# (netmask 32 = counted per single address).
add action=drop chain=forward comment="CONEXOES SIMULTANEAS ESPECIAIS" connection-limit=60,32 disabled=yes protocol=tcp \
src-address=192.168.2.201 tcp-flags=syn
# Customer connection limit ("CONTROLE CONEXOES SIMULTANEAS CLIENTES").
# NOTE(review): src-address=192.168.5.0 carries no prefix length, so it matches only the
# single address 192.168.5.0, and connection-limit=20,24 counts connections per /24 block
# rather than per client. If a per-client cap over the subnet was intended, that would be
# src-address=192.168.5.0/24 with connection-limit=20,32. Confirm the intent before
# changing it, since the edit changes which customers are throttled.
add action=drop chain=forward comment="## CONTROLE CONEXOES SIMULTANEAS CLIENTES ##" connection-limit=20,24 disabled=no \
protocol=tcp src-address=192.168.5.0 tcp-flags=syn
# Disabled: same pattern for 192.168.3.0; the prefix-length note above applies here too.
add action=drop chain=forward comment="" connection-limit=20,24 disabled=yes protocol=tcp src-address=192.168.3.0 \
tcp-flags=syn
# ICMP to the router: accepted while within limit=50/5s,2; every other ICMP packet is
# dropped by the next rule.
# NOTE(review): the drop covers all ICMP types, not only echo, so error messages addressed
# to the router (e.g. fragmentation-needed) are also discarded once the rate is exceeded.
add action=accept chain=input comment="Allow limited pings" disabled=no limit=50/5s,2 protocol=icmp
add action=drop chain=input comment="Drop excess pings" disabled=no protocol=icmp
# NOTE(review): this accept has the same match (forward, TCP/25, src-address-list=spammer)
# as the earlier "BLOCK SPAMMERS OR INFECTED USERS" drop. That drop comes first, so this
# rule is unreachable while the drop is enabled; if the drop were disabled or moved, this
# rule would re-allow SMTP from listed sources. It looks like a leftover; confirm and remove.
add action=accept chain=forward comment="" disabled=no dst-port=25 protocol=tcp src-address-list=spammer
# Adds sources of forwarded TCP/25 that match connection-limit=30,32 and limit=50,5 to
# address-list "excess_ping".
# NOTE(review): the list name does not describe the match (SMTP, not ICMP), and no rule in
# this export reads "excess_ping", so the entries only accumulate. address-list-timeout=0s
# presumably means the entries do not expire on a timer; verify against the RouterOS
# version in use.
add action=add-src-to-address-list address-list=excess_ping address-list-timeout=0s chain=forward comment="" \
connection-limit=30,32 disabled=no dst-port=25 limit=50,5 protocol=tcp