Cuidadín con la regla que apliqué el otro día, que lo hace demasiado bien y no deja pasar absolutamente ninguna petición de DNS :P
Aquí os dejo 3 protecciones interesantes.
Protección del login ssh
/ip firewall filter add action=drop chain=input comment="BLOQUEJA DURANT 24 hores qui fa 5 intents seguits de login SSH!" dst-port=22 protocol=tcp src-address-list=black_list_ssh add action=add-src-to-address-list address-list=black_list_ssh address-list-timeout=1d chain=input connection-state=new dst-port=22 protocol=tcp src-address-list= ssh_stage4 add action=add-src-to-address-list address-list=ssh_stage4 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp src-address-list= ssh_stage3 add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp src-address-list= ssh_stage2 add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp src-address-list= ssh_stage1 add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp
Protege los intentos de login al 8291 (winbox)
/ip firewall filter add action=drop chain=input comment="BLOQUEJA DURANT 24 hores qui fa 5 intents seguits de login winbox!" dst-port=8291 protocol=tcp src-address-list= black_list_winbox add action=add-src-to-address-list address-list=black_list_winbox address-list-timeout=1d chain=input connection-state=new dst-port=8291 protocol=tcp src-address-list=winbox_stage4 add action=add-src-to-address-list address-list=winbox_stage4 address-list-timeout=3m chain=input connection-state=new dst-port=8291 protocol=tcp src-address-list= winbox_stage3 add action=add-src-to-address-list address-list=winbox_stage3 address-list-timeout=3m chain=input connection-state=new dst-port=8291 protocol=tcp src-address-list= winbox_stage2 add action=add-src-to-address-list address-list=winbox_stage2 address-list-timeout=3m chain=input connection-state=new dst-port=8291 protocol=tcp src-address-list= winbox_stage1 add action=add-src-to-address-list address-list=winbox_stage1 address-list-timeout=3m chain=input connection-state=new dst-port=8291 protocol=tcp
Proteger de ataques de DoS (denegación de servicio)
add action=jump chain=forward connection-state=new jump-target=detect-ddos add action=return chain=detect-ddos dst-limit=32,32,src-and-dst-addresses/10s add action=return chain=detect-ddos src-address=192.168.0.0/16 add action=add-dst-to-address-list address-list=ddosed address-list-timeout=10m chain=detect-ddos add action=add-src-to-address-list address-list=ddoser address-list-timeout=10m chain=detect-ddos add action=drop chain=forward connection-state=new dst-address-list=ddosed src-address-list=ddoser…