The text file version is located here: RFC_Port_Scan_Protection_Chain
#########################################################################################################
# Rick Frey Consulting Port Scan Protection Chain #
#########################################################################################################
# Author: Rick Frey #
# email: rickfrey1000@gmail.com #
# Username in MikroTik Forum is rickfrey #
#########################################################################################################
# License #
# This script has been created for use by the general public and may be used freely. #
#########################################################################################################
#########################################################################################################
# Features
# - Protects against multiple types of TCP and UDP Port Scans
# - Uses the Interface lists for "WAN Interfaces" and "LAN Interfaces"
#########################################################################################################
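/ip firewall filter
# Send every TCP and UDP packet seen on the input and forward chains through the
# "RFC Port Scans" chain. The detection rules there populate address lists and the
# drop rules act on those lists; the final "return" hands unmatched packets back.
# NOTE(review): "add" appends to the end of the chain. If an existing rule earlier
# in input/forward already terminates evaluation (e.g. a final drop), these jumps
# are never reached - place them before it with place-before= when importing.
add action=jump chain=input comment="Jump to RFC Port Scans" jump-target="RFC Port Scans" protocol=tcp
add action=jump chain=input comment="Jump to RFC Port Scans" jump-target="RFC Port Scans" protocol=udp
add action=jump chain=forward comment="Jump to RFC Port Scans" jump-target="RFC Port Scans" protocol=tcp
add action=jump chain=forward comment="Jump to RFC Port Scans" jump-target="RFC Port Scans" protocol=udp
# --- WAN-side detection ---------------------------------------------------------
# psd=WeightThreshold,DelayThreshold,LowPortWeight,HighPortWeight: a source is listed
# once probes to distinct ports within 3s accumulate a weight of 21 (ports <1024 count
# 3, others 1). address-list-timeout=none-dynamic keeps the entry as a dynamic entry
# with no expiry (cleared on reboot), whereas the flag-based rules below expire after 2w.
# NOTE(review): psd is evaluated on every packet that reaches this chain, including
# packets of established connections; a legitimate peer that legitimately touches many
# ports can be listed. Review the WAN list periodically for false positives.
add action=add-src-to-address-list address-list="WAN Port Scanners" address-list-timeout=none-dynamic chain="RFC Port Scans" comment=\
"Detect WAN TCP Port Scans" in-interface-list="WAN Interfaces" protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="WAN Port Scanners" address-list-timeout=none-dynamic chain="RFC Port Scans" comment=\
"Detect WAN UDP Port Scans" in-interface-list="WAN Interfaces" protocol=udp psd=21,3s,3,1
# Illegal / unusual TCP flag combinations that no normal handshake produces.
add action=add-src-to-address-list address-list="WAN Port Scanners" address-list-timeout=2w chain="RFC Port Scans" comment=\
"Detect WAN NMAP FIN Stealth scan" in-interface-list="WAN Interfaces" protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="WAN Port Scanners" address-list-timeout=2w chain="RFC Port Scans" comment=\
"Detect WAN SYN/FIN scan" in-interface-list="WAN Interfaces" protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list="WAN Port Scanners" address-list-timeout=2w chain="RFC Port Scans" comment=\
"Detect WAN SYN/RST scan" in-interface-list="WAN Interfaces" protocol=tcp tcp-flags=syn,rst
# FIX: the original wrote this entry to a list named "port scanners", which no drop
# rule in this chain reads, so FIN/PSH/URG (Xmas) scans from the WAN were detected
# but never blocked. It now feeds the same "WAN Port Scanners" list as its siblings.
add action=add-src-to-address-list address-list="WAN Port Scanners" address-list-timeout=2w chain="RFC Port Scans" comment=\
"Detect WAN FIN/PSH/URG scan" in-interface-list="WAN Interfaces" protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="WAN Port Scanners" address-list-timeout=2w chain="RFC Port Scans" comment=\
"Detect WAN ALL/ALL scan" in-interface-list="WAN Interfaces" protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="WAN Port Scanners" address-list-timeout=2w chain="RFC Port Scans" comment=\
"Detect WAN NMAP NULL scan" in-interface-list="WAN Interfaces" protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
# --- LAN-side detection ---------------------------------------------------------
# Same detectors, keyed on the "LAN Interfaces" list and a separate "LAN Port Scanners"
# list so internal hosts can be reviewed and released independently of WAN offenders.
# NOTE(review): internal vulnerability scanners, monitoring systems and some discovery
# protocols will trip the psd rules; exclude those hosts before enabling on a LAN.
add action=add-src-to-address-list address-list="LAN Port Scanners" address-list-timeout=none-dynamic chain="RFC Port Scans" comment=\
"Detect LAN TCP Port Scans" in-interface-list="LAN Interfaces" protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="LAN Port Scanners" address-list-timeout=none-dynamic chain="RFC Port Scans" comment=\
"Detect LAN UDP Port Scans" in-interface-list="LAN Interfaces" protocol=udp psd=21,3s,3,1
add action=add-src-to-address-list address-list="LAN Port Scanners" address-list-timeout=2w chain="RFC Port Scans" comment=\
"Detect LAN NMAP FIN Stealth scan" in-interface-list="LAN Interfaces" protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="LAN Port Scanners" address-list-timeout=2w chain="RFC Port Scans" comment=\
"Detect LAN SYN/FIN scan" in-interface-list="LAN Interfaces" protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list="LAN Port Scanners" address-list-timeout=2w chain="RFC Port Scans" comment=\
"Detect LAN SYN/RST scan" in-interface-list="LAN Interfaces" protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list="LAN Port Scanners" address-list-timeout=2w chain="RFC Port Scans" comment=\
"Detect LAN FIN/PSH/URG scan" in-interface-list="LAN Interfaces" protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="LAN Port Scanners" address-list-timeout=2w chain="RFC Port Scans" comment=\
"Detect LAN ALL/ALL scan" in-interface-list="LAN Interfaces" protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="LAN Port Scanners" address-list-timeout=2w chain="RFC Port Scans" comment=\
"Detect LAN NMAP NULL scan" in-interface-list="LAN Interfaces" protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
# --- Enforcement -----------------------------------------------------------------
# src-address-list drops traffic coming FROM a listed address; dst-address-list drops
# traffic going TO a listed address, so the router and LAN hosts also cannot initiate
# new connections to a listed peer until its entry expires or is removed.
add action=drop chain="RFC Port Scans" comment="Drop anyone in the WAN Port Scanner List" src-address-list="WAN Port Scanners"
add action=drop chain="RFC Port Scans" comment="Drop anyone in the WAN Port Scanner List" dst-address-list="WAN Port Scanners"
add action=drop chain="RFC Port Scans" comment="Drop anyone in the LAN Port Scanner List" src-address-list="LAN Port Scanners"
add action=drop chain="RFC Port Scans" comment="Drop anyone in the LAN Port Scanner List" dst-address-list="LAN Port Scanners"
# Everything not dropped above continues in the calling chain (input or forward).
add action=return chain="RFC Port Scans" comment="Return from RFC Port Scans"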
These look like duplicates:
add action=drop chain=”RFC Port Scans” comment=”Drop anyone in the WAN Port Scanner List” src-address-list=”WAN Port Scanners”
add action=drop chain=”RFC Port Scans” comment=”Drop anyone in the WAN Port Scanner List” dst-address-list=”WAN Port Scanners”
add action=drop chain=”RFC Port Scans” comment=”Drop anyone in the LAN Port Scanner List” src-address-list=”LAN Port Scanners”
add action=drop chain=”RFC Port Scans” comment=”Drop anyone in the LAN Port Scanner List” dst-address-list=”LAN Port Scanners”
Would it be better to put them in RAW?
I cannot edit my post; I overlooked these:
src-address-list=”WAN Port Scanners”
dst-address-list=”WAN Port Scanners”
but still, RAW?
The things that we traditionally used to do in the Filters section are moving to the RAW section due to the performance increase.
No, they are referencing the "to / DST" and "from / SRC" aspects of the packet.