RFC Port Scan Protection Chain


The text file version is located here: RFC_Port_Scan_Protection_Chain

#########################################################################################################
# Rick Frey Consulting Port Scan Protection Chain #
#########################################################################################################
# Author: Rick Frey #
# email: rickfrey1000@gmail.com #
# Username in MikroTik Forum is rickfrey #
#########################################################################################################
# License #
# This script has been created for use by the general public and may be used freely. #
#########################################################################################################
#########################################################################################################
# Features
# – Protects against multiple types of TCP and UDP Port Scans
# – Uses the Interface lists for “WAN Interfaces” and “LAN Interfaces”
#########################################################################################################

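/ip firewall filter
# Port-scan detection chain for RouterOS (/ip firewall filter).
#
# Every rule below is appended ("add" places it after the rules already in its chain), so the
# four jump rules land wherever the current input and forward chains end. Check their position
# after import: traffic accepted or dropped by an earlier rule never reaches "RFC Port Scans".
#
# Dispatch: TCP and UDP arriving at the router (input) or transiting it (forward) are handed to
# the detection chain. Other protocols are not inspected here.
add action=jump chain=input comment="Jump to RFC Port Scans" jump-target="RFC Port Scans" protocol=tcp
add action=jump chain=input comment="Jump to RFC Port Scans" jump-target="RFC Port Scans" protocol=udp
add action=jump chain=forward comment="Jump to RFC Port Scans" jump-target="RFC Port Scans" protocol=tcp
add action=jump chain=forward comment="Jump to RFC Port Scans" jump-target="RFC Port Scans" protocol=udp
#
# WAN-side detection (in-interface-list="WAN Interfaces").
# psd=WeightThreshold,DelayThreshold,LowPortWeight,HighPortWeight: a source is listed once the
# weighted count of distinct destination ports it touches within 3s reaches 21 (ports below
# 1024 weigh 3, the rest weigh 1).
# address-list-timeout=none-dynamic: the entry is dynamic (not written to the saved
# configuration) and never expires on its own, so it stays until reboot or manual removal.
add action=add-src-to-address-list address-list="WAN Port Scanners" address-list-timeout=none-dynamic chain="RFC Port Scans" comment=\
"Detect WAN TCP Port Scans" in-interface-list="WAN Interfaces" protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="WAN Port Scanners" address-list-timeout=none-dynamic chain="RFC Port Scans" comment=\
"Detect WAN UDP Port Scans" in-interface-list="WAN Interfaces" protocol=udp psd=21,3s,3,1
# Malformed-flag probes. tcp-flags lists flags that must be set; a leading "!" marks flags that
# must be clear. These combinations never occur in a legitimate handshake, so a single packet
# is enough to list the source for two weeks (address-list-timeout=2w).
add action=add-src-to-address-list address-list="WAN Port Scanners" address-list-timeout=2w chain="RFC Port Scans" comment=\
"Detect WAN NMAP FIN Stealth scan" in-interface-list="WAN Interfaces" protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="WAN Port Scanners" address-list-timeout=2w chain="RFC Port Scans" comment=\
"Detect WAN SYN/FIN scan" in-interface-list="WAN Interfaces" protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list="WAN Port Scanners" address-list-timeout=2w chain="RFC Port Scans" comment=\
"Detect WAN SYN/RST scan" in-interface-list="WAN Interfaces" protocol=tcp tcp-flags=syn,rst
# Fix: this rule previously wrote to a separate list named "port scanners", which no drop rule
# below consults, so FIN/PSH/URG scanners were recorded but never blocked. It now feeds the
# same "WAN Port Scanners" list as the other WAN detectors.
add action=add-src-to-address-list address-list="WAN Port Scanners" address-list-timeout=2w chain="RFC Port Scans" comment=\
"Detect WAN FIN/PSH/URG scan" in-interface-list="WAN Interfaces" protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="WAN Port Scanners" address-list-timeout=2w chain="RFC Port Scans" comment=\
"Detect WAN ALL/ALL scan" in-interface-list="WAN Interfaces" protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="WAN Port Scanners" address-list-timeout=2w chain="RFC Port Scans" comment=\
"Detect WAN NMAP NULL scan" in-interface-list="WAN Interfaces" protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
#
# LAN-side detection (in-interface-list="LAN Interfaces"), same thresholds as the WAN rules.
# Internal hosts that legitimately open many ports in a short time (monitoring, inventory or
# vulnerability scanners) will be listed and then cut off by the drop rules below; exempt such
# hosts with an accept rule placed before the jump rules if that is not wanted.
add action=add-src-to-address-list address-list="LAN Port Scanners" address-list-timeout=none-dynamic chain="RFC Port Scans" comment=\
"Detect LAN TCP Port Scans" in-interface-list="LAN Interfaces" protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="LAN Port Scanners" address-list-timeout=none-dynamic chain="RFC Port Scans" comment=\
"Detect LAN UDP Port Scans" in-interface-list="LAN Interfaces" protocol=udp psd=21,3s,3,1
add action=add-src-to-address-list address-list="LAN Port Scanners" address-list-timeout=2w chain="RFC Port Scans" comment=\
"Detect LAN NMAP FIN Stealth scan" in-interface-list="LAN Interfaces" protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="LAN Port Scanners" address-list-timeout=2w chain="RFC Port Scans" comment=\
"Detect LAN SYN/FIN scan" in-interface-list="LAN Interfaces" protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list="LAN Port Scanners" address-list-timeout=2w chain="RFC Port Scans" comment=\
"Detect LAN SYN/RST scan" in-interface-list="LAN Interfaces" protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list="LAN Port Scanners" address-list-timeout=2w chain="RFC Port Scans" comment=\
"Detect LAN FIN/PSH/URG scan" in-interface-list="LAN Interfaces" protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="LAN Port Scanners" address-list-timeout=2w chain="RFC Port Scans" comment=\
"Detect LAN ALL/ALL scan" in-interface-list="LAN Interfaces" protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="LAN Port Scanners" address-list-timeout=2w chain="RFC Port Scans" comment=\
"Detect LAN NMAP NULL scan" in-interface-list="LAN Interfaces" protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
#
# Enforcement. add-src-to-address-list does not terminate rule processing, so the packet that
# triggers a detector continues down the chain and is dropped here in the same pass.
# The src-address-list rules drop packets coming from a listed host; the dst-address-list rules
# are not duplicates of them -- they drop packets going toward a listed host (replies and new
# connections), so a listed host is cut off in both directions until its entry expires or is
# removed by hand (/ip firewall address-list).
add action=drop chain="RFC Port Scans" comment="Drop anyone in the WAN Port Scanner List" src-address-list="WAN Port Scanners"
add action=drop chain="RFC Port Scans" comment="Drop anyone in the WAN Port Scanner List" dst-address-list="WAN Port Scanners"
add action=drop chain="RFC Port Scans" comment="Drop anyone in the LAN Port Scanner List" src-address-list="LAN Port Scanners"
add action=drop chain="RFC Port Scans" comment="Drop anyone in the LAN Port Scanner List" dst-address-list="LAN Port Scanners"
# Hand unlisted traffic back to the calling chain (input or forward) for normal processing.
add action=return chain="RFC Port Scans" comment="Return from RFC Port Scans"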



4 thoughts on “RFC Port Scan Protection Chain”

  • Stefan Müller

    Looks like these are duplicates:
    add action=drop chain=”RFC Port Scans” comment=”Drop anyone in the WAN Port Scanner List” src-address-list=”WAN Port Scanners”
    add action=drop chain=”RFC Port Scans” comment=”Drop anyone in the WAN Port Scanner List” dst-address-list=”WAN Port Scanners”
    add action=drop chain=”RFC Port Scans” comment=”Drop anyone in the LAN Port Scanner List” src-address-list=”LAN Port Scanners”
    add action=drop chain=”RFC Port Scans” comment=”Drop anyone in the LAN Port Scanner List” dst-address-list=”LAN Port Scanners”

    Would it be better to put them in RAW?