RFC Port Scan Protection Chain

The text file version is located here: RFC_Port_Scan_Protection_Chain

#########################################################################################################
# Rick Frey Consulting Port Scan Protection Chain #
#########################################################################################################
# Author: Rick Frey #
# email: rickfrey1000@gmail.com #
# Username in MikroTik Forum is rickfrey #
#########################################################################################################
# License #
# This script has been created for use by the general public and may be used freely. #
#########################################################################################################
#########################################################################################################
# Features
# – Protects against multiple types of TCP and UDP Port Scans
# – Uses the Interface lists for “WAN Interfaces” and “LAN Interfaces”
#########################################################################################################

/ip firewall filter
add action=jump chain=input comment=”Jump to RFC Port Scans” jump-target=”RFC Port Scans” protocol=tcp
add action=jump chain=input comment=”Jump to RFC Port Scans” jump-target=”RFC Port Scans” protocol=udp
add action=jump chain=forward comment=”Jump to RFC Port Scans” jump-target=”RFC Port Scans” protocol=tcp
add action=jump chain=forward comment=”Jump to RFC Port Scans” jump-target=”RFC Port Scans” protocol=udp
add action=add-src-to-address-list address-list=”WAN Port Scanners” address-list-timeout=none-dynamic chain=”RFC Port Scans” comment=\
“Detect WAN TCP Port Scans” in-interface-list=”WAN Interfaces” protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list=”WAN Port Scanners” address-list-timeout=none-dynamic chain=”RFC Port Scans” comment=\
“Detect WAN UDP Port Scans” in-interface-list=”WAN Interfaces” protocol=udp psd=21,3s,3,1
add action=add-src-to-address-list address-list=”WAN Port Scanners” address-list-timeout=2w chain=”RFC Port Scans” comment=\
“Detect WAN NMAP FIN Stealth scan” in-interface-list=”WAN Interfaces” protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list=”WAN Port Scanners” address-list-timeout=2w chain=”RFC Port Scans” comment=\
“Detect WAN SYN/FIN scan” in-interface-list=”WAN Interfaces” protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list=”WAN Port Scanners” address-list-timeout=2w chain=”RFC Port Scans” comment=\
“Detect WAN SYN/RST scan” in-interface-list=”WAN Interfaces” protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list=”port scanners” address-list-timeout=2w chain=”RFC Port Scans” comment=\
“Detect WAN FIN/PSH/URG scan” in-interface-list=”WAN Interfaces” protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list=”WAN Port Scanners” address-list-timeout=2w chain=”RFC Port Scans” comment=\
“Detect WAN ALL/ALL scan” in-interface-list=”WAN Interfaces” protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list=”WAN Port Scanners” address-list-timeout=2w chain=”RFC Port Scans” comment=\
“Detect WAN NMAP NULL scan” in-interface-list=”WAN Interfaces” protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list=”LAN Port Scanners” address-list-timeout=none-dynamic chain=”RFC Port Scans” comment=\
“Detect LAN TCP Port Scans” in-interface-list=”LAN Interfaces” protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list=”LAN Port Scanners” address-list-timeout=none-dynamic chain=”RFC Port Scans” comment=\
“Detect LAN UDP Port Scans” in-interface-list=”LAN Interfaces” protocol=udp psd=21,3s,3,1
add action=add-src-to-address-list address-list=”LAN Port Scanners” address-list-timeout=2w chain=”RFC Port Scans” comment=\
“Detect LAN NMAP FIN Stealth scan” in-interface-list=”LAN Interfaces” protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list=”LAN Port Scanners” address-list-timeout=2w chain=”RFC Port Scans” comment=\
“Detect LAN SYN/FIN scan” in-interface-list=”LAN Interfaces” protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list=”LAN Port Scanners” address-list-timeout=2w chain=”RFC Port Scans” comment=\
“Detect LAN SYN/RST scan” in-interface-list=”LAN Interfaces” protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list=”LAN Port Scanners” address-list-timeout=2w chain=”RFC Port Scans” comment=\
“Detect LAN FIN/PSH/URG scan” in-interface-list=”LAN Interfaces” protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list=”LAN Port Scanners” address-list-timeout=2w chain=”RFC Port Scans” comment=\
“Detect LAN ALL/ALL scan” in-interface-list=”LAN Interfaces” protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list=”LAN Port Scanners” address-list-timeout=2w chain=”RFC Port Scans” comment=\
“Detect LAN NMAP NULL scan” in-interface-list=”LAN Interfaces” protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=”RFC Port Scans” comment=”Drop anyone in the WAN Port Scanner List” src-address-list=”WAN Port Scanners”
add action=drop chain=”RFC Port Scans” comment=”Drop anyone in the WAN Port Scanner List” dst-address-list=”WAN Port Scanners”
add action=drop chain=”RFC Port Scans” comment=”Drop anyone in the LAN Port Scanner List” src-address-list=”LAN Port Scanners”
add action=drop chain=”RFC Port Scans” comment=”Drop anyone in the LAN Port Scanner List” dst-address-list=”LAN Port Scanners”
add action=return chain=”RFC Port Scans” comment=”Return from RFC Port Scans”

4 thoughts on “RFC Port Scan Protection Chain”

Log in to Reply

Stefan Müller June 18, 2023 at 11:49 AM

looks like these are duplicates
add action=drop chain=”RFC Port Scans” comment=”Drop anyone in the WAN Port Scanner List” src-address-list=”WAN Port Scanners”
add action=drop chain=”RFC Port Scans” comment=”Drop anyone in the WAN Port Scanner List” dst-address-list=”WAN Port Scanners”
add action=drop chain=”RFC Port Scans” comment=”Drop anyone in the LAN Port Scanner List” src-address-list=”LAN Port Scanners”
add action=drop chain=”RFC Port Scans” comment=”Drop anyone in the LAN Port Scanner List” dst-address-list=”LAN Port Scanners”

would it better to put them in RAW?

Loading...
- Log in to Reply
  
  Stefan Müller June 18, 2023 at 11:58 AM
  
  cannot not edit my post,
  overlooked :
  src-address-list=”WAN Port Scanners”
  dst-address-list=”WAN Port Scanners”
  
  but still, RAW?
  
  Loading...
  - Log in to Reply
    
    rickfrey1000 Post author October 25, 2023 at 5:37 PM
    
    The things that we traditionally used to do in the Filters section are moving to the RAW section due to the performance increase.
    
    Loading...
- Log in to Reply
  
  rickfrey1000 Post author October 25, 2023 at 5:36 PM
  
  No, they are refrenceing the “to/ DST” and “from/ SRC” aspects of the packet.
  
  Loading...

The Next Generation of Networking Now – 1-430-236-5829

The Next Generation of Networking Now – 1-430-236-5829

RFC Port Scan Protection Chain

Like this:

Related

Leave a ReplyCancel reply

4 thoughts on “RFC Port Scan Protection Chain”

Share this:

Like this:

Related

Leave a ReplyCancel reply

4 thoughts on “RFC Port Scan Protection Chain”