The text file version is located here: RFC_Protect_ROS_Services
#########################################################################################################
# Rick Frey Consulting Protect RouterOS Services Chain #
#########################################################################################################
# Author: Rick Frey #
# email: rickfrey1000@gmail.com #
# Username in MikroTik Forum is rickfrey #
#########################################################################################################
# License #
# This script has been created for use by the general public and may be used freely. #
#########################################################################################################
#########################################################################################################
# Features
# – Provides access to commonly used services that the router provides. This would be used before dropping
# – all other traffic.
#########################################################################################################
/ip firewall filter
add action=jump chain=input comment=”Protect RouterOS Services” jump-target=”Protect RouterOS Services”
add action=jump chain=forward comment=”Protect RouterOS Services” jump-target=”Protect RouterOS Services”
add action=accept chain=”Protect RouterOS Services” comment=”Allow BW Test Server from LAN” in-interface-list=”LAN Interfaces” port=2000 protocol=udp
add action=accept chain=”Protect RouterOS Services” comment=”Allow MAC Winbox from the LAN” in-interface-list=”LAN Interfaces” port=20561 protocol=udp
add action=accept chain=”Protect RouterOS Services” comment=”Allow Bootstrap and DHCP from LAN” in-interface-list=”LAN Interfaces” port=67-68 protocol=udp
add action=accept chain=”Protect RouterOS Services” comment=”Allow SNMP from LAN” in-interface-list=”LAN Interfaces” port=161,162 protocol=udp
add action=accept chain=”Protect RouterOS Services” comment=”Allow RIP from LAN” in-interface-list=”LAN Interfaces” port=520,521 protocol=udp
add action=accept chain=”Protect RouterOS Services” comment=”Allow DHCPv6 Client and Server Messages from LAN” in-interface-list=”LAN Interfaces” port=546,547 protocol=udp
add action=accept chain=”Protect RouterOS Services” comment=”Allow LDP Transport Session from LAN” in-interface-list=”LAN Interfaces” port=646 protocol=tcp
add action=accept chain=”Protect RouterOS Services” comment=”Allow LDP Hello Messages from LAN” in-interface-list=”LAN Interfaces” port=646 protocol=udp
add action=accept chain=”Protect RouterOS Services” comment=”Allow RSVP TE Tunnels from LAN” in-interface-list=”LAN Interfaces” port=1698,1699 protocol=udp
add action=accept chain=”Protect RouterOS Services” comment=”Allow L2TP from LAN & WAN” port=1701 protocol=udp
add action=accept chain=”Protect RouterOS Services” comment=”Allow PPTP from LAN & WAN” port=1723 protocol=tcp
add action=accept chain=”Protect RouterOS Services” comment=”Allow BGP (TCP 179) from LAN & WAN” port=179 protocol=tcp
add action=accept chain=”Protect RouterOS Services” comment=”Allow CAPsMAN from LAN” in-interface-list=”LAN Interfaces” port=5246,5247 protocol=udp
add action=accept chain=”Protect RouterOS Services” comment=”Allow IGMP/ Multicast from LAN” in-interface-list=”LAN Interfaces” protocol=igmp
add action=accept chain=”Protect RouterOS Services” comment=”Allow OSPF from LAN” in-interface-list=”LAN Interfaces” protocol=ospf
add action=accept chain=”Protect RouterOS Services” comment=”Allow GRE from LAN & WAN” protocol=gre
add action=accept chain=”Protect RouterOS Services” comment=”Allow ESP LAN & WAN” protocol=ipsec-esp
add action=accept chain=”Protect RouterOS Services” comment=”Allow PIM/ Multicast from LAN” in-interface-list=”LAN Interfaces” protocol=pim
add action=accept chain=”Protect RouterOS Services” comment=”Allow VRRP from LAN & WAN” protocol=vrrp
add action=accept chain=”Protect RouterOS Services” comment=”Allow AH from LAN & WAN” protocol=ipsec-ah
add action=accept chain=”Protect RouterOS Services” comment=”Allow OpenFlow from LAN & WAN” port=6343 protocol=tcp
add action=accept chain=”Protect RouterOS Services” comment=”Allow MNDP from LAN” in-interface-list=”LAN Interfaces” port=5678 protocol=udp
add action=drop chain=”Protect RouterOS Services” comment=”Drop attempts to access the SOCKs Proxy” port=1080 protocol=tcp
add action=return chain=”Protect RouterOS Services” comment=”Return from Protect RouterOS Services”