Les paso mi coleccion de ajustes favoritos del "firewall" Mikrotik (nota uso ether1 en un RB2011 como conexion al exterior) :
/ip firewall address-list
add address=192.168.0.0/24 list="Local LAN" <---aqui la subred local, modifique segun corresponda
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=not_in_internet
add list=ddos-attackers
add list=ddos-target
/ip firewall filter
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=accept chain=input comment="Acepto trafico local" src-address-list="Local LAN"
add action=accept chain=input comment="Acepto trafico de la intranet" in-interface-list=INTRANET
add chain=forward connection-state=new action=jump comment="Deteccion DDOS" in-interface=ether1 jump-target=detect-ddos
add action=return chain=detect-ddos comment="Control DDOS" dst-limit=32,32,src-and-dst-addresses/10s
add action=add-dst-to-address-list address-list=ddos-target address-list-timeout=10m chain=detect-ddos
add action=add-src-to-address-list address-list=ddos-attackers address-list-timeout=10m chain=detect-ddos
###ESTA SECCION SE PUEDE ELIMINAR SI NO SE USA UNA VPN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=input comment=500,4500 dst-port=500,4500 in-interface=ether1 protocol=udp src-port=500,4500
add action=accept chain=input in-interface-list=WAN in-interface=ether1 protocol=ipsec-esp
add action=accept chain=input in-interface-list=WAN in-interface=ether1 protocol=ipsec-ah
add action=accept chain=input in-interface-list=WAN in-interface=ether1 protocol=ipencap
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
###FIN DE LA SECCION VPN
##ANTIESCANEO
add action=add-src-to-address-list address-list=Escaner_de_puertos address-list-timeout=2w chain=input comment="Lista con IP que escanean puertos" protocol=tcp psd=21,3s,3,1 src-address-list=!LAN
add action=add-src-to-address-list address-list=Escaner_de_puertos address-list-timeout=2w chain=input comment="NMAP FIN Stealth scan" protocol=tcp src-address-list=!LAN tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list=Escaner_de_puertos address-list-timeout=2w chain=input comment="SYN/FIN scan" protocol=tcp src-address-list=!LAN tcp-flags=fin,syn
add action=add-src-to-address-list address-list=Escaner_de_puertos address-list-timeout=2w chain=input comment="SYN/RST scan" protocol=tcp src-address-list=!LAN tcp-flags=syn,rst
add action=add-src-to-address-list address-list=Escaner_de_puertos address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" protocol=tcp src-address-list=!LAN tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list=Escaner_de_puertos address-list-timeout=2w chain=input comment="ALL/ALL scan" protocol=tcp src-address-list=!LAN tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list=Escaner_de_puertos address-list-timeout=2w chain=input comment="NMAP NULL scan" protocol=tcp src-address-list=!LAN tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=input comment="Volteando escaners" src-address-list=Escaner_de_puertos
##FIN ANTIESCANEO
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=jump chain=forward comment="jump to ICMP filters" jump-target=icmp protocol=icmp
add action=accept chain=icmp comment="Echo request - Avoiding Ping Flood" icmp-options=8:0 limit=1,5
acket log-prefix=pingFlood protocol=icmp
add action=accept chain=icmp comment=PMTUD icmp-options=3:4 protocol=icmp
add action=accept chain=icmp comment="net unreachable" icmp-options=3:0 protocol=icmp
add action=accept chain=icmp comment="host unreachable" icmp-options=3:1 protocol=icmp
add action=accept chain=icmp comment="Destination unreachable" icmp-options=3:0-1 log-prefix=Inalcanzable protocol=icmp
add action=accept chain=icmp comment="allow echo request" icmp-options=8:0 protocol=icmp
add action=accept chain=icmp comment="allow time exceed" icmp-options=11:0 protocol=icmp
add action=accept chain=icmp comment="allow parameter bad" icmp-options=12:0 protocol=icmp
add action=accept chain=icmp comment="echo reply" icmp-options=0:0 protocol=icmp
add action=accept chain=icmp comment="host unreachable fragmentation required" icmp-options=3:4 protocol=icmp
add action=drop chain=icmp comment="deny all other types"
add action=drop chain=input comment="Bloqueo SSH (estandar) WAN" in-interface=ether1 port=22 protocol=tcp
add action=drop chain=input comment="Proteccion entradas" dst-port=53,5678,8291,8728,8729 in-interface=ether1 protocol=tcp
add action=drop chain=input dst-port=53,5678,8291,8728,8729 in-interface=ether1 protocol=udp
add action=drop chain=forward comment="Drop incoming from internet which is not public IP" disabled=yes in-interface=ether1 log-prefix=!public src-address-list=not_in_internet
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface=ether1
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
/ip firewall raw
add action=drop chain=prerouting dst-address-list=ddos-target src-address-list=ddos-attackers
www.pfsense.org
