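# IPv6 firewall filter for RouterOS. References:
#   https://mum.mikrotik.com/presentations/EU17/presentation_4088_1492591370.pdf
#   http://tools.ietf.org/html/rfc792  (ICMPv4; the IPv6 counterparts are RFC 4443, and the
#   filtering recommendations for ICMPv6 are in RFC 4890)
#
# Assumptions that this listing does not show - confirm before importing:
#   - sit1 is the upstream (Internet-facing) tunnel interface; every other interface is "inside".
#   - The list "Administrative IPv6 Addresses" exists under /ipv6 firewall address-list.
#   - The chain "Illegal Addresses" (bogon / illegal-multicast filtering) is defined elsewhere.
#     A jump to an undefined chain matches nothing, so this script on its own blocks no bogons.
/ipv6 firewall filter
# ---- input: packets addressed to the router itself ----
add action=accept chain=input comment="Accept Established and Related Connections" connection-state=established,related
# Quoting fixed: the original closed the list name with a typographic quote (U+201C), which RouterOS
# does not treat as a string terminator, so the import broke. The name must match the address-list entry.
add action=accept chain=input comment="Accept Connections from IPv6 administrative addresses" src-address-list="Administrative IPv6 Addresses"
# DHCPv6 is UDP only (RFC 8415); the former "TCP 547->546" rules matched no real protocol and are gone.
# NOTE(review): this matches on port numbers alone, which any remote sender controls. If the DHCPv6
# server or relay is on-link, tighten with in-interface=<client interface> or src-address=fe80::/10.
add action=accept chain=input comment="Accept DHCPv6 (UDP ports 547->546)" dst-port=546 protocol=udp src-port=547
# Only ICMPv6 needs the control chain; restricting the jump is equivalent to the original (non-ICMPv6
# packets fell through the chain unmatched) and avoids a pointless chain walk before the drop.
add action=jump chain=input comment="Jump to ICMPv6 Control" jump-target=ICMPv6_Control protocol=icmpv6
add action=drop chain=input comment="Drop all the rest"
# ---- output: packets originated by the router ----
# NOTE(review): with this chain, new connections the router opens itself (DNS, NTP, package updates,
# remote logging) are dropped unless the router's own source address is in the administrative list.
# Confirm that is intended.
add action=accept chain=output comment="Accept Established and Related Connections" connection-state=established,related
add action=accept chain=output comment="Accept Connections from IPv6 administrative addresses" src-address-list="Administrative IPv6 Addresses"
add action=accept chain=output comment="Accept DHCPv6 (UDP ports 546->547)" dst-port=547 protocol=udp src-port=546
add action=jump chain=output comment="Jump to ICMPv6 Control" jump-target=ICMPv6_Control protocol=icmpv6
add action=drop chain=output comment="Drop all the rest"
# ---- forward: packets routed through the router ----
add action=accept chain=forward comment="Transparent mode" disabled=yes
# Bogon / illegal-address filtering runs first so it also covers traffic the accept rules below would
# pass unchecked (the original jumped to this chain only after the accepts, and jumped to it twice).
add action=jump chain=forward comment="Jump to Bogons and Illegal Addresses (incl. multicast) blocking" jump-target="Illegal Addresses"
add action=accept chain=forward comment="Accept connections originated inside the network" connection-state=new out-interface=sit1
add action=accept chain=forward comment="Accept established connections" connection-state=established,related
# NOTE(review): connection tracking does not flag ESP/AH as "related" to an IKE exchange, so these two
# rules only ever match what the established/related rule above already accepts. Kept as in the original.
add action=accept chain=forward comment="Accept IPSec-esp" connection-state=related protocol=ipsec-esp
add action=accept chain=forward comment="Accept IPSec-ah" connection-state=related protocol=ipsec-ah
# IKE runs over UDP 500 (and UDP 4500 for NAT-T), not TCP. The original also accepted ANY TCP packet
# whose *source* port was 500, regardless of interface or state - an external sender can pick that
# source port and reach any internal TCP service. That rule is removed. The replacement below is left
# disabled: enable it only after adding dst-address=<internal IPsec responder> so the whole inside is
# not exposed on UDP 500/4500. Outbound-initiated IPsec already works via the two rules above.
add action=accept chain=forward comment="Accept inbound IKE (UDP 500/4500) to internal IPsec responder - set dst-address before enabling" disabled=yes dst-port=500,4500 protocol=udp
add action=jump chain=forward comment="Jump to ICMPv6 Control" jump-target=ICMPv6_Control protocol=icmpv6
add action=accept chain=forward comment="Accept clients traffic" in-interface=!sit1
# NOTE(review): this admits every new inbound connection from sit1 to any host behind bridge-tunnels;
# narrow it with dst-address= / dst-port= if only the OpenVPN endpoint needs to be reachable.
add action=accept chain=forward comment="for vremote ipv6 openvpn" in-interface=sit1 out-interface=bridge-tunnels
add action=drop chain=forward comment="Drop all the rest"
# ---- ICMPv6_Control: shared by input, output and forward; any ICMPv6 type not listed is dropped ----
add action=accept chain=ICMPv6_Control comment="Accept Destination Unreachable (type 1)" icmp-options=1:0-255 protocol=icmpv6
add action=accept chain=ICMPv6_Control comment="Accept Packet too big (type 2)" icmp-options=2:0-255 protocol=icmpv6
# Code 1 (fragment reassembly time exceeded) is as legitimate as code 0 (RFC 4890 section 4.3).
add action=accept chain=ICMPv6_Control comment="Accept Time exceeded (type 3, codes 0-1)" icmp-options=3:0-1 protocol=icmpv6
# The original had three overlapping rules (4:1, 4:2, 4:0-255) with mislabelled comments; one suffices.
add action=accept chain=ICMPv6_Control comment="Accept Parameter problem (type 4, all codes)" icmp-options=4:0-255 protocol=icmpv6
# The echo-request rule promised a rate limit in its comment but had no limit= matcher; both directions
# are now limited the same way.
add action=accept chain=ICMPv6_Control comment="Accept limited Echo Requests (type 128) - 5/sec, burst 10" icmp-options=128:0-255 limit=5,10:packet protocol=icmpv6
add action=accept chain=ICMPv6_Control comment="Accept limited Echo Replies (type 129) - 5/sec, burst 10" icmp-options=129:0-255 limit=5,10:packet protocol=icmpv6
# MLD (types 130-132, 143) is sent with hop limit 1 (RFC 2710 / RFC 3810), so the original
# "143 with hop limit 255" rule could never match a genuine report. RFC 4890 section 4.4.1 lists all four
# as must-not-drop on a link; Listener Query (130) is what lets the router answer as a multicast listener.
add action=accept chain=ICMPv6_Control comment="Accept MLD Listener Query (type 130), hop limit 1" hop-limit=equal:1 icmp-options=130:0 protocol=icmpv6
add action=accept chain=ICMPv6_Control comment="Accept MLD Listener Report (type 131), hop limit 1" hop-limit=equal:1 icmp-options=131:0 protocol=icmpv6
add action=accept chain=ICMPv6_Control comment="Accept MLD Listener Done (type 132), hop limit 1" hop-limit=equal:1 icmp-options=132:0 protocol=icmpv6
add action=accept chain=ICMPv6_Control comment="Accept MLDv2 Listener Report (type 143), hop limit 1" hop-limit=equal:1 icmp-options=143:0 protocol=icmpv6
# Neighbor Discovery must arrive with hop limit 255 (i.e. it was never forwarded); anything else is spoofed.
add action=accept chain=ICMPv6_Control comment="Accept Router Solicitation (type 133), hop limit 255" hop-limit=equal:255 icmp-options=133:0 protocol=icmpv6
add action=accept chain=ICMPv6_Control comment="Accept Router Advertisement (type 134), hop limit 255" hop-limit=equal:255 icmp-options=134:0 protocol=icmpv6
add action=accept chain=ICMPv6_Control comment="Accept Neighbor Solicitation (type 135), hop limit 255" hop-limit=equal:255 icmp-options=135:0 protocol=icmpv6
add action=accept chain=ICMPv6_Control comment="Accept Neighbor Advertisement (type 136), hop limit 255" hop-limit=equal:255 icmp-options=136:0 protocol=icmpv6
# Redirect (137), Node Information (139/140), Inverse ND (141/142) and every unknown type end here.
add action=drop chain=ICMPv6_Control comment="Drop all other ICMPv6" protocol=icmpv6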