/ip firewall filter export compact
# apr/05/2020 17:48:31 by RouterOS 6.44.3
# software id = NTYY-PJHF
#
# model = RB760iGS
# serial number = A8150AC4FC7D
#
# RouterOS IPv4 firewall filter export, compact form (only non-default
# attributes are printed). Within each chain the rules are evaluated top to
# bottom and the first match decides, so the order of the `add` lines below
# is the policy itself; keep it unchanged when re-importing. The interface
# lists "internet" and "lan", the address list LOCAL_LAN and the bridge /
# L2TP interfaces are defined outside this export.
/ip firewall filter
# ---- chain=input: traffic addressed to the router itself ----
# TCP 35351 accepted from any interface and any source; purpose not stated.
add action=accept chain=input dst-port=35351 protocol=tcp
# WinBox on a non-default port, accepted from any interface and any source
# (connection-state="" means no state restriction). Because this rule sits
# above the "Block All wan" drop further down, the port is reachable from the
# internet list as well; narrow it with src-address-list or in-interface-list
# if management is not meant to be exposed there.
add action=accept chain=input comment=WinBox connection-state="" dst-port=28291 \
protocol=tcp
# VPN server side: IPsec ESP plus L2TP (1701), IKE (500) and NAT-T (4500)
# from any source.
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=input port=1701,500,4500 protocol=udp
# chain=output: the same UDP ports leaving toward the internet list.
add action=accept chain=output out-interface-list=internet port=1701,500,4500 \
protocol=udp
# CAPsMAN (CAPWAP UDP 5246/5247) only when both source and destination are
# the router's own addresses (src/dst-address-type=local).
add action=accept chain=input comment="CAPsMAN accept all local traffic" \
dst-address-type=local dst-port=5246,5247 protocol=udp src-address-type=\
local
# Drop well-known service ports toward the router on every interface:
# TFTP 69, portmapper 111, NetBIOS/RPC 135-139, SMB 445 (TCP only), AFP 548.
add action=drop chain=input comment="drop service" dst-port=\
69,111,135-139,445,548 protocol=tcp
add action=drop chain=input dst-port=69,111,135-139,548 protocol=udp
# IPv6 protocol numbers carried over IPv4 (6in4 encapsulation and the IPv6
# extension-header protocols) and ICMPv6 dropped in the IPv4 filter; in
# practice this only affects 6in4-style tunnels terminating on the router.
add action=drop chain=input protocol=ipv6-encap
add action=drop chain=input protocol=ipv6-frag
add action=drop chain=input protocol=ipv6-nonxt
add action=drop chain=input protocol=ipv6-opts
add action=drop chain=input protocol=ipv6-route
add action=drop chain=input protocol=icmpv6
# Connection-tracking "invalid" packets from the internet list are dropped.
add action=drop chain=input comment="drop invalid connections" \
connection-state=invalid in-interface-list=internet
# CAPsMAN bridge: only 192.168.99.0/29 may talk to the router; anything else
# arriving on bridge-capsman is dropped by the next rule.
add action=accept chain=input comment="Input CAPSMAN" in-interface=\
bridge-capsman src-address=192.168.99.0/29
add action=drop chain=input in-interface=bridge-capsman
# LAN list: accept hosts in the LOCAL_LAN address list, accept DHCP
# discover/request broadcasts (0.0.0.0:68 -> 255.255.255.255:67), drop the
# rest of the lan list.
add action=accept chain=input comment="Input Lan" in-interface-list=lan \
src-address-list=LOCAL_LAN
# NOTE(review): the RouterOS DHCP server is documented as using raw sockets
# that bypass the IP firewall, so this rule may be redundant -- confirm for
# this release before relying on it.
add action=accept chain=input dst-address=255.255.255.255 dst-port=67 \
in-interface-list=lan protocol=udp src-address=0.0.0.0 src-port=68
add action=drop chain=input in-interface-list=lan
# UDP datagrams of 0-28 bytes total (no payload beyond the headers) from the
# internet list are dropped.
add action=drop chain=input comment="short udp" in-interface-list=internet \
packet-size=0-28 protocol=udp
# SSH on TCP 2200, accepted from any interface and any source, new or
# established. src-port=1024-65535 only rejects privileged source ports and is
# not an access control; like WinBox above this is reachable from the
# internet list because it precedes the "Block All wan" drop.
add action=accept chain=input comment=SSH connection-state=\
established,related,new dst-port=2200 protocol=tcp src-port=1024-65535
# Established/related traffic accepted from all interfaces. It is placed
# late; moving it above the drop rules would change which packets those drops
# can see, so do not reorder it without reviewing them.
add action=accept chain=input comment="Allow established,relate connections" \
connection-state=established,related
# Catch-all drop for the internet list only. NOTE(review): the input chain
# has no final drop, so packets from an interface that is in neither list and
# is not bridge-capsman (an L2TP tunnel interface, or bridge-guest if it is
# not a member of "lan") fall through to RouterOS's default accept -- confirm
# the list membership matches the intended exposure.
add action=drop chain=input comment="Block All wan" in-interface-list=internet
# ---- chain=forward: traffic routed through the router ----
add action=drop chain=forward comment="Deny invalid forward" connection-state=\
invalid
# New connections from the internet list are only allowed when they were
# DST-NATed (port forwards); every other new inbound connection is dropped
# here, so the accept rules below only pass established/related or DST-NATed
# traffic in the WAN->LAN direction.
add action=drop chain=forward comment="Deny not DSTNAT from WAN" \
connection-nat-state=!dstnat connection-state=new in-interface-list=\
internet
# LAN <-> internet; src-address on egress and dst-address on ingress pin the
# traffic to 192.168.100.0/24 (anti-spoofing).
add action=accept chain=forward comment="Internet Allow" in-interface=\
bridge-lan out-interface-list=internet src-address=192.168.100.0/24
add action=accept chain=forward comment="Internet Allow" dst-address=\
192.168.100.0/24 in-interface-list=internet out-interface=bridge-lan
# The four "# l2tp-in1 not ready" markers below are emitted by the export
# when the interface named in the rule did not exist at export time; such
# rules appear to be flagged invalid and match nothing until the interface
# exists -- verify with /ip firewall filter print that they are active.
# l2tp-in1 not ready
add action=accept chain=forward comment="l2tp to internet" in-interface=\
l2tp-in1 out-interface-list=internet src-address=192.168.7.0/24
# l2tp-in1 not ready
add action=accept chain=forward comment="l2tp to internet" dst-address=\
192.168.7.0/24 in-interface-list=internet out-interface=l2tp-in1
# l2tp-in1 not ready
add action=accept chain=forward comment="l2tp to lan" in-interface=l2tp-in1 \
out-interface-list=lan src-address=192.168.7.0/24
# l2tp-in1 not ready
add action=accept chain=forward comment="l2tp to lan" dst-address=\
192.168.7.0/24 in-interface-list=lan out-interface=l2tp-in1
# Guest bridge (192.168.101.0/24) may only reach the internet list; there is
# no guest<->lan or guest<->l2tp rule, so that traffic hits the final drop.
add action=accept chain=forward in-interface=bridge-guest out-interface-list=\
internet src-address=192.168.101.0/24
add action=accept chain=forward dst-address=192.168.101.0/24 in-interface-list=\
internet out-interface=bridge-guest
# Default deny for everything not matched above in the forward chain.
add action=drop chain=forward