====== Некоторая защита RDP внутри сети ======

<code bash>
/ip firewall mangle

add action=add-src-to-address-list address-list=rdp_drop address-list-timeout=30m chain=forward comment=rdp_drop connection-state=\
    new dst-port=3389 protocol=tcp src-address-list=rdp_stage5

add action=add-src-to-address-list address-list=rdp_stage5 address-list-timeout=30s chain=forward comment=rdp_stage5 \
    connection-state=new dst-port=3389 protocol=tcp src-address-list=rdp_stage4

add action=add-src-to-address-list address-list=rdp_stage4 address-list-timeout=30s chain=forward comment=rdp_stage4 \
    connection-state=new dst-port=3389 protocol=tcp src-address-list=rdp_stage3

add action=add-src-to-address-list address-list=rdp_stage3 address-list-timeout=30s chain=forward comment=rdp_stage3 \
    connection-state=new dst-port=3389 protocol=tcp src-address-list=rdp_stage2

add action=add-src-to-address-list address-list=rdp_stage2 address-list-timeout=30s chain=forward comment=rdp_stage2 \
    connection-state=new dst-port=3389 protocol=tcp src-address-list=rdp_stage1

add action=add-src-to-address-list address-list=rdp_stage1 address-list-timeout=1m chain=forward comment=rdp_stage1 \
    connection-state=new dst-port=3389 log-prefix=MANGLE protocol=tcp

</code>

<code bash>
/ip firewall raw

add action=drop chain=prerouting comment="// ~ ~ ~ rdp_drop" in-interface=pppoe-out1 log-prefix=PRE src-address-list=rdp_drop
</code>