> I have no problem with this myself, I only watch the loads of naive users who view some youtube movie about

While it may sound reasonable at the beginning, it may cause problems in other configurations. Unfortunately we cannot make default configuration to suit all possible scenarios. So if you change WAN interface in default configuration, you MUST change also other relevant parts of configuration, including security settings.
There is no such thing as single button "make my router secure", you must know what you are doing and why you are doing it.
MikroTik routers are not insecure. User alters configuration and makes router insecure, there is only one configuration change that can fix it. Set admin password and do not let such users touch the router )

When you think it is a good situation that people think that MikroTik routers are insecure
I don't think that is the proper solution. Is this really so hard to block UDP 53 in the default configuration?
You have added undeletable fast-forward rules (quite annoying decision for some users) so you can add this one. Don't you?
> The big difference is that in these cases the error is noticed quickly because something that should be passed is

And what rules do you propose to fix setups where clients adds another lan interface or adds VPN? This is also configured in completely different place and instantly blocks DNS for new LAN interfaces.

Did you use quickset to setup PPPoE and did it not set your firewall correctly?
Quick set for pppoe should change the default drop input firewall (input interface) from ether1-gateway to pppoe-out1.

I was one of the unlucky guys having 100% cpu usage from dns attack! (at my first steps with ros)
> That was already stated, but still the default configuration should not leave gaping holes when newbies configure

It is not possible to satisfy everyone and make perfect configuration for any possible case.

> That is great, but apparently a lot of newbies don't use quickset and instead follow incomplete instructions they

Default firewall at the moment is correct and does everything what is necessary for default configuration.
As soon as you change something it is your responsibility to adjust rest of configuration except cases when you use QuickSet.
If you use QuickSet, then firewall is automatically adjusted and WAN interface from ether1 changes to tunnel.
> As ROS just received new functionality called "interface list" the new default router configuration ought to use them.

If you can think set of rules not complicated to fix problems above I will gladly change set in default configuration.

> But user can add just created interface to default rules....
> My English should be better

Default configuration cannot add user created pppoe interface to wan address list, because such interface does not exist during reset

> > But user can add just created interface to default rules....
> > My English should be better
>
> Default configuration cannot add user created pppoe interface to wan address list, because such interface does not exist during reset

Then again it requires user configuration in the list. Do you really think that user which does not know how to add simple rule to protect his new port will know where to find this new interface list?
There should be default in-interface-group list and out-interface-group list. All rules should use these lists as sources, targets etc.
If I add the new interface I need only to put it into particular interface groups and ... voila ... all rules cover new interface.
> Then again it requires user configuration in the list. Do you really think that user which does not know how to add simple rule to protect his new port will know where to find this new interface list?

Yes. Especially if she/he could add PPPoE interface.

That is right, that is the intention of the proposal.
I think nobody bothered to actually read and understand the proposal. It's no bloat, just a paradigm shift improving security.
Instead of "accept connected and related, allow all new except ether1" it was proposed to be changed to "accept connected and related, accept new only from local bridge".
In a default configuration, the behavior is identical. It would just protect newly added interfaces from being left wide open by mistake, treating any added interface as a WAN, not a LAN connection. This happens more often, by adding a PPPoE interface required by a lot of providers, than any other scenario.
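As an added example (my own script, not code from this thread and not MikroTik's factory defconf), here is the "accept new only from the local bridge" scheme of the proposal above written with the interface-list feature, next to the interface-name-based rule set the thread describes as the current default. It also covers the earlier complaint about UDP 53 reaching the router from the WAN: with the second set, a DNS query arriving on a newly added, unlisted interface is dropped by the final rule instead of being accepted. Assumptions: the LAN bridge is named `bridge`, the factory WAN port is `ether1`, the list names `WAN` and `LAN` are my choice, and the provider tunnel is `pppoe-out1` as named earlier in the thread. The two rule sets are alternatives; do not paste both into one router.

```routeros
# Added example, not the factory script. Set 1: interface-name based rules,
# as the thread describes the default at the time. Anything that is not
# established/related is accepted unless it arrives on ether1. A WAN tunnel
# added later (pppoe-out1) does not match the drop rule, so input to the
# router (DNS, winbox, ssh, ...) and forwarding into the LAN stay open.
/ip firewall filter
add chain=input   action=accept connection-state=established,related comment="example: keep existing sessions"
add chain=input   action=drop   in-interface=ether1 comment="example: drop new from WAN, matched by name"
add chain=forward action=accept connection-state=established,related
add chain=forward action=drop   in-interface=ether1

# Set 2: the proposed scheme. Accept new connections only from the LAN list
# and drop everything else, so any interface not explicitly placed in LAN is
# treated as untrusted by default. List names WAN/LAN are an assumption.
/interface list
add name=WAN
add name=LAN
/interface list member
add list=WAN interface=ether1
add list=LAN interface=bridge

/ip firewall filter
add chain=input   action=accept connection-state=established,related comment="example: keep existing sessions"
add chain=input   action=accept in-interface-list=LAN comment="example: new connections only from LAN"
add chain=input   action=drop   comment="example: everything else, including UDP 53 on pppoe-out1"
add chain=forward action=accept connection-state=established,related
add chain=forward action=accept in-interface-list=LAN
add chain=forward action=drop

# A provider tunnel added afterwards is already covered by the final drop
# rules; listing it on the WAN side is only for clarity. Trusting a new
# LAN port is a single line (ether5 is a placeholder here).
/interface list member
add list=WAN interface=pppoe-out1
# add list=LAN interface=ether5

# Check: the member list shows which side each interface is on, and the
# counters on the final drop rules rise for unsolicited traffic from the WAN.
/interface list member print
/ip firewall filter print stats
```

The failure mode of Set 2 is the one raised earlier in the thread: a LAN port or VPN interface that is not added to the LAN list gets no connectivity at all, which is noticed immediately, whereas in Set 1 a forgotten WAN interface fails silently by leaving the router's services reachable from the internet.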
> so far "dropping anything not established on wan"(and "related" maybe) in input/forward chain is quite common/popular thing and accepting "new" lan-side not change anything a lot.

Oh yes it does. Adding a WAN interface without adapting the firewall rules will not expose the router and the LAN to the internet (assuming the rules are duplicated in the input and forward chains). Incoming WAN connections will remain blocked, in contrast to the current set, where they are allowed by the default rules (because the new interface name will not match the WAN drop rule).

> So, under these conditions, there will be default access to webfig, winbox, ftp, ssh, dns (remember, we have the default setup and those are active) and any other possible open service.

With no password till the proud admin changes it.