Discuss best practices of securing your routers with firewall and other methods.
Before rextended can post I will say, the default setup for the firewall is REALLY ONLY designed for a few devices on the flat bridge (one subnet approach, .88.0/24). It allows one to securely connect to the internet and browse, get email, etc. However, as soon as more requirements need to be addressed and added to the config, it's best to make some fundamental changes. The default blocks some stuff and allows all other traffic. It's more secure/polished to allow only needed traffic and block everything else.
The beauty of this approach is that when one introduces other subnets, aka taking a port off a bridge and assigning it a subnet, or converting subnets to vlans, the new approach meshes very well, maintaining solid security.
STEP 1: changing the default vision to allow only what is needed and block all else
FROM:
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
++++++++++++++++++++++++++++++++++++
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
TO:
/ip firewall filter
# default rules to keep
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# admin rules
add action=accept chain=input comment="allow ONLY LAN originated traffic" in-interface-list=LAN
add action=drop chain=input comment="drop all else"
++++++++++++++++++++++++++++++++++++
# default rules to keep
# remove the two ipsec rules if not doing ipsec
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
# admin rules
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
# port forwarding rule: enable if required, or remove
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat disabled=yes
add action=drop chain=forward comment="drop all else"
Discussion: Although subtle, the changes remove the complexity of using the ! symbol, which, if not understood, can cause issues later on. The input chain changes allow one to later easily limit access to the router to LAN users for services and only to the admin for configuration purposes. The forward chain changes ensure any LAN to LAN traffic, vice just WAN to LAN, is blocked when other subnets or vlans are added to the mix. The port forwarding rule is disabled unless needed and is formatted to allow both external and internal use of any servers via the wanip/URL.
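As an added example that is not part of the post above: a small Python first-match model of the two forward chains (default vs changed, with the port-forwarding rule enabled), run over constructed sample traffic, showing that a new LAN-to-other-LAN connection slips through the default chain but is caught by "drop all else" in the changed one. Matching is simplified to connection-state, interface list and NAT state; the fasttrack rule is omitted since it only accelerates already-accepted established/related traffic.

```python
# Added example: simplified first-match model of the two forward chains in the
# post. Rule matching is reduced to connection-state, interface list and NAT
# state; fasttrack is omitted because it only accelerates established/related
# traffic that the next rule accepts anyway.
DEFAULT_FORWARD = [
    {"action": "accept", "state": {"established", "related", "untracked"}},
    {"action": "drop", "state": {"invalid"}},
    {"action": "drop", "state": {"new"}, "in": "WAN", "nat": "!dstnat"},
]
CHANGED_FORWARD = [
    {"action": "accept", "state": {"established", "related", "untracked"}},
    {"action": "drop", "state": {"invalid"}},
    {"action": "accept", "in": "LAN", "out": "WAN"},   # "internet traffic"
    {"action": "accept", "nat": "dstnat"},              # "port forwarding", enabled
    {"action": "drop"},                                 # "drop all else"
]

def matches(rule, pkt):
    """True if every matcher present in the rule agrees with the packet."""
    if "state" in rule and pkt["state"] not in rule["state"]:
        return False
    for key in ("in", "out"):
        if key in rule and pkt.get(key) != rule[key]:
            return False
    if "nat" in rule:
        negate = rule["nat"].startswith("!")       # "!dstnat" means NOT dstnat
        wanted = rule["nat"].lstrip("!")
        if (pkt.get("nat") == wanted) == negate:
            return False
    return True

def verdict(chain, pkt):
    """First matching rule decides; with no match RouterOS lets the packet through."""
    for rule in chain:
        if matches(rule, pkt):
            return rule["action"]
    return "accept"

# Constructed sample traffic (not captured from a real router).
PACKETS = {
    "lan_to_internet":  {"state": "new", "in": "LAN", "out": "WAN"},
    "lan_to_other_lan": {"state": "new", "in": "LAN", "out": "LAN"},
    "wan_unsolicited":  {"state": "new", "in": "WAN", "out": "LAN"},
    "wan_port_forward": {"state": "new", "in": "WAN", "out": "LAN", "nat": "dstnat"},
    "reply_from_wan":   {"state": "established", "in": "WAN", "out": "LAN"},
}

def compare():
    """Map each sample name to (default-chain verdict, changed-chain verdict)."""
    return {name: (verdict(DEFAULT_FORWARD, p), verdict(CHANGED_FORWARD, p))
            for name, p in PACKETS.items()}
```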