Someone please explain to me where the point is in a default configuration that permits DNS from WAN,
or why in the default configuration it is necessary to drop incoming DNS requests from WAN on the input chain…
http://forum.mikrotik.com/t/buying-rb1100ahx4-dude-edition-questions-about-firewall/148996/4
/ip firewall filter
add chain=input action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
add chain=input action=drop connection-state=invalid comment="defconf: drop invalid"
add chain=input action=accept protocol=icmp comment="defconf: accept ICMP"
add chain=input action=accept dst-address=127.0.0.1 comment="defconf: accept to local loopback (for CAPsMAN)"
add chain=input action=drop in-interface-list=!LAN comment="defconf: drop all not coming from LAN"
[...]
In the OP's “export”:
/ip firewall filter
[...]
add action=drop chain=input comment="defconf: drop all else not coming from LAN" in-interface-list=!LAN
add action=accept chain=input comment="Allow DNS, UDP" dst-port=53 protocol=udp
add action=accept chain=input comment="Allow DNS, TCP" dst-port=53 protocol=tcp
add action=accept chain=input comment="Allow NTP" dst-port=123 protocol=udp
[...]
The rules “opened to the entire world” are put after “drop all from the outside world”,
and really (IN THAT POSITION) they are perfectly secure because the traffic coming from WAN is already blocked.
As @anav suggests, it is better to specify “coming from LAN”, because if they are accidentally moved to the wrong place… BANG!
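As an added illustration (not from the thread or from MikroTik), a small Python first-match simulator of the input chain above: the rule dictionaries, packet fields and interface lists are constructed assumptions that only mimic how RouterOS walks a chain, so the reader can see why the OP's position is safe and why moving the rules (or not pinning them to LAN) is not.

```python
# Added example (not from the forum post): a minimal first-match simulator of
# the RouterOS input chain discussed above. Matchers are simplified; packets
# and interface lists are constructed sample values.
DEFCONF = [  # the defconf rules quoted above, in order
    {"connection_state": {"established", "related", "untracked"}, "action": "accept"},
    {"connection_state": {"invalid"}, "action": "drop"},
    {"protocol": "icmp", "action": "accept"},
    {"dst_address": "127.0.0.1", "action": "accept"},
    {"not_in_list": "LAN", "action": "drop"},  # in-interface-list=!LAN
]
# The OP's rules as posted: no interface restriction at all.
OP_RULES = [
    {"protocol": "udp", "dst_port": 53, "action": "accept"},
    {"protocol": "tcp", "dst_port": 53, "action": "accept"},
    {"protocol": "udp", "dst_port": 123, "action": "accept"},
]
# The same rules with anav's suggestion: also require in-interface-list=LAN.
LAN_ONLY_RULES = [dict(r, in_list="LAN") for r in OP_RULES]

def rule_matches(rule, pkt):
    """Every matcher present on the rule must agree with the packet."""
    if "connection_state" in rule and pkt["state"] not in rule["connection_state"]:
        return False
    if "protocol" in rule and pkt["protocol"] != rule["protocol"]:
        return False
    if "dst_port" in rule and pkt.get("dst_port") != rule["dst_port"]:
        return False
    if "dst_address" in rule and pkt["dst"] != rule["dst_address"]:
        return False
    if "in_list" in rule and rule["in_list"] not in pkt["lists"]:
        return False
    if "not_in_list" in rule and rule["not_in_list"] in pkt["lists"]:
        return False
    return True

def verdict(chain, pkt):
    """First matching rule decides; with no match the input chain accepts."""
    for rule in chain:
        if rule_matches(rule, pkt):
            return rule["action"]
    return "accept"

# Constructed packets: a new DNS query arriving on WAN, and one from LAN.
WAN_DNS = {"state": "new", "protocol": "udp", "dst_port": 53, "dst": "203.0.113.1", "lists": {"WAN"}}
LAN_DNS = {"state": "new", "protocol": "udp", "dst_port": 53, "dst": "192.168.88.1", "lists": {"LAN"}}

if __name__ == "__main__":
    print("OP order, WAN DNS:      ", verdict(DEFCONF + OP_RULES, WAN_DNS))        # drop
    print("rules moved up, WAN DNS:", verdict(OP_RULES + DEFCONF, WAN_DNS))        # accept: BANG
    print("LAN-only moved up, WAN: ", verdict(LAN_ONLY_RULES + DEFCONF, WAN_DNS))  # drop
```

The LAN-pinned variant keeps dropping WAN DNS even when placed above the defconf drop rule, while LAN clients are still accepted in every order.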