Basic firewall hardening

Anyone have a set of basic firewall hardening commands I can put into the routerOS?

Hopefully with explanations as to what they do so I can learn.

Basically keep the bad guys out and other probes.

RouterOS v6.49.15

Thanks!

Welcome.

Something to get you started. There is a whole heap of info under help.mikrotik.com/docs

https://help.mikrotik.com/docs/display/ROS/Filter

It is a learning curve. Enjoy!

https://help.mikrotik.com/docs/display/ROS/Getting+started

You’re more than welcome to try to harden the firewall. But here is my 5 cents worth of advice: if your MT device (you didn’t tell which one you’re using) comes with a default setup which features a decently long list of firewall rules (around 5 rules for chain=input and 6 rules for chain=forward), then it’s likely that the default firewall is pretty sound. In this case I recommend you build on the default, but first understand it thoroughly (e.g. what does in-interface-list=WAN actually mean).
Many “firewall hardening recipes” add “port scanning detection”, which usually doesn’t add any security to the system. Many “make your firewall safe” recipes actually make it worse by following the “block the forbidden” concept instead of using the “pass the allowed” concept. Etc.
MT also provides a document with some recipes to harden the firewall … but even those rules don’t add to the security of the default firewall.

What many users do is add rules (because they need to allow some services), and they often f**k up the firewall because they add rules in the wrong place (rules are evaluated in order from top to bottom) or the rules are plain wrong or …

The “best” thing some users do is to add logging rules (to log forbidden traffic), and then they become upset due to excessive logs … the reality of the internet is that there will always be a lot of probing, trying to find a vulnerable device. If the firewall is “water tight”, then logging is not necessary.

I’d like to point to another thing: the IPv6 firewall. IPv6 is a pretty different beast from IPv4, so one should not try to “map IPv4 rules to IPv6”; this won’t work well. Also: in ROS v6, IPv6 is an optional thing. If IPv6 is enabled, the default rules are not applied (defaults are only applied when the device config is reset to factory defaults, and only defaults for modules installed and enabled get applied). So it’s crucial to apply some IPv6 firewall rules immediately after enabling it … it’s possible to “hand apply defaults” by copy-pasting the defaults (which are displayed by the command /system default-configuration print inside a really wide terminal window).
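To make the “pass the allowed” structure and the rule-ordering point concrete, here is an added example of a minimal RouterOS v6 input chain in the style of the default configuration, plus a minimal IPv6 filter of the kind the post says must be applied by hand after enabling the package. This is example code written for this thread, not the forum poster’s rules or MikroTik’s verbatim defaults (take those from /system default-configuration print as the post describes). It assumes the interface lists LAN and WAN already exist (the default setup creates them) and the management and IKE ports are assumed example values.

```routeros
# Added example, not the thread's own rules. Rules are evaluated top to
# bottom; the final drop catches everything no earlier rule accepted, so
# every new "allow" rule must be placed ABOVE it.
/ip firewall filter
# let already-accepted flows through first, then discard broken state
add chain=input action=accept connection-state=established,related,untracked \
    comment="accept established/related/untracked"
add chain=input action=drop connection-state=invalid comment="drop invalid"
# ICMP is needed for ping and path MTU discovery
add chain=input action=accept protocol=icmp comment="accept ICMP"
# last rule: anything not arriving from the LAN side is dropped
add chain=input action=drop in-interface-list=!LAN \
    comment="drop all else not coming from LAN"

# If a service on the router must be reachable from the WAN, the accept rule
# belongs above the final drop. place-before puts it there without editing
# rule numbers by hand. (IKE ports 500/4500 are an assumed example service.)
add chain=input action=accept in-interface-list=WAN protocol=udp dst-port=500,4500 \
    comment="assumed example: IKE from WAN" \
    place-before=[find comment="drop all else not coming from LAN"]

# IPv6 is optional in v6, and enabling the package later does NOT apply the
# defaults. First confirm whether the package is enabled at all:
/system package print where name=ipv6

# If it is enabled, give IPv6 its own rules rather than copying the IPv4 ones:
# ICMPv6 must stay open (neighbour discovery, PMTUD) and the router's
# DHCPv6 client receives prefix delegation from link-local addresses.
/ipv6 firewall filter
add chain=input action=accept connection-state=established,related,untracked \
    comment="accept established/related/untracked"
add chain=input action=drop connection-state=invalid comment="drop invalid"
add chain=input action=accept protocol=icmpv6 comment="ICMPv6 is required for IPv6"
add chain=input action=accept protocol=udp dst-port=546 src-address=fe80::/10 \
    comment="DHCPv6 client / prefix delegation from link-local"
add chain=input action=drop in-interface-list=!LAN \
    comment="drop all else not coming from LAN"
add chain=forward action=accept connection-state=established,related,untracked \
    comment="accept established/related/untracked"
add chain=forward action=drop connection-state=invalid comment="drop invalid"
add chain=forward action=accept protocol=icmpv6 comment="accept ICMPv6"
add chain=forward action=accept in-interface-list=LAN comment="LAN may initiate outbound"
add chain=forward action=drop comment="no unsolicited inbound to LAN hosts"

# Verify the resulting order; the drop rules must be last in each chain.
/ip firewall filter print
/ipv6 firewall filter print
```

The IPv4 input chain deliberately has no explicit “allow from LAN” rule: RouterOS accepts a packet that matches no rule, so the trailing in-interface-list=!LAN drop is what turns an open router into a “pass the allowed” one for the WAN side while leaving LAN management (DNS, DHCP, Winbox) working. If you want to restrict LAN access to the router as well, add explicit accept rules for those services above the drop and change the drop to a plain chain=input action=drop.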

Excellent summary! This should be included as the introduction to the chapter “Securing Your Router.”

Thank you mkx. I second Larsa’s comment - a very cogent, clear, understandable and useful post. Especially along the “clear” and “understandable” aspects. It’s an SXT, for what that’s worth, and it does come with some basic firewall rules which look very good.

Appreciate the feedback!

Just curious - how do I find out if ipv6 is activated either from command line or webfig?

System - Packages.

I can see that it’s not enabled.

Good!

why are people so afraid of ipv6?

If one is living in a warzone, IPv6 looks harmless in comparison :wink: IPv6 is like taking away my comfort zone.

Here are some links, old one first:
https://wiki.mikrotik.com/wiki/Manual:Securing_Your_Router

https://gregsowell.com/?page_id=951

Because it takes away a fraction of precious bandwidth due to larger packet overhead. And specifically on ROS it most often reduces router performance by a factor of 3-4 due to lack of fasttrack.

And because it's an unfamiliar boo-hoo :wink: