Hello,
I removed the default configuration from the RouterBoard and configured it for hotspot. After this, all the basic firewall rules are gone!
Is it necessary to add them to the firewall again?
Thanks
Normally they are not gone. They move down in the list if you enable hotspot.
But if you reset the configuration, yes, you start with blank firewall rules.
I removed the default configuration from the RouterBoard
Didn’t you say that you removed them yourself?
So yes, if you did remove the firewall, I suggest making your own now. Without a firewall, the router is an easy attack target.
When logging in to Winbox for the first time, it shows an alert asking whether to confirm the default configuration script or not. I selected the remove option!
Now, if I want to add firewall rules manually, they will be added after the HS rules in the list. Is that OK? Don’t they conflict with the hotspot rules?!
The Hotspot’s rules are created in special chains such as hs-auth, hs-unauth, etc. If you add your own rules to the input/output/forward chains, then it doesn’t matter if they come before or after the hs-XXXXX chains because the order only matters for rules within the same chain.
There are some jump rules in the main input/output/forward chains (to jump into the HS chains), and it’s the order of these jump rules that you must consider. You can add rules before or after them however you like; just think about what you’re trying to do. If you need to filter something before the hotspot chains, make sure your new rule comes before the jump. If it can come after the hs chains, put your new rules after the jump.
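The chain-order point above, as an added example that is not part of this thread: a small Python model of RouterOS-style chain evaluation with jump semantics, run over constructed packets. The contents of the hs-input chain, the match fields and the packets are assumptions; only the accept/drop/jump behaviour follows the explanation above.

```python
# Added example (not from the thread): a small model of RouterOS-style firewall
# chain evaluation. It shows the point made above: a rule's position matters only
# relative to other rules in the same chain, including the jump into the HotSpot
# chain. Chain names, match fields and packets are assumptions for illustration.

def matches(rule, pkt):
    """A rule matches when every matcher it carries equals the packet's field."""
    return all(pkt.get(k) == v for k, v in rule["match"].items())

def evaluate(chains, chain, pkt):
    """Walk one chain top to bottom. 'jump' descends into the target chain and,
    if nothing there terminated the packet, continues with the next rule here."""
    for rule in chains[chain]:
        if not matches(rule, pkt):
            continue
        if rule["action"] == "jump":
            verdict_from_target = evaluate(chains, rule["target"], pkt)
            if verdict_from_target is not None:
                return verdict_from_target
        elif rule["action"] in ("accept", "drop"):
            return f'{rule["action"]} by {chain}: {rule["comment"]}'
    return None  # fell off the end of the chain: back to the caller

# Assumed dynamic HotSpot jump: only traffic from HotSpot clients enters hs-input,
# and in this toy hs-input an unauthenticated client is dropped there.
HS_JUMP = {"match": {"hotspot": "from-client"}, "action": "jump",
           "target": "hs-input", "comment": "jump to hs-input"}
HS_INPUT = [{"match": {"authenticated": False}, "action": "drop",
             "comment": "unauthenticated client"}]

# The poster's own input rules, reduced to the three that matter here.
DROP_INVALID = {"match": {"state": "invalid"}, "action": "drop", "comment": "drop invalid"}
ALLOW_ESTABLISHED = {"match": {"state": "established"}, "action": "accept",
                     "comment": "allow established"}
DROP_REST = {"match": {}, "action": "drop", "comment": "drop everything else"}

def verdict(pkt, before_jump, after_jump):
    """Build the input chain with the user's rules before and/or after the HotSpot
    jump, then evaluate one packet. No match anywhere means RouterOS's default accept."""
    chains = {"input": before_jump + [HS_JUMP] + after_jump, "hs-input": HS_INPUT}
    return evaluate(chains, "input", pkt) or "accept by default policy"

if __name__ == "__main__":
    unauth_invalid = {"hotspot": "from-client", "authenticated": False, "state": "invalid"}
    own = [DROP_INVALID, ALLOW_ESTABLISHED, DROP_REST]
    # Same packet, same rules: only which chain drops it changes with the position.
    print(verdict(unauth_invalid, own, []))  # drop by input: drop invalid
    print(verdict(unauth_invalid, [], own))  # drop by hs-input: unauthenticated client
```

For traffic the HotSpot chain does not terminate (an authenticated client, or a packet that never takes the jump), the verdict is the same whichever side of the jump the rules sit, which is exactly why only the position relative to the jump needs thought.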
I added these rules to the firewall as the last rules. Are these OK for basic protection?
52 ;;; Drop Invalid Connections
   chain=input action=drop connection-state=invalid log=no log-prefix=""
53 ;;; Allow established connections
   chain=input action=accept connection-state=established log=no log-prefix=""
54 ;;; Allow icmp
   chain=input action=accept protocol=icmp log=no log-prefix=""
55 chain=input action=accept src-address=192.168.1.0/24 in-interface=!ether> log=no log-prefix=""
56 chain=input action=accept src-address=192.168.5.0/24 in-interface=!ether> log=no log-prefix=""
57 ;;; Drop everything else
   chain=input action=drop log=no log-prefix=""
58 ;;; drop invalid connections
   chain=forward action=drop connection-state=invalid protocol=tcp log=no log-prefix=""
59 ;;; allow already established connections
   chain=forward action=accept connection-state=established log=no log-prefix=""
60 ;;; allow related connections
   chain=forward action=accept connection-state=related log=no log-prefix=""
61 chain=forward action=drop src-address=0.0.0.0/8 log=no log-prefix=""
62 chain=forward action=drop dst-address=0.0.0.0/8 log=no log-prefix=""
63 chain=forward action=drop src-address=127.0.0.0/8 log=no log-prefix=""
64 chain=forward action=drop dst-address=127.0.0.0/8 log=no log-prefix=""
65 chain=forward action=drop src-address=224.0.0.0/3 log=no log-prefix=""
66 chain=forward action=drop dst-address=224.0.0.0/3 log=no log-prefix=""