Basic must have firewall settings?

Just looking for a list of standard firewall settings that are general best practice rules. Does such a list exist?

For a general / basic / home network, this should be “good enough.”

/ip firewall filter
add action=drop chain=input connection-state=invalid
add action=drop chain=input comment="Drop Blacklisted Hosts" log-prefix="NOTICE: Dropped Attack Attempt" src-address-list=\
    blacklist
add chain=input connection-state=established,related
add chain=input src-address-list=ipSec
add chain=input src-address-list=PrivateIPs
add chain=input in-interface=lan1
add chain=input log-prefix=NOTICE protocol=icmp
add action=drop chain=input comment="Default Drop" log-prefix=<DEFAULT>
add action=drop chain=forward connection-state=invalid
add action=reject chain=forward dst-address-list=blacklist log=yes log-prefix="BL OUTBOUND" reject-with=icmp-admin-prohibited
add action=drop chain=forward src-address-list=blacklist
add chain=forward connection-state=established,related
add chain=forward src-address-list=PrivateIPs
add action=drop chain=forward comment="Default Drop" in-interface=wan1 log=yes log-prefix=<DEFAULT>
add action=drop chain=forward comment="Default Drop" in-interface=wan2 log=yes log-prefix=<DEFAULT>

If you have public servers that you are protecting, then you can do a lot more to try and stop DDoS and brute force attacks. But in general, this should be enough to keep you safe.

Oh, I have two address lists: “blacklist” and “PrivateIPs”. The blacklist is generated by my server every morning using several publicly available lists, as well as lists generated by Fail2Ban on all of my servers. The PrivateIPs list is just that: 10.0.0.0/8, 172.16.0.0/16, and 192.168.0.0/16. It’s a simple (although maybe not entirely secure) way of making sure my VPNs all flow nicely.
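The ordering in that rule set matters: drop invalid, accept established/related, then a default drop at the end of each chain. Below is an added example (mine, not the poster's or MikroTik's code) that parses a RouterOS `/ip firewall filter` export and audits each chain for exactly those properties; the export text inside it is constructed for the demo and is not the rules above.

```python
import re

# Constructed sample export in the style of the thread (NOT the poster's rules).
# The forward chain is deliberately mis-ordered and lacks a default drop.
SAMPLE_EXPORT = """\
/ip firewall filter
add action=drop chain=input connection-state=invalid
add action=drop chain=input comment="Drop Blacklisted Hosts" src-address-list=\\
    blacklist
add chain=input connection-state=established,related
add chain=input in-interface=lan1
add action=drop chain=input comment="Default Drop"
add chain=forward connection-state=established,related
add action=drop chain=forward connection-state=invalid
add chain=forward src-address-list=PrivateIPs
"""

# Keys that do not restrict what a rule matches (in-interface is tolerated,
# since the thread's forward default drops are scoped per WAN interface).
NON_MATCH_KEYS = {"action", "chain", "comment", "log", "log-prefix", "in-interface"}

def parse_rules(export_text):
    """Join backslash-continued lines, then turn each 'add' line into a dict."""
    joined = re.sub(r"\\\n\s*", "", export_text)
    rules = []
    for line in joined.splitlines():
        if not line.startswith("add "):
            continue
        rule = {"action": "accept"}  # RouterOS filter rules accept when no action is given
        for key, val in re.findall(r'([\w-]+)=("[^"]*"|\S+)', line[4:]):
            rule[key] = val.strip('"')
        rules.append(rule)
    return rules

def audit_chain(rules, chain):
    """Return findings for one chain: invalid dropped before established is accepted, and a default drop last."""
    chain_rules = [r for r in rules if r.get("chain") == chain]
    findings = []
    def first(pred):
        return next((i for i, r in enumerate(chain_rules) if pred(r)), None)
    invalid_drop = first(lambda r: r["action"] == "drop" and r.get("connection-state") == "invalid")
    est_accept = first(lambda r: r["action"] == "accept" and "established" in r.get("connection-state", ""))
    if invalid_drop is None:
        findings.append("no drop of connection-state=invalid")
    elif est_accept is not None and est_accept < invalid_drop:
        findings.append("established,related accepted before invalid is dropped")
    if est_accept is None:
        findings.append("no accept for established,related")
    last = chain_rules[-1] if chain_rules else None
    is_default_drop = last is not None and last["action"] in ("drop", "reject") \
        and set(last) <= NON_MATCH_KEYS
    if not is_default_drop:
        findings.append("no final default drop")
    return findings

if __name__ == "__main__":
    parsed = parse_rules(SAMPLE_EXPORT)
    for name in ("input", "forward"):
        print(name, audit_chain(parsed, name) or ["ok"])
```

Run it against a real `/ip firewall filter export` saved to a file to get the same per-chain findings for your own router.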

Add these as the first filter rules, if your firmware is 6.29+.

/ip firewall filter
add action=fasttrack-connection chain=forward comment=\
    "FT established/related connections (forward)" connection-state=\
    established,related
add action=fasttrack-connection chain=input comment=\
    "FT established/related connections (input)" connection-state=\
    established,related

Adding the fasttrack option is only applicable for the forward chain.
It does not affect the input chain.

43north? After reading the post above, are you clear, or do you need support?