Apart from one's own needs, I was wondering if that setup is still valid and you would suggest it as a good starting point.
Your thoughts about it, please.
Thanks
IMHO people care too much about various flooding options (ping flood, syn flood, …). Either they are not that malicious after all (normal pings … blocking ICMP is one more fetish for some and is hurting IPv6, which is one thing to keep in mind, many people simply extrapolate firewall filter rules from IPv4 to IPv6) or eventually get dropped by (now default) firewall rules (because those connections are invalid). And for DL one can’t do much to reduce amount of traffic, the upstream routers/firewalls/DPIs could help.
I’m not saying that default firewall settings are the “best setup ever” either, but they are a decent starting point. They are simple enough to understand, they are reasonably secure and don’t flood log files with mostly useless log entries.
Sure they can be tuned for better performance, but the setup would probably become less apparent … and less apparent rules threaten to become less secure. And security is paramount when it comes to a firewall.
One thing that may add to firewall security is the use of remote IP address black lists. Collecting those is a complex task and a random home user likely can’t collect a decent list himself. Using lists from a quality and trusted source is then a must.
This is interesting.
Could you please give me more information about that?
I still don’t know how to create black lists and set them up in the firewall.
Thanks
No, it’s not a good starting point, the current default firewall is better for that, it’s simpler, easier to understand, …
The forward chain here is wide open for everything, which is not ideal, even though in practice for a regular user with at most one public address and NAT, it shouldn’t be a major problem. With the bogons list it shouldn’t be insecure, but it’s not very clear.
The input chain is chaotic, on one hand it has default drop at the end (good), but then it has extra blocking for WinBox, instead of a more logical accept rule for a selected list. It’s a little confusing, but it’s not a security hole. Allowing DNS from everywhere and making the router an open resolver, on the other hand, is a security hole.
Why bother with detection of port scanners? It’s not exactly wrong and sometimes it can make sense. But usually it’s simpler to just not open any unnecessary ports. Let them scan, they won’t find anything.
Fine-tuning icmp, why not, if you know what you’re doing. But too many people don’t. And it’s not like any bad icmp will eat your router alive.
Blocking bogons, again, it’s not wrong. But it’s not like anything bad should necessarily happen when you don’t. So someone sends a spoofed packet to your publicly available service. If the service doesn’t have some incorrectly configured whitelist, nothing bad will happen.
There’s nothing magical about black lists. They are simply address lists (you can create and maintain them under /ip firewall address-list, ditto for IPv6), and then use them as a criterion for some drop rules (e.g. /ip firewall raw add action=drop chain=prerouting src-address-list=). There are a few things to consider:
take care not to lose management access to your router (your management workstation’s address might end up in the black list), so make the allow whitelist entry before the drop blacklist
Whitelist is another address list, the only difference is that it’s used for action=accept …
using a blacklist might prove a major performance problem. It helps to re-position the drop rule somewhere else (e.g. if used in raw as I illustrated it’ll check each and every packet. If used in the usual firewall filter rules list after the default accept established,related, the performance hit will normally be negligible but won’t help much when e.g. under a DDoS attack - using raw would be slightly better in that case).
…
So blindly using blacklists can cause problems as well.
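An added RouterOS example (not from the thread or its author) putting the points above together: a whitelist accept placed before the blacklist drop, the drop placed either in raw/prerouting or in filter/input after the established,related accept, and the IPv6 counterpart. The management address, the blacklist entries and the WAN interface name ether1 are placeholders.

```routeros
# Added example, not from the original post. Placeholders: 192.168.88.10 is the
# admin workstation, ether1 is the WAN port, blacklist entries use documentation ranges.
# A real blacklist should be imported from a trusted source, not typed by hand.

# Whitelist first: the management host must never be caught by a blacklist drop.
/ip firewall address-list
add list=mgmt-whitelist address=192.168.88.10 comment="admin workstation (placeholder)"
# Blacklist entries (placeholders). A timeout lets a temporary entry expire on its own.
add list=blacklist address=203.0.113.0/24 comment="placeholder entry"
add list=blacklist address=198.51.100.7 timeout=1d comment="placeholder entry"

# Option A: drop in raw/prerouting. Cheapest per packet and helps most under a flood,
# but every packet is checked, so the whitelist accept has to sit above the drop.
/ip firewall raw
add chain=prerouting src-address-list=mgmt-whitelist action=accept comment="never drop management"
add chain=prerouting in-interface=ether1 src-address-list=blacklist action=drop comment="blacklist (raw)"

# Option B: drop in filter/input after the established,related accept. Negligible
# cost for normal traffic; only new connections from listed sources are evaluated.
/ip firewall filter
add chain=input connection-state=established,related action=accept comment="default accept"
add chain=input src-address-list=mgmt-whitelist action=accept comment="management whitelist"
add chain=input src-address-list=blacklist action=drop comment="blacklist (filter)"
add chain=input in-interface=ether1 action=drop comment="default drop from WAN"

# IPv6 is a separate tree with the same shape.
/ipv6 firewall address-list
add list=blacklist6 address=2001:db8:bad::/48 comment="placeholder entry"
/ipv6 firewall raw
add chain=prerouting in-interface=ether1 src-address-list=blacklist6 action=drop comment="blacklist (raw, v6)"

# Check: verify rule order and that the drop rules are actually counting hits.
/ip firewall raw print stats
/ip firewall filter print stats
```

Use one of the two drop placements, not both; the filter placement is the safe default and the raw placement is the one to switch to when flood traffic is the concern.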
Nope, that was just an example (and I wrote it was). As I wrote, address lists are not anything magical. They are used as criteria for any firewall rule (either filter or raw, possibly nat as well). And you have to construct the appropriate rule by yourself, there aren’t any such rules, either implicitly or by default.