Could you audit my firewall rules

Hi, I wanted to know if anybody could audit my firewall rules, to find optimizations, flaws or anything else.
The setup is basic: 1 WAN, 1 LAN (172.16.0.0/16), 1 DMZ (192.168.1.0/24).

LAN and DMZ can go to WAN; DMZ and WAN can only respond to LAN if the connection was initiated by LAN.

[REDACTED@MikroTik] > /ip firewall export

# 2024-10-04 12:22:38 by RouterOS 7.15.3
# software id = Y101-UNBL
#
# model = CCR2004-16G-2S+
# serial number = REDACTED

/ip firewall address-list
add address=172.16.0.0/16 list=here

/ip firewall connection tracking
set udp-timeout=10s

/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" in-interface-list=LAN protocol=icmp
add action=accept chain=input comment="accept from LAN" in-interface-list=LAN
add action=drop chain=input comment="default action DROP"
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="drop DNS req to outside" dst-port=53 in-interface-list=LAN protocol=udp src-address=!172.16.1.1
add action=drop chain=forward dst-port=53 in-interface-list=LAN protocol=tcp src-address=!172.16.1.1
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="accept LAN to WAN" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="accept LAN to DMZ" in-interface-list=LAN out-interface-list=DMZ
add action=accept chain=forward comment="accept DMZ to WAN" in-interface-list=DMZ out-interface-list=WAN
add action=accept chain=forward comment="accept port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="default action DROP"

/ip firewall nat
add action=masquerade chain=srcnat comment=hairpinning disabled=yes dst-address=192.168.1.0/24 src-address=192.168.1.0/24
add action=masquerade chain=srcnat comment="out nat" out-interface-list=WAN
add action=jump chain=dstnat dst-address=REDACTED jump-target=port-forward
add action=dst-nat chain=port-forward comment="" dst-port=4222 protocol=tcp to-addresses=192.168.1.15 to-ports=22
add action=dst-nat chain=port-forward comment="" dst-port=4282 protocol=tcp to-addresses=192.168.1.15 to-ports=4282
add action=dst-nat chain=port-forward comment="" dst-port=4221 protocol=tcp to-addresses=192.168.1.15 to-ports=21
add action=dst-nat chain=port-forward comment="" dst-port=40101-40200 protocol=tcp to-addresses=192.168.1.15 to-ports=40101-40200
add action=dst-nat chain=port-forward comment="" dst-port=3306 protocol=tcp to-addresses=192.168.1.15 to-ports=3306
add action=dst-nat chain=port-forward comment="" dst-port=8443 protocol=tcp to-addresses=192.168.1.15 to-ports=8443
add action=dst-nat chain=port-forward comment="" dst-port=443 protocol=tcp to-addresses=192.168.1.16
add action=dst-nat chain=port-forward comment="" dst-port=80 protocol=tcp to-addresses=192.168.1.16 to-ports=80
add action=dst-nat chain=port-forward comment="" dst-port=4443 protocol=tcp to-addresses=192.168.1.14 to-ports=4443
add action=dst-nat chain=port-forward comment="" disabled=yes dst-port=4380 protocol=tcp to-addresses=192.168.1.17 to-ports=80
add action=dst-nat chain=port-forward comment="" disabled=yes dst-port=4322 protocol=tcp to-addresses=192.168.1.17 to-ports=22
add action=dst-nat chain=port-forward comment="" dst-port=4580 protocol=tcp to-addresses=192.168.1.45 to-ports=80
add action=dst-nat chain=port-forward comment="" dst-port=4543 protocol=tcp to-addresses=192.168.1.45 to-ports=443
add action=dst-nat chain=port-forward comment="" dst-port=26000-28000 protocol=tcp src-port="" to-addresses=192.168.1.88 to-ports=26000-28000
add action=dst-nat chain=port-forward comment="" dst-port=26000-28000 protocol=udp to-addresses=192.168.1.88 to-ports=26000-28000
add action=dst-nat chain=port-forward comment="" dst-port=25555 protocol=tcp to-addresses=192.168.1.88 to-ports=22

Thanks !

Sorry, I don't comment on partial configs, as all parts are related, and yes, your firewall rules need work.

Hi,

What is missing? I just exported the FW rules.

As a general rule - a MikroTik is a router - its default is to route. Keep this in mind when building your rules.
Always have a broad catch-all drop at the bottom of every list.
Allow only what you want - and drop all to drop the rest.
Use lists where you can.

It always bothers me when people cross-mingle default rules with custom additions, as when something doesn't work, you don't know those rules like you wrote them, because you didn't. Rehashing the rules, even if you are re-creating them to better understand them, is nicer, as you'll understand them better and likely amend them on the fly to match your use case better.

If in doubt - drop/block and test.

anav wrote: "Are you S1rious LOL, everything else is missing, what a clown."

Hm, I guess you are the only clown here, taunting a beginner. Maybe you should propose a command to export what you want, but besides the interface lists or the like, I don't see what is really missing for you to take a look at it.

From my experience, @anav can be a bit direct (he/she could be Dutch :laughing:). He is requesting the entire export because that is the only way to be able to "audit".

The usual advice is to post the whole configuration, see:
http://forum.mikrotik.com/t/forum-rules/173010/1

There are reasons for that: the way a configuration works (or completely fails to) can be "hidden" in a seemingly unrelated part, but more than that, a member willing to help often needs to understand the whole setup to be able to provide some (hopefully good) advice.

If you prefer, the right approach to solving an issue or analyzing a setup is holistic.