Hello to all Mikrotik friends here!
So I see a lot of videos out there from a Mikrotik Certified Trainer or other high-level Mikrotik people talking about DDoS mitigation, and they apply rules different from the pre-existing default rules on Mikrotik RouterOS. So now my question is: does that mean that the default firewall rules in Mikrotik are not enough and we have to add other rules? Or do we have to replace them?
Well, one of my Mikrotik user friends tells me that when you increase the firewall rules, you increase vulnerability, not security!
DDoS mitigation won't help most users (the ISP can/should help in this case).
The number of rules will increase complexity. As long as you know what you do (and what every rule's reason for being is), you won't make it vulnerable.
If you think that there is a problem with them, then show what makes you fear them.
Study the default configuration line by line.
The default firewall (where it exists; high-end devices come without one) is pretty secure; it defaults to a (weirdly implemented) drop-everything-else concept (which is the secure way to do it). However, since the default firewall setup relies on connection tracking doing its job, it is also quite resource demanding. In a normal situation one can not really live without connection tracking (NAT requires it), so for normal operation this is not a problem.
But: DDoS hits connection tracking pretty hard because the router is flooded with packets all claiming a new connection. And thus the router "dies". So DDoS mitigation is needed. On a SOHO router one can add RAW firewall rules which will drop incoming packets that are part of a DDoS attack before they hit the connection tracking machinery. The remaining issue is consumption of uplink bandwidth ... and that can only be solved upstream (i.e. on the ISP's routers/firewalls).
And yes, your friend is right: if one starts to mess with the default firewall setup and he's not up to the task (the ROS learning curve is pretty steep from the beginning), then the chances of f***ing up something are pretty high.
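To make the RAW-before-connection-tracking point concrete, here is an added example of what such a setup looks like in RouterOS; it is not configuration from either poster. It is modelled on the filter-plus-RAW pattern in MikroTik's own DDoS-protection documentation, and the chain name (detect-ddos), the address-list names (ddoser, ddosed) and the 32-new-connections-per-10s budget are assumed values you would tune for your link.

```routeros
# Added example, not from this thread. Names and limits below are assumptions.

/ip firewall filter
# Only brand-new connections are examined; established traffic is left alone.
# For floods aimed at the router itself, add the same jump in chain=input.
add chain=forward connection-state=new action=jump jump-target=detect-ddos
# Within budget (32 new connections per 10s per src/dst pair, burst 32): return.
add chain=detect-ddos dst-limit=32,32,src-and-dst-addresses/10s action=return
# Over budget: record both ends for 10 minutes. add-*-to-address-list does not
# terminate rule processing, so both list rules apply to the same packet.
add chain=detect-ddos action=add-dst-to-address-list address-list=ddosed address-list-timeout=10m
add chain=detect-ddos action=add-src-to-address-list address-list=ddoser address-list-timeout=10m

/ip firewall raw
# RAW prerouting runs before connection tracking, so packets from a listed
# source toward a listed target are discarded without creating a conntrack
# entry. The same drop placed in /ip firewall filter would run after
# connection tracking and would not relieve it.
add chain=prerouting src-address-list=ddoser dst-address-list=ddosed action=drop
```

Until a source has been listed, its first packets still pass through connection tracking, so this limits the load rather than removing it; the uplink bandwidth the flood consumes is still an upstream problem, as the reply says.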