Efficient and Strong Firewall Rules

RouterOS General
1

Hi everybody, i have been struggle a lot trying to find the most efficient and strong way to configure firewall.
It needs to be fast and also strong against attacks.
Please watch my current configuration and suggest me if there is something to add or to remove.
Regards.


/ip firewall filter
add action=passthrough chain=unused-hs-chain comment="Place hotspot rules here" disabled=yes
add action=drop chain=forward comment="Drop invalid connections" connection-state=invalid
add action=return chain=detect-ddos dst-limit=32,32,src-and-dst-addresses/10s protocol=tcp tcp-flags=syn,ack
add action=return chain=detect-ddos dst-limit=32,32,src-and-dst-addresses/10s
add action=add-dst-to-address-list address-list=ddos-targets address-list-timeout=10m chain=detect-ddos
add action=add-src-to-address-list address-list=ddos-attackers address-list-timeout=10m chain=detect-ddos
add action=jump chain=forward comment="SYN Flood protect" connection-state=new jump-target=SYN-Protect protocol=tcp tcp-flags=syn
add action=accept chain=SYN-Protect connection-state=new limit=400,5 protocol=tcp tcp-flags=syn
add action=drop chain=SYN-Protect connection-state=new protocol=tcp tcp-flags=syn
add action=fasttrack-connection chain=forward comment=fasttrack connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="Allow established/related connections" connection-state=established,related
add action=accept chain=forward comment="Allow internet access" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="Allow Wireguard To Access LAN" in-interface="Wireguard VPN" out-interface-list=LAN
add action=accept chain=forward comment="Allow Dst NAT" connection-nat-state=dstnat
add action=drop chain=forward comment="Drop everything else" log=yes log-prefix=fwd-else
add action=drop chain=input comment="Drop invalid connections" connection-state=invalid
add action=tarpit chain=input comment="Capture and hold connections" connection-limit=3,32 protocol=tcp src-address-list=blocked-addr
add action=add-src-to-address-list address-list=blocked-addr address-list-timeout=1d chain=input comment="Limit incoming connections" \
    connection-limit=100,32 protocol=tcp
add action=accept chain=input comment="Allow established/related connections" connection-state=established,related
add action=accept chain=input comment="Allow LAN to access the router" in-interface-list=LAN
add action=accept chain=input comment="Allow Winbox" dst-port=xxxx protocol=tcp
add action=accept chain=input comment="Allow SSH" dst-port=xxxx protocol=tcp
add action=accept chain=input comment="Allow Wireguard VPN" dst-port=13231 protocol=udp
add action=accept chain=input comment="Allow ICMP for everyone" protocol=icmp
add action=drop chain=input comment="Drop everything else"




/ip firewall raw
add action=drop chain=prerouting comment="Drop Ddoser" dst-address-list=ddos-targets src-address-list=ddos-attackers
add action=drop chain=prerouting comment=Worm-Infected-p445 src-address-list=Worm-Infected-p445
add action=drop chain=prerouting comment="Drop all DNS request from Internet" dst-port=53 in-interface-list=WAN protocol=tcp
add action=drop chain=prerouting dst-port=53 in-interface-list=WAN protocol=udp
add action=drop chain=prerouting comment="TCP invalid combination of flags attack (7 rules)" protocol=tcp tcp-flags=!fin,!syn,!rst,!ack
add action=drop chain=prerouting protocol=tcp tcp-flags=fin,syn
add action=drop chain=prerouting protocol=tcp tcp-flags=fin,rst
add action=drop chain=prerouting protocol=tcp tcp-flags=fin,!ack
add action=drop chain=prerouting protocol=tcp tcp-flags=fin,urg
add action=drop chain=prerouting protocol=tcp tcp-flags=syn,rst
add action=drop chain=prerouting protocol=tcp tcp-flags=rst,urg
add action=drop chain=prerouting comment="TCP Port 0 attack (2 rules)" protocol=tcp src-port=0
add action=drop chain=prerouting dst-port=0 protocol=tcp
add action=drop chain=prerouting comment="UDP Port 0 attack (2 rules)" protocol=udp src-port=0
add action=drop chain=prerouting dst-port=0 protocol=udp
add action=drop chain=prerouting comment="Protecting device crash when size > 1024" packet-size=1025-1600 protocol=icmp
add action=drop chain=prerouting comment="ICMP large packet attack" packet-size=1601-65535 protocol=icmp
add action=drop chain=prerouting comment="ICMP fragmentation attack" fragment=yes protocol=icmp
add action=drop chain=prerouting comment="SYN fragmented attack" fragment=yes protocol=tcp tcp-flags=syn
add action=drop chain=prerouting comment="Fragment attack Interface Protection" dst-address-list="LAN Users" fragment=yes
add action=drop chain=prerouting comment="IP option loose-source-routing" ipv4-options=loose-source-routing
add action=drop chain=prerouting comment="IP option strict-source-routing" ipv4-options=strict-source-routing
add action=drop chain=prerouting comment="IP option record-route" ipv4-options=record-route
add action=drop chain=prerouting comment="IP option router-alert" ipv4-options=router-alert
add action=drop chain=prerouting comment="IP option timestamp" ipv4-options=timestamp
add action=drop chain=prerouting comment="IP options left, except IP Stream used by the IGMP protocol" ipv4-options=any protocol=!igmp
add action=accept chain=prerouting protocol=icmp
add action=accept chain=prerouting protocol=igmp
add action=accept chain=prerouting protocol=tcp
add action=accept chain=prerouting protocol=udp
add action=accept chain=prerouting protocol=gre
add action=log chain=prerouting log=yes log-prefix="Not TCP protocol" protocol=!tcp
add action=drop chain=prerouting comment="Unused protocol protection" protocol=!tcp
2

hello,

hmm, done some reading on few lines of your fw rules, i think those are nice rules.

if i may suggest,
there are many types of firewalling based on these: layer 2, layer 3 and layer 4 and above.

and the most important thing is to understand:

  • whether any set firewall rules need to be in stateless or statefull rules.

  • if you need statefull rules, you better to include at least a pair of src and dst address specifically (preferably with any specific traffic parameters) - other wise that rule will bound to stateless rules.

  • the traffic direction from the router/firewall view point ie. inbound/outbound on router/interface. don’t mixed up - otherwise you will have non working firewalls or self locked.

  • build fw rules that can be applied as close as to the source interface that you want to filter ie. not being too late to execute the filters.

  • avoid layer 2 raw and content matchers if possible. it is resource intensive.

  • longer matchers and logging are resource intensive.

just a thought :thinking:

3

Wrong focus, you should concentrate on only allowing needed traffic and less attention to blocking.
Allow needed traffic in forward and input chains then drop all else… KISS

https://forum.mikrotik.com/viewtopic.php?t=180838
The apprentice setup may be of interest but unless you have issues, really not needed.