Hi All,
our client devices connected with PPPoE got attacked and many of our devices became useless. Do you have any suggestions for firewall rules that can be used to take precautions?
Thanks a lot.
Default firewall rules in latest versions already have protection in such setups.
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
Is that enough? I will just change the WAN interface to pppoe_client, and LAN is ether?
WAN and LAN are interface lists. You just need to edit WAN interface list.
Basic one but usable; of course you need to change the in-interface to match your PPPoE client interface name (pppoe-out1 is the default):
/ip firewall filter
add action=accept chain=forward comment="ACCEPT established & related" connection-state=established,related in-interface=pppoe-out1
add action=accept chain=input comment="ACCEPT established & related" connection-state=established,related in-interface=pppoe-out1
add action=drop chain=forward comment="DROP invalid" connection-state=invalid in-interface=pppoe-out1
add action=drop chain=input comment="DROP invalid" connection-state=invalid in-interface=pppoe-out1
add action=accept chain=forward comment="ACCEPT DST-NAT'D" connection-nat-state=dstnat in-interface=pppoe-out1
add action=accept chain=input comment="ACCEPT ICMP" in-interface=pppoe-out1 protocol=icmp
add action=drop chain=input comment="DROP ALL" in-interface=pppoe-out1
add action=drop chain=forward comment="DROP ALL" in-interface=pppoe-out1
Thanks mrz,
I would also like to add these rules, but I'm not sure about the order of the rules. Can I add these rules at the end of the default config? Or
/ip firewall
address-list add address=10.10.2.10 comment="Admin Network" list=admin
/ip firewall filter
add action=accept chain=forward comment="SecureConnection For Admin" src-address-list=admin
add action=drop chain=input comment="drop connection for ports" dst-port=22,2200,23,8291 protocol=tcp
add action=drop chain=input comment="drop connection for ports" dst-port=22,2200,23,8291 protocol=udp
add action=drop chain=forward comment="drop connection for ports" dst-port=22,2200,23,8291 protocol=tcp
add action=drop chain=forward comment="drop connection for ports" dst-port=22,2200,23,8291 protocol=udp
Thanks Steveocee for your help.
I think the difference between the MikroTik default firewall config and your firewall is the forward chain. The MikroTik default firewall rules do not use the forward chain.
add action=accept chain=forward comment="ACCEPT DST-NAT'D" connection-nat-state=dstnat in-interface=pppoe-out1
Is the rule above for port forwarding?
If I want to make it more secure and give access only to some specific IPs, so that customers do not get attacked, what can I do? Our equipment, which has a public IP on its WAN interface, was affected by the attack and became unusable.
So I thought I would add these rules too:
/ip firewall
address-list add address=10.10.2.10 comment="Admin Network" list=admin
/ip firewall filter
add action=accept chain=forward comment="SecureConnection For Admin" src-address-list=admin
add action=drop chain=input comment="drop connection for ports" dst-port=22,2200,23,8291 protocol=tcp
add action=drop chain=input comment="drop connection for ports" dst-port=22,2200,23,8291 protocol=udp
add action=drop chain=forward comment="drop connection for ports" dst-port=22,2200,23,8291 protocol=tcp
add action=drop chain=forward comment="drop connection for ports" dst-port=22,2200,23,8291 protocol=udp
I generally use both forward and input in tandem, same rules for each. It just adds some extra assurance for your clients behind the router.
Yes, this makes it so that you don’t have to add separate rules for each port forward you add.
You don’t need those specific rules. A simple drop all would suffice as long as you have an allow established and related at the top.
Many Many Thanks Steveocee…
here is last one..
/interface list add name=WAN
/interface list add name=LAN
/interface list member add interface=[/interface ethernet find] list=LAN
/interface list member add interface=[/interface pppoe-client find] list=WAN
/ip firewall address-list add address=10.10.10.30 comment="Admin" list=secureAdmin
/ip firewall filter
add action=accept chain=forward comment="ACCEPT established & related" connection-state=established,related in-interface-list=WAN
add action=accept chain=input comment="ACCEPT established & related" connection-state=established,related in-interface-list=WAN
add action=drop chain=forward comment="DROP invalid" connection-state=invalid in-interface-list=WAN
add action=drop chain=input comment="DROP invalid" connection-state=invalid in-interface-list=WAN
add action=accept chain=input comment="SecureConnection For Admin" src-address-list=secureAdmin
add action=accept chain=forward comment="SecureConnection For Admin" src-address-list=secureAdmin
add action=accept chain=forward comment="ACCEPT DST-NAT'D" connection-nat-state=dstnat in-interface-list=WAN
add action=accept chain=input comment="ACCEPT ICMP" in-interface-list=WAN protocol=icmp
add action=drop chain=input comment="drop connection for Admin special ports" dst-port=22,23,8291,8728,8729 protocol=tcp
add action=drop chain=input comment="drop connection for Admin special ports" dst-port=22,23,8291,8728,8729 protocol=udp
add action=drop chain=forward comment="drop connection for Admin special ports" dst-port=22,23,8291,8728,8729 protocol=tcp
add action=drop chain=forward comment="drop connection for Admin special ports" dst-port=22,23,8291,8728,8729 protocol=udp
add action=drop chain=input comment="DROP ALL" in-interface-list=WAN
add action=drop chain=forward comment="DROP ALL" in-interface-list=WAN
/ip service disable telnet,ftp,www,api,api-ssl
/ip service set ssh port=2200
/ip service set address=10.10.10.30 [/ip service find]
/user set address=10.10.10.30 [/user find]
/tool bandwidth-server set enabled=no
/ip dns set allow-remote-requests=no
/ip proxy set enabled=no
/ip socks set enabled=no
/ip upnp set enabled=no
/ip cloud set ddns-enabled=no update-time=no
/ip ssh set strong-crypto=yes
/ip ssh set host-key-size=4096 strong-crypto=yes
/ip settings set rp-filter=strict
/ip firewall service-port disable [/ip firewall service-port find]
I think this is enough to protect the customer device and internet. Do I need to add port scanner rules as well?
Thanks a lot.
I would suggest you remove the in-interface on the following rules.
/ip firewall filter
add action=accept chain=forward comment="ACCEPT established & related" connection-state=established,related in-interface-list=WAN
add action=accept chain=input comment="ACCEPT established & related" connection-state=established,related in-interface-list=WAN
add action=drop chain=forward comment="DROP invalid" connection-state=invalid in-interface-list=WAN
add action=drop chain=input comment="DROP invalid" connection-state=invalid in-interface-list=WAN
add action=drop chain=input comment="DROP ALL" in-interface-list=WAN
add action=drop chain=forward comment="DROP ALL" in-interface-list=WAN
Hi CZFan, thank you very much for your help and support. I combined Steveocee's advice and yours, and here is the result.
I hope this will help me to secure the connection for the CPE and customer. Thank you and Steveocee again.
/interface list add name=WAN
/interface list add name=LAN
/interface list member add interface=[/interface ethernet find] list=LAN
/interface list member add interface=[/interface pppoe-client find] list=WAN
/ip firewall address-list add address=10.10.10.30 comment="Admin" list=secureAdmin
/ip firewall filter
add action=accept chain=forward comment="ACCEPT established & related" connection-state=established,related
add action=accept chain=input comment="ACCEPT established & related" connection-state=established,related
add action=drop chain=forward comment="DROP invalid" connection-state=invalid
add action=drop chain=input comment="DROP invalid" connection-state=invalid
add action=accept chain=input comment="SecureConnection For Admin" src-address-list=secureAdmin
add action=accept chain=forward comment="SecureConnection For Admin" src-address-list=secureAdmin
add action=accept chain=forward comment="ACCEPT DST-NAT'D" connection-nat-state=dstnat in-interface-list=WAN
add action=accept chain=input comment="ACCEPT ICMP" in-interface-list=WAN protocol=icmp
add action=drop chain=input comment="drop connection for Admin special ports" dst-port=22,23,8291,8728,8729 protocol=tcp
add action=drop chain=input comment="drop connection for Admin special ports" dst-port=22,23,8291,8728,8729 protocol=udp
add action=drop chain=forward comment="drop connection for Admin special ports" dst-port=22,23,8291,8728,8729 protocol=tcp
add action=drop chain=forward comment="drop connection for Admin special ports" dst-port=22,23,8291,8728,8729 protocol=udp
add action=drop chain=input comment="DROP ALL"
add action=drop chain=forward comment="DROP ALL"
/ip service disable telnet,ftp,www,api,api-ssl
/ip service set ssh port=2200
/ip service set address=10.10.10.30 [/ip service find]
/user set address=10.10.10.30 [/user find]
/tool bandwidth-server set enabled=no
/ip dns set allow-remote-requests=no
/ip proxy set enabled=no
/ip socks set enabled=no
/ip upnp set enabled=no
/ip cloud set ddns-enabled=no update-time=no
/ip ssh set strong-crypto=yes
/ip ssh set host-key-size=4096 strong-crypto=yes
/ip settings set rp-filter=strict
/ip firewall service-port disable [/ip firewall service-port find]
Assuming your pppoe runs on top of some ethernet interface (presumably ether1), is it safe to add all ether interfaces to LAN list? I’d leave that particular one out. If pppoe runs on top of sfp1 interface then your config is OK.
Hi Mkx, thanks for your answer.
All customer devices are SXT or LHG and they have only one Ethernet port. I will try to push these firewall rules with a program to more than one device at the same time over telnet. So I prefer to use this method, because sometimes technicians change the Ethernet interface name to things like Home or DVR, or sometimes they change the pppoe_client name to internet.
Thanks
Should drop invalid be in front of accept connected and established? It seems better if you get rid of the invalid packet first so it won’t flow down the rest of the filter rules.
Good question SOLAR!! One that bugs me daily.
My logic, twisted as it is, tells me it's best to match the majority of packets soonest, and thus one would expect that is the case for legitimate traffic.
The ‘bad’ traffic is in the minority and thus it can be handled after.
Put another way, why force good traffic (the majority of traffic) to be compared to drop rules first...
Order should be
established,related first
then drop invalid.
Due to reasons anav already mentioned.
The functionality that is used to get rid of traffic before Filter Rules is the application of RAW rules.
This assumes no connection and thus no inspection of the traffic to see if it matches filter parameters and thus is not the place for the filter rules noted previously, but is an excellent place for address lists that the OP wants blocked…
Examples: country block, blacklist block, etc.
It also appears common to 'catch' incoming traffic that is illegitimate, drop it, but also capture the source address and add this address to a temporary list, 24 hr for example.
The address list created is then applied in a RAW rule, so that such traffic is not even seen at the connection tracking point from there on in for at least 24 hours.
It's this kind of approach that I find, in a nerdy way, freakin kewl! In SteveO vernacular, almost a woody!
So I can start to use these rules.
Hi CZFan,
when I remove in-interface from Drop All, customers can't access the internet.
Add the following rules and place them above the drop rules. This is to allow only new connections from inside to outside, not the other way around:
Allow, forward chain, connection-state=new, in-interface-list=LAN (to access the internet)
Allow, input chain, connection-state=new, in-interface-list=LAN (to access the router for DNS, management, etc.)
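Putting the thread together, here is an added example (not a rule set posted by anyone above) of the filter order anav and CZFan describe: established/related first, then drop invalid, the LAN new-connection allows placed above catch-all drops that carry no in-interface, and anav's temporary address list fed by a filter rule and enforced by a RAW rule. It reuses the WAN/LAN interface lists, the 10.10.10.30 admin host and the port list from the OP's config; the list name blocklist and the 1d timeout are assumptions.

```routeros
# Added example; assumes the WAN/LAN interface lists from the OP's config exist
# and that 10.10.10.30 (from the thread) is the only management host.
/ip firewall address-list
add address=10.10.10.30 comment="Admin" list=secureAdmin

# RAW runs before connection tracking: a source already on the temporary
# blocklist is dropped here and never reaches the filter rules (anav's point).
/ip firewall raw
add chain=prerouting action=drop comment="drop blocklisted sources" src-address-list=blocklist

/ip firewall filter
# 1. Match the bulk of legitimate traffic first, then discard invalid packets.
add chain=input   action=accept comment="accept established,related" connection-state=established,related
add chain=forward action=accept comment="accept established,related" connection-state=established,related
add chain=input   action=drop   comment="drop invalid" connection-state=invalid
add chain=forward action=drop   comment="drop invalid" connection-state=invalid
# 2. Management only from the admin list (placed before the blocklist rule so
#    the admin host is never added to it); ICMP from anywhere.
add chain=input   action=accept comment="admin management" src-address-list=secureAdmin
add chain=input   action=accept comment="accept ICMP" protocol=icmp
# 3. CZFan's fix: new connections are accepted only when they originate on LAN,
#    plus port forwards that DST-NAT already matched.
add chain=input   action=accept comment="LAN -> router (DNS, mgmt)" connection-state=new in-interface-list=LAN
add chain=forward action=accept comment="LAN -> internet" connection-state=new in-interface-list=LAN
add chain=forward action=accept comment="accept DST-NATed" connection-nat-state=dstnat in-interface-list=WAN
# 4. Any other WAN-side attempt on the management ports is recorded on the
#    blocklist for 24h. add-src-to-address-list is non-terminating, so the
#    packet still falls through to the catch-all drop below; the RAW rule then
#    drops that source early for the rest of the timeout.
add chain=input action=add-src-to-address-list comment="blocklist mgmt-port probes" address-list=blocklist address-list-timeout=1d protocol=tcp dst-port=22,23,8291,8728,8729 in-interface-list=WAN
# 5. Catch-all drops without in-interface (CZFan): everything not accepted above.
add chain=input   action=drop comment="drop all"
add chain=forward action=drop comment="drop all"
```

Check the resulting order with /ip firewall filter print before pushing it to many CPEs; a catch-all drop that ends up above the admin or LAN accept rules locks out management.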