Firewall Best Practice

Hello,

I started using the documentation to build my own firewall: https://help.mikrotik.com/docs/display/ROS/Building+Advanced+Firewall


However, first, it does not include rules to allow traffic (probably for simplicity due to NAT) and second, I don’t understand why the last rule is not a DROP all:

/ip firewall filter
  add action=accept chain=forward comment="defconf: accept all that matches IPSec policy" ipsec-policy=in,ipsec disabled=yes
  add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
  add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
  add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
  add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
  add action=drop chain=forward src-address-list=no_forward_ipv4 comment="defconf: drop bad forward IPs"
  add action=drop chain=forward dst-address-list=no_forward_ipv4 comment="defconf: drop bad forward IPs"

Why do we need the last four DROP rules if we could just have a single DROP all? Am I missing specific packets?

I have modified my rules like below which I believe is much more compact and elegant:

/ip firewall filter
add action=accept chain=forward comment=\
    "PortFW: Complex port forwardings which can't be fasttracked." \
    connection-mark=conn_portfw connection-state=established,related
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=jump chain=forward comment="Traffic rules for new connections" \
    connection-state=new jump-target=traffic_rules 
add action=drop chain=forward comment="Drop everything else (fallback)"



add action=accept chain=traffic_rules comment="Allow from ISP only when DNAT" connection-nat-state=dstnat in-interface-list=ISP
add action=accept chain=traffic_rules comment="Internet for LAN" in-interface-list=LAN out-interface-list=ISP
add action=accept chain=traffic_rules comment="Allow ZoneA --> ZoneB access" in-interface-list=ZoneA out-interface-list=ZoneB
add action=drop chain=traffic_rules comment="Drop everything else"

I first mark existing connections with fasttrack and then accept all existing and untracked connections (same as in the documentation). Then I have a chain "traffic_rules" which only applies to new connections and lists the allowed traffic flows in a compact way. Lastly, I just have a DROP ALL rule.


Is there anything wrong with my approach? If not, what is the reason for the more complicated approach in the MikroTik documentation?

No idea, I don't use chains as I rarely have an actual need. The concept of chains is very nice, agreed, but rare to see. Well, mostly I see it in garbage firewall rulesets.



/ip firewall filter
{ default rules to keep }
add chain=input action=accept connection-state=established,related,untracked
add chain=input action=drop connection-state=invalid
add chain=input action=accept protocol=icmp

{ admin rules }
ADD ANY VPN ALLOW RULES HERE ( dst-port=>>>> protocol=>>>> )
add chain=input action=accept comment="admin access only" src-address-list=TRUSTED
add chain=input action=accept comment="users to services" dst-port=53,123 protocol=udp
add chain=input action=accept comment="users to services" dst-port=53 protocol=tcp
add chain=input action=drop comment="Drop all else"

+++++++++++++++++++++++++++++++++++++++++++++++++++++
{ default rules to keep }
add action=fasttrack-connection chain=forward connection-state=established,related
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
{ admin rules }
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="Port forwarding" connection-nat-state=dstnat disabled=yes
{ enable if required or remove }
****** PLACE ANY OTHER REQUIRED ALLOW RULES HERE ******
add action=drop chain=forward comment="drop all else"

If implemented and there are still some security issues, then perhaps I would look at other measures as required.
Anything else for the moment is bogus extra.
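The two forward-chain designs in this thread (the jump-based one in the first post and the flat one in the reply), together with the documentation excerpt the first post quotes, can be compared offline with a small first-match simulator. This is an added example, not code from either poster or from MikroTik: it encodes each ruleset as data and runs the same constructed packets through all three, modelling only the matchers those rulesets use (connection-state, connection-nat-state, connection-mark, in/out-interface-list, jump). The defconf's ipsec-policy and address-list rules are left out, and the interface-list layout (WAN and ISP as two names for the same uplink, ZoneA and ZoneB as sub-lists of LAN) is an assumption made for the sample packets.

```python
# Added example, not from the forum posts or MikroTik's documentation.
# First-match simulator for RouterOS-style /ip firewall filter forward chains.
# Interface-list names and the sample packets below are constructed assumptions.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    conn_state: str            # new / established / related / untracked / invalid
    in_lists: frozenset        # interface lists the ingress interface belongs to
    out_lists: frozenset       # interface lists the egress interface belongs to
    nat_state: str = "none"    # "dstnat" once a dst-nat rule has rewritten the connection
    conn_mark: str = ""        # connection mark set by mangle, "" if none


@dataclass
class Rule:
    chain: str
    action: str                # accept / drop / jump / fasttrack-connection
    match: dict = field(default_factory=dict)   # empty dict = matches every packet
    jump_target: str = ""
    disabled: bool = False

    def matches(self, p: Packet) -> bool:
        for key, want in self.match.items():
            hit = {
                "conn_state": lambda: p.conn_state in want,       # connection-state=a,b,c
                "in_list": lambda: want in p.in_lists,            # in-interface-list=
                "out_list": lambda: want in p.out_lists,          # out-interface-list=
                "nat_state": lambda: (p.nat_state != want[1:]) if want.startswith("!")
                else p.nat_state == want,                         # connection-nat-state=[!]dstnat
                "conn_mark": lambda: p.conn_mark == want,         # connection-mark=
            }[key]()
            if not hit:
                return False
        return True


def walk(rules, chain, p):
    """Top to bottom, first terminating action wins; None = chain ended without a verdict.
    jump: if the target chain ends without a verdict, evaluation resumes after the jump rule.
    fasttrack-connection only marks the connection, so the packet continues to the next rule,
    which is why the defconf keeps an explicit accept for established,related right after it."""
    for r in rules:
        if r.chain != chain or r.disabled or not r.matches(p):
            continue
        if r.action == "jump":
            v = walk(rules, r.jump_target, p)
            if v is not None:
                return v
        elif r.action != "fasttrack-connection":
            return r.action
    return None


def verdict(rules, p):
    """Built-in chains accept whatever falls off the end; name that case explicitly."""
    v = walk(rules, "forward", p)
    return v if v is not None else "accept (default policy)"


EST = frozenset({"established", "related"})
EST_UNTRACKED = frozenset({"established", "related", "untracked"})

DEFCONF = [  # documentation excerpt quoted in the first post, minus ipsec/address-list rules
    Rule("forward", "fasttrack-connection", {"conn_state": EST}),
    Rule("forward", "accept", {"conn_state": EST_UNTRACKED}),
    Rule("forward", "drop", {"conn_state": {"invalid"}}),
    Rule("forward", "drop", {"conn_state": {"new"}, "nat_state": "!dstnat", "in_list": "WAN"}),
]  # no final drop: anything else falls off the end of the chain
OP_JUMP = [  # first poster's ruleset
    Rule("forward", "accept", {"conn_mark": "conn_portfw", "conn_state": EST}),
    Rule("forward", "fasttrack-connection", {"conn_state": EST}),
    Rule("forward", "accept", {"conn_state": EST_UNTRACKED}),
    Rule("forward", "jump", {"conn_state": {"new"}}, jump_target="traffic_rules"),
    Rule("forward", "drop"),
    Rule("traffic_rules", "accept", {"nat_state": "dstnat", "in_list": "ISP"}),
    Rule("traffic_rules", "accept", {"in_list": "LAN", "out_list": "ISP"}),
    Rule("traffic_rules", "accept", {"in_list": "ZoneA", "out_list": "ZoneB"}),
    Rule("traffic_rules", "drop"),
]
REPLY_FLAT = [  # replying poster's forward chain, port-forwarding rule disabled as posted
    Rule("forward", "fasttrack-connection", {"conn_state": EST}),
    Rule("forward", "accept", {"conn_state": EST_UNTRACKED}),
    Rule("forward", "drop", {"conn_state": {"invalid"}}),
    Rule("forward", "accept", {"in_list": "LAN", "out_list": "WAN"}),
    Rule("forward", "accept", {"nat_state": "dstnat"}, disabled=True),
    Rule("forward", "drop"),
]
RULESETS = {"defconf": DEFCONF, "op_jump": OP_JUMP, "reply_flat": REPLY_FLAT}

# Constructed sample packets (assumed interface-list membership).
WAN, LAN_A, LAN_B, LAN_C = (frozenset({"WAN", "ISP"}), frozenset({"LAN", "ZoneA"}),
                            frozenset({"LAN", "ZoneB"}), frozenset({"LAN"}))
PACKETS = {
    "wan_unsolicited": Packet("new", WAN, LAN_A),
    "wan_port_forward": Packet("new", WAN, LAN_A, nat_state="dstnat"),
    "lan_to_internet": Packet("new", LAN_A, WAN),
    "zoneA_to_zoneB": Packet("new", LAN_A, LAN_B),
    "zoneA_to_other_lan": Packet("new", LAN_A, LAN_C),
    "reply_traffic": Packet("established", WAN, LAN_A),
    "invalid": Packet("invalid", WAN, LAN_A),
}


def run_all():
    return {n: {pn: verdict(r, p) for pn, p in PACKETS.items()} for n, r in RULESETS.items()}


def differing(results, a, b):
    """Packet names on which rulesets a and b disagree (explicit and default accept count as equal)."""
    return sorted(pn for pn in PACKETS if results[a][pn].split()[0] != results[b][pn].split()[0])


if __name__ == "__main__":
    for name, table in run_all().items():
        print(name, table)
```

Running it shows the packet the first post asks about: a new connection between two LAN-side interfaces that no rule names falls off the end of the defconf chain and is accepted by the default policy, while both posted rulesets end in a drop and so reject it unless an explicit accept covers it. It also makes the reply's caveat concrete: with the port-forwarding rule posted as `disabled=yes`, dst-natted connections from the uplink are dropped until that rule is enabled.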