Firewall Critique/Feedback

I’m working on refining my firewall and would like some feedback on what else I should add. I’ve read a lot of posts and incorporated what I thought was appropriate into the filter list. One thing that I still have to figure out is the forward chain: with the current filter list, if I enable the "drop everything else" rule at the end of my forward chain, I start dropping a lot of different traffic affecting end users (I can see DNS and other traffic).

I also had a question regarding return statements. Do you need them at the end of a chain that you jumped to, or will it automatically return to the original jump point when it finishes executing the chain? I wouldn’t think it would return, but from my observations, it looks like it does. Thus, the confusion.

I would appreciate any feedback on the following firewall filter list:


Flags: X - disabled, I - invalid, D - dynamic
0 ;;; Drop Black List IPs
chain=input in-interface=Cloud src-address-list=Black list action=drop

8 ;;; Drop invalid connections
chain=input connection-state=invalid action=drop

9 ;;; Accept related connections
chain=input connection-state=related action=accept
10 ;;; Accept established connections
chain=input connection-state=established action=accept

11 ;;; !!! Check for well-known viruses !!!
chain=input action=jump jump-target=virus

12 ;;; UDP
chain=input protocol=udp action=accept

13 ;;; Allow limited pings 50 over 5 seconds
chain=input protocol=icmp limit=50/5s,2 action=accept

14 ;;; Drop excess Pings
chain=input protocol=icmp action=drop

15 ;;; Allow Winbox connection
chain=input protocol=tcp dst-port=8291 action=accept

16 ;;; TIT1 traffic allowed
chain=input src-address=10.0.0.0/24 action=accept

17 ;;; Home Office traffic allowed
chain=input src-address=192.168.0.0/24 action=accept

18 ;;; Log and drop everything else
chain=input action=log log-prefix=""

19 X ;;; Log and drop everything else
chain=input action=drop




20 ;;; Drop invalid connections
chain=forward connection-state=invalid action=drop

21 ;;; Established connections
chain=forward connection-state=established action=accept

22 ;;; Related connections
chain=forward connection-state=related action=accept

23 ;;; !!! Check for well-known viruses !!!
chain=forward action=jump jump-target=virus

24 ;;; UDP
chain=forward protocol=udp action=accept

25 ;;; Allow limited pings: 50 over 5 seconds
chain=forward protocol=icmp limit=50/5s,2 action=accept

26 ;;; Drop excess Pings
chain=forward protocol=icmp action=drop

27 X chain=forward action=drop





28 ;;; Drop Blaster Worm
chain=virus protocol=tcp dst-port=135-139 action=drop

29 X ;;; Drop Messenger Worm
chain=virus protocol=udp dst-port=135-139 action=drop

30 ;;; Drop Blaster Worm
chain=virus protocol=tcp dst-port=445 action=drop

31 ;;; Drop Blaster Worm
chain=virus protocol=udp dst-port=445 action=drop

32 ;;; ________
chain=virus protocol=tcp dst-port=593 action=drop

33 ;;; ________
chain=virus protocol=tcp dst-port=1024-1030 action=drop

34 ;;; Drop MyDoom
chain=virus protocol=tcp dst-port=1080 action=drop

35 ;;; ________
chain=virus protocol=tcp dst-port=1214 action=drop

36 ;;; ndm requester
chain=virus protocol=tcp dst-port=1363 action=drop

37 ;;; ndm server
chain=virus protocol=tcp dst-port=1364 action=drop

38 ;;; screen cast
chain=virus protocol=tcp dst-port=1368 action=drop

39 ;;; hromgrafx
chain=virus protocol=tcp dst-port=1373 action=drop

40 ;;; cichlid
chain=virus protocol=tcp dst-port=1377 action=drop

41 ;;; Worm
chain=virus protocol=tcp dst-port=1433-1434 action=drop

42 ;;; Bagle Virus
chain=virus protocol=tcp dst-port=2745 action=drop

43 ;;; Drop Dumaru.Y
chain=virus protocol=tcp dst-port=2283 action=drop

44 ;;; Drop Beagle
chain=virus protocol=tcp dst-port=2535 action=drop

45 ;;; Drop Beagle.C-K
chain=virus protocol=tcp dst-port=2745 action=drop

46 ;;; Drop MyDoom
chain=virus protocol=tcp dst-port=3127-3128 action=drop

47 ;;; Drop Backdoor OptixPro
chain=virus protocol=tcp dst-port=3410 action=drop

48 ;;; Worm
chain=virus protocol=tcp dst-port=4444 action=drop

49 ;;; Worm
chain=virus protocol=udp dst-port=4444 action=drop

50 ;;; Drop Sasser
chain=virus protocol=tcp dst-port=5554 action=drop

51 ;;; Drop Beagle.B
chain=virus protocol=tcp dst-port=8866 action=drop

52 ;;; Drop Dabber.A-B
chain=virus protocol=tcp dst-port=9898 action=drop

53 ;;; Drop Dumaru.Y
chain=virus protocol=tcp dst-port=10000 action=drop

54 ;;; Drop MyDoom.B
chain=virus protocol=tcp dst-port=10080 action=drop

55 ;;; Drop NetBus
chain=virus protocol=tcp dst-port=12345 action=drop

56 ;;; Drop Kuang2
chain=virus protocol=tcp dst-port=17300 action=drop

57 ;;; Drop SubSeven
chain=virus protocol=tcp dst-port=27374 action=drop

58 ;;; Drop PhatBot, Agobot, Gaobot
chain=virus protocol=tcp dst-port=65506 action=drop

59 chain=virus action=return

If no match is found in the child chain, the packet will return to the parent chain.

Thanks Eugene. So #59 isn’t needed (I have that disabled anyhow).

I’d appreciate any feedback on the filter as well. I’m missing some that I need to add, but I’m not sure what they are. I’d like to add a "drop remaining packets" rule in the forward/input chains, but I don’t want to enable that as of yet. Unless someone complains about something not working, I don’t know what else I should add.

I think the packet will return anyway even without ‘action=return’. If you want to apply a specific action to traffic passed through the ‘virus’ chain, add the appropriate action at the end of the chain.
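To make the two questions in this thread concrete (whether a jumped-to chain needs a trailing action=return, and why enabling the final forward drop starts dropping end-user traffic), here is an added Python model of RouterOS filter-chain evaluation. It is not part of the original post and is not RouterOS code: it transcribes a subset of the rules listed above (rule numbers kept for reference), treats the limit= on the ICMP rule as always matching, and adds one hypothetical rule, ACCEPT_NEW_FROM_LAN, which is not on the page, to show where an accept for LAN-originated new connections would have to sit. The sample packets are constructed, not captured traffic.

```python
import ipaddress

# Added example (not from the original post): transcription of a subset of the
# forward and virus chains printed above. Only the matchers those rules use are
# modelled; the limit= on the ICMP accept is treated as always matching.
RULES = [
    dict(n=20, chain="forward", cstate="invalid", action="drop"),
    dict(n=21, chain="forward", cstate="established", action="accept"),
    dict(n=22, chain="forward", cstate="related", action="accept"),
    dict(n=23, chain="forward", action="jump", target="virus"),
    dict(n=24, chain="forward", proto="udp", action="accept"),
    dict(n=25, chain="forward", proto="icmp", action="accept"),
    dict(n=26, chain="forward", proto="icmp", action="drop"),
    dict(n=27, chain="forward", action="drop", disabled=True),  # X in the printout
    dict(n=28, chain="virus", proto="tcp", dports=(135, 139), action="drop"),
    dict(n=30, chain="virus", proto="tcp", dports=(445, 445), action="drop"),
    dict(n=48, chain="virus", proto="tcp", dports=(4444, 4444), action="drop"),
    dict(n=59, chain="virus", action="return"),
]

# Hypothetical rule, NOT on the page: accept new connections originating from
# 192.168.0.0/24 (the "Home Office" range used in the input chain above).
ACCEPT_NEW_FROM_LAN = dict(n="lan-new", chain="forward", cstate="new",
                           src="192.168.0.0/24", action="accept")


def matches(rule, pkt):
    """True when every matcher present on the rule agrees with the packet."""
    if "cstate" in rule and pkt["cstate"] != rule["cstate"]:
        return False
    if "proto" in rule and pkt["proto"] != rule["proto"]:
        return False
    if "dports" in rule:
        lo, hi = rule["dports"]
        if not lo <= pkt.get("dport", -1) <= hi:
            return False
    if "src" in rule and ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(rule["src"]):
        return False
    return True


def walk(rules, chain, pkt, trace):
    """Evaluate one chain top to bottom.

    Returns 'accept' or 'drop' when a terminal rule matches, or None when the chain
    is exhausted or hits action=return. For a jumped-to chain, None means "carry on
    in the parent at the rule after the jump", so a trailing action=return is redundant.
    """
    for r in rules:
        if r["chain"] != chain or r.get("disabled") or not matches(r, pkt):
            continue
        trace.append(r["n"])
        action = r["action"]
        if action in ("accept", "drop"):
            return action
        if action == "return":
            return None
        if action == "jump":
            verdict = walk(rules, r["target"], pkt, trace)
            if verdict is not None:
                return verdict
        # action=log, or a jump whose child matched nothing, is passthrough: keep going
    return None


def evaluate(rules, chain, pkt):
    """Final verdict for a packet entering a built-in chain plus the matched-rule trace.
    With no terminal match at all, a RouterOS built-in chain defaults to accept."""
    trace = []
    verdict = walk(rules, chain, pkt, trace)
    return (verdict or "accept"), trace


def enable(rules, n):
    """Copy of the rule list with rule n enabled (e.g. the disabled catch-all drop)."""
    return [dict(r, disabled=False) if r["n"] == n else r for r in rules]


def insert_before(rules, n, new_rule):
    """Copy of the rule list with new_rule placed immediately before rule n."""
    idx = next(i for i, r in enumerate(rules) if r["n"] == n)
    return rules[:idx] + [new_rule] + rules[idx:]


# Constructed sample packets (not captured traffic): new connections from the LAN.
LAN_HTTPS = dict(cstate="new", proto="tcp", dport=443, src="192.168.0.10")
LAN_DNS = dict(cstate="new", proto="udp", dport=53, src="192.168.0.10")
LAN_SMB = dict(cstate="new", proto="tcp", dport=445, src="192.168.0.10")

if __name__ == "__main__":
    variants = [("as posted", RULES),
                ("rule 27 enabled", enable(RULES, 27)),
                ("rule 27 enabled + hypothetical LAN accept",
                 insert_before(enable(RULES, 27), 27, ACCEPT_NEW_FROM_LAN))]
    for label, rules in variants:
        for name, pkt in [("https", LAN_HTTPS), ("dns", LAN_DNS), ("smb", LAN_SMB)]:
            print(f"{label:45} {name:5} -> {evaluate(rules, 'forward', pkt)}")
```

Running it gives the same verdict for the TCP/443 packet whether or not rule 59 is present: the virus chain matches nothing, the packet comes back to rule 24 and onward, which is the point made above. It also shows why enabling rule 27 hurts end users: a new UDP/53 lookup is accepted by rule 24, but a new TCP connection from the LAN reaches the catch-all drop because nothing before it accepts connection-state=new TCP, while a TCP/445 packet is dropped inside the virus chain and never returns to the parent at all.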

Thanks sergejs. Does anyone have any suggestions on what else to add to the forward and input chains?

Seems to be fine. One more example of a good firewall:
http://wiki.mikrotik.com/wiki/Dmitry_on_firewalling

In Dmitry's example:

add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=3128 action=mark-connection new-connection-mark=proxy passthrough=no

If I set the proxy port to 8080, then the dst-port will be 8080 instead of the default 3128, right?

right