Firewall - drop rule within input chain

Hello,

Should the drop rule below be first or last in the input chain?

/ip firewall filter add chain=input action=drop connection-state=new src-address-list=pwlgrzs-blacklist in-interface=all-ethernet

My intention is to block according to the blacklist.

Thanks in advance.

The firewall rules are evaluated from top to bottom.
So a block list should be first.

Do you understand how the firewall chains work in RouterOS?
Asking about a single rule is not going to solve the underlying issue of not understanding how to apply them properly and safely.

What is your intention with this rule?
block WAN access to the router
OR
block WAN access to your subnets/LAN

I think you should provide your config so we can see the mess you have probably created from watching too many crappy YouTube videos (and in some cases even the MT documentation).
/export file=anynameyouwish ( minus router serial number, any public WANIP information, keys )

Here is my firewall. It is difficult to print everything because of the very long address lists.
Thank you for your time


/ip firewall filter print
Flags: X - disabled, I - invalid; D - dynamic 
 0  D ;;; special dummy rule to show fasttrack counters
      chain=forward action=passthrough 

 1    ;;; block IP based on blacklist to WAN access
      chain=input action=drop connection-state=new src-address-list=pwlgrzs-blacklist in-interface=all-ethernet log=no log-prefix="" 

 2    ;;; defconf: accept established,related,untracked
      chain=input action=accept connection-state=established,related,untracked 

 3    ;;; defconf: drop invalid
      chain=input action=drop connection-state=invalid 

 4    ;;; defconf: accept ICMP
      chain=input action=accept protocol=icmp 

 5    ;;; defconf: accept to local loopback (for CAPsMAN)
      chain=input action=accept dst-address=127.0.0.1 

 6    ;;; defconf: drop all not coming from LAN
      chain=input action=drop in-interface-list=!LAN 

 7    ;;; defconf: accept in ipsec policy
      chain=forward action=accept ipsec-policy=in,ipsec 

 8    ;;; defconf: accept out ipsec policy
      chain=forward action=accept ipsec-policy=out,ipsec 

 9 X  ;;; defconf: fasttrack
      chain=forward action=fasttrack-connection hw-offload=yes connection-state=established,related log=no log-prefix="" 
10    ;;; defconf: accept established,related, untracked
      chain=forward action=accept connection-state=established,related,untracked 

11    ;;; defconf: drop invalid
      chain=forward action=drop connection-state=invalid 

12    ;;; defconf: drop all from WAN not DSTNATed
      chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN

Nice try… Not the complete config.

Also, you didn't answer the question: What is your intention with this rule?
block WAN access to the router
OR
block WAN access to your subnets/LAN…

What are you afraid of??

Now the config is complete.
I want to block access to WAN for addresses from the list (that was my comment on this rule).
Unless you have another recommendation.


# 2024-11-30 17:36:33 by RouterOS 7.16.1
# software id = xxx
#
# Export as posted to the thread. Values shown as "xxx" / "xx" were masked by
# the poster before posting.
/interface bridge
add name=bridge1
/interface ethernet
set [ find default-name=ether1 ] comment="" \
    disable-running-check=no
set [ find default-name=ether3 ] comment="" disable-running-check=\
    no name=ether2
set [ find default-name=ether5 ] comment="" \
    disable-running-check=no name=ether3
set [ find default-name=ether6 ] comment="" \
    disable-running-check=no name=ether4
set [ find default-name=ether7 ] comment=\
    "" disable-running-check=no \
    disabled=yes name=ether5
set [ find default-name=ether2 ] comment="" disable-running-check=no \
    name=ether6
set [ find default-name=ether4 ] comment="" \
    disable-running-check=no name=ether7
/disk
set slot1 media-interface=none media-sharing=no slot=slot1
set slot2 media-interface=none media-sharing=no slot=slot2
set slot3 media-interface=none media-sharing=no slot=slot3
set slot4 media-interface=none media-sharing=no slot=slot4
set slot5 media-interface=none media-sharing=no slot=slot5
set slot6 media-interface=none media-sharing=no slot=slot6
set slot7 media-interface=none media-sharing=no slot=slot7
set slot8 media-interface=none media-sharing=no slot=slot8
set slot9 media-interface=none media-sharing=no slot=slot9
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.77.10-192.168.77.100
/ip dhcp-server
add address-pool=dhcp interface=bridge1 name=dhcp1
/port
set 0 name=serial0
set 1 name=serial1
set 2 name=serial4
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether6
add bridge=bridge1 interface=ether7
add bridge=bridge1 interface=ether4
/ip neighbor discovery-settings
set discover-interface-list=LAN
# ether1 is the only WAN member; everything behind bridge1 is LAN. The
# firewall filter and NAT rules below match on these two lists.
/interface list member
add interface=ether1 list=WAN
add interface=bridge1 list=LAN
/ip address
add address=192.168.77.1/24 comment="default configuration" interface=bridge1 \
    network=192.168.77.0
/ip dhcp-client
add interface=ether1 use-peer-dns=no
# client-id values masked by the poster.
/ip dhcp-server lease
add address=192.168.77.10 client-id=1:xx:xx:xx:xx:xx:xx mac-address=\
    9C:2F:9D:50:39:2D server=dhcp1
add address=192.168.77.11 client-id=1:xx:xx:xx:xx:xx:xx mac-address=\
    9C:29:76:51:48:9D server=dhcp1
add address=192.168.77.12 client-id=1:xx:xx:xx:xx:xx:xx mac-address=\
    26:70:95:10:48:76 server=dhcp1
/ip dhcp-server network
add address=192.168.77.0/24 dns-server=192.168.77.1 gateway=192.168.77.1 \
    netmask=24
# allow-remote-requests=yes makes the router answer DNS queries for its
# clients. Only the input-chain rules below decide who can reach it; with the
# "drop all not coming from LAN" rule in place, WAN-side queries are dropped.
/ip dns
set allow-remote-requests=yes servers=xx.xx.xx.xx,xx.xx.xx.xx \
    verify-doh-cert=yes
# Filter rules are evaluated top to bottom within each chain and the first
# match wins, so the order of the lines below is significant.
# chain=input is traffic addressed to the router itself; chain=forward is
# traffic passing through it (see the thread). The blacklist rule sits in
# input, so it only affects connections to the router, not LAN-to-WAN
# traffic, which is what the poster said they wanted to block.
/ip firewall filter
# in-interface=all-ethernet presumably matches every ethernet port, LAN side
# included, so a blacklisted LAN host is dropped here too.
add action=drop chain=input comment="block IP based on blacklist to WAN access" \
    connection-state=new in-interface=all-ethernet src-address-list=\
    pwlgrzs-blacklist
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
# ICMP is accepted from any interface (no in-interface-list restriction).
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# Last input rule: anything not arriving from the LAN list is dropped here.
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
# disabled=yes: the print output earlier in the thread shows this rule with
# the X flag.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related disabled=yes hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
# Only new WAN-originated connections without a dst-nat entry are dropped.
# There is no final "drop all else" in forward, so anything not matched above
# passes; the thread later suggests an explicit allow list plus a final drop.
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
# Presumably for hairpin NAT of port forwards; no dst-nat rules appear in
# this export, so the rule has nothing to pair with as posted.
add action=masquerade chain=srcnat comment=HairpinNat dst-address=\
    192.168.77.0/24 src-address=192.168.77.0/24
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
# telnet, ftp, www, ssh, api and api-ssl are disabled. Services not listed
# here (e.g. winbox, www-ssl) are not touched by this export — check them
# separately.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=xxx
/system note
set show-at-login=no
/system ntp client servers
add address=0.xx.pool.ntp.org
# Both jobs are disabled=yes. Their policy list includes password, sensitive,
# policy and reboot, which is far more than a fetch-and-import task needs;
# trim it to what the scripts actually use (least privilege).
/system scheduler
add disabled=yes interval=1w name=dl-mt-blacklist on-event=\
    pwlgrzs-blacklist-dl policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=2024-12-01 start-time=00:05:00
add disabled=yes interval=1w name=ins-mt-blacklist on-event=\
    pwlgrzs-blacklist-replace policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=2024-12-01 start-time=00:10:00
/system script
# Fetches blacklist.rsc over https from a third-party GitHub repository. No
# check-certificate= option is given, so whether the server certificate is
# validated depends on the fetch default for this version — confirm.
add dont-require-permissions=no name=pwlgrzs-blacklist-dl owner=admin \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    source="/tool fetch url=\"https://raw.githubusercontent.com/pwlgrzs/Mikrot\
    ik-Blacklist/master/blacklist.rsc\" mode=https"
# Clears the list and then runs /import on the downloaded file: the .rsc is
# executed as RouterOS commands with this script's (full) policy, so whoever
# controls that URL controls what runs on the router. Treat the file as
# untrusted input and review it before importing.
add dont-require-permissions=no name=pwlgrzs-blacklist-replace owner=admin \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    source="/ip firewall address-list remove [find where list=\"pwlgrzs-blackl\
    ist\"]; /import file-name=blacklist.rsc; /file remove blacklist.rsc"

Yeah I
/ip firewall address-list
add address=192.168.77.X list=Authorized comment=“admin desktop”
add address=192.168.77.Y list=Authorized comment=“admin laptop”
add address=192.168.77.Y list=Authorized comment=“admin smartphone”
/ip firewall filter
add action=accept chain=input comment=
“defconf: accept established,related,untracked” connection-state=
established,related,untracked
add action=drop chain=input comment=“defconf: drop invalid” connection-state=
invalid
add action=accept chain=input comment=“defconf: accept ICMP” protocol=icmp
add action=accept chain=input comment=“defconf: accept to local loopback (for CAPsMAN)” dst-address=127.0.0.1
add action=accept chain=input src-address-list=Authorized
add action=accept chain=input in-interface-list=LAN dst-port=53 protocol=udp
add action=accept chain=input in-interface-list=LAN dst-port=53 protocol=tcp
add action=drop chain=input comment=“drop all else”

Thanks for feedback.


1. Could you please explain what exactly creating such a list will improve?

2. So do I understand correctly that the rule below stays at the beginning of the input chain?



add chain=input action=drop connection-state=new src-address-list=pwlgrzs-blacklist in-interface=all-ethernet

No, you get rid of it; it is not required.
It is also wasteful, in that all good traffic has to pass through that rule before the rest of the rules, which is not efficient.
That traffic is already captured by the last rule…

Since you didn't answer the question → what are you afraid of???
You can do what you want; opinion provided. Good day!

The combination of these two rules:

add action=accept chain=input src-address-list=Authorized

add action=drop chain=input comment=“drop all else”

give the same (actually better) results as your:

add chain=input action=drop connection-state=new src-address-list=pwlgrzs-blacklist in-interface=all-ethernet

though with reversed logic; the set of two rules has the logic:

  1. accept those coming from an authorized list
  2. drop anything else
    while yours is:
  3. drop only those coming from addresses in the blacklist




    But then that rule (or a similar one) should go in chain forward.
    Quick recap:
  1. chain input=connection to the router
  2. chain forward=connection through the router

Well stated, except that a similar rule is also bogus in the forward chain, as we drop everything else there as well!!
add action=fasttrack-connection chain=forward connection-state=established,related
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward comment=“internet traffic” in-interface-list=LAN out-interface-list=WAN
***** add rules here *****
add action=accept chain=forward comment=“port forwarding” connection-nat-state=dstnat
add action=drop chain=forward comment="Drop all else"

Sure :slight_smile:, but at that moment you had posted only the input chain rules.

I was trying to highlight how futile it was to replace a rule that doesn't achieve its intended goal (because it is in the wrong chain) with a (better) inverted logical approach that is just as much in the wrong chain and thus fails to reach the intended goal all the same.

The worse blacklist-based approach should first go in the right chain (forward), and only then should it be replaced by the (much) better one(s).

You are right, checking one rule and ignoring the rest is of little value in this case.
I have applied your advice.
Please review the rules below and possibly advise me on something else if necessary. Thank you in advance for your feedback.


/ip firewall filter print
Flags: X - disabled, I - invalid; D - dynamic 
 0  D ;;; special dummy rule to show fasttrack counters
      chain=forward action=passthrough 

 1   ;;; defconf: accept established,related,untracked
      chain=input action=accept connection-state=established,related,untracked 

 2    ;;; defconf: drop invalid
      chain=input action=drop connection-state=invalid 

 3    ;;; defconf: accept ICMP
      chain=input action=accept protocol=icmp 

 4    ;;; defconf: accept to local loopback (for CAPsMAN)
      chain=input action=accept dst-address=127.0.0.1 

 5    chain=input action=accept src-address-list=Authorized 

 6    chain=input action=accept protocol=udp in-interface-list=LAN dst-port=53 

 7    chain=input action=accept protocol=tcp in-interface-list=LAN dst-port=53 

 8    ;;; drop all else
      chain=input action=drop 

 9    ;;; defconf: accept in ipsec policy
      chain=forward action=accept ipsec-policy=in,ipsec 

10    ;;; defconf: accept out ipsec policy
      chain=forward action=accept ipsec-policy=out,ipsec 

11    ;;; defconf: fasttrack
      chain=forward action=fasttrack-connection hw-offload=yes connection-state=established,related log=no log-prefix="" 

12    ;;; defconf: accept established,related, untracked
      chain=forward action=accept connection-state=established,related,untracked 

13    ;;; defconf: drop invalid
      chain=forward action=drop connection-state=invalid 

14    ;;; defconf: drop all from WAN not DSTNATed
      chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN

This rule is a simple default rule for the home user who is not making any changes.
Once you start making changes, one of the first things I do is:
From

14 ;;; defconf: drop all from WAN not DSTNATed
chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN

TO
add chain=forward action=accept comment="internet traffic in-interface-list=LAN out-interface-list=WAN
add chain=forward action=accept comment=“port forwarding” connection-nat-state=dstnat
{ if not required disable or remove }
***** any other allow rules ******
add chain=forward action=drop comment=“drop all else”

Other allow rules would be things like: vlanX is allowed to vlanY, admin is allowed to all vlans, all vlans are allowed to the shared printer, or a subnet is allowed out the wireguard interface, etc…

*******************************************
It's the same concept: allow only needed traffic, drop everything else.