Firewall geniuses .. does this script appear to be acceptable in a small LAN configuration?
I’ve only been working on it for a month (yes, I am slow, while you are smart). My eyeballs
have crusted over from looking at the wiki. I need something simple and effective, but not overkill, in my environment.
Bottom line, will this suffice in a small office with one WAN and 8 PCs?
Flags: X - disabled, I - invalid, D - dynamic
0 D ;;; special dummy rule to show fasttrack counters
chain=forward
1 ;;; Accept Established / Related Input
chain=input connection-state=established,related
2 ;;; Allow Management Input - 192.168.88.0/24
chain=input src-address=192.168.88.0/24
3 ;;; allow l2tp
chain=input action=accept protocol=udp dst-port=1701
4 ;;; allow pptp
chain=input action=accept protocol=tcp dst-port=1723
5 ;;; allow sstp
chain=input action=accept protocol=tcp dst-port=443
6 ;;; Drop Input
chain=input action=drop log-prefix="Input Drop"
7 ;;; FastTrack Established / Related Forward
chain=forward action=fasttrack-connection connection-state=established,related
8 ;;; Accept Established / Related Forward
chain=forward connection-state=established,related
9 ;;; Allow forward traffic LAN >> WAN
chain=forward src-address=192.168.88.0/24 out-interface=ether1-gateway
10 ;;; Drop Bogon Forward >> Ether1
chain=forward action=drop src-address-list=Bogon in-interface=ether1-gateway log=yes log-prefix="Bogon Forward Drop"
11 ;;; Drop Forward
chain=forward action=drop
12 chain=input action=drop protocol=tcp in-interface=ether1-gateway dst-port=53 log=no log-prefix=""
13 chain=input action=drop protocol=udp in-interface=ether1-gateway dst-port=53 log=no log-prefix=""
I suggest using a port other than 443 for SSTP - for example 444 - and keeping 443 for SSL web management instead of port 80.
Anyway, better to use L2TP instead of SSTP, as SSTP is TCP and L2TP is UDP, thus much faster.
Here is the result of most of your recommendations, except the SSTP port change, which I will do.
Kindly review for any mistakes I may have made in the hierarchy of rules.
/ip firewall address-list
add address=192.168.88.0/24 list=support
add address=192.168.0.0/16 list=Bogon
add address=10.0.0.0/8 list=Bogon
add address=172.16.0.0/12 list=Bogon
add address=127.0.0.0/8 list=Bogon
add address=0.0.0.0/8 list=Bogon
add address=169.254.0.0/16 list=Bogon
/ip firewall filter
add chain=input comment="Accept Established / Related Input" connection-state=established,related
add chain=input comment="Allow Management Input - 192.168.88.0/24" src-address=192.168.88.0/24
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow sstp,pptp" dst-port=443,1723 protocol=tcp
add action=drop chain=input comment="Drop Input" log-prefix="Input Drop"
add action=fasttrack-connection chain=forward comment="FastTrack Established / Related Forward" connection-state=established,related
add chain=forward comment="Accept Established / Related Forward" connection-state=established,related
add chain=forward comment="Allow forward traffic LAN >> WAN" out-interface=ether1-gateway src-address=192.168.88.0/24
add action=drop chain=forward comment="Drop Forward"
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" out-interface=ether1-gateway
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=192.168.89.0/24
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set sctp disabled=yes
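Added example, not from this thread: a small first-match simulator of the revised input and forward rules above, run over a few constructed packets, so the effect of rule order can be checked before the export is loaded. The sample addresses, ports and the "bridge" interface name are assumptions for the demonstration.

```python
import ipaddress

# Rules transcribed from the revised /ip firewall filter export above. RouterOS walks a
# chain top to bottom; the first terminating match decides, and no match means accept.
RULES = [
    dict(chain="input", action="accept", comment="Accept Established / Related Input",
         connection_state={"established", "related"}),
    dict(chain="input", action="accept", comment="Allow Management Input", src_address="192.168.88.0/24"),
    dict(chain="input", action="accept", comment="allow l2tp", protocol="udp", dst_port={1701}),
    dict(chain="input", action="accept", comment="allow sstp,pptp", protocol="tcp", dst_port={443, 1723}),
    dict(chain="input", action="drop", comment="Drop Input"),
    dict(chain="forward", action="fasttrack-connection", comment="FastTrack Established / Related Forward",
         connection_state={"established", "related"}),
    dict(chain="forward", action="accept", comment="Accept Established / Related Forward",
         connection_state={"established", "related"}),
    dict(chain="forward", action="accept", comment="Allow forward traffic LAN >> WAN",
         src_address="192.168.88.0/24", out_interface="ether1-gateway"),
    dict(chain="forward", action="drop", comment="Drop Forward"),
]
TERMINAL = {"accept", "drop"}  # fasttrack-connection only marks the flow and falls through

MATCHERS = {  # rule property -> test against a packet; only properties the rule sets are checked
    "connection_state": lambda rv, pkt: pkt["connection_state"] in rv,
    "src_address": lambda rv, pkt: ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(rv),
    "protocol": lambda rv, pkt: pkt["protocol"] == rv,
    "dst_port": lambda rv, pkt: pkt["dst_port"] in rv,
    "out_interface": lambda rv, pkt: pkt["out_interface"] == rv,
}

def verdict(chain, pkt):
    """Return (action, comment) of the first terminating rule in chain that matches pkt."""
    for rule in RULES:
        if rule["chain"] != chain or rule["action"] not in TERMINAL:
            continue
        if all(MATCHERS[k](rule[k], pkt) for k in MATCHERS if k in rule):
            return rule["action"], rule["comment"]
    return "accept", "chain default"

# Constructed packets (not from the post): new connections from the internet to the
# router's DNS and SSTP ports, a LAN host browsing out, and an internet host probing a LAN PC.
SAMPLES = {
    "wan_dns_to_router": ("input", dict(connection_state="new", src="203.0.113.5", protocol="tcp", dst_port=53)),
    "wan_sstp_to_router": ("input", dict(connection_state="new", src="203.0.113.5", protocol="tcp", dst_port=443)),
    "lan_to_internet": ("forward", dict(connection_state="new", src="192.168.88.10", out_interface="ether1-gateway")),
    "wan_to_lan_pc": ("forward", dict(connection_state="new", src="203.0.113.5", out_interface="bridge")),
}

def run_samples():
    """Map each constructed packet to the (action, rule comment) that decided it."""
    return {name: verdict(chain, pkt) for name, (chain, pkt) in SAMPLES.items()}
```

The DNS sample shows why the earlier port-53 drop rules placed after "Drop Input" could never match: the catch-all drop already decides the packet.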
Howdy all, I have been sharpening my skills on the firewall filter rules, and would like your opinion of the following rules. I have a situation whereby Windows 10 firewalls are standing in the way of very expensive software for 3D scanning, and we need to disable them for it to function properly. Is there a way to block out the world, and run without local Windows firewalls, with the filter rules you see below? Thanks in advance. - Jim