Firewall Improvements

Hi All,

Could I ask someone to have a look at my firewall rules below and suggest any improvements, mistakes or additions? Thanks. I’ve been reading up a bit and copied most of the rules from various sites.

The Support address list is the whole local LAN, 192.168.88.0/24.

/ip firewall filter 
add chain=input action=accept comment="allow already established and related connections" connection-state=established,related 
add chain=input action=accept comment="allow ICMP" protocol=icmp 
add chain=input action=accept comment="allow vpn" dst-port=1723 in-interface=ether1-gateway protocol=tcp 
add chain=input action=accept comment="" in-interface=ether1-gateway protocol=gre 
add chain=input action=accept comment="Accept DNS - UDP" disabled=no port=53 protocol=udp  
add chain=input action=accept comment="Accept DNS - TCP" disabled=no port=53 protocol=tcp 
add chain=input action=drop comment="Block all access to the winbox - except to support list" disabled=no dst-port=8291 protocol=tcp src-address-list=!Support 
add chain=input action=drop comment="Block all access to the API - except to support list" disabled=no dst-port=8728 protocol=tcp src-address-list=!Support 
add chain=input action=drop  comment="drop ftp" disabled=no dst-port=21 protocol=tcp 
 
 
add chain=input action=add-src-to-address-list address-list=trying_to_login address-list-timeout=1d comment="list IP's who try remote login" disabled=no dst-port=20-23 protocol=tcp  
add chain=input action=drop comment="drop ssh brute forcers" disabled=no dst-port=22 protocol=tcp src-address-list=ssh_blacklist  
add chain=input action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1w3d connection-state=new disabled=no dst-port=22 protocol=tcp src-address-list=ssh_stage3  
add chain=input action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1h connection-state=new disabled=no dst-port=22 protocol=tcp src-address-list=ssh_stage2  
add chain=input action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1h connection-state=new disabled=no dst-port=22 protocol=tcp src-address-list=ssh_stage1  
add chain=input action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1h connection-state=new disabled=no dst-port=22 protocol=tcp  
add chain=input action=accept comment="allow ssh" disabled=no dst-port=22 protocol=tcp 
 
add chain=input action=add-src-to-address-list address-list=Syn_Flooder address-list-timeout=30m comment="Add Syn Flood IP to the list" connection-limit=30,32 disabled=no protocol=tcp tcp-flags=syn 
add chain=input action=drop comment="Drop to syn flood list" disabled=no src-address-list=Syn_Flooder

add chain=input action=add-src-to-address-list address-list=Port_Scanner address-list-timeout=1w comment="Port Scanner Detect" disabled=no protocol=tcp psd=21,3s,3,1  
add chain=input action=drop comment="Drop to port scan list" disabled=no src-address-list=Port_Scanner 
 
add chain=input action=accept comment="accept lan" disabled=no in-interface=!bridge-local src-address=192.168.88.0/24 
add chain=input action=drop comment="" in-interface=!bridge-local 
 
add chain=forward action=fasttrack-connection connection-state=established,related 
add chain=forward action=accept comment="allow already established and related connections" connection-state=established,related 
add chain=forward action=drop comment="drop invalid connections" connection-state=invalid
 
add chain=forward in-interface=bridge-local action=accept

add chain=forward action=add-src-to-address-list address-list=spammers address-list-timeout=3h comment="Add Spammers to the list for 3 hours" connection-limit=30,32 disabled=no dst-port=25,587 limit=30/1m,0 protocol=tcp  
add chain=forward action=drop comment="Avoid spammers action" disabled=no dst-port=25,587 protocol=tcp src-address-list=spammers 
 
add chain=forward action=reject reject-with=icmp-host-unreachable protocol=icmp in-interface=!bridge-local out-interface=bridge-local icmp-options=8:0-255  
add chain=forward action=reject reject-with=icmp-host-unreachable protocol=icmp in-interface=!bridge-local out-interface=bridge-local icmp-options=17:0-255 
add chain=forward action=reject reject-with=icmp-host-unreachable protocol=icmp in-interface=!bridge-local out-interface=bridge-local icmp-options=15:0-255 
add chain=forward action=reject reject-with=icmp-host-unreachable protocol=icmp in-interface=!bridge-local out-interface=bridge-local icmp-options=30:0-255 
 
add chain=forward action=drop protocol=tcp port=0 
add chain=forward action=drop protocol=udp port=0 
add chain=forward action=drop 
add action=accept chain=input comment="Full access to SUPPORT address list" disabled=no src-address-list=Support 
add chain=input action=drop comment="drop everything else"

Are you running this on a RouterBoard or an x86 (PC)? :smiley:

Not sure if still relevant, but a few comments:

  • Why are you allowing external DNS lookups? No reason to do that IMHO.
  • Don’t use SSH on port 22. Instead, move it to a different (non-standard) port. Then, auto-blacklist anybody who connects to port 22. There are a lot of password brute-force attacks these days on port 22.
  • Lots of stuff for ICMP ping. Just block it, done :slight_smile:

Here’s the relevant entry from my firewall:

      ;;; Auto-block any SSH attempt on port 22
      chain=sanity-check action=add-src-to-address-list protocol=tcp address-list=blocked-addr
      address-list-timeout=3m dst-port=22 log=yes log-prefix="ssh-ban"

(and of course “blocked-addr” is dropped later)
I did it for 3 minutes since I don’t want to lock myself out if I forget to specify the port somehow :smiley:
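As an added example (not part of either post above), here is how the three suggestions in that reply could be applied to the ruleset from the first post. It assumes the same interface names (ether1-gateway for the WAN, bridge-local for the LAN) and the same Support address list, and it picks 2222 as the non-standard SSH port and 1d as the ban timeout; both values are assumptions, any free port and any timeout you are comfortable with will do. Rules are evaluated top to bottom, first match wins, so the order shown matters.

```routeros
# Added example, not from the original posts. Assumptions: WAN=ether1-gateway,
# LAN=bridge-local, Support address list = 192.168.88.0/24, SSH moved to 2222.

# 1. Move the SSH service off port 22. Do this first, from the LAN, and reconnect
#    on the new port BEFORE adding the ban rule below, or you ban yourself.
/ip service set ssh port=2222

/ip firewall filter
# Banned sources are dropped first, so no later accept rule can let them in.
add chain=input action=drop src-address-list=blocked-addr comment="drop banned sources"
add chain=input action=accept connection-state=established,related comment="established/related"
add chain=input action=drop connection-state=invalid comment="drop invalid"

# 2. DNS: answer the LAN only. The original rules had no in-interface match, so the
#    router also answered queries arriving on the WAN (an open resolver).
add chain=input action=accept protocol=udp dst-port=53 in-interface=bridge-local comment="DNS from LAN only"
add chain=input action=accept protocol=tcp dst-port=53 in-interface=bridge-local comment="DNS from LAN only"

# 3. ICMP: only from the LAN. Ping from the WAN falls through to the final drop,
#    which replaces the four per-type ICMP reject rules in the original forward chain.
add chain=input action=accept protocol=icmp in-interface=bridge-local comment="ping from LAN"

# 4. Anything that still knocks on port 22 from the WAN can only be a scanner or a
#    brute-forcer: put the source on the ban list and log it. add-src-to-address-list
#    does not terminate, so this first packet continues down and is dropped by the
#    final rule; every following packet from that source hits the first rule.
add chain=input action=add-src-to-address-list address-list=blocked-addr address-list-timeout=1d protocol=tcp dst-port=22 in-interface=ether1-gateway log=yes log-prefix="ssh-ban" comment="ban port-22 probes"

# Real SSH on the moved port, and only from the Support list.
add chain=input action=accept protocol=tcp dst-port=2222 src-address-list=Support comment="ssh (moved)"

# Keep the remaining input rules from the first post here (VPN, winbox/API for the
# Support list, the LAN accept), then finish with the catch-all drop.
add chain=input action=drop comment="drop everything else"
```

Before enabling the port-22 ban, check the result with `/ip firewall filter print` (the order printed is the order evaluated) and confirm you can open a second session on port 2222; a short address-list-timeout, as in the reply above, is the cheap insurance against a typo in that sequence.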