Firewall Issue

Hi all,

I want to know why, if you add a rule in the firewall, it must be assigned a priority in the arrangement before it takes effect. Say I have the following below:

/ip firewall filter
add action=passthrough chain=unused-hs-chain comment=\
    "place hotspot rules here" disabled=yes
add action=drop chain=forward comment="" disabled=no dst-address-list=\
    your-freedom
add action=drop chain=forward comment="" content=your-freedom disabled=no
add action=drop chain=forward comment="" disabled=no src-address=0.0.0.0/8
add action=drop chain=forward comment="" disabled=no dst-address=0.0.0.0/8
add action=drop chain=forward comment="" disabled=no src-address=127.0.0.0/8
add action=drop chain=forward comment="" disabled=no dst-address=127.0.0.0/8
add action=drop chain=forward comment="" disabled=no src-address=224.0.0.0/3
add action=drop chain=forward comment="" disabled=no dst-address=224.0.0.0/3
add action=jump chain=forward comment="" disabled=no jump-target=tcp \
    protocol=tcp
add action=jump chain=forward comment="" disabled=no jump-target=udp \
    protocol=udp
add action=jump chain=forward comment="" disabled=no jump-target=icmp \
    protocol=icmp
add action=jump chain=forward comment="" disabled=no jump-target=tcp \
    protocol=tcp
add action=jump chain=forward comment="" disabled=no jump-target=udp \
    protocol=udp
add action=jump chain=forward comment="" disabled=no jump-target=icmp \
    protocol=icmp
add action=drop chain=tcp comment="deny NFS" disabled=no dst-port=2049 \
    protocol=tcp
add action=drop chain=tcp comment="deny NetBus" disabled=no dst-port=\
    12345-12346 protocol=tcp
add action=drop chain=tcp comment="deny NetBus" disabled=no dst-port=20034 \
    protocol=tcp
add action=drop chain=tcp comment="deny BackOriffice" disabled=no dst-port=\
    3133 protocol=tcp
add action=drop chain=tcp comment="deny DHCP" disabled=no dst-port=67-68 \
    protocol=tcp
add action=drop chain=udp comment="deny TFTP" disabled=no dst-port=69 \
    protocol=udp
add action=drop chain=udp comment="deny PRC portmapper" disabled=no dst-port=\
    111 protocol=udp
add action=drop chain=udp comment="deny PRC portmapper" disabled=no dst-port=\
    135 protocol=udp
add action=drop chain=udp comment="deny NBT" disabled=no dst-port=137-139 \
    protocol=udp
add action=drop chain=udp comment="deny NFS" disabled=no dst-port=2049 \
    protocol=udp
add action=drop chain=udp comment="deny BackOriffice" disabled=no dst-port=\
    3133 protocol=udp
add action=accept chain=icmp comment="drop invalid connections" disabled=no \
    icmp-options=0:0 protocol=icmp
add action=accept chain=icmp comment="allow established connections" \
    disabled=no icmp-options=3:0 protocol=icmp
add action=accept chain=icmp comment="allow already established connections" \
    disabled=no icmp-options=3:1 protocol=icmp
add action=accept chain=icmp comment="allow source quench" disabled=no \
    icmp-options=4:0 protocol=icmp
add action=accept chain=icmp comment="allow echo request" disabled=no \
    icmp-options=8:0 protocol=icmp
add action=accept chain=icmp comment="allow time exceed" disabled=no \
    icmp-options=11:0 protocol=icmp
add action=accept chain=icmp comment="allow parameter bad" disabled=no \
    icmp-options=12:0 protocol=icmp
add action=drop chain=icmp comment="deny all other types" disabled=no
add action=drop chain=tcp comment="deny TFTP" disabled=no dst-port=69 \
    protocol=tcp
add action=drop chain=tcp comment="deny RPC portmapper" disabled=no dst-port=\
    111 protocol=tcp
add action=drop chain=tcp comment="deny RPC portmapper" disabled=no dst-port=\
    135 protocol=tcp
add action=drop chain=tcp comment="deny NBT" disabled=no dst-port=137-139 \
    protocol=tcp
add action=drop chain=tcp comment="deny cifs" disabled=no dst-port=445 \
    protocol=tcp
add action=drop chain=forward comment="" disabled=no p2p=all-p2p
add action=drop chain=forward comment="" disabled=no dst-address-list=\
    restricted
add action=drop chain=forward comment="" disabled=no src-address=0.0.0.0/8
add action=drop chain=forward comment="" disabled=no dst-address=0.0.0.0/8
add action=drop chain=forward comment="" disabled=no src-address=127.0.0.0/8
add action=drop chain=forward comment="" disabled=no dst-address=127.0.0.0/8
add action=drop chain=forward comment="" disabled=no src-address=224.0.0.0/3
add action=drop chain=forward comment="" disabled=no dst-address=224.0.0.0/3
add action=jump chain=forward comment="" disabled=no jump-target=tcp \
    protocol=tcp
add action=jump chain=forward comment="" disabled=no jump-target=udp \
    protocol=udp
add action=jump chain=forward comment="" disabled=no jump-target=icmp \
    protocol=icmp
add action=drop chain=tcp comment="deny TFTP" disabled=no dst-port=69 \
    protocol=tcp
add action=drop chain=tcp comment="deny RPC portmapper" disabled=no dst-port=\
    111 protocol=tcp
add action=drop chain=tcp comment="deny RPC portmapper" disabled=no dst-port=\
    135 protocol=tcp
add action=drop chain=tcp comment="deny NBT" disabled=no dst-port=137-139 \
    protocol=tcp
add action=drop chain=tcp comment="deny cifs" disabled=no dst-port=445 \
    protocol=tcp
add action=drop chain=tcp comment="deny NFS" disabled=no dst-port=2049 \
    protocol=tcp
add action=drop chain=tcp comment="deny NetBus" disabled=no dst-port=\
    12345-12346 protocol=tcp
add action=drop chain=tcp comment="deny NetBus" disabled=no dst-port=20034 \
    protocol=tcp
add action=drop chain=tcp comment="deny BackOriffice" disabled=no dst-port=\
    3133 protocol=tcp
add action=drop chain=tcp comment="deny DHCP" disabled=no dst-port=67-68 \
    protocol=tcp
add action=drop chain=virus comment="Drop Blaster Worm" disabled=no dst-port=\
    135-139 protocol=tcp
add action=drop chain=virus comment="Drop Messenger Worm" disabled=no \
    dst-port=135-139 protocol=udp
add action=drop chain=virus comment="Drop Blaster Worm" disabled=no dst-port=\
    445 protocol=tcp
add action=drop chain=virus comment="Drop Blaster Worm" disabled=no dst-port=\
    445 protocol=udp
add action=drop chain=virus comment=________ disabled=no dst-port=593 \
    protocol=tcp
add action=drop chain=virus comment=________ disabled=no dst-port=1024-1030 \
    protocol=tcp
add action=drop chain=virus comment="Drop MyDoom" disabled=no dst-port=1080 \
    protocol=tcp
add action=drop chain=virus comment=________ disabled=no dst-port=1214 \
    protocol=tcp
add action=drop chain=virus comment="ndm requester" disabled=no dst-port=1363 \
    protocol=tcp
add action=drop chain=virus comment="ndm server" disabled=no dst-port=1364 \
    protocol=tcp
add action=drop chain=virus comment="screen cast" disabled=no dst-port=1368 \
    protocol=tcp
add action=drop chain=virus comment=hromgrafx disabled=no dst-port=1373 \
    protocol=tcp
add action=drop chain=virus comment=cichlid disabled=no dst-port=1377 \
    protocol=tcp
add action=drop chain=virus comment=Worm disabled=no dst-port=1433-1434 \
    protocol=tcp
add action=drop chain=virus comment="Bagle Virus" disabled=no dst-port=2745 \
    protocol=tcp
add action=drop chain=virus comment="Drop Dumaru.Y" disabled=no dst-port=2283 \
    protocol=tcp
add action=drop chain=virus comment="Drop Beagle" disabled=no dst-port=2535 \
    protocol=tcp
add action=drop chain=virus comment="Drop Beagle.C-K" disabled=no dst-port=\
    2745 protocol=tcp
add action=drop chain=virus comment="Drop MyDoom" disabled=no dst-port=\
    3127-3128 protocol=tcp
add action=drop chain=virus comment="Drop Backdoor OptixPro" disabled=no \
    dst-port=3410 protocol=tcp
add action=drop chain=virus comment=Worm disabled=no dst-port=4444 protocol=\
    udp
add action=drop chain=virus comment="Drop Sasser" disabled=no dst-port=5554 \
    protocol=tcp
add action=drop chain=virus comment="Drop Beagle.B" disabled=no dst-port=8866 \
    protocol=tcp
add action=drop chain=virus comment="Drop Dabber.A-B" disabled=no dst-port=\
    9898 protocol=tcp
add action=drop chain=virus comment="Drop Dumaru.Y" disabled=no dst-port=\
    10000 protocol=tcp
add action=drop chain=virus comment="Drop MyDoom.B" disabled=no dst-port=\
    10080 protocol=tcp
add action=drop chain=virus comment="Drop NetBus" disabled=no dst-port=12345 \
    protocol=tcp
add action=drop chain=virus comment="Drop Kuang2" disabled=no dst-port=17300 \
    protocol=tcp
add action=drop chain=virus comment="Drop SubSeven" disabled=no dst-port=\
    27374 protocol=tcp
add action=drop chain=virus comment="Drop PhatBot, Agobot, Gaobot" disabled=\
    no dst-port=65506 protocol=tcp
add action=accept chain=forward comment="Allow HTTP" disabled=yes dst-port=80 \
    protocol=tcp
add action=accept chain=forward comment="Allow SMTP" disabled=no dst-port=25 \
    protocol=tcp
add action=accept chain=forward comment="allow TCP" disabled=no protocol=tcp
add action=accept chain=forward comment="allow ping" disabled=no protocol=\
    icmp
add action=accept chain=forward comment="allow udp" disabled=no protocol=udp
add action=drop chain=forward comment="drop everything else" disabled=no
add action=jump chain=forward comment="jump to the virus chain" disabled=no \
    jump-target=virus
add action=drop chain=forward comment="block torrent dns" disabled=no \
    dst-port=53 layer7-protocol=torrent-dns protocol=udp

How effectively would it work?

Thanks

Because that is how you prioritize your rules. For example if you used these two rules in this order:

/ip firewall filter
add chain=input action=drop
add chain=input action=accept protocol=icmp

Ping (protocol=icmp) would not work, because the first rule drops all input chains before the second rule is evaluated.

If you reverse the order and put the second rule first, then the router will respond to pings or other icmp stuff, but drops everything else.

Thanks Smillies, but what would you recommend to be at the top level among the rules I have listed below, for effectiveness?

I think in your case, it is not as much the order, as the number of duplicate rules you have entered. The fewer rules the router must evaluate, the faster it will work. I suggest removing the duplicates.
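As an added example (not code from the thread or from MikroTik), the following Python models the first-match walk the replies describe, including jump chains, and counts how many rules the router has to examine before it reaches a verdict. It runs the two orderings from the reply above and a handful of rules from the original post with their duplicated lines kept, so the cost of duplicates shows up as a higher rule count; matchers other than protocol and dst-port are ignored, which is an assumption of this model.

```python
import shlex
from collections import Counter
def parse_rules(script):
    """Parse one-line 'add key=value ...' statements into dicts, skipping disabled ones."""
    rules = [dict(t.split("=", 1) for t in shlex.split(l[4:]))
             for l in script.splitlines() if l.startswith("add ")]
    return [r for r in rules if r.get("disabled") != "yes"]

def matches(rule, pkt):  # model assumption: only protocol and dst-port are matched
    if "protocol" in rule and rule["protocol"] != pkt.get("protocol"):
        return False
    if "dst-port" not in rule:
        return True
    lo, _, hi = rule["dst-port"].partition("-")  # single port or lo-hi range
    return int(lo) <= pkt.get("dst_port", -1) <= int(hi or lo)

def evaluate(rules, chain, pkt):
    """Walk `chain` top to bottom; the first matching accept/drop decides.
    Returns (verdict, rules_examined); verdict None means the chain fell through."""
    examined = 0
    def walk(chain):
        nonlocal examined
        for rule in (r for r in rules if r["chain"] == chain):
            examined += 1
            if not matches(rule, pkt):
                continue
            if rule["action"] in ("accept", "drop"):
                return rule["action"]
            if rule["action"] == "jump":  # resume here if the target chain falls through
                verdict = walk(rule["jump-target"])
                if verdict is not None:
                    return verdict
            elif rule["action"] == "return":
                return None
            # passthrough: matched, but evaluation simply continues
        return None
    return walk(chain), examined
def duplicates(rules):
    """Rules identical apart from their comment: the redundancy the thread points out."""
    key = lambda r: tuple(sorted(kv for kv in r.items() if kv[0] != "comment"))
    return [dict(k) for k, n in Counter(map(key, rules)).items() if n > 1]
# Constructed scripts: the two orderings from the reply, and a forward chain built
# from rules in the original post with its duplicated lines kept.
DROP_FIRST = "add chain=input action=drop\nadd chain=input action=accept protocol=icmp"
ACCEPT_FIRST = "add chain=input action=accept protocol=icmp\nadd chain=input action=drop"
FORWARD = """add action=jump chain=forward jump-target=tcp protocol=tcp
add action=jump chain=forward jump-target=tcp protocol=tcp
add action=drop chain=tcp comment="deny NFS" dst-port=2049 protocol=tcp
add action=drop chain=tcp comment="deny NFS" dst-port=2049 protocol=tcp
add action=accept chain=forward comment="allow TCP" protocol=tcp"""
```

A ping through DROP_FIRST is dropped at rule 1 and never reaches the accept, while a web connection through FORWARD is accepted only after seven rule evaluations, four of them spent on the duplicated jump and NFS rules.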

I see now!!! :open_mouth:

Thanks guys

I think you picked up the rules from too many locations (wiki, MikroTik site, etc.), hence the duplicate rules.
I did the same when I was a newbie :slight_smile: :smiley: