Firewall Rules - Efficient or not?

Hello everyone, can somebody help me analyze the firewall rules that are currently running on my MikroTik router?

Is there something to tweak or change to make it better or more efficient? Or does it seem OK?
As far as I know, it seems to work fine at the moment…
Thank you!

/ip firewall mangle
# Tags the source of new tcp/445 (SMB) connections into Worm-Infected-p445 for 1h; the list is
# consumed by the tcp/445 drop rule in the filter forward chain.
# NOTE(review): RouterOS `limit=` matches packets while the rate is still *under* the limit, so
# the first new tcp/445 connections from *any* source match and list it. If the intent was to
# list only sources that exceed the rate, the sense is inverted — confirm (and confirm the
# `limit=5,10` argument order for this RouterOS version). No in-interface match: LAN SMB
# clients are tagged just like WAN sources.
add action=add-src-to-address-list address-list=Worm-Infected-p445 address-list-timeout=1h chain=prerouting connection-state=new disabled=no dst-port=445 limit=5,10 protocol=tcp



/ip firewall filter
# --- Static per-host MAC block (forward + input) ---
# Only meaningful for a host on a directly attached L2 segment, and a client MAC is trivially
# changed, so treat this as a convenience filter rather than a security boundary.
add action=drop chain=forward comment=10:89:FB:64:6D:1A src-mac-address=\
    10:89:FB:64:6D:1A
add action=drop chain=input comment=10:89:FB:64:6D:1A src-mac-address=\
    10:89:FB:64:6D:1A
# --- DNS ---
# Router's own resolver reachable from the LAN interface list (UDP and TCP).
add action=accept chain=input comment="Allow LAN DNS queries-UDP" dst-port=53 \
    in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Allow LAN DNS queries - TCP" dst-port=\
    53 in-interface-list=LAN protocol=tcp
# These two are forward-chain rules: they only drop DNS *transiting* the router from WAN.
# DNS aimed at the router itself arriving on WAN is an input-chain matter and is not
# restricted by them (see the unrestricted UDP accept further down).
add action=drop chain=forward comment="Drop WAN DNS queries-UDP" dst-port=53 \
    in-interface-list=WAN protocol=udp
add action=drop chain=forward comment="Drop WAN DNS queries - TCP" dst-port=\
    53 in-interface-list=WAN protocol=tcp
# --- IPsec/IKEv2 (all three currently disabled=yes, no effect) ---
add action=accept chain=input comment="Allow IPSEC/IKE2 connections" \
    disabled=yes dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="Accept in ipsec policy" disabled=yes \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="Accept out ipsec policy" disabled=\
    yes ipsec-policy=out,ipsec
# --- WireGuard ---
# Accepts *everything* to the router from 192.168.100.0/24 with no in-interface match, so a
# packet carrying that source address is accepted from any interface. NOTE(review): if this is
# the WireGuard subnet, every peer gets full access to all router services; adding
# in-interface=<wireguard interface> would bind the accept to the tunnel — confirm.
add action=accept chain=input comment="Allow Wireguard Trrafic" src-address=\
    192.168.100.0/24
# WireGuard listener on UDP 13231, reachable from anywhere (needed for roaming peers).
add action=accept chain=input comment="Allow Wireguard" dst-port=13231 \
    protocol=udp
# --- block-ddos: per src/dst pair new-connection limiter for forwarded traffic ---
# Every new forward connection jumps into block-ddos; it returns while the pair is within
# dst-limit (rate 50, burst 50, keyed on src-and-dst-addresses, 10s expiry), otherwise both
# ends are listed for 1m and the drop rule right after the jump fires for the pair.
# NOTE(review): a busy but legitimate client/server pair can reach this rate — confirm the
# threshold for this network.
add action=jump chain=forward connection-state=new jump-target=block-ddos
add action=drop chain=forward connection-state=new dst-address-list=ddosed \
    src-address-list=ddoser
add action=return chain=block-ddos dst-limit=50,50,src-and-dst-addresses/10s
add action=add-dst-to-address-list address-list=ddosed address-list-timeout=\
    1m chain=block-ddos
add action=add-src-to-address-list address-list=ddoser address-list-timeout=\
    1m chain=block-ddos
# --- Port-scan detection (input chain only: protects the router, not forwarded traffic) ---
# The drop of already-listed sources is correctly placed before the detection rules. Listing
# is by psd and by TCP flag combinations a normal stack never sends (2m, 30m for ALL/ALL).
# These sit above the established/related accept below, so every packet to the router —
# including established flows — is evaluated against all of them.
add action=drop chain=input comment="ping port scanners" src-address-list=\
    "port scanners"
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2m chain=input comment="Port scanners to list " \
    protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2m chain=input comment="NMAP FIN Stealth scan" \
    protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2m chain=input comment="SYN/FIN scan" protocol=tcp \
    tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2m chain=input comment="SYN/RST scan" protocol=tcp \
    tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2m chain=input comment="FIN/PSH/URG scan" protocol=\
    tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=30m chain=input comment="ALL/ALL scan" protocol=tcp \
    tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2m chain=input comment="NMAP NULL scan" protocol=tcp \
    tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
# --- virus chain: legacy worm/trojan port blacklist applied to all forwarded traffic ---
# Port-based drops do not identify malware; they just close these ports for transit. With a
# final drop-all rule in the forward chain (this ruleset has none) the whole chain is
# unnecessary. Duplicates: tcp/2745 is dropped twice ("Bagle Virus" and "Beagle.C-K");
# comment=________ entries are unlabelled placeholders.
add action=drop chain=virus comment="Blaster Worm" dst-port=135-139 protocol=\
    tcp
add action=drop chain=virus comment="Blaster Worm" dst-port=445 protocol=tcp
add action=drop chain=virus comment="Messenger Worm" dst-port=135-139 \
    protocol=udp
add action=drop chain=virus comment="Blaster Worm" dst-port=445 protocol=udp
add action=drop chain=virus comment=________ dst-port=593 protocol=tcp
add action=drop chain=virus comment=________ dst-port=1024-1030 protocol=tcp
add action=drop chain=virus comment=MyDoom dst-port=1080 protocol=tcp
add action=drop chain=virus comment=________ dst-port=1214 protocol=tcp
add action=drop chain=virus comment="ndm requester" dst-port=1363 protocol=\
    tcp
add action=drop chain=virus comment="ndm server" dst-port=1364 protocol=tcp
add action=drop chain=virus comment="screen cast" dst-port=1368 protocol=tcp
add action=drop chain=virus comment=hromgrafx dst-port=1373 protocol=tcp
add action=drop chain=virus comment=cichlid dst-port=1377 protocol=tcp
add action=drop chain=virus comment=Worm dst-port=1433-1434 protocol=tcp
add action=drop chain=virus comment="Bagle Virus" dst-port=2745 protocol=tcp
add action=drop chain=virus comment=Dumaru.Y dst-port=2283 protocol=tcp
add action=drop chain=virus comment=Beagle dst-port=2535 protocol=tcp
add action=drop chain=virus comment=Beagle.C-K dst-port=2745 protocol=tcp
add action=drop chain=virus comment=MyDoom dst-port=3127-3128 protocol=tcp
add action=drop chain=virus comment="Backdoor OptixPro" dst-port=3410 \
    protocol=tcp
add action=drop chain=virus comment=Sasser dst-port=5554 protocol=tcp
add action=drop chain=virus comment=Beagle.B dst-port=8866 protocol=tcp
add action=drop chain=virus comment=Dabber.A-B dst-port=9898 protocol=tcp
add action=drop chain=virus comment=Dumaru.Y dst-port=10000 protocol=tcp
add action=drop chain=virus comment=MyDoom.B dst-port=10080 protocol=tcp
add action=drop chain=virus comment=NetBus dst-port=12345 protocol=tcp
add action=drop chain=virus comment=Kuang2 dst-port=17300 protocol=tcp
add action=drop chain=virus comment=SubSeven dst-port=27374 protocol=tcp
add action=drop chain=virus comment="PhatBot, Agobot, Gaobot" dst-port=65506 \
    protocol=tcp
add action=drop chain=virus comment=Trinoo dst-port=12667 protocol=udp
add action=drop chain=virus comment=Trinoo dst-port=27665 protocol=udp
add action=drop chain=virus comment=Trinoo dst-port=31335 protocol=udp
add action=drop chain=virus comment=Trinoo dst-port=27444 protocol=udp
add action=drop chain=virus comment=Trinoo dst-port=34555 protocol=udp
add action=drop chain=virus comment=Trinoo dst-port=35555 protocol=udp
add action=drop chain=virus comment=Trinoo dst-port=27444 protocol=tcp
# Jumps *every* forwarded packet into the virus chain (no connection-state match, so
# established flows are re-checked packet by packet).
add action=jump chain=forward comment="jump to the virus chain" jump-target=\
    virus
# NOTE(review): unreachable for its own match — the virus chain above already drops tcp/445
# for all forwarded traffic ("Blaster Worm") and the jump precedes this rule, so the
# Worm-Infected-p445 list built in mangle is never consulted.
add action=drop chain=forward disabled=no dst-port=445 protocol=tcp src-address-list=Worm-Infected-p445
# --- Connection-state handling (input) ---
# Placed after the MAC/DNS/scanner rules, so established traffic to the router is evaluated
# against all of those first; these normally come first in the chain. There is no
# established/related accept in the forward chain at all, and neither input nor forward ends
# in a drop-all, so anything not explicitly dropped is accepted (RouterOS default).
add action=accept chain=input comment="Accept established connections" \
    connection-state=established
add action=accept chain=input comment="Accept related connections" \
    connection-state=related
add action=accept chain=input comment="Accept untracked connections" \
    connection-state=untracked disabled=yes
add action=drop chain=input comment="invalid connections" connection-state=\
    invalid
# NOTE(review): accepts *all* UDP to the router from *any* interface — no port, no
# in-interface, no source restriction. This exposes every UDP service on the router to the
# WAN and shadows later rules: the DNS_INPUT jump below (UDP/53) is never reached, so that
# chain, including its log=yes, is dead code. Scope this to in-interface-list=LAN, or drop
# it in favour of the specific DNS/WireGuard accepts above.
add action=accept chain=input comment=UDP protocol=udp
add action=drop chain=forward comment="invalid connections" connection-state=\
    invalid
# --- Fasttrack (DNS only) ---
# No connection-state match, so new connections are fasttracked as well; subsequent packets
# of a fasttracked flow skip the remaining filter rules below (Bruteforce, DNS_FORWARD,
# DNS_DDoS drop). The usual pattern is one fasttrack rule for
# connection-state=established,related, not per-port rules.
add action=fasttrack-connection chain=forward comment="Fasttrack DNS TCP" \
    dst-port=53 hw-offload=yes protocol=tcp
add action=fasttrack-connection chain=forward comment="Fasttrack DNS UDP" \
    dst-port=53 hw-offload=yes protocol=udp
# --- Bruteforce: staged throttle for forwarded SSH/RDP to TechsoftcenterIPBlocks ---
# Each new connection advances the source one stage (30s lists); the fourth new connection
# inside that window puts it on Bruteforce-Blacklist for 15m and later attempts are dropped.
# The chain has no accept/return, so non-blacklisted connections fall through to the rest of
# the forward chain.
add action=jump chain=forward comment=Bruteforce connection-state=new \
    dst-address-list=TechsoftcenterIPBlocks dst-port=22,3389 jump-target=\
    Bruteforce protocol=tcp
add action=drop chain=Bruteforce comment="Drop - Blacklist" src-address-list=\
    Bruteforce-Blacklist
add action=add-src-to-address-list address-list=Bruteforce-Blacklist \
    address-list-timeout=15m chain=Bruteforce comment="Add - Blacklist" \
    src-address-list=Bruteforce-Stage3
add action=add-src-to-address-list address-list=Bruteforce-Stage3 \
    address-list-timeout=30s chain=Bruteforce comment="Add - Stage-3" \
    src-address-list=Bruteforce-Stage2
add action=add-src-to-address-list address-list=Bruteforce-Stage2 \
    address-list-timeout=30s chain=Bruteforce comment="Add - Stage-2" \
    src-address-list=Bruteforce-Stage1
add action=add-src-to-address-list address-list=Bruteforce-Stage1 \
    address-list-timeout=30s chain=Bruteforce comment="Add - Stage-1"
# --- DNS_INPUT: UDP/53 to the router, LAN accepted, everyone else listed then dropped ---
# Unreachable as long as the unrestricted UDP accept above precedes this jump. Further notes:
# log=yes on the jump logs every matching packet (log flood under a real flood);
# address-list-timeout=none-dynamic keeps entries until reboot; and because UDP source
# addresses are not verified, any address that shows up as the source of a stray query —
# spoofed ones included — lands on DNS_DDoS, and the forward drop at the end of this ruleset
# then blocks LAN traffic to it. Prefer a finite timeout and in-interface-list=WAN on the
# listing rule.
add action=jump chain=input comment="Jump to DNS_INPUT Chain" dst-port=53 \
    jump-target=DNS_INPUT log=yes protocol=udp
add action=accept chain=DNS_INPUT comment=\
    "Make exceptions for LAN DNS inquiries" port=53 protocol=udp \
    src-address-list="LAN Addresses (RFC1918)"
add action=add-src-to-address-list address-list=DNS_DDoS \
    address-list-timeout=none-dynamic chain=DNS_INPUT comment=\
    "Add other DNS inquriries to DNS_DDoS Offenders List" port=53 protocol=\
    udp src-address-list="!LAN Addresses (RFC1918)"
add action=drop chain=DNS_INPUT comment=\
    "Drop Traffic Sourced from DNS_DDoS Offenders" src-address-list=DNS_DDoS
add action=return chain=DNS_INPUT comment="Return from DNS_INPUT Chain"
# --- DNS_OUTPUT: the router's own UDP DNS only to the "DNS Servers" list ---
# TCP/53 from the router is not covered.
add action=jump chain=output comment="Jump to DNS_OUTPUT Chain" dst-port=53 \
    jump-target=DNS_OUTPUT protocol=udp
add action=accept chain=DNS_OUTPUT comment=\
    "Make Exceptions for Traffic to the DNS Servers" dst-address-list=\
    "DNS Servers" dst-port=53 protocol=udp
add action=drop chain=DNS_OUTPUT comment=\
    "Drop All Other Out Bound DNS Traffic" dst-port=53 protocol=udp
add action=return chain=DNS_OUTPUT comment="Return from DNS_OUTPUT Chain"
# --- DNS_FORWARD: forwarded UDP/53 only between the LAN list and the DNS Servers list ---
# The jump has no protocol match, so every forwarded packet enters the chain; non-matching
# packets return implicitly at its end (no explicit return rule). Only UDP/53 is covered:
# TCP/53, DoT (853) and DoH (443) pass untouched, so this does not force clients onto the
# listed resolvers.
add action=jump chain=forward comment="Jump to DNS_FORWARD Chain" \
    jump-target=DNS_FORWARD
add action=accept chain=DNS_FORWARD comment=\
    "Make Exceptions for Traffic from the DNS Servers going to the LAN" \
    dst-address-list="LAN Addresses (RFC1918)" port=53 protocol=udp \
    src-address-list="DNS Servers"
add action=accept chain=DNS_FORWARD comment=\
    "Make Exceptions for Traffic from the LAN going to the DNS Servers" \
    dst-address-list="DNS Servers" port=53 protocol=udp src-address-list=\
    "LAN Addresses (RFC1918)"
add action=drop chain=DNS_FORWARD comment="Drop All Other DNS Traffic" port=\
    53 protocol=udp
# Drops forwarded traffic *to* any address on DNS_DDoS (see the DNS_INPUT note on how that
# list gets populated).
add action=drop chain=forward comment=\
    "Drop Traffic to DNS DNS_DDoS Offenders" dst-address-list=DNS_DDoS
  1. The general rule for a firewall: the allowing rules come first, and the rules that block everything else come at the end of each chain.
  2. There are a lot of extra rules associated with DNS traffic. You only need to block incoming traffic on the relevant ports from the WAN.
  3. Try to use the RAW table as much as possible to block “extra” (unwanted) traffic.
  4. I recommend you check out this thread - How to really block invalid ICMP, TCP, UDP packets and others (ver. 2021)

This is not a guide to action. This is an example of what I wanted to say.

# Stateful accepts first: input/forward admit established, related and untracked (untracked is
# what flows exempted from connection tracking in the raw table show up as); output admits
# established/related only.
/ip firewall filter add action=accept chain=input comment="Handle (input) already established, related, untracked connections" connection-state=established,related,untracked
/ip firewall filter add action=accept chain=forward comment="Handle (forward) already established, related, untracked connections" connection-state=established,related,untracked
/ip firewall filter add action=accept chain=output comment="Handle (output) already established, related connections" connection-state=established,related

# Optional catch-all loggers (disabled): enable briefly to see what the final drops below hit.
/ip firewall filter add action=log chain=input comment="Log everything else" disabled=yes
/ip firewall filter add action=log chain=forward disabled=yes
/ip firewall filter add action=log chain=output disabled=yes

# Default-deny for all three chains. NOTE(review): as shown, output accepts only
# established/related and nothing between that and the final drop admits *new* connections,
# so the router's own outbound connections (its resolver, NTP, updates) would be dropped —
# the allow rules for those have to sit in between, or the output drop has to be left out.
/ip firewall filter add action=drop chain=input comment="Drop everything else"
/ip firewall filter add action=drop chain=forward
/ip firewall filter add action=drop chain=output

And blocking

# raw/prerouting runs before connection tracking, so listed sources are discarded cheaply.
/ip firewall raw add action=drop chain=prerouting comment="Drop new connections from blacklisted IP's to this router" in-interface-list=WAN src-address-list=blacklist

# protocol=!tcp: only non-TCP from Banned-IP is dropped here; TCP from those sources still
# reaches the filter chains — presumably so it can be handled/listed there, confirm.
/ip firewall raw add action=drop chain=prerouting comment="Honeypot for Bruteforce" in-interface-list=WAN protocol=!tcp src-address-list=Banned-IP

# Drops UDP/53 and TCP/53 arriving on WAN unless the source is on Allow_ALL.
# NOTE(review): log-prefix=Attack is set but log=yes is not, so these two rules do not log.
/ip firewall raw add action=drop chain=prerouting comment="DNS DDoS drop" dst-port=53 in-interface-list=WAN log-prefix=Attack protocol=udp src-address-list=!Allow_ALL
/ip firewall raw add action=drop chain=prerouting dst-port=53 in-interface-list=WAN log-prefix=Attack protocol=tcp src-address-list=!Allow_ALL

You do not need to specify DNS port 53 in fasttrack; that is not right. Fasttrack has only one rule, and it comes at the beginning of the “forward” section.
Optimize your firewall rules according to the following https://forum.mikrotik.com/viewtopic.php?t=180838

/ip firewall filter
{Input Chain}
# Default-configuration input chain: state handling first, ICMP, then LAN.
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
# Gives every LAN host access to every service the router exposes; tighten per service/host
# if the LAN is not fully trusted.
add action=accept chain=input in-interface-list=LAN
# Default deny: whatever was not explicitly accepted above.
add action=drop chain=input comment="drop all else" 
{forward chain}
# Default-configuration forward chain. The single fasttrack rule sits first and is limited
# to established,related, so only already-accepted flows are fasttracked.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
# New connections: LAN -> WAN, plus anything that matched a dstnat (port-forward) rule.
add action=accept chain=forward comment="allow internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat
# Default deny for everything else (including WAN-initiated traffic without a dstnat).
add action=drop chain=forward
/ip firewall nat
# Source NAT for everything leaving via the WAN interface list.
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface-list=WAN

All of the rules you have are IMHO bloated crap.
Just use the default rules, with a drop-all rule at the end of the forward chain and of the input chain.
Focus your effort on what traffic you want to be allowed.

DEFAULT RULES
ADMIN RULES TO ALLOW TRAFFIC
LAST RULE BLOCK ALL ELSE.

So this looks like.
{forward chain}
# Forum-formatted skeleton: the typographic quotes (“ ”) must be straight ASCII quotes and the
# "------ ADD your RULES HERE -----" marker removed before this can be pasted into RouterOS.
add action=fasttrack-connection chain=forward comment=“defconf: fasttrack” connection-state=established,related
add action=accept chain=forward comment=“defconf: accept established,related, untracked” connection-state=established,related,untracked
add action=drop chain=forward comment=“defconf: drop invalid” connection-state=invalid
add action=accept chain=forward comment=“allow internet traffic” in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment=“allow port forwarding” connection-nat-state=dstnat
# Site-specific forward accepts go here, after the state/defconf rules and before the drop-all.
------ ADD your RULES HERE -----
add action=drop chain=forward comment=“drop all else”

{input chain}
# Forum-formatted skeleton: typographic quotes (“ ”) and the "*****" / "-------- ADD ..."
# marker lines are annotations, not RouterOS syntax; fix/remove before pasting.
add action=accept chain=input comment=“defconf: accept established,related,untracked” connection-state=established,related,untracked
add action=drop chain=input comment=“defconf: drop invalid” connection-state=invalid
add action=accept chain=input comment=“defconf: accept ICMP” protocol=icmp
# "*****": the blanket LAN accept is the line the note below refines (per-service/per-host).
add action=accept chain=input in-interface-list=LAN *****
# Site-specific input accepts (e.g. a VPN listening port) go here, before the drop-all.
-------- ADD your RULES HERE -----------
add action=drop chain=input comment=“drop all else” *****

**** Note: There is usually more nuance to what is allowed to access the router (or, specifically, the services the router provides).
Typically the admin is the only user requiring full access to the router; the rest of the users only need DNS and perhaps NTP etc.
Thus this typically evolves into something like (just an example):
# Example only, as pasted into the forum: each DNS rule is split over two lines, the
# "{and NTP *** services if required etc}" aside is prose, and the quotes are typographic —
# join the lines, drop the aside and use straight quotes before importing.
# Full router access only from the admin host on the management interface list.
add action=accept chain=input in-interface-list=Managed src-address=adminPC
# Everyone else on the LAN: just the services they need (DNS here; add NTP etc. the same way).
add action=accept chain=input comment=“Allow LAN DNS queries-UDP” \ {and NTP *** services if required etc}
dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input comment=“Allow LAN DNS queries - TCP”
dst-port=53 in-interface-list=LAN protocol=tcp

USER added rules in the input chain really detail what external ports should be open for VPN services etc…

Thank you for your time and for helping.

How do I implement these rules the right way inside your suggested rules?

# Quoted from the original ruleset. In the suggested layout these belong in the
# "ADD your RULES HERE" slot of their chain (block-ddos in forward, the scanner rules in
# input), i.e. after the defconf established/related accept and before the drop-all.
# block-ddos: per src/dst-pair new-connection limiter for forwarded traffic (1m listing).
add action=jump chain=forward connection-state=new jump-target=block-ddos
add action=drop chain=forward connection-state=new dst-address-list=ddosed \
    src-address-list=ddoser
add action=return chain=block-ddos dst-limit=50,50,src-and-dst-addresses/10s
add action=add-dst-to-address-list address-list=ddosed address-list-timeout=\
    1m chain=block-ddos
add action=add-src-to-address-list address-list=ddoser address-list-timeout=\
    1m chain=block-ddos
# Port-scan detection on input. With a drop-all at the end of input, unsolicited packets to
# closed ports are dropped anyway; the only added effect of this list is that a detected
# scanner is also refused on ports that are otherwise open (e.g. the WireGuard port), at the
# cost of evaluating every new packet against the flag rules.
add action=drop chain=input comment="ping port scanners" src-address-list=\
    "port scanners"
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2m chain=input comment="Port scanners to list " \
    protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2m chain=input comment="NMAP FIN Stealth scan" \
    protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2m chain=input comment="SYN/FIN scan" protocol=tcp \
    tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2m chain=input comment="SYN/RST scan" protocol=tcp \
    tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2m chain=input comment="FIN/PSH/URG scan" protocol=\
    tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=30m chain=input comment="ALL/ALL scan" protocol=tcp \
    tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2m chain=input comment="NMAP NULL scan" protocol=tcp \
    tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg

All of that is useless with a drop-all at the end…

You were not paying attention.
The ADMIN rules I am speaking of are the ones needed to ensure the desired user traffic flows.

Example, forward chain:
If, for example, you need a bunch of VLANs to use a shared printer on one VLAN, you would put the necessary rule in the admin rules section.

Example, input chain:
If you wanted the router to act as a WireGuard endpoint for the initial handshake,
you would put the listening port where I have shown the ADMIN rules.

See the pattern: rules only for when traffic is needed!