Firewall rules review and suggestions

Hello all Tik Gurus,
I use these firewall rules without problems, but I want them checked by someone with more experience.
I want to improve these rules if possible: to optimize them and, if needed, to add new ones to increase security.

I have a “support” address list that allows my “admin” PCs.
And a separate Wi-Fi guest network (Wi-Fi_Guest_bridge).

Firewall rules:

# IPv4 filter rules from the post. Within each chain the rules are evaluated
# top to bottom and the first terminating action wins, so the order matters.
# NOTE(review): the forward chain below has no closing drop rule, so forwarded
# traffic that matches none of these rules is accepted by default, including
# new connections arriving on WAN. Consider ending the forward chain with a
# drop, with an explicit accept for dst-nat'ed connections if port forwards
# are in use.
/ip firewall filter
# FastTrack established/related forwarded connections. Fasttracked packets
# skip the filter rules; packets of those connections that are not
# fasttracked still rely on the established/related accept further down.
add action=fasttrack-connection chain=forward comment=\
    "Fast track- accept established/related" connection-state=\
    established,related hw-offload=yes
# WireGuard listener. There is no in-interface match, and the rule sits above
# the Syn_Flooder/Port_Scanner drops, so listed sources still reach this port.
add action=accept chain=input comment="Wireguard - UDP Allow" dst-port=1234 \
    protocol=udp
# Full trust for sources in the "support" list, both forwarded and to the
# router itself.
# NOTE(review): the match is on source address only; adding an in-interface or
# in-interface-list match would confine that trust to the segment where the
# admin PCs actually connect.
add action=accept chain=forward comment=\
    "Accept forword from support list to everywhere" src-address-list=support
add action=accept chain=input comment=\
    "Accept input from support list to everywhere" src-address-list=support
# SYN-only TCP packets from WAN, once the connection-limit of 100 per /32 is
# reached, put the source on Syn_Flooder for 30 minutes; the next rule drops
# everything from that list.
add action=add-src-to-address-list address-list=Syn_Flooder \
    address-list-timeout=30m chain=input comment=\
    "Add Syn Flood IP to the list" connection-limit=100,32 in-interface-list=\
    WAN protocol=tcp tcp-flags=syn,!fin,!rst,!psh,!ack,!urg,!ece,!cwr
add action=drop chain=input comment="Drop to syn flood list" \
    in-interface-list=WAN src-address-list=Syn_Flooder
# Port-scan detection (psd = weight threshold 21, delay threshold 3s,
# low-port weight 3, high-port weight 1). Matching WAN sources are listed for
# one week and dropped by the rule after the two detectors.
# NOTE(review): these detectors run above the input established/related
# accept, so reply traffic addressed to the router is scored as well, and UDP
# source addresses can be forged. Check the list for legitimate servers
# (upstream DNS/NTP) and consider a shorter timeout or moving detection below
# the established/related accept.
add action=add-src-to-address-list address-list=Port_Scanner \
    address-list-timeout=1w chain=input comment="Port Scanner Detect TCP" \
    in-interface-list=WAN protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list=Port_Scanner \
    address-list-timeout=1w chain=input comment="Port Scanner Detect UDP" \
    in-interface-list=WAN protocol=udp psd=21,3s,3,1
add action=drop chain=input comment="Drop to port scan list" \
    in-interface-list=WAN src-address-list=Port_Scanner
# Guest Wi-Fi and the Isolated interface may only be forwarded out via WAN;
# anything else entering on those interfaces is dropped.
add action=drop chain=forward comment=\
    "Wi-Fi Guest network drop all if not addresset to WAN(Client->WAN only)" \
    in-interface=Wi-Fi_Guest_bridge out-interface-list=!WAN
add action=drop chain=forward comment=\
    "Isolated VLAN99, drop all if not addresset to WAN(VLAN99->WAN only)" \
    in-interface=Isolated out-interface-list=!WAN
# Forwarded ICMP is handed to the ICMP chain defined at the end of this list.
# ICMP addressed to the router (input chain) is not sent through that chain.
add action=jump chain=forward comment="Jump for icmp forward flow" \
    jump-target=ICMP protocol=icmp
# Explicit WinBox block for sources outside the support list. Its position
# above the DNS accepts matters, because those accepts match port 53 on either
# side of the connection (see the note on them).
add action=drop chain=input comment=\
    "Block all access to the winbox - except to support list" dst-port=8291 \
    protocol=tcp src-address-list=!support
# Rate/connection-limit detector for SMTP (25) and submission (587).
# NOTE(review): with in-interface-list=WAN in the forward chain this lists
# external hosts connecting inward to forwarded mail ports, not LAN hosts
# sending mail outward; confirm that is the intent.
add action=add-src-to-address-list address-list=spammers \
    address-list-timeout=3h chain=forward comment=\
    "Add Spammers to the list for 3 hours" connection-limit=100,32 dst-port=\
    25,587 in-interface-list=WAN limit=100/1m,0:packet protocol=tcp
add action=drop chain=forward comment="Avoid spammers action" dst-port=25,587 \
    protocol=tcp src-address-list=spammers
# NOTE(review): port=53 matches the source OR the destination port and there
# is no interface match, so these two rules accept more than LAN DNS queries;
# the raw rules only cover dst-port=53 arriving on WAN. Prefer dst-port=53
# restricted to the LAN-side interface or interface list.
add action=accept chain=input comment="Accept DNS - UDP" port=53 protocol=udp
add action=accept chain=input comment="Accept DNS - TCP" port=53 protocol=tcp
# Established/related accepts. Most packets match here, so placing these near
# the top of each chain would shorten per-packet evaluation.
add action=accept chain=input comment=\
    "Accept to established/related connections" connection-state=\
    established,related
add action=accept chain=forward comment=\
    "Accept to established/related connections" connection-state=\
    established,related
# Invalid-state drops with logging, one per chain. On input the rule is
# immediately followed by the catch-all drop, so there it mainly adds the log
# entry.
add action=drop chain=forward comment="Drop Invalid-connections" \
    connection-state=invalid log=yes log-prefix="DROP invalid-connection:"
add action=drop chain=output comment="Drop Invalid-connections" \
    connection-state=invalid log=yes log-prefix="DROP invalid-connection:"
add action=drop chain=input comment="Drop Invalid-connections" \
    connection-state=invalid log=yes log-prefix="DROP invalid-connection:"
# Catch-all drop for the input chain.
# NOTE(review): log-prefix is set without log=yes, so these drops are not
# logged; confirm whether logging was intended.
add action=drop chain=input comment="Drop anything else!" log-prefix=Drop:
# ICMP chain, reached by the jumps from forward and output. Accepted types:
# echo request (rate-limited via limit=1,5:packet; excess falls through to
# the drop at the end of the chain), echo reply, time exceeded, destination
# unreachable codes 0-1, and fragmentation needed (3:4) for path MTU
# discovery. All other ICMP is dropped.
add action=accept chain=ICMP comment="Echo request - Avoiding Ping Flood" \
    icmp-options=8:0 limit=1,5:packet protocol=icmp
add action=accept chain=ICMP comment="Echo reply" icmp-options=0:0 protocol=\
    icmp
add action=accept chain=ICMP comment="Time Exceeded" icmp-options=11:0 \
    protocol=icmp
add action=accept chain=ICMP comment="Destination unreachable" icmp-options=\
    3:0-1 protocol=icmp
add action=accept chain=ICMP comment=PMTUD icmp-options=3:4 protocol=icmp
add action=drop chain=ICMP comment="Drop to the other ICMPs" protocol=icmp
# Router-originated ICMP goes through the same chain, so the echo-request
# limit above also applies to pings sent from the router itself.
add action=jump chain=output comment="Jump for icmp output" jump-target=ICMP \
    protocol=icmp

Mangle:

# Rewrites the MSS option of forwarded TCP SYN packets to fit the path MTU
# (new-mss=clamp-to-pmtu). passthrough=yes lets later mangle rules still see
# the packet. The rule has no interface match, so it applies to every
# forwarded TCP SYN.
/ip firewall mangle 
add action=change-mss chain=forward comment="Clamping MSS also makes things load faster because there's less fragmentation" new-mss=clamp-to-pmtu passthrough=yes protocol=tcp tcp-flags=syn

RAW:

# Raw prerouting rules are evaluated before connection tracking and before
# the filter chains. These two drop TCP and UDP packets arriving on WAN with
# destination port 53, which keeps the router's resolver unreachable from
# outside. They match the destination port only, so they do not narrow a
# filter rule that matches port 53 as a source port.
/ip firewall raw 
add action=drop chain=prerouting comment="disable DNS (TCP) from WAN for protection" dst-port=53 in-interface-list=WAN protocol=tcp
add action=drop chain=prerouting comment="disable DNS (UDP) from WAN for protection" dst-port=53 in-interface-list=WAN protocol=udp

To improve your setup, my advice is to simplify.
This should do all that is needed without the extra bloatware…
All you need to do is add any additional ALLOWED traffic.

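# Simplified baseline: accept what is explicitly allowed, then drop the rest
# on both the input and the forward chain. The forum's typographic quotes and
# {brace} annotations have been converted to straight quotes and # comments
# so the listing can be pasted into a RouterOS terminal.
#
# Before applying:
# - The interface lists LAN, WAN and Authorized and the address list Admin
#   must exist and be populated; the closing input drop otherwise blocks
#   management access. Apply from a session the WinBox rule admits, ideally
#   in Safe Mode.
# - Traffic allowed in the original post but not listed here (the WireGuard
#   UDP listener, the support list's access, guest/isolated networks that are
#   not members of LAN) needs its own accept rule above the closing drop of
#   the relevant chain.
/ip firewall filter
# --- input chain: traffic addressed to the router itself ---
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
# WinBox management access: replace xxxxxx with the WinBox port. Only sources
# in the Admin address list arriving through the Authorized interface list
# are accepted.
add action=accept chain=input in-interface-list=Authorized src-address-list=Admin dst-port=xxxxxx protocol=tcp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# DNS for LAN clients only. Add NTP or other router services here if required.
add action=accept chain=input comment="Allow LAN DNS queries-UDP" \
    dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Allow LAN DNS queries - TCP" \
    dst-port=53 in-interface-list=LAN protocol=tcp
# LAN clients get an explicit ICMP rejection (useful for tracking LAN
# issues); everything else is dropped silently by the last rule.
add action=reject chain=input in-interface-list=LAN reject-with=icmp-admin-prohibited
add action=drop chain=input comment="drop all else"
# --- forward chain: traffic routed through the router ---
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="allow internet traffic" in-interface-list=LAN out-interface-list=WAN
# Only connections that matched a dst-nat rule are admitted from WAN; with no
# port forwards configured, this rule matches nothing.
add action=accept chain=forward comment="allow dst-nat from both WAN and LAN (including port forwarding)" connection-nat-state=dstnat
# As on input: explicit rejection for LAN clients (useful for tracking LAN
# issues), silent drop for everything else.
add action=reject chain=forward in-interface-list=LAN reject-with=icmp-admin-prohibited
add action=drop chain=forward comment="drop all else"
/ip firewall nat
# Source NAT for traffic leaving via WAN, except packets handled by an IPsec
# policy (ipsec-policy=out,none).
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN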