Firewall rules sanity check

I’ve been looking at the (slightly modified over the years) default firewall rules on my home hAP ac2 in preparation for adding a couple of VLANs and isolating them from one another, and the last couple rules at the end of the forward chain seem like they could be tightened up. But I’m not a networking professional so wanted to see if I could get a sanity check before I change something with unintended consequences.

Currently the non-VLAN-related rules at the end of the forward chain are:


add action=fasttrack-connection chain=forward connection-state=established,related hw-offload=yes
add action=accept chain=forward connection-state=established,related
add action=drop chain=forward connection-state=invalid log=yes log-prefix="drop invalid forward chain"
add action=drop chain=forward in-interface-list=WAN log=yes log-prefix="Blanket DROP from WAN forward chain"

However, I’ve read lots of recommendations on the interwebs to always have a default “drop everything” rule at the end, and then only accept specific things you want to allow above that. So if my goal is to block everything coming in from the WAN side while still allowing hosts on the LAN side to access the internet, wouldn’t this be more secure (essentially whitelisting traffic originating from the LAN as opposed to blacklisting traffic originating from the WAN)? Or am I missing something important?


add action=fasttrack-connection chain=forward connection-state=established,related hw-offload=yes
add action=accept chain=forward connection-state=established,related
add action=drop chain=forward connection-state=invalid log=yes log-prefix="drop invalid forward chain"
add action=accept chain=forward in-interface-list=LAN
add action=drop chain=forward log=yes log-prefix="Blanket DROP forward chain"

Any and all advice would be greatly appreciated.

Not an expert either, so this is my personal view.
Functionally both are mostly the same. In some edge case (which I cannot directly imagine) the second version will catch more, so I guess it is the better option.

On the second option: why use two rules, hw-offload or not?

Since I have been looking into this myself lately:
the Help page on building Advanced Firewall uses a slightly different rule:

https://help.mikrotik.com/docs/spaces/ROS/pages/328513/Building+Advanced+Firewall#BuildingAdvancedFirewall-ProtecttheClients

add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN

Setting up a CHR on a cloud instance recently, I used this approach for the firewall:

  • Allow established and related
  • Drop invalid
  • Allow VPN
  • Drop all the rest

which more or less corresponds with your second option.

Interested as well to get the expert opinions.

Since I have been looking into this myself lately:
the Help page on building Advanced Firewall uses a slightly different rule:

https://help.mikrotik.com/docs/spaces/R > … theClients

add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN

Yeah, it’s been a while since I first set this up, but I believe that was the original factory default “catch-all” rule. I think I read somewhere that it’s intended to allow people to forward port(s) while still blocking other traffic from the internet side(?), which I don’t need to do, so I removed the “connection-nat-state” and “connection-state” criteria to make it as broad as possible.

With regards to your question about hw-offloading, that was also part of the default factory rule set and I can’t find much documentation about what it does in the context of firewalls. Not sure if that is a matching criterion or an action to apply to packets that match the rest of the rule.
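Added example, not code from any of the posts above or from MikroTik: a small first-match simulation of the three forward-chain tails discussed in this thread (the original poster's current "drop from WAN" tail, the proposed "accept LAN then drop all" tail, and the defconf "drop all from WAN not DSTNATed" rule), run against constructed packets. Interface names, interface-list membership (ether1 in WAN; bridge and vlan10 in LAN; vlan99 deliberately in neither list) and the sample packets are assumptions made for the example. fasttrack-connection is modelled as a non-terminating marking action, with the following accept rule doing the accepting, and a chain with no matching terminating rule ends in RouterOS's implicit accept.

```python
"""
Simulated evaluation of the three RouterOS forward-chain variants from this thread.
Added example, not code from the posts or from MikroTik. Interface names, list
membership and the sample packets are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# Constructed interface lists. 'vlan99' is in neither list, modelling a VLAN
# interface that was added to the router but not (yet) added to the LAN list.
IFACE_LISTS: Dict[str, FrozenSet[str]] = {
    "WAN": frozenset({"ether1"}),
    "LAN": frozenset({"bridge", "vlan10"}),
}


@dataclass(frozen=True)
class Packet:
    in_iface: str
    conn_state: str          # new | established | related | invalid
    nat_state: str = "none"  # dstnat | srcnat | none (connection-nat-state)


@dataclass(frozen=True)
class Rule:
    action: str                                  # accept | drop | fasttrack-connection
    conn_state: Optional[FrozenSet[str]] = None  # connection-state=...
    in_list: Optional[str] = None                # in-interface-list=...
    nat_state_not: Optional[str] = None          # connection-nat-state=!...
    comment: str = ""

    def matches(self, p: Packet) -> bool:
        """All specified matchers must hold; unspecified matchers match anything."""
        if self.conn_state is not None and p.conn_state not in self.conn_state:
            return False
        if self.in_list is not None and p.in_iface not in IFACE_LISTS[self.in_list]:
            return False
        if self.nat_state_not is not None and p.nat_state == self.nat_state_not:
            return False
        return True


EST_REL = frozenset({"established", "related"})

# Common head shared by all three variants (fasttrack / accept est,rel / drop invalid).
HEAD: List[Rule] = [
    Rule("fasttrack-connection", conn_state=EST_REL, comment="fasttrack est/rel"),
    Rule("accept", conn_state=EST_REL, comment="accept est/rel"),
    Rule("drop", conn_state=frozenset({"invalid"}), comment="drop invalid"),
]

CHAINS: Dict[str, List[Rule]] = {
    # OP's current tail: blacklist anything arriving from the WAN list.
    "current": HEAD + [Rule("drop", in_list="WAN", comment="blanket drop from WAN")],
    # OP's proposed tail: whitelist the LAN list, then drop everything else.
    "proposed": HEAD + [Rule("accept", in_list="LAN", comment="accept from LAN"),
                        Rule("drop", comment="blanket drop")],
    # defconf tail: drop new connections from WAN unless they were dst-nat'ed.
    "defconf": HEAD + [Rule("drop", conn_state=frozenset({"new"}), in_list="WAN",
                            nat_state_not="dstnat", comment="drop all from WAN not DSTNATed")],
}


def evaluate(chain: List[Rule], p: Packet) -> Tuple[str, str]:
    """First-match walk of one chain. fasttrack-connection is modelled as a
    non-terminating marking action (the packet keeps walking; the following
    accept rule is what accepts it). If nothing terminating matches, the
    chain falls through to RouterOS's implicit accept."""
    for rule in chain:
        if not rule.matches(p):
            continue
        if rule.action == "fasttrack-connection":
            continue
        return rule.action, rule.comment
    return "accept", "implicit chain default"


def verdicts(p: Packet) -> Dict[str, str]:
    """Verdict of every chain variant for one packet, keyed by variant name."""
    return {name: evaluate(chain, p)[0] for name, chain in CHAINS.items()}


# Constructed test traffic.
SAMPLES: Dict[str, Packet] = {
    "lan -> internet, new":           Packet("bridge", "new"),
    "wan unsolicited, new":           Packet("ether1", "new"),
    "wan port-forward (dstnat), new": Packet("ether1", "new", nat_state="dstnat"),
    "reply from internet, est":       Packet("ether1", "established"),
    "vlan not in LAN list, new":      Packet("vlan99", "new"),
    "lan, invalid":                   Packet("bridge", "invalid"),
}

if __name__ == "__main__":
    for label, pkt in SAMPLES.items():
        print(f"{label:32s}", verdicts(pkt))
```

Running it shows the two inputs on which the variants disagree. A dst-nat'ed new connection from WAN is accepted only by the defconf tail, which is what its `connection-nat-state=!dstnat` clause is for; both of the poster's tails drop it, so port forwards would need an explicit accept above the final drop. A new connection arriving on an interface in neither list (vlan99 here) falls through to the implicit accept under the "drop from WAN" tail and under defconf, but is dropped by the "accept LAN, drop all" tail: an interface forgotten from the LAN list fails closed under the whitelist and open under the blacklist.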