Firewall rules

Hi!
RouterOS and iptables are totally new to me, so I just want to verify whether my firewall configuration has any flaws. Can it get better/safer? Are the different rules in the right order?
I’m using NAT and VPN, and I’m thankful for every bit of help and any suggestions I can get :slight_smile:

# mar/23/2017 16:49:45 by RouterOS 6.38.5
# software id = XXXX-XXXX
#
/ip firewall address-list
add address=192.168.10.0/24 list=PrivateIPs
/ip firewall filter
add action=drop chain=input comment="dropping port scanners" src-address-list=port_scanners_list
add action=add-src-to-address-list address-list=port_scanners_list address-list-timeout=4w2d chain=input comment="Port scanners to list " protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list=port_scanners_list address-list-timeout=4w2d chain=input comment="NMAP FIN Stealth scan" protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list=port_scanners_list address-list-timeout=4w2d chain=input comment="SYN/FIN scan" protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list=port_scanners_list address-list-timeout=4w2d chain=input comment="SYN/RST scan" protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list=port_scanners_list address-list-timeout=4w2d chain=input comment="FIN/PSH/URG scan" protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list=port_scanners_list address-list-timeout=4w2d chain=input comment="ALL/ALL scan" protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list=port_scanners_list address-list-timeout=4w2d chain=input comment="NMAP NULL scan" protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept established,related" connection-state=established,related
add action=accept chain=input comment="VPN Allow L2TP" dst-port=1701 protocol=udp
add action=accept chain=input comment="VPN Allow PPTP" dst-port=1723 protocol=tcp
add action=accept chain=input comment="VPN Allow SSTP" dst-port=443 protocol=tcp
add action=drop chain=input comment="defconf: drop all from WAN" in-interface=ether1
add action=accept chain=forward comment="defconf: accept established,related" connection-state=established,related
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface=ether1
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=192.168.89.0/24

The input chain is ok: you allow only selected services and block the rest from WAN.

I’m not sure about the port scanners part and how much it can help. IMHO most of them don’t bother with fancy scans and only check a few ports used by the most common services. Try to connect, get a reply or not, done. Then they might either try to misuse them (open proxies, DNS resolvers, …) or guess passwords (SSH, …). On the other hand, extra checking can’t hurt.

The forward chain is less ok. Since the default action is accept, you currently allow everything. Usually you want to allow new connections only from LAN, with the exception of forwarded ports. In practice, you’re probably open only to devices in the same WAN subnet as yours, because the rest of the world would require source routing and it’s usually disabled everywhere. But it’s still a good idea to add a proper config and not allow new connections from the internet.

Thanks for the reply. I really would like to close down WAN connections, except for VPN access (RouterOS default). How shall I change my rules to support that?

There are connections to the router (chain=input) and connections through the router (chain=forward). Input from WAN is already ok; you have only ICMP and three ports allowed. But you have no filtering in the forward chain. Fasttrack speeds up established and related connections, the other rule accepts those that can’t be fasttracked, and that’s it. Everything else is accepted by default.

If you want to control what happens, a good starting point is:

/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=established,related
add action=accept chain=forward connection-state=established,related
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward in-interface=<LAN> comment="anything from LAN"
add action=accept chain=forward connection-nat-state=dstnat comment="forwarded ports"
add action=drop chain=forward comment="everything else not specifically allowed"

In your case, if you also want to allow connections inside the VPN tunnel going both ways, you want this before the last drop rule:

/ip firewall filter
add action=accept chain=forward in-interface=<VPN> out-interface=<LAN>

The other way is to just block new connections from WAN unless they are forwarded ports, which is what the default firewall does:

/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=established,related
add action=accept chain=forward connection-state=established,related
add action=drop chain=forward connection-state=invalid
add action=drop chain=forward connection-nat-state=!dstnat connection-state=new in-interface=<WAN>
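To see why the rule order in the suggested forward chain matters, here is an added first-match simulator (constructed for this thread, not RouterOS code or anything the poster ran). It walks the original forward chain and the suggested one (with the VPN-to-LAN rule placed before the final drop) over constructed packets; the interface names LAN, WAN and VPN are placeholders, and the matcher semantics are simplified.

```python
# Constructed first-match simulator for the forward chains discussed above (not RouterOS code).
# Simplified semantics: the first rule whose matchers all hold decides the packet, and a
# chain with no matching rule accepts, which is the RouterOS default policy.
from dataclasses import dataclass, field


@dataclass
class Packet:
    in_interface: str
    out_interface: str
    connection_state: str  # new | established | related | invalid
    nat_state: str = ""    # "dstnat" once a dst-nat rule has rewritten the packet


@dataclass
class Rule:
    action: str            # accept | drop | fasttrack-connection
    match: dict = field(default_factory=dict)   # empty dict matches every packet

    def matches(self, pkt):
        for attr, wanted in self.match.items():
            if getattr(pkt, attr) not in wanted.split(","):  # e.g. "established,related"
                return False
        return True


def walk_chain(chain, pkt):
    """Verdict for pkt: 'accept' or 'drop'. fasttrack-connection counts as accept here;
    in RouterOS it is paired with a plain accept for packets that cannot be fasttracked."""
    for rule in chain:
        if rule.matches(pkt):
            return "accept" if rule.action == "fasttrack-connection" else rule.action
    return "accept"  # nothing matched: implicit accept


# The poster's forward chain: only established/related is handled, so every new
# connection, including one arriving from WAN, falls through to the implicit accept.
ORIGINAL_FORWARD = [
    Rule("fasttrack-connection", {"connection_state": "established,related"}),
    Rule("accept", {"connection_state": "established,related"}),
]

# The suggested chain with the VPN->LAN rule placed before the final drop (placeholder names).
PROPOSED_FORWARD = [
    Rule("fasttrack-connection", {"connection_state": "established,related"}),
    Rule("accept", {"connection_state": "established,related"}),
    Rule("drop", {"connection_state": "invalid"}),
    Rule("accept", {"in_interface": "LAN"}),
    Rule("accept", {"nat_state": "dstnat"}),
    Rule("accept", {"in_interface": "VPN", "out_interface": "LAN"}),
    Rule("drop"),
]
```

Note that a new connection from VPN towards WAN is dropped by the suggested chain, since only VPN-to-LAN was added; swap the final drop above the LAN accept and LAN-originated traffic is dropped too, which is the ordering point the thread makes.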

Hey, is this setting good now? I really want to test it on my system too.