Firewall rules

Dear MikroTikers,

I'd like to ask you to review my fw config: is it good against external threats?
Thank you in advance (the RDP rules are only for me to see how many "ppl" try to get in via the standard RDP port; they do nothing else).

/ip dns
set allow-remote-requests=yes
/ip firewall address-list
add address=0.0.0.0/8 comment=RFC6890 list=NotPublic
add address=10.0.0.0/8 comment=RFC6890 list=NotPublic
add address=100.64.0.0/10 comment=RFC6890 list=NotPublic
add address=127.0.0.0/8 comment=RFC6890 list=NotPublic
add address=169.254.0.0/16 comment=RFC6890 list=NotPublic
add address=172.16.0.0/12 comment=RFC6890 list=NotPublic
add address=192.0.0.0/24 comment=RFC6890 list=NotPublic
add address=192.0.2.0/24 comment=RFC6890 list=NotPublic
add address=192.168.0.0/16 comment=RFC6890 list=NotPublic
add address=192.88.99.0/24 comment=RFC3068 list=NotPublic
add address=198.18.0.0/15 comment=RFC6890 list=NotPublic
add address=198.51.100.0/24 comment=RFC6890 list=NotPublic
add address=203.0.113.0/24 comment=RFC6890 list=NotPublic
add address=224.0.0.0/4 comment=RFC4601 list=NotPublic
add address=240.0.0.0/4 comment=RFC6890 list=NotPublic
add address=192.168.13.0/24 comment="Admin-Support list" list=adminsupport
/ip firewall filter
add action=add-src-to-address-list address-list=rdp_try address-list-timeout=1d chain=input comment=RDP_Watcher_3389 connection-state=new dst-port=3389 protocol=tcp
add action=accept chain=input comment="Accept established and related packets" connection-state=established,related
add action=drop chain=input comment="Drop invalid packets" connection-state=invalid
add action=drop chain=input comment="Drop all packets which are not destined to routes IP address" dst-address-type=!local
add action=drop chain=input comment="Drop all packets which does not have unicast source IP address" src-address-type=!unicast
add action=accept chain=forward comment="Accept established and related packets" connection-state=established,related
add action=drop chain=forward comment="Drop invalid packets" connection-state=invalid
add action=drop chain=forward comment="Drop new connections from internet which are not dst-natted" connection-nat-state=!dstnat connection-state=new in-interface=ether1-wan
add action=drop chain=forward comment="Drop all packets from public internet which should not exist in public network" in-interface=ether1-wan src-address-list=NotPublic
add action=drop chain=input comment="DNS external access block UDP" dst-port=53 in-interface=ether1-wan protocol=udp
add action=drop chain=input comment="DNS external access block TCP" dst-port=53 in-interface=ether1-wan protocol=tcp
add action=drop chain=forward comment="Drop all packets from local network to internet which should not exist in public network" dst-address-list=NotPublic in-interface=vlan1
add action=drop chain=forward comment="Drop all packets from local network to internet which should not exist in public network" dst-address-list=NotPublic in-interface=vlan2
add action=drop chain=input comment="WINBOX access only from - 192.168.13.0/24" dst-port=8291 protocol=tcp src-address-list=!adminsupport
add action=accept chain=forward comment=" Forward packets which belong to natted connection are accepted" connection-nat-state=dstnat connection-state=established,related in-interface=ether1-wan
add action=drop chain=forward comment="Drop new connections from internet which are not dst-natted" connection-nat-state=!dstnat connection-state=new in-interface=ether1-wan