I’ve been tossing various firewall configuration sets back and forth and came up with the following. I’ve run this rule set against some well-known pen-testing platforms, but I wanted to see if someone could give it a once-over. Bear in mind that this is a basic rule set and does not include more advanced tarpits, bogons, etc. I would appreciate any input on the rule set below to make sure nothing is left open by accident. In essence, this should block everything inbound from the zero-cloud.
/ip firewall filter
add action=drop chain=input comment="INPUT; Drop - Invalid" connection-state=invalid
add chain=input comment="INPUT; Accept - LAN" connection-state=new in-interface=bridge-local
add chain=input comment="INPUT; Accept - Established" connection-state=established
add chain=input comment="INPUT; Accept - Related" connection-state=related
add action=log chain=input comment="LOG; WAN → LAN; Winbox" connection-state=new dst-address=1.1.1.1 dst-port=8291 in-interface=ether1-gateway-pppoe log-prefix="#WinBox#" protocol=tcp
add chain=input comment="WAN → LAN; Winbox" connection-state=new dst-address=1.1.1.1 dst-port=8291 in-interface=ether1-gateway-pppoe protocol=tcp
add action=drop chain=input comment="INPUT; Drop - All"
add action=drop chain=forward comment="FORWARD; Drop - Invalid" connection-state=invalid
add chain=forward comment="FORWARD; Accept - LAN" connection-state=new in-interface=bridge-local
add chain=forward comment="FORWARD; Accept - Established" connection-state=established
add action=drop chain=forward comment="FORWARD; Drop - All"
/ip firewall nat
add action=src-nat chain=srcnat comment="LAN → WAN; Egress NAT" out-interface=ether1-gateway-pppoe src-address=10.0.0.0/24 to-addresses=2.2.2.2
Regards,
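One way to give the rule set the once-over the post asks for, as an added example that is not part of the original post and not RouterOS code: a small first-match evaluator with the input and forward chains above transcribed into it, so you can walk packets through the chains offline and see which rule terminates each one. It models only the matchers the post uses (connection-state, in-interface, protocol, dst-port, dst-address) and treats a rule with no action as accept, which is how RouterOS reads the post's rules; interface names and addresses are the post's own.

```python
# Input and forward chains of the posted rule set, in order. A rule with
# no explicit action in RouterOS is an accept, so that is what is written here.
INPUT_RULES = [
    dict(action="drop", conn="invalid"),
    dict(action="accept", conn="new", iface="bridge-local"),
    dict(action="accept", conn="established"),
    dict(action="accept", conn="related"),
    dict(action="log", conn="new", iface="ether1-gateway-pppoe",
         proto="tcp", dport=8291, dst="1.1.1.1"),
    dict(action="accept", conn="new", iface="ether1-gateway-pppoe",
         proto="tcp", dport=8291, dst="1.1.1.1"),
    dict(action="drop"),
]
FORWARD_RULES = [
    dict(action="drop", conn="invalid"),
    dict(action="accept", conn="new", iface="bridge-local"),
    dict(action="accept", conn="established"),
    dict(action="drop"),
]


def matches(rule, pkt):
    # Every matcher present on the rule must equal the packet's field;
    # a field the packet lacks (e.g. dport on ICMP) never matches.
    return all(pkt.get(k) == v for k, v in rule.items() if k != "action")


def verdict(rules, pkt):
    """Walk the chain top to bottom. 'log' is a passthrough action, so it
    records a hit and continues; the first terminating action wins. If no
    rule terminates, RouterOS's implicit chain policy is accept, which is
    why the explicit 'Drop - All' at the end of each chain matters."""
    logged = False
    for rule in rules:
        if matches(rule, pkt):
            if rule["action"] == "log":
                logged = True
                continue
            return rule["action"], logged
    return "accept", logged


if __name__ == "__main__":
    # Constructed sample packets arriving on the WAN interface.
    winbox = dict(conn="new", iface="ether1-gateway-pppoe", proto="tcp",
                  dport=8291, dst="1.1.1.1")
    ssh = dict(winbox, dport=22)
    related = dict(conn="related", iface="ether1-gateway-pppoe", proto="icmp")
    print("input  winbox :", verdict(INPUT_RULES, winbox))    # accept, logged
    print("input  tcp/22 :", verdict(INPUT_RULES, ssh))       # drop
    print("input  related:", verdict(INPUT_RULES, related))   # accept
    print("forward related:", verdict(FORWARD_RULES, related))  # drop
```

The last case is worth a look: the input chain accepts related traffic but the forward chain has no corresponding rule, so related packets transiting the router fall through to the final drop.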