In light of the http://forum.mikrotik.com/t/for-isp-how-to-really-block-invalid-icmp-tcp-udp-packets-and-others-ver-2021/75627/1 topic by rextended, I decided to discuss another angle of the firewall filter forward chain: the IP address filter. This firewall is for a setup that has a public IP address, masquerade and one local network; if you use a different setup, you will need to adjust the rules.
Let's start with my collection of IP address ranges that can't exist on the internet (if you see something missing or wrong, please let me know).
/ip firewall address-list
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=not_in_internet
And the firewall filter itself:
/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=established,related protocol=tcp
add action=fasttrack-connection chain=forward connection-state=established,related protocol=udp
add chain=forward connection-state=established,related
add action=drop chain=forward connection-state=invalid
add action=drop chain=forward connection-nat-state=!dstnat connection-state=new in-interface=sfp1_Internet
add action=drop chain=forward in-interface=sfp1_Internet src-address-list=not_in_internet
add action=drop chain=forward dst-address-list=not_in_internet in-interface=bridge_lan
add action=drop chain=forward in-interface=bridge_lan src-address=!192.168.88.0/24
So the first 4 rules are here to get rid of all packets other than connection-state=new; we will filter only those. As you can see, I use FastTrack, and since it works only for TCP and UDP traffic, I have those protocols specified there.
add action=drop chain=forward connection-nat-state=!dstnat connection-state=new in-interface=sfp1_Internet
This rule is very important (it is also included in the default MikroTik firewall configuration), but it is still missed by many. Let's imagine a situation where I'm on the same public L2 network as you are, maybe connected to the same switch; somehow I know that you use MikroTik, so most likely you have the 192.168.88.0/24 local network, and if I know your public IP address I can set a direct route to your local network. We need to block connections like that.
The only connections initiated from outside that go through the forward chain and that you might actually need are the dst-nated ones, so we can match them with the "connection-nat-state" option.
The rest of the rules are a simple IP address filter based on the address list and your local network.
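To make the rule order concrete, here is an added example (my own Python, not RouterOS code and not part of the original post) that walks constructed packets through the eight forward-chain rules above in the same order and reports which rule drops or accepts them. It also checks the not_in_internet list against the IPv4 special-purpose blocks of RFC 6890, which the list's comments cite. The connection-state and connection-nat-state values are supplied by hand (the "dstnat"/"srcnat"/"" encoding is an assumption of the model; the real router derives them from connection tracking), and 91.200.10.20 is a made-up stand-in for an arbitrary public host.

```python
"""Model of the post's forward chain on synthetic packets (added example, not RouterOS code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Address list copied from the post (list=not_in_internet).
NOT_IN_INTERNET = [ip_network(n) for n in (
    "0.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "10.0.0.0/8",
    "169.254.0.0/16", "127.0.0.0/8", "224.0.0.0/4", "198.18.0.0/15",
    "192.0.0.0/24", "192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24",
    "100.64.0.0/10", "240.0.0.0/4", "192.88.99.0/24",
)]

# IPv4 special-purpose blocks from the RFC 6890 table, used to verify that
# the list above covers every one of them (192.0.0.0/29 and 255.255.255.255/32
# are only covered because larger entries contain them).
RFC6890_IPV4 = [ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.0.0/29",
    "192.0.2.0/24", "192.88.99.0/24", "192.168.0.0/16", "198.18.0.0/15",
    "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "255.255.255.255/32",
)]

WAN = "sfp1_Internet"   # interface names as in the post
LAN = "bridge_lan"
LAN_NET = ip_network("192.168.88.0/24")


def in_list(addr: str, nets=NOT_IN_INTERNET) -> bool:
    """Equivalent of src-address-list / dst-address-list matching."""
    return any(ip_address(addr) in n for n in nets)


def uncovered_rfc6890() -> list:
    """RFC 6890 blocks that no entry of not_in_internet fully contains."""
    return [str(b) for b in RFC6890_IPV4
            if not any(b.subnet_of(n) for n in NOT_IN_INTERNET)]


@dataclass
class Packet:
    in_interface: str
    src: str
    dst: str
    protocol: str        # "tcp", "udp", "icmp", ...
    conn_state: str      # "new", "established", "related" or "invalid"
    nat_state: str = ""  # "dstnat", "srcnat" or "" (assumed model of connection-nat-state)


def forward_chain(p: Packet):
    """Walk the post's eight rules in order.

    Returns (action, rule_number, fasttracked). rule_number is None when no
    rule matched and RouterOS's implicit accept at the end of the chain applies.
    """
    # Rules 1-2 (fasttrack-connection) only mark the TCP/UDP connection; the
    # packet continues to rule 3, which is what actually accepts it.
    if p.conn_state in ("established", "related"):
        return ("accept", 3, p.protocol in ("tcp", "udp"))
    # Rule 4
    if p.conn_state == "invalid":
        return ("drop", 4, False)
    # Rule 5: new connections from the Internet survive only if they were dst-nated.
    if p.in_interface == WAN and p.conn_state == "new" and p.nat_state != "dstnat":
        return ("drop", 5, False)
    # Rule 6: even a dst-nated connection is dropped if its source is a bogon.
    if p.in_interface == WAN and in_list(p.src):
        return ("drop", 6, False)
    # Rule 7: LAN hosts must not reach unroutable destinations through the router.
    if p.in_interface == LAN and in_list(p.dst):
        return ("drop", 7, False)
    # Rule 8: anti-spoofing on the LAN side.
    if p.in_interface == LAN and ip_address(p.src) not in LAN_NET:
        return ("drop", 8, False)
    return ("accept", None, False)


# Constructed sample traffic; 91.200.10.20 stands in for an arbitrary public host.
SAMPLES = {
    "neighbour routes straight to LAN":  Packet(WAN, "91.200.10.20", "192.168.88.10", "tcp", "new"),
    "port forward":                      Packet(WAN, "91.200.10.20", "192.168.88.10", "tcp", "new", "dstnat"),
    "port forward, spoofed RFC1918 src": Packet(WAN, "10.1.2.3", "192.168.88.10", "tcp", "new", "dstnat"),
    "LAN host to 10/8":                  Packet(LAN, "192.168.88.50", "10.0.0.1", "udp", "new"),
    "LAN host with wrong source":        Packet(LAN, "172.16.5.5", "91.200.10.20", "tcp", "new"),
    "normal outbound":                   Packet(LAN, "192.168.88.50", "91.200.10.20", "tcp", "new"),
    "reply to outbound TCP":             Packet(WAN, "91.200.10.20", "192.168.88.50", "tcp", "established", "srcnat"),
    "invalid packet":                    Packet(WAN, "91.200.10.20", "192.168.88.50", "tcp", "invalid"),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:36s} -> {forward_chain(pkt)}")
    print("RFC 6890 blocks not covered:", uncovered_rfc6890() or "none")
```

Two things the walk-through makes visible: rule 5 fires before the address-list rules, so rule 6 only ever matters for connections you deliberately dst-nat (a spoofed private-range source hitting a port forward), and rule 7 matches any destination in the list, including 192.168.0.0/16, so with more than one local subnet routed through this box you would have to exempt your own prefixes or that rule drops inter-LAN traffic, which is the kind of adjustment the post's first paragraph warns about.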