Help combining the Default Firewall Rules with the Securing Your Router Rules?

Really enjoying my new MikroTik hAP ac2 router. I have been familiarizing myself with all the options over the past couple of weeks.

I have had a go at creating my own firewall rules building on the available resources but I have never been happy with the results.

Does anyone have any input on how best to combine the Default Firewall Rules with the rules on the Securing Your Firewall wiki page into an ultimate starting point for the firewall rules?

I feel I have a reasonable understanding of each rule individually, but what isn't clear is how best to combine these rules while keeping CPU usage to a minimum, not duplicating rules, making sure I do not remove a rule thinking it is the same when it isn't, and, where two rules do a very similar task, knowing which one is best (one example: connection-state=established,related or connection-state=established,related,untracked).

Default Firewall Rules

Input Chain

add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN

Forward Chain

add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN

Securing Your Router Firewall Rules
https://wiki.mikrotik.com/wiki/Manual:Securing_Your_Router#Firewall

Input Chain

add action=accept chain=input comment="default configuration" connection-state=established,related
add action=accept chain=input src-address-list=allowed_to_router
add action=accept chain=input protocol=icmp
add action=drop chain=input

Forward Chain

add action=fasttrack-connection chain=forward comment=FastTrack connection-state=established,related
add action=accept chain=forward comment="Established, Related"  connection-state=established,related
add action=drop chain=forward comment="Drop invalid" connection-state=invalid log=yes log-prefix=invalid
add action=drop chain=forward comment="Drop tries to reach not public addresses from LAN" dst-address-list=not_in_internet in-interface=bridge1 log=yes log-prefix=!public_from_LAN out-interface=!bridge1
add action=drop chain=forward comment="Drop incoming packets that are not NATted" connection-nat-state=!dstnat connection-state=new in-interface=ether1 log=yes log-prefix=!NAT
add action=drop chain=forward comment="Drop incoming from internet which is not public IP" in-interface=ether1 log=yes log-prefix=!public src-address-list=not_in_internet
add action=drop chain=forward comment="Drop packets from LAN that do not have LAN IP" in-interface=bridge1 log=yes log-prefix=LAN_!LAN src-address=!192.168.88.0/24

one example, connection-state=established,related or connection-state=established,related,untracked

I would suggest you study firewalls a little more. From your question here it is obvious you are missing a lot of basic things about firewalls.
Also, the default firewall is a basic firewall. This does not make it bad.
A good firewall is the firewall that blocks what you need to get blocked and what must be blocked…
There is no perfect firewall by definition; it depends on your needs…
So what do you want to prevent and block with your firewall?

I have gone with a combination of both of these, but tried to base the rules on address/interface lists so they are a little less specific, and I removed the IPsec rules as I have no plans to use this.

Although I appreciate that firewall rules are specific to each user's case, a basic standard configuration was provided, which is why I originally asked my question: their default configuration doesn't seem to include their own suggestions for securing the router, and I wanted to know why.

The input chain rules below work as I would expect. If I understand correctly, the first time a connection is made to the router (i.e. new) the following drop rules are applied, and as a connection is never made, any future connections are still dropped.

I am having issues with the forward chain; this similar technique does not appear to work. Even though I have drop rules after the accept established,related rule, these are not used, and virtually everything is caught by the accept established,related rule, meaning the drop rules do not work. Do packets entering the forward chain already have the new flag set?

Thanks
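A combined ruleset along the lines this thread is asking about, written as an added example (it is not any poster's own config and not MikroTik's default config). It keeps the structure of the default config (WAN/LAN interface lists, fasttrack, the untracked state, the !dstnat rule) and folds in the wiki page's allowed_to_router and not_in_internet address lists, replacing the wiki's hard-coded ether1/bridge1 and 192.168.88.0/24 with lists. The interface names, the LAN subnet, the admin host 192.168.88.10 and the not_in_internet ranges are assumptions; adjust them for your own router. The IPsec rules are left out, as the poster above did.

```routeros
# Added example: default config + "Securing Your Router" rules, list based.
# ASSUMPTIONS (change for your router): WAN = ether1, LAN = bridge,
# LAN subnet = 192.168.88.0/24, admin workstation = 192.168.88.10.
/interface list
add name=WAN
add name=LAN
/interface list member
add interface=ether1 list=WAN
add interface=bridge list=LAN

/ip firewall address-list
# hosts allowed to manage the router (wiki: allowed_to_router); assumed admin host
add address=192.168.88.10 list=allowed_to_router comment="admin workstation (assumed)"
# assumed private/bogon ranges that should never appear on the WAN side (wiki: not_in_internet)
add address=0.0.0.0/8 list=not_in_internet
add address=10.0.0.0/8 list=not_in_internet
add address=100.64.0.0/10 list=not_in_internet
add address=127.0.0.0/8 list=not_in_internet
add address=169.254.0.0/16 list=not_in_internet
add address=172.16.0.0/12 list=not_in_internet
add address=192.0.0.0/24 list=not_in_internet
add address=192.0.2.0/24 list=not_in_internet
add address=192.168.0.0/16 list=not_in_internet
add address=198.18.0.0/15 list=not_in_internet
add address=198.51.100.0/24 list=not_in_internet
add address=203.0.113.0/24 list=not_in_internet
add address=224.0.0.0/4 list=not_in_internet
add address=240.0.0.0/4 list=not_in_internet

/ip firewall filter
# ---- input: traffic addressed to the router itself ----
add chain=input action=accept connection-state=established,related,untracked comment="accept established,related,untracked"
add chain=input action=drop connection-state=invalid comment="drop invalid"
add chain=input action=accept protocol=icmp comment="accept ICMP"
# services the router provides to the LAN; add more (e.g. NTP) only if you run them here
add chain=input action=accept in-interface-list=LAN protocol=udp dst-port=67 comment="DHCP from LAN"
add chain=input action=accept in-interface-list=LAN protocol=udp dst-port=53 comment="DNS from LAN"
add chain=input action=accept in-interface-list=LAN protocol=tcp dst-port=53 comment="DNS from LAN"
add chain=input action=accept in-interface-list=LAN src-address-list=allowed_to_router comment="management (WinBox/SSH/WebFig) only from allowed_to_router"
# explicit final drop: replaces defconf "drop all not coming from LAN" and the wiki's bare drop
add chain=input action=drop comment="drop everything else"

# ---- forward: traffic routed through the router ----
add chain=forward action=fasttrack-connection connection-state=established,related comment="fasttrack"
add chain=forward action=accept connection-state=established,related,untracked comment="accept established,related,untracked"
add chain=forward action=drop connection-state=invalid log=yes log-prefix=invalid comment="drop invalid"
# everything below only ever sees the first packet of a connection (connection-state=new)
add chain=forward action=drop connection-state=new in-interface-list=WAN connection-nat-state=!dstnat log=yes log-prefix=!NAT comment="drop new from WAN not DSTNATed"
add chain=forward action=drop connection-state=new in-interface-list=WAN src-address-list=not_in_internet log=yes log-prefix=!public comment="drop bogon sources from WAN"
add chain=forward action=drop connection-state=new in-interface-list=LAN out-interface-list=WAN dst-address-list=not_in_internet log=yes log-prefix=!public_from_LAN comment="drop LAN to non-public destinations via WAN"
add chain=forward action=drop connection-state=new in-interface-list=LAN src-address=!192.168.88.0/24 log=yes log-prefix=LAN_!LAN comment="drop LAN packets without a LAN source"
```

Two points of design worth noting. First, the drop rules in the forward chain sit after the accept established,related rule on purpose: they only need to see the first packet of a connection, which is the one carrying connection-state=new. Once that packet has been accepted and the connection fasttracked, later packets never reach the drop rules, so a connection that was already open before the rules were added keeps flowing until its tracking entry times out; removing the entries with `/ip firewall connection remove [find]` after changing rules makes new rules apply immediately, and `/ip firewall filter print stats` shows which rules are actually matching. Second, the difference between established,related and established,related,untracked: packets that were marked notrack in /ip firewall raw carry connection-state=untracked, so with a final "drop everything else" rule the accept must include untracked or that traffic is silently dropped; if nothing is marked notrack the two variants behave the same.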

Post your config and I will have a look…
/export hide-sensitive file=yourconfig (any name suffices)

I am getting more confident and things seem to be making more sense now.

Rain check on the kind offer to have a look through the config; I want to see if I can learn it myself first.

Thanks.

No worries, the first offer is free, the next one is $100 per hour… J/K
Enjoy and have fun!!