How are my firewall rules?

I’m looking for feedback or recommendations on my firewall rules. I’ve spent a couple of years refining and adding to my rules and recently made a lot of changes. Am I missing anything? Is there something I should do a different way? Is there a way to consolidate any of my rules?

In filter rule 16 I was only able to add 15 ports (RouterOS limitation). Is there a good reason for not allowing more than 15 ports? Should I list each port as a separate rule? It seems like consolidating all of the ports into one rule should make it more efficient, but maybe I’m missing something?

Is there a way to consolidate the last 7 NAT rules?


/ip firewall filter
add action=drop chain=input comment="Drop Hackers Input" log=yes log-prefix="Block Hacker Input - " src-address-list=zHackers
add action=drop chain=forward comment="Drop Hackers Forward" disabled=yes log=yes log-prefix="Block Hacker Forward - " src-address-list=zHackers
add action=drop chain=forward comment="Drop Invalid Forward" connection-state=invalid
add action=accept chain=input comment="VPN IPSEC-ESP" protocol=ipsec-esp src-address-list="VPN Addresses"
add action=accept chain=input comment="VPN UDP500, 1701, 4500" port=1701,500,4500 protocol=udp src-address-list="VPN Addresses"
add action=accept chain=forward comment="Allow Established Connections Forward" connection-state=established
add action=accept chain=input comment="Allow Established Connections Input" connection-state=established
add action=drop chain=forward comment="Block server from connecting to internet" log=yes log-prefix=ServerTryingToGetOut out-interface=ether1 src-address=10.10.10.20
add action=drop chain=forward comment="Block untrusted network to anything other than WAN" in-interface=vlan30 log=yes log-prefix="Untrusted attempt - " out-interface=!ether1
add action=accept chain=input comment="Allow ICMP from Management" protocol=icmp src-address-list=management-servers
add action=accept chain=input comment="Allow Related Connections Input" connection-state=related
add action=accept chain=forward comment="Allow Related Connections Forward" connection-state=related
add action=accept chain=input comment="Allow Management to connect via 21-FTP,22-SSH,23-TELNET,80-HTTP,443-HTTPS,8291-WINBOX" dst-port=21,22,23,80,443,8291 protocol=tcp src-address-list=management-servers
add action=accept chain=forward comment="Allow UDP INBOUND 27015-Steam, 9987-TeamSpeak" dst-port=27015,9987 in-interface=ether1 protocol=udp
add action=accept chain=forward comment="Allow TCP INBOUND 25252-Minecraft, 27015-Steam, 80-HTTP 443-HTTPS" dst-port=80,443,25252,27015 in-interface=ether1 protocol=tcp
add action=accept chain=forward comment="Allow TCP Outbound 20-FTP,21-FTP,22-SSH,80-HTTP,110-POP3,123-NTP,162-SNMP,443-HTTPS,587-SMTPS,993-IMAPS,3389-RDP,5001-HTTPS-Synology,8291-Winbox,9100-HPJetDirect" dst-port=20,21,22,80,110,123,162,443,587,993,3389,5001,8291,9100 protocol=tcp src-address-list=AllowedOutboundLANs
add action=accept chain=forward comment="Allow TCP Outbound DNS" dst-address-list=TrustedDNSServers dst-port=53 protocol=tcp src-address-list=AllowedOutboundLANs
add action=accept chain=forward comment="Allow UDP Outbound DNS" dst-address-list=TrustedDNSServers dst-port=53 protocol=udp src-address-list=AllowedOutboundLANs
add action=accept chain=input comment="Allow TCP Allowed Networks to INPUT DNS" dst-address-list=TrustedDNSServers dst-port=53 protocol=tcp src-address-list=AllowedOutboundLANs
add action=accept chain=input comment="Allow UDP Allowed Networks to INPUT DNS" dst-address-list=TrustedDNSServers dst-port=53 protocol=udp src-address-list=AllowedOutboundLANs
add action=add-src-to-address-list address-list=zHackers address-list-timeout=1d chain=input comment="Unknown Attempt - treat as hacker -TCP21,22,23,53,80,443,1194,1433,8291" dst-port=21,22,23,53,80,443,1194,1433,8291 log=yes log-prefix="Add Hacker - " protocol=tcp
add action=drop chain=input comment="Drop anything undefined to INPUT"
add action=drop chain=forward comment="Drop anything undefined Forward"

/ip firewall nat
add action=accept chain=srcnat dst-address=10.1.10.0/24 src-address=10.10.10.0/24
add action=masquerade chain=srcnat out-interface=ether1
add action=dst-nat chain=dstnat comment=Minecraft dst-port=25252 protocol=tcp to-addresses=10.10.10.21 to-ports=25565
add action=dst-nat chain=dstnat comment=Steam27015UDP dst-port=27015 protocol=udp to-addresses=10.10.10.21 to-ports=27015
add action=dst-nat chain=dstnat comment=Steam27015TCP dst-port=27015 protocol=tcp to-addresses=10.10.10.21 to-ports=27015
add action=dst-nat chain=dstnat comment=WWW80 dst-port=80 protocol=tcp src-address-list=wwwusers to-addresses=172.16.10.3 to-ports=80
add action=dst-nat chain=dstnat comment="GameServer - Teamspeak UDP9987" dst-port=9987 protocol=udp to-addresses=10.10.10.21 to-ports=9987
add action=dst-nat chain=dstnat comment=HTTPS dst-port=443 protocol=tcp src-address-list=wwwusers to-addresses=172.16.10.3 to-ports=443
add action=dst-nat chain=dstnat comment="UTRedirected Maps 3128" disabled=yes dst-port=3128 protocol=tcp to-addresses=172.16.10.3 to-ports=80
add action=dst-nat chain=dstnat comment=UT7777UDP disabled=yes dst-port=7777 protocol=udp to-addresses=10.10.10.21 to-ports=7777
add action=dst-nat chain=dstnat comment=UT7778UDP disabled=yes dst-port=7778 protocol=udp to-addresses=10.10.10.21 to-ports=7778
add action=dst-nat chain=dstnat comment=UT7777TCP disabled=yes dst-port=7777 protocol=tcp to-addresses=10.10.10.21 to-ports=7777
add action=dst-nat chain=dstnat comment=UT7778TCP disabled=yes dst-port=7778 protocol=tcp to-addresses=10.10.10.21 to-ports=7778
add action=dst-nat chain=dstnat comment=UT27900UDP disabled=yes dst-port=27900 protocol=udp to-addresses=10.10.10.21 to-ports=27900
add action=dst-nat chain=dstnat comment=UT27900TCP disabled=yes dst-port=27900 protocol=tcp to-addresses=10.10.10.21 to-ports=27900

Any thoughts? Am I asking too much to have someone look through them all? If so, how about the other questions?

A few random tips:

  • Packets with connection-state=established are the most common, so it’s a good idea to have that rule as the first one.

  • You can have connection-state=established,related in one rule (*).

  • IMHO it’s clearer when you first have all chain=forward rules and then all chain=input rules (or the other way around), not both mixed together.

  • You don’t need to add separate forward rules for each forwarded port, you can use just one with connection-nat-state=dstnat (*).

  • I don’t know what’s in your TrustedDNSServers list, but somehow I doubt that the same list can be useful for both input and forward chains.

  • Your dstnat rules seem to be too broad. They take packets to any destination and send them to your servers. Usually it’s not what you want and it’s better to limit it using either dst-address=<router’s WAN address> or dst-address-type=local. But maybe you have some good reason for it.

  • If you use dstnat only to change the address and the port stays the same, you don’t need to include to-ports=.

(*) It wasn’t possible in old RouterOS a few years ago.
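As an added example (my own rewrite, not the poster's config or anything from the reply), here are the posted rules regrouped along the reply's tips: established/related combined and placed first, each chain kept together, one connection-nat-state=dstnat forward rule in place of the per-port inbound accepts, dst-address-type=local on the dst-nat rules, to-ports omitted where the port is unchanged, and the six disabled UT NAT rules collapsed into one TCP and one UDP rule. It assumes the router itself answers DNS for the LANs (so the input DNS rules need no dst-address-list, since input traffic is by definition addressed to the router) and keeps the 3128 redirect separate because it changes the port.

```routeros
# Added example: the posted rules regrouped per the reply's tips (not the original config)
/ip firewall filter
# ---- input chain ----
add chain=input action=accept connection-state=established,related comment="Most packets match here - keep first"
add chain=input action=drop connection-state=invalid comment="Drop Invalid Input"
# note: with established first, listing an address only cuts off NEW connections; existing ones run until they close
add chain=input action=drop src-address-list=zHackers log=yes log-prefix="Block Hacker Input - "
add chain=input action=accept protocol=ipsec-esp src-address-list="VPN Addresses"
add chain=input action=accept protocol=udp dst-port=500,1701,4500 src-address-list="VPN Addresses"
add chain=input action=accept protocol=icmp src-address-list=management-servers
add chain=input action=accept protocol=tcp dst-port=21,22,23,80,443,8291 src-address-list=management-servers
# assumption: the router is the LANs' DNS resolver; input packets are addressed to the router, so no dst-address-list
add chain=input action=accept protocol=udp dst-port=53 src-address-list=AllowedOutboundLANs comment="LAN to router DNS"
add chain=input action=accept protocol=tcp dst-port=53 src-address-list=AllowedOutboundLANs
add chain=input action=add-src-to-address-list address-list=zHackers address-list-timeout=1d \
    protocol=tcp dst-port=21,22,23,53,80,443,1194,1433,8291 log=yes log-prefix="Add Hacker - "
add chain=input action=drop comment="Drop anything undefined to INPUT"
# ---- forward chain ----
add chain=forward action=accept connection-state=established,related
add chain=forward action=drop connection-state=invalid
add chain=forward action=drop src-address-list=zHackers log=yes log-prefix="Block Hacker Forward - "
add chain=forward action=drop src-address=10.10.10.20 out-interface=ether1 log=yes log-prefix=ServerTryingToGetOut
add chain=forward action=drop in-interface=vlan30 out-interface=!ether1 log=yes log-prefix="Untrusted attempt - "
# one rule replaces the per-port inbound accepts: only traffic a dst-nat rule already matched is let through
add chain=forward action=accept connection-nat-state=dstnat in-interface=ether1 comment="Allow all dst-nat'd services"
add chain=forward action=accept protocol=tcp dst-port=20,21,22,80,110,123,162,443,587,993,3389,5001,8291,9100 src-address-list=AllowedOutboundLANs
add chain=forward action=accept protocol=tcp dst-port=53 dst-address-list=TrustedDNSServers src-address-list=AllowedOutboundLANs
add chain=forward action=accept protocol=udp dst-port=53 dst-address-list=TrustedDNSServers src-address-list=AllowedOutboundLANs
add chain=forward action=drop comment="Drop anything undefined Forward"

/ip firewall nat
add chain=srcnat action=accept src-address=10.10.10.0/24 dst-address=10.1.10.0/24
add chain=srcnat action=masquerade out-interface=ether1
# dst-address-type=local: only packets addressed to the router's own IPs get redirected
add chain=dstnat action=dst-nat dst-address-type=local protocol=tcp dst-port=25252 to-addresses=10.10.10.21 to-ports=25565 comment=Minecraft
add chain=dstnat action=dst-nat dst-address-type=local protocol=tcp dst-port=27015 to-addresses=10.10.10.21 comment="Steam TCP"
add chain=dstnat action=dst-nat dst-address-type=local protocol=udp dst-port=27015,9987 to-addresses=10.10.10.21 comment="Steam and TeamSpeak UDP"
add chain=dstnat action=dst-nat dst-address-type=local protocol=tcp dst-port=80,443 src-address-list=wwwusers to-addresses=172.16.10.3 comment=WWW
add chain=dstnat action=dst-nat disabled=yes dst-address-type=local protocol=tcp dst-port=3128 to-addresses=172.16.10.3 to-ports=80 comment="UTRedirected Maps 3128"
# the six disabled UT rules collapse to two: without to-ports the original destination port is kept
add chain=dstnat action=dst-nat disabled=yes dst-address-type=local protocol=udp dst-port=7777,7778,27900 to-addresses=10.10.10.21 comment="UT UDP"
add chain=dstnat action=dst-nat disabled=yes dst-address-type=local protocol=tcp dst-port=7777,7778,27900 to-addresses=10.10.10.21 comment="UT TCP"
```

Because the forward accept keys on connection-nat-state=dstnat, a port only becomes reachable from ether1 once a dst-nat rule exists for it, so the NAT table is the single place to review when auditing what is exposed.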