How to block all except ...

Hello,
another question about firewall from me :slight_smile:
I’m too paranoid, so I want to block everything I don’t use. I have an RB962UiGS.

Using PPPoE from my ISP, SSH on another port, winbox. Currently I have SSH access only from LAN. I use p2p torrents too, but I don’t want to block them.

Currently I have this:

/ip firewall filter
add action=accept chain=input comment="allow SSH from local" dst-port=1922 in-interface=bridge1 protocol=tcp
add action=add-src-to-address-list address-list=remote_ssh_blacklist address-list-timeout=1w3d chain=input comment="block outside SSH permanently" connection-state=new dst-port=1922 limit=0,5:packet protocol=tcp src-address-list=remote_ssh_blacklist_temp
add action=add-src-to-address-list address-list=remote_ssh_blacklist_temp address-list-timeout=1m chain=input comment="Block outside SSH temp" connection-state=new dst-port=1922 protocol=tcp
add action=drop chain=input comment="Drop outside SSH" dst-port=1922 log=yes protocol=tcp
add action=drop chain=input comment="drop ssh brute forcers" disabled=yes dst-port=1922 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1w3d chain=input connection-state=new disabled=yes dst-port=1922 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input connection-state=new disabled=yes dst-port=1922 protocol=tcp
add action=add-src-to-address-list address-list=ssh_utok_na_port_22 address-list-timeout=1w3d chain=input comment="block attacks to 22 permanently" connection-state=new dst-port=22 protocol=tcp
add action=drop chain=input comment="drop attack to 22" dst-port=22 log=yes protocol=tcp
add action=add-src-to-address-list address-list=Connection_Limit address-list-timeout=1d chain=input comment="Connection limit because of DDoS" connection-limit=100,32 protocol=tcp
add action=jump chain=forward comment="SYN Flood protect" connection-state=new jump-target=SYN-Protect protocol=tcp tcp-flags=syn
add action=accept chain=SYN-Protect connection-state=new limit=400,5:packet protocol=tcp tcp-flags=syn
add action=drop chain=SYN-Protect connection-state=new protocol=tcp tcp-flags=syn

I found this, but I don’t know if it will be OK for me. Can anybody check it, please? Thank you.


/ip firewall filter
add chain=forward protocol=tcp connection-state=invalid action=drop comment="drop invalid connections"  
add chain=forward connection-state=established action=accept comment="allow already established connections"  
add chain=forward connection-state=related action=accept comment="allow related connections"
add chain=forward action=accept protocol=tcp dst-port=53 in-interface=LAN comment="allow DNS"
add chain=forward action=accept protocol=udp dst-port=53 in-interface=LAN comment="allow DNS"
add chain=forward action=accept protocol=tcp dst-port=80 in-interface=LAN comment="allow HTTP"
add chain=forward action=accept protocol=tcp dst-port=443 in-interface=LAN comment="allow HTTPS"
add chain=forward action=accept protocol=tcp dst-port=3389 in-interface=VPN comment="allow RDP via VPN"
add chain=forward action=drop

With this you don’t need to create individual rules per NAT rule, simply create a NAT dst rule and the firewall will open up. Established & related can also be a single rule (efficiency).
Please note I’ve included an “in-interface” in the drop rule there as well, so it doesn’t drop anything from your LAN.

/ip firewall filter
add chain=forward connection-state=established,related action=accept comment="allow already established & related connections"  
add chain=forward protocol=tcp connection-state=invalid action=drop comment="drop invalid connections" 
add chain=forward action=drop connection-nat-state=!dst-nat in-interface=WAN_INTERFACE comment="drop any other connections"
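As an added example (not code from this thread), here is a small first-match simulator of the three forward rules posted above, showing which connections they drop and which fall through to RouterOS’s implicit accept at the end of a filter chain. Interface names, the connection fields and the sample connections are constructed for the demo, and only the forward chain is modelled; the input-chain rules from the first post are a separate chain.

```python
from dataclasses import dataclass, field
from typing import Optional

WAN_INTERFACE = "pppoe-out1"   # assumed name of the PPPoE WAN interface
LAN_INTERFACE = "bridge1"      # LAN bridge, as in the first post

@dataclass
class Conn:
    in_iface: str
    protocol: str           # "tcp", "udp", ...
    state: str              # "new", "established", "related", "invalid"
    nat_state: str = ""     # "dst-nat" once a dst-nat rule has matched the connection

@dataclass
class Rule:
    action: str
    protocol: Optional[str] = None             # protocol=...
    states: set = field(default_factory=set)   # connection-state=a,b
    in_iface: Optional[str] = None             # in-interface=...
    not_nat_state: Optional[str] = None        # connection-nat-state=!X

    def matches(self, c: Conn) -> bool:
        return ((self.protocol is None or c.protocol == self.protocol)
                and (not self.states or c.state in self.states)
                and (self.in_iface is None or c.in_iface == self.in_iface)
                and (self.not_nat_state is None or c.nat_state != self.not_nat_state))

# The reply's three forward rules, in the order they were posted.
FORWARD_CHAIN = [
    Rule("accept", states={"established", "related"}),
    Rule("drop", protocol="tcp", states={"invalid"}),
    Rule("drop", in_iface=WAN_INTERFACE, not_nat_state="dst-nat"),
]

def evaluate(chain: list, c: Conn) -> str:
    """First matching rule wins; reaching the end of a filter chain means accept."""
    for r in chain:
        if r.matches(c):
            return r.action
    return "accept"

if __name__ == "__main__":
    samples = [  # constructed connections
        ("LAN -> WAN new (browsing, torrents)", Conn(LAN_INTERFACE, "tcp", "new")),
        ("WAN -> LAN new, no dst-nat", Conn(WAN_INTERFACE, "tcp", "new")),
        ("WAN -> LAN new via dst-nat port forward", Conn(WAN_INTERFACE, "tcp", "new", "dst-nat")),
        ("WAN reply to a LAN-initiated flow", Conn(WAN_INTERFACE, "tcp", "established")),
        ("WAN invalid UDP", Conn(WAN_INTERFACE, "udp", "invalid")),
    ]
    for label, c in samples:
        print(f"{label:42} -> {evaluate(FORWARD_CHAIN, c)}")
```

One thing the simulation makes visible: the invalid-drop rule as posted matches TCP only, so an invalid non-TCP connection arriving from the LAN side falls through to the implicit accept.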

So if I add only this, will it work fine?