Would the following Filter rules compromise “proper” ICMP? If so, how should I configure to block “ping attacks” while allowing all good traffic?
add action=accept chain=input comment="Allow limited pings" limit=50/5s,2:packet protocol=icmp
add action=drop chain=input comment="Drop excess pings" protocol=icmp
Having just re-discovered the mass migraine that MTU/MSS misconfiguration can bring, I have re-enabled a pair of Mangle rules that fixed it historically:
add action=change-mss chain=forward comment="Magic fix for bad remote sites - see https://stevedischer.com/pmtu-and-mss-discovery-issues-resolved-with-mikrotik/" in-interface-list=WAN new-mss=clamp-to-pmtu passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=1453-65535
add action=change-mss chain=forward comment="Magic fix for bad remote sites - see https://stevedischer.com/pmtu-and-mss-discovery-issues-resolved-with-mikrotik/" new-mss=clamp-to-pmtu out-interface-list=WAN passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=1453-65535
Which brings me to the next question. Since the above rules are an absolutely magic fix that seems to work every time - why are they necessary for some setups but not others?
Which leads to why are they not part of a default setup, and why would I not want to have them as part of a default setup?
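The two questions are related, and an added simulation (this is example code, not from the post or from MikroTik) makes the link visible. The posted `limit=50/5s,2:packet` rule applies one shared limit to every ICMP type, so during an echo-request flood the same bucket that drops excess pings also drops "fragmentation needed" (type 3 code 4) and "time exceeded" (type 11) messages; losing type 3 code 4 is exactly the PMTUD black hole that MSS clamping works around. The `limit` matcher is modelled here as a token bucket (50 tokens per 5 s, bucket size 2, starting full), which is an assumption about RouterOS semantics; the `ESSENTIAL` set and the refined variant, which exempts those types from the limit and rate-limits only echo requests, are my choices rather than anything stated in the post. The sample packet stream is constructed.

```python
"""Added example: compare the posted "one limit for all ICMP" rule pair with a
variant that rate-limits only echo requests. Not code from the original post."""

from dataclasses import dataclass
from fractions import Fraction


@dataclass
class Icmp:
    t: Fraction     # arrival time in seconds (constructed sample data)
    type: int       # ICMP type: 8 echo request, 3 dest. unreachable, 11 time exceeded
    code: int = 0   # ICMP code: type 3 code 4 is "fragmentation needed" (PMTUD)


class TokenBucket:
    """Assumed model of the RouterOS `limit` matcher: `rate` tokens per second,
    at most `burst` tokens stored, bucket starts full. Exact arithmetic via
    Fraction so the simulation is deterministic."""

    def __init__(self, rate, burst):
        self.rate = Fraction(rate)
        self.capacity = Fraction(burst)
        self.tokens = self.capacity
        self.last = Fraction(0)

    def allow(self, now) -> bool:
        now = Fraction(now)
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


# ICMP types a router should keep receiving even while it is being pinged hard:
# destination unreachable (incl. type 3 code 4, needed for PMTUD) and time
# exceeded (traceroute). This set is my assumption, not part of the post.
ESSENTIAL = {3, 11}

# The posted values: limit=50/5s,2:packet -> 10 packets/s average, burst of 2.
RATE = Fraction(50, 5)
BURST = 2


def filter_posted(packets):
    """Posted rule pair: every ICMP type shares one limit; the rest is dropped."""
    bucket = TokenBucket(RATE, BURST)
    return [(p, "accept" if bucket.allow(p.t) else "drop") for p in packets]


def filter_refined(packets):
    """Variant (my suggestion): accept ESSENTIAL types unconditionally, apply the
    limit only to echo requests (type 8), drop any other ICMP type."""
    bucket = TokenBucket(RATE, BURST)
    out = []
    for p in packets:
        if p.type in ESSENTIAL:
            out.append((p, "accept"))
        elif p.type == 8:
            out.append((p, "accept" if bucket.allow(p.t) else "drop"))
        else:
            out.append((p, "drop"))
    return out


def make_sample():
    """Constructed stream: 100 echo requests, one every 10 ms for one second,
    with one PMTUD 'fragmentation needed' and one 'time exceeded' mixed in."""
    pkts = [Icmp(Fraction(k, 100), 8) for k in range(100)]
    pkts.append(Icmp(Fraction(505, 1000), 3, 4))   # fragmentation needed
    pkts.append(Icmp(Fraction(705, 1000), 11))     # time exceeded
    return sorted(pkts, key=lambda p: p.t)


def accepted_by_type(results):
    """Count accepted packets per ICMP type."""
    counts = {}
    for p, verdict in results:
        if verdict == "accept":
            counts[p.type] = counts.get(p.type, 0) + 1
    return counts


if __name__ == "__main__":
    sample = make_sample()
    print("posted rules, accepted by type: ", accepted_by_type(filter_posted(sample)))
    print("refined rules, accepted by type:", accepted_by_type(filter_refined(sample)))
```

Under the posted rules the flood leaves the bucket empty for most of the second, and the fragmentation-needed and time-exceeded messages arrive at moments when it is, so both are dropped along with the excess pings; the refined variant passes them while still admitting the same limited number of echo requests. Whether the second variant is acceptable depends on what else the input chain already does (an established/related accept earlier in the chain, for instance, changes which ICMP ever reaches these rules).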