With a RouterOS device that has no firewall rules at all, there is an implicit allow, which I think is okay. But if one creates a firewall rule to allow specific traffic, the implicit allow does not turn itself into an implicit drop. So, unless there is a “drop all” at the end, none of the firewall rules make sense. It’s allowed in the end anyway.
I’d like to propose changing that behavior: once you create a rule in a chain, the implicit allow in that chain changes into an implicit drop. Yes, yes, yes, I do know it’s one’s own responsibility to have proper firewall rules, but this simple change will increase security a lot. I have seen the “drop all” forgotten more than once: “I did not allow it, so it should be blocked.”
I guess that would result in a lot of locked devices. So bad idea.
Unless your first rule is to allow administrative access, you would no longer be able to log in to your device.
I don’t think so. To my knowledge, it’s best practice to have the first rule be to allow access from your management network.
The firewall is stateful, so once logged in you can work on your FW rules without issues or losing contact (you can even turn on safe mode).
Just open a second session to test whether you can log in before you proceed with anything else. That’s how we do it; it has not failed us yet.
It’s also best practice to add the last “drop all” rule. If you think that people fail to do that, why do you think that they would not fail to allow administrative access first? And while the firewall is stateful, it doesn’t allow established connections automatically; you need a proper rule for that.
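As an added illustration of the points made above (a lone “allow” rule changes nothing because the chain stays implicit accept; management access must be accepted before the final drop; established/related traffic needs its own rule), here is an example RouterOS filter configuration. It is not taken from this thread or from MikroTik’s default ruleset. The 192.168.88.0/24 management subnet and the WAN interface name ether1 are assumptions.

```routeros
# WEAK: the ruleset the first post describes. One "accept" and nothing else.
# RouterOS chains end in implicit accept, so this rule has no effect at all:
# packets from any other source fall off the end of the chain and are accepted.
/ip firewall filter
add chain=input action=accept src-address=192.168.88.0/24 comment="mgmt (ineffective: no final drop)"

# HARDENED: same intent, with the ordering the thread recommends.
# Rules are evaluated top to bottom, first match wins, so the management
# "accept" must sit above the closing "drop".
# Assumed values: 192.168.88.0/24 = management network, ether1 = WAN port.
/ip firewall filter
add chain=input action=accept connection-state=established,related comment="keep existing sessions alive; the stateful firewall does not do this by itself"
add chain=input action=drop connection-state=invalid comment="drop invalid"
add chain=input action=accept src-address=192.168.88.0/24 comment="management access first, so the final drop cannot lock you out"
add chain=input action=accept protocol=icmp comment="allow ping"
add chain=input action=drop comment="explicit drop of everything else; without this line the chain is still implicit accept"

# Same pattern for traffic passing through the router.
add chain=forward action=accept connection-state=established,related comment="replies to LAN-initiated flows"
add chain=forward action=drop connection-state=invalid comment="drop invalid"
add chain=forward action=accept in-interface=!ether1 comment="LAN may initiate outbound"
add chain=forward action=drop comment="nothing else is forwarded"

# Check the result and that the drop rule is actually last (and counting hits):
/ip firewall filter print stats
```

Paste this while in safe mode (Ctrl-X in the terminal, or the Safe Mode button in WinBox): if the session is lost, RouterOS rolls the changes back. Then, as suggested above, open a second session from the management network and confirm you can still log in before closing the first one.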
This is a philosophical question which had to be answered one way or the other when designing the product. Changing the approach now would cause a lot of headache.
I agree with you that a default behaviour of drop is the correct one for a firewall, but since the default firewall rules on SOHO devices do behave this way (by placing an “almost unconditional” drop as the last rule), the user has to modify them to break the protection.
The sad part of the story is that the default rules didn’t always look like this, and that there are people who only upgrade the RouterOS version but do not touch the firewall rules inherited from 5 years ago. But there is no simple way to “think on behalf of the administrator”, analyze the existing configuration and add corresponding permissive rules before the “drop the rest” one.