Are forward chain firewall rules necessary?

Here is my entire firewall config for my home router:

/ip firewall address-list
add address=w.x.y.z list=Whitelist
add address=a.b.c.0/23 comment="Work" list=Whitelist
add address=d.e.f.0/23 comment="Customer" list=Whitelist
/ip firewall filter
add chain=input comment="Permit existing connections" connection-state=established,related
add chain=input comment="Allow all ICMP" protocol=icmp
add chain=input comment="Allow whitelisted sources" src-address-list=Whitelist
add action=drop chain=input comment="WAN - default deny" in-interface=ether6
/ip firewall nat
add action=src-nat chain=srcnat comment="Use correct src-ip when talking to DOCSIS modem." dst-address=192.168.100.0/24 out-interface=ether6 to-addresses=192.168.100.2
add action=masquerade chain=srcnat out-interface=ether6 to-addresses=0.0.0.0

From: Zerobyte

Hi MikroTik users, I was wondering whether it is necessary to include forward chain firewall rules for a typical home router. The above configuration is from Zerobyte, in one of his posts in this forum. It does not include forward chain rules?

It always depends on whether you want to protect the router only or the inner network(s) too.

Hi jarda, isn't NAT supposed to protect the internal private IP network, since only when an internal IP transmits a data packet will the return data packet be allowed? Or am I missing something?

If a packet arriving at the WAN interface has a dst address in an existing inner network segment, the router will route that packet.

NAT is not supposed to protect anything.

From the manual:

connection-nat-state (srcnat | dstnat; Default: ) - Can match connections that are srcnatted, dstnatted or both. Note that for connection-state=related connections, connection-nat-state is determined by the direction of the first packet, and if connection tracking needs to use dst-nat to deliver this connection to the same host as the main connection, it will be in connection-nat-state=dstnat even if there are no dst-nat rules at all.

So my firewalls usually start with:

/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=established,related
add chain=forward connection-state=established,related
add action=drop chain=forward connection-state=invalid
add action=drop chain=forward connection-nat-state=!dstnat in-interface=<Internet>
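An added example (not from the thread) that simulates the forward chain above in Python, to show what a packet arriving on the WAN sees with and without those rules. It assumes <Internet> is ether6, as in the config at the top, and models fasttrack-connection as a passthrough that marks the connection and continues to the next rule.

```python
from dataclasses import dataclass

@dataclass
class Packet:
    in_interface: str           # e.g. "ether6" (WAN) or "ether2" (LAN)
    connection_state: str       # new, established, related or invalid
    connection_nat_state: str   # "" (not natted), "dstnat" or "srcnat"
    fasttracked: bool = False   # set when a fasttrack-connection rule matches

def _match(value, wanted):
    """RouterOS-style matcher: 'a,b' is any-of, a leading '!' negates."""
    negate = wanted.startswith("!")
    options = wanted.lstrip("!").split(",")
    return (value in options) != negate

# Matcher names in RouterOS syntax mapped onto Packet attributes.
MATCHERS = {
    "connection-state": "connection_state",
    "connection-nat-state": "connection_nat_state",
    "in-interface": "in_interface",
}

# The forward chain from the post above; <Internet> assumed to be ether6.
FORWARD_RULES = [
    {"action": "fasttrack-connection", "connection-state": "established,related"},
    {"action": "accept", "connection-state": "established,related"},
    {"action": "drop", "connection-state": "invalid"},
    {"action": "drop", "connection-nat-state": "!dstnat", "in-interface": "ether6"},
]

def forward_decision(pkt, rules):
    """First matching rule decides; no match means accept (RouterOS default)."""
    for rule in rules:
        if all(_match(getattr(pkt, attr), rule[key])
               for key, attr in MATCHERS.items() if key in rule):
            if rule["action"] == "fasttrack-connection":
                pkt.fasttracked = True  # modelled as passthrough: keep evaluating
                continue
            return rule["action"]
    return "accept"

# Constructed packets arriving on the WAN side, all aimed at an inner host.
UNSOLICITED = Packet("ether6", "new", "")           # nobody inside asked for it
REPLY = Packet("ether6", "established", "srcnat")   # answer to an inside client
PORT_FORWARD = Packet("ether6", "new", "dstnat")    # hit an explicit dst-nat rule

if __name__ == "__main__":
    for name, pkt in [("unsolicited", UNSOLICITED), ("reply", REPLY),
                      ("port-forward", PORT_FORWARD)]:
        print(f"{name:12} no forward chain: {forward_decision(pkt, [])}"
              f" | with the rules: {forward_decision(pkt, FORWARD_RULES)}")
```

With an empty forward chain every WAN packet is accepted and routed, which is jarda's point; with the rules, only replies and explicitly dst-natted traffic get through.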