I’m reading Building Advanced Firewall - RouterOS - MikroTik Documentation
and it explains how to add an IP list (range) of IPs that can’t be forwarded.
Is that not the default behavior on the WAN interface?
Thanks.
Mikrotik has a default accept if no rule is hit.
Some devices will come with some firewall rules preconfigured, which might also contain a deny rule, but you will be able to see those in the IPv4/6->Firewall.
No, it isn’t. Remember that some devices are preconfigured with a quite decent set of rules, but “big toys” have almost none, so you have to create the firewall yourself according to your needs.
Does
ip firewall filter add action=drop chain=input in-interface-list=!LAN
supersede what is explained in the above link? (It seems to me that it does…)
This rule drops everything on the input chain (access to the router) that is not from local (to be specific, everything that is not part of the interface list “LAN”).
Not sure what you mean by “forwarded” in your opening post. Forwarding is on the forward chain (using dstnat in a default configuration situation). That requires dstnat rules in /ip firewall nat.
If I’m not mistaken, an outside attacker can forge packets that land on the WAN interface with a local address, for example 192.168.x.x, right? If that’s the case, this rule
ip firewall filter add action=drop chain=input in-interface-list=!LAN
Now, in the other direction (LAN to WAN),
I should follow a rule like the one in the post 1 link, right?
It is an interface list (not an address list). I already changed my previous response.
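
Added example, not part of the thread or of MikroTik's documentation: a small Python model of first-match filtering with default accept, showing that the input-chain rule quoted above only covers traffic addressed to the router itself, while forwarded traffic needs its own forward-chain rule. The interface names, the list name `example_no_forward`, the forward rule and the packets are constructed assumptions, and the model contains only the rules shown.

```python
# Simplified model of RouterOS filter evaluation: the first matching rule
# decides, and a packet that hits no rule is accepted (default accept).
from ipaddress import ip_address, ip_network

# Constructed sample data: interface lists and one address list.
INTERFACE_LISTS = {"LAN": {"bridge"}, "WAN": {"ether1"}}
ADDRESS_LISTS = {"example_no_forward": [ip_network("192.168.0.0/16")]}  # hypothetical name

def matches(rule, pkt):
    """True if the packet is in the rule's chain and meets every matcher."""
    if rule["chain"] != pkt["chain"]:
        return False
    il = rule.get("in-interface-list")
    if il:
        negate, name = il.startswith("!"), il.lstrip("!")
        if (pkt["in"] in INTERFACE_LISTS[name]) == negate:
            return False
    al = rule.get("src-address-list")
    if al and not any(ip_address(pkt["src"]) in net for net in ADDRESS_LISTS[al]):
        return False
    return True

def verdict(rules, pkt):
    for rule in rules:
        if matches(rule, pkt):
            return rule["action"]
    return "accept"  # no rule hit

# The rule from the thread: an interface-list match on the input chain only.
INPUT_ONLY = [{"chain": "input", "action": "drop", "in-interface-list": "!LAN"}]
# Same rule plus a hypothetical forward-chain rule using an address list.
WITH_FORWARD = INPUT_ONLY + [{"chain": "forward", "action": "drop",
                              "in-interface-list": "WAN",
                              "src-address-list": "example_no_forward"}]

# Constructed packets with a private source address.
TO_ROUTER = {"chain": "input", "in": "ether1", "src": "192.168.88.10"}
THROUGH_ROUTER = {"chain": "forward", "in": "ether1", "src": "192.168.88.10"}
FROM_LAN = {"chain": "forward", "in": "bridge", "src": "192.168.88.10"}

if __name__ == "__main__":
    for name, rules in (("input only", INPUT_ONLY), ("with forward", WITH_FORWARD)):
        for pkt in (TO_ROUTER, THROUGH_ROUTER, FROM_LAN):
            print(name, pkt["chain"], pkt["in"], "->", verdict(rules, pkt))
```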