Mikrotik's demo system demo.mt.lv firewall Virus rules, worth using???

Hi,

On Mikrotik's hosted RouterOS demo system (using demo.mt.lv as target in Winbox),
under Firewall there is a long list of “Virus” firewall entries which seem quite interesting, if they do work in real life
(see below).

Now in this demo system they don’t get hit by any traffic, so I wonder if it would be worth using them
in my systems? Has anyone tried something like that?

And if so, whether Mikrotik could provide them in the Wiki pages somewhere (I searched for it but did not see them).
[attachment=0]Mtik_example_firewall_rules.jpg[/attachment]

Hi

On input/output I always set a default policy of drop/reject, and only allow selective & known traffic. On forward, inbound is denied by default; for outbound it can be tricky. If such a filter set was used for outbound, a hit could mean:

  • an actual threat communicating out
  • some valid application “reusing” / cycling through available ports. This could result in additional support: why doesn’t it work…

If used, I would at least consolidate it, to ensure minimal impact on firewall throughput.

  • if tcp and dst-port=x,xx,xxx,… drop
  • if udp and dst-port=x,xx,xxx,… drop

You can ssh to demo.mt.lv and run export to fetch the running configuration.

I have never used or noticed a chain called VIRUS?
Does anyone actually use this and for what purpose?

For the forward chain it maybe makes a bit of sense to block new connections to these ports, however most of these are no longer active threats and you risk blocking legitimate services (e.g. cloud services that pick ephemeral ports). The only ones I use on my network are blocking leaky SMB (137-139,445) from hitting WAN. For input you should be blocking all traffic by default so it’s no use.
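The consolidation suggested earlier in the thread (one drop rule per protocol with a merged port list, instead of one rule per port) and the "block new connections to these ports in forward" idea from the post above can be done mechanically on an export. The script below is an added example, not code from MikroTik or from anyone in this thread: it parses lines in RouterOS `/export` syntax, merges every `action=drop` rule of a given chain into one port list per protocol, and prints replacement rules that match only `connection-state=new` toward an assumed `out-interface=WAN`. The export lines, the chain name `virus`, the port values and the comments are constructed for the example, not copied from demo.mt.lv.

```python
"""Consolidate per-port RouterOS drop rules into one rule per protocol.

Added example for this thread; not MikroTik's code. The sample export below is
constructed, not taken from demo.mt.lv.
"""
import shlex
from collections import defaultdict

# Constructed sample in the syntax "/export" prints. Long lines are wrapped
# with a trailing backslash, as RouterOS does, to exercise that case.
SAMPLE_EXPORT = r'''
/ip firewall filter
add chain=virus protocol=tcp dst-port=137-139 action=drop comment="constructed: netbios"
add chain=virus protocol=udp dst-port=137-139 action=drop \
    comment="constructed: netbios"
add chain=virus protocol=tcp dst-port=445 action=drop comment="constructed: smb"
add chain=virus protocol=udp dst-port=445 action=drop comment="constructed: smb"
add chain=virus protocol=tcp dst-port=135 action=drop comment="constructed: rpc"
add chain=virus protocol=tcp dst-port=445 action=drop comment="constructed: duplicate"
add chain=forward action=jump jump-target=virus comment="constructed: jump"
'''


def parse_filter_rules(export_text):
    """Return one dict per 'add' line under the /ip firewall filter section."""
    rules, in_filter, pending = [], False, ""
    for raw in export_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("\\"):          # wrapped line: join with the next one
            pending += line[:-1]
            continue
        line, pending = pending + line, ""
        if line.startswith("/"):         # section header such as /ip firewall nat
            in_filter = line == "/ip firewall filter"
            continue
        if not in_filter or not line.startswith("add "):
            continue
        rule = {}
        for token in shlex.split(line[4:]):   # shlex keeps quoted comments intact
            key, _, value = token.partition("=")
            rule[key] = value
        rules.append(rule)
    return rules


def port_set(spec):
    """Expand a RouterOS port spec like '137-139,445' into a set of ints."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def compact_ranges(ports):
    """Turn {137, 138, 139, 445} back into the spec '137-139,445'."""
    runs = []
    for p in sorted(ports):
        if runs and runs[-1][1] == p - 1:
            runs[-1][1] = p
        else:
            runs.append([p, p])
    return ",".join(f"{a}-{b}" if a != b else str(a) for a, b in runs)


def consolidate(rules, chain):
    """Merge all dst-port drop rules of CHAIN into one port spec per protocol."""
    merged = defaultdict(set)
    for r in rules:
        if r.get("chain") != chain or r.get("action") != "drop" or "dst-port" not in r:
            continue
        merged[r.get("protocol", "")].update(port_set(r["dst-port"]))
    return {proto: compact_ranges(ports) for proto, ports in merged.items()}


def render_rules(merged, chain="forward", out_interface="WAN"):
    """Emit consolidated rules; matching only new connections keeps established
    traffic (and the firewall's connection-tracking fast path) untouched."""
    lines = ["/ip firewall filter"]
    for proto in sorted(merged):
        lines.append(f"add chain={chain} connection-state=new protocol={proto} "
                     f"dst-port={merged[proto]} out-interface={out_interface} "
                     f'action=drop comment="consolidated drop list"')
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_rules(consolidate(parse_filter_rules(SAMPLE_EXPORT), "virus")))
```

Feed it a real `.rsc` from `/export` and review the printed port list before pasting it into a router: the merge is blind to intent, so any port a legitimate service on your network uses must be removed by hand.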

Thanks all for your feedback and input.

I was hoping to get some feedback from Mikrotik on how useful THEY think those rules are
(as they don’t publish rubbish normally, I would suppose those FW rules are done on purpose and not just for fun
and maybe they have them run on some real world servers?).

Unfortunately you cannot (no longer?) export those rules, it says “not enough permissions” when logged in with SSH.
I just thought I could get them somewhere as text and give them a try in my systems, but as some of you say they
might be useless these days I won’t waste my time on them for now.

Here they are, using: $ ssh admin@demo.mt.lv "/export" > demo.mt.lv.rsc
demo2.mt.lv.rsc (8.04 KB)
demo.mt.lv.rsc (8.53 KB)

Thank you very much!