Hi,
This is my first MikroTik configuration. What I intend to do is to block all incoming connections from outside except on port 443 TCP, which I am using for the OpenVPN connection. But only specific public IPs that are written in an address list are going to be allowed to connect to port 443. I would highly appreciate it if you let me know whether the firewall rules below are good enough to have decent protection. Thank you!
;;; defconf: accept established,related,untracked
chain=input action=accept connection-state=established,related,untracked
;;; defconf: drop invalid
chain=input action=drop connection-state=invalid
;;; defconf: accept ICMP
chain=input action=accept protocol=icmp
;;; defconf: accept to local loopback (for CAPsMAN)
chain=input action=accept dst-address=127.0.0.1
chain=input action=drop protocol=tcp src-address-list=!openvpn_list dst-port=443 log=no log-prefix=""
;;; accept ovpn
chain=input action=accept protocol=tcp src-address-list=openvpn_list dst-port=443 log=no log-prefix=""
;;; defconf: drop all not coming from LAN
chain=input action=drop in-interface-list=!LAN
;;; defconf: fasttrack
chain=forward action=fasttrack-connection connection-state=established,related
;;; defconf: accept established,related, untracked
chain=forward action=accept connection-state=established,related,untracked
;;; defconf: drop invalid
chain=forward action=drop connection-state=invalid
;;; defconf: drop all from WAN not DSTNATed
chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN
could be removed. As the rules are now, the next rule accepts OpenVPN connections and then the next one drops everything coming in not from LAN. So the only connections that the quoted rule drops but the “drop from not LAN” doesn’t are OpenVPN connections from LAN.
Other than that, rules are pretty good … but make sure interface list membership is correct.
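To make the point above concrete, here is an added example (not code from the thread) that models the posted input chain in Python with RouterOS-style first-match evaluation and compares verdicts with and without the "drop non-listed 443" rule; the loopback rule is omitted, and the address-list contents, interface-list membership and sample packets are constructed.

```python
# First-match model of the input chain posted above (loopback rule omitted).
# Address list, interface list and packets are constructed, not the poster's values.
from dataclasses import dataclass

OPENVPN_LIST = {"203.0.113.10"}  # constructed: one allowed OpenVPN peer
LAN_IFACES = {"bridge"}          # constructed: members of interface list LAN

@dataclass
class Packet:
    src: str
    in_iface: str
    proto: str = "tcp"
    dst_port: int = 0
    state: str = "new"

def rule_established(p):           # defconf: accept established,related,untracked
    return "accept" if p.state in ("established", "related", "untracked") else None

def rule_invalid(p):               # defconf: drop invalid
    return "drop" if p.state == "invalid" else None

def rule_icmp(p):                  # defconf: accept ICMP
    return "accept" if p.proto == "icmp" else None

def rule_drop_non_listed_443(p):   # the rule the reply says can be removed
    hit = p.proto == "tcp" and p.dst_port == 443 and p.src not in OPENVPN_LIST
    return "drop" if hit else None

def rule_accept_ovpn(p):           # accept ovpn
    hit = p.proto == "tcp" and p.dst_port == 443 and p.src in OPENVPN_LIST
    return "accept" if hit else None

def rule_drop_not_lan(p):          # defconf: drop all not coming from LAN
    return "drop" if p.in_iface not in LAN_IFACES else None

INPUT_CHAIN = [rule_established, rule_invalid, rule_icmp,
               rule_drop_non_listed_443, rule_accept_ovpn, rule_drop_not_lan]
WITHOUT_RULE = [r for r in INPUT_CHAIN if r is not rule_drop_non_listed_443]

def verdict(p, chain=INPUT_CHAIN):
    """First matching rule wins; an unmatched packet gets the chain default, accept."""
    for rule in chain:
        action = rule(p)
        if action:
            return action
    return "accept"

def compare(p):
    """Return (verdict with the 443 drop rule, verdict without it)."""
    return verdict(p), verdict(p, WITHOUT_RULE)
```

The only packet whose verdict changes is a LAN host not in the address list connecting to port 443, exactly the case described in the reply.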
Everything MKX said is bang on…
Where I would suggest a slight difference so that you can add more rules later with ease is to take the last rule in the forward chain
and convert that to three rules which are clear and in fact provide a bit better security overall.
/ip firewall
… add chain=forward action=drop connection-state=new comment=defconf: drop all from WAN not DSTNATed
connection-nat-state=!dstnat in-interface-list=WAN
TO add chain=forward action=accept comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
add chain=forward action=accept comment="port forwarding" connection-nat-state=dstnat disabled=yes { enable if required }
add chain=forward action=drop comment="drop all else"
They say the same thing, but I bet you didn't know that you were implicitly allowing LAN to WAN traffic (to the internet). This slight change makes that clear.
It separates out port forwarding and allows you to choose to enable it or keep it disabled for now, depending upon your requirements, without affecting the other rules all jumbled together in one rule.
Finally, the last rule, in combination with the other two, is stronger in that it
a. like the single rule, drops all WAN to LAN traffic, but also
b. stops any LAN to LAN (subnet to subnet or VLAN to VLAN) traffic at L3
c. allows the admin to easily place any other allow-traffic rules required above the drop-all rule, and that traffic will be allowed.