Need help with my firewall rules

I added an entry to drop pings from the WAN side with the help of Google, does it look right? I added the entry in line #16.

/ip firewall filter
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=drop chain=input in-interface=!ether1 protocol=icmp icmp-options=8:0-255
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=drop chain=input in-interface=ether1
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=ether1

Hello, there is a mistake:

add action=drop chain=input in-interface=!ether1 protocol=icmp icmp-options=8:0-255

should be

add action=drop chain=input in-interface=ether1 protocol=icmp icmp-options=8:0-255

There’s no need to have a rule to explicitly drop ICMP in your posted filter rules.

The final rule in the chain will drop anything that has not been accepted by a previous rule. The previous rules only accept packets in the established / related states - meaning that the router will only accept packets which are replies to requests generated by the router itself. (assuming that your router’s public IP address is on interface ether1 - NOT pppoe1 or some vlan sub-interface of ether1)

Essentially, this special rule only serves to waste CPU resources by performing an extra set of checks on every single packet received by the router. The final rule will drop the icmp packets anyway because they will not be part of established connections, or related to those established connections.

And to elaborate on evince’s post - the problem in your posted rules is that the in-interface is set to !ether1 which means “not ether1” so in your original post, the first rule would block pings to the router from every interface EXCEPT ether1.
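To make both replies concrete, here is a small first-match evaluator for the input-chain rules quoted in the original post, run over a few constructed packets. It is an added example, not code from the thread or from RouterOS; the rule and packet dictionaries are a simplified stand-in for the real matcher (only in-interface with "!" negation, protocol, ICMP type and connection-state are modelled), and the implicit accept at the end of an unmatched chain is RouterOS's default behaviour.

```python
# Added example (not from the thread): a minimal first-match evaluator for the
# posted input chain, to show why "in-interface=!ether1" drops LAN pings and
# why the final "in-interface=ether1" drop already catches WAN pings.

# Each rule is match criteria plus an action; first match wins, as in RouterOS.
# in_interface may be negated with a leading "!" exactly like the original post.
POSTED_INPUT_CHAIN = [
    {"action": "drop", "in_interface": "!ether1", "protocol": "icmp", "icmp_type": 8},
    {"action": "accept", "connection_state": "established"},
    {"action": "accept", "connection_state": "related"},
    {"action": "drop", "in_interface": "ether1"},
]

# evince's correction: the same ICMP rule, but matching ether1 itself.
EVINCE_FIXED_CHAIN = [dict(POSTED_INPUT_CHAIN[0], in_interface="ether1")] + POSTED_INPUT_CHAIN[1:]

# The second reply's point: drop the ICMP rule entirely, the final rule covers it.
CORRECTED_INPUT_CHAIN = POSTED_INPUT_CHAIN[1:]

def rule_matches(rule, pkt):
    """True if every criterion present in the rule matches the packet."""
    iface = rule.get("in_interface")
    if iface is not None:
        if iface.startswith("!"):            # "!ether1" means any interface except ether1
            if pkt["in_interface"] == iface[1:]:
                return False
        elif pkt["in_interface"] != iface:
            return False
    for key in ("protocol", "icmp_type", "connection_state"):
        if key in rule and pkt.get(key) != rule[key]:
            return False
    return True

def evaluate(chain, pkt):
    """Return the action of the first matching rule; an unmatched packet is accepted."""
    for rule in chain:
        if rule_matches(rule, pkt):
            return rule["action"]
    return "accept"

# Constructed sample packets (assumed: LAN traffic arrives on "bridge"): an echo
# request from the WAN, one from the LAN, and a reply to a router-initiated flow.
WAN_PING = {"in_interface": "ether1", "protocol": "icmp", "icmp_type": 8, "connection_state": "new"}
LAN_PING = {"in_interface": "bridge", "protocol": "icmp", "icmp_type": 8, "connection_state": "new"}
WAN_REPLY = {"in_interface": "ether1", "protocol": "tcp", "connection_state": "established"}

if __name__ == "__main__":
    for name, chain in (("posted", POSTED_INPUT_CHAIN), ("evince", EVINCE_FIXED_CHAIN), ("corrected", CORRECTED_INPUT_CHAIN)):
        print(name, "LAN ping:", evaluate(chain, LAN_PING), "WAN ping:", evaluate(chain, WAN_PING), "WAN reply:", evaluate(chain, WAN_REPLY))
```

Running it shows the posted chain dropping the LAN ping while both fixed chains drop the WAN ping and accept the established reply, which is the whole point of the two replies.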

Thanks to you both.
I took the entry out for ICMP and left the default rule alone.