please audit my firewall rules

Nexius · December 16, 2024, 12:12pm

I was having link down on my wan (public ip) port, but since I add this rule / filter

/ip firewall raw add action=drop chain=prerouting dst-port=53 in-interface=ether8-WAN protocol=udp

no more link downs, but can anyone advise me / audit this ip firewall rules?
I’m a bit affraid to mess up with the rules order…

# 2024-12-16 12:07:53 by RouterOS 7.16.2
# model = RB5009UPr+S+
/ip firewall address-list add address=192.168.100.0/24 list="rede suporte"
/ip firewall address-list add address=172.29.1.0/24 list="rede suporte"
/ip firewall address-list add address=XXXXX.synology.me list="rede suporte"
/ip firewall address-list add address=XXXXXX.duckdns.org list="rede suporte"
/ip firewall address-list add address=172.27.10.0/24 list="rede suporte"
/ip firewall address-list add list=ddos-attackers
/ip firewall address-list add list=ddos-targets
/ip firewall connection tracking set udp-timeout=10s
/ip firewall filter add action=drop chain=forward connection-state=new dst-address=192.168.100.0/24 src-address=192.168.35.0/24
/ip firewall filter add action=accept chain=input comment="allow WireGuard" dst-port=31231 protocol=udp
/ip firewall filter add action=accept chain=input comment="allow WireGuard traffic" src-address=172.27.10.0/24
/ip firewall filter add action=accept chain=input connection-state=established,related
/ip firewall filter add action=accept chain=input src-address-list="rede suporte"
/ip firewall filter add action=accept chain=input limit=50,5:packet protocol=icmp
/ip firewall filter add action=add-src-to-address-list address-list="rede suporte" address-list-timeout=5h chain=input dst-port=1981 protocol=tcp
/ip firewall filter add action=return chain=detect-ddos dst-limit=32,32,src-and-dst-addresses/10s
/ip firewall filter add action=add-dst-to-address-list address-list=ddos-targets address-list-timeout=10m chain=detect-ddos
/ip firewall filter add action=add-src-to-address-list address-list=ddos-attackers address-list-timeout=10m chain=detect-ddos
/ip firewall filter add action=jump chain=input comment="Policy 3" jump-target=syn-flood protocol=tcp tcp-flags=syn
/ip firewall filter add chain=syn-flood limit=100,5
/ip firewall filter add action=drop chain=syn-flood
/ip firewall filter add action=drop chain=input
/ip firewall nat add action=masquerade chain=srcnat out-interface=ether8-WAN
/ip firewall raw add action=drop chain=prerouting dst-port=53 in-interface=ether8-WAN protocol=udp
/ip firewall raw add action=drop chain=prerouting dst-address-list=ddos-targets src-address-list=ddos-attackers
/ip firewall service-port set ftp disabled=yes

anav · December 16, 2024, 2:35pm

These are all the rules you need. Your config was mostly a waste.
Also you should note that NO external WANIPs should have access to the input chain.
Only access the router for config purposes, from behind the router (trusted local IPs), or after having connected to the router via VPN./

You should have no issues with this secure setup.

/ip firewall address-list
add address=192.168.100.XX/32 list=“safe support” comment=“admin local pc”
add address=192.168.100.XY/32 list=“safe support” comment=“admin local wifi device”
add address=172.27.10.A/32 list=“safe support” comment=“remote admin device1”
add address=172.27.10.B/32 list=“safe support” comment=“remote admin device2”
/ip firewall filter
{ default rules to keep }
add action=accept chain=input connection-state=established,related
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
( admin rules )
add action=accept chain=input comment=“allow WireGuard” dst-port=31231 protocol=udp
add action=accept chain=input comment=“admin access only” src-address-list=“safe support”
add action=accept chain=input comment=“users to services” in-interface-list=LAN dst-port=53 protocol=udp
add action=accept chain=input comment=“users to services” in-interface-list=LAN dst-port=53 protocol=tcp
add action=drop chain=input comment=“drop all else”
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
{ default rules to keep }
add action=fasttrack-connection chain=forward connection-state=established,related
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid
( admin rules )
add action=accept chain=forward comment=“internet traffic” in-interface-list=LAN out-interface-list=WAN
add action=accept chain=input comment=“admin acces sto all local subnets” src-address-list=“safe support” out-interface-list=LAN
add action=accept chain=forward comment=“port forwarding” connection-nat-state=dstnat disabled=yes ( enable if required or remove )
add action=drop chain=forward comment=“drop all else”
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether8-WAN