Questions regarding the Firewall Configuration Guide

RB951G2HnD · December 22, 2023, 5:44pm

Good day!

I have been using default configuration rules. But after reading the following help and Wiki guides decided to configure the firewall rules more securely.

https://help.mikrotik.com/docs/pages/viewpage.action?pageId=28606504
https://help.mikrotik.com/docs/display/ROS/Building+Your+First+Firewall
https://wiki.mikrotik.com/wiki/Basic_universal_firewall_script
https://wiki.mikrotik.com/wiki/DoS_attack_protection

The first URL where described Protection against DDoS contains one mistake in the Configuration lines from my opinion. It didn’t include the jump action that is mentioned on the Configuration explained section.

My firewall configuration rules are shown below. ether1 interface is my ISP WAN port. ISP provides static and public IP addresses.

The problem that I’m experiencing is understanding in which sequence these rules should follow. In some forums it is mentioned that input then forward and output is only the correct chains sequences that should be used. But I also use jump rules. Could some experts please provide your opinion regarding the sequence? Also, I’ll highly appreciate it if you can provide some hints regarding my configured firewall rules. Do they need corrections, or it has been configured fine?

# dec/22/2023 07:48:53 by RouterOS 6.49.8
#
# model = RouterBOARD 962UiGS-5HacT2HnT
/ip firewall address-list
add address=192.168.10.0/27 list=LAN
add address=192.168.0.0/28 list=GuestsLAN
add address=0.0.0.0/8 comment="Self-Identification [RFC 3330]" list=Bogons
add address=10.0.0.0/8 comment="Private [RFC 1918] - CLASS A <Check if you need this subnet before enable it>" list=Bogons
add address=127.0.0.0/8 comment="Loopback [RFC 3330]" list=Bogons
add address=169.254.0.0/16 comment="Link Local [RFC 3330]" list=Bogons
add address=172.16.0.0/12 comment="Private [RFC 1918] - CLASS B <Check if you need this subnet before enable it>" list=Bogons
add address=192.168.0.0/16 comment="Private [RFC 1918] - CLASS C <Check if you need this subnet before enable it>" list=Bogons
add address=192.0.2.0/24 comment="Reserved - IANA - TestNet1" list=Bogons
add address=192.88.99.0/24 comment="6to4 Relay Anycast [RFC 3068]" list=Bogons
add address=198.18.0.0/15 comment="NIDB Testing" list=Bogons
add address=198.51.100.0/24 comment="Reserved - IANA - TestNet2" list=Bogons
add address=203.0.113.0/24 comment="Reserved - IANA - TestNet3" list=Bogons
add address=224.0.0.0/4 comment="MC, Class D, IANA <Check if you need this subnet before enable it>" list=Bogons
add address=192.0.0.0/24 comment="[RFC6890]" list=Bogons
add address=100.64.0.0/10 comment="[RFC6890]" list=Bogons
add address=240.0.0.0/4 comment="[RFC6890]" list=Bogons
/ip firewall filter
add action=jump chain=forward comment="Protection against DDoS" connection-state=new jump-target=detect-ddos
add action=return chain=detect-ddos dst-limit=32,32,src-and-dst-addresses/10s
add action=add-dst-to-address-list address-list=ddos_targets address-list-timeout=1d chain=detect-ddos
add action=add-src-to-address-list address-list=ddos_attackers address-list-timeout=1d chain=detect-ddos
add action=add-src-to-address-list address-list=syn_flooder address-list-timeout=1d chain=input comment="Add Syn Flood IP to the list" connection-limit=100,32 protocol=tcp tcp-flags=syn
add action=drop chain=input comment="Drop to Syn Flood list" src-address-list=syn_flooder
add action=add-src-to-address-list address-list=port_scanner address-list-timeout=2w chain=input comment="Port Scanner detect" protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="Drop to port scan list" log=yes log-prefix=port_scanner src-address-list=port_scanner
add action=add-src-to-address-list address-list=dns_flooder address-list-timeout=1w chain=input comment="DNS Flood detect" dst-port=53 in-interface=ether1 protocol=udp
add action=drop chain=input comment="Drop to DNS Flood list" dst-port=53 in-interface=ether1 log=yes log-prefix=dns_flooder protocol=udp src-address-list=dns_flooder
add action=drop chain=input comment="Drop ICMP on WAN port" in-interface=ether1 protocol=icmp
add action=jump chain=input comment="Jump for ICMP input flow" jump-target=icmp protocol=icmp
add action=drop chain=input comment="Block all admin access to the router - except to LAN address-list" dst-port=22,80,443,8291 log=yes log-prefix=block_admin protocol=tcp src-address-list=!LAN
add action=drop chain=forward comment="Block WEB sites" disabled=yes layer7-protocol="Block WEB sites"
add action=accept chain=forward comment="Accept in IPSec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="Accept out IPSec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment=FastTrack connection-state=established,related disabled=yes
add action=accept chain=forward comment="Allow already established and related connections" connection-state=established,related
add action=accept chain=forward comment="Allow GUESTS access to the Internet on HTTP and HTTPS only" dst-port=80,443 protocol=tcp src-address-list=GuestsLAN
add action=accept chain=forward comment="Allow GUESTS access to e-mail" dst-port=993,465 protocol=tcp src-address-list=GuestsLAN
add action=reject chain=forward comment="Reject GUESTS access to any except only allowed rules" protocol=tcp reject-with=icmp-admin-prohibited src-address-list=GuestsLAN
add action=drop chain=forward comment="Drop invalid connections" connection-state=invalid
add action=drop chain=forward comment="Drop tries to reach not public addresses from LAN" dst-address-list=Bogons in-interface=bridge out-interface=!bridge
add action=drop chain=forward comment="Drop incoming packets that are not in NAT" connection-nat-state=!dstnat connection-state=new in-interface=ether1
add action=jump chain=forward comment="Jump for ICMP forward flow" jump-target=icmp protocol=icmp
add action=drop chain=forward comment="Drop incoming from Internet which is not public IP" in-interface=ether1 src-address-list=Bogons
add action=drop chain=forward comment="Drop packets from LAN that do not have LAN IP" in-interface=bridge src-address-list=!LAN
add action=accept chain=input comment="Accept DNS - UDP" port=53 protocol=udp
add action=accept chain=input comment="Accept DNS - TCP" port=53 protocol=tcp
add action=accept chain=input comment="Accept established and related connections" connection-state=established,related
add action=accept chain=input comment="Allow LAN address-list access to router and Internet" in-interface=!ether1 src-address-list=LAN
add action=drop chain=input comment="Drop invalid connections" connection-state=invalid
add action=log chain=input comment="Drop everything from anywhere on any interface" disabled=yes
add action=drop chain=input comment="Drop everything from anywhere on any interface"
add action=accept chain=icmp comment="Allow echo request - Avoiding Ping Flood" icmp-options=8:0 limit=1,5:packet protocol=icmp
add action=accept chain=icmp comment="Echo reply" icmp-options=0:0 protocol=icmp
add action=accept chain=icmp comment="Allow time exceeded" icmp-options=11:0 protocol=icmp
add action=accept chain=icmp comment="Destination unreachable" icmp-options=3:0-1 protocol=icmp
add action=accept chain=icmp comment="Allow Path MTU Discovery" icmp-options=3:4 protocol=icmp
add action=drop chain=icmp comment="Drop to the other ICMPs" protocol=icmp
add action=jump chain=output comment="Jump for ICMP output" jump-target=icmp protocol=icmp
/ip firewall nat
add action=masquerade chain=srcnat src-address=192.168.10.0/27
add action=masquerade chain=srcnat src-address=192.168.0.0/28
add action=redirect chain=dstnat dst-port=53 protocol=tcp
add action=redirect chain=dstnat dst-port=53 protocol=udp
/ip firewall raw
add action=drop chain=prerouting dst-address-list=ddos_targets src-address-list=ddos_attackers
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ipv6 firewall filter
add action=drop chain=input
add action=drop chain=forward
add action=drop chain=output
/ipv6 firewall raw
add action=drop chain=prerouting
add action=drop chain=output

mkx · December 22, 2023, 8:07pm

Rule order only matters inside same chain because rule evaluation starts from top and continues towards botzom until some rule matches.
Rules for different chains can be interleaved but that doesn’t change order of execution, only rules for relevant chain are considered. However, mixing rules of different chains makes human-reading much harder, hence it’s better to group them by chain.

anav · December 22, 2023, 8:50pm

The MT guide is a bloated piece of crap.

/ip firewall filter
{Input Chain}
(default rules to keep)
add action=accept chain=input comment=“defconf: accept established,related,untracked” connection-state=established,related,untracked
add action=drop chain=input comment=“defconf: drop invalid” connection-state=invalid
add action=accept chain=input comment=“defconf: accept ICMP” protocol=icmp
add action=accept chain=input comment=“defconf: accept to local loopback (for CAPsMAN)” dst-address=127.0.0.1
( admin rules )
add action=accept chain=input src-address-list=Authorized comment=“Config Access”
add action=accept chain=input comment=“Allow LAN DNS queries-UDP” \ {and NTP *** services if required etc}
dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input comment=“Allow LAN DNS queries - TCP”
dst-port=53 in-interface-list=LAN protocol=tcp
add action=drop chain=input comment=“drop all else”
{forward chain}
(default rules to keep)
add action=accept chain=forward comment=“defconf: accept in ipsec policy” ipsec-policy=in,ipsec
add action=accept chain=forward comment=“defconf: accept out ipsec policy” ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment=“defconf: fasttrack” connection-state=established,related
add action=accept chain=forward comment=“defconf: accept established,related, untracked” connection-state=established,related,untracked
add action=drop chain=forward comment=“defconf: drop invalid” connection-state=invalid
(user rules)
add action=accept chain=forward comment=“allow internet traffic” in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment=“allow dst-nat from both WAN and LAN (including port forwarding)” connection-nat-state=dstnat
add action=drop chain=forward comment=“drop all else”

/ip firewall address-list ( from fixed static dhcp leases mostly )
add address=IP1 list=Authorized (desktop)
add address=IP2 list=Authorized (laptop)
add address=IP3 list=Authorized (smartphone)
add address=IP4 list=Authorized (wireguard IP if you use wireguard )