Hi All,
i’m trying to setup my ccr1072 to have maximum performance and have some basic firewalling. We receive lot of DDoS, so the troughtput is important.
This is my enviroment:
- We monitor traffic and, when anomaly is detected we divert traffic with bgp announcement to some paralles filters. Filters have complex rules (hardware + software) and can handle most of the attacks.
My idea is, as ACLs for Cisco, put some basic rules on mikrotik routers (our network hanve 20 mikrotik around europe for IXP peers that are connected to a pair of Cisoc A9k).
We keep connection tracking disabled to save CPUs.
My question is, if i put following rules into raw tableas prerouting, fastpath still enabled? Because in wiki is not clear if it talk about only filter rules or All
3 chain=prerouting action=jump jump-target=tcp in-interface=DEC-IX log=no log-prefix=“” protocol=tcp
4 chain=prerouting action=jump jump-target=udp in-interface=DEC-IX log=no log-prefix=“” protocol=udp
5 chain=tcp action=drop in-interface=DEC-IX log=no log-prefix=“” protocol=tcp fragment=yes
6 chain=tcp action=drop in-interface=DEC-IX src-port=123 log=no log-prefix=“” protocol=tcp
7 chain=udp action=drop in-interface=DEC-IX log=no log-prefix=“” protocol=udp fragment=yes
8 chain=udp action=drop in-interface=DEC-IX src-port=0 log=no log-prefix=“” protocol=udp
9 chain=udp action=drop in-interface=DEC-IX src-port=19 log=no log-prefix=“” protocol=udp
10 chain=udp action=drop in-interface=DEC-IX src-port=111 log=no log-prefix=“” protocol=udp
11 chain=udp action=drop in-interface=DEC-IX src-port=113 log=no log-prefix=“” protocol=udp
12 chain=udp action=drop in-interface=DEC-IX src-port=389 log=no log-prefix=“” protocol=udp
13 chain=udp action=drop in-interface=DEC-IX src-port=1900 log=no log-prefix=“” protocol=udp