I just purchased a Mikrotik RB951G-2HND (several actually), and I have upgraded to the latest RouterOS (6.35.4).
Below is a screenshot of the Firewall Default settings (except for the “drop WAN ping”, I did that):
My question is, what are these defaults “protecting” my network from? Or better yet, what am I not protected from?
I’m reading in the Forums about SYN flood, DDoS attacks, Port Scans, etc… Will these default settings cover all of that? Additionally, will these settings prevent Windows Network (SMB) from searching for nodes outside my LAN?
I’m trying to set up this router for a small non-profit that I’m helping out, but the level of configuration available on the RB951G-2HND is a bit to take in. I’m used to the DD-WRT and Tomato firmware UIs for configuration. I’m quite optimistic about the RB951G-2HND working on their network; I just really need to be sure I’ve done my best to secure their network.
These defaults protect you against most common issues because they allow only outgoing requests and incoming ports that you explicitly open (default none).
But: they assume that ether1 is your internet interface.
When this is not true, e.g. because you added a PPPoE interface “the wrong way” (= the way you find on YouTube),
your router is wide open!
So always make sure you set this correctly when not using the quickset procedure for this.
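The check described in the reply above can be run against a saved `/export`. The following is an added example, not part of the original posts: it parses the filter rules and reports which chains have no drop rule covering new connections from a given WAN interface. The export text is a constructed sample in RouterOS 6.x style, and the interface name `pppoe-out1` is an assumption.

```python
import re
import shlex

# Constructed sample: firewall section of a RouterOS 6.x-style "/export",
# written for this example (not taken from the thread's missing screenshot).
SAMPLE_EXPORT = r'''
/ip firewall filter
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" connection-state=established,related
add action=drop chain=input comment="default configuration" in-interface=ether1
add chain=forward comment="default configuration" connection-state=established,related
add action=drop chain=forward comment="default configuration" connection-state=invalid
add action=drop chain=forward comment="default configuration" connection-state=new \
    connection-nat-state=!dstnat in-interface=ether1
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
'''

def parse_filter_rules(export):
    """Return the '/ip firewall filter' rules of an export as dicts."""
    text = re.sub(r"\\\r?\n\s*", "", export)   # join continuation lines
    rules, in_filter = [], False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            in_filter = (line == "/ip firewall filter")
        elif in_filter and line.startswith("add "):
            pairs = (tok.split("=", 1) for tok in shlex.split(line)[1:] if "=" in tok)
            rule = {"action": "accept"}          # RouterOS default action
            rule.update(pairs)
            rules.append(rule)
    return rules

def drops_new_from(rule, wan):
    """True if the rule drops new connections on `wan` ('!iface' negation not handled)."""
    states = rule.get("connection-state")
    return (rule["action"] == "drop"
            and rule.get("in-interface", wan) == wan   # no in-interface = any
            and (states is None or "new" in states.split(",")))

def unprotected_chains(export, wan):
    """Chains (input/forward) with no drop rule covering traffic from `wan`."""
    rules = parse_filter_rules(export)
    return [chain for chain in ("input", "forward")
            if not any(r["chain"] == chain and drops_new_from(r, wan) for r in rules)]

if __name__ == "__main__":
    for wan in ("ether1", "pppoe-out1"):
        print(wan, "->", unprotected_chains(SAMPLE_EXPORT, wan) or "covered")
```

With the sample rules, `ether1` is covered on both chains, while a WAN that actually arrives on `pppoe-out1` leaves both `input` and `forward` without a matching drop rule.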
These default settings block ALL traffic in the network unless I allow the traffic in with a separate firewall rule or an established internal connection is made first. Is that correct?
What about things like port scanners? Will these default rules prevent things like that?
What about “dangerous” outbound traffic? Are there any defaults I should create for that specifically?
You’ll have to forgive me if my questions seem a bit amateur, but I have not done this precise level of firewall tuning on a router before; this is more of a hobby for me.
I reckon that if you want to learn and be able to troubleshoot, it’s best to start out clean in order to know your device inside out. Also, learn to use safemode, create intermediate backups to your PC and make sure you know how to reset your device to defaults in case things go wrong (especially since that 951 has no serial port) after which you can restore your old backup.