Ready to start my custom firewall rules journey

hahaha :laughing: , no problem as long as I eventually get my rules right.
If I understand anav correctly then I think this is what I have…

add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add chain=input action=accept in-interface-list=LAN comment="LAN to device"
add chain=input action=drop comment="drop all else"
-
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
-
add action=accept chain=forward comment="LAN to WAN internet traffic" \
    in-interface-list=LAN out-interface-list=WAN
add action=drop chain=forward comment="drop all else" log=yes

This config actually looks fine.

What I would do next is to restrict the accepted traffic from LAN (in input) to only DNS (53/udp and 53/tcp), ssh (22/tcp), webfig (80/tcp and 443/tcp) and winbox (8291/tcp). You’re also fine if you don’t - just a suggestion.

@xsentinel
Yep, sorry for the hijacking :blush: .

@lurker888
Let’s move the discussion here :slight_smile: :
http://forum.mikrotik.com/t/the-ultimate-mikrotik-iptables-flowchart/184101/1
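For anyone who wants to follow the suggestion above, here is what the input chain looks like once LAN access to the router is narrowed to the named services. This is an added example, not the configuration posted by xsentinel or lurker888: it keeps the default-config rules already shown in the thread, assumes an interface list called LAN exists, and uses only the ports listed in the suggestion (53/udp, 53/tcp, 22/tcp, 80/tcp, 443/tcp, 8291/tcp). The log-prefix value is a made-up label.

```routeros
/ip firewall filter
# Default-config rules, unchanged from the thread: keep state handling first
add action=accept chain=input comment="defconf: accept established,related,untracked" \
    connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
# Replace the broad "LAN to device" accept with one rule per service.
# Only new connections need matching here; replies are already accepted above.
add action=accept chain=input comment="LAN: DNS over UDP" in-interface-list=LAN \
    protocol=udp dst-port=53 connection-state=new
add action=accept chain=input comment="LAN: DNS over TCP" in-interface-list=LAN \
    protocol=tcp dst-port=53 connection-state=new
add action=accept chain=input comment="LAN: ssh, webfig, winbox" in-interface-list=LAN \
    protocol=tcp dst-port=22,80,443,8291 connection-state=new
# Everything else to the router itself is dropped and logged so mistakes show up in /log
add action=drop chain=input comment="drop all else" log=yes log-prefix="input-drop"
# Check ordering and watch the counters while testing from a LAN host
/ip firewall filter print stats where chain=input
```

The rules are order-sensitive, so the per-service accepts must sit above the final drop. Any other service the router provides to the LAN would need its own accept rule, otherwise it lands on the logged drop, which is exactly where the log-prefix helps: a quick look at /log shows what was cut off before it turns into a support question.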

Nothing to apologize for. I appreciate very much all of you helping so much. I do believe at this point that I have a pretty good simple effective rule set for my purposes and I understand what each rule does and why.
At this point I believe that my mikrotik is set up and secure and it is all thanks to you all. I still want to learn more and I have more questions, but, since I feel this thing is properly set up and secured, they are not mission critical so I’ll be posting them separately.

Once again thank you all. Very much appreciated.