I have also read some criticism of using an address list like not_in_internet, but in my case I use chains and had to use the not_in_internet address list to control internet access.
Please let me know if you have any questions and if there is anything I can improve in this config. firewall.review.rsc (28.6 KB)
edit #1: Removed serial number.
Some hints: Golden rule: drop all at the end
Drop all at the end on both input and forward.
Permit only what is known.
No remote access directly to the RouterBOARD, use VPN.
PPtP is not a VPN, not any more…
A VPN is nowadays a VPN only if some form of cryptography is involved.
Drop traffic from unwanted sources or unwanted types on RAW, not on filter (for example block on RAW any DNS request not coming from your LAN).
Disable loose TCP tracking.
Set RP Filter at least on loose.
Decrease TCP timeout from 1 day (???..) to 30 min.
Block from going outside any IP that you do not have, prevent IP spoofing.
DO NOT disable mac winbox on the LAN side, or at least leave one ethernet port for direct CPU access for management (and do it before configuring anything).
Separate traffic on forward with chains, so as not to process the same packet a dozen times.
Do not lose time with DDoS, ask your ISP, you can not do anything…
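As an added illustration (not rextended's config and not the firewall.review.rsc under review), here is a compact RouterOS script that applies the hints above. It assumes the LAN is bridge1, the WAN is ether1, the LAN subnet is 192.168.88.0/24 and a WireGuard endpoint on UDP 13231; all of these are constructed placeholders.

```routeros
# Added example, not from the thread. Assumed interfaces/subnet/VPN port below.
/interface list add name=LAN
/interface list add name=WAN
/interface list member add list=LAN interface=bridge1
/interface list member add list=WAN interface=ether1

# Networks the router actually owns (assumed); used for anti-spoofing
/ip firewall address-list add list=local_nets address=192.168.88.0/24

# Connection tracking: no loose TCP tracking, 30 min instead of 1 day
/ip firewall connection tracking set loose-tcp-tracking=no tcp-established-timeout=30m
# Reverse-path filter, at least loose
/ip settings set rp-filter=loose
# Keep MAC winbox / mac-server reachable on the LAN side only
/tool mac-server set allowed-interface-list=LAN
/tool mac-server mac-winbox set allowed-interface-list=LAN

# RAW: drop unwanted traffic before connection tracking sees it,
# here any DNS request that does not arrive from the LAN
/ip firewall raw add chain=prerouting protocol=udp dst-port=53 in-interface-list=!LAN action=drop comment="DNS only from LAN"
/ip firewall raw add chain=prerouting protocol=tcp dst-port=53 in-interface-list=!LAN action=drop comment="DNS only from LAN"

/ip firewall filter
# input (the router itself): permit only what is known, drop all at the end
add chain=input connection-state=established,related,untracked action=accept
add chain=input connection-state=invalid action=drop
add chain=input protocol=icmp action=accept comment="ICMP"
add chain=input protocol=udp dst-port=13231 in-interface-list=WAN action=accept comment="VPN endpoint (assumed WireGuard port)"
add chain=input in-interface-list=LAN action=accept comment="management from LAN (or over the VPN)"
add chain=input action=drop comment="golden rule: drop all"

# forward: split by direction into chains so each packet is evaluated once
add chain=forward connection-state=established,related,untracked action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward in-interface-list=LAN out-interface-list=WAN action=jump jump-target=lan2wan
add chain=forward in-interface-list=WAN out-interface-list=LAN action=jump jump-target=wan2lan
add chain=forward action=drop comment="golden rule: drop all"

# lan2wan: nothing leaves with a source IP we do not own, then allow new sessions out
add chain=lan2wan src-address-list=!local_nets action=drop comment="anti-spoofing"
add chain=lan2wan connection-state=new action=accept
# wan2lan: only what dst-nat explicitly opened; anything else returns to forward and is dropped
add chain=wan2lan connection-nat-state=dstnat action=accept
```

Rules that do not match inside lan2wan or wan2lan return to the forward chain and hit the final drop, so each custom chain only needs its accept rules.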
-as rextended noted, besides the drop invalid default rule, the concept of drop all as the last rule, and only putting in user rules for allowed traffic above them, is usually the most efficient and safer method. It also avoids many of the confusing !rules!!
-Forget jump rules unless you really need them.
-Move bogons to ip routes.
etc.