RouterBoard directly exposed to the internet

Hi all,

I have been using my RB750r2 behind a cable router with NAT for some time already. Now I plan to activate bridge mode in my CPE for particular reasons, so that my RouterBoard is connected directly to the modem inside the cable router and gets its own public IP via DHCP. My RouterBoard will therefore be “fully exposed” to the internet. So I want to ask whether I have to do some tasks before doing this with respect to security issues.

My RouterOS is up to date and I started with a factory reset.

After this I set a secure admin password.

I looked in IP → Firewall and found several default rules and a NAT entry (Out. Interface List: WAN, Chain: srcnat, Action: masquerade). So I suppose that the RouterBoard will not expose any LAN clients directly to the Internet. A scan with nmap -Pn from within the LAN provided by the cable router revealed only filtered ports (the 1000 most common ports scanned) for the WAN IP of the RouterBoard. Furthermore, I will disable all services I don’t need under IP → Services (e.g. winbox, telnet, api, etc.), even though I don’t expect attacks from the internal network.

Are there any other things to ensure that the RouterBoard is prepared for safe and direct internet access?

Is it, for example, correct that I don’t have to worry about TR069 as long as there is no correspondingly named package inside System → Packages? I know that TR069 should not be accessible from arbitrary IP addresses, but I just want to double check that there is definitely no “listener” when no TR069 client is installed.

These are the default firewall settings after factory reset:

/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN

I am considering removing the ICMP rule and the two IPsec rules as long as I don’t need them.

If you have any suggestions, please let me know.
Many thanks and best regards.

IP → Services

Enable only what you want to use.
Add “available at” for your LAN segment only.

Regards.

Here is a RouterOS hardening guide from MUM:

https://mum.mikrotik.com/presentations/KH17/presentation_4162_1493374113.pdf

You can limit pings to the inside network only or rate-limit them. The default config is decent, but have a look at the hardening guide. Like the previous poster said, at least disable services you don’t need (like telnet!) and limit access to router services to your local subnet.
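The advice in this thread, collected into one RouterOS CLI script as an added example (not posted by anyone in the thread): it disables the unused services, restricts the remaining ones to the LAN with the address= parameter (the “Available From” field in Winbox), and shows the two ICMP options mentioned above (LAN-only or rate-limited) by editing the default “accept ICMP” rule in place so the rule order stays intact. It assumes the LAN subnet is 192.168.88.0/24 (the RouterOS default) and that the router is managed over SSH and Winbox from the LAN; adjust both to your setup.

```routeros
# Added example, not part of the original thread.
# Assumption: LAN subnet is 192.168.88.0/24 (RouterOS default).

# 1. Disable services that are not needed. Plaintext telnet/ftp/www
#    and the API go; ssh, winbox and www-ssl stay for management.
/ip service
disable telnet,ftp,www,api,api-ssl

# 2. Restrict the remaining services to the LAN subnet. This is the
#    "Available From" field in Winbox. The default "drop all not coming
#    from LAN" input rule already blocks WAN access; this is a second
#    layer in case that rule is ever changed or the interface list
#    membership is wrong.
set ssh address=192.168.88.0/24
set winbox address=192.168.88.0/24
set www-ssl address=192.168.88.0/24

# 3a. ICMP option A: keep the default accept rule but only for LAN.
#     Pings from the WAN then fall through to "drop all not coming
#     from LAN" and are silently dropped.
/ip firewall filter
set [find comment="defconf: accept ICMP"] in-interface-list=LAN

# 3b. ICMP option B (instead of 3a): accept from anywhere, but
#     rate-limited to 50 packets per 5 s with a burst of 2. Excess
#     ICMP is not explicitly dropped here; it simply reaches the
#     "drop all not coming from LAN" rule further down the chain.
#     Uncomment to use this instead of option A:
# set [find comment="defconf: accept ICMP"] limit=50/5s,2:packet

# 4. Verify the result, plus the TR069 question from the thread:
#    if no tr069-client package is listed, there is nothing to disable.
/ip service print
/ip firewall filter print where chain=input
/system package print
```

Apply option A or option B, not both: setting both in-interface-list=LAN and limit= on the same rule would rate-limit LAN pings and still drop all WAN pings.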