Second Pair (or more) of eyes for firewall rules

Hey Everyone,

I am just looking for a second pair of eyes to make sure I didn't make a huge blunder or missed something important in regards to my FW ruleset

The goal is to block as much as possible and only open what I need to grant access for.

/ip firewall filter
add action=accept chain=input comment=
"defconf: accept established,related,untracked" connection-state=
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=
invalid
add action=accept chain=input comment="defconf: accept ICMP" disabled=yes
protocol=icmp
add action=accept chain=input comment="admin to Router" connection-state=""
dst-address-list=router in-interface-list=LAN src-address-list=
"admin access"
add action=accept chain=input dst-address-list=router_bgp dst-port=179
in-interface-list=LAN protocol=tcp src-address-list=K8-BGP
add action=drop chain=input
add action=accept chain=forward comment="defconf: accept in ipsec policy"
disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy"
disabled=yes ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack"
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=
"defconf: accept established, related, untracked" connection-state=
established,related,untracked
add action=drop chain=forward comment="Drop invalid" connection-state=invalid
add action=accept chain=forward comment="admin to management"
dst-address-list="infrastructure and management" src-address-list=
"admin access"
add action=accept chain=forward comment=
"Allow vlans to reach udp port 53 on local dns" dst-address-list=pi-hole
dst-port=53 protocol=udp src-address-list=local_networks
add action=accept chain=forward comment=
"Allow vlans to reach tcp port 53 on local dns" dst-address-list=pi-hole
dst-port=53 protocol=tcp src-address-list=local_networks
add action=accept chain=forward comment=
"Allow Internal DNS server to querry external DNS 53/tcp" dst-port=53
protocol=udp src-address-list=bind9
add action=accept chain=forward comment=
"Allow Internal DNS server to querry external DNS 53/udp" dst-port=53
protocol=tcp src-address-list=bind9
add action=drop chain=forward comment=
"Drop all other DNS requests to external network" dst-port=53 protocol=tcp
add action=drop chain=forward comment=
"Drop all other DNS requests to external network" dst-port=53 protocol=udp
add action=accept chain=forward comment="Allow Data to access HomeAssistant"
dst-address-list=homeassistant src-address-list=data
add action=accept chain=forward comment="Data to SMB share on Cortex"
dst-address-list=cortex dst-port=445 protocol=tcp src-address-list=data
add action=accept chain=forward comment="allow LAN to WAN traffic"
connection-state="" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="Ha -> K8KVM icmp check"
connection-state=new dst-address=xx.xx.xx.xx/31 protocol=icmp
src-address=xx.xx.xx.xx
add action=accept chain=forward comment="nginx test" dst-address=xx.xx.xx.xx
src-address-list=data
add action=drop chain=forward comment="drop all else"

/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN

/ip firewall service-port
set ftp disabled=yes
set pptp disabled=yes

Thanks for any input that will make my nw and the internet safer!

Br
L

This makes it difficult to read, do not modify the export (apart from censoring the serial number and public IPs) and after pasting it on the forum, select everything and press </>

First bulls~~t:
add action=accept chain=input comment="defconf: accept ICMP" disabled=yes protocol=icmp

First error:
connection-state=""

That's enough for me, I'll stop here.
Any change to the default firewall is practically wrong if done carelessly.

First, thanks for the reply!

Second, I have a CCR2004-16G-2S+ so there was no “default” firewall config on it so I had to create it. And since I also have some edits for things I need, I felt it would be good to have a second pair of eyes.

As for ICMP, I don’t have any use for it right at this moment, so it is disabled. I just leave the rule in there in case I need to enable it for something later.

And for the connection state, I assume that it is unnecessary since it is basically empty, I have removed that now. (If this was the wrong assumption please let me know)

Anyway I ask because I want to get it right, so any help, even if its just 2 things is appreciated.

Br
/L

This is a "generic" and "general" issue with RouterOs, in some cases having an empty field/setting (in your case connection state) has a different meaning from not having the field/setting set at all.
Particularly when using Winbox to make the settings it is easy to accidentally set a field as empty.
It is the way RouterOs interprets the settings, in some cases it can be harmless, in others it can create issues.

Thank you for that piece of information!

I will be extra mindful of "" fields when making any changes/updates.

Br
/L