Hello Mikrotik Users!
NOTE: I’ve read: http://forum.mikrotik.com/t/forum-rules/173010/1
I’ve been using my RB915G-2HnD for years now and I’m really happy. I’d describe myself as more of a casual network admin
i.e.: when I need or want to change something I dive in and usually the thing works, but I’m not gonna call myself an expert.
This is about to become painfully obvious, because I’d like to ask for feedback about my firewall rules.
My sources:
- https://blog.ligos.net/2017-08-16/Mikrotik-And-LTE-via-Android.html
- https://www.shellhacks.com/mikrotik-firewall-default-config-basics-for-dummies/
- https://mum.mikrotik.com/presentations/VN17/presentation_4332_1493289082.pdf
- https://help.mikrotik.com/docs/display/ROS/RouterOS (I’m not sure how much applies to ROS6 that I have, this seems to be ROS7-centric at times…)
In the MUM presentation they reiterate the two ways of designing a firewall:
Firewall
Two approaches
● Drop not trusted and allow trusted
● Allow trusted and drop untrusted
I may have ended up with a kludge, that misses the mark somewhere.
Notes:
- I’m not using LTE/PPP anymore, but I kept those lines just in case I have to.
- Interface pppoe-out1 is dead, because I’m in-between ISPs right now, but this is what I’ll be using soon.
- I’m on ROS 6.49.14
Firewall configuration:
user@mikrotik > /ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; defconf: accept established,related,untracked
chain=input action=accept connection-state=established,related,untracked
1 ;;; defconf: drop invalid
chain=input action=drop connection-state=invalid
2 ;;; defconf: accept ICMP
chain=input action=accept protocol=icmp
3 ;;; defconf: accept to local loopback (for CAPsMAN)
chain=input action=accept dst-address=127.0.0.1
4 I ;;; https://blog.ligos.net/2017-08-16/Mikrotik-And-LTE-via-Android.html
;;; lte1 not ready
chain=input action=drop in-interface=*B log=no log-prefix=""
5 ;;; defconf: drop all not coming from LAN
chain=input action=drop in-interface-list=!LAN
6 ;;; defconf: accept in ipsec policy
chain=forward action=accept ipsec-policy=in,ipsec
7 ;;; defconf: accept out ipsec policy
chain=forward action=accept ipsec-policy=out,ipsec
8 X ;;; defconf: fasttrack
chain=forward action=fasttrack-connection connection-state=established,related log=no log-prefix=""
9 ;;; defconf: accept established,related, untracked
chain=forward action=accept connection-state=established,related,untracked
10 ;;; defconf: drop invalid
chain=forward action=drop connection-state=invalid
11 ;;; defconf: drop all from WAN not DSTNATed
chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN
12 I ;;; defconf: drop all from ppp-out1 not DSTNATed
;;; ppp-out1 not ready
chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=ppp-out1 log=no log-prefix=""
13 I ;;; defconf: drop all from huawei-modem not DSTNATed
;;; huawei-modem not ready
chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=huawei-modem log=no log-prefix=""
14 I ;;; defconf: drop all from lte1 not DSTNATed
;;; lte1 not ready
chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=*B log=no log-prefix=""
My questions:
- I’m aware this config is not pretty, but is it safe?
- I’d like to know how rule 5 and 4, 12-14 work together, since the packets can come from different interfaces (lte, pppoe-out1, huawei-modem). Is this an issue that I have a drop on input as rule 5 while rules 12-14 have no corresponding drop at the end?
- What does *B mean? Deleted? I couldn’t find this in the docs, but I guess it’s for deleted items, since I removed lte-1 a while ago.
Thank you!