[SOLVED] Whitelist CIDR vs Blacklist

What would be the best approach to only allow incoming traffic from a specific CIDR (my country), vs blocking everyone else?

I assume it would be more effective in terms of filtering.

Any hints? Or anyone willing to share something similar that they have achieved?

Thanks,
anthonws.

Solved.

Added an Input FW rule to block everything !MYCOUNTRY, with a reject icmp network unreachable.

Then used the following script to populate “MYCOUNTRY” list.

# Log that the list is about to be (re)built
/log info "Loading MYCOUNTRY ipv4 address list"
# Drop the current MYCOUNTRY entries so stale subnets do not survive the refresh
/ip firewall address-list
remove [/ip firewall address-list find list=MYCOUNTRY]
# Download the ready-made RouterOS script for the country and run it
/tool fetch url=http://www.iwik.org/ipcountry/mikrotik/MYCOUNTRY
/import file-name=MYCOUNTRY

Very little to no impact as of now, particularly due to the fact that I live in a small country, so this translates into a small list of subnets.

Thanks,
anthonws.

One should use caution with blindly trusting a script source. If the source site gets compromised, your router can easily be compromised.

A simple example would be if someone compromises the website to return “/system reset-configuration”. Anyone that blindly uses “/tool fetch url=http://www.iwik.org/ipcountry/mikrotik/MYCOUNTRY” will wipe their router configuration.

If I were going to compromise this particular site, I would add my configuration items in the middle or at the end of the address list. That way if you open the website in a browser, you see what you expect to see at the top of the page. I would expect 99% of people validating the script would not scroll to the bottom to confirm nothing has been tampered with. I would add code that might ping a server I control periodically so I know what routers I have control of. I would add a new user account for me to use. I would add a raw rule to allow connections from public address space I have access to. Pretty soon I’d have a cool botnet.

The point I’m making is that you should thoroughly validate source code each time before using it.
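A way to act on that advice without reading the whole file by hand: validate the fetched script before handing it to /import, accepting only address-list entries for the expected list and refusing everything else. The example below is added here and is not code from the thread or from iwik.org; it assumes (hypothetically) that the fetched file consists of an optional "/ip firewall address-list" header followed by "add list=NAME address=CIDR" lines, and the sample input is constructed, including a smuggled command like the one the reply describes.

```python
import ipaddress
import re

# Assumed line format of the fetched file (hypothetical; check the real file):
#   /ip firewall address-list
#   add list=MYCOUNTRY address=203.0.113.0/24
# An entry may also carry the "/ip firewall address-list" prefix inline.
HEADER = "/ip firewall address-list"
ENTRY_RE = re.compile(
    r"^(?:/ip firewall address-list\s+)?add\s+list=(?P<list>\S+)\s+address=(?P<addr>\S+)\s*$"
)

def validate_address_list(text, list_name):
    """Return (accepted_networks, rejected_lines).

    Only lines that are exactly an address-list 'add' for list_name with a
    syntactically valid IPv4 network are accepted; every other non-blank,
    non-comment line is rejected, so a tampered command never reaches /import.
    """
    accepted, rejected = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or line == HEADER:
            continue
        m = ENTRY_RE.match(line)
        if m is None or m.group("list") != list_name:
            rejected.append((lineno, raw))
            continue
        try:
            # strict=True also rejects entries with host bits set (e.g. 198.51.100.1/22)
            net = ipaddress.IPv4Network(m.group("addr"), strict=True)
        except ValueError:
            rejected.append((lineno, raw))
            continue
        accepted.append(str(net))
    return accepted, rejected

# Constructed sample (not real iwik.org output) with a command appended at the
# end of the list, which is exactly where a casual look at the page would miss it.
SAMPLE = """\
/ip firewall address-list
add list=MYCOUNTRY address=203.0.113.0/24
add list=MYCOUNTRY address=198.51.100.0/22
add list=MYCOUNTRY address=198.51.100.1/22
add list=OTHER address=192.0.2.0/24
/system reset-configuration
"""

if __name__ == "__main__":
    ok, bad = validate_address_list(SAMPLE, "MYCOUNTRY")
    print("accepted:", ok)
    print("rejected:", bad)
    if bad:  # refuse the whole file when even one line is unexpected
        raise SystemExit("fetched list contains unexpected lines; not importing")
```

Run this on the downloaded file before /import and only proceed when the rejected list is empty; a clean run can then emit the accepted entries as fresh "add" commands instead of importing the downloaded script verbatim.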