I’m currently setting up my first MikroTik router (hEX: RB750Gr3).
I have read all the chapters about the firewall, but certain things are still unclear…
What are dynamic rules?
And what is this rule?
/ip firewall filter print dynamic
Flags: X - disabled, I - invalid, D - dynamic
0 D ;;; special dummy rule to show fasttrack counters
chain=forward action=passthrough
–
Input
0 ;;; defconf: accept established,related,untracked
chain=input action=accept connection-state=established,related,untracked
1 ;;; defconf: drop invalid
chain=input action=drop connection-state=invalid
2 ;;; defconf: accept ICMP
chain=input action=accept protocol=icmp
3 ;;; defconf: drop all not coming from LAN
chain=input action=drop in-interface-list=!LAN
If I want to improve this default config a little bit, I could:
remove “untracked” from rule 0
change rule 2 into: chain=input action=accept protocol=icmp in-interface=ether2-master (meaning only LAN devices will be able to ICMP, correct?)
Is it possible to create an additional rule that says: drop everything that is not TCP:80 on LAN? (I can’t find it…)
Forward
Flags: X - disabled, I - invalid, D - dynamic
0 D ;;; special dummy rule to show fasttrack counters
chain=forward action=passthrough
1 ;;; defconf: accept in ipsec policy
chain=forward action=accept ipsec-policy=in,ipsec
2 ;;; defconf: accept out ipsec policy
chain=forward action=accept ipsec-policy=out,ipsec
3 ;;; defconf: fasttrack
chain=forward action=fasttrack-connection connection-state=established,related
4 ;;; defconf: accept established,related, untracked
chain=forward action=accept connection-state=established,related,untracked
5 ;;; defconf: drop invalid
chain=forward action=drop connection-state=invalid
6 ;;; defconf: drop all from WAN not DSTNATed
chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN
The “dynamic” rules are inserted automatically. That one is used only for counting; it does nothing by itself.
When you remove the “fasttrack” rule and reboot the router, it will be gone (and you have no fasttracking anymore).
Your “improvements” are not improvements at all! The default firewall is quite OK, currently.
Removing “untracked” can be done, but it will serve no purpose and will cause problems once you start using “untracked” in the “raw” firewall (which maybe will not happen).
You should not change the ICMP rule, not even when Steve Gibson tells you so. It will cause problems with MTU path discovery.
The 3rd change is not required; everything is already dropped by default.
There used to be more dynamic rules in the past than there are now, e.g. the automatic “adjust tcp mss” rule for interfaces with lower MTU.
Those are no longer visible as rules in the firewall, but as options in the interface settings, probably handled by the driver instead of the firewall.
Now, the fasttrack thing is the most visible case of dynamic rules.
When you do not want access to certain services at all, you can turn them off under IP->services.
You can do it in the firewall as well, but I would advise you to first get some working knowledge about how it works, and features like “safe mode”, as there is a risk of locking yourself out.
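As an added example (not from the thread, and not MikroTik’s own defconf script), here are the RouterOS terminal commands that correspond to the default input chain printed above, plus the services restriction the reply recommends. It assumes the LAN subnet is 192.168.88.0/24 and that the bridge is already a member of the “LAN” interface list; both are assumptions, not something the thread states.

```routeros
# Added example: RouterOS terminal commands matching the default input chain
# shown in the thread, plus the IP -> Services advice from the reply.
# Assumed (not from the thread): LAN subnet 192.168.88.0/24, bridge is
# already in the "LAN" interface list.

# 1. Look at the dynamic rule: flag "D", action=passthrough, it only counts.
#    'print stats' shows the fasttrack packet/byte counters it exists for.
/ip firewall filter print where dynamic
/ip firewall filter print stats where dynamic

# 2. The default input chain as the commands that create it (only run these
#    on a router whose defconf rules were removed, or you get duplicates).
#    Order matters: rules are evaluated top to bottom, first match decides.
/ip firewall filter
add chain=input action=accept connection-state=established,related,untracked \
    comment="defconf: accept established,related,untracked"
add chain=input action=drop connection-state=invalid \
    comment="defconf: drop invalid"
# ICMP stays accepted on every interface: path MTU discovery needs ICMP to
# reach the router, which is why the reply says not to restrict this rule.
add chain=input action=accept protocol=icmp comment="defconf: accept ICMP"
# Last rule: anything not arriving on a LAN interface is dropped, so no
# extra "drop everything else" rule is needed for services facing the WAN.
add chain=input action=drop in-interface-list=!LAN \
    comment="defconf: drop all not coming from LAN"

# 3. Services you do not need: turn them off here rather than in the
#    firewall, and bind the ones you keep to the LAN subnet.
/ip service disable telnet,ftp,www,api,api-ssl
/ip service set ssh address=192.168.88.0/24
/ip service set winbox address=192.168.88.0/24
/ip service print
```

Before applying any of this from a remote session, enter safe mode (Ctrl-X in the terminal, or the Safe Mode button in WinBox): if the session drops because a rule locked you out, the changes made since entering safe mode are rolled back. The `address=` restriction on ssh and winbox is a second line of defence behind the `in-interface-list=!LAN` drop rule; it does not replace it.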