What's wrong with my firewall rules?

In a different thread, I shared my configs hoping to solve a DNS config problem (which was solved), and user anav kindly shared some insights, one of which was:

  1. Firewall rules suck for a public facing IP… not safe, remove from internet.

I’m attaching my firewall configurations below because this is making me quite nervous.

/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=\
    established,related hw-offload=yes
add action=accept chain=forward connection-state=established,related
add action=drop chain=forward connection-state=invalid
add action=drop chain=forward connection-nat-state=!dstnat connection-state=\
    new in-interface=pppoe-out1
/ip firewall nat
add action=masquerade chain=srcnat comment=masquerade out-interface=\
    pppoe-out1

My full config can be found in the linked thread above. Thanks in advance for your help.

Um... you have no rules for chain "input", and the default policy in RouterOS is to accept everything. Do the math.

https://help.mikrotik.com/docs/spaces/ROS/pages/328513/Building+Advanced+Firewall#BuildingAdvancedFirewall-ProtecttheDevice

Why delete the defconf firewall rules when apparently not really understanding how the ROS ("iptables") firewall works, essentially?

If not building something sophisticated or special-purposed, take the default FW configuration from the RouterBOARD factory configuration and build up from there.

Thanks. I've added all the rules under "Protect the Device".

How can I import the "defconf" firewall rules without having defconf itself?

/system default-configuration print
And just run everything under /ip firewall and /ipv6 firewall.

Thanks itimo01.

Updated.

IPv4:

/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment=masquerade out-interface=\
    pppoe-out1

IPv6:

/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN

I hope this has me covered. I wonder how much damage the lack of the input rules could have done in a few hours, because I see it dropping some traffic...

It is always dropping traffic, as there is much noise on the net; no need to be concerned.

Thanks anav. Are the current rules "good enough"?

Yes

If not actually using IPv6, what I recommend is disabling it and removing all the associated firewall address lists and rules, save:
add chain=input action=drop
add chain=forward action=drop

Yes, the firewall default filter rules are safe out of the box.
They are basically designed to block the worst traffic and then allow everything else.
An example would be in the input chain to block all traffic to the router except LAN traffic.
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Once one makes changes to the default config, it's usually best to turn the concept from "block the known bad things and allow everything else"
TO
"block everything and allow only the known good things (aka needed traffic)".
I think you can agree with me that it's much easier to identify the needed traffic than to know about all the possible bad things that could be passing...

Thus, for example, on the forward chain we take this default rule:
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN

Which does the job as default but can be very confusing to the new person because it's trying to do many things at once.
The takeaway is that this is the only real controlling/limiting rule in the forward chain, and it says: DROP any traffic coming from the external www that is not coming in due to port forwarding.
In other words, it identifies potential bad traffic to block and then basically allows ANY other traffic to occur.

and change it to something that is clearer (what was inferred, that LAN to WAN traffic is allowed, now becomes OBVIOUS):

add chain=forward action=accept comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
add chain=forward action=accept comment="port forwarding" connection-nat-state=dstnat { disable or remove if not required }
add chain=forward action=drop comment="drop all else"

Right away it's clear to the reader what the purpose of these rules is: allow traffic to the www, allow any port forwarding, and then drop all other possible traffic, whatever it is!!!
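Two points in this thread are worth seeing side by side: the empty input chain from the first post (no rule matches, so RouterOS accepts) and anav's rewrite of the forward chain from "drop the known bad" to "accept the needed, drop the rest". The following is an added example, not code from the thread or from MikroTik: a tiny first-match-wins evaluator with the rule matchers reduced to interface lists, connection-state and dstnat, fed constructed packets; the "GUEST" interface list is an assumption used to show an interface that belongs to neither WAN nor LAN.

```python
# Added example, not from the thread: a first-match-wins evaluator for RouterOS-style
# filter rules, reduced to the matchers discussed here (interface lists,
# connection-state, dstnat). Fasttrack and protocol matchers are left out.
from dataclasses import dataclass

@dataclass
class Packet:
    in_list: str          # interface list it arrived on: "WAN", "LAN", or something else
    out_list: str = ""    # interface list it would leave on (forward chain only)
    state: str = "new"    # connection-state: new / established / related / invalid
    dstnat: bool = False  # connection-nat-state=dstnat, i.e. port-forwarded

def evaluate(rules, pkt):
    """First matching rule decides; with no match RouterOS accepts (the implicit default)."""
    for action, match in rules:
        if match(pkt):
            return action
    return "accept"

reply = lambda p: p.state in ("established", "related", "untracked")
invalid = lambda p: p.state == "invalid"

# Forward chain as defconf ships it: name the bad traffic, let the rest through.
DEFCONF_FORWARD = [
    ("accept", reply),
    ("drop", invalid),
    ("drop", lambda p: p.in_list == "WAN" and p.state == "new" and not p.dstnat),
]

# anav's rewrite: name the needed traffic, then drop everything else.
EXPLICIT_FORWARD = [
    ("accept", reply),
    ("drop", invalid),
    ("accept", lambda p: p.in_list == "LAN" and p.out_list == "WAN"),
    ("accept", lambda p: p.dstnat),
    ("drop", lambda p: True),
]

def compare_forward(pkt):
    """Verdicts of both designs for one packet, as (defconf, explicit)."""
    return evaluate(DEFCONF_FORWARD, pkt), evaluate(EXPLICIT_FORWARD, pkt)

# Constructed packets. "GUEST" is an interface in neither list (a VLAN nobody added
# to LAN): defconf passes it because no rule names it; the explicit chain drops it.
CASES = {
    "lan_to_internet": Packet("LAN", "WAN"),
    "unsolicited_from_wan": Packet("WAN", "LAN"),
    "port_forward_from_wan": Packet("WAN", "LAN", dstnat=True),
    "unlisted_vlan_to_wan": Packet("GUEST", "WAN"),
}
```

`evaluate([], Packet("WAN"))` returns `"accept"`, which is the empty input chain of the first post in one line; `compare_forward(CASES["unlisted_vlan_to_wan"])` returns `("accept", "drop")`, the case where the two forward-chain designs disagree.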