We use this rule:
add action=drop chain=forward comment="drop to bogon list" disabled=no dst-address-list=bogons
Why don't we use this rule?
add action=drop chain=input comment="drop to bogon list" disabled=no src-address-list=bogons
Note: we don't want to drop everything in input.
Thanks.
I say: replace both with strict reverse path filter
/ip settings set rp-filter=strict
@sebastia:
rp-filter=strict
is not a defence against bogons coming from WAN because you most likely have a 0.0.0.0/0 route there, which will give a green light to any bogon…
@shujanster:
we don't want to drop everything in input.
That isn't a good approach and I would strongly recommend reconsidering it. "Drop everything except allowed" is much safer and, if done properly, you wouldn't even need to define bogon lists.
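What a "drop everything except allowed" input chain looks like in RouterOS terms, together with the bogon rules pointed in the direction that actually matters; this is an added example, not the config of anyone posting in this thread, and it assumes the interface lists LAN and WAN and an address list named bogons already exist.

```routeros
# Added example (assumed names: interface lists "LAN" and "WAN", address list "bogons").
/ip firewall filter
# Input chain protects the router itself: only explicitly allowed traffic reaches it.
add chain=input action=accept connection-state=established,related comment="replies to the router's own sessions"
add chain=input action=drop connection-state=invalid comment="drop packets with broken connection state"
add chain=input action=accept in-interface-list=LAN comment="management only from LAN"
add chain=input action=accept protocol=icmp in-interface-list=WAN comment="keep ping and path MTU discovery working"
add chain=input action=log log-prefix="input-drop" comment="log what the default deny catches; remove once tuned"
add chain=input action=drop comment="default deny: everything else aimed at the router"
# Forward chain: a bogon source address can never legitimately arrive from upstream,
# so the check belongs on packets entering via WAN with src-address-list. rp-filter
# alone does not catch these because the default route points at WAN.
add chain=forward action=drop in-interface-list=WAN src-address-list=bogons comment="drop bogon sources arriving from WAN"
add chain=forward action=drop out-interface-list=WAN dst-address-list=bogons comment="drop traffic leaving to bogon destinations"
```

With the input chain ending in a default drop, the bogon match on input becomes redundant, which is the point made above; the forward-chain rules remain useful as belt and braces if the upstream does not filter.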
Correct, on the inbound from upstream it's the responsibility of the ISP. But just in case, these are in the standard config of Tik, and that's enough:
* /ip firewall filter add action=drop chain=forward connection-nat-state=!dstnat connection-state=new in-interface-list=WAN comment="defconf: drop all from WAN not DSTNATed"
* /ip firewall filter add action=drop chain=input in-interface-list=!LAN comment="defconf: drop all not coming from LAN"