KennyPowers
Frequent Visitor
Topic Author
Posts: 59
Joined: Tue May 05, 2015 6:18 pm

Firewall Improvements

Wed Nov 18, 2015 4:38 pm

Hi All,

Could I ask someone to have a look at my firewall rules below and suggest any improvements, mistakes or additions? Thanks. I've been reading up a bit and copied most of the rules from various sites.

The Support list is the whole local LAN, 192.168.88.0/24.
/ip firewall filter 
add chain=input action=accept comment="allow already established and related connections" connection-state=established,related 
add chain=input action=accept comment="allow ICMP" protocol=icmp 
add chain=input action=accept comment="allow vpn" dst-port=1723 in-interface=ether1-gateway protocol=tcp 
add chain=input action=accept comment="" in-interface=ether1-gateway protocol=gre 
add chain=input action=accept comment="Accept DNS - UDP" disabled=no port=53 protocol=udp  
add chain=input action=accept comment="Accept DNS - TCP" disabled=no port=53 protocol=tcp 
add chain=input action=drop comment="Block all access to the winbox - except to support list" disabled=no dst-port=8291 protocol=tcp src-address-list=!Support 
add chain=input action=drop comment="Block all access to the API - except to support list" disabled=no dst-port=8728 protocol=tcp src-address-list=!Support 
add chain=input action=drop comment="drop ftp" disabled=no dst-port=21 protocol=tcp 
 
add chain=input action=add-src-to-address-list address-list=trying_to_login address-list-timeout=1d comment="list IP's who try remote login" disabled=no dst-port=20-23 protocol=tcp  
add chain=input action=drop comment="drop ssh brute forcers" disabled=no dst-port=22 protocol=tcp src-address-list=ssh_blacklist  
add chain=input action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1w3d connection-state=new disabled=no dst-port=22 protocol=tcp src-address-list=ssh_stage3  
add chain=input action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1h connection-state=new disabled=no dst-port=22 protocol=tcp src-address-list=ssh_stage2  
add chain=input action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1h connection-state=new disabled=no dst-port=22 protocol=tcp src-address-list=ssh_stage1  
add chain=input action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1h connection-state=new disabled=no dst-port=22 protocol=tcp  
add chain=input action=accept comment="allow ssh" disabled=no dst-port=22 protocol=tcp 
 
add chain=input action=add-src-to-address-list address-list=Syn_Flooder address-list-timeout=30m comment="Add Syn Flood IP to the list" connection-limit=30,32 disabled=no protocol=tcp tcp-flags=syn 
add chain=input action=drop comment="Drop to syn flood list" disabled=no src-address-list=Syn_Flooder

add chain=input action=add-src-to-address-list address-list=Port_Scanner address-list-timeout=1w comment="Port Scanner Detect" disabled=no protocol=tcp psd=21,3s,3,1  
add chain=input action=drop comment="Drop to port scan list" disabled=no src-address-list=Port_Scanner 
 
add chain=input action=accept comment="accept lan" disabled=no in-interface=!bridge-local src-address=192.168.88.0/24 
add chain=input action=drop comment="" in-interface=!bridge-local 
 
add chain=forward action=fasttrack-connection connection-state=established,related 
add chain=forward action=accept comment="allow already established and related connections" connection-state=established,related 
add chain=forward action=drop comment="drop invalid connections" connection-state=invalid
 
add chain=forward in-interface=bridge-local action=accept

add chain=forward action=add-src-to-address-list address-list=spammers address-list-timeout=3h comment="Add Spammers to the list for 3 hours" connection-limit=30,32 disabled=no dst-port=25,587 limit=30/1m,0 protocol=tcp  
add chain=forward action=drop comment="Avoid spammers action" disabled=no dst-port=25,587 protocol=tcp src-address-list=spammers 
 
add chain=forward action=reject reject-with=icmp-host-unreachable protocol=icmp in-interface=!bridge-local out-interface=bridge-local icmp-options=8:0-255  
add chain=forward action=reject reject-with=icmp-host-unreachable protocol=icmp in-interface=!bridge-local out-interface=bridge-local icmp-options=17:0-255 
add chain=forward action=reject reject-with=icmp-host-unreachable protocol=icmp in-interface=!bridge-local out-interface=bridge-local icmp-options=15:0-255 
add chain=forward action=reject reject-with=icmp-host-unreachable protocol=icmp in-interface=!bridge-local out-interface=bridge-local icmp-options=30:0-255 
 
add chain=forward action=drop protocol=tcp port=0 
add chain=forward action=drop protocol=udp port=0 
add chain=forward action=drop 
add action=accept chain=input comment="Full access to SUPPORT address list" disabled=no src-address-list=Support 
add chain=input action=drop comment="drop everything else"
 
francisuk24
newbie
Posts: 28
Joined: Tue Mar 18, 2014 12:10 am
Location: United Kingdom

Re: Firewall Improvements

Sat Nov 21, 2015 11:02 pm

Are you running this on a RouterBoard or an x86 (PC)? :D
RouterBoard RB750R2, RouterOS Level 4
ISP: Zen Internet via VDSL 2 > 74.68Mb Down / 17.84Mb Up
 
int2str
just joined
Posts: 7
Joined: Wed Oct 28, 2015 11:53 am

Re: Firewall Improvements

Mon Nov 30, 2015 9:40 am

Not sure if still relevant, but a few comments:

- Why are you allowing external DNS lookups? No reason to do that IMHO.
- Don't use SSH on port 22. Instead, move it to a different (non-standard) port. Then, auto-blacklist anybody who connects to port 22. There are a lot of password brute-force attacks on port 22 these days.
- Lots of stuff for ICMP ping. Just block it, done :)

Here's the relevant entry from my firewall:
      ;;; Auto-block any SSH attempt on port 22
      chain=sanity-check action=add-src-to-address-list protocol=tcp address-list=blocked-addr
      address-list-timeout=3m dst-port=22 log=yes log-prefix="ssh-ban"
(and of course "blocked-addr" is dropped later)
I did it for 3 minutes since I don't want to lock myself out if I forget to specify the port somehow :D
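Picking up int2str's three points (DNS accepted from anywhere, SSH open to everyone, ICMP accepted from anywhere) together with the unclosed comment quotes in the original post, here is a small Python audit script. It is an added example, not part of either poster's configuration and not a MikroTik tool. It parses RouterOS `/ip firewall filter` export lines with `shlex`, then reports input-chain accepts that no source-side matcher restricts, rules that sit after an unconditional terminal rule in the same chain (unreachable), and lines whose quoted value never closes. The sample ruleset is constructed from a subset of the thread's rules; the Support accept is deliberately moved after the final drop so the unreachable check has something to find, and the set of keys treated as "source-restricting" is this script's judgement call, not a RouterOS definition.

```python
"""Static review of RouterOS /ip firewall filter export lines (added example).

Findings:
  syntax       - a quoted value (usually comment="...") that never closes
  open-service - an input-chain accept that no source-side matcher restricts
  unreachable  - a rule placed after an unconditional terminal rule in its chain
"""
import shlex
from dataclasses import dataclass

# Constructed sample modelled on rules from this thread; not a live export.
# Line 5 reproduces the unclosed comment quote from the original post, and the
# Support accept is deliberately placed after the final drop (the original
# post had it before) so the unreachable check fires.
SAMPLE_RULES = """\
/ip firewall filter
add chain=input action=accept comment="allow already established and related connections" connection-state=established,related
add chain=input action=accept comment="allow ICMP" protocol=icmp
add chain=input action=accept comment="Accept DNS - UDP" port=53 protocol=udp
add chain=input action=drop comment="Block winbox - except support list dst-port=8291 protocol=tcp src-address-list=!Support
add chain=input action=accept comment="allow ssh" dst-port=22 protocol=tcp
add chain=input action=accept comment="accept lan" in-interface=!bridge-local src-address=192.168.88.0/24
add chain=input action=drop comment="drop everything else"
add chain=input action=accept comment="Full access to SUPPORT address list" src-address-list=Support
add chain=forward action=accept connection-state=established,related
add chain=forward action=drop
"""

# Judgement call for this script: matchers that limit *who* can hit an input accept.
SOURCE_KEYS = {"src-address", "src-address-list", "in-interface", "connection-state"}
# Properties that carry no match condition, so a terminal rule with only these matches everything.
NON_MATCH_KEYS = {"chain", "action", "comment", "disabled", "log", "log-prefix"}
TERMINAL_ACTIONS = {"accept", "drop", "reject", "tarpit"}


@dataclass
class Rule:
    lineno: int
    props: dict


@dataclass
class Finding:
    lineno: int
    kind: str
    detail: str


def parse_rules(text):
    """Turn `add key=value ...` lines into Rule objects; unparseable lines become findings."""
    rules, findings = [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line.startswith("add "):
            continue  # menu path, blank line, or print output: not a rule
        try:
            tokens = shlex.split(line[len("add "):])  # honours "quoted values with spaces"
        except ValueError as exc:  # shlex raises this for an unterminated quote
            findings.append(Finding(lineno, "syntax", f"{exc}; rule skipped"))
            continue
        props = {}
        for tok in tokens:
            key, sep, value = tok.partition("=")
            props[key] = value if sep else ""  # bare flags become empty strings
        rules.append(Rule(lineno, props))
    return rules, findings


def describe(props):
    """Short human label for a rule: its comment, else its protocol/port matchers."""
    ports = " ".join(f"{k}={props[k]}" for k in ("protocol", "dst-port", "port") if k in props)
    return props.get("comment") or ports or "(no match keys)"


def audit(text):
    """Run all checks over an export and return findings sorted by line number."""
    rules, findings = parse_rules(text)
    closed = set()  # chains already ended by an unconditional terminal rule
    for r in rules:
        p = r.props
        if p.get("disabled") == "yes":
            continue
        chain, action = p.get("chain"), p.get("action")
        if chain in closed:
            findings.append(Finding(r.lineno, "unreachable",
                                    f"{chain} chain already ends unconditionally: {describe(p)}"))
            continue
        if chain == "input" and action == "accept" and not (p.keys() & SOURCE_KEYS):
            findings.append(Finding(r.lineno, "open-service",
                                    f"accepts from any source: {describe(p)}"))
        if action in TERMINAL_ACTIONS and not (set(p) - NON_MATCH_KEYS):
            closed.add(chain)
    return sorted(findings, key=lambda f: f.lineno)


if __name__ == "__main__":
    for f in audit(SAMPLE_RULES):
        print(f"line {f.lineno}: [{f.kind}] {f.detail}")
```

Run against a real `/ip firewall filter export` the same way; the open-service check is deliberately strict, so an accept for established,related passes (it is restricted by connection-state) while the thread's ICMP, DNS and SSH accepts are all reported.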
