Page 1 of 1

Firewall rules

Posted: Fri Feb 22, 2019 6:09 pm
by yourboss
I am very new to networking, please help me to setup my home router. I use following firewall rules.
/ip firewall filter
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=fasttrack-connection chain=forward comment="Fasstrack DNS TCP" \
    dst-port=53 protocol=tcp
add action=fasttrack-connection chain=forward comment="Fasttrack DNS UPD" \
    dst-port=53 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=add-src-to-address-list address-list=Syn_Flooder \
    address-list-timeout=30m chain=input comment=\
    "Add Syn Flood IP to the list" connection-limit=30,32 protocol=tcp \
    tcp-flags=syn
add action=drop chain=input comment="Drop to syn flood list" \
    src-address-list=Syn_Flooder
add action=add-src-to-address-list address-list=Port_Scanner \
    address-list-timeout=1w chain=input comment="Port Scanner Detect" \
    protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="Drop to port scan list" \
    src-address-list=Port_Scanner
add action=jump chain=input comment="Jump for icmp input flow" jump-target=\
    ICMP protocol=icmp
add action=drop chain=input comment="Block all access to the winbox - except t\
    o support list # DO NOT ENABLE THIS RULE BEFORE ADD YOUR SUBNET IN THE SUP\
    PORT ADDRESS LIST" dst-port=8291 protocol=tcp src-address-list=!support
add action=jump chain=forward comment="Jump for icmp forward flow" \
    jump-target=ICMP protocol=icmp
add action=drop chain=forward comment="Drop to bogon list" dst-address-list=\
    bogons
add action=add-src-to-address-list address-list=spammers \
    address-list-timeout=3h chain=forward comment=\
    "Add Spammers to the list for 3 hours" connection-limit=30,32 dst-port=\
    25,587 limit=30/1m,0:packet protocol=tcp
add action=drop chain=forward comment="Avoid spammers action" dst-port=25,587 \
    protocol=tcp src-address-list=spammers
add action=accept chain=input comment="Accept DNS - UDP" port=53 protocol=udp
add action=accept chain=input comment="Accept DNS - TCP" port=53 protocol=tcp
add action=accept chain=input comment="Accept to established connections" \
    connection-state=established
add action=accept chain=input comment="Accept to related connections" \
    connection-state=related
add action=accept chain=input comment="Full access to SUPPORT address list" \
    src-address-list=support
add action=drop chain=input comment="Drop anything else! # DO NOT ENABLE THIS \
    RULE BEFORE YOU MAKE SURE ABOUT ALL ACCEPT RULES YOU NEED"
add action=accept chain=ICMP comment="Echo request - Avoiding Ping Flood" \
    icmp-options=8:0 limit=1,5:packet protocol=icmp
add action=accept chain=ICMP comment="Echo reply" icmp-options=0:0 protocol=\
    icmp
add action=accept chain=ICMP comment="Time Exceeded" icmp-options=11:0 \
    protocol=icmp
add action=accept chain=ICMP comment="Destination unreachable" icmp-options=\
    3:0-1 protocol=icmp
add action=accept chain=ICMP comment=PMTUD icmp-options=3:4 protocol=icmp
add action=drop chain=ICMP comment="Drop to the other ICMPs" protocol=icmp
add action=jump chain=output comment="Jump for icmp output" jump-target=ICMP \
    protocol=icmp

Re: Firewall rules

Posted: Fri Feb 22, 2019 8:26 pm
by 2frogs
If you are new to networking, you should not change the default firewall rule. The default firewall are sufficient for home users.

Re: Firewall rules

Posted: Fri Feb 22, 2019 9:18 pm
by anav
Do you know which rules you have that are not part of the default?
Do you know what each rule does to the packets?
I second 2 frogs point (couldnt resist the pun) that until you are comfortable with how MT config works,
there is not point copying rules from all over the place to stick in the router.

Re: Firewall rules

Posted: Fri Feb 22, 2019 10:46 pm
by yourboss
I bought this router because I want to learn more about networking and about RouteOS. But there is a lot of information and I try to digest slowly.
I've rebuilt the firewall rules, please tell me if they are better:
/ip firewall filter
add action=fasttrack-connection chain=forward comment="Fasstrack DNS TCP" \
    dst-port=53 protocol=tcp
add action=fasttrack-connection chain=forward comment="Fasttrack DNS UPD" \
    dst-port=53 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN

Re: Firewall rules

Posted: Fri Feb 22, 2019 11:23 pm
by 2frogs
You can delete these, DNS alone is a nominal traffic;
/ip firewall filter
add action=fasttrack-connection chain=forward comment="Fasstrack DNS TCP" \
    dst-port=53 protocol=tcp
add action=fasttrack-connection chain=forward comment="Fasttrack DNS UPD" \
    dst-port=53 protocol=udp
And add this if your CPU can not handle your Bandwidth;
/ip firewall filter add chain=forward action=fasttrack-connection connection-state=established,related


This will get you started on learning about the firewall.
https://wiki.mikrotik.com/wiki/Manual:I ... all/Filter
The examples at the bottom of the Wiki are geared more toward ISP's/Data Centers.