Community discussions

MikroTik App
 
Fuggernaught
just joined
Topic Author
Posts: 1
Joined: Mon Nov 09, 2020 3:39 am

Ports not stealthed

Mon Nov 09, 2020 4:06 am

Hello everyone,

I know these kind of topics pop up a lot from my research, but I would really appreciate a bit of help from a kind soul.

I've just gotten a MikroTik router to go behind a Virgin Media modem and after setting it up I looked around for ways to make the router a bit more secure. I found several sources including the MikroTik wiki, with several suggested additional rules. After disabling services and adding some rules I did some port scans and found several were unstealthed (135, 137-139, 445), it responded to pings, TCP requests, etc, and am now somewhat concerned that I've messed up the firewall somehow.

I'm doing my best to learn and I'm not looking for lots of handholding, but could someone have a quick scan of my rules and let me know if I've made myself vulnerable while I do my research? I'm good with computers but very new at this level of networking and honestly underestimated just how deep the rabbit hole went, and I'm kinda worried I've opened myself to exploitation.

Thanks in advance.

Rules as follows:

/ip firewall address-list
add address=192.168.88.2-192.168.88.254 list=allowed_to_router
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=not_in_internet

/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN

add action=accept chain=input comment="default configuration" connection-state=established,related disabled=yes
add action=accept chain=input src-address-list=allowed_to_router
add action=accept chain=input disabled=yes protocol=icmp
add action=drop chain=input
add action=accept chain=forward comment="Established, Related" connection-state=established,related disabled=yes
add action=drop chain=forward comment="Drop invalid" connection-state=invalid disabled=yes log=yes log-prefix=invalid
add action=drop chain=forward comment="Drop incoming packets that are not NATted" connection-nat-state=!dstnat connection-state=new in-interface=ether1 log=yes log-prefix=!NAT
add action=drop chain=forward comment="Drop incoming from internet which is not public IP" in-interface=ether1 log=yes log-prefix=!public src-address-list=not_in_internet

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN

Who is online

Users browsing this forum: darshansebastian and 84 guests