cifzo
just joined
Topic Author
Posts: 15
Joined: Mon Feb 18, 2019 10:35 pm

Should LAN firewall be more specific?

Fri Nov 20, 2020 4:55 pm

I noticed most of the default firewall rules allow LAN clients full access to the router. I understand that the router only has a handful of ports open (in my case 53/tcp, 53/udp, 67/udp, 68/udp, 123/udp and Winbox). For more restrictive VLANs (used for guest access or IoT devices), is there any added security provided by specifically allowing only these ports in the firewall rules?
 
CZFan
Forum Guru
Posts: 1882
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Randburg

Re: Should LAN firewall be more specific?

Fri Nov 20, 2020 5:06 pm

Firewall rules are very much a "personal" thing and are yours to configure as you see fit for your environment.

Typically, one trusts the hosts in your LAN as they are under your administrative control, so allow full access out and related back in, but the hosts on the Internet (Evil) not so much.
MTCNA, MTCTCE, MTCRE & MTCINE
 
cifzo
just joined
Topic Author
Posts: 15
Joined: Mon Feb 18, 2019 10:35 pm

Re: Should LAN firewall be more specific?

Fri Nov 20, 2020 5:35 pm

Thanks. Yes, definitely the full access out and related back in. I'm wondering more about the input chain. So if the router has ports A, B and C open, is there a benefit to having the firewall restrict to just A, B and C as well?
 
Sob
Forum Guru
Posts: 6260
Joined: Mon Apr 20, 2009 9:11 pm

Re: Should LAN firewall be more specific?  [SOLVED]

Fri Nov 20, 2020 5:39 pm

The default firewall has one LAN and you usually trust connected devices, so everything is allowed. But it makes sense to make other things more restricted. For example, guests are not necessarily trusted, so they can get just port 53 for DNS and that's enough (DHCP uses raw sockets, so it doesn't need to be allowed in the IP firewall).

I prefer to allow a few needed things and block everything else. It won't make any difference if nothing is listening on other ports. But if it does and you miss it, it won't be accidentally open without you knowing about it.
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply. Not intended as incentive for masochists.
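The restrictive input chain Sob describes, written out as RouterOS CLI commands. This is an added example, not configuration posted by anyone in the thread; the interface list name `guest` and the VLAN interface name `vlan-guest` are assumptions, and the only service deliberately exposed to guests is DNS on port 53 (DHCP needs no rule, as noted above).

```routeros
# Added example: restrict what a guest VLAN may reach on the router itself.
# Assumed names: interface list "guest", VLAN interface "vlan-guest".

/interface list
add name=guest comment="untrusted client networks (guest/IoT)"

/interface list member
add list=guest interface=vlan-guest

/ip firewall filter
# Replies to connections the router itself started, or that an earlier
# rule already accepted, keep flowing without a per-port rule.
add chain=input action=accept connection-state=established,related \
    comment="accept established/related"

# The only service guests need from the router: DNS over UDP and TCP.
add chain=input action=accept in-interface-list=guest protocol=udp \
    dst-port=53 comment="guest: DNS"
add chain=input action=accept in-interface-list=guest protocol=tcp \
    dst-port=53 comment="guest: DNS over TCP (large answers)"

# Everything else from the guest list is dropped, so a service that is
# later enabled by mistake (or a port you forgot about) is not reachable
# from untrusted clients. DHCP still works: it uses raw sockets and is
# not affected by this rule.
add chain=input action=drop in-interface-list=guest \
    comment="guest: drop everything else to the router"
```

Two things to verify after adding this. First, rule order matters: if the guest VLAN is also a member of the default `LAN` interface list, the default "accept from LAN" style rule will match first, so either keep `vlan-guest` out of the `LAN` list or use `place-before=` when adding the guest rules so they sit above it; `/ip firewall filter print` shows the resulting order. Second, compare what the router is actually listening on (`/ip service print`, plus any DNS, NTP or other server you have enabled) with the accept rules, so that the drop rule is the deliberate backstop Sob describes rather than a surprise for a service guests were meant to use.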
 
cifzo
just joined
Topic Author
Posts: 15
Joined: Mon Feb 18, 2019 10:35 pm

Re: Should LAN firewall be more specific?

Fri Nov 20, 2020 5:46 pm

Thanks!
