I have a question regarding safety and best practices for firewall setup.
According to the documentation here: https://help.mikrotik.com/docs/display/ ... t+Firewall
There are some rules that drop packets in the forward chain, snippet from the example:
/ip firewall filter
# Typical allow stuff
add action=fasttrack-connection chain=forward comment=FastTrack connection-state=established,related
add action=accept chain=forward comment="Established, Related" connection-state=established,related
add action=drop chain=forward comment="Drop invalid" connection-state=invalid log=yes log-prefix=invalid
# Extra stuff should go here
# ...
# Rules that drop packets
add action=drop chain=forward comment="Drop tries to reach not public addresses from LAN" dst-address-list=not_in_internet in-interface=bridge1 log=yes log-prefix=!public_from_LAN out-interface=!bridge1
add action=drop chain=forward comment="Drop incoming packets that are not NAT`ted" connection-nat-state=!dstnat connection-state=new in-interface=ether1 log=yes log-prefix=!NAT
add action=drop chain=forward comment="Drop incoming from internet which is not public IP" in-interface=ether1 log=yes log-prefix=!public src-address-list=not_in_internet
add action=drop chain=forward comment="Drop packets from LAN that do not have LAN IP" in-interface=bridge1 log=yes log-prefix=LAN_!LAN src-address=!192.168.88.0/24
I have gone for an `allow some rules and drop everything else` approach in my firewall:
/ip firewall filter
# Typical allow stuff
# No fasttrack rule as I am using queues for QoS
add chain=forward action=accept connection-state=established,related comment="Allow established and related"
add chain=forward action=drop connection-state=invalid
add chain=forward action=accept connection-state=new in-interface-list=ALLOWED_WAN out-interface-list=WAN comment="ALLOWED_WAN can access Internet Access"
# Inter vlan allow rules
add chain=forward action=accept connection-state=new in-interface-list=HOME_VLAN_LIST out-interface=PI_VLAN comment="HOME_VLANs can access PI_VLAN"
# Drop everything else
add chain=forward action=drop comment="Drop"
It seems more logical to me to allow certain stuff and to deny everything else.
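To see where the two approaches actually differ, here is an added example (not code from the post or from the MikroTik documentation) that evaluates both forward chains first-match against a few constructed packets; the address list and interface lists are stand-ins assumed to match the names used above (LAN = bridge1, WAN = ether1). It shows, for instance, that a LAN host opening a connection to a private destination out of the WAN port is dropped by the documentation's not_in_internet rule but accepted by the allow-list, while a dst-nat'ed port forward is accepted by the documentation's chain and dropped by the allow-list unless an extra allow rule is added.

```python
import ipaddress

# Constructed stand-ins for the address and interface lists the rules name (not from the post).
ADDR_LISTS = {"not_in_internet": [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]}
IFACE_LISTS = {"WAN": {"ether1"}, "ALLOWED_WAN": {"bridge1"}, "HOME_VLAN_LIST": {"bridge1"}}

def _match(key, want, pkt):
    """Evaluate one RouterOS matcher against one packet, honouring the '!' negation prefix."""
    neg = want.startswith("!")
    want = want.lstrip("!")
    field = key[:-5] if key.endswith("-list") else key  # e.g. in-interface-list -> in-interface
    if key.endswith("-address-list"):
        hit = any(ipaddress.ip_address(pkt[field]) in net for net in ADDR_LISTS[want])
    elif key.endswith("-address"):
        hit = ipaddress.ip_address(pkt[field]) in ipaddress.ip_network(want)
    elif key.endswith("-interface-list"):
        hit = pkt[field] in IFACE_LISTS[want]
    else:  # in-interface, out-interface, connection-state, connection-nat-state
        hit = pkt[field] in want.split(",")
    return hit != neg

def forward_chain(rules, pkt):
    """First matching rule decides; RouterOS accepts a packet that no rule matched."""
    for rule in rules:
        if all(_match(k, v, pkt) for k, v in rule.items() if k != "action"):
            return rule["action"]
    return "accept"

# The drop rules from the documentation snippet (fasttrack and logging omitted, they do not change the verdict).
DOCS_RULES = [
    {"action": "accept", "connection-state": "established,related"},
    {"action": "drop", "connection-state": "invalid"},
    {"action": "drop", "dst-address-list": "not_in_internet", "in-interface": "bridge1", "out-interface": "!bridge1"},
    {"action": "drop", "connection-nat-state": "!dstnat", "connection-state": "new", "in-interface": "ether1"},
    {"action": "drop", "in-interface": "ether1", "src-address-list": "not_in_internet"},
    {"action": "drop", "in-interface": "bridge1", "src-address": "!192.168.88.0/24"},
]
# The allow-list chain from the post, with its final catch-all drop.
POST_RULES = [
    {"action": "accept", "connection-state": "established,related"},
    {"action": "drop", "connection-state": "invalid"},
    {"action": "accept", "connection-state": "new", "in-interface-list": "ALLOWED_WAN", "out-interface-list": "WAN"},
    {"action": "accept", "connection-state": "new", "in-interface-list": "HOME_VLAN_LIST", "out-interface": "PI_VLAN"},
    {"action": "drop"},
]

def packet(src, dst, in_if, out_if, state="new", nat="none"):
    return {"src-address": src, "dst-address": dst, "in-interface": in_if, "out-interface": out_if,
            "connection-state": state, "connection-nat-state": nat}
```

Run `forward_chain(DOCS_RULES, p)` and `forward_chain(POST_RULES, p)` on the same packet to compare verdicts; a LAN source outside 192.168.88.0/24 is another case the documentation's rules drop and the allow-list lets through.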