lnulzer
just joined
Topic Author
Posts: 5
Joined: Wed Oct 14, 2020 9:38 am

Firewall drop everything rule vs rules for not nat and internet

Thu May 13, 2021 10:43 am

Hi,

I have a question regarding safety and best practices for firewall setup.

According to the documentation here: https://help.mikrotik.com/docs/display/ ... t+Firewall
There are some rules that drop packets in the forward chain, snippet from the example:
/ip firewall filter
# Typical allow stuff
add action=fasttrack-connection chain=forward comment=FastTrack connection-state=established,related
add action=accept chain=forward comment="Established, Related" connection-state=established,related
add action=drop chain=forward comment="Drop invalid" connection-state=invalid log=yes log-prefix=invalid
# Extra stuff should go here
# ...
# Rules that drop packets
add action=drop chain=forward comment="Drop tries to reach not public addresses from LAN" dst-address-list=not_in_internet in-interface=bridge1 log=yes log-prefix=!public_from_LAN out-interface=!bridge1
add action=drop chain=forward comment="Drop incoming packets that are not NAT`ted" connection-nat-state=!dstnat connection-state=new in-interface=ether1 log=yes log-prefix=!NAT
add action=drop chain=forward comment="Drop incoming from internet which is not public IP" in-interface=ether1 log=yes log-prefix=!public src-address-list=not_in_internet
add action=drop chain=forward comment="Drop packets from LAN that do not have LAN IP" in-interface=bridge1 log=yes log-prefix=LAN_!LAN src-address=!192.168.88.0/24
I understand that these are needed as the example has no `drop everything else rule` at the bottom of the Forward chain.

I have gone for an `allow some rules and drop everything else` approach in my firewall:
/ip firewall filter
# Typical allow stuff
# No fasttrack rule as I am using queues for QoS
add chain=forward action=accept connection-state=established,related comment="Allow established and related"
add chain=forward action=drop connection-state=invalid
add chain=forward action=accept connection-state=new in-interface-list=ALLOWED_WAN out-interface-list=WAN comment="ALLOWED_WAN can access Internet Access"
# Inter vlan allow rules
add chain=forward action=accept connection-state=new in-interface-list=HOME_VLAN_LIST out-interface=PI_VLAN comment="HOME_VLANs can access PI_VLAN"
# Drop everything else
add chain=forward action=drop comment="Drop"
Are the rules from the documentation safer?
It seems more logical to me to allow certain stuff and to deny everything else.
 
sid5632
Long time Member
Posts: 552
Joined: Fri Feb 17, 2017 6:05 pm

Re: Firewall drop everything rule vs rules for not nat and internet

Thu May 13, 2021 11:51 am

What you have is just as safe...
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: Firewall drop everything rule vs rules for not nat and internet  [SOLVED]

Thu May 13, 2021 2:39 pm

@lnulzer: what you have is inherently more safe. The code in the first block (as you write, it's from some MT documentation) uses multiple drop rules, and when using such rules it's only too easy to forget to drop something, and an omission to drop something is very hard to notice ... until after it's too late. If you drop too much, you (or your users) will notice that pretty fast, and you can fix that by adding a fairly specific allow rule above the final "drop all" rule.

The default firewall setup uses a similar "drop new packets ingressing through one of the WAN interfaces not being dst-nated" approach, and the only benefit of using a combined "drop all except" rule is that it reduces the total number of rules, which in turn helps with performance. However, strategic rule order has a much better effect on firewall processing efficiency. Using a few more, but more explicit, rules helps with readability though.
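To make the point about forgotten drop rules concrete, here is an added example (not from the thread and not MikroTik's code) that models both forward chains posted above as first-match rule lists in Python and runs constructed packets through them. The not_in_internet subset, the interface-list memberships, and the later-added vlan-guest interface are assumptions; logging and fasttrack are not modelled.

```python
import ipaddress
from dataclasses import dataclass

# Constructed stand-ins for the router's address lists and interface lists.
NOT_IN_INTERNET = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LAN_NET = ipaddress.ip_network("192.168.88.0/24")
IFLIST = {"WAN": {"ether1"}, "ALLOWED_WAN": {"bridge1"}, "HOME_VLAN_LIST": {"bridge1"}}

@dataclass
class Pkt:
    in_if: str
    out_if: str
    src: str
    dst: str
    state: str = "new"     # new / established / related / invalid
    dstnat: bool = False   # connection-nat-state=dstnat

def in_list(addr, nets):
    return any(ipaddress.ip_address(addr) in n for n in nets)

def verdict(chain, p):
    # First matching rule wins; a packet that falls off the end of a RouterOS chain is accepted.
    for action, match in chain:
        if match(p):
            return action
    return "accept"

# Style A: the documentation snippet, explicit drop rules and no final drop.
DOC_CHAIN = [
    ("accept", lambda p: p.state in ("established", "related")),
    ("drop",   lambda p: p.state == "invalid"),
    ("drop",   lambda p: p.in_if == "bridge1" and p.out_if != "bridge1" and in_list(p.dst, NOT_IN_INTERNET)),
    ("drop",   lambda p: p.in_if == "ether1" and p.state == "new" and not p.dstnat),
    ("drop",   lambda p: p.in_if == "ether1" and in_list(p.src, NOT_IN_INTERNET)),
    ("drop",   lambda p: p.in_if == "bridge1" and ipaddress.ip_address(p.src) not in LAN_NET),
]

# Style B: lnulzer's chain, explicit accepts and a final drop-everything rule.
ALLOW_DROP_CHAIN = [
    ("accept", lambda p: p.state in ("established", "related")),
    ("drop",   lambda p: p.state == "invalid"),
    ("accept", lambda p: p.state == "new" and p.in_if in IFLIST["ALLOWED_WAN"] and p.out_if in IFLIST["WAN"]),
    ("accept", lambda p: p.state == "new" and p.in_if in IFLIST["HOME_VLAN_LIST"] and p.out_if == "PI_VLAN"),
    ("drop",   lambda p: True),
]

# Constructed packets: LAN client going out, unsolicited WAN packet, and a VLAN added later that no explicit drop names.
LAN_OUT = Pkt("bridge1", "ether1", "192.168.88.10", "203.0.113.5")
WAN_IN = Pkt("ether1", "bridge1", "198.51.100.7", "192.168.88.10")
NEW_VLAN = Pkt("vlan-guest", "ether1", "10.99.0.5", "203.0.113.5")
```

The first two packets get the same verdict from both chains; the packet from vlan-guest is forwarded by the documentation-style chain (no rule names that interface) and dropped by the allow-then-drop chain, which is the difference mkx describes.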
