edmidor
Member Candidate
Topic Author
Posts: 126
Joined: Fri Mar 05, 2010 12:06 am
Location: Canada

Minimizing the firewall

Mon Mar 22, 2010 4:10 pm

I built a firewall of some 90 rules (ip firewall filter) based on wiki examples.
To debug my firewall issues (no PPTP, etc.) I would like to disable as many rules as I can, and once inbound connectivity is back, re-enable them one by one. The process can take a few days.

The question is: what is the minimal set of rules I MUST leave in place at any time to prevent the bad guys from doing what they usually do?
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: Minimizing the firewall

Mon Mar 22, 2010 4:40 pm

That depends on what assets you're protecting behind the router. For the router itself, for the short term it's probably sufficient to just make an address-list with administrative networks, and to drop everything in the input chain not sourced from those networks.
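The "administrative address list plus drop everything else on input" approach fewi describes, written out as an added example (not code from the thread). The addresses 192.0.2.0/24 and 198.51.100.10 are placeholders from the RFC 5737 documentation ranges, and the interface and chain names are RouterOS defaults; substitute your own management networks before applying it:

```routeros
# Added example: minimal 'input' chain protecting the router itself.
# 192.0.2.0/24 and 198.51.100.10 are placeholder management addresses.
/ip firewall address-list
add list=admin address=192.0.2.0/24 comment="office management LAN (placeholder)"
add list=admin address=198.51.100.10 comment="remote admin host (placeholder)"

/ip firewall filter
# Replies to sessions the router itself started (DNS, NTP, package updates)
# must be accepted before the final drop, or those services break.
add chain=input connection-state=established,related action=accept \
    comment="router's own return traffic"
# Packets connection tracking cannot classify are never wanted.
add chain=input connection-state=invalid action=drop comment="invalid"
# Management (Winbox, SSH, API, web) only from the administrative list.
add chain=input src-address-list=admin action=accept \
    comment="admin networks -> router"
# Everything else addressed to the router itself is dropped.
add chain=input action=drop comment="default deny on input"
```

Rule order matters: the accept rules must sit above the final drop, and the address list must contain the network you are currently connected from before the drop rule is added. Applying the change from a terminal session in safe mode (Ctrl-X) means a mistake that cuts you off is rolled back when the session drops. If LAN hosts use the router for DNS or DHCP, either add the LAN network to the list or insert an explicit accept for those services above the drop.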
 
edmidor
Member Candidate
Topic Author
Posts: 126
Joined: Fri Mar 05, 2010 12:06 am
Location: Canada

Re: Minimizing the firewall

Mon Mar 22, 2010 6:08 pm

The problems I'm trying to weed out are with inbound connections from outside, so the purpose is exactly the opposite: open as much outside access as is still relatively safe, make everything work, and then add limiting rules one by one over a period of a week or so.

Behind the router is merely a SOHO LAN, nothing particularly interesting for high-profile attackers.
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: Minimizing the firewall

Mon Mar 22, 2010 6:28 pm

Since the 'input' chain only contains packets destined for the router itself, if you don't drop anything in the 'forward' chain all traffic going through the router from outside to inside would be permitted.
 
edmidor
Member Candidate
Topic Author
Posts: 126
Joined: Fri Mar 05, 2010 12:06 am
Location: Canada

Re: Minimizing the firewall

Mon Mar 22, 2010 7:58 pm

Sure, but the router is facing the wild internet.
This is why I'm asking what would be the very minimal set of forward chain rules to keep it secure at least from the most obvious threats. There must be something; I can't just accept all, essentially exposing my LAN.
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: Minimizing the firewall

Mon Mar 22, 2010 8:15 pm

If they're Windows hosts, drop all NetBIOS related traffic (tcp/udp 135-149 and 445). Possibly drop ICMP to prevent reconnaissance, drop all remote control protocols in use on the LAN (RDP, VNC, SSH).
 
roadracer96
Forum Veteran
Posts: 733
Joined: Tue Aug 25, 2009 12:01 am

Re: Minimizing the firewall

Tue Mar 23, 2010 2:49 am

> The question is: what is the minimal set of rules I MUST leave in place at any time to prevent the bad guys from doing what they usually do?

/ip firewall filter add chain=input action=drop
/ip firewall filter add chain=forward action=drop

:D

Rule of thumb. Deny everything, accept only what you need.
> open as much outside access as is still relatively safe, make everything work, and then add limiting rules one by one over a period of a week or so.
That is backwards. Start as restrictive as possible, then allow what you need. The biggest threat to a network typically comes from inside anyways, not outside.
 
mahnet
Long time Member
Posts: 654
Joined: Tue Jul 07, 2009 9:11 pm

Re: Minimizing the firewall

Tue Mar 23, 2010 4:03 am

I have a long set of rules dropping almost 500 ports for TCP and UDP,
then some rules dropping bogons.
These rules seem to have helped, but I want to arrange them properly as well and make the set of rules short.
I don't know how to do it :(
 
changeip
Forum Guru
Posts: 3830
Joined: Fri May 28, 2004 5:22 pm

Re: Minimizing the firewall

Tue Mar 23, 2010 5:24 am

Again, don't drop a bunch of stuff and accept everything else... Accept what you need, then drop everything else. It's much more efficient and easier to understand that way.
 
edmidor
Member Candidate
Topic Author
Posts: 126
Joined: Fri Mar 05, 2010 12:06 am
Location: Canada

Re: Minimizing the firewall

Tue Mar 23, 2010 5:52 am

Right, unless something doesn't come through and you have no idea why it got dropped. Then, to debug it, the reverse approach is applied, isn't it?
 
roadracer96
Forum Veteran
Posts: 733
Joined: Tue Aug 25, 2009 12:01 am

Re: Minimizing the firewall

Tue Mar 23, 2010 6:50 am

/ip firewall filter add action=log chain=drop comment="" disabled=no log-prefix="THIS WAS DROPPED!"
/ip firewall filter add action=drop chain=drop comment="" disabled=no
/ip firewall filter add action=drop chain=silentdrop comment="" disabled=no

Then, instead of action=drop, use action=jump jump-target=drop if you want to log it, or jump-target=silentdrop if you want to silently discard the packet.

Then it logs/drops the packet, so you can see what is being dropped. If you aren't logging it, good luck getting anything to work the way you want.

Seriously, do it the way we are telling you. It will be a much simpler and more robust firewall if you do. All my internet and intranet servers are blocked off from the net completely except for what I explicitly allow, incoming and outgoing. A DNS server has no reason to send traffic out with dport 80, 443, 25, etc. Use the web proxy to allow the HTTP sites needed for system updates, etc., and filter by hostname that way. Lock it down. Take advantage of connection tracking: accept established/related by default, then new connections on service ports.
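A default-deny forward chain assembled the way roadracer96 describes (established/related first, then explicit new-connection accepts, then a logged drop), as an added example that is not code from the thread. It repeats the drop and silentdrop chains from the post above so that the block stands on its own. The interface names ether1 (WAN) and bridge-lan, and the published host 192.168.88.10, are placeholders; the NetBIOS/SMB ports used for the silent-drop rule are the usual 135-139 and 445:

```routeros
# Added example: default-deny 'forward' chain with a logging drop chain.
# ether1, bridge-lan and 192.168.88.10 are placeholders for your setup.
/ip firewall filter
# Terminal chains: one that logs before dropping, one that drops quietly.
add chain=drop action=log log-prefix="THIS WAS DROPPED!"
add chain=drop action=drop
add chain=silentdrop action=drop

# Connection tracking first: replies to permitted sessions need no rules of their own.
add chain=forward connection-state=established,related action=accept \
    comment="return traffic for allowed sessions"
add chain=forward connection-state=invalid action=jump jump-target=silentdrop \
    comment="untrackable packets, not worth logging"

# New sessions from the LAN towards the internet are allowed.
add chain=forward connection-state=new in-interface=bridge-lan \
    out-interface=ether1 action=accept comment="LAN -> internet"

# New inbound sessions only to explicitly published services: here HTTPS to one
# internal host that a dst-nat rule already points at (forward sees the
# translated destination address).
add chain=forward connection-state=new in-interface=ether1 protocol=tcp \
    dst-address=192.168.88.10 dst-port=443 action=accept \
    comment="published web server"

# Windows file-sharing probes from the internet arrive constantly; drop them
# without logging so the log stays readable for real debugging.
add chain=forward in-interface=ether1 protocol=tcp dst-port=135-139,445 \
    action=jump jump-target=silentdrop comment="NetBIOS/SMB noise"
add chain=forward in-interface=ether1 protocol=udp dst-port=135-139,445 \
    action=jump jump-target=silentdrop comment="NetBIOS/SMB noise"

# Everything else is logged and then dropped. When something does not work,
# its packets show up here with the THIS WAS DROPPED! prefix.
add chain=forward action=jump jump-target=drop comment="default deny, logged"
```

With this layout, debugging the original problem (inbound PPTP, for example) is a matter of watching /log print for entries with the THIS WAS DROPPED! prefix and adding one accept rule above the final jump for exactly the protocol and port that appears, rather than disabling rules wholesale. The silent-drop rules should stay above the logged default so that background scanning noise does not bury the entries you are looking for.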
