frogman99
just joined
Topic Author
Posts: 2
Joined: Fri Mar 09, 2012 10:36 am

having trouble setting up a 750G as home firewall

Fri Mar 09, 2012 10:50 am

hey, I'm trying to set up a 750G as a home firewall. I have the ISP cable modem-->750G--->PC

is there an FAQ that explains how to do this? I looked through the wiki but am not having any luck

------

there are no firewall rules defined yet. I have the cable modem feeding port 1 & the PC is on port 2

I can't get any connectivity; isn't this supposed to work as a switch until you define some rules?

both connections show up when I use winbox to get into the 750G & poke around

on the 750G, the DHCP client isn't picking anything up from the ISP

when I try manually setting the DNS from the wiki, none of the commands seem to work in the terminal; it's like the syntax is wrong or something

i.e. I tried setting the DNS & the command just syntax-errors out on the word "primary"

/ip dns
set primary-dns=yyy.yyy.yyy.yyy secondary-dns=0.0.0.0 allow-remote-requests=yes cache-size=4096KiB cache-max-ttl=1w

from

http://wiki.mikrotik.com/wiki/NetworkPro_on_firewalling



thx for any help
 
tinka
Frequent Visitor
Posts: 54
Joined: Wed Dec 02, 2009 5:48 pm

Re: having trouble setting up a 750G as home firewall

Fri Mar 09, 2012 11:35 am

I found the following

http://wiki.mikrotik.com/wiki/A_script_ ... ou_started

very useful. If you go through the script you can also see what steps are needed.
 
frogman99
just joined
Topic Author
Posts: 2
Joined: Fri Mar 09, 2012 10:36 am

Re: having trouble setting up a 750G as home firewall

Fri Mar 09, 2012 6:19 pm

that's great, thanks; just reading through the script explains a lot

it was previously set up for someone else using DSL; I suspect I'll have to clear everything & start from scratch

I also found that guy's website with video tutorials (Dave?), will go through them as well

cheers
 
tjc
Member Candidate
Posts: 276
Joined: Sun Jul 10, 2011 3:08 am

Re: having trouble setting up a 750G as home firewall

Sat Mar 10, 2012 7:01 am

This one is worthwhile for getting started; it talks about a really old version of RouterOS but is otherwise pretty up to date:
http://wiki.mikrotik.com/wiki/Securing_ ... rOs_Router

For a deep dive the one that fewi did is good:
http://wiki.mikrotik.com/wiki/How_to_co ... ome_router
 
Pilgrim
Member Candidate
Posts: 265
Joined: Sun Mar 30, 2008 1:04 pm

Re: having trouble setting up a 750G as home firewall

Sat Mar 10, 2012 1:16 pm

I have used this as a basic firewall. Just change the LAN addresses to whatever fits your LAN, copy & paste into a new terminal window, and you have a basic firewall.


/ip firewall filter
add action=drop chain=forward comment="Drop invalid connections" connection-state=invalid disabled=no
add action=accept chain=forward comment="Accept established" connection-state=established disabled=no
add action=accept chain=forward comment="Accept related" connection-state=related disabled=no
add action=accept chain=forward comment="Accept new connections from LAN" connection-state=new disabled=no src-address=192.168.0.0/24
add action=log chain=forward comment="Log new connections from outside to LAN" disabled=no dst-address=192.168.0.0/24 log-prefix=UNWANTED src-address=\
!192.168.0.0/24
add action=drop chain=forward comment="Drop new connections from outside to LAN" disabled=no dst-address=192.168.0.0/24 src-address=!192.168.0.0/24
add action=accept chain=input comment="SSH to router from LAN" disabled=no dst-port=22 protocol=tcp src-address=192.168.0.0/24
add action=log chain=input comment="Log SSH from anywhere else" disabled=no dst-port=22 log-prefix="" protocol=tcp
add action=drop chain=input comment="Drop SSH from anywhere else" disabled=no dst-port=22 protocol=tcp
 
Pilgrim
Member Candidate
Posts: 265
Joined: Sun Mar 30, 2008 1:04 pm

Re: having trouble setting up a 750G as home firewall

Sat Mar 10, 2012 1:25 pm

this is my current firewall, excluding port forwards but including blocking port scanners. I did not write the script for the port scanners; I took it from one of the examples on the wiki, but we tested it and it works really well.


/ip firewall filter
add action=log chain=forward comment="" connection-state=invalid disabled=yes log-prefix=""
add action=drop chain=input comment="Drop invalid connections" connection-state=invalid disabled=no
add action=drop chain=forward comment="Drop Invalid connections" connection-state=invalid disabled=no
add action=accept chain=forward comment="Accept New" connection-state=new disabled=no src-address=192.168.0.0/24
add action=accept chain=forward comment="Accept established" connection-state=established disabled=no
add action=accept chain=forward comment="Accept related" connection-state=related disabled=no
add action=accept chain=forward comment=Winbox disabled=no dst-port=20561 protocol=udp
add action=log chain=forward comment="" disabled=yes dst-address=192.168.0.0/24 log-prefix=UNWANTED src-address=!192.168.0.0/24
add action=drop chain=forward comment="" disabled=no dst-address=192.168.0.0/24 src-address=!192.168.0.0/24
add action=accept chain=input comment="" disabled=no dst-port=22 protocol=tcp src-address=192.168.0.0/24
add action=log chain=input comment="" disabled=no dst-port=22 log-prefix="" protocol=tcp
add action=drop chain=input comment="" disabled=no dst-port=22 protocol=tcp
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="Port scanners to list " disabled=no \
protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="NMAP FIN Stealth scan" disabled=no \
protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="SYN/FIN scan" disabled=no protocol=tcp \
tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="SYN/RST scan" disabled=no protocol=tcp \
tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" disabled=no protocol=\
tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="ALL/ALL scan" disabled=no protocol=tcp \
tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="NMAP NULL scan" disabled=no protocol=\
tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=input comment="dropping port scanners" disabled=no src-address-list="port scanners"
add action=accept chain=input comment="Accept established connections" connection-state=established disabled=no
add action=accept chain=input comment="Accept related connections" connection-state=related disabled=no
add action=accept chain=input comment=UDP disabled=no dst-port=53 protocol=udp src-address=192.168.0.0/24
add action=accept chain=input comment=UDP disabled=no dst-port=123,161,5678,9 protocol=udp
add action=accept chain=input comment="Allow limited pings" disabled=no limit=50/5s,2 protocol=icmp
add action=drop chain=input comment="Drop excess pings" disabled=no protocol=icmp
add action=accept chain=input comment=winbox disabled=no dst-port=8291 protocol=tcp
add action=accept chain=input comment="From LAN" disabled=no src-address=192.168.0.0/24
add action=log chain=input comment="Log everything else" disabled=yes log-prefix="DROP INPUT"
add action=add-src-to-address-list address-list="input dropped src addr" address-list-timeout=0s chain=input comment="Log everything else" disabled=\
yes
add action=drop chain=input comment="Drop everything else" disabled=no
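To see what the port-scanner block in the rule set above actually does, here is an added example (my code, not MikroTik's and not from the wiki script Pilgrim pasted). It applies RouterOS tcp-flags semantics to a TCP segment's flag byte using the exact tcp-flags values from the rules, and models the "add-src-to-address-list ... address-list-timeout=2w" rules followed by the "drop ... src-address-list="port scanners"" rule. The psd matcher is not modelled; the hosts, segments and clock are constructed.

```python
"""Added example, not MikroTik's code: how the tcp-flags matchers in the
port-scanner rules above classify a TCP segment, and how
'add-src-to-address-list ... address-list-timeout=2w' followed by
'drop ... src-address-list="port scanners"' turns one hit into a temporary
block of that source. The psd matcher is not modelled. Flag specs are copied
from the rules; hosts, segments and the clock are constructed."""
from datetime import datetime, timedelta

FLAG_BITS = {"fin": 0x01, "syn": 0x02, "rst": 0x04, "psh": 0x08, "ack": 0x10, "urg": 0x20}

# tcp-flags values from the rules above, in the rules' order, keyed by comment
SIGNATURES = {
    "NMAP FIN Stealth scan": "fin,!syn,!rst,!psh,!ack,!urg",
    "SYN/FIN scan": "fin,syn",
    "SYN/RST scan": "syn,rst",
    "FIN/PSH/URG scan": "fin,psh,urg,!syn,!rst,!ack",
    "ALL/ALL scan": "fin,syn,rst,psh,ack,urg",
    "NMAP NULL scan": "!fin,!syn,!rst,!psh,!ack,!urg",
}


def tcp_flags_match(spec, flags):
    """RouterOS tcp-flags semantics: a plain name must be set, a '!' name must
    be clear, a name not listed is ignored."""
    for item in spec.split(","):
        must_be_clear = item.startswith("!")
        is_set = bool(flags & FLAG_BITS[item.lstrip("!")])
        if is_set == must_be_clear:
            return False
    return True


def classify(flags):
    """Every signature rule that would fire for this flag byte. Several can
    fire on one segment, because add-src-to-address-list does not stop the
    walk; the names come back in rule order."""
    return [name for name, spec in SIGNATURES.items() if tcp_flags_match(spec, flags)]


class AddressList:
    """Dynamic address list: each entry expires address-list-timeout after
    its last add (2w in the rules above)."""
    def __init__(self, timeout=timedelta(weeks=2)):
        self.timeout = timeout
        self.expiry = {}          # source address -> expiry instant

    def add(self, src, now):
        self.expiry[src] = now + self.timeout

    def contains(self, src, now):
        if src in self.expiry and now < self.expiry[src]:
            return True
        self.expiry.pop(src, None)   # absent or timed out
        return False


def input_chain(segment, now, scanners):
    """The slice of the input chain above that handles scanners: the signature
    rules (add to list, keep walking) and then the drop-by-list rule. Returns
    the verdict and the signatures that fired."""
    fired = classify(segment["flags"])
    if fired:
        scanners.add(segment["src"], now)
    if scanners.contains(segment["src"], now):
        return "drop", fired
    return "continue", fired          # later rules decide


def demo():
    scanners = AddressList()
    t0 = datetime(2012, 3, 10, 13, 25)       # constructed clock
    syn = FLAG_BITS["syn"]
    events = [                              # (src, flags, time), all constructed
        ("203.0.113.7", 0x00, t0),                         # NULL-flag probe
        ("203.0.113.7", syn, t0 + timedelta(days=1)),      # normal SYN, same host
        ("203.0.113.7", syn, t0 + timedelta(days=15)),     # same host after 2w
        ("198.51.100.9", syn, t0),                         # normal SYN, other host
    ]
    return [input_chain({"src": s, "flags": f}, t, scanners) for s, f, t in events]


if __name__ == "__main__":
    for verdict, fired in demo():
        print(verdict, fired)
```

Two things worth noticing when you run it: a single probe puts the source on the list and every later packet from that host is dropped for two weeks, including ordinary SYNs, which is the intended effect; and a segment with all six flags set matches the "SYN/FIN" and "SYN/RST" rules before it ever reaches "ALL/ALL", which is harmless here only because all of them feed the same list.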
 
perspetolis
Member Candidate
Posts: 101
Joined: Tue Aug 02, 2011 9:08 pm
Location: Tehran

Re: having trouble setting up a 750G as home firewall

Sat Mar 10, 2012 4:15 pm

hi
if you want a useful filter rule set, this may help:
/ip firewall filter
add action=accept chain=forward disabled=no src-address=192.168.0.10
add action=drop chain=forward disabled=no src-address=192.168.0.0/24
add action=drop chain=forward comment="Drop Invalid Connection" \
connection-state=invalid disabled=no protocol=tcp
add action=accept chain=forward comment=\
"Allow Already established Connections" connection-state=established \
disabled=no
add action=accept chain=forward comment="Allow Related Connections" \
connection-state=related disabled=no
add action=drop chain=forward disabled=no src-address=0.0.0.0/8
add action=drop chain=forward disabled=no dst-address=0.0.0.0/8
add action=drop chain=forward disabled=no src-address=127.0.0.0/8
add action=drop chain=forward disabled=no dst-address=127.0.0.0/8
add action=drop chain=forward disabled=no src-address=224.0.0.0/3
add action=drop chain=forward disabled=no dst-address=224.0.0.0/3
add action=jump chain=forward disabled=no jump-target=tcp protocol=tcp
add action=jump chain=forward disabled=no jump-target=udp protocol=udp
add action=jump chain=forward disabled=no jump-target=icmp protocol=icmp
add action=drop chain=tcp comment="deny RPC portmapper" disabled=no dst-port=\
111 protocol=tcp
add action=drop chain=tcp comment="deny RPC portmapper" disabled=no dst-port=\
135 protocol=tcp
add action=drop chain=tcp comment="deny NBT" disabled=no dst-port=137-139 \
protocol=tcp
add action=drop chain=tcp comment="deny cifs" disabled=no dst-port=445 \
protocol=tcp
add action=drop chain=tcp comment="deny NFS" disabled=no dst-port=2049 \
protocol=tcp
add action=drop chain=tcp comment="deny NetBus" disabled=no dst-port=\
12345-12346 protocol=tcp
add action=drop chain=tcp comment="deny NetBus" disabled=no dst-port=20034 \
protocol=tcp
add action=drop chain=tcp comment="deny Back Orifice" disabled=no dst-port=\
3133 protocol=tcp
add action=drop chain=tcp comment="deny DHCP" disabled=no dst-port=67-68 \
protocol=tcp
add action=drop chain=udp comment="deny RPC portmapper" disabled=no dst-port=\
111 protocol=udp
add action=drop chain=udp comment="deny RPC portmapper" disabled=no dst-port=\
135 protocol=udp
add action=drop chain=udp comment="deny NBT" disabled=no dst-port=137-139 \
protocol=udp
add action=drop chain=udp comment="deny NFS" disabled=no dst-port=2049 \
protocol=udp
add action=drop chain=udp comment="deny Back Orifice" disabled=no dst-port=\
3133 protocol=udp
add action=accept chain=icmp comment="echo reply" disabled=no icmp-options=\
0:0 protocol=icmp
add action=accept chain=icmp comment="net unreachable" disabled=no \
icmp-options=3:0 protocol=icmp
add action=accept chain=icmp comment="host unreachable" disabled=no \
icmp-options=3:1 protocol=icmp
add action=accept chain=icmp comment=\
"host unreachable fragmentation required" disabled=no icmp-options=3:4 \
protocol=icmp
add action=accept chain=icmp comment="allow source quench" disabled=no \
icmp-options=4:0 protocol=icmp
add action=accept chain=icmp comment="allow echo request" disabled=no \
icmp-options=8:0 protocol=icmp
add action=accept chain=icmp comment="allow time exceed" disabled=no \
icmp-options=11:0 protocol=icmp
add action=accept chain=icmp disabled=no icmp-options=12:0 protocol=icmp
add action=drop chain=icmp comment="deny all other types" disabled=no
---------------
The first rule gives 192.168.0.10 access to the internet and the second drops every other IP address.
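Both Pilgrim's basic forward/input rules and the jump-to-tcp/udp chains in the post above depend on how RouterOS walks a filter chain: first match wins, "log" records and keeps walking, and "jump" hands the packet to another chain and returns to the rule after the jump if nothing in the target chain decides. The following is an added example (my code, not MikroTik's) that parses "/ip firewall filter" export lines and walks them with those semantics, so you can check offline what a given packet would get. The rule excerpts are copied from the two posts; the final forward drop rule is taken with a negated source ("!192.168.0.0/24"), matching the log rule before it and Pilgrim's later version. Hosts and packets are constructed.

```python
"""Added example, not MikroTik's code: a parser and walker for the
'/ip firewall filter' export lines in this thread, so the two behaviours the
rule sets depend on can be checked offline: first match wins and 'log' does
not terminate (Pilgrim's basic rules), and 'jump' hands the packet to another
chain and returns if nothing there decides (perspetolis's tcp/udp chains).
Rule excerpts are copied from the posts; hosts and packets are constructed."""
import ipaddress
import shlex

BASIC_RULES = """
/ip firewall filter
add action=drop chain=forward comment="" connection-state=invalid disabled=no
add action=accept chain=forward comment="" connection-state=established disabled=no
add action=accept chain=forward comment="" connection-state=related disabled=no
add action=accept chain=forward comment="" connection-state=new disabled=no src-address=192.168.0.0/24
add action=log chain=forward comment="" disabled=no dst-address=192.168.0.0/24 log-prefix=UNWANTED src-address=\\
!192.168.0.0/24
add action=drop chain=forward comment="" disabled=no dst-address=192.168.0.0/24 src-address=!192.168.0.0/24
add action=accept chain=input comment="" disabled=no dst-port=22 protocol=tcp src-address=192.168.0.0/24
add action=log chain=input comment="" disabled=no dst-port=22 log-prefix="" protocol=tcp
add action=drop chain=input comment="" disabled=no dst-port=22 protocol=tcp
"""

JUMP_RULES = """
add action=jump chain=forward disabled=no jump-target=tcp protocol=tcp
add action=jump chain=forward disabled=no jump-target=udp protocol=udp
add action=drop chain=tcp comment="deny NBT" disabled=no dst-port=137-139 \\
protocol=tcp
add action=drop chain=tcp comment="deny cifs" disabled=no dst-port=445 \\
protocol=tcp
add action=drop chain=udp comment="deny NFS" disabled=no dst-port=2049 \\
protocol=udp
"""


def parse_rules(text):
    """Export lines -> list of {key: value}. Backslash continuations are
    joined, disabled rules dropped, the menu path and blank lines skipped."""
    rules, pending = [], ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        pending = ""
        if line.startswith("add "):
            rule = dict(tok.split("=", 1) for tok in shlex.split(line)[1:])
            if rule.get("disabled") != "yes":
                rules.append(rule)
    return rules


def _addr_ok(spec, addr):
    """'!' prefix negates, as in RouterOS address matchers."""
    inside = ipaddress.ip_address(addr) in ipaddress.ip_network(spec.lstrip("!"))
    return inside != spec.startswith("!")


def _port_ok(spec, port):
    """dst-port accepts 'n', 'a-b' and comma lists of either."""
    return any(int(a) <= port <= int(b or a)
               for a, _, b in (p.partition("-") for p in spec.split(",")))


def matches(rule, pkt):
    """True when every matcher present on the rule agrees with the packet."""
    checks = {"connection-state": lambda v: v == pkt["state"],
              "protocol": lambda v: v == pkt["proto"],
              "src-address": lambda v: _addr_ok(v, pkt["src"]),
              "dst-address": lambda v: _addr_ok(v, pkt["dst"]),
              "dst-port": lambda v: _port_ok(v, pkt["dport"])}
    return all(fn(rule[k]) for k, fn in checks.items() if k in rule)


def evaluate(rules, chain, pkt, logged=None):
    """Walk one chain top to bottom. Returns (verdict, log prefixes seen);
    verdict is None when the chain falls through without deciding."""
    logged = [] if logged is None else logged
    for rule in (r for r in rules if r["chain"] == chain and matches(r, pkt)):
        if rule["action"] == "log":
            logged.append(rule.get("log-prefix", ""))      # record, keep walking
        elif rule["action"] == "jump":
            verdict, _ = evaluate(rules, rule["jump-target"], pkt, logged)
            if verdict is not None:                        # target chain decided
                return verdict, logged
        else:                                              # accept / drop
            return rule["action"], logged
    return None, logged


def decide(rules, chain, pkt):
    """Top-level walk; an undecided chain means RouterOS's default: accept."""
    verdict, logged = evaluate(rules, chain, pkt)
    return verdict or "accept", logged


def demo():
    basic, jumps = parse_rules(BASIC_RULES), parse_rules(JUMP_RULES)
    lan, wan, router = "192.168.0.10", "203.0.113.5", "192.168.0.1"  # constructed
    def pkt(src, dst, proto, dport, state="new"):
        return {"src": src, "dst": dst, "proto": proto, "dport": dport, "state": state}
    return {
        "lan_to_wan_new": decide(basic, "forward", pkt(lan, wan, "tcp", 443)),
        "wan_to_lan_new": decide(basic, "forward", pkt(wan, lan, "tcp", 445)),
        "wan_reply": decide(basic, "forward", pkt(wan, lan, "tcp", 51000, "established")),
        "ssh_from_lan": decide(basic, "input", pkt(lan, router, "tcp", 22)),
        "ssh_from_wan": decide(basic, "input", pkt(wan, router, "tcp", 22)),
        "cifs_via_jump": decide(jumps, "forward", pkt(lan, wan, "tcp", 445)),
        "https_via_jump": decide(jumps, "forward", pkt(lan, wan, "tcp", 443)),
        "nfs_udp_via_jump": decide(jumps, "forward", pkt(lan, wan, "udp", 2049)),
    }


if __name__ == "__main__":
    for name, (verdict, logged) in demo().items():
        print(f"{name:18} {verdict:6} logged={logged}")
```

The walker shows why the order of the rules matters: the "accept established" rules let replies to LAN-initiated connections in before the "drop from outside" rule is reached, an inbound SSH attempt from the WAN is logged and then dropped by the next rule, and a LAN connection to port 443 passes through the tcp chain untouched and comes back to the forward chain, where the default accept applies. Only the matchers used in the quoted rules are implemented (connection-state, protocol, src/dst-address, dst-port); anything else on a rule would be ignored, so extend `matches` before feeding it a larger export.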
