emistery
just joined
Topic Author
Posts: 4
Joined: Thu Oct 23, 2014 6:45 pm

Safe firewall Settings

Wed Oct 29, 2014 12:03 pm

Hello,

Since a couple of days ago I have been the proud owner of a MikroTik routerboard, because this was the best option if I wanted to replace my ISP's router. I don't have a huge amount of knowledge about networking, but I know how to configure it. But since I had to reset the router and start with an empty config, I also have an (almost) empty firewall. I only added the rules so that my provider won't complain (KPN in the Netherlands; the worst provider in the world if you want to use your own stuff). So my question is: do you know what the default firewall config is, or can you give me some safe firewall rules?

Thanks in advance!

Sincerely,

Emistery


edit:

This is the current firewall config:
0 chain=input action=accept protocol=icmp in-interface=pppoe log=no log-prefix=""
1 chain=input action=accept connection-state=related log=no log-prefix=""
2 chain=input action=accept connection-state=established log=no log-prefix=""
3 chain=input action=reject reject-with=icmp-port-unreachable protocol=tcp in-interface=pppoe log=no log-prefix=""
4 chain=input action=reject reject-with=icmp-port-unreachable protocol=udp in-interface=pppoe log=no log-prefix=""
 
bingo220
Member Candidate
Posts: 124
Joined: Sun Sep 22, 2013 9:30 pm
Location: Ukraine

Re: Safe firewall Settings

Wed Oct 29, 2014 6:51 pm

Change 192.168.88.0/24 if you are using a different subnet.

ros code

/ip firewall filter
add chain=input connection-state=invalid action=drop comment="Drop input invalid connection packets"
add chain=input connection-state=established action=accept comment="Allow input established connections"
add chain=input connection-state=related action=accept comment="Allow input related connections"
add chain=input src-address=192.168.88.0/24 action=accept comment="Allow all input for local net"
add chain=input action=accept protocol=icmp comment="Allow input Ping"
add chain=input action=drop comment="All other inputs drop"
add chain=forward connection-state=invalid action=drop comment="Drop forward invalid connection packets"
add chain=forward connection-state=established action=accept comment="Allow forward established connections"
add chain=forward connection-state=related action=accept comment="Allow forward related connections"
add chain=forward src-address=192.168.88.0/24 action=accept comment="Allow all forward for local net"
add chain=forward action=accept protocol=icmp comment="Allow forward Ping"
add chain=forward action=drop comment="All other forwards drop"
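
A tightened version of the rule set above, added here as an example; it is not part of bingo220's post nor MikroTik's default configuration. Two things change. First, the "local net" accept rules match on the LAN interface as well as on the source subnet: a rule that matches only `src-address=192.168.88.0/24` also accepts a packet that arrives from the Internet carrying a forged 192.168.88.x source address, while `in-interface=bridge-local src-address=192.168.88.0/24` does not. Second, packets arriving on the WAN interface with a private, loopback or link-local source address are dropped before anything else, and new connections from the WAN are only forwarded where a dst-nat port-forward exists for them. The interface names are assumptions: `pppoe` for the WAN link (the name used in the topic author's rules) and `bridge-local` for the LAN (the RouterOS default name); adjust both and the subnet to your setup. The topic author's current rules, for comparison, have no forward-chain rules at all and use `reject`, which answers every probe with an ICMP error instead of silently dropping it.

```routeros
# Added example (not from the thread). Assumed names: WAN interface "pppoe",
# LAN bridge "bridge-local", LAN subnet 192.168.88.0/24. RouterOS v6 syntax.

/ip firewall address-list
add list=not-from-wan address=10.0.0.0/8     comment="RFC1918"
add list=not-from-wan address=172.16.0.0/12  comment="RFC1918"
add list=not-from-wan address=192.168.0.0/16 comment="RFC1918 (includes our own LAN)"
add list=not-from-wan address=127.0.0.0/8    comment="loopback"
add list=not-from-wan address=169.254.0.0/16 comment="link-local"

/ip firewall filter
# input chain: packets addressed to the router itself
add chain=input connection-state=invalid action=drop \
    comment="Drop invalid"
add chain=input connection-state=established,related action=accept \
    comment="Allow replies to connections the router opened"
add chain=input in-interface=pppoe src-address-list=not-from-wan action=drop \
    comment="Drop WAN packets with a spoofed private/loopback source"
add chain=input in-interface=bridge-local src-address=192.168.88.0/24 action=accept \
    comment="Allow LAN to router: interface AND subnet must both match"
add chain=input protocol=icmp action=accept \
    comment="Allow ping from anywhere"
add chain=input action=drop \
    comment="Drop everything else, incl. WinBox/SSH/DNS from the WAN side"

# forward chain: packets routed through the router
add chain=forward connection-state=invalid action=drop \
    comment="Drop invalid"
add chain=forward connection-state=established,related action=accept \
    comment="Allow replies for existing connections"
add chain=forward in-interface=pppoe src-address-list=not-from-wan action=drop \
    comment="Drop WAN packets with a spoofed private/loopback source"
add chain=forward in-interface=bridge-local src-address=192.168.88.0/24 action=accept \
    comment="LAN may open connections to anywhere"
add chain=forward in-interface=pppoe connection-nat-state=dstnat action=accept \
    comment="WAN may open connections only where a dst-nat port-forward exists"
add chain=forward action=drop \
    comment="Drop everything else"

# Verify: per-rule packet counters
/ip firewall filter print stats
```

Apply this from a session on the LAN side, and press Ctrl-X in the terminal first to enable Safe Mode, so the changes are rolled back automatically if the session is cut off (for example because a rule locked you out). Afterwards `/ip firewall filter print stats` shows per-rule packet counters: the final drop rules will count Internet background noise, while the spoof-drop counters should normally stay near zero on a healthy link.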
 
miramanee
just joined
Posts: 19
Joined: Tue Oct 28, 2014 2:37 pm

Re: Safe firewall Settings

Wed Oct 29, 2014 11:34 pm

Hello, I have the RB2011UiAS-2HnD-IN. Can I also use these firewall rules, or do I have to change something?

Here is the export file from my default config:

  MMM      MMM       KKK                          TTTTTTTTTTT      KKK
  MMMM    MMMM       KKK                          TTTTTTTTTTT      KKK
  MMM MMMM MMM  III  KKK  KKK  RRRRRR     OOOOOO      TTT     III  KKK  KKK
  MMM  MM  MMM  III  KKKKK     RRR  RRR  OOO  OOO     TTT     III  KKKKK
  MMM      MMM  III  KKK KKK   RRRRRR    OOO  OOO     TTT     III  KKK KKK
  MMM      MMM  III  KKK  KKK  RRR  RRR   OOOOOO      TTT     III  KKK  KKK

  MikroTik RouterOS 6.20 (c) 1999-2014       http://www.mikrotik.com/

(1 messages not shown)
jan/02/1970 00:28:48 system,error,critical login failure for user admin from 192.168.88.254 via winbox
jan/02/1970 00:00:23 system,error,critical router was rebooted without proper shutdown
jan/02/1970 00:00:22 system,error,critical router was rebooted without proper shutdown
jan/02/1970 01:11:04 system,error,critical router was rebooted without proper shutdown
oct/27/2014 11:19:42 dhcp,critical,error dhcp-client on ether1-gateway lost IP address 37.49.57.220 - received NAK from dhcp server 0.0.0.0
oct/27/2014 11:20:31 dhcp,critical,error dhcp-client on ether1-gateway lost IP address 192.168.100.10 - lease expired
oct/28/2014 12:29:46 dhcp,critical,error dhcp-client on ether1-gateway lost IP address 37.49.57.220 - received NAK from dhcp server 0.0.0.0
oct/28/2014 12:30:51 dhcp,critical,error dhcp-client on ether1-gateway lost IP address 192.168.100.10 - lease expired
[admin@RB2011] > export
# oct/28/2014 13:22:31 by RouterOS 6.20
# software id = QUBV-PGBY
#
/interface bridge
add admin-mac= auto-mac=no mtu=1500 name=bridge-local
/interface ethernet
set [ find default-name=ether1 ] name=ether1-gateway
set [ find default-name=ether6 ] name=ether6-master-local
set [ find default-name=ether7 ] master-port=ether6-master-local name=ether7-slave-local
set [ find default-name=ether8 ] master-port=ether6-master-local name=ether8-slave-local
set [ find default-name=ether9 ] master-port=ether6-master-local name=ether9-slave-local
set [ find default-name=ether10 ] master-port=ether6-master-local name=ether10-slave-local
set [ find default-name=sfp1 ] name=sfp1-gateway
/ip neighbor discovery
set ether1-gateway discover=no
set sfp1-gateway discover=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" management-protection=allowed mode=dynamic-keys name=wlan supplicant-identity="" wpa2-pre-shared-key=\

/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-ht-above country=germany disabled=no distance=indoors l2mtu=2290 mode=ap-bridge \
    security-profile=wlan ssid=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge-local name=default
/port
set 0 name=serial0
/system logging action
set 1 disk-file-name=log
set 2 remember=yes
set 3 src-address=0.0.0.0
/interface bridge port
add bridge=bridge-local interface=ether2
add bridge=bridge-local interface=ether3
add bridge=bridge-local interface=ether4
add bridge=bridge-local interface=ether5
add bridge=bridge-local interface=ether6-master-local
add bridge=bridge-local interface=wlan1
/ip address
add address=192.168.88.1/24 comment="default configuration" interface=bridge-local network=192.168.88.0
/ip dhcp-client
add comment="default configuration" dhcp-options=hostname,clientid disabled=no interface=sfp1-gateway
add comment="default configuration" dhcp-options=hostname,clientid disabled=no interface=ether1-gateway
/ip dhcp-server network
add address=192.168.88.0/24 comment="default configuration" dns-server=192.168.88.1 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router
/ip firewall filter
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" connection-state=established
add chain=input comment="default configuration" connection-state=related
add action=drop chain=input comment="default configuration" in-interface=sfp1-gateway
add action=drop chain=input comment="default configuration" in-interface=ether1-gateway
add chain=forward comment="default configuration" connection-state=established
add chain=forward comment="default configuration" connection-state=related
add action=drop chain=forward comment="default configuration" connection-state=invalid
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" out-interface=sfp1-gateway
add action=masquerade chain=srcnat comment="default configuration" out-interface=ether1-gateway to-addresses=0.0.0.0
/ip proxy
set cache-path=web-proxy1
/ip upnp
set allow-disable-external-interface=no
/snmp
set trap-community=public
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name=RB2011
/system logging
add topics=ipsec
/system ntp client
set enabled=yes primary-ntp=132.199.4.1 secondary-ntp=132.199.4.1
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=ether2
add interface=ether3
add interface=ether4
add interface=ether5
add interface=ether6-master-local
add interface=ether7-slave-local
add interface=ether8-slave-local
add interface=ether9-slave-local
add interface=ether10-slave-local
add interface=wlan1
add interface=bridge-local
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=ether2
add interface=ether3
add interface=ether4
add interface=ether5
add interface=ether6-master-local
add interface=ether7-slave-local
add interface=ether8-slave-local
add interface=ether9-slave-local
add interface=ether10-slave-local
add interface=wlan1
add interface=bridge-local
[admin@RB2011] > 
 
bingo220
Member Candidate
Posts: 124
Joined: Sun Sep 22, 2013 9:30 pm
Location: Ukraine

Re: Safe firewall Settings

Thu Oct 30, 2014 10:22 am

miramanee, these are standard rules. You can use them without problem.
 
miramanee
just joined
Posts: 19
Joined: Tue Oct 28, 2014 2:37 pm

Re: Safe firewall Settings

Thu Oct 30, 2014 2:07 pm

Hello,

These are my settings in IP > Firewall:

Image

Do I have to delete those entries and put in the entries in the same order as shown by user bingo220?

This is my interface list:

Image
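
An added example, not from the thread, of applying bingo220's rule set on top of the stock configuration shown in the export above without deleting the default rules first. Firewall rules are evaluated top to bottom and the first matching rule decides, so only two orderings matter: the LAN accept must come before the final drop, and the final drop must be last in its chain. The relative order of the invalid, established and related rules does not matter, because a packet is in exactly one connection state. The default config's `drop in-interface=ether1-gateway` / `sfp1-gateway` rules can stay; they are also what keeps `/ip dns set allow-remote-requests=yes` from turning the router into an open resolver on the WAN side, and a final input drop preserves that property. Assumptions: the LAN subnet is 192.168.88.0/24 and the rule numbers printed by the first command match the default export (0 is the input ICMP accept); adjust the numbers if yours differ.

```routeros
# Added example (not from the thread). Assumes the stock RB2011 default
# firewall from the export above is still loaded and the LAN is 192.168.88.0/24.

# 1. List the current rules with their numbers. Numbers are positions in the
#    whole filter list across both chains; 0 is "input icmp accept" by default.
/ip firewall filter print

# 2. Insert the missing input "drop invalid" at the top. place-before takes the
#    number of the rule that should end up after the new one.
/ip firewall filter add chain=input connection-state=invalid action=drop \
    comment="Drop input invalid" place-before=0

# 3. Append the LAN accepts and the final drops. "add" without place-before
#    appends at the end of the list, so these land after every default rule;
#    the accept is added before the drop so the LAN is never locked out.
/ip firewall filter add chain=input src-address=192.168.88.0/24 action=accept \
    comment="Allow all input for local net"
/ip firewall filter add chain=input action=drop comment="All other inputs drop"
/ip firewall filter add chain=forward src-address=192.168.88.0/24 action=accept \
    comment="Allow all forward for local net"
/ip firewall filter add chain=forward action=drop comment="All other forwards drop"

# 4. If a rule landed in the wrong place, move it instead of deleting and
#    re-adding: "move <rule> <destination>" puts <rule> in front of <destination>.
#    With the default 8 rules plus the 5 added above, the last rule is number 12.
# /ip firewall filter move 12 9

# 5. Check the final order and, after some traffic, which rules are being hit.
/ip firewall filter print
/ip firewall filter print stats
```

Run this from a LAN-side session with Safe Mode enabled (Ctrl-X in the terminal, or the Safe Mode button in WinBox) so a mistake in step 3 is undone automatically if the session drops.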
 
emistery
just joined
Topic Author
Posts: 4
Joined: Thu Oct 23, 2014 6:45 pm

Re: Safe firewall Settings

Sat Nov 01, 2014 9:25 pm

Thanks! I will try it!
