43north
Member Candidate
Topic Author
Posts: 197
Joined: Fri Nov 14, 2014 7:06 am

Basic must have firewall settings?

Mon Jun 15, 2015 1:44 am

Just looking for a list of standard firewall settings that are general best-practice rules. Does such a list exist?
 
IntrusDave
Forum Guru
Posts: 1290
Joined: Fri May 09, 2014 4:36 am
Location: Rancho Cucamonga, CA

Re: Basic must have firewall settings?

Mon Jun 15, 2015 8:43 am

For a general / basic / home network, this should be "good enough."
/ip firewall filter
add action=drop chain=input connection-state=invalid
add action=drop chain=input comment="Drop Blacklisted Hosts" log-prefix="NOTICE: Dropped Attack Attempt" src-address-list=\
    blacklist
add chain=input connection-state=established,related
add chain=input src-address-list=ipSec
add chain=input src-address-list=PrivateIPs
add chain=input in-interface=lan1
add chain=input log-prefix=NOTICE protocol=icmp
add action=drop chain=input comment="Default Drop" log-prefix=<DEFAULT>
add action=drop chain=forward connection-state=invalid
add action=reject chain=forward dst-address-list=blacklist log=yes log-prefix="BL OUTBOUND" reject-with=icmp-admin-prohibited
add action=drop chain=forward src-address-list=blacklist
add chain=forward connection-state=established,related
add chain=forward src-address-list=PrivateIPs
add action=drop chain=forward comment="Default Drop" in-interface=wan1 log=yes log-prefix=<DEFAULT>
add action=drop chain=forward comment="Default Drop" in-interface=wan2 log=yes log-prefix=<DEFAULT>
If you have public servers that you are protecting, then you can do a lot more to try to stop DDoS and brute-force attacks. But in general, this should be enough to keep you safe.

Oh, I have two address lists: "blacklist" and "PrivateIPs". The blacklist is generated by my server every morning using several publicly available lists, as well as lists generated by Fail2Ban on all of my servers. The PrivateIPs list is just that: 10.0.0.0/8, 172.16.0.0/16, and 192.168.0.0/16. It's a simple (although maybe not entirely secure) way of making sure my VPNs all flow nicely.
David Joyce
Network & Security Engineer
Intrus Technologies, LLC.
Rancho Cucamonga, CA, USA
 
G2Dolphin
Member Candidate
Posts: 159
Joined: Sun May 17, 2015 6:03 pm
Location: Moscow, Russia

Re: Basic must have firewall settings?

Mon Jun 15, 2015 11:02 am

Add these as the first filter rules if your firmware is 6.29+.
/ip firewall filter
add action=fasttrack-connection chain=forward comment=\
    "FT established/related connections (forward)" connection-state=\
    established,related
add action=fasttrack-connection chain=input comment=\
    "FT established/related connections (input)" connection-state=\
    established,related
Home: RB3011UiAS-IN (2011 case+3011-RM), hAP ac, mAP2n/mAP2nD, GrooveA-52HPn, hEX (r3), hAP lite, RB951G-2HnD
Work: RB2011UiAS-RM / UiAS-2HnD-IN, RB951G-2HnD, hEX (r3), CRS125-24G-1S-2HnD-IN, CCR1009-8G-1S-1S+
 
Rudios
Forum Veteran
Posts: 966
Joined: Mon Mar 11, 2013 12:58 pm
Location: The Netherlands

Re: Basic must have firewall settings?

Wed Jun 24, 2015 3:22 pm

Adding the fasttrack option is only applicable for the forward chain.
It does not affect the input chain.
Testing setup with: 2 x RB750UP | 2 x RB750GL | 1 x RB951G-2HnD | 1 x RB2011UiAS-IN
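IntrusDave's export references the address lists "PrivateIPs", "blacklist" and "ipSec" without showing how they are populated, and the two posts on fasttrack leave open where those rules sit relative to the rest of the chain. The following is an added example, not the export of any poster in this thread: it defines the lists with the RFC 1918 ranges, adds one blacklist entry with a timeout (198.51.100.23 is a documentation address used as a placeholder for a feed entry), and orders the forward chain so the fasttrack rule comes first, followed by the accept it depends on. The input chain gets a plain accept for established/related, since fasttrack does not apply there. Interface names lan1 and wan1 follow the posts above; the log prefixes are assumptions.

```routeros
# Added example (not IntrusDave's or G2Dolphin's export). Entry values are
# constructed for illustration; interface names follow the thread.

/ip firewall address-list
# RFC 1918 private ranges; every VPN subnet should fall inside one of these.
add list=PrivateIPs address=10.0.0.0/8     comment="RFC 1918"
add list=PrivateIPs address=172.16.0.0/12  comment="RFC 1918"
add list=PrivateIPs address=192.168.0.0/16 comment="RFC 1918"
# Blacklist entries carry a timeout so a stale feed entry expires on its own
# instead of blocking the address forever. 198.51.100.23 is a TEST-NET-2
# documentation address, used here as a placeholder for a feed entry.
add list=blacklist address=198.51.100.23 timeout=1d comment="example feed entry"

/ip firewall filter
# Forward chain. The fasttrack rule marks the connection for the fast path, but
# packets that are not (yet) fasttracked still traverse the chain, so the accept
# rule for established/related has to follow it.
add action=fasttrack-connection chain=forward connection-state=established,related \
    comment="FT established/related (forward)"
add action=accept chain=forward connection-state=established,related
add action=drop chain=forward connection-state=invalid
add action=drop chain=forward src-address-list=blacklist log=yes log-prefix="BL INBOUND"
add action=reject chain=forward dst-address-list=blacklist reject-with=icmp-admin-prohibited \
    log=yes log-prefix="BL OUTBOUND"
add action=accept chain=forward src-address-list=PrivateIPs
add action=drop chain=forward in-interface=wan1 comment="Default Drop" log=yes \
    log-prefix="DROP FWD"

# Input chain. Fasttrack does not apply here, so the established/related rule is
# a plain accept; everything not explicitly allowed falls through to the logged drop.
add action=drop chain=input connection-state=invalid
add action=accept chain=input connection-state=established,related
add action=drop chain=input src-address-list=blacklist log=yes \
    log-prefix="NOTICE: Dropped Attack Attempt"
add action=accept chain=input in-interface=lan1
add action=accept chain=input src-address-list=PrivateIPs
add action=accept chain=input protocol=icmp
add action=drop chain=input comment="Default Drop" log=yes log-prefix="DROP INPUT"
```

The timeout on the blacklist entry is the detail worth copying from this: a daily feed import that adds entries with a timeout slightly longer than the import interval keeps the list self-cleaning, whereas permanent entries accumulate until someone audits them. The logged default drops are also the only place you will see what the ruleset is actually catching, so keep the prefixes distinct per chain.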
 
wiyat
newbie
Posts: 43
Joined: Tue Jan 12, 2010 9:38 pm

Re: Basic must have firewall settings?

Wed Jun 24, 2015 7:02 pm

43north? After reading the post above, is it clear to you, or do you need support?
