Sat Apr 29, 2017 5:46 pm
There are some conflicting interests here. For example, this was previously brought up for DNS several times. MikroTik's current position is that everything is safe by default, because there's a firewall and it blocks incoming connections from WAN. It's true, there's a drop rule with in-interface=<WAN>. But then the user manually adds another WAN (e.g. PPPoE) and suddenly there's no protection, because input's default action is accept. The suggestion was to use the reverse approach: allow connections from LAN (well, rather "interface currently configured as LAN", because there's no hard-set LAN or WAN in RouterOS) and have a default unconditional drop rule at the end. MikroTik's response was along the lines that it would help, but then when users added e.g. another LAN, they could be confused, because everything from there would be blocked by default, they would not know what to do, would think the router is broken, and so on. And that's true too. Now what to choose? One approach is clearly better for security, but the other one makes sense too, especially for MikroTik, because they don't want users returning "broken" routers.
Another thing is the access control options currently available in RouterOS. In short, it's not good. Some services (winbox, ssh, ...) can be configured in IP->Services and you can set allowed IP subnets. Others (socks, web proxy) have their own access rules. SMB has its own option to select allowed interfaces. And DNS doesn't have anything like that at all. This is clearly bad for users (even advanced ones). These settings need to be available for *all* services; we should be able to allow requests from selected IP subnets, interfaces and interface lists for any of them. Preferably in one common place (*1).
But even if we get these nice access control options for everything, there's still the problem of what defaults there should be (see first paragraph). Remember, it's not about me, you and others who do know something about RouterOS; we'll always get by. But there are millions of users who don't know anything and just got the router because someone told them it's better than others. If it's too complicated for them, it's bad for MikroTik's sales. If it's too easy to mess up, it's bad for everyone (DDoS attacks using misconfigured routers, ...) and MikroTik's reputation too (even though it's not completely fair to blame them). It needs the right balance... and I'm not saying it's easy to find it.
-
(*1) It might sort of "conflict" with the advanced access options used by socks and web proxy. I don't see a major problem with it, even if it would mean that there would be "basic" access rules for a service in IP->Services and more detailed ones where they are now. Someone might not like that ("same" options in two places), but I think it's solvable; there could be e.g. some kind of link to the other place, so nobody would get lost.
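
The trade-off described in the post above, as an added example that is not part of the original post: a small first-match model of the input chain that evaluates both rule styles when a second WAN or a second LAN appears. The interface names (ether1, pppoe-out1, bridge, bridge2), the "LAN" list and the exact rule lines are constructed for illustration.

```python
# Added example: minimal first-match model of a RouterOS-style input chain.
# Interface names, the "LAN" list and the rule lines are constructed samples.

def parse_rule(line):
    """Turn 'action=drop in-interface=ether1' into a dict of matchers."""
    return dict(item.split("=", 1) for item in line.split())

def decide(rules, packet, lists):
    """Return the action of the first matching rule; default is accept."""
    for rule in map(parse_rule, rules):
        states = rule.get("connection-state")
        if states and packet["state"] not in states.split(","):
            continue
        if "in-interface" in rule and rule["in-interface"] != packet["iface"]:
            continue
        members = lists.get(rule.get("in-interface-list"), ())
        if "in-interface-list" in rule and packet["iface"] not in members:
            continue
        return rule["action"]
    return "accept"  # nothing matched: the chain's default action

# Style A: drop what arrives on the interface currently used as WAN.
DROP_FROM_WAN = [
    "action=accept connection-state=established,related",
    "action=drop in-interface=ether1",
]

# Style B: accept only from interfaces listed as LAN, then drop the rest.
ALLOW_FROM_LAN = [
    "action=accept connection-state=established,related",
    "action=accept in-interface-list=LAN",
    "action=drop",
]

LISTS = {"LAN": {"bridge"}}

def new_connection_from(rules, iface):
    """Verdict for an unsolicited new connection arriving on iface."""
    return decide(rules, {"iface": iface, "state": "new"}, LISTS)

if __name__ == "__main__":
    print("interface    drop-from-WAN  allow-from-LAN")
    for iface in ("ether1", "pppoe-out1", "bridge", "bridge2"):
        print(f"{iface:<12} {new_connection_from(DROP_FROM_WAN, iface):<14} "
              f"{new_connection_from(ALLOW_FROM_LAN, iface)}")
```

The pppoe-out1 row shows the exposure with style A, and the bridge2 row shows the "router looks broken" case with style B until the new interface is added to the LAN list.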