Hi all,
our client devices connected via PPPoE got attacked and many of our devices became unusable. Do you have any suggestions for firewall rules that can be used as a precaution?
Thanks a lot.
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall filter
add action=accept chain=forward comment="ACCEPT established & related" connection-state=established,related in-interface=pppoe-out1
add action=accept chain=input comment="ACCEPT established & related" connection-state=established,related in-interface=pppoe-out1
add action=drop chain=forward comment="DROP invalid" connection-state=invalid in-interface=pppoe-out1
add action=drop chain=input comment="DROP invalid" connection-state=invalid in-interface=pppoe-out1
add action=accept chain=forward comment="ACCEPT DST-NAT'D" connection-nat-state=dstnat in-interface=pppoe-out1
add action=accept chain=input comment="ACCEPT ICMP" in-interface=pppoe-out1 protocol=icmp
add action=drop chain=input comment="DROP ALL" in-interface=pppoe-out1
add action=drop chain=forward comment="DROP ALL" in-interface=pppoe-out1
mrz wrote:
WAN and LAN are interface lists. You just need to edit the WAN interface list.

Thanks mrz,
/ip firewall
address-list add address=10.10.2.10 comment="Admin Network" list=admin
/ip firewall filter
add action=accept chain=forward comment="SecureConnection For Admin" src-address-list=admin
add action=drop chain=input comment="drop connection for ports" dst-port=22,2200,23,8291 protocol=tcp
add action=drop chain=input comment="drop connection for ports" dst-port=22,2200,23,8291 protocol=udp
add action=drop chain=forward comment="drop connection for ports" dst-port=22,2200,23,8291 protocol=tcp
add action=drop chain=forward comment="drop connection for ports" dst-port=22,2200,23,8291 protocol=udp
Steveocee wrote:
Basic one but usable, of course you need to change the in-interface to match your PPPoE client interface name (pppoe-out1 is the default).

Thanks Steveocee for your help.
add action=accept chain=forward comment="ACCEPT DST-NAT'D" connection-nat-state=dstnat in-interface=pppoe-out1
Quote:
Thanks Steveocee for your help.

I generally use both forward and input in tandem, same rules for each. It just adds some extra assurance for your clients behind the router.
I think the difference between the MikroTik default firewall config and your firewall is the forward chain. The MikroTik default firewall rules don't use the forward chain.
Quote:
Is the rule above for port forwarding?
add action=accept chain=forward comment="ACCEPT DST-NAT'D" connection-nat-state=dstnat in-interface=pppoe-out1

Yes, this makes it so that you don't have to add separate rules for each port forward you add.
Quote:
If I want to make it more secure and give access only to some special IPs so that customers don't get attacked, what can I do? Our equipment, which has a public IP on its WAN interface, was affected by the attack and became unusable, so I thought I would add these rules too:
/ip firewall
address-list add address=10.10.2.10 comment="Admin Network" list=admin
/ip firewall filter
add action=accept chain=forward comment="SecureConnection For Admin" src-address-list=admin
add action=drop chain=input comment="drop connection for ports" dst-port=22,2200,23,8291 protocol=tcp
add action=drop chain=input comment="drop connection for ports" dst-port=22,2200,23,8291 protocol=udp
add action=drop chain=forward comment="drop connection for ports" dst-port=22,2200,23,8291 protocol=tcp
add action=drop chain=forward comment="drop connection for ports" dst-port=22,2200,23,8291 protocol=udp

You don't need those specific rules. A simple drop all would suffice as long as you have an allow established and related at the top.
/interface list add name=WAN
/interface list add name=LAN
/interface list member add interface=[/interface ethernet find] list=LAN
/interface list member add interface=[/interface pppoe-client find] list=WAN
# the list name must match the src-address-list used in the filter rules below
/ip firewall address-list add address=10.10.10.30 comment="Admin" list=admin
/ip firewall filter
add action=accept chain=forward comment="ACCEPT established & related" connection-state=established,related in-interface-list=WAN
add action=accept chain=input comment="ACCEPT established & related" connection-state=established,related in-interface-list=WAN
add action=drop chain=forward comment="DROP invalid" connection-state=invalid in-interface-list=WAN
add action=drop chain=input comment="DROP invalid" connection-state=invalid in-interface-list=WAN
add action=accept chain=input comment="SecureConnection For Admin" src-address-list=admin
add action=accept chain=forward comment="SecureConnection For Admin" src-address-list=admin
add action=accept chain=forward comment="ACCEPT DST-NAT'D" connection-nat-state=dstnat in-interface-list=WAN
add action=accept chain=input comment="ACCEPT ICMP" in-interface-list=WAN protocol=icmp
add action=drop chain=input comment="drop connection for admin special ports" dst-port=22,23,8291,8728,8729 protocol=tcp
add action=drop chain=input comment="drop connection for admin special ports" dst-port=22,23,8291,8728,8729 protocol=udp
add action=drop chain=forward comment="drop connection for admin special ports" dst-port=22,23,8291,8728,8729 protocol=tcp
add action=drop chain=forward comment="drop connection for admin special ports" dst-port=22,23,8291,8728,8729 protocol=udp
add action=drop chain=input comment="DROP ALL" in-interface-list=WAN
add action=drop chain=forward comment="DROP ALL" in-interface-list=WAN
/ip service disable telnet,ftp,www,api,api-ssl
/ip service set ssh port=2200
# restrict every remaining service and every user account to the admin host
/ip service set [find] address=10.10.10.30
/user set [find] address=10.10.10.30
/tool bandwidth-server set enabled=no
# note: with allow-remote-requests=no the router will not answer DNS queries from LAN clients
/ip dns set allow-remote-requests=no
/ip proxy set enabled=no
/ip socks set enabled=no
/ip upnp set enabled=no
/ip cloud set ddns-enabled=no update-time=no
# the new key size only takes effect after /ip ssh regenerate-host-key
/ip ssh set host-key-size=4096 strong-crypto=yes
/ip settings set rp-filter=strict
/ip firewall service-port disable [find]
CZFan wrote:
I will suggest you remove the in-interface on the following rules.
/ip firewall filter
add action=accept chain=forward comment="ACCEPT established & related" connection-state=established,related in-interface-list=WAN
add action=accept chain=input comment="ACCEPT established & related" connection-state=established,related in-interface-list=WAN
add action=drop chain=forward comment="DROP invalid" connection-state=invalid in-interface-list=WAN
add action=drop chain=input comment="DROP invalid" connection-state=invalid in-interface-list=WAN
add action=drop chain=input comment="DROP ALL" in-interface-list=WAN
add action=drop chain=forward comment="DROP ALL" in-interface-list=WAN

Hi CZFan, thank you very much for your help and support. I combined Steveocee's advice and yours and here is the result. I hope this will help me secure the connection for the CPE and customers. Thank you and Steveocee again.
/interface list add name=WAN
/interface list add name=LAN
/interface list member add interface=[/interface ethernet find] list=LAN
/interface list member add interface=[/interface pppoe-client find] list=WAN
# the list name must match the src-address-list used in the filter rules below
/ip firewall address-list add address=10.10.10.30 comment="Admin" list=admin
/ip firewall filter
add action=accept chain=forward comment="ACCEPT established & related" connection-state=established,related
add action=accept chain=input comment="ACCEPT established & related" connection-state=established,related
add action=drop chain=forward comment="DROP invalid" connection-state=invalid
add action=drop chain=input comment="DROP invalid" connection-state=invalid
add action=accept chain=input comment="SecureConnection For Admin" src-address-list=admin
add action=accept chain=forward comment="SecureConnection For Admin" src-address-list=admin
add action=accept chain=forward comment="ACCEPT DST-NAT'D" connection-nat-state=dstnat in-interface-list=WAN
add action=accept chain=input comment="ACCEPT ICMP" in-interface-list=WAN protocol=icmp
add action=drop chain=input comment="drop connection for admin special ports" dst-port=22,23,8291,8728,8729 protocol=tcp
add action=drop chain=input comment="drop connection for admin special ports" dst-port=22,23,8291,8728,8729 protocol=udp
add action=drop chain=forward comment="drop connection for admin special ports" dst-port=22,23,8291,8728,8729 protocol=tcp
add action=drop chain=forward comment="drop connection for admin special ports" dst-port=22,23,8291,8728,8729 protocol=udp
add action=drop chain=input comment="DROP ALL"
add action=drop chain=forward comment="DROP ALL"
/ip service disable telnet,ftp,www,api,api-ssl
/ip service set ssh port=2200
# restrict every remaining service and every user account to the admin host
/ip service set [find] address=10.10.10.30
/user set [find] address=10.10.10.30
/tool bandwidth-server set enabled=no
# note: with allow-remote-requests=no the router will not answer DNS queries from LAN clients
/ip dns set allow-remote-requests=no
/ip proxy set enabled=no
/ip socks set enabled=no
/ip upnp set enabled=no
/ip cloud set ddns-enabled=no update-time=no
# the new key size only takes effect after /ip ssh regenerate-host-key
/ip ssh set host-key-size=4096 strong-crypto=yes
/ip settings set rp-filter=strict
/ip firewall service-port disable [find]
Mkx wrote:
Assuming your PPPoE runs on top of some ethernet interface (presumably ether1), is it safe to add all ether interfaces to the LAN list? I'd leave that particular one out. If PPPoE runs on top of the sfp1 interface then your config is OK.

Hi Mkx, thanks for your answer.
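As an added example (not code from the thread or from any of the posters), this is one way to build the two interface lists so that the ethernet port carrying the PPPoE session stays out of LAN, following Mkx's point above. It assumes the PPPoE client is named pppoe-out1 and is dialled over ether1; both names are assumptions and must be adjusted to the CPE.

```routeros
# Added example, not from the thread. Assumed names: the PPPoE client is
# pppoe-out1 and it is dialled over ether1. Adjust both to your CPE.
/interface list
add name=WAN comment="internet side: the PPPoE tunnel only"
add name=LAN comment="customer side"

# The tunnel interface is the WAN. The physical carrier (ether1) goes into
# neither list: an IP packet whose in-interface is ether1 did not come
# through the PPPoE session, so it must not be treated as trusted LAN input.
/interface list member
add list=WAN interface=pppoe-out1

# Every other ethernet port is customer-facing LAN.
:foreach i in=[/interface ethernet find where name!="ether1"] do={
    /interface list member add list=LAN interface=[/interface ethernet get $i name]
}

# Check the result before pointing firewall rules at the lists.
/interface list member print where list=WAN
/interface list member print where list=LAN
```

With the lists built this way, an input rule such as the default configuration's `add action=drop chain=input in-interface-list=!LAN` also drops anything that arrives on ether1 outside the tunnel, which is the behaviour you want on a CPE.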
CZFan wrote:
I will suggest you remove the in-interface on the following rules.

Hi CZFan, when I remove the in-interface from "DROP ALL", customers can't access the internet.

OK, the rules should be like that if I understand correctly.
Add the following rules and place them above the drop rules. This is to allow only new connections from inside to outside, not the other way around:
Allow, forward chain, connection-state=new, in-interface-list=LAN (To access internet)
Allow, input chain, connection-state=new, in-interface-list=LAN (to access Router for DNS, Management, etc)
/ip firewall filter
add action=accept chain=forward comment="ACCEPT established & related" connection-state=established,related
add action=accept chain=input comment="ACCEPT established & related" connection-state=established,related
add action=drop chain=forward comment="DROP invalid" connection-state=invalid
add action=drop chain=input comment="DROP invalid" connection-state=invalid
add action=accept chain=input comment="SecureConnection For Admin" src-address-list=admin
add action=accept chain=forward comment="SecureConnection For Admin" src-address-list=admin
add action=accept chain=forward comment="ACCEPT DST-NAT'D" connection-nat-state=dstnat in-interface-list=WAN
add action=accept chain=input comment="ACCEPT ICMP" in-interface-list=WAN protocol=icmp
add action=drop chain=input comment="drop connection for admin special ports" dst-port=22,23,8291,8728,8729 protocol=tcp
add action=drop chain=input comment="drop connection for Admin special ports" dst-port=22,23,8291,8728,8729 protocol=udp
add action=drop chain=forward comment="drop connection for Admin special ports" dst-port=22,23,8291,8728,8729 protocol=tcp
add action=drop chain=forward comment="drop connection for Admin special ports" dst-port=22,23,8291,8728,8729 protocol=udp
add action=accept chain=forward comment="ACCEPT New" connection-state=new in-interface-list=LAN
add action=accept chain=input comment="ACCEPT New" connection-state=new in-interface-list=LAN
add action=drop chain=input comment="DROP ALL"
add action=drop chain=forward comment="DROP ALL"
Order should be: established,related first, then drop invalid.
Due to reasons anav already mentioned.
Quote:
Why do you want this rule? Except if needed for monitoring, ICMP traffic will work just fine if initiated from inside, and then the following will be allowed by the established,related rule without the rule below.
add action=accept chain=input comment="ACCEPT ICMP" in-interface-list=WAN protocol=icmp

I removed it.

Quote:
Then these rules, how are you going to manage the router, i.e. config changes?
add action=drop chain=input comment="drop connection for admin special ports" dst-port=22,23,8291,8728,8729 protocol=tcp
add action=drop chain=input comment="drop connection for admin special ports" dst-port=22,23,8291,8728,8729 protocol=udp
add action=drop chain=forward comment="drop connection for admin special ports" dst-port=22,23,8291,8728,8729 protocol=tcp
add action=drop chain=forward comment="drop connection for admin special ports" dst-port=22,23,8291,8728,8729 protocol=udp

For these rules I added the rule below, so I thought that only the admin can manage the router and others will be dropped.
/ip firewall
address-list add address=10.10.2.10 comment="Admin Network" list=admin

Quote:
For these rules I added the rule below, so I thought that only the admin can manage the router and others will be dropped.
/ip firewall
address-list add address=10.10.2.10 comment="Admin Network" list=admin

add action=drop chain=input src-address-list=!admin comment="drop connection for admin special ports" dst-port=22,23,8291,8728,8729 protocol=tcp
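As an added example, not taken from the thread or from any poster, the rule set below consolidates the corrections made above into one ordered configuration: established,related and invalid first, a !admin drop on the management ports instead of a blanket drop, the accept-new-from-LAN rules above the final drop, and no WAN ICMP accept. It assumes the WAN and LAN interface lists already exist, that the management host is 10.10.2.10, that SSH has been moved to port 2200, and that nothing except dst-nat'd port forwards needs to be reachable from the internet. UDP rules for the management ports are left out because every service involved (SSH, Telnet, WinBox, API) is TCP.

```routeros
# Added example, not from the thread. Assumptions: interface lists WAN and
# LAN exist, the admin host is 10.10.2.10, SSH listens on 2200, WinBox on 8291.
/ip firewall address-list
add list=admin address=10.10.2.10 comment="Admin Network"

/ip firewall filter
# 1. Existing connections first, in both chains, so the bulk of traffic never
#    reaches the rules below. Invalid state is dropped right after.
add chain=input   action=accept connection-state=established,related comment="accept established,related"
add chain=forward action=accept connection-state=established,related comment="accept established,related"
add chain=input   action=drop   connection-state=invalid comment="drop invalid"
add chain=forward action=drop   connection-state=invalid comment="drop invalid"

# 2. Management: only the admin list may open connections to the management
#    ports. Everyone else, on every interface, is dropped here and never sees
#    the service. Ports 22/23/8728/8729 are listed although the services are
#    disabled below, so the filter still holds if a service is re-enabled.
add chain=input action=accept protocol=tcp dst-port=2200,8291 src-address-list=admin comment="admin to ssh/winbox"
add chain=input action=drop   protocol=tcp dst-port=22,2200,23,8291,8728,8729 src-address-list=!admin comment="drop mgmt ports from non-admin"

# 3. Port forwards: a new connection from WAN passes only if a dst-nat rule
#    already matched it, so no per-forward filter rule is needed.
add chain=forward action=accept connection-nat-state=dstnat connection-state=new in-interface-list=WAN comment="accept dst-nat'd"

# 4. Customers behind the CPE may open new connections outward and to the
#    router itself (DNS etc.). Without these two rules the final drop below
#    cuts them off, which is what happened when in-interface-list was removed
#    from the "DROP ALL" rules. Step 2 sits above, so a LAN host that is not
#    in the admin list still cannot reach the management ports.
add chain=forward action=accept connection-state=new in-interface-list=LAN comment="LAN to internet"
add chain=input   action=accept connection-state=new in-interface-list=LAN comment="LAN to router"

# 5. Everything else, from any interface, is dropped. No WAN "accept ICMP"
#    rule is needed: replies to pings started from inside already match
#    established,related in step 1.
add chain=input   action=drop comment="drop all"
add chain=forward action=drop comment="drop all"

# Bind the services themselves to the admin host so a mistake in rule order
# does not expose them, and switch off what is not used.
/ip service disable telnet,ftp,www,api,api-ssl
/ip service set ssh port=2200 address=10.10.2.10/32
/ip service set winbox address=10.10.2.10/32
```

To check the result from the admin host, `/ip firewall filter print stats` shows which rule each connection attempt lands on; a WinBox attempt from any non-admin address should increment the "drop mgmt ports from non-admin" counter and nothing after it.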