BartoszP
Forum Guru
Topic Author
Posts: 1719
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Usable rules for firewall

Wed May 09, 2018 12:20 am

I'm starting this thread to share some settings/rules I've made in my routers.

For the beginning, non-routable multicast definitions:
/ip firewall filter
add action=accept chain=forward comment="MCAST: All hosts" dst-address=224.0.0.1
add action=accept chain=forward comment="MCAST: All Routers" dst-address=224.0.0.2
add action=accept chain=forward comment="MCAST: DVMRP" dst-address=224.0.0.4
add action=accept chain=forward comment="MCAST: OSPF" dst-address=224.0.0.5
add action=accept chain=forward comment="MCAST: OSPF DR" dst-address=224.0.0.6
add action=accept chain=forward comment="MCAST: RIPv2" dst-address=224.0.0.9
add action=accept chain=forward comment="MCAST: EIGRP" dst-address=224.0.0.10
add action=accept chain=forward comment="MCAST: PIMv2" dst-address=224.0.0.13
add action=accept chain=forward comment="MCAST: VRRP" dst-address=224.0.0.18
add action=accept chain=forward comment="MCAST: IS-IS over IP" dst-address=224.0.0.19
add action=accept chain=forward comment="MCAST: IS-IS over IP" dst-address=224.0.0.20
add action=accept chain=forward comment="MCAST: IS-IS over IP" dst-address=224.0.0.21
add action=accept chain=forward comment="MCAST: IGMPv3" dst-address=224.0.0.22
add action=accept chain=forward comment="MCAST: HSRPv2/GLBP" dst-address=224.0.0.102
add action=accept chain=forward comment="MCAST: PTPv2" dst-address=224.0.0.107
add action=accept chain=forward comment="MCAST: mDNS" dst-address=224.0.0.251
add action=accept chain=forward comment="MCAST: LLMNR" dst-address=224.0.0.252
add action=accept chain=forward comment="MCAST: Teredo" dst-address=224.0.0.253
Real admins use real keyboards.
MangleRule
Frequent Visitor
Posts: 60
Joined: Mon May 07, 2018 1:05 am

Re: Usable rules for firewall

Wed May 09, 2018 12:52 am

I'm sure this will be useful to a lot of people! To keep the firewall tables from getting unruly it might be nice to get these into address-lists like "multicast.addresses" and have a single rule. It would make importing, extending, managing, and deleting these rules very simple.

/ip firewall filter
add chain=forward address-list="multicast.addresses" action=accept comment="Permit: Forward traffic from address-list multicast.addresses."

/ip firewall address-list
add list=multicast.addresses address=224.0.0.1 comment="All hosts"
add list=multicast.addresses address=224.0.0.2 comment="All Routers"
add list=multicast.addresses address=224.0.0.4 comment="DVMRP"
add list=multicast.addresses address=224.0.0.5 comment="OSPF"
add list=multicast.addresses address=224.0.0.6 comment="OSPF DR"
add list=multicast.addresses address=224.0.0.9 comment="RIPv2"
add list=multicast.addresses address=224.0.0.10 comment="EIGRP"
add list=multicast.addresses address=224.0.0.13 comment="PIMv2"
add list=multicast.addresses address=224.0.0.18 comment="VRRP"
add list=multicast.addresses address=224.0.0.19 comment="IS-IS over IP"
add list=multicast.addresses address=224.0.0.20 comment="IS-IS over IP"
add list=multicast.addresses address=224.0.0.21 comment="IS-IS over IP"
add list=multicast.addresses address=224.0.0.22 comment="IGMPv3"
add list=multicast.addresses address=224.0.0.102 comment="HSRPv2/GLBP"
add list=multicast.addresses address=224.0.0.107 comment="PTPv2"
add list=multicast.addresses address=224.0.0.251 comment="mDNS"
add list=multicast.addresses address=224.0.0.252 comment="LLMNR"
add list=multicast.addresses address=224.0.0.253 comment="Teredo"
MTCNAMTCREMTCINE | MTCTCE | MTCUME | UBWA
BartoszP
Forum Guru
Topic Author
Posts: 1719
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: Usable rules for firewall

Wed May 09, 2018 12:57 am

Nice.
But you can't switch on/off or count particular protocols hitting your router.
Real admins use real keyboards.
MangleRule
Frequent Visitor
Posts: 60
Joined: Mon May 07, 2018 1:05 am

Re: Usable rules for firewall

Wed May 09, 2018 1:04 am

Nice.
But you can't switch on/off or count particular protocols hitting your router.

Well you can just disable and enable the items on the address-list to turn them off and on. I guess counters would be the only downside.
MTCNAMTCREMTCINE | MTCTCE | MTCUME | UBWA
Gombeen666
Frequent Visitor
Posts: 61
Joined: Tue Jun 25, 2019 5:33 pm

Re: Usable rules for firewall

Fri Jun 28, 2019 4:58 pm

Are the firewall rules to be on the AP or the CPE, or both? Also, is it necessary to specify the interface?
sebastia
Forum Guru
Posts: 1795
Joined: Tue Oct 12, 2010 3:23 am
Location: Antwerp, BE

Re: Usable rules for firewall

Fri Jun 28, 2019 6:42 pm

For the beginning, non-routable multicast definitions:
If these are non-routable, then why forward?
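Added example, not code from any poster in this thread: a small Python tool that parses RouterOS `add key=value ...` lines like the ones above, rewrites the per-address forward rules from the first post into address-list entries as suggested in the second, and flags which destinations sit in 224.0.0.0/24. That block is the IANA Local Network Control Block (RFC 5771): routers do not forward packets addressed to it regardless of TTL, which is the point behind the question "why forward?". The sample input is constructed from the thread's own addresses plus two extra ones (239.255.255.250 and 192.0.2.1) so that the routable and non-multicast paths are exercised; the function names are my own.

```python
import ipaddress
import re

# Constructed sample input: a few of the per-address forward rules from the first
# post, plus two extra addresses added here to exercise the classifier
# (239.255.255.250 is a routable, admin-scoped group; 192.0.2.1 is not multicast).
SAMPLE_RULES = """\
add action=accept chain=forward comment="MCAST: All hosts" dst-address=224.0.0.1
add action=accept chain=forward comment="MCAST: OSPF" dst-address=224.0.0.5
add action=accept chain=forward comment="MCAST: VRRP" dst-address=224.0.0.18
add action=accept chain=forward comment="MCAST: mDNS" dst-address=224.0.0.251
add action=accept chain=forward comment="MCAST: SSDP (constructed)" dst-address=239.255.255.250
add action=accept chain=forward comment="Not multicast (constructed)" dst-address=192.0.2.1
"""

# RFC 5771 Local Network Control Block: routers never forward packets sent to
# these groups, so on a router a forward-chain rule for them does not match.
LINK_LOCAL_MCAST = ipaddress.ip_network("224.0.0.0/24")

ADD_RE = re.compile(r"^\s*add\s+(?P<args>.+)$")
# key=value where the value is either a double-quoted string or a bare token
ARG_RE = re.compile(r'([\w-]+)=(?:"([^"]*)"|(\S+))')


def parse_add_lines(text):
    """Parse RouterOS `add key=value ...` lines into a list of dicts.
    Quoted values may contain spaces; bare values run to the next space."""
    rules = []
    for line in text.splitlines():
        m = ADD_RE.match(line)
        if not m:
            continue
        args = {}
        for key, quoted, bare in ARG_RE.findall(m.group("args")):
            args[key] = quoted if bare == "" else bare
        rules.append(args)
    return rules


def classify(address):
    """Say whether a destination can ever be seen by a router's forward chain."""
    addr = ipaddress.ip_address(address)
    if not addr.is_multicast:
        return "not-multicast"
    if addr in LINK_LOCAL_MCAST:
        return "link-local"  # stays on the local segment; arrives in input, not forward
    return "routable"


def to_address_list(filter_text, list_name, prefix="MCAST: "):
    """Rewrite per-address forward rules into address-list entries (the
    consolidation suggested in the thread), dropping the comment prefix."""
    lines = []
    for rule in parse_add_lines(filter_text):
        if rule.get("chain") != "forward" or "dst-address" not in rule:
            continue
        comment = rule.get("comment", "")
        if comment.startswith(prefix):
            comment = comment[len(prefix):]
        lines.append(
            f'add list={list_name} address={rule["dst-address"]} comment="{comment}"'
        )
    return lines


def audit(filter_text):
    """Map each dst-address to its classification, for review before deploying."""
    return {
        r["dst-address"]: classify(r["dst-address"])
        for r in parse_add_lines(filter_text)
        if "dst-address" in r
    }


if __name__ == "__main__":
    for line in to_address_list(SAMPLE_RULES, "multicast.addresses"):
        print(line)
    for address, kind in audit(SAMPLE_RULES).items():
        print(f"{address:18} {kind}")
```

Treat the "link-local" verdict as a review hint rather than a rule to delete blindly: if bridged traffic is pushed through the IP firewall (bridge setting use-ip-firewall=yes), link-local multicast crossing the bridge does traverse the forward chain, and on a plain router the same groups still need input-chain rules for the router's own routing protocols.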
