flynno

Clients CPE Firewall

Sat Jan 26, 2019 11:31 pm

Hey guys,

I'm using this firewall on wireless client CPEs. Does anyone have anything else that I should include in it?

/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="Allow WinBox" dst-port=8291 protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip firewall address-list
add list="BOGONS" address=0.0.0.0/8
add list="BOGONS" address=10.0.0.0/8
add list="BOGONS" address=100.64.0.0/10
add list="BOGONS" address=127.0.0.0/8
add list="BOGONS" address=169.254.0.0/16
add list="BOGONS" address=172.16.0.0/12
add list="BOGONS" address=192.0.0.0/24
add list="BOGONS" address=192.0.2.0/24
add list="BOGONS" address=192.168.0.0/16
add list="BOGONS" address=198.18.0.0/15
add list="BOGONS" address=198.51.100.0/24
add list="BOGONS" address=203.0.113.0/24
add list="BOGONS" address=224.0.0.0/3
/ip firewall filter
add action=drop chain=forward comment="Drop to bogon list" disabled=no dst-address-list=BOGONS

Services

/ip service disable www
/ip service disable www-ssl
/ip service disable telnet
/ip service disable api
/ip service disable api-ssl
/ip service disable ftp
/ip service set ssh port=2022
/ip service disable ssh
/ip settings set tcp-syncookies=yes
/ip settings set rp-filter=strict
/ip ssh set strong-crypto=yes
/system note set show-at-login=yes
/system note set note="Authorized administrators only. Access to this device is monitored."
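One thing worth checking before pushing this to a fleet of CPEs is rule ordering in the input chain: in the export above, "Allow WinBox" (and the ICMP accept) sit before "drop all not coming from LAN" and carry no in-interface-list, so they match on the WAN side too. The following script is an added example, not code from the post or from MikroTik; it parses the RouterOS export format and lists input-chain accept rules that admit new connections without any source restriction. The sample export is constructed from the rules quoted above.

```python
import shlex

# Constructed sample: the input-chain rules from the post above, in RouterOS export form.
SAMPLE_EXPORT = """\
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="Allow WinBox" dst-port=8291 protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=drop chain=forward comment="Drop to bogon list" disabled=no dst-address-list=BOGONS
"""

# Matchers that restrict where a packet may come from.
SOURCE_KEYS = {"in-interface", "in-interface-list", "src-address", "src-address-list"}


def parse_export(text):
    """Parse '/path' lines plus 'add k=v ...' lines into (path, {key: value}) tuples."""
    rules, path = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("/"):
            path = line
            continue
        if line.startswith("add "):
            # shlex keeps quoted values such as comment="..." together
            kv = dict(tok.split("=", 1) for tok in shlex.split(line[4:]) if "=" in tok)
            rules.append((path, kv))
    return rules


def wan_reachable_accepts(rules, chain="input"):
    """Return comments of enabled accept rules in `chain` that match new connections
    without restricting the source interface or address. Such rules are hit before
    any later 'drop all not coming from LAN' rule, so they are reachable from WAN."""
    hits = []
    for path, r in rules:
        if path != "/ip firewall filter" or r.get("chain") != chain:
            continue
        if r.get("action") != "accept" or r.get("disabled") == "yes":
            continue
        if SOURCE_KEYS & r.keys():
            continue
        states = set(r.get("connection-state", "new").split(","))
        if states <= {"established", "related", "untracked"}:
            continue  # only continues existing flows, no new exposure
        hits.append(r.get("comment", "<no comment>"))
    return hits


if __name__ == "__main__":
    for comment in wan_reachable_accepts(parse_export(SAMPLE_EXPORT)):
        print("accept reachable from any interface:", comment)
```

Run it against `/export` output from a CPE; every line it prints is a rule you should either move below the LAN-only drop, or give an explicit in-interface-list=LAN or src-address-list restriction.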
