ubb
Frequent Visitor
Topic Author
Posts: 62
Joined: Tue Aug 29, 2006 12:14 am

Best Practices for Firewalling Servers

Thu May 17, 2007 1:19 am

I'm looking for some input and good ideas from others for firewalling my internal servers on my border router. What methods do you use in firewalling internal servers? I've basically been setting up a few rules per server IP. For example, for a web server, I'll allow port 80, established connections and related connections then drop everything else. Should I be doing anything differently? Any input would be appreciated.
 
Ghassan
Member Candidate
Posts: 213
Joined: Mon May 29, 2006 11:08 pm
Location: Lebanon

Thu May 17, 2007 10:37 am

Umm, well, at my MT router I used to open the ports I use, then drop all the unwanted ports. This configuration decreased my traffic and also protected our customers, but for the input chain:

http://www.mikrotik.com/testdocs/ros/2.9/ip/filter.php

and if you want to forward ports or to make sure your applications are protected behind a router ..

If you want to forward your outside your country to visit your webserver, you can use the srcnat chain; another thing, dstnat is for your customers.
 
changeip
Forum Guru
Posts: 3830
Joined: Fri May 28, 2004 5:22 pm

Re: Best Practices for Firewalling Servers

Thu May 17, 2007 6:27 pm

> I'm looking for some input and good ideas from others for firewalling my internal servers on my border router. What methods do you use in firewalling internal servers? I've basically been setting up a few rules per server IP. For example, for a web server, I'll allow port 80, established connections and related connections then drop everything else. Should I be doing anything differently? Any input would be appreciated.

Allow established, related, and then tcp/80 'new' connections. If you allow tcp/80 before established you can possibly get hackers trying to mess with existing connections.

If you have a few web servers it's nice to be able to use the address-list and set up a list of web server IPs, then use that in the dst-address-list filter on the rule. Saves you from having to repeat the same rules for the others.

Put some synflood filters in place. Don't allow too many SYNs from a single IP address, or too many connections from a single IP address.
 
ubb
Frequent Visitor
Topic Author
Posts: 62
Joined: Tue Aug 29, 2006 12:14 am

Thu May 17, 2007 9:47 pm

Thanks changeip. I actually did have port 80 and then established and related. I'll switch the order of my rules.
 
changeip
Forum Guru
Posts: 3830
Joined: Fri May 28, 2004 5:22 pm

Thu May 17, 2007 9:56 pm

You'll want to add connection-state=new to that port 80 rule as well ... otherwise it will hit even if someone sends you RST or other packets that are not established.

Sam
 
ubb
Frequent Visitor
Topic Author
Posts: 62
Joined: Tue Aug 29, 2006 12:14 am

Thu May 17, 2007 10:01 pm

Ah, I see. Thanks.
 
ubb
Frequent Visitor
Topic Author
Posts: 62
Joined: Tue Aug 29, 2006 12:14 am

Thu May 17, 2007 10:14 pm

In case anyone is interested, here's an example of the way I have this set up for one of my web servers (IP address changed):

/ ip firewall filter
add chain=forward dst-address=10.0.0.2 connection-state=established action=accept comment="" disabled=no
add chain=forward dst-address=10.0.0.2 connection-state=related action=accept comment="" disabled=no
add chain=forward dst-address=10.0.0.2 protocol=tcp dst-port=80 connection-state=new action=accept comment="" disabled=no
add chain=forward dst-address=10.0.0.2 protocol=tcp dst-port=443 connection-state=new action=accept comment="" disabled=no
add chain=forward dst-address=10.0.0.2 protocol=tcp dst-port=22 connection-state=new action=accept comment="" disabled=no
add chain=forward dst-address=10.0.0.2 protocol=tcp dst-port=20 connection-state=new action=accept comment="" disabled=no
add chain=forward dst-address=10.0.0.2 protocol=tcp dst-port=21 connection-state=new action=accept comment="" disabled=no
add chain=forward dst-address=10.0.0.2 action=drop comment="" disabled=no

(FYI, I do allow pings/traceroutes/other good ICMP above this, so this machine will still be pingable.)
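Putting changeip's three suggestions (state rules before the port rules, an address list instead of repeating dst-address per server, and synflood limits) together with ubb's rule set, here is an added example that was not posted by anyone in this thread. It rewrites the same forward-chain policy against an address list, adds connection-state=invalid handling, and places a per-source connection cap and a SYN rate limit in front of the accept rules. It assumes RouterOS 3.x-or-later syntax for the address-list, connection-limit, tcp-flags and limit matchers (the thread is from the 2.9 era); the list name webservers, the second address 10.0.0.3, the sub-chain name syn-protect and all limit values are made up for illustration and need tuning to the real traffic of the servers. On RouterOS v6 the limit matcher also takes a mode suffix (for example limit=200,20:packet), so check the syntax for the version actually in use.

```routeros
# Added example, not the thread's own config. One address list covers every web server,
# so the filter rules below are written once instead of once per dst-address.
/ip firewall address-list
add list=webservers address=10.0.0.2 comment="web server 1 (example address)"
add list=webservers address=10.0.0.3 comment="web server 2 (example address)"

/ip firewall filter
# 1. State rules first: packets of already-tracked connections are accepted here and never
#    reach the port rules, and stray RST/ACK packets that belong to no tracked connection are dropped.
add chain=forward dst-address-list=webservers connection-state=established action=accept
add chain=forward dst-address-list=webservers connection-state=related action=accept
add chain=forward dst-address-list=webservers connection-state=invalid action=drop

# 2. Flood limits, still ahead of the accept rules.
#    connection-limit=50,32 matches once a single /32 source already holds 50 TCP connections
#    to the list; further NEW connections from it are dropped (50 is an example value).
add chain=forward dst-address-list=webservers protocol=tcp connection-state=new connection-limit=50,32 action=drop comment="per-source connection cap (example value)"
#    New SYNs pass through a sub-chain that returns while the rate is under 200/s (burst 20)
#    and drops everything beyond that (example values).
add chain=forward dst-address-list=webservers protocol=tcp tcp-flags=syn connection-state=new action=jump jump-target=syn-protect
add chain=syn-protect protocol=tcp tcp-flags=syn connection-state=new limit=200,20 action=return
add chain=syn-protect protocol=tcp tcp-flags=syn connection-state=new action=drop comment="SYN rate exceeded (example value)"

# 3. Only now accept NEW connections to the published services, so a bare RST or ACK to
#    port 80 cannot match an accept rule (it was already dropped as invalid above).
add chain=forward dst-address-list=webservers protocol=tcp dst-port=80 connection-state=new action=accept
add chain=forward dst-address-list=webservers protocol=tcp dst-port=443 connection-state=new action=accept
add chain=forward dst-address-list=webservers protocol=tcp dst-port=22 connection-state=new action=accept
add chain=forward dst-address-list=webservers protocol=tcp dst-port=21 connection-state=new action=accept

# 4. Everything else addressed to the list is dropped.
add chain=forward dst-address-list=webservers action=drop
```

The FTP data connection (port 20 in ubb's list) is not opened separately here: with the FTP connection-tracking helper enabled it is classified as related and accepted by the related rule. To add a server, add one address-list entry rather than another copy of the rules; to see whether the limits are biting, watch the packet counters on the two drop rules in the filter table.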
