Played around a bit with Mikrotik firewall, and now got a question which is more optimal way for doing simple home firewall:

This:

ros code

add chain=input action=drop connection-state=invalid comment="Block invalid connections"
add chain=input action=accept in-interface=sfp1.4 protocol=igmp comment="Allow IPTV Multicast"
add chain=input action=accept in-interface=sfp1.4 protocol=udp comment="Allow IPTV Multicast"
add chain=input action=accept connection-state=new in-interface=ether1 comment="Allow access from LAN"
add chain=input action=accept connection-state=established comment="Allow established connections"
add chain=input action=accept connection-state=related comment="Allow related connections"
add chain=input action=log log-prefix="IP Filter Input Drop:" disabled=yes comment="Log everything else"
add chain=input action=drop comment="Drop everything else"

add chain=forward action=drop connection-state=invalid comment="Block invalid connections"
add chain=forward action=accept in-interface=sfp1.4 protocol=igmp comment="Allow IPTV Multicast"
add chain=forward action=accept in-interface=sfp1.4 protocol=udp comment="Allow IPTV Multicast"
add chain=forward action=accept connection-state=new in-interface=ether1 comment="Allow access from LAN"
add chain=forward action=accept connection-state=established comment="Allow established connections"
add chain=forward action=accept connection-state=related comment="Allow related connections"
add chain=forward action=log log-prefix="IP Filter Forward Drop:" disabled=yes comment="Log everything else"
add chain=forward action=drop comment="Drop everything else"

Or this:

ros code

add chain=input action=jump jump-target=common comment="Common Rules"

add chain=forward action=jump jump-target=common comment="Common Rules"

add chain=common action=drop connection-state=invalid comment="Block invalid connections"
add chain=common action=accept in-interface=sfp1.4 protocol=igmp comment="Allow IPTV Multicast"
add chain=common action=accept in-interface=sfp1.4 protocol=udp comment="Allow IPTV Multicast"
add chain=common action=accept connection-state=new in-interface=ether1 comment="Allow access from LAN"
add chain=common action=accept connection-state=established comment="Allow established connections"
add chain=common action=accept connection-state=related comment="Allow related connections"
add chain=common action=log log-prefix="IP Filter Drop:" disabled=yes comment="Log everything else"
add chain=common action=drop comment="Drop everything else"

There shouldnt be any difference in functionality AFAIK only one would be 16 lines another is 10 lines.

For lots of port forwards, looks like second one would be better, because there is only need to create third jump into forward chain before "common" named "services" and add those forwards under it.

Before someone asks what I actually try to achieve, is that I try to optimize it and make this easier to read, minimize "duplicates" on different chains, etc, etc...

allowing UDP and igmp on input chain, regardless of the source, results on easy (D)DoS attack or DNS flood....
Both block is wrong from this point of view...

Last line on both block is wrong, it broken any other protocol.

The only time one packet must be drop, generally is when is INCOMING from WAN from untrusted sources, and unsolicited (connection-state=new)

Usually from LAN to WAN must be allowed all, regardless of any.

Input and Output are only routerboard related.
On output block none, on input only all from WAN (add before the exception you want, like ping, winbox, webfig, etc.)

allowing UDP and icmp on input chain results on easy (D)DoS attack or DNS flood....

Actually It doesnt, SFP1 is Internet connectivity, SFP1.4 is subinterface (vlan4 in upstream) and it is ISP "pirvate multicast network" 10.x.x.x/8,
I really doubt that ISP tries to DDoS`me unless some encoder goes haywire, another option would just be to limit it to src address 10.x.x.x/8 which pretty much results the same situation.

And I do have to allow it in input chain aswell or IGMP Proxy wont work

Second block is wrong from this point of view...

Line 17 is wrong on first block, it broken any other protocol.

Could you be more precise?
It should be usual, do drop everything not allowed at the end...at leats on every other vendors network gear.

The only time one packet must be drop, generally is when is INCOMING from WAN from untrusted sources, and unsolicited (connection-state=new)

Usually from LAN to WAN must be allowed all, regardless of any.

Input and Output are only routerboard related.
On output block none, on input only all from WAN (add before the exception you want, like ping, winbox, webfig, etc.

I dont plan any "public services" or want to allow ICMP from WAN eq SFP1
And I dont have any output chain rules as you see and IMHO everything from LAN is permitted by those.

>>>Actually It doesnt, SFP1 is Internet connectivity, SFP1.4 is subinterface (vlan4 in upstream) and it is ISP "pirvate multicast network" 10.x.x.x/8,
How I can know that if you not specify it?

>>>I really doubt that ISP tries to DDoS`me unless some encoder goes haywire.
If you do not have any public IP address, why firewalling?

>>>Could you be more precise?
For example you can not use IPv6 tunnels, VPN, etc. with application than use different protocol over tcp or udp.

>>>It should be usual, do drop everything not allowed at the end...at leats on every other vendors network gear.
Is better block all INCOMING unsolicited traffic at the end than all coming also from own devices.

>>>I dont plan any "public services" or want to allow ICMP.
You not have any public IP? then why use firewall?
If any single device use one public IP address is like one public service, wanted or not...

>>>And I dont have any output chain rules as you see.
Is for completing the explanation.

How I can know that if you not specify it?

Indeed, sorry for that. I should have been more specific.
ISP uplink is trunk interface, has two vlan`s in it. Native vlan is Internet with public IP, bound to SFP1.
IPTV is tagged vlan 4, bound to subinterface SFP1.4 and it is private network.
I only need IGMP & UDP from vlan 4 (Private IPTV network), not from public Internet (or it would be indeed huge security issue, open for NTP/DNS/SNMP DDoS, UDP Flood, etc...).

Ether1 is Local-Lan "trusted" (switch) master port.

If you do not have any public IP address, why firewalling?

I do have public IP, but as I described its on another interface, and I dont allow any UDP from there.

For example you can not use IPv6 tunnels, VPN, etc. with application than use different protocol over tcp or udp.

I know, but as I only setting up basileine, I have to permit those services afterwards eq. add rules concerning those services into corrsponding chains.

Is better block all INCOMING unsolicited traffic at the end than all coming also from own devices.

Wouldnt that create huge allow/deny IP adress specific lists?

You not have any public IP? then why use firewall?
If any single device use one IP address is like one public service, wanted or not...

Well, you probably just misunderstood me. I meant I dont need any access from internet to routerboard itself (Winbox, API, ICMP)
Planning to set up VPN for it and create rules for VPN, after that I can access it as it would be in Local-Lan.
As device itself is in my home, accessible 24/7 I pretty much dont need remote management.

Is for completing the explanation.

OK, actually thought so.

I must go away now, but if I miss, remember me to show mine...

I must go away now, but if I miss, remember me to show mine...

OK, thx...I do appreciate your help...

ros code

add chain=common action=accept connection-state=new in-interface=ether1 comment="Allow access from LAN"

Should be probably just replaced with this:

ros code

add chain=common action=accept in-interface=ether1 comment="Allow access from LAN"

It should resolve it:

For example you can not use IPv6 tunnels, VPN, etc. with application than use different protocol over tcp or udp.

As it should now accept everything, coming from local network, regardless of protocol or destination, untill source is local network...

I must go away now, but if I miss, remember me to show mine...

Could you please?

right,

but I'm away from my home and from my office,

ask tomorrow on the morning

ask tomorrow on the morning

Can you do it now, please?

Yes, wait 5 min, i post here.

MATRIX = local network

i not translate the comments, but
Accetto = accept
Permetto = permit
Blocco = block
Attacco = attack
Passano = go trought

input rules: obvioously no rule on output...

forward rules:

Wow...many thanks

And actually by this nice example I finally understood, what you actually tried to tell me eralier...