Wed Jun 10, 2015 4:00 pm
Honestly, I've seen some crazy over-the-top firewall configurations on here.
You can do lots and lots with the ROS firewall. However, for home use, especially if you're new to the netfilter way of doing things (tables, chains, etc.), then it can quickly become something much too complicated for your own good.
I'm not saying this to say "you don't have the skill or knowledge" - I'm simply saying that RouterOS certainly "gives you enough rope to hang yourself with," and these intricate firewall configurations that block SYN+FIN between the hours of 3 and 4pm but only on Tuesdays of leap years... well, the benefit these give versus the complexity is not very much.
A basic firewall setup is really all you need:
Rules should go in this order:
- (optional) block traffic to/from addresses in a blacklist
- Allow whatever you've requested (allow connection-state = established,related)
- Allow icmp (with some rate limits if you're worried about flooding - today's flood protocol of choice is DNS, not icmp)
- Allow new connections if they're outbound to the internet.
- Block everything else
Good security requires more than a good firewall...
Secure behind the firewall:
- Only run services that you actually intend to make use of (even if it's "behind a firewall" - it's possible to get exploited)
- Keep software up-to-date (especially on your computers and devices)
Practice good Internet use habits:
(What good is a highly complex firewall if you just click "install" on a trojan downloader?)
- avoid piracy sites and porn sites (that's where lots of dangers lurk)
- don't open strange email / attachments
- don't click links in emails, especially "bills" and "late payment notices" and "update your contact info" links. Open a browser and go to your bank's web page yourself.
- use OpenDNS or some other similar service to prevent your devices from reaching malicious websites, C&C servers, etc. by hostname.
- Use good passwords on your servers / device admin pages.
- Be aware of certificates and know how to use them to validate trustworthy secure sites.
As you can see - having a good firewall is only the beginning of security, not the end-all/be-all.
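The rule order the post lays out, written as a RouterOS `/ip firewall filter` ruleset. This is an added example, not the poster's own configuration. It goes slightly beyond the post by applying the same order to both chains netfilter gives you: `input` (traffic aimed at the router itself) and `forward` (traffic passing through it to the LAN). Interface names are assumptions (`ether1` is the WAN/Internet side, `bridge` is the LAN side), the blacklist entry is a constructed address from the documentation range, and the `limit=` syntax is the RouterOS v6 form.

```routeros
# Added example, not from the original post. Assumptions: ether1 = WAN
# (Internet), bridge = LAN. Same rule order in both chains: "input"
# protects the router, "forward" protects the hosts behind it.

# (optional) blacklist. 198.51.100.0/24 is a constructed example entry.
/ip firewall address-list
add list=blacklist address=198.51.100.0/24 comment="constructed example entry"

/ip firewall filter
# --- input chain: traffic addressed to the router itself ---
add chain=input src-address-list=blacklist action=drop comment="blacklist"
add chain=input connection-state=established,related action=accept \
    comment="replies to what the router asked for"
# Rate-limited icmp; anything over the limit falls through to the final drop.
add chain=input protocol=icmp limit=50/5s,5:packet action=accept \
    comment="icmp, rate limited"
# Counterpart of "allow new outbound": new connections to the router are
# accepted only from the LAN side (management); nothing new from the WAN.
add chain=input connection-state=new in-interface=bridge action=accept \
    comment="management from LAN only"
add chain=input action=drop comment="block everything else"

# --- forward chain: traffic passing through the router ---
add chain=forward src-address-list=blacklist action=drop comment="blacklist (from)"
add chain=forward dst-address-list=blacklist action=drop comment="blacklist (to)"
add chain=forward connection-state=established,related action=accept \
    comment="flows already allowed"
add chain=forward protocol=icmp limit=50/5s,5:packet action=accept \
    comment="icmp, rate limited"
add chain=forward connection-state=new in-interface=bridge out-interface=ether1 \
    action=accept comment="new outbound from LAN to Internet"
add chain=forward action=drop comment="block everything else"
```

Because the final rule in each chain drops whatever earlier rules did not accept, no service on the router (DNS included) is reachable from the WAN side unless a rule above explicitly allows it, which is the post's point about only exposing what you actually use.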