sokeada
just joined
Topic Author
Posts: 9
Joined: Mon Jun 08, 2015 1:39 pm

Filter Rule Order

Wed Jun 10, 2015 1:39 pm

Dear All,

I am new to MikroTik, but I really love MikroTik RouterOS and the hardware architecture. I am really concerned about security on the Internet, and I am trying to add other filters to protect my router and LAN network, such as ping flood, SYN flood, etc.

We all know that we have to add some filters to allow established connections into our LAN and drop invalid packets, etc. My question is: shall I place other rules such as ping flood, SYN flood and virus port filters on top of those default rules, or can I place them under the default rules?

Another question: some filters have a jump rule. For example, to block virus ports using a virus chain, we have to create a jump rule for that virus chain. So shall I place the jump rule at the top of the virus chain rules or at the bottom of the virus chain rules?

Thanks for sharing, and I am looking forward to hearing from you guys.

Sokeada
 
TomosRider
Member Candidate
Posts: 209
Joined: Thu Nov 20, 2014 1:51 pm

Re: Filter Rule Order

Wed Jun 10, 2015 3:58 pm

Hello. From my perspective, you should first put the addresses or lists that you want to allow, then drop everything else.
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: Filter Rule Order

Wed Jun 10, 2015 4:00 pm

Honestly, I've seen some crazy over-the-top firewall configurations on here.
You can do lots and lots with the ROS firewall. However, for home use, especially if you're new to the netfilters way of doing things (tables, chains, etc) then it can quickly become something much too complicated for your own good.

I'm not saying this to say "you don't have the skill or knowledge" - I'm simply saying that RouterOS certainly "gives you enough rope to hang yourself with," and these intricate firewall configurations that block SYN+FIN between the hours of 3 and 4pm but only on Tuesdays of leap years.... well, the benefit these give versus the complexity is not very much.

A basic firewall setup is really all you need:

Rules should go in this order:
1. (optional) Block traffic to/from addresses in a blacklist
2. Allow whatever you've requested (allow connection-state = established,related)
3. Allow icmp (with some rate limits if you're worried about flooding - today's flood protocol of choice is DNS, not icmp)
4. Allow new connections if they're outbound to the internet.
5. Block everything else

Good security requires more than a good firewall.....

Secure behind the firewall:
- Only run services that you actually intend to make use of (even if it's "behind a firewall" - it's possible to get exploited)
- Keep software up-to-date (especially on your computers and devices)
- Practice good Internet use habits:
  (What good is a highly complex firewall if you just click "install" on a trojan downloader?)
  - avoid piracy sites and porn sites (that's where lots of dangers lurk)
  - don't open strange email / attachments
  - don't click links in emails, especially "bills" and "late payment notices" and "update your contact info" links. Open a browser and go to your bank's web page yourself.
  - use OpenDNS or some other similar service to prevent your devices from reaching malicious websites, C&C servers, etc. by hostname.
  - Use good passwords on your servers / device admin pages.
  - Be aware of certificates and know how to use them to validate trustworthy secure sites.

As you can see - having a good firewall is only the beginning of security, not the end-all/be-all.
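
The rule order listed in the post above, modelled as first-match evaluation so the effect of ordering and of a jump into a separate chain can be checked. This is an added example, not code from any poster or from RouterOS; the field names, the `wan`/`lan` labels, port 445 and the packets are constructed, and the "virus" chain name is taken from the original question.

```python
# Added example: a constructed model of first-match chain evaluation.
# Field names, "wan"/"lan" and port 445 are illustrative, not RouterOS syntax.

def matches(rule, pkt):
    """A rule matches when every condition it sets equals the packet's value."""
    return all(pkt.get(k) == v for k, v in rule.items() if k not in ("action", "jump"))

def evaluate(chains, name, pkt):
    """Walk one chain top-down; the first matching accept/drop decides.
    A jump runs the target chain and resumes here if that chain decided nothing."""
    for rule in chains[name]:
        if not matches(rule, pkt):
            continue
        if rule["action"] != "jump":
            return rule["action"]
        verdict = evaluate(chains, rule["jump"], pkt)
        if verdict is not None:
            return verdict
    return None

def forward(chains, pkt):
    # In this model an undecided packet is accepted, hence the final drop rule.
    return evaluate(chains, "forward", pkt) or "accept"

# The order from the post above (ICMP rate limiting is left out of the model).
BASIC = {"forward": [
    {"src_list": "blacklist", "action": "drop"},
    {"state": "established", "action": "accept"},
    {"proto": "icmp", "action": "accept"},
    {"state": "new", "out": "wan", "action": "accept"},
    {"action": "drop"},
]}
# Same rules with the catch-all drop moved to the top: nothing below it is reached.
MISORDERED = {"forward": [BASIC["forward"][-1]] + BASIC["forward"][:-1]}
# A jump into a "virus" chain, placed after the established rule so only new
# connections are checked; the chain's own rules are a separate list.
WITH_JUMP = {
    "forward": BASIC["forward"][:2]
    + [{"state": "new", "action": "jump", "jump": "virus"}]
    + BASIC["forward"][2:],
    "virus": [{"dst_port": 445, "action": "drop"}],
}

# Constructed sample packets.
REPLY = {"state": "established", "out": "lan", "proto": "tcp"}
INBOUND_NEW = {"state": "new", "out": "lan", "proto": "tcp", "dst_port": 22}
OUTBOUND_WEB = {"state": "new", "out": "wan", "proto": "tcp", "dst_port": 443}
OUTBOUND_445 = {"state": "new", "out": "wan", "proto": "tcp", "dst_port": 445}

if __name__ == "__main__":
    for label, chains in [("basic", BASIC), ("misordered", MISORDERED), ("jump", WITH_JUMP)]:
        print(label, [forward(chains, p) for p in (REPLY, INBOUND_NEW, OUTBOUND_WEB, OUTBOUND_445)])
```

In the model, the position of the jump rule within the forward chain decides which packets reach the "virus" chain; the order of rules inside that chain is evaluated separately once the jump is taken.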
 
TomosRider
Member Candidate
Posts: 209
Joined: Thu Nov 20, 2014 1:51 pm

Re: Filter Rule Order

Wed Jun 10, 2015 4:15 pm

Following the guru here, I can add one thing: you are never 100 percent secure. Security patches, educating yourself about possible threats over the network, but most of all... common sense.
 
sokeada
just joined
Topic Author
Posts: 9
Joined: Mon Jun 08, 2015 1:39 pm

Re: Filter Rule Order

Thu Jun 11, 2015 4:19 am

Hello, thanks for sharing.
 
sokeada
just joined
Topic Author
Posts: 9
Joined: Mon Jun 08, 2015 1:39 pm

Re: Filter Rule Order

Thu Jun 11, 2015 4:27 am

Thanks for sharing, bro. Yeah, I acknowledge what you have described above. What I asked was just that I want to use my MikroTik correctly with its capacity. :)
 
sokeada
just joined
Topic Author
Posts: 9
Joined: Mon Jun 08, 2015 1:39 pm

Re: Filter Rule Order

Thu Jun 11, 2015 4:29 am

Thanks for sharing, bro. Yeah, I realize that we can't be 100% secure, but if we use more than one lock, at least someone needs more time to unlock those locks than just one lock. :)
 
TomosRider
Member Candidate
Posts: 209
Joined: Thu Nov 20, 2014 1:51 pm

Re: Filter Rule Order

Thu Jun 11, 2015 3:03 pm

Yes, I agree, and I follow the same logic. The more you know about locking yourself to the outer world, the safer you get. Simple as that.
