
Best scripts for firewall and router protection

Posted: Fri Apr 06, 2018 2:31 pm
by DLz47
Hi,
as the title says, I would like to know which of the following 3 wiki guides I should follow to have the best protection:
1) https://wiki.mikrotik.com/wiki/Basic_un ... all_script
2) https://wiki.mikrotik.com/wiki/Tips_and ... f_RouterOS
3) https://wiki.mikrotik.com/wiki/Manual:S ... our_Router

I have the RB951G-2HnD

Thanks :)

Re: Best scripts for firewall and router protection

Posted: Fri Apr 06, 2018 5:46 pm
by Sob
Not the first one. Just from a quick look, it makes your router an open resolver, and doesn't do much for protecting LAN.

It's probably best to start with the default firewall config you get when you reset the device to factory defaults; it was fine last time I checked.

Re: Best scripts for firewall and router protection

Posted: Fri Apr 06, 2018 6:45 pm
by DLz47
Thanks for your reply. If the first one is so dangerous (Open Resolvers pose a significant threat to the global network infrastructure by answering recursive queries for hosts outside of their domain. They are utilized in DNS Amplification attacks and pose a similar threat to Smurf attacks), why is it still there? It should be removed!
Let's say I would like to have something more secure than the default settings: are the other two solutions valid? If yes, should I follow both or just one? If instead neither of those is a useful solution, how do I reset the firewall to default settings? Do I just select all the rules and then click on the red -? I have a custom port mapping I don't want to lose with a reset.
Also I have found these:
4) https://rickfreyconsulting.com/basic-mi ... e-version/
5) viewtopic.php?t=110864 (post number 6)

Thanks :)

Re: Best scripts for firewall and router protection  [SOLVED]

Posted: Fri Apr 06, 2018 10:09 pm
by Sob
Let it be a lesson that one should never use configs from the internet without understanding what they do. :)

If you want something more secure than the default firewall, a good first step is to define why the default firewall is not secure enough for you. There isn't anything like one best firewall, only a good or bad firewall for a given purpose. Also, there's usually more than one way to reach the goal. Sometimes there are small functional differences, sometimes it's just a matter of personal preference.

For example, I upgraded one spare RB450 to the current RouterOS 6.41.3 and the default firewall config is the following.

Input (traffic to router itself):
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
Forward (traffic going through router):
/ip firewall filter
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
NAT config (just standard masquerade, nothing interesting):
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
If you look at it, you can see the basic assumption that LAN is trusted, WAN isn't. Other possible interfaces differ between input and forward.

Input accepts packets for established and related connections; that's a good thing pretty much always. It also accepts untracked packets, but that doesn't do anything by default; you first need to tell the router that some packets should not be tracked. Next is blocking of invalid packets (e.g. not part of any existing connection, or such that could be the start of a new connection), that's also good for most non-advanced setups. Then it accepts ICMP, because usually accepting it will make your life easier more than not accepting it makes life hard for evil hackers. Some people prefer to disable ICMP and then rejoice when some online scanner congratulates them for being "stealth". Well, if they like it... Hopefully they won't continue to do so with IPv6, because there it will break things for sure. If you know what you're doing, you can do some sensible ICMP filtering, but I don't think it's worth it for most setups. Maybe if you're connecting a nuclear facility or something. ;) Finally everything coming from somewhere other than LAN is dropped (LAN is defined as an interface list elsewhere). So there really isn't much to improve.

Forward accepts traffic from and to IPsec tunnels. It doesn't do anything if you don't have any, and if you don't plan to, you can remove these rules and save a few CPU cycles. Fasttrack for established and related connections can speed things up and lower CPU usage. The next accept rule is the same as for input, for stuff that can't be fasttracked. Dropping invalid connections is also the same. Finally everything from WAN is dropped, unless it's a forwarded port.
So as you can see, it's also pretty secure. What I don't like much is that everything else is allowed by default. E.g. if you connect to a VPN, anything from there will be allowed to access LAN. On the other hand, connecting to a VPN is an extra step. If you don't do it, there's only LAN and WAN, nothing else. And it's safe, because if you don't forward any port inside, the router won't let anything pass from WAN to LAN. So again, nothing much to improve for simple setups.

Compare it with that loooong 4). I'm not saying it's wrong. Some parts I'm allergic to, e.g. that "virus blocking" (try to find info about those names, some of them are not even from this millennium). Some ideas could be useful, e.g. to block traffic to unreachable private addresses leaking to WAN. But as a whole it looks like it was made for a slightly different purpose than a simple home/office router. E.g. why bother with dropping bruteforcers, when you can simply not allow anything from WAN with one rule. Just because it's longer doesn't mean it's better. :)

As for the other links, 2) and 3) are written by MikroTik people, and they look ok. A lot of it is similar to the default config. There are some extras, but it depends on your needs what could be beneficial for you. There are also some possibly useful ideas in 5), but again, it's not good to just copy it without understanding.
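To make the walk-through above concrete, here is a small first-match model of the default rules Sob pasted. It is an added example written for this page, not RouterOS code and not something from the thread: it replays the defconf input and forward chains over a few constructed packets and reports which rule decided each one, which also shows the point about traffic from an interface in neither list (a VPN tunnel) being accepted at the end of the chain. Assumptions: the WAN list contains ether1 and the LAN list contains bridge (the interface names are made up), and the fasttrack-connection action is treated as non-terminating so the packet falls through to the following accept rule.

```python
"""Toy first-match model of the RouterOS 6.41.3 default firewall quoted above.

Added example, not RouterOS code. It evaluates the defconf input/forward rules
in order over constructed packets and returns (action, deciding rule comment).
"""
from dataclasses import dataclass
from typing import Callable, Optional

# Interface lists as the default config expects them (constructed names).
INTERFACE_LISTS = {"WAN": {"ether1"}, "LAN": {"bridge"}}


@dataclass(frozen=True)
class Packet:
    chain: str                   # "input" (to the router) or "forward" (through it)
    in_iface: str                # ingress interface name
    conn_state: str              # new | established | related | untracked | invalid
    protocol: str = "tcp"
    dstnat: bool = False         # the connection was dst-natted (a port forward matched)
    ipsec: Optional[str] = None  # "in"/"out" when the packet matched an IPsec policy


def in_list(iface: str, name: str) -> bool:
    """Mirror of in-interface-list=NAME: is the interface a member of the list?"""
    return iface in INTERFACE_LISTS.get(name, set())


Rule = tuple[str, Callable[[Packet], bool], str, str]

# (chain, matcher, action, comment), in the order the export above lists them.
DEFCONF_RULES: list[Rule] = [
    ("input", lambda p: p.conn_state in ("established", "related", "untracked"),
     "accept", "defconf: accept established,related,untracked"),
    ("input", lambda p: p.conn_state == "invalid", "drop", "defconf: drop invalid"),
    ("input", lambda p: p.protocol == "icmp", "accept", "defconf: accept ICMP"),
    ("input", lambda p: not in_list(p.in_iface, "LAN"),
     "drop", "defconf: drop all not coming from LAN"),
    ("forward", lambda p: p.ipsec == "in", "accept", "defconf: accept in ipsec policy"),
    ("forward", lambda p: p.ipsec == "out", "accept", "defconf: accept out ipsec policy"),
    ("forward", lambda p: p.conn_state in ("established", "related"),
     "fasttrack-connection", "defconf: fasttrack"),
    ("forward", lambda p: p.conn_state in ("established", "related", "untracked"),
     "accept", "defconf: accept established,related, untracked"),
    ("forward", lambda p: p.conn_state == "invalid", "drop", "defconf: drop invalid"),
    ("forward", lambda p: in_list(p.in_iface, "WAN") and p.conn_state == "new" and not p.dstnat,
     "drop", "defconf:  drop all from WAN not DSTNATed"),
]


def evaluate(p: Packet) -> tuple[str, str]:
    """Walk the packet's chain top to bottom; the first terminating match decides."""
    for chain, matches, action, comment in DEFCONF_RULES:
        if chain != p.chain or not matches(p):
            continue
        if action == "fasttrack-connection":
            # Modelling assumption: the rule marks the connection for fasttrack and the
            # packet continues to the next rule, which is why defconf pairs it with accept.
            continue
        return action, comment
    # Nothing matched: a chain without a final drop rule accepts by default.
    return "accept", "implicit accept (end of chain)"


# Constructed sample traffic covering the cases discussed in the post.
SAMPLE_PACKETS = {
    "WAN -> router, new TCP": Packet("input", "ether1", "new"),
    "LAN -> router, new TCP": Packet("input", "bridge", "new"),
    "WAN -> router, ICMP": Packet("input", "ether1", "new", protocol="icmp"),
    "WAN -> LAN, new, no port forward": Packet("forward", "ether1", "new"),
    "WAN -> LAN, new, port forwarded": Packet("forward", "ether1", "new", dstnat=True),
    "WAN -> LAN, reply packet": Packet("forward", "ether1", "established"),
    "VPN tunnel -> LAN, new": Packet("forward", "vpn-tunnel", "new"),
}

if __name__ == "__main__":
    for label, pkt in SAMPLE_PACKETS.items():
        action, why = evaluate(pkt)
        print(f"{label:34} {action:7} {why}")
```

The last sample packet is the case Sob flags: an interface that belongs to neither list reaches the end of the forward chain and is accepted, because the default config only has an explicit drop for WAN.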

Re: Best scripts for firewall and router protection

Posted: Fri Apr 06, 2018 10:40 pm
by DLz47
Thanks a lot for your reply! I will remove the rules from my firewall and copy/paste the default config (should be enough) and then read more about the subject. Maybe the default firewall is fine for me :)

Re: Best scripts for firewall and router protection

Posted: Sat Apr 07, 2018 2:13 pm
by Sob
I'd suggest to first read and understand, then apply it; it's the safer order. And if you're going to use the default config I posted, don't forget to define interface lists. Or resetting the router to factory settings would be a sure way to have everything that's needed and no leftovers. But it depends on how much stuff you already changed, and how much you want to do it again.

You can also export current config using "/export" command and compare it with your device's default config "/system default-configuration print". Both take optional parameter file=<filename> to save it to file that you can copy to PC and work with it there.

Re: Best scripts for firewall and router protection

Posted: Sat Apr 07, 2018 6:58 pm
by DLz47
I'm using the RB951G-2HnD as a bridge (it is the only interface I have configured). What do you mean when you say: <<don't forget to define interface lists.>>? Isn't the interface list already defined in the firewall? Doesn't the firewall update itself once you create a new interface?
Thanks.
By the way, this is the default config:

script: :global ssid;
#| RouterMode:
#| * WAN port is protected by firewall and enabled DHCP client
#| * Wireless and Ethernet interfaces (except WAN port ether1)
#| are part of LAN bridge
#| wlan1 Configuration:
#| mode: ap-bridge;
#| band: 2ghz-b/g/n;
#| ht-chains: 0,1;
#| ht-extension: 20/40mhz-Ce;
#| LAN Configuration:
#| IP address 192.xxx.xx.x/xx is set on bridge (LAN port)
#| DHCP Server: enabled;
#| WAN (gateway) Configuration:
#| gateway: ether1 ;
#| ip4 firewall: enabled;
#| ip6 firewall: enabled;
#| NAT: enabled;
#| DHCP Client: enabled;
#| DNS: enabled;

:log info Starting_defconf_script_;
#-------------------------------------------------------------------------------
The "x" I used in the IP are there for security reasons, but, don't worry, there is the real MikroTik IP there.

Re: Best scripts for firewall and router protection

Posted: Sat Apr 07, 2018 7:48 pm
by squeeze
Either you,

1. Be very careful to understand what parts constitute every component of your firewall from the Default Configuration, then re-apply them to your customized setup, OR

2. Export your config, save the non-firewall parts that you changed from default, then factory reset the router and start over with the default firewall config.

Honestly, almost no home user needs to touch the default firewall on SOHO devices, except to either fully stealth their router if it's Internet-facing (disable ICMP) and/or add a high level Accept exception for a Management subnet or VLAN, so that you cannot lock yourself out of the router. It is very well designed, simple and more than secure enough to guarantee nothing will get through the router from the WAN side that falls under the control of the firewall.

Most of these custom rules you have been looking at are specialisms to clean up traffic or log unexpected behavior that is to be treated by some other more advanced ways. The few remaining more useful ones are extremely situational. None of the rules improve your security more than what you get from the default configuration. They are just different types of monitors and protections.

Finally, you can really mess up your router configuration, waste a TON of time or expose your network to harm by getting the firewall rules wrong without knowing what you are doing.

Re: Best scripts for firewall and router protection

Posted: Sun Apr 08, 2018 1:55 am
by Sob
Isn't the interface list already defined in the firewall?
It depends on by which RouterOS version was your current config originally created. In case it was something old, you would not have LAN and WAN interface lists.
Doesn't the firewall update itself once you create a new interface?
Short answer, no. Long answer, the "all" and "dynamic" lists get updated automatically, but the rest is up to you.

Re: Best scripts for firewall and router protection

Posted: Sun Apr 08, 2018 5:21 pm
by DLz47
Either you,

1. Be very careful to understand what parts constitute every component of your firewall from the Default Configuration, then re-apply them to your customized setup, OR

2. Export your config, save the non-firewall parts that you changed from default, then factory reset the router and start over with the default firewall config.

Honestly, almost no home user needs to touch the default firewall on SOHO devices, except to either fully stealth their router if it's Internet-facing (remove ICMP) and/or add a high level Accept exception for a Management subnet or VLAN, so that you cannot lock yourself out of the router. It is very well designed, simple and more than secure enough to guarantee nothing will get through the router from the WAN side that falls under the control of the firewall.

Most of these custom rules you have been looking at are specialisms to clean up traffic or log unexpected behavior that is to be treated by some other more advanced ways. The few remaining more useful ones are extremely situational. None of the rules improve your security more than what you get from the default configuration. They are just different types of monitors and protections.

Finally, you can really mess up your router configuration, waste a TON of time or expose your network to harm by getting the firewall rules wrong without knowing what you are doing.
Thanks for the reply. How do I export only the non-firewall part of my config? Do I have to use the command "ip address> export file=address" or something else? For the factory reset I can do it in WinBox, right? I don't need to use the button on the routerboard, right?
Thanks
Isn't the interface list already defined in the firewall?
It depends on by which RouterOS version was your current config originally created. In case it was something old, you would not have LAN and WAN interface lists.
Doesn't the firewall update itself once you create a new interface?
Short answer, no. Long answer, the "all" and "dynamic" lists get updated automatically, but the rest is up to you.
Ok, thanks. Then how do I update the interface list? What is the command I should use?
Thanks

Re: Best scripts for firewall and router protection

Posted: Sun Apr 08, 2018 5:47 pm
by Sob
To export config, just use "/export file=oldconfig" and you'll get everything. There won't be too much, if you didn't do extensive changes. And it should be clear what parts of it you want to keep.

Reset can be done from System->Reset Configuration.

Interface lists are defined in Interfaces->Interface List.

Re: Best scripts for firewall and router protection

Posted: Sun Apr 08, 2018 6:00 pm
by squeeze
Before anything else. I just want to clarify your initial post for other new people:

The best additional protections for your new Mikrotik router are simply everything on "Manual:Securing Your Router" page before the "Firewall" section.

Absolutely stop reading past this point: "We strongly suggest to keep default firewall on. Here are few adjustment to make it more secure, make sure to apply the rules, when you understand what are they doing."

Proceed beyond that point only if you are an IT pro at a business or other organisation. Period.

===

Ok, now that's answered.

As you say, you can export via the Terminal command:
/export file=whatever

You can reset to the default configuration, without factory resetting, using the Terminal command of "/system reset-configuration" or System -> Reset Configuration.

However, I'm a firm believer in performing a firmware reset + firmware upgrade, then a firmware reset again when you receive a brand new router, for other reasons (to clear your device of any tampering, check the upgrade process, then clear to default configuration). All MikroTik devices should come with some instructions on a piece of paper in their box for resetting the router - it is very straightforward. If you are missing those instructions, the general instructions are in the Wiki.

If you have not made any changes to the default ports, bridges, wireless, VLANs, portforwarding etc, then you are done and have a nice, clean, shiny up-to-date router to work with.

If you have made the non-firewall changes mentioned above, then you'll have to pick out those commands from the "whatever.rsc" exported file. They are all very clear text commands, so should not be difficult to just copy and paste them into the Terminal (or a new file and then the Terminal, for future documentation). Just ignore anything that says "firewall".

If you have indirectly fiddled with the Firewall, e.g. by port forwarding or making/modifying Firewall Address Lists, but know or have documented what you have done, then you can just start over. Done.

If you have indirectly fiddled with the Firewall AND forgotten what you've done, then for port forwarding, you would need to pick out any "srcnat" and "dstnat" "/ip firewall" commands to re-apply. Similarly, for Firewall Address Lists, you would need to pick out any changes via "/ip firewall address-list add list=something". Re-apply the commands and test them. Done.
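The sorting squeeze describes (keep the non-firewall commands, pick out the srcnat/dstnat and address-list entries, ignore the rest of the firewall) can be done mechanically on the exported file. The script below is an added example written for this page, not a MikroTik tool and not code from the thread. It parses a constructed `/export` file (the device name, MAC, SSID and addresses in it are made up; 192.168.88.0/24 is the RouterOS default LAN), joins the backslash-continued lines, tracks the `/menu path` section each command belongs to, and skips anything tagged `comment=defconf`, on the assumption that the reset itself recreates those entries, so re-applying them would create duplicates.

```python
"""Sort a RouterOS '/export' file into what to re-apply after a reset.

Added example, not a MikroTik tool. Buckets: non-firewall commands, custom NAT
(srcnat/dstnat), custom address lists, other custom firewall rules (to review by
hand) and defconf entries (recreated by the reset, so not re-applied).
"""
import re
from collections import defaultdict

# Constructed sample export; names and addresses are not from a real device.
SAMPLE_EXPORT = """\
# apr/08/2018 17:00:00 by RouterOS 6.41.3
#
/interface bridge
add admin-mac=02:00:00:00:00:01 auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n disabled=no mode=ap-bridge \\
    ssid=HomeWifi
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip firewall address-list
add address=203.0.113.0/24 list=blocked-guests
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" \\
    connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=input comment="block guest net" src-address=192.168.1.0/24
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none \\
    out-interface-list=WAN
add action=dst-nat chain=dstnat comment="web forward" dst-port=8080 in-interface-list=WAN \\
    protocol=tcp to-addresses=192.168.88.10 to-ports=80
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
"""

# Default-config entries carry comment=defconf or comment="defconf: ..."
DEFCONF_COMMENT = re.compile(r'comment=("?)defconf')


def parse_export(text: str) -> list[tuple[str, str]]:
    """Return (section, command) pairs; sections are '/ip firewall nat'-style
    menu paths, backslash-continued lines are joined, '#' comments skipped."""
    entries: list[tuple[str, str]] = []
    section = None
    pending = ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if pending:
            line = pending + " " + line.strip()
            pending = ""
        if line.endswith("\\"):            # continued on the next line
            pending = line[:-1].rstrip()
            continue
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):           # new menu section
            section = line
            continue
        if section is None:
            raise ValueError(f"command before any section: {line!r}")
        entries.append((section, line))
    return entries


def is_defconf(command: str) -> bool:
    return DEFCONF_COMMENT.search(command) is not None


def classify(entries: list[tuple[str, str]]) -> dict[str, list[tuple[str, str]]]:
    """Bucket commands the way the post describes: keep non-firewall changes,
    pick out custom NAT and address lists, flag other firewall rules for review."""
    buckets: dict[str, list[tuple[str, str]]] = {
        "non_firewall": [], "nat": [], "address_list": [], "filter": [], "defconf": []}
    for section, cmd in entries:
        if is_defconf(cmd):
            buckets["defconf"].append((section, cmd))      # restored by the reset itself
        elif "firewall" not in section:
            buckets["non_firewall"].append((section, cmd))
        elif section == "/ip firewall nat":
            buckets["nat"].append((section, cmd))          # port forwards, masquerade
        elif section == "/ip firewall address-list":
            buckets["address_list"].append((section, cmd))
        else:
            buckets["filter"].append((section, cmd))       # custom filter/mangle/raw: review
    return buckets


def render(entries: list[tuple[str, str]]) -> str:
    """Regroup (section, command) pairs into an .rsc-style script for the Terminal."""
    by_section: dict[str, list[str]] = defaultdict(list)
    for section, cmd in entries:
        by_section[section].append(cmd)
    lines: list[str] = []
    for section, cmds in by_section.items():
        lines.append(section)
        lines.extend(cmds)
    return "\n".join(lines) + "\n"


def reapply_script(text: str) -> str:
    """Everything safe to paste back after a reset: non-firewall, custom NAT, address lists."""
    b = classify(parse_export(text))
    return render(b["non_firewall"] + b["nat"] + b["address_list"])


if __name__ == "__main__":
    print(reapply_script(SAMPLE_EXPORT))
```

Anything that lands in the `filter` bucket (here the custom "block guest net" rule) is deliberately left out of the generated script, matching the advice to start over from the default firewall and add such rules back only once you understand them.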

Re: Best scripts for firewall and router protection

Posted: Sun Apr 08, 2018 10:09 pm
by patrikg

Re: Best scripts for firewall and router protection

Posted: Mon Apr 09, 2018 11:38 am
by DLz47
To export config, just use "/export file=oldconfig" and you'll get everything. There won't be too much, if you didn't do extensive changes. And it should be clear what parts of it you want to keep.

Reset can be done from System->Reset Configuration.

Interface lists are defined in Interfaces->Interface List.
Oh, ok then. My interface list is already updated with the interface (the bridge) I configured. I thought that something else was needed.
Thanks.
Before anything else. I just want to clarify your initial post for other new people:

The best additional protections for your new Mikrotik router are simply everything on "Manual:Securing Your Router" page before the "Firewall" section.

Absolutely stop reading past this point: "We strongly suggest to keep default firewall on. Here are few adjustment to make it more secure, make sure to apply the rules, when you understand what are they doing."

Proceed beyond that point only if you are an IT pro at a business or other organisation. Period.

===

Ok, now that's answered.

As you say, you can export via the Terminal command:
/export file=whatever

You can reset to the default configuration, without factory resetting, using the Terminal command of "/system reset-configuration" or System -> Reset Configuration.

However, I'm a firm believer in performing a firmware reset + firmware upgrade, then a firmware reset again when you receive a brand new router, for other reasons (to clear your device of any tampering, check the upgrade process, then clear to default configuration). All MikroTik devices should come with some instructions on a piece of paper in their box for resetting the router - it is very straightforward. If you are missing those instructions, the general instructions are in the Wiki.

If you have not made any changes to the default ports, bridges, wireless, VLANs, portforwarding etc, then you are done and have a nice, clean, shiny up-to-date router to work with.

If you have made the non-firewall changes mentioned above, then you'll have to pick out those commands from the "whatever.rsc" exported file. They are all very clear text commands, so should not be difficult to just copy and paste them into the Terminal (or a new file and then the Terminal, for future documentation). Just ignore anything that says "firewall".

If you have indirectly fiddled with the Firewall, e.g. by port forwarding or making/modifying Firewall Address Lists, but know or have documented what you have done, then you can just start over. Done.

If you have indirectly fiddled with the Firewall AND forgotten what you've done, then for port forwarding, you would need to pick out any "srcnat" and "dstnat" "/ip firewall" commands to re-apply. Similarly, for Firewall Address Lists, you would need to pick out any changes via "/ip firewall address-list add list=something". Re-apply the commands and test them. Done.
I already did the firmware reset + upgrade + reset when I got the router, so I guess I'm fine with just the reset from WinBox and editing the config file with Notepad.
Thanks
Thanks for the tutorial!

Re: Best scripts for firewall and router protection

Posted: Wed Dec 26, 2018 10:21 pm
by Kampfwurst
I'm also looking for a new firewall "script" for my new MikroTik home router. Is the gregsowell script "usable" or does someone have better firewall settings?

Re: Best scripts for firewall and router protection

Posted: Sat Dec 29, 2018 11:13 pm
by Dassault
if you connect to VPN, anything from there will be allowed to access LAN. On the other hand, connecting to VPN is extra step. If you don't do it, there's only LAN and WAN, nothing else. And it's safe, because if you don't forward any port inside, router won't let anything pass from WAN to LAN. So again, nothing much to improve for simple setups.
Hi Sob, I have some concern about the point I quoted from your well-explained reply. If I want to add a VPN connection from one of the VPS servers like NordVPN or others, so I will only use it for outgoing traffic, with the default setup, could they access my local LAN hosts? In this case, what would be a good way to allow only outgoing traffic or NAT: set the VPN interface as a WAN one? Could that work? Should I add some rule to block new incoming traffic from the VPN tunnel, or is the default config correct to handle this scenario relatively well?

Thanks

Re: Best scripts for firewall and router protection

Posted: Thu Jan 03, 2019 10:46 pm
by nitrohydride
I do not want to create a new topic, so I decided to ask my question here.

According to Basic Router protection from the MikroTik Wiki,
I have this line:
 add chain=input comment="Accept all connections from local network" in-interface=LAN
In my router I have separate networks for trusted users (10.10.10.0) and guest wifi (192.168.1.0). Considering I have two LAN networks, I assume I should add the rule:
add chain=input comment="Accept all connections from local network" in-interface=GUEST
Then in the basic rules from the wiki I have:
 add action=drop chain=forward comment="Drop all packets from local network to internet which should not exist in public network" dst-address-list=NotPublic in-interface=LAN
 add action=drop chain=forward comment="Drop all packets in local network which does not have local network address" in-interface=LAN src-address=!192.168.88.0/24
Same scenario as before. I copied this rule for the LAN interface. Should I create it for the Guest interface as well?


EDIT:

Now I get it. This rule allows people from my LAN networks to access the router. I shouldn't let people from guest wifi connect to the router. Actually I shouldn't let people from the LAN network connect to the router, so I granted access to the router only for 1 IP from the local network and dropped all other connections in the input chain.

This question is one big misunderstanding :D