reevansxyz (Topic Author)

IPv4 & 6 firewall

Tue Aug 02, 2022 11:31 pm

Greetings MikroTik fam,

If you look below, I've listed my config for IPv4 & 6 firewall; considering that this is my 1st attempt at it, would you mind pointing out what I did wrong or could have done better?

Cheers!
Reev


#| IPv4 Firewall
#-------------------------------------------------------------------------------
/ip firewall {
  # no space allowed between "=" and the value, otherwise the parser rejects the line
  address-list add list=allowed_to_router address=10.17.1.2-10.17.1.254 comment="allowed_to_router"
  address-list add list=not_in_internet address=0.0.0.0/8 comment="RFC6890"
  address-list add list=not_in_internet address=172.16.0.0/12 comment="RFC6890"
  address-list add list=not_in_internet address=192.168.0.0/16 comment="RFC6890"
  address-list add list=not_in_internet address=10.0.0.0/8 comment="RFC6890"
  address-list add list=not_in_internet address=169.254.0.0/16 comment="RFC6890"
  address-list add list=not_in_internet address=127.0.0.0/8 comment="RFC6890"
  address-list add list=not_in_internet address=224.0.0.0/4 comment="Multicast"
  address-list add list=not_in_internet address=198.18.0.0/15 comment="RFC6890"
  address-list add list=not_in_internet address=192.0.0.0/24 comment="RFC6890"
  address-list add list=not_in_internet address=192.0.2.0/24 comment="RFC6890"
  address-list add list=not_in_internet address=198.51.100.0/24 comment="RFC6890"
  address-list add list=not_in_internet address=203.0.113.0/24 comment="RFC6890"
  address-list add list=not_in_internet address=100.64.0.0/10 comment="RFC6890"
  address-list add list=not_in_internet address=240.0.0.0/4 comment="RFC6890"
  address-list add list=not_in_internet address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]"
  filter add chain=input action=accept connection-state=established,related comment="accept established,related"
  filter add chain=input action=drop connection-state=invalid comment="drop invalid"
  filter add chain=input action=drop protocol=udp dst-port=53 in-interface-list=WAN comment="drop DNS queries from WAN"
  filter add chain=input action=drop protocol=tcp dst-port=53 in-interface-list=WAN comment="drop DNS queries from WAN"
  filter add chain=input action=accept src-address-list=allowed_to_router comment="accept access to router based on address list allowed_to_router"
  filter add chain=input action=accept protocol=icmp comment="accept ICMP"
  filter add chain=input action=accept dst-address=127.0.0.1 comment="accept to local loopback (for CAPsMAN)"
  filter add chain=input action=drop in-interface-list=!LAN comment="drop all not coming from LAN"
  filter add chain=forward action=accept ipsec-policy=in,ipsec comment="accept in ipsec policy"
  filter add chain=forward action=accept ipsec-policy=out,ipsec comment="accept out ipsec policy"
  filter add chain=forward action=fasttrack-connection connection-state=established,related comment="fasttrack"
  filter add chain=forward action=accept connection-state=established,related comment="accept established,related"
  filter add chain=forward action=drop connection-state=invalid log=yes log-prefix=invalid comment="drop invalid"
  # log-prefix values quoted so "!" is taken literally and not as a negation
  filter add chain=forward action=drop dst-address-list=not_in_internet in-interface-list=LAN out-interface-list=!LAN log=yes log-prefix="!public_from_LAN" comment="drop tries to reach not public addresses from LAN"
  filter add chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN log=yes log-prefix="!NAT" comment="drop all from WAN not DSTNATed"
  filter add chain=forward action=jump protocol=icmp jump-target=icmp comment="jump to ICMP filters"
  filter add chain=forward action=drop src-address-list=not_in_internet in-interface-list=WAN log=yes log-prefix="!public" comment="drop incoming from WAN which is not public IP"
  filter add chain=forward action=drop src-address=!10.17.1.0/24 in-interface-list=LAN log=yes log-prefix="LAN_!LAN" comment="drop packets from LAN that do not have LAN IP"
  filter add chain=icmp action=accept protocol=icmp icmp-options=0:0 comment="echo reply"
  filter add chain=icmp action=accept protocol=icmp icmp-options=3:0 comment="net unreachable"
  filter add chain=icmp action=accept protocol=icmp icmp-options=3:1 comment="host unreachable"
  filter add chain=icmp action=accept protocol=icmp icmp-options=3:4 comment="host unreachable fragmentation required"
  filter add chain=icmp action=accept protocol=icmp icmp-options=8:0 comment="allow echo request"
  filter add chain=icmp action=accept protocol=icmp icmp-options=11:0 comment="allow time exceed"
  filter add chain=icmp action=accept protocol=icmp icmp-options=12:0 comment="allow parameter bad"
  filter add chain=icmp action=drop comment="deny all other types"
  filter add chain=forward action=accept in-interface=zerotier1 place-before=0 comment="accept ZeroTier"
  filter add chain=input action=accept in-interface=zerotier1 place-before=0 comment="accept ZeroTier"
}

#| IPv6 Firewall
#-------------------------------------------------------------------------------
/ipv6 firewall {
  address-list add list=bad_ipv6 address=::/128 comment="unspecified address"
  address-list add list=bad_ipv6 address=::1 comment="lo"
  address-list add list=bad_ipv6 address=fec0::/10 comment="site-local"
  address-list add list=bad_ipv6 address=::ffff:0:0/96 comment="ipv4-mapped"
  address-list add list=bad_ipv6 address=::/96 comment="ipv4 compat"
  address-list add list=bad_ipv6 address=100::/64 comment="discard only "
  address-list add list=bad_ipv6 address=2001:db8::/32 comment="documentation"
  address-list add list=bad_ipv6 address=2001:10::/28 comment="ORCHID"
  address-list add list=bad_ipv6 address=3ffe::/16 comment="6bone"
  filter add chain=input action=accept connection-state=established,related comment="accept established,related"
  filter add chain=input action=drop connection-state=invalid comment="drop invalid"
  filter add chain=input action=accept protocol=icmpv6 comment="accept ICMPv6"
  filter add chain=input action=accept protocol=udp port=33434-33534 comment="accept UDP traceroute"
  filter add chain=input action=accept protocol=udp dst-port=546 src-address=fe80::/16 comment="accept DHCPv6-Client prefix delegation."
  filter add chain=input action=accept protocol=udp dst-port=500,4500 comment="accept IKE"
  filter add chain=input action=accept protocol=ipsec-ah comment="accept ipsec AH"
  filter add chain=input action=accept protocol=ipsec-esp comment="accept ipsec ESP"
  filter add chain=input action=accept ipsec-policy=in,ipsec comment="accept all that matches ipsec policy"
  filter add chain=input action=drop in-interface-list=!LAN comment="drop everything else not coming from LAN"
  filter add chain=forward action=accept connection-state=established,related comment="accept established,related"
  # log-prefix quoted so the comma is not parsed as a list separator
  filter add chain=forward action=drop connection-state=invalid log=yes log-prefix="ipv6,invalid" comment="drop invalid"
  filter add chain=forward action=drop src-address-list=bad_ipv6 comment="drop packets with bad src ipv6"
  filter add chain=forward action=drop dst-address-list=bad_ipv6 comment="drop packets with bad dst ipv6"
  filter add chain=forward action=drop protocol=icmpv6 hop-limit=equal:1 comment="rfc4890 drop hop-limit=1"
  filter add chain=forward action=accept protocol=icmpv6 comment="accept ICMPv6"
  filter add chain=forward action=accept protocol=139 comment="accept HIP"
  filter add chain=forward action=accept protocol=udp dst-port=500,4500 comment="accept IKE"
  filter add chain=forward action=accept protocol=ipsec-ah comment="accept ipsec AH"
  filter add chain=forward action=accept protocol=ipsec-esp comment="accept ipsec ESP"
  filter add chain=forward action=accept ipsec-policy=in,ipsec comment="accept all that matches ipsec policy"
  filter add chain=forward action=drop in-interface-list=!LAN comment="drop everything else not coming from LAN"
}
 
rextended (Forum Guru)

Re: IPv4 & 6 firewall  [SOLVED]

Tue Aug 02, 2022 11:50 pm

For example, this rule:
add chain=input action=drop in-interface-list=!LAN comment="drop all not coming from LAN"

makes these perfectly useless:
add chain=input action=drop protocol=udp dst-port=53 in-interface-list=WAN comment="drop DNS queries from WAN"
add chain=input action=drop protocol=tcp dst-port=53 in-interface-list=WAN comment="drop DNS queries from WAN"

and all ICMP rules on forward are useless (unless you use public IPs on the internal LAN).
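The shadowing rextended points out can be checked mechanically rather than by reading the chain top to bottom. The Python below is an added example, not code from the thread or from MikroTik: it abstracts each matcher of the posted IPv4 input chain to a small finite domain, enumerates every abstract packet, reports which rule decides each one under RouterOS first-match semantics, and lists the packets whose verdict changes when the two DNS rules are removed. The domains, the field names and the dst-loopback flag standing in for dst-address=127.0.0.1 are assumptions of the model; the ZeroTier rule added with place-before=0 is left out because it sits above all of these rules and accepts everything from zerotier1 before they are reached.

```python
"""Exhaustive first-match analysis of the posted IPv4 input chain.

Added example; not code from the thread or from MikroTik.  Each matcher is
abstracted to a small finite domain so the whole packet space can be
enumerated and every rule's real effect measured.  Field names, domains and
the "dst-loopback" flag (standing in for dst-address=127.0.0.1) are
assumptions of this model, not RouterOS internals.
"""
from itertools import product

# Constructed abstract domains: just enough values to tell the rules apart.
IFACE_LISTS = ("LAN", "WAN")
PROTOCOLS = ("tcp", "udp", "icmp")
DST_PORTS = (53, 8291, None)                # None: icmp carries no port
CONN_STATES = ("new", "established", "related", "invalid")
SRC_LISTS = ("allowed_to_router", "other")  # "other" = any source not on the list
DST_LOOPBACK = (True, False)

# The posted input chain, in order (ZeroTier rule omitted: with place-before=0
# it sits above all of these and accepts everything from zerotier1 first).
INPUT_CHAIN = [
    {"action": "accept", "connection-state": ("established", "related"),
     "comment": "accept established,related"},
    {"action": "drop", "connection-state": ("invalid",), "comment": "drop invalid"},
    {"action": "drop", "protocol": "udp", "dst-port": 53, "in-interface-list": "WAN",
     "comment": "drop DNS queries from WAN (udp)"},
    {"action": "drop", "protocol": "tcp", "dst-port": 53, "in-interface-list": "WAN",
     "comment": "drop DNS queries from WAN (tcp)"},
    {"action": "accept", "src-address-list": "allowed_to_router",
     "comment": "accept allowed_to_router"},
    {"action": "accept", "protocol": "icmp", "comment": "accept ICMP"},
    {"action": "accept", "dst-loopback": True, "comment": "accept to local loopback"},
    {"action": "drop", "in-interface-list": "!LAN", "comment": "drop all not coming from LAN"},
]


def matches(rule, pkt):
    """True when every matcher present in the rule agrees with the packet."""
    for key, want in rule.items():
        if key in ("action", "comment"):
            continue
        have = pkt[key]
        if key == "connection-state":
            if have not in want:
                return False
        elif key == "in-interface-list" and want.startswith("!"):
            if have == want[1:]:                # "!LAN" matches anything but LAN
                return False
        elif have != want:
            return False
    return True


def verdict(chain, pkt):
    """RouterOS filter semantics: first matching rule decides; no match = accept."""
    for idx, rule in enumerate(chain):
        if matches(rule, pkt):
            return rule["action"], idx
    return "accept", None


def packet_space():
    """Every abstract packet; icmp has no port, tcp/udp always have one."""
    for iface, proto, port, state, src, lo in product(
            IFACE_LISTS, PROTOCOLS, DST_PORTS, CONN_STATES, SRC_LISTS, DST_LOOPBACK):
        if (proto == "icmp") != (port is None):
            continue
        yield {"in-interface-list": iface, "protocol": proto, "dst-port": port,
               "connection-state": state, "src-address-list": src, "dst-loopback": lo}


def rule_effects(chain):
    """Map rule index -> packets that rule actually decides under first-match."""
    decided = {i: [] for i in range(len(chain))}
    for pkt in packet_space():
        _, idx = verdict(chain, pkt)
        if idx is not None:
            decided[idx].append(pkt)
    return decided


def without(chain, indices):
    """The chain with the given rule indices removed."""
    return [r for i, r in enumerate(chain) if i not in indices]


def differential(chain, indices):
    """Packets whose verdict changes when the given rules are removed."""
    reduced = without(chain, indices)
    return [p for p in packet_space() if verdict(chain, p)[0] != verdict(reduced, p)[0]]


if __name__ == "__main__":
    for i, pkts in rule_effects(INPUT_CHAIN).items():
        print(f"{i}: {INPUT_CHAIN[i]['comment']:<40} decides {len(pkts):3d} packets")
    changed = differential(INPUT_CHAIN, {2, 3})
    print(f"\nremoving rules 2 and 3 changes the verdict for {len(changed)} packets:")
    for p in changed:
        print("  ", p)
```

Run as is, the two DNS rules decide only new packets from WAN to port 53, and a plain WAN DNS query ends on the final "drop all not coming from LAN" rule whether they are present or not, which is the point above. The differential also shows the one residual case the model can see: WAN packets to port 53 whose source is in allowed_to_router or whose destination is the loopback would be accepted without the DNS rules, because neither of those accept rules in the posted chain is tied to an interface list.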
 
reevansxyz (Topic Author)

Re: IPv4 & 6 firewall

Wed Aug 03, 2022 1:04 am

Thanks a heap for pointing out the above, rextended; looking forward to learning something new every day :)
