stpaulshobonier
just joined
Topic Author
Posts: 12
Joined: Thu Apr 07, 2022 4:34 am

question about firewall And internet ports  [SOLVED]

Thu Apr 07, 2022 4:46 am

I'm trying to block all internet ports through my router, 0-65535,

but only allow internet access. I just want to make sure I have the correct ports open.

What I have open:
port 80 TCP & UDP
port 443 TCP & UDP
port 53 TCP & UDP

Please let me know if I need to allow any more ports through.

I also blocked 0-65535 TCP & UDP on input and output.

Any suggestions? Thanks.
 
anav
Forum Guru
Posts: 19318
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: question about firewall And internet ports

Thu Apr 07, 2022 7:06 pm

The default firewall rules are safe to start with.
All you need to do is add dst-nat rules for port forwarding and perhaps specific VPN ports on the input chain.
Without seeing your config it's hard to say, but chances are you may have made a mess of things.

Please post your config:
/export hide-sensitive file=anynameyouwish

viewtopic.php?t=182373
 
stpaulshobonier
just joined
Topic Author
Posts: 12
Joined: Thu Apr 07, 2022 4:34 am

Re: question about firewall And internet ports

Thu Apr 07, 2022 8:28 pm

/ip firewall filter
add action=accept chain=forward comment="allow dns" dst-port=53 protocol=tcp
add action=accept chain=forward comment="allow dns" dst-port=53 protocol=udp
add action=accept chain=forward comment="allow http" dst-port=80 protocol=tcp
add action=accept chain=forward comment="allow http" dst-port=80 protocol=udp
add action=accept chain=forward comment="allow https" dst-port=443 protocol=\
tcp
add action=accept chain=forward comment="allow https" dst-port=443 protocol=\
udp
add action=accept chain=forward comment="allow ntp" dst-port=123 protocol=tcp
add action=accept chain=forward comment="allow ntp" dst-port=123 protocol=udp
add action=drop chain=input comment="blocked to internet" dst-port=0-65535 \
protocol=tcp
add action=drop chain=input comment="blocked to internet" dst-port=0-65535 \
protocol=udp
add action=drop chain=output comment="blocked to internet" dst-port=0-65535 \
protocol=tcp
add action=drop chain=output comment="blocked to internet" dst-port=0-65535 \
protocol=udp
add action=drop chain=forward comment="blocked thru router" disabled=yes \
dst-port=444-65535 protocol=udp
add action=drop chain=forward comment="blocked thru router" disabled=yes \
dst-port=444-65535 protocol=tcp
add action=drop chain=forward comment="blocked thru router" disabled=yes \
dst-port=0-52 protocol=tcp
add action=drop chain=forward comment="blocked thru router" disabled=yes \
dst-port=0-52 protocol=udp
add action=drop chain=forward comment="blocked thru router" disabled=yes \
dst-port=54-79 protocol=tcp
add action=drop chain=forward comment="blocked thru router" disabled=yes \
dst-port=54-79 protocol=udp
add action=drop chain=forward comment="blocked thru router" disabled=yes \
dst-port=81-122 protocol=tcp
add action=drop chain=forward comment="blocked thru router" disabled=yes \
dst-port=81-122 protocol=udp
add action=drop chain=forward comment="blocked thru router" disabled=yes \
dst-port=124-442 protocol=tcp
add action=drop chain=forward comment="blocked thru router" disabled=yes \
dst-port=124-442 protocol=udp
add action=drop chain=forward comment="blocked thru router" disabled=yes \
dst-port=442-443 protocol=tcp
add action=drop chain=forward comment="blocked thru router" disabled=yes \
dst-port=442-443 protocol=udp
add action=drop chain=forward comment="blocked thru router" disabled=yes \
dst-port=4445-8189 protocol=tcp
add action=drop chain=forward comment="blocked thru router" disabled=yes \
dst-port=4445-8189 protocol=udp
add action=drop chain=forward comment="blocked thru router" disabled=yes \
dst-port=8191 protocol=tcp
add action=drop chain=forward comment="blocked thru router" disabled=yes \
dst-port=8191 protocol=udp
add action=drop chain=forward protocol=ggp
add action=drop chain=forward protocol=st
add action=drop chain=forward protocol=icmp
add action=drop chain=forward protocol=igmp
add action=drop chain=forward protocol=egp
add action=drop chain=forward protocol=ipencap
add action=drop chain=forward protocol=pup
add action=drop chain=forward protocol=hmp
add action=drop chain=forward protocol=xns-idp
add action=drop chain=forward protocol=rdp
add action=drop chain=forward protocol=iso-tp4
add action=drop chain=forward protocol=dccp
add action=drop chain=forward protocol=xtp
add action=drop chain=forward protocol=ddp
add action=drop chain=forward protocol=idpr-cmtp
add action=drop chain=forward protocol=rsvp
add action=drop chain=forward protocol=ipv6-encap
add action=drop chain=forward protocol=gre
add action=drop chain=forward protocol=ipsec-esp
add action=drop chain=forward protocol=ipsec-ah
add action=drop chain=forward protocol=rspf
add action=drop chain=forward protocol=vmtp
add action=drop chain=forward protocol=ospf
add action=drop chain=forward protocol=ipip
add action=drop chain=forward protocol=etherip
add action=drop chain=forward protocol=encap
add action=drop chain=forward protocol=pim
add action=drop chain=forward protocol=vrrp
add action=drop chain=forward protocol=l2tp
add action=drop chain=forward protocol=sctp
add action=drop chain=forward protocol=udp-lite
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
 
Sob
Forum Guru
Posts: 9120
Joined: Mon Apr 20, 2009 9:11 pm

Re: question about firewall And internet ports

Thu Apr 07, 2022 8:39 pm

Wow. :D Wouldn't it be better to use:
/ip firewall filter
add chain=forward connection-state=established,related,untracked action=accept
add chain=forward connection-state=invalid action=drop
<add here what you want to allow>
add chain=forward action=drop comment="drop everything else"
 
anav
Forum Guru
Posts: 19318
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: question about firewall And internet ports

Thu Apr 07, 2022 9:10 pm

Which is very, very close to the default rules, Sob.
Just some minor modifications and one is there.

I have to ask where the OP got the impression all that bloat was required. YouTube???

In any case, check out item B here - viewtopic.php?t=182373
 
stpaulshobonier
just joined
Topic Author
Posts: 12
Joined: Thu Apr 07, 2022 4:34 am

Re: question about firewall And internet ports

Thu Apr 07, 2022 10:03 pm

I dropped 0-65535 on input and output. Does that drop everything from and to the internet? Is that correct?
 
anav
Forum Guru
Posts: 19318
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: question about firewall And internet ports

Thu Apr 07, 2022 10:17 pm

What we are saying is that you didn't invent router security and have no clue how to go about it in MikroTik routers, or more accurately in their ROS software design.
So instead of sticking your head in the sand, attempt to learn what the default rules are actually doing, and then you will understand why your request seems rather silly.
 
stpaulshobonier
just joined
Topic Author
Posts: 12
Joined: Thu Apr 07, 2022 4:34 am

Re: question about firewall And internet ports

Thu Apr 07, 2022 10:29 pm

I know how to configure rules.

Forward is through the router,
input is to the internet,
and output is out to the internet.

I just needed some help; I just wanted to know what ports I need to connect to the internet.

I thought someone on this forum would know what I'm trying to accomplish.
 
anav
Forum Guru
Posts: 19318
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: question about firewall And internet ports

Thu Apr 07, 2022 10:34 pm

Depends on your requirements.
Normally the only traffic direction allowed by default (external to the router) is LAN to WAN; is that your concern?
Which ports you want to allow in that direction is up to you.
Personally I don't block any ports LAN to WAN.

Asked in a different way, what are you afraid of? Or is there some advice you read that you are following?
 
stpaulshobonier
just joined
Topic Author
Posts: 12
Joined: Thu Apr 07, 2022 4:34 am

Re: question about firewall And internet ports

Thu Apr 07, 2022 10:43 pm

I just wanted to block all ports through the router except

port 80 HTTP
port 443 HTTPS
53 DNS
 
own3r1138
Long time Member
Posts: 688
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades

Re: question about firewall And internet ports

Thu Apr 07, 2022 10:49 pm

> I just wanted to block all ports through the router except
>
> port 80 HTTP
> port 443 HTTPS
> 53 DNS

/ip/firewall/filter add action=drop chain=input dst-port=!80,443,53 protocol=tcp

This is just an example; don't copy-paste it.
 
anav
Forum Guru
Posts: 19318
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: question about firewall And internet ports

Thu Apr 07, 2022 10:52 pm

> I just wanted to block all ports through the router except
>
> port 80 HTTP
> port 443 HTTPS
> 53 DNS
>
> /ip/firewall/filter add action=drop chain=input dst-port=!80,443,53 protocol=tcp
>
> This is just an example; don't copy-paste it.

One has to be careful of rule implementation!
For example, the rule above blocks access to the router itself on ALL ports except the three noted, from WAN and LAN.
Just to be clear!!

It does not block any traffic from WAN to LAN or LAN to WAN.
It blocks access to WinBox from the LAN, depending upon the WinBox port.
Last edited by anav on Thu Apr 07, 2022 10:54 pm, edited 2 times in total.
 
stpaulshobonier
just joined
Topic Author
Posts: 12
Joined: Thu Apr 07, 2022 4:34 am

Re: question about firewall And internet ports

Thu Apr 07, 2022 10:52 pm

> I just wanted to block all ports through the router except
>
> port 80 HTTP
> port 443 HTTPS
> 53 DNS
>
> /ip/firewall/filter add action=drop chain=input dst-port=!80,443,53 protocol=tcp
>
> This is just an example; don't copy-paste it.

Thanks for all your help with everything.
 
own3r1138
Long time Member
Posts: 688
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades

Re: question about firewall And internet ports

Thu Apr 07, 2022 11:06 pm

> It does not block any traffic from WAN to LAN or LAN to WAN.
> It blocks access to WinBox from the LAN, depending upon the WinBox port.

Hi,
yes, I just wanted to share the "!" in dst-port. It's not the right CLI by any means.

Personally, I'd rather have an accept rule for ports such as WinBox, VPN, etc. in the input chain, followed by a drop-all for anything not coming from LAN.
 
anav
Forum Guru
Posts: 19318
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: question about firewall And internet ports

Thu Apr 07, 2022 11:34 pm

> It does not block any traffic from WAN to LAN or LAN to WAN.
> It blocks access to WinBox from the LAN, depending upon the WinBox port.
>
> Hi,
> yes, I just wanted to share the "!" in dst-port. It's not the right CLI by any means.
>
> Personally, I'd rather have an accept rule for ports such as WinBox (from LAN), VPN (from WAN), etc. in the input chain, followed by a drop-all (covering both WAN and LAN).

Fixed it for ya!!
 
Sob
Forum Guru
Posts: 9120
Joined: Mon Apr 20, 2009 9:11 pm

Re: question about firewall And internet ports

Thu Apr 07, 2022 11:55 pm

> I know how to configure rules.
>
> Forward is through the router,
> input is to the internet,
> and output is out to the internet.

No, sorry, you don't. If you did, you couldn't produce the config you posted. ;) Forward is correct. Input is traffic to the router itself, i.e. traffic that is not going to be forwarded (e.g. when you're connecting to the router with WinBox), from any source. Output is traffic produced by the router itself (e.g. when it queries an upstream DNS resolver, or if you'd ping a device in the LAN from the router).

If you enabled your "blocked thru router" rules, it wouldn't work; connected devices would have no connection to the internet. Because even though you allowed packets to the correct ports (both to the internet and from the internet; most likely you don't want the latter), your other rules block the responses to them. What you need to understand and use is the stateful firewall described in @anav's thread (you can allow only your selected ports, but you need the same principle as shown there).
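The two points Sob makes in this thread (in the short skeleton posted earlier, and in the chain explanation above) can be checked without a router. What follows is an added illustration written for this page, not RouterOS code and not from any participant: a small Python model of how filter rules are walked in the chain the routing decision picked, with first-match-wins, an implicit accept when nothing matches, and a toy connection-tracking table. The addresses, port numbers, interface-list names ("LAN"/"WAN") and both rule sets are constructed; the in-interface restriction on the stateful accept rules is an assumption added here to Sob's skeleton so that only LAN-originated connections are allowed.

```python
"""Toy model of how RouterOS walks /ip firewall filter rules with connection tracking.

Constructed illustration only (not RouterOS code): routing picks the chain (input = to the
router, forward = through it, output = from it), rules in that chain are tried top-down, the
first match decides, and a packet matching no rule is accepted. Only "new"/"established" modelled.
"""
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    chain: str       # "input", "forward" or "output"; decided by routing, not by any rule
    in_iface: str    # "LAN" or "WAN" (assumed interface-list names)
    proto: str
    src: str
    dst: str
    sport: int
    dport: int

@dataclass(frozen=True)
class Rule:
    chain: str
    action: str                                # "accept" or "drop"
    protocol: Optional[str] = None
    dst_port: Optional[tuple] = None           # inclusive range, like dst-port=444-65535
    connection_state: frozenset = frozenset()  # empty = match any state
    in_interface: Optional[str] = None         # like in-interface-list=LAN
    disabled: bool = False                     # like disabled=yes in the posted export

class Firewall:
    def __init__(self, rules):
        self.rules = list(rules)
        self.conntrack = set()   # accepted connections, keyed by their first packet

    def state_of(self, p):
        fwd = (p.proto, p.src, p.dst, p.sport, p.dport)
        rev = (p.proto, p.dst, p.src, p.dport, p.sport)
        return "established" if fwd in self.conntrack or rev in self.conntrack else "new"

    def evaluate(self, p):
        state = self.state_of(p)
        verdict = "accept"                     # implicit accept when no rule matched
        for r in self.rules:
            if (r.disabled or r.chain != p.chain
                    or (r.protocol and r.protocol != p.proto)
                    or (r.dst_port and not r.dst_port[0] <= p.dport <= r.dst_port[1])
                    or (r.connection_state and state not in r.connection_state)
                    or (r.in_interface and r.in_interface != p.in_iface)):
                continue
            verdict = r.action
            break
        if verdict == "accept" and state == "new":
            self.conntrack.add((p.proto, p.src, p.dst, p.sport, p.dport))
        return verdict

NEW = frozenset({"new"})
TRACKED = frozenset({"established", "related", "untracked"})

# The poster's design with the disabled "blocked thru router" rules switched on:
# per-port accepts and blanket drops, no connection-state matching anywhere (constructed subset).
OP_RULES = [
    Rule("forward", "accept", "tcp", (443, 443)),
    Rule("forward", "accept", "udp", (53, 53)),
    Rule("input", "drop", "tcp", (0, 65535)),
    Rule("output", "drop", "udp", (0, 65535)),
    Rule("forward", "drop", "tcp", (444, 65535)),
    Rule("forward", "drop", "udp", (444, 65535)),
]

# Sob's skeleton: tracked connections first, then the chosen ports for new connections
# arriving from the LAN side (the LAN restriction is an assumption added here), then drop the rest.
STATEFUL_RULES = [
    Rule("forward", "accept", connection_state=TRACKED),
    Rule("forward", "drop", connection_state=frozenset({"invalid"})),
    Rule("forward", "accept", "tcp", (443, 443), NEW, "LAN"),
    Rule("forward", "accept", "udp", (53, 53), NEW, "LAN"),
    Rule("forward", "drop"),
]

def verdicts(rules):
    """Run five constructed packets through a fresh firewall and report each verdict."""
    fw = Firewall(rules)
    lan, web, router_lan = "192.168.88.10", "203.0.113.5", "192.168.88.1"
    syn = Packet("forward", "LAN", "tcp", lan, web, 51514, 443)                    # LAN client -> web server
    syn_ack = Packet("forward", "WAN", "tcp", web, lan, 443, 51514)                # the server's reply
    unsolicited = Packet("forward", "WAN", "tcp", "198.51.100.7", lan, 40001, 443)  # internet -> LAN host
    router_dns = Packet("output", "WAN", "udp", "203.0.113.2", "203.0.113.1", 40002, 53)  # router's own lookup
    winbox = Packet("input", "LAN", "tcp", lan, router_lan, 40003, 8291)           # admin -> router itself
    return {
        "lan_https_syn": fw.evaluate(syn),
        "server_reply": fw.evaluate(syn_ack),
        "wan_to_lan_443": fw.evaluate(unsolicited),
        "router_dns_query": fw.evaluate(router_dns),
        "winbox_from_lan": fw.evaluate(winbox),
    }

if __name__ == "__main__":
    for name, rules in (("OP rules", OP_RULES), ("stateful rules", STATEFUL_RULES)):
        print(name, verdicts(rules))
```

Under the poster's rule set the client's SYN to port 443 is accepted, but the server's SYN/ACK comes back with destination port 51514 and is caught by the 444-65535 drop, so the browser never gets an answer; the same per-port accept also lets an unsolicited connection from the internet reach a LAN host on 443, and the blanket input/output drops cut off WinBox from the LAN and the router's own DNS lookups. With the established/related accept in front, the reply is matched by connection state rather than by port, and restricting the "new" accepts to the LAN interface keeps the policy one-directional.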
