zenxne
just joined
Topic Author
Posts: 1
Joined: Thu Jun 30, 2022 12:56 pm

Is my firewall OK?

Thu Jun 30, 2022 1:05 pm

Hello everyone,
I am quite new to Mikrotik, so feel free to correct me in any way.
I've been told to make a firewall with FastTrack and port scanner blocking. I am wondering whether this one will work as a universal rule list?
/ip firewall filter
add action=accept chain=input comment="Accept established/related/untracked" \
    connection-state=established,related,untracked
add action=drop chain=input comment="Drop Invalid connections" \
    connection-state=invalid
add action=accept chain=input comment="Allow ICMP" protocol=icmp
add action=fasttrack-connection chain=forward comment=\
    "Fasttrack established/related" connection-state=established,related
add action=accept chain=forward comment=\
    "Accept established/related/untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="Drop invalid connections" \
    connection-state=invalid protocol=tcp
add action=drop chain=input dst-port=21 in-interface-list=WAN protocol=tcp
add action=drop chain=input dst-port=22 in-interface-list=WAN protocol=tcp
add action=drop chain=input dst-port=23 in-interface-list=WAN protocol=tcp
add action=drop chain=input dst-port=161 in-interface-list=WAN protocol=tcp
add action=drop chain=input dst-port=53 in-interface-list=WAN protocol=tcp
add action=drop chain=input dst-port=53 in-interface-list=WAN protocol=udp
add action=drop chain=input src-address-list="port scanners"
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="Port scanners to list " \
    in-interface-list=WAN protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="NMAP FIN Stealth scan" \
    in-interface-list=WAN protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="SYN/FIN scan" \
    in-interface-list=WAN protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="SYN/RST scan" \
    in-interface-list=WAN protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" \
    in-interface-list=WAN protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="ALL/ALL scan" \
    in-interface-list=WAN protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="NMAP NULL scan" \
    in-interface-list=WAN protocol=tcp tcp-flags=\
    !fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=input comment="Drop SSH Brute Forcers" dst-port=22,23 \
    protocol=tcp src-address-list=brute-force_blacklist
add action=add-src-to-address-list address-list=brute-force_blacklist \
    address-list-timeout=1d chain=input comment="Drop SSH Brute Forcers" \
    connection-state=new dst-port=22,23 in-interface-list=WAN protocol=tcp \
    src-address-list=bruteforce_stage3
add action=add-src-to-address-list address-list=bruteforce_stage3 \
    address-list-timeout=30s chain=input comment="Drop SSH Brute Forcers" \
    connection-state=new dst-port=22,23 in-interface-list=WAN protocol=tcp \
    src-address-list=bruteforce_stage2
add action=add-src-to-address-list address-list=bruteforce_stage2 \
    address-list-timeout=30s chain=input comment="Drop SSH Brute Forcers" \
    connection-state=new dst-port=22,23 in-interface-list=WAN protocol=tcp \
    src-address-list=bruteforce_stage1
add action=add-src-to-address-list address-list=bruteforce_stage1 \
    address-list-timeout=1m chain=input comment="Drop SSH Brute Forcers" \
    connection-state=new dst-port=22,23 in-interface-list=WAN protocol=tcp
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
Thanks.
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Is my firewall OK?

Thu Jun 30, 2022 1:46 pm

Before checking anything, learn not to leave SSH, Winbox, telnet, etc. service ports open on WAN....
Also, dropping port scanners is useless; if anything is needed, it is simply a "drop all not previously explicitly allowed" rule at the end of both chains....
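The two points above (management services not reachable from WAN, and an explicit final drop in both chains) applied to the posted ruleset, as an added example that is not part of any post in this thread. It assumes the interface lists WAN and LAN already exist and that management is done from a LAN subnet assumed here to be 192.168.88.0/24; adjust both to your setup. The per-port WAN drops (21, 22, 23, 53, 161) and the SSH/telnet brute-force staging rules from the original are left out because the final drop already covers them (note also that SNMP is UDP/161, so the posted tcp/161 rule would not have matched it anyway). The scanner-list rules are kept only as an optional visibility aid.

```routeros
# Added example, not taken from the original post. Assumptions: interface
# lists WAN and LAN exist, management happens from 192.168.88.0/24.

# 1. Management services: bind them to the LAN subnet, disable what is unused.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set api-ssl disabled=yes
set www disabled=yes
set ssh address=192.168.88.0/24
set winbox address=192.168.88.0/24
set www-ssl address=192.168.88.0/24
# MAC-level Winbox/telnet and neighbor discovery only on LAN interfaces
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/ip neighbor discovery-settings
set discover-interface-list=LAN

# 2. Filter rules: same skeleton as the posted one, but each chain ends in an
#    explicit drop, so only what is accepted above that line ever gets through.
/ip firewall filter
# --- input chain: traffic addressed to the router itself ---
add chain=input action=accept connection-state=established,related,untracked \
    comment="accept established/related/untracked"
add chain=input action=drop connection-state=invalid comment="drop invalid"
add chain=input action=accept protocol=icmp comment="accept ICMP"
add chain=input action=accept dst-address=127.0.0.1 \
    comment="accept to loopback (needed for CAPsMAN)"
# Optional: scanner list for visibility only; the final drop is what protects.
add chain=input action=drop src-address-list="port scanners" \
    in-interface-list=WAN comment="drop known scanners"
add chain=input action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w in-interface-list=WAN protocol=tcp psd=21,3s,3,1 \
    comment="port scan detection"
# Final drop: anything not coming from LAN that was not accepted above.
add chain=input action=drop in-interface-list=!LAN comment="drop all not from LAN"

# --- forward chain: traffic routed through the router ---
# IPsec policy rules only matter if IPsec is in use; harmless otherwise.
add chain=forward action=accept ipsec-policy=in,ipsec comment="accept in ipsec policy"
add chain=forward action=accept ipsec-policy=out,ipsec comment="accept out ipsec policy"
# fasttrack must stay BEFORE the generic accept, or nothing gets fasttracked.
add chain=forward action=fasttrack-connection connection-state=established,related \
    comment="fasttrack established/related"
add chain=forward action=accept connection-state=established,related,untracked \
    comment="accept established/related/untracked"
# No protocol=tcp here: invalid packets of any protocol are dropped.
add chain=forward action=drop connection-state=invalid comment="drop invalid"
# Final drop: new connections from WAN are only allowed when a dst-nat rule
# (port forward) created them.
add chain=forward action=drop connection-state=new connection-nat-state=!dstnat \
    in-interface-list=WAN comment="drop new from WAN not dst-nated"
```

To check it, run `/ip firewall filter print stats` and watch the counters of the two final drop rules while scanning the WAN address from outside: every unsolicited probe should land on those rules and nothing should answer. Keep in mind that once a connection is fasttracked its packets bypass the rest of the filter and mangle chains, so any rule that must see established traffic has to sit above the fasttrack rule.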
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Is my firewall OK?

Thu Jun 30, 2022 2:11 pm

Hello everyone,
I am quite new to Mikrotik, so feel free to correct me in any way.
I've been told to make a firewall with FastTrack and port scanner blocking, I am wondering will this one work as an universal rule list?
I don't understand the part "I have been told". Who told you to set up the device if
a. you do not have experience, and
b. they themselves seem to know what they want only at a superficial level?

In other words, they are telling you how to configure the device and are not providing you with the actual requirements to configure it properly.
How many users and groups of users are there? (users = people + devices)
What should the users be able to do, and what should the users NOT be able to do?
Where is a network diagram to depict the physical connections/relationships between the available devices?

Why the focus on port scanning? In other words, it seems a focused request, so what is the problem encountered that leads them to make this suggestion?
You need to get more information to proceed in an organized and efficient manner.
