nxs02
Member Candidate
Topic Author
Posts: 119
Joined: Sat Nov 07, 2015 1:25 pm
Location: Planet Earth

[ASK] Firewall Filter Rules

Fri Dec 11, 2015 1:24 am

I use 104 firewall filter rules in my MikroTik RB951Ui-2nD.
Is that too many or just fine?
 
ZeroByte
Forum Guru
Posts: 4051
Joined: Wed May 11, 2011 6:08 pm

Re: [ASK] Firewall Filter Rules

Fri Dec 11, 2015 1:44 am

I use 7 rules in my filter table - only 4 are really needed, as the last 3 simply block IPv4 from leaking onto my IPv6-only test SSID. This includes input and forward rules.

1: input: allow established,related
2: input: allow ICMP
3: input: allow whitelisted sources
4: input: drop in-interface=wan

Done.

(5, 6, and 7 = drop IPv4 input from, output to, or forwarding from the IPv6-only network)

Granted, I have no NAT pinholes, etc., which I want to limit access to, or any outgoing stuff that I want to deny... but this policy is quite simple: if I asked for it, then accept it. If it's control messaging (ICMP), then accept it. If someone I trust on the outside asks for it, then accept it. Otherwise, throw it away. (Blocking pings is against my religion - it doesn't really enhance your security anyway.)
When given a spoon,
you should not cling to your fork.
The soup will get cold.
 
chechito
Forum Guru
Posts: 1746
Joined: Sun Aug 24, 2014 3:14 am
Location: Bogota Colombia

Re: [ASK] Firewall Filter Rules

Fri Dec 11, 2015 1:55 am

> I use 104 firewall filter rules in my MikroTik RB951Ui-2nD.
> Is that too many or just fine?

What throughput do you achieve with that config on that RB951?
 
skuykend
Member Candidate
Posts: 270
Joined: Tue Oct 06, 2015 7:28 am

Re: [ASK] Firewall Filter Rules

Fri Dec 11, 2015 6:14 am

> I use 104 firewall filter rules in my MikroTik RB951Ui-2nD.
> Is that too many or just fine?

I would say it depends on a couple of things:
Are you getting the throughput you want/need, and is it getting too complicated for you to manage/maintain?

If you use custom chains/jumps and order the rules properly then the rule count can be high with a manageable effect on performance. This will also help document and manage your rules.
 
jarda
Forum Guru
Posts: 7604
Joined: Mon Oct 22, 2012 4:46 pm

Re: [ASK] Firewall Filter Rules

Fri Dec 11, 2015 7:27 am

> I use 7 rules in my filter table - only 4 are really needed, as the last 3 simply block IPv4 from leaking onto my IPv6-only test SSID. This includes input and forward rules.
>
> 1: input: allow established,related
> 2: input: allow ICMP
> 3: input: allow whitelisted sources
> 4: input: drop in-interface=wan
>
> Done.
>
> (5, 6, and 7 = drop IPv4 input from, output to, or forwarding from the IPv6-only network)
>
> Granted, I have no NAT pinholes, etc., which I want to limit access to, or any outgoing stuff that I want to deny... but this policy is quite simple: if I asked for it, then accept it. If it's control messaging (ICMP), then accept it. If someone I trust on the outside asks for it, then accept it. Otherwise, throw it away. (Blocking pings is against my religion - it doesn't really enhance your security anyway.)

But this is not a typical situation. Typically the router has to protect not only itself but also the network hidden behind it by NAT. Not having a general drop rule in the forward chain means letting through everything that was not matched and dropped by an individual forward-chain rule. I agree with the allow-ICMP religion, but my religion says in addition: finally, drop everything in all chains.
 
ZeroByte
Forum Guru
Posts: 4051
Joined: Wed May 11, 2011 6:08 pm

Re: [ASK] Firewall Filter Rules

Fri Dec 11, 2015 4:35 pm

> I agree with the allow-ICMP religion, but my religion says in addition: finally, drop everything in all chains.

Well, since there's NAT involved, a default drop in-interface=wan for the forward chain is somewhat redundant, but it's good to be explicit in configurations.

FWIW my IPv6 forward chain has a default drop policy from the Internet. ;)
When given a spoon,
you should not cling to your fork.
The soup will get cold.
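Pulling the thread's advice together, here is an added example (not posted by anyone in this thread) of how ZeroByte's four input rules, jarda's explicit forward-chain drop, and skuykend's custom-chain layout look as RouterOS filter rules. The WAN interface name "ether1", the address list "trusted-admin" and the address in it are assumptions for the example.

```routeros
# Added example, not from any poster in this thread.
# Assumptions: WAN is "ether1"; trusted external hosts are kept in the
# address list "trusted-admin" (the address below is constructed).
/ip firewall address-list
add list=trusted-admin address=198.51.100.10 comment="constructed example host"

/ip firewall filter
# --- input chain: traffic addressed to the router itself (ZeroByte's 4 rules) ---
add chain=input action=accept connection-state=established,related comment="1: if I asked for it, accept it"
add chain=input action=accept protocol=icmp comment="2: control messaging"
add chain=input action=accept src-address-list=trusted-admin comment="3: whitelisted sources"
add chain=input action=drop in-interface=ether1 comment="4: everything else from WAN is thrown away"

# --- forward chain: traffic through the router to the LAN (jarda's point) ---
# With NAT, unsolicited inbound forwards usually fail anyway, but an explicit
# drop documents the policy and still applies if a dst-nat pinhole or a
# routed public prefix is added later.
add chain=forward action=jump jump-target=from-wan in-interface=ether1 comment="WAN-originated forwards get their own chain"

# Custom chain, evaluated only for packets that arrived on WAN (skuykend's
# jump/ordering advice keeps the main chain short and self-documenting).
add chain=from-wan action=accept connection-state=established,related comment="replies to LAN-initiated traffic"
add chain=from-wan action=drop connection-state=invalid comment="packets belonging to no known connection"
add chain=from-wan action=drop comment="default drop: nothing unsolicited reaches the LAN"
```

Rule order matters: the established,related accept must sit first so the bulk of packets match one rule and never reach the drops, which is what keeps a long rule set cheap on a small board like the RB951.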
