Johncomptom1
just joined
Topic Author
Posts: 2
Joined: Sun Nov 03, 2019 3:41 am

Default firewall config

Sun Nov 03, 2019 3:57 am

Guys I hate to be a pain but I have a question that I need answered and after searching the web it's an absolute mystery to me. I'm not a firewall expert obviously. I am using a ccr1009 (it was a steal) for a home environment and I just realized after all this time that my firewall rule list is absolutely BLANK. I initially set up my router with help of the initial setup page on the Mikrotik documentation page. (I didn't use the quickset page but maybe I should've?) The initial config page never mentioned adding any firewall rules. I also have it running a DHCP server for my one network and I have a Mikrotik switch connected to it. Probably too much info but basically everywhere I read it says that these routers are meant to work out of the box and are ready to go. Well I assumed that the default firewall is on but there is absolutely no rules on the list so from the best of my knowledge it might as well be off. Why did my router not have any rules? My question is how can I get the basic rules added to my firewall. I don't want anything extra or special. I just want it simple, lean, and mean. This is a basic home environment. How can I get a basic script of these default out-of-the-box rules so I can add them through the terminal. Or am I wrong and there are some basic rules that are just automatically on and I don't see them? Or heck do I need to add any rules since I'm in a basic home environment and getting a dynamic address from my ISP? I'm a super noob so please forgive me.
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Default firewall config

Mon Nov 04, 2019 8:57 pm

You have to manually add the firewall rules now...
You will find some examples on the MikroTik wiki page...
 
mkx
Forum Guru
Posts: 12433
Joined: Thu Mar 03, 2016 10:23 pm

Re: Default firewall config

Mon Nov 04, 2019 9:26 pm

It's been mentioned several times, also by Normis of MT fame, that the pro line of Routerboard devices (CCR among others) comes by default with a blank firewall. It is expected that pro devices will be administered by pro admins who know how to do their jobs.

For us, the rest of the amateur crowd, it remains to copy the default rules from somewhere else. The best would be to get hold of a SOHO Routerboard and check the output of /system default-configuration print ... Don't get tempted to turn to YouTube tutorials; most are awfully outdated and incomplete at best ... or outright wrong at worst. Some are, however, high quality. The problem is that the average amateur can't tell if they are good or not.
 
xvo
Forum Guru
Posts: 1237
Joined: Sat Mar 03, 2018 1:12 am
Location: Moscow, Russia

Re: Default firewall config

Mon Nov 04, 2019 10:17 pm

That is basically what a SOHO firewall is, with the fasttrack rule removed (you don't need it when using a CCR in a home environment):
/ip firewall filter
add action=accept chain=input comment="accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=drop chain=input comment="drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=accept chain=forward comment="accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="accept out ipsec policy" ipsec-policy=out,ipsec
add action=drop chain=forward comment="drop all from WAN not DSTNATed" connection-nat-state=!dstnat in-interface-list=WAN
It allows ping to your router from outside and access to it from interfaces in interface-list=LAN, and drops everything from interface-list=WAN that was not subjected to dst-nat (port forwarding).
In order to use it you first need to be sure that you add the needed interfaces to the corresponding interface lists: WAN interface(s) to the WAN list, LAN interface(s) to the LAN list.
Otherwise you will lock yourself out.
 
Johncomptom1
just joined
Topic Author
Posts: 2
Joined: Sun Nov 03, 2019 3:41 am

Re: Default firewall config

Mon Nov 04, 2019 11:11 pm

Thank you so much for the information everyone! I do apologize for my ignorance again and your help is greatly appreciated! I would shake everybody's hand on here if I could! There's a lot of knowledge and wisdom in this place. I will consider this issue SOLVED! Thanks again.
 
mur
Member Candidate
Posts: 105
Joined: Thu Feb 13, 2020 8:43 pm

Re: Default firewall config

Thu Apr 02, 2020 9:14 pm

That is basically what a SOHO firewall is, with the fasttrack rule removed (you don't need it when using a CCR in a home environment):
/ip firewall filter
add action=accept chain=input comment="accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=drop chain=input comment="drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=accept chain=forward comment="accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="accept out ipsec policy" ipsec-policy=out,ipsec
add action=drop chain=forward comment="drop all from WAN not DSTNATed" connection-nat-state=!dstnat in-interface-list=WAN
It allows ping to your router from outside and access to it from interfaces in interface-list=LAN, and drops everything from interface-list=WAN that was not subjected to dst-nat (port forwarding).
In order to use it you first need to be sure that you add the needed interfaces to the corresponding interface lists: WAN interface(s) to the WAN list, LAN interface(s) to the LAN list.
Otherwise you will lock yourself out.
Are the firewall filter rules above in the right order?
I mean, is this the number 1 rule, for example:

add action=accept chain=input comment="accept established,related,untracked" connection-state=established,related,untracked

Thanks
 
mkx
Forum Guru
Posts: 12433
Joined: Thu Mar 03, 2016 10:23 pm

Re: Default firewall config

Thu Apr 02, 2020 9:53 pm

Are the firewall filter rules above in the right order?

Not going to answer directly.

A packet is matched against the rules in the firewall (filter, raw, nat, ...) in order from top (number 0) to bottom ... when talking about firewall filter, the packet is first checked to determine the correct chain (input, output or forward).
The ordering of rules then has a few goals to meet:
  1. correct filtering ... if a packet should be dropped, then the dropping rule has to be before a rule which would allow the packet. Which means that a more specific rule should be higher than a more general rule IF their action is not the same.
  2. performance ... the idea is to either accept or drop a packet as soon as possible. Higher on the rule list should hence be filters which apply to a larger number of packets.
And we always lean on connection tracking state. Hence the rule you were asking about: let's assume we track all connections. So the packet state is either new, established, related or invalid. A connection cannot reach the established/related state without first being new, and if we allowed the connection while it was new, we should allow it while it's established/related. And remember, the vast majority of packets of a connection are transmitted while it's established (a TCP connection is new only during the initial three-way handshake, which involves a total of 3 packets, 2 of which carry no payload; the last one might not either). So if we place the quoted rule at the top, the vast majority of packets will only get matched against a single rule. If they had to traverse a bunch of rules dropping specific packets, the router's CPU would have much more work to do.
 
spidereczek
just joined
Posts: 1
Joined: Mon Mar 22, 2021 4:18 pm

Re: Default firewall config

Wed Apr 28, 2021 7:11 pm

Hi,

Quick question. Following your firewall configuration for the input chain from the example above:
/ip firewall filter
add action=accept chain=input comment="accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=drop chain=input comment="drop all not coming from LAN" in-interface-list=!LAN
Theoretically, if we change the last line from:
add action=drop chain=input comment="drop all not coming from LAN" in-interface-list=!LAN
to:
add action=drop chain=input comment="drop all other"
are we able to get an ICMP response from the router's LAN interface (if we send it from the local network as well)?
 
rextended
Forum Guru
Posts: 12383
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Default firewall config

Wed Apr 28, 2021 7:27 pm

With the modified last line you lock yourself out of the device and are unable to configure it again without resetting everything, but it does reply to ping.
 
rextended
Forum Guru
Posts: 12383
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Default firewall config

Wed Apr 28, 2021 7:32 pm

/ip firewall filter
...
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=drop chain=input comment="drop all not coming from LAN" in-interface-list=!LAN
...


Giving the rule this way, the user will probably paste it and lock the router:
LAN list: empty or not?
WAN list: empty or not?

add action=drop chain=input comment="drop all not coming from LAN" in-interface-list=!LAN
= drop all not LAN

but if the LAN list is empty it is
= drop all input to the Routerboard (except ping)

but it simply replies to ping
 
anav
Forum Guru
Posts: 20958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Default firewall config

Thu Apr 29, 2021 12:44 am

The default rules, and then how to get a more tailored ruleset that ensures only the ADMIN has full access to the router on the input chain, and only traffic allowed by the admin is served on the forward chain.

DEFAULT
/ip firewall filter
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input protocol=icmp
add action=drop chain=input in-interface-list=!LAN
++++++++++++++++++++++++++++++++++++++++++++++++++++
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN

Have a look at this to see if you understand it and want to accomplish it.
INPUT rules are for traffic to and from the router itself.
FORWARD rules are for traffic across the router (WAN to LAN, LAN to WAN, LAN to LAN).
OUTPUT rules are rarely used.
NAT rules are typically used for port forwarding (dst-nat) and assigning public IPs to private IPs before heading outbound (src-nat); however, in MT speak they can be used for a variety of different situations.
IP routes are used to determine the outbound path of packets.

Here is my minimalist but safe setup.
(1) The idea being, as stated, to move from the default setup (which is safe but not targeted, and has a concept of allow all and block what you don't want)
TO what the previous poster and most who prefer to change the setup do: BLOCK ALL by default and then state what is allowed.

(2) Correct in that the goal in the input chain, for security, is to only allow the admin to have access to the router, but users/devices may need some services typically DNS.

(3) For VLAN to VLAN protection and any traffic to and from the LANs, the firewall rules in the forward chain come into play.
The same concept as above applies: modify the default rules into a concept of block all except what you wish to allow.
All the rules above the +++++ line are default ones that we want to keep and the ones below are the ones the admin adds.
NOTE: In the input chain, do not put in the LAST RULE the DROP rule until the allow admin access rule is in place - otherwise one is locked out!

MODIFICATION
/ip firewall filter
{input chain}
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++
add action=accept chain=input comment="Allow ADMIN to Router" \
in-interface-list=MGMT src-address-list=adminaccess
add action=accept chain=input comment="Allow LAN DNS queries - TCP" \
connection-state=new dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input comment="Allow LAN DNS queries-UDP" \
connection-state=new dst-port=53 in-interface-list=LAN protocol=udp
add action=drop chain=input comment="Drop All Else"
....
{forward chain}
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++
add action=accept chain=forward comment="allow LAN to WAN traffic" \
in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="Allow Port Forwarding" \
connection-nat-state=dstnat {disable when not needed}
add action=drop chain=forward comment="drop all else"

(4) The input chain rule requiring the admin access firewall address list ensures only the LAN IPs identified have access to the router (via Winbox for example). Typically one sets one's IPs through the router's DHCP leases as static, fixed IPs.
/ip firewall address-list
add address=ip_admin-desktop list=adminaccess
add address=ip_admin-laptop list=adminaccess
add address=ip_admin-smartphone list=adminaccess

(5) The other part of this rule as you may have noted is an interface-list=MGMT
Typically this is the scenario.

/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=MGMT (optional)
add name=VlansWith-Internet (optional but if you dont allow all vlans to access internet this provides an easy way to config)

/interface list member
add comment=defconf interface=Ether1 list=WAN
add interface=bridge list=LAN
add interface=vlan10 list=MGMT (this identifies the management LAN, typically the home LAN the admin user is on)
+++++++++++++++++++++++++++++++++++++
add interface=ether5 list=LAN (if you have an emergency access port on the router to reach it for config purposes if bridge or main LAN gets funky)
add interface=ether5 list=MGMT (so as to be able to reach router from emerg access for config purposes)

(6) Can you guess where else we use MGMT?
Correct: look at Tools, MAC Server.
Set the Winbox MAC server interface=MGMT.

(7) Go to IP Services and turn all services off except for Winbox and possibly SSH as a backup.
a. change the default port to something else, but write it down!
b. in "Available From", put in the subnets above that are applicable (vlan10 subnet and ether5 subnet)

(8) Go to System Users and, for the logins allowed to access Winbox, put in the same subnets as in b.

Thus you have in summary limited access to the router (for config purposes)
by login rules (username and password and subnets)
by winbox access (port number and subnets)
by firewall rules that limit access to winbox mac server
by firewall rules that limit access by subnets and IP addresses.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
Last edited by anav on Thu Jul 11, 2024 3:30 am, edited 1 time in total.
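To make mkx's ordering argument (an established packet should stop at rule 0) and rextended's empty-list lockout concrete, here is an added worked example; it is not code from this thread or from MikroTik. It is a small Python first-match evaluator over rules written in the export syntax used above. The ruleset is the modified input and forward chains from the post above, with the fasttrack and ipsec-policy rules left out because their semantics are not modelled; the interface-list and address-list membership, the admin IPs and the packets are constructed sample values. Chain selection, top-to-bottom first match, "!" negation, and accept when nothing in the chain matches follow what the posts describe.

```python
import shlex

# Constructed sample membership for /interface list member and
# /ip firewall address-list; none of it comes from a real router.
INTERFACE_LISTS = {
    "WAN": {"ether1"},
    "LAN": {"bridge", "vlan10"},
    "MGMT": {"vlan10", "ether5"},
}
ADDRESS_LISTS = {"adminaccess": {"192.168.88.10", "192.168.88.11"}}

# Input and forward chains of the modified ruleset, one rule per line.
# fasttrack and ipsec-policy rules are left out: their semantics are not modelled.
RULES_TEXT = """\
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="Allow ADMIN to Router" in-interface-list=MGMT src-address-list=adminaccess
add action=accept chain=input comment="Allow LAN DNS queries - TCP" connection-state=new dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input comment="Allow LAN DNS queries - UDP" connection-state=new dst-port=53 in-interface-list=LAN protocol=udp
add action=drop chain=input comment="Drop All Else"
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="allow LAN to WAN traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="Allow Port Forwarding" connection-nat-state=dstnat disabled=yes
add action=drop chain=forward comment="drop all else"
"""

NON_MATCHER_KEYS = {"chain", "action", "comment", "disabled", "log", "log-prefix"}


def parse_rules(export_text):
    """Turn '/ip firewall filter' export lines into rule dicts, keeping list order."""
    rules = []
    for line in export_text.splitlines():
        line = line.strip()
        if line.startswith("add "):
            tokens = shlex.split(line[4:])  # shlex keeps quoted comments whole
            rules.append(dict(t.split("=", 1) for t in tokens))  # every token is key=value
    return rules


def _matches(key, want, packet, iface_lists, addr_lists):
    """Evaluate one matcher; a leading '!' negates it, as in RouterOS."""
    negate = want.startswith("!")
    want = want.lstrip("!")
    if key in ("in-interface-list", "out-interface-list"):
        hit = packet.get(key[:-5]) in iface_lists.get(want, set())  # key minus "-list"
    elif key in ("src-address-list", "dst-address-list"):
        hit = packet.get(key[:-5]) in addr_lists.get(want, set())
    elif key == "connection-state":
        hit = packet.get(key) in want.split(",")
    else:  # protocol, dst-port, in-interface, connection-nat-state, ...
        hit = str(packet.get(key)) == want
    return hit != negate


def evaluate(rules, packet, iface_lists=INTERFACE_LISTS, addr_lists=ADDRESS_LISTS):
    """First-match evaluation of one packet against its chain.
    Returns (action, index of the matching rule, rules consulted). When no rule of the
    chain matches, the packet is accepted: that is why "drop all else" must come last."""
    consulted = 0
    for index, rule in enumerate(rules):
        if rule["chain"] != packet["chain"] or rule.get("disabled") == "yes":
            continue
        consulted += 1
        if all(_matches(k, v, packet, iface_lists, addr_lists)
               for k, v in rule.items() if k not in NON_MATCHER_KEYS):
            return rule["action"], index, consulted
    return "accept", None, consulted


# Constructed packets, keyed by what each one illustrates.
ADMIN_WINBOX = {"chain": "input", "in-interface": "vlan10", "src-address": "192.168.88.10",
                "connection-state": "new", "protocol": "tcp", "dst-port": 8291}
PACKETS = {
    "established_tcp_from_wan": {"chain": "input", "in-interface": "ether1",
                                 "connection-state": "established", "protocol": "tcp", "dst-port": 443},
    "admin_winbox": ADMIN_WINBOX,
    "user_winbox": dict(ADMIN_WINBOX, **{"in-interface": "bridge", "src-address": "192.168.88.50"}),
    "user_dns_udp": {"chain": "input", "in-interface": "bridge", "src-address": "192.168.88.50",
                     "connection-state": "new", "protocol": "udp", "dst-port": 53},
    "ping_from_wan": {"chain": "input", "in-interface": "ether1", "connection-state": "new", "protocol": "icmp"},
    "unsolicited_from_wan": {"chain": "forward", "in-interface": "ether1", "out-interface": "bridge",
                             "connection-state": "new", "protocol": "tcp", "dst-port": 445},
    "lan_to_internet": {"chain": "forward", "in-interface": "bridge", "out-interface": "ether1",
                        "connection-state": "new", "protocol": "tcp", "dst-port": 443},
}


def scenarios():
    """Evaluate every sample packet; the third element shows how far down the chain it went."""
    rules = parse_rules(RULES_TEXT)
    return {name: evaluate(rules, pkt) for name, pkt in PACKETS.items()}


def admin_locked_out(iface_lists, addr_lists):
    """True when the admin's own Winbox connection would fall through to 'Drop All Else'."""
    action, _, _ = evaluate(parse_rules(RULES_TEXT), ADMIN_WINBOX, iface_lists, addr_lists)
    return action != "accept"


NEGATED_RULE = 'add action=drop chain=input comment="drop all not coming from LAN" in-interface-list=!LAN'


def negated_list_rule_drops_lan_packet(lan_members):
    """The '!LAN' rule from earlier in the thread, evaluated with a given LAN membership."""
    lan_packet = {"chain": "input", "in-interface": "bridge", "connection-state": "new", "protocol": "tcp"}
    action, _, _ = evaluate(parse_rules(NEGATED_RULE), lan_packet, {"LAN": set(lan_members)}, {})
    return action == "drop"
```

Running scenarios() shows the established packet stopping at rule 0 after one comparison, while a non-admin Winbox attempt walks all seven input rules before hitting "Drop All Else". admin_locked_out() returns True as soon as the MGMT interface list or the adminaccess address list is empty, which is exactly the lockout the thread warns about, so a dry run like this (or RouterOS safe mode) before adding the final drop rule is worth the minute it takes. The generic matcher branch also covers per-interface rules such as in-interface=!bridge1-LAN.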
 
kevintkv
just joined
Posts: 5
Joined: Fri May 28, 2021 6:29 pm

Re: Default firewall config

Sun May 30, 2021 6:18 pm

Need help with my firewall rule. After I applied it, the connection from my laptop became unstable.
This is the rule I applied:

/ip firewall address-list
add address=0.0.0.0/8 comment="Self-Identification [RFC 3330]" list=Bogons
add address=10.0.0.0/8 comment="Private[RFC 1918] - CLASS A # Check if you nee\
d this subnet before enable it" list=Bogons
add address=127.0.0.0/8 comment="Loopback [RFC 3330]" list=Bogons
add address=169.254.0.0/16 comment="Link Local [RFC 3330]" list=Bogons
add address=172.16.0.0/12 comment="Private[RFC 1918] - CLASS B # Check if you \
need this subnet before enable it" list=Bogons
add address=192.0.2.0/24 comment="Reserved - IANA - TestNet1" list=Bogons
add address=192.88.99.0/24 comment="6to4 Relay Anycast [RFC 3068]" list=\
Bogons
add address=198.18.0.0/15 comment="NIDB Testing" list=Bogons
add address=198.51.100.0/24 comment="Reserved - IANA - TestNet2" list=Bogons
add address=203.0.113.0/24 comment="Reserved - IANA - TestNet3" list=Bogons
add address=224.0.0.0/4 comment=\
"MC, Class D, IANA # Check if you need this subnet before enable it" \
list=Bogons
/ip firewall filter
add action=accept chain=forward comment="defconf: accept established,related" \
connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=accept chain=input port=69 protocol=udp
add action=accept chain=forward port=69 protocol=udp
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface=ether1
add action=drop chain=forward comment="Drop to bogon list" dst-address-list=\
Bogons
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=drop chain=input in-interface=ether1

Kevin
Last edited by kevintkv on Sun May 30, 2021 6:20 pm, edited 1 time in total.
 
anav
Forum Guru
Posts: 20958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Default firewall config

Mon May 31, 2021 2:14 pm

Kevin, your firewall rules are crap and not secure at all.
It's clear you don't know enough yet about MT configs to get complicated...........
You would be much better off and SAFER sticking with the default rules and asking yourself if you need anything else.
Just because YouTube or any other source says you need all this extra stuff, for a home scenario you simply don't.
 
rextended
Forum Guru
Posts: 12383
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Default firewall config

Mon May 31, 2021 3:24 pm

Just because YouTube or any other source says you need all this extra stuff, for a home scenario you simply don't.
+100
 
anav
Forum Guru
Posts: 20958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Default firewall config

Mon May 31, 2021 3:54 pm

Okay, I see in another thread that you're actually providing PPPoE ISP accounts on all your ether ports, so it's more than just a simple home invasion.
I will move to the other thread for further dialogue.
viewtopic.php?f=13&t=175630
Last edited by anav on Thu Jun 10, 2021 4:19 pm, edited 2 times in total.
 
stuartkoh
newbie
Posts: 30
Joined: Tue Apr 09, 2019 2:16 pm
Location: USA

Re: Default firewall config

Thu Jun 10, 2021 3:38 pm

Are the firewall filter rules above in the right order?

Not going to answer directly.

A packet is matched against the rules in the firewall (filter, raw, nat, ...) in order from top (number 0) to bottom ... when talking about firewall filter, the packet is first checked to determine the correct chain (input, output or forward).
The ordering of rules then has a few goals to meet:
  1. correct filtering ... if a packet should be dropped, then the dropping rule has to be before a rule which would allow the packet. Which means that a more specific rule should be higher than a more general rule IF their action is not the same.
  2. performance ... the idea is to either accept or drop a packet as soon as possible. Higher on the rule list should hence be filters which apply to a larger number of packets.
And we always lean on connection tracking state. Hence the rule you were asking about: let's assume we track all connections. So the packet state is either new, established, related or invalid. A connection cannot reach the established/related state without first being new, and if we allowed the connection while it was new, we should allow it while it's established/related. And remember, the vast majority of packets of a connection are transmitted while it's established (a TCP connection is new only during the initial three-way handshake, which involves a total of 3 packets, 2 of which carry no payload; the last one might not either). So if we place the quoted rule at the top, the vast majority of packets will only get matched against a single rule. If they had to traverse a bunch of rules dropping specific packets, the router's CPU would have much more work to do.

That's a very clear explanation of how this works. Thanks!
 
bpavlinic
just joined
Posts: 1
Joined: Wed Dec 09, 2015 11:01 pm

Re: Default firewall config

Wed Sep 29, 2021 9:55 am

Hello, sorry for bringing this up, but why allow untracked? The default ROS firewall from the setup script is without untracked! Why did you tick "untracked"?
/ip firewall filter
add action=accept chain=input comment="accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=forward comment="accept established,related, untracked" connection-state=established,related,untracked
I use this:
/ip firewall filter
add action=accept chain=input comment="default: accept established,related" connection-state=established,related
add action=accept chain=forward comment="default: accept established,related" connection-state=established,related
Best regards,
Boris.
Last edited by bpavlinic on Wed Sep 29, 2021 9:59 am, edited 2 times in total.
 
gt57
just joined
Posts: 6
Joined: Wed Jan 13, 2016 3:29 am

Re: Default firewall config

Thu Jul 11, 2024 2:54 am

The default rules, and then how to get a more tailored ruleset that ensures only the ADMIN has full access to the router on the input chain, and only traffic allowed by the admin is served on the forward chain.

[SNIP]

Three years later, is this still a valid configuration for a Mikrotik hEX RB750Gr3?
 
anav
Forum Guru
Posts: 20958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Default firewall config

Thu Jul 11, 2024 3:31 am

Yes!
 
whuupwhuup
just joined
Posts: 5
Joined: Sun Jul 21, 2024 9:13 pm

Re: Default firewall config

Sat Aug 10, 2024 9:00 pm

That is basically what a SOHO firewall is, with the fasttrack rule removed (you don't need it when using a CCR in a home environment):
/ip firewall filter
add action=accept chain=input comment="accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=drop chain=input comment="drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=accept chain=forward comment="accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="accept out ipsec policy" ipsec-policy=out,ipsec
add action=drop chain=forward comment="drop all from WAN not DSTNATed" connection-nat-state=!dstnat in-interface-list=WAN
It allows ping to your router from outside and access to it from interfaces in interface-list=LAN, and drops everything from interface-list=WAN that was not subjected to dst-nat (port forwarding).
In order to use it you first need to be sure that you add the needed interfaces to the corresponding interface lists: WAN interface(s) to the WAN list, LAN interface(s) to the LAN list.
Otherwise you will lock yourself out.
Beginner question: Do I need to set up an interface list to make your firewall config effective or will "drop all not coming from LAN" and "drop all from WAN not DSTNATed" also work with the following settings?

/ip firewall filter
add action=accept chain=input comment="accept established, related" connection-state=established,related
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=drop chain=input comment="drop all not coming from LAN" in-interface=!bridge1-LAN
add action=accept chain=forward comment="accept established, related" connection-state=established,related
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=accept chain=forward comment="accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="accept out ipsec policy" ipsec-policy=out,ipsec
add action=drop chain=forward comment="drop all from WAN not DSTNATed" connection-nat-state=!dstnat in-interface=ether1-Internet

/interface bridge port
add bridge=bridge1-LAN interface=ether2-LAN
add bridge=bridge1-LAN interface=ether3-LAN
add bridge=bridge1-LAN interface=ether4-LAN
add bridge=bridge1-LAN interface=ether5-LAN
add bridge=bridge1-LAN interface=wifi2-2.4ghz

/interface ethernet
set [ find default-name=ether1 ] name=ether1-Internet
set [ find default-name=ether2 ] name=ether2-LAN
set [ find default-name=ether3 ] name=ether3-LAN
set [ find default-name=ether4 ] name=ether4-LAN

Or more generally, will this config be just as effective as what you posted above?
 
mkx
Forum Guru
Posts: 12433
Joined: Thu Mar 03, 2016 10:23 pm

Re: Default firewall config

Sat Aug 10, 2024 9:19 pm

Beginner question: Do I need to set up an interface list to make your firewall config effective ...

Yes, if you largely re-use the firewall, then you have to set up and maintain both interface lists.
Your own approach (if executed carefully) works as well, but lacks flexibility (e.g. if your LAN is more than bridge1-LAN, or if your WAN interface changes to e.g. a VLAN interface or PPPoE or something).
 
anav
Forum Guru
Posts: 20958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Default firewall config

Sun Aug 11, 2024 4:54 pm

I prefer not trying to be too cute. Avoid ! rules unless they are required, as it's clearer to state what traffic is needed!
So From:

/ip firewall filter
add action=accept chain=input comment="accept established, related" connection-state=established,related
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=drop chain=input comment="drop all not coming from LAN" in-interface=!bridge1-LAN
add action=accept chain=forward comment="accept established, related" connection-state=established,related
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=accept chain=forward comment="accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="accept out ipsec policy" ipsec-policy=out,ipsec
add action=drop chain=forward comment="drop all from WAN not DSTNATed" connection-nat-state=!dstnat in-interface=ether1-Internet


TO:

/ip firewall address-list
add address=192.168.88.X list=Authorized comment="Admin PC"
add address=192.168.88.Y list=Authorized comment="Admin laptop/ipad"
add address=192.168.88.Z list=Authorized comment="Admin smartphone"


/ip firewall filter
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=accept chain=input comment="admin access" src-address-list=Authorized
add action=accept chain=input comment="users to services" in-interface-list=LAN dst-port=53 protocol=udp
add action=accept chain=input comment="users to services" in-interface-list=LAN dst-port=53 protocol=tcp
add action=drop chain=input comment="drop all else" { add as very last rule }
+++++++++++++++++++++++++++++++++++
add action=fasttrack-connection chain=forward connection-state=established,related
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat disabled=yes { enable if required or remove }
add action=drop chain=forward comment="drop all else"
 
whuupwhuup
just joined
Posts: 5
Joined: Sun Jul 21, 2024 9:13 pm

Re: Default firewall config

Fri Aug 16, 2024 1:50 am

I prefer not trying to be too cute. Avoid ! rules unless they are required, as it's clearer to state what traffic is needed!
So From:

/ip firewall filter
add action=accept chain=input comment="accept established, related" connection-state=established,related
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=drop chain=input comment="drop all not coming from LAN" in-interface=!bridge1-LAN
add action=accept chain=forward comment="accept established, related" connection-state=established,related
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=accept chain=forward comment="accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="accept out ipsec policy" ipsec-policy=out,ipsec
add action=drop chain=forward comment="drop all from WAN not DSTNATed" connection-nat-state=!dstnat in-interface=ether1-Internet


TO:

/ip firewall address-list
add address=192.168.88.X list=Authorized comment="Admin PC"
add address=192.168.88.Y list=Authorized comment="Admin laptop/ipad"
add address=192.168.88.Z list=Authorized comment="Admin smartphone"


/ip firewall filter
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=accept chain=input comment="admin access" src-address-list=Authorized
add action=accept chain=input comment="users to services" in-interface-list=LAN dst-port=53 protocol=udp
add action=accept chain=input comment="users to services" in-interface-list=LAN dst-port=53 protocol=tcp
add action=drop chain=input comment="drop all else" { add as very last rule }
+++++++++++++++++++++++++++++++++++
add action=fasttrack chain=forward connection-state=established,related
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat disabled=yes { enable if required or remove }
add action=drop chain=forward comment="drop all else"
Thanks a lot for your replies mkx and anav, very helpful! I tried both configs, but I have a few questions regarding your rules anav:

1. Instead of authorising every device, can I also just authorise my entire LAN range or is this bad practice? My config would then be as follows:
/ip pool
add name=dhcp_pool1 ranges=177.22.12.0-177.22.12.254
/ip firewall address-list
add address=177.22.12.0/24 list=Authorized

Otherwise, if I am not mistaken, I would need to set static IPs for my admin devices.

2. Is untracked necessary? The rule also seems to work without it. What is the benefit of including untracked?

3. add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat disabled=yes { enable if required or remove }
Does your comment mean that this rule can be disregarded and left out, if everything works as intended without the rule?
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 20958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Default firewall config

Fri Aug 16, 2024 2:57 am

Yes, that is the whole point: you use static DHCP leases for trusted devices, and only they require access on the input chain.
The LAN only requires access to specific services, normally DNS and sometimes NTP.

Yes, if not doing port forwarding, then the rule can be removed.

Read the posts by SINDY on this thread: viewtopic.php?t=210175
 
whuupwhuup
just joined
Posts: 5
Joined: Sun Jul 21, 2024 9:13 pm

Re: Default firewall config

Sat Aug 17, 2024 4:14 pm

Thanks a lot again anav!

Other rookies, below you can find a little summary of the inputs above. Hope it helps (LAN IP can be changed of course and the MAC address is device specific; if port forwarding is also needed see anav's post #22):

/interface ethernet
set [ find default-name=ether1 ] name=ether1-WAN
set [ find default-name=ether2 ] disabled=yes name=ether2-LAN
set [ find default-name=ether3 ] disabled=yes name=ether3-LAN
set [ find default-name=ether4 ] disabled=yes name=ether4-LAN
set [ find default-name=ether5 ] disabled=yes name=ether5-LAN

/interface bridge
add name=Bridge-LAN

/interface bridge port
add bridge=Bridge-LAN interface=ether2-LAN
add bridge=Bridge-LAN interface=ether3-LAN
add bridge=Bridge-LAN interface=ether4-LAN
add bridge=Bridge-LAN interface=ether5-LAN
add bridge=Bridge-LAN interface=Wifi2-2.4ghz

/interface list
add name=WAN
add name=LAN

/interface list member
add interface=ether1-WAN list=WAN
add interface=Bridge-LAN list=LAN

/ip pool
add name=dhcp_pool1 ranges=109.33.48.20-109.33.48.254

/ip address
add address=109.33.48.1/24 interface=Bridge-LAN network=109.33.48.0

/ip dhcp-server
add address-pool=dhcp_pool1 interface=Bridge-LAN name=dhcp1

/ip dhcp-client
add interface=ether1-WAN

/ip dhcp-server lease
add address=109.33.48.11 client-id=1:XX:XX:XX:XX:XX:XX comment=ADMIN \
mac-address=XX:XX:XX:XX:XX:XX server=dhcp1

/ip dhcp-server network
add address=109.33.48.0/24 dns-server=109.33.48.1 gateway=109.33.48.1

/ip dns
set allow-remote-requests=yes

/ip firewall address-list
add address=109.33.48.11 comment=ADMIN list=Authorized

/ip firewall filter
add action=accept chain=input comment="accept established,related,untracked" \
connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=accept chain=input comment="admin access" src-address-list=\
Authorized
add action=accept chain=input comment="users to services" dst-port=53 \
in-interface-list=LAN protocol=udp
add action=accept chain=input comment="users to services" dst-port=53 \
in-interface-list=LAN protocol=tcp
add action=drop chain=input comment="drop all else"
add action=fasttrack chain=forward connection-state=established,related
add action=accept chain=forward comment=\
"accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=accept chain=forward comment="internet traffic" in-interface-list=\
LAN out-interface-list=WAN
add action=drop chain=forward comment="drop all else"

/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1-WAN
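To see which rule each kind of packet actually hits in the input chain of the summary above, here is an added Python first-match walk of that chain (my own illustration, not code from the thread or from RouterOS). The Authorized list holds only the ADMIN host from the summary; the sample packets and the Winbox port 8291 checks are constructed.

```python
import ipaddress

# Constructed data: the Authorized list from the summary (only the ADMIN host).
ADDRESS_LISTS = {"Authorized": [ipaddress.ip_network("109.33.48.11/32")]}

# Input chain from the summary, in order. Each dict carries only the matchers
# that rule uses; a missing key means "match anything", as in RouterOS.
INPUT_CHAIN = [
    {"action": "accept", "comment": "accept established,related,untracked",
     "connection_state": {"established", "related", "untracked"}},
    {"action": "drop", "comment": "drop invalid", "connection_state": {"invalid"}},
    {"action": "accept", "comment": "accept ICMP", "protocol": "icmp"},
    {"action": "accept", "comment": "admin access", "src_address_list": "Authorized"},
    {"action": "accept", "comment": "users to services", "in_interface_list": "LAN",
     "protocol": "udp", "dst_port": 53},
    {"action": "accept", "comment": "users to services", "in_interface_list": "LAN",
     "protocol": "tcp", "dst_port": 53},
    {"action": "drop", "comment": "drop all else"},
]

def matches(rule, pkt):
    """True when every matcher the rule carries agrees with the packet."""
    if "connection_state" in rule and pkt["connection_state"] not in rule["connection_state"]:
        return False
    if any(k in rule and pkt.get(k) != rule[k] for k in ("protocol", "in_interface_list", "dst_port")):
        return False
    if "src_address_list" in rule:
        src = ipaddress.ip_address(pkt["src"])
        return any(src in net for net in ADDRESS_LISTS[rule["src_address_list"]])
    return True

def evaluate(pkt, chain=INPUT_CHAIN):
    """First-match walk of the chain; returns (action, comment) of the rule that fired."""
    for rule in chain:
        if matches(rule, pkt):
            return rule["action"], rule["comment"]
    return "accept", "end of chain"  # no terminal rule: RouterOS accepts by default

# Constructed packets; connection_state "new" is the first packet of a flow.
SAMPLES = {
    "lan dns query": {"in_interface_list": "LAN", "src": "109.33.48.50", "protocol": "udp", "dst_port": 53, "connection_state": "new"},
    "admin winbox": {"in_interface_list": "LAN", "src": "109.33.48.11", "protocol": "tcp", "dst_port": 8291, "connection_state": "new"},
    "guest winbox": {"in_interface_list": "LAN", "src": "109.33.48.50", "protocol": "tcp", "dst_port": 8291, "connection_state": "new"},
    "wan winbox": {"in_interface_list": "WAN", "src": "203.0.113.7", "protocol": "tcp", "dst_port": 8291, "connection_state": "new"},
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:14} -> {evaluate(pkt)}")
```

Widening the Authorized list to the whole 109.33.48.0/24 (question 1 above) makes the "guest winbox" packet hit "admin access" instead of "drop all else", which is why the answer above keeps the list to static-lease admin devices.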
 
jahu
just joined
Posts: 12
Joined: Thu Aug 22, 2024 1:33 am

Re: Default firewall config

Sat Aug 24, 2024 1:31 pm

Hi, I am also interested in this. Are the summary settings in the last post above safe to use, or is anything missing or should anything be modified?
Last edited by jahu on Sun Aug 25, 2024 4:30 pm, edited 1 time in total.
 
jahu
just joined
Posts: 12
Joined: Thu Aug 22, 2024 1:33 am

Re: Default firewall config

Wed Aug 28, 2024 11:33 pm

Anyone?
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 20958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Default firewall config

Sat Aug 31, 2024 6:45 pm

It is fine for the basic generic setup the OP was looking for in terms of:
TAKING the default firewall set of rules and
a. make them efficient
b. change concept to block all and identify needed traffic above block all rule.

If it's good for your scenario, fine; if yours differs from a single subnet on one bridge, then one would have to make more adjustments.
 
jahu
just joined
Posts: 12
Joined: Thu Aug 22, 2024 1:33 am

Re: Default firewall config

Sat Aug 31, 2024 7:42 pm

It is fine for the basic generic setup the OP was looking for in terms of:
TAKING the default firewall set of rules and
a. make them efficient
b. change concept to block all and identify needed traffic above block all rule.

If it's good for your scenario, fine; if yours differs from a single subnet on one bridge, then one would have to make more adjustments.
Hi anav, thank you. In this case I will use whuupwhuup's config as is.
 
jahu
just joined
Posts: 12
Joined: Thu Aug 22, 2024 1:33 am

Re: Default firewall config

Sat Sep 07, 2024 2:01 pm

It is fine for the basic generic setup the OP was looking for in terms of:
TAKING the default firewall set of rules and
a. make them efficient
b. change concept to block all and identify needed traffic above block all rule.

If it's good for your scenario, fine; if yours differs from a single subnet on one bridge, then one would have to make more adjustments.
Follow-up question: if I want to make IPv6 as secure as possible, meaning not used at all or blocked entirely, will
/ipv6 settings set disable-ipv6=yes
be enough?

Or is it better to have it enabled and set the firewall rules below?
/ipv6 firewall filter
add action=drop chain=input comment="Drop all IPv6 ICMP traffic" protocol=icmpv6
add action=drop chain=input comment="Drop all other IPv6 traffic"
add action=drop chain=forward comment="Drop all IPv6 forward traffic"
add action=drop chain=output comment="Drop all IPv6 output traffic"
/ipv6 nd
set [ find default=yes ] disabled=yes

If so, are the rules effective or is something missing?
 
jahu
just joined
Posts: 12
Joined: Thu Aug 22, 2024 1:33 am

Re: Default firewall config

Wed Sep 11, 2024 12:10 am

Anyone else who would have insights on this? anav seems busy.
