/ip firewall filter
add action=accept chain=input comment="accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=drop chain=input comment="drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=accept chain=forward comment="accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="accept out ipsec policy" ipsec-policy=out,ipsec
add action=drop chain=forward comment="drop all from WAN not DSTNATed" connection-nat-state=!dstnat in-interface-list=WAN
Are the firewall filter rules above in the right order?That is basically what a SOHO firewall is with fasttrack rule removed (you don't need it using a CCR in home environment):It allows ping to your router from outside, access to it from interfaces in interface-list=LAN and dropping everything from interface-list=WAN, that was not subjected to dst-nat (port forwarding).Code: Select all/ip firewall filter add action=accept chain=input comment="accept established,related,untracked" connection-state=established,related,untracked add action=drop chain=input comment="drop invalid" connection-state=invalid add action=accept chain=input comment="accept ICMP" protocol=icmp add action=drop chain=input comment="drop all not coming from LAN" in-interface-list=!LAN add action=accept chain=forward comment="accept established,related, untracked" connection-state=established,related,untracked add action=drop chain=forward comment="drop invalid" connection-state=invalid add action=accept chain=forward comment="accept in ipsec policy" ipsec-policy=in,ipsec add action=accept chain=forward comment="accept out ipsec policy" ipsec-policy=out,ipsec add action=drop chain=forward comment="drop all from WAN not DSTNATed" connection-nat-state=!dstnat in-interface-list=WAN
In order to use it you need first to be sure that you add needed interfaces to corresponding interface-lists: WAN interface(s) - to WAN list, LAN interface(s) - to LAN list.
Otherwise you will lock you up.
Are the firewall filter rules above in the right order?
/ip firewall filter
add action=accept chain=input comment="accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=drop chain=input comment="drop all not coming from LAN" in-interface-list=!LAN
add action=drop chain=input comment="drop all not coming from LAN" in-interface-list=!LAN
add action=drop chain=input comment="drop all other"
Code: Select all/ip firewall filter ... add action=accept chain=input comment="accept ICMP" protocol=icmp add action=drop chain=input comment="drop all not coming from LAN" in-interface-list=!LAN ...
+100Just because youtube or any other source says you need all this extra stuff, for a home scenario simply you dont.
Are the firewall filter rules above in the right order?
Not going to answer directly.
A packet is matched against the rules in firewall (filter, raw, nat, ...) in the order from top (number 0) to bottom ... when talking about firewall filter packet is first checked zo determine correct chain (inout, output or forward).
The ordering of rules then has a few gials to match:
And we always lean on connection tracking state. Hence the rule you were asking about: let's assume we track all connections. So the packet state is either new, established, related or invalid. Connection can not reach established/related state without first being new and if we allowed the connection while it was new, we should allow it while it's established/related. And remember, vast majority of packets of a connection are transmitted while it's established (a TCP connection is new only during initial three-way handshake which involves total of 3 packets, 2 are without any payload, the last one might be as well). So if we place the quoted rule at the top, vast majority of packets will only get matched against single rule. If they had to traverse a bunch of rules dropping specific packets, the router's CPU would have much more work to do.
- correct filtering ... if a packet should be dropped, then the dropping rule has to be before a rule which would allow packet. Which means that a more specific rule should be higher than a more general rule IF their action is not the same.
- performance ... the idea is to either accept or drop a packet as soon as possible. And higher on the rule list should hence be filters which apply to larger number of packets.
I use this:Code: Select all/ip firewall filter add action=accept chain=input comment="accept established,related,untracked" connection-state=established,related,untracked add action=accept chain=forward comment="accept established,related, untracked" connection-state=established,related,untracked
/ip firewall filter
add action=accept chain=input comment="default: accept established,related" connection-state=established,related
add action=accept chain=forward comment="default: accept established,related" connection-state=established,related
The default rules, and then how to get a more tailored ruleset that ensures only the ADMIN has full access to the router on the input chain, and only traffic allowed by the admin is served on the forward chain.
[SNIP]
Three years later, is this still a valid configuration for a Mikrotik hEX RB750Gr3?
Beginner question: Do I need to set up an interface list to make your firewall config effective or will "drop all not coming from LAN" and "drop all from WAN not DSTNATed" also work with the following settings?That is basically what a SOHO firewall is with fasttrack rule removed (you don't need it using a CCR in home environment):It allows ping to your router from outside, access to it from interfaces in interface-list=LAN and dropping everything from interface-list=WAN, that was not subjected to dst-nat (port forwarding).Code: Select all/ip firewall filter add action=accept chain=input comment="accept established,related,untracked" connection-state=established,related,untracked add action=drop chain=input comment="drop invalid" connection-state=invalid add action=accept chain=input comment="accept ICMP" protocol=icmp add action=drop chain=input comment="drop all not coming from LAN" in-interface-list=!LAN add action=accept chain=forward comment="accept established,related, untracked" connection-state=established,related,untracked add action=drop chain=forward comment="drop invalid" connection-state=invalid add action=accept chain=forward comment="accept in ipsec policy" ipsec-policy=in,ipsec add action=accept chain=forward comment="accept out ipsec policy" ipsec-policy=out,ipsec add action=drop chain=forward comment="drop all from WAN not DSTNATed" connection-nat-state=!dstnat in-interface-list=WAN
In order to use it you need first to be sure that you add needed interfaces to corresponding interface-lists: WAN interface(s) - to WAN list, LAN interface(s) - to LAN list.
Otherwise you will lock you up.
Beginner question: Do I need to set up an interface list to make your firewall config effective ...
Thanks a lot for your replies mkx and anav, very helpful! I tried both configs, but I have a few questions regarding your rules anav:I prefer not trying to be too cute. Avoid ! rules unless they are required as its clearer to state what traffic is needed!1
So From:
/ip firewall filter
add action=accept chain=input comment="accept established, related" \ connection-state=established,related
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=drop chain=input comment="drop all not coming from LAN" \ in-interface=!bridge1-LAN
add action=accept chain=forward comment="accept established, related" \ connection-state=established,related
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=accept chain=forward comment="accept in ipsec policy" \ ipsec-policy=in,ipsec
add action=accept chain=forward comment="accept out ipsec policy" \ ipsec-policy=out,ipsec
add action=drop chain=forward comment="drop all from WAN not DSTNATed" \ connection-nat-state=!dstnat in-interface=ether1-Internet
TO:
/ip firewall address-list
add address=192.168.88.X list=Authorized comment="Admin PC"
add address=192.168.88.Y list=Authorized comment="Admin laptop/ipad"
add address=192.168.88.Z list=Authorized comment="Admin smartphone"
/ip firewall filter
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=accept chain=input comment="admin access" src-address-list=Authorized
add action=accept chain=input comment="users to services" in-interface-list=LAN dst-port=53 protocol=udp
add action=accept chain=input comment="users to services" in-interface-list=LAN dst-port=53 protocol=tcp
add action=drop chain=input comment="drop all else" { add as very last rule }
+++++++++++++++++++++++++++++++++++
add action=fasttrack chain=forward connection-state=established,related
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat disabled=yes { enable if required or remove }
add action=drop chain=forward comment="drop all else"
Hi anav, thank you. In this case I will use whuupwhuup´s config as isIt is fine for the basic generic setup the OP was looking for in terms of:
TAKING the default firewall set of rules and
a. make them efficient
b. change concept to block all and identify needed traffic above block all rule.
If its good for your scenario, if different from a single subnet one bridge then one would have to make more adjustments.
follow-up question, if i want make ipv6 as secure as possible, meaning not used at all or blocked entirely, willIt is fine for the basic generic setup the OP was looking for in terms of:
TAKING the default firewall set of rules and
a. make them efficient
b. change concept to block all and identify needed traffic above block all rule.
If its good for your scenario, if different from a single subnet one bridge then one would have to make more adjustments.