I have changed my firewall rules to a default drop rule.
Have I made any errors? The router is used in my house with a few servers.
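# Stateful filter for a home router with a default-drop policy on both the
# input chain (traffic addressed to the router itself) and the forward chain
# (traffic routed between interfaces). Rules are evaluated top to bottom and
# the first accept/drop match wins, so the catch-all drop rules must stay last
# in their chain.
/ip firewall filter
# --- input chain: what may reach the router itself ---
# Replies to connections the router initiated, plus traffic conntrack marks as related.
add action=accept chain=input connection-state=established,related log-prefix="Allow established, related: "
# Drop packets that do not belong to any tracked connection before a
# service-specific accept below can match them (mirrors the forward chain,
# which already has this rule; the input chain did not).
add action=drop chain=input comment="drop invalid" connection-state=invalid log-prefix="INPUT: Drop invalid: "
# DNS resolver on the router: LAN-side interfaces only, and only from hosts in dns_access.
add action=accept chain=input comment=DNS dst-port=53 in-interface-list=!WAN log-prefix="Allow DNS(UDP): " protocol=udp src-address-list=dns_access
# Management (SSH 22, WinBox 8291): LAN side only, restricted to mgmt_access; every hit is logged.
add action=accept chain=input dst-port=22,8291 in-interface-list=!WAN log=yes log-prefix="Allow ssh+winbox: " protocol=tcp src-address-list=mgmt_access
# ICMP echo request (type 8) from the LAN side only; other ICMP types reach the
# router only if conntrack classifies them as related (first rule above).
add action=accept chain=input icmp-options=8:0-255 in-interface-list=!WAN log-prefix="Allow ICMP: " protocol=icmp
# WireGuard listener, the only service exposed on WAN. NOTE: log=yes records
# every new packet to this port from the internet, which can get noisy.
add action=accept chain=input dst-port=13231 in-interface-list=WAN log=yes log-prefix="Allow Wireguard: " protocol=udp
add action=accept chain=input comment=DNS dst-port=53 in-interface-list=!WAN log-prefix="Allow DNS(TCP): " protocol=tcp src-address-list=dns_access
# Default deny for the router itself.
add action=drop chain=input log-prefix="INPUT: Drop anything not allowed: "
# --- forward chain: what may be routed between interfaces ---
add action=accept chain=forward comment="allow established,related" connection-state=established,related log-prefix="Allow established, related: "
add action=drop chain=forward comment="drop invalid" connection-state=invalid log-prefix="Drop invalid:"
# Block DNS-over-HTTPS from VLAN2 to the DOH-Server list so clients cannot
# bypass the local resolver. A client's request carries dst-port=443 (its
# source port is ephemeral), so the match must be on dst-port; the previous
# src-port=443 matcher never matched an outbound request.
add action=drop chain=forward dst-address-list=DOH-Server dst-port=443 in-interface=vlan2 log=yes log-prefix="Drop DoH: " protocol=tcp
add action=accept chain=forward in-interface=vlan2 log-prefix="Allow VLAN2 -> WAN: " out-interface-list=WAN
# Inbound port forwards: only connections that dst-nat actually translated are let through.
add action=accept chain=forward connection-nat-state=dstnat in-interface-list=WAN log-prefix="Allow dstnat aka Portfreigabe: "
add action=accept chain=forward in-interface=vlan10 log-prefix="Allow VLAN10 -> WAN: " out-interface-list=WAN
add action=accept chain=forward in-interface=wireguard_clients log-prefix="Allow WG-Clients -> Internet: " out-interface-list=WAN
# Site-to-site: hosts in subnet3_access may reach subnet3 over the s2s tunnel.
add action=accept chain=forward dst-address-list=subnet3 log=yes log-prefix="Allow irantu+win3 -> SN3: " out-interface=wireguard_s2s_ag src-address-list=subnet3_access
add action=accept chain=forward in-interface=wireguard_clients log-prefix="Allow WG-Clients- > VLAN2: " out-interface=vlan2
# Default deny for routed traffic; this also blocks any inter-VLAN traffic not
# explicitly allowed above.
add action=drop chain=forward log=yes log-prefix="FORWARD: Drop anything not allowed: "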
mg