quotengrote

Firewall Check

Thu Jan 06, 2022 5:20 pm

Hi,

I have changed my firewall rules to a default drop rule.

Have I made any errors? The router is used in my house with a few servers.

/ip firewall filter
add action=accept chain=input connection-state=established,related log-prefix="Allow established, related: "
add action=accept chain=input comment=DNS dst-port=53 in-interface-list=!WAN log-prefix="Allow DNS(UDP): " protocol=udp src-address-list=dns_access
add action=accept chain=input dst-port=22,8291 in-interface-list=!WAN log=yes log-prefix="Allow ssh+winbox: " protocol=tcp src-address-list=mgmt_access
add action=accept chain=input icmp-options=8:0-255 in-interface-list=!WAN log-prefix="Allow ICMP: " protocol=icmp
add action=accept chain=input dst-port=13231 in-interface-list=WAN log=yes log-prefix="Allow Wireguard: " protocol=udp
add action=accept chain=input comment=DNS dst-port=53 in-interface-list=!WAN log-prefix="Allow DNS(TCP): " protocol=tcp src-address-list=dns_access
add action=drop chain=input log-prefix="INPUT: Drop anything not allowed: "
add action=accept chain=forward comment="allow established,related" connection-state=established,related log-prefix="Allow established, related: "
add action=drop chain=forward comment="drop invalid" connection-state=invalid log-prefix="Drop invalid:"
add action=drop chain=forward dst-address-list=DOH-Server in-interface=vlan2 log=yes log-prefix="Drop DoH: " protocol=tcp src-port=443
add action=accept chain=forward in-interface=vlan2 log-prefix="Allow VLAN2 -> WAN: " out-interface-list=WAN
add action=accept chain=forward connection-nat-state=dstnat in-interface-list=WAN log-prefix="Allow dstnat aka Portfreigabe: "
add action=accept chain=forward in-interface=vlan10 log-prefix="Allow VLAN10 -> WAN: " out-interface-list=WAN
add action=accept chain=forward in-interface=wireguard_clients log-prefix="Allow WG-Clients -> Internet: " out-interface-list=WAN
add action=accept chain=forward dst-address-list=subnet3 log=yes log-prefix="Allow irantu+win3 -> SN3: " out-interface=wireguard_s2s_ag src-address-list=subnet3_access
add action=accept chain=forward in-interface=wireguard_clients log-prefix="Allow WG-Clients- > VLAN2: " out-interface=vlan2
add action=drop chain=forward log=yes log-prefix="FORWARD: Drop anything not allowed: "

Wishes
mg
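
Added example (not part of the original post, and not MikroTik tooling): a small offline check that parses a filter export like the one above and flags three things a reviewer would look at. It assumes a compact export where default values such as log=no are omitted; the function names and the embedded sample are constructed for illustration.

```python
import shlex

# Constructed sample: four rules taken from the post above, in their original order.
SAMPLE = '''/ip firewall filter
add action=accept chain=input dst-port=22,8291 in-interface-list=!WAN log=yes log-prefix="Allow ssh+winbox: " protocol=tcp src-address-list=mgmt_access
add action=drop chain=input log-prefix="INPUT: Drop anything not allowed: "
add action=drop chain=forward dst-address-list=DOH-Server in-interface=vlan2 log=yes log-prefix="Drop DoH: " protocol=tcp src-port=443
add action=drop chain=forward log=yes log-prefix="FORWARD: Drop anything not allowed: "
'''

# Properties that do not restrict which packets a rule matches.
NON_MATCHERS = {"action", "chain", "comment", "log", "log-prefix"}

def parse_rules(export):
    """Turn each 'add key=value ...' line of a filter export into a dict."""
    rules = []
    for line in export.splitlines():
        tokens = shlex.split(line)  # keeps quoted log prefixes in one token
        if tokens and tokens[0] == "add":
            rules.append(dict(t.split("=", 1) for t in tokens[1:] if "=" in t))
    return rules

def audit(rules):
    """Return (rule_index, message) findings; indexes are 0-based."""
    findings = []
    for i, r in enumerate(rules):
        # Assumption: log defaults to no, so a prefix alone produces no log entry.
        if "log-prefix" in r and r.get("log") != "yes":
            findings.append((i, "log-prefix set without log=yes: rule does not log"))
        # Client-to-server traffic carries the service port as dst-port.
        if "dst-address-list" in r and "src-port" in r and "dst-port" not in r:
            findings.append((i, "src-port matched toward a destination list; was dst-port meant?"))
    last = {}
    for i, r in enumerate(rules):
        last[r.get("chain")] = i  # index of the final rule seen in each chain
    for chain, i in sorted(last.items()):
        r = rules[i]
        if r.get("action") != "drop" or set(r) - NON_MATCHERS:
            findings.append((i, f"chain {chain} does not end in an unconditional drop"))
    return findings

if __name__ == "__main__":
    for idx, msg in audit(parse_rules(SAMPLE)):
        print(idx, msg)
```
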
