Below I've listed my IPv4 & IPv6 firewall config; since this is my first attempt at it, would you mind pointing out what I did wrong or could have done better?
Cheers!
Reev
#| IPv4 Firewall
#-------------------------------------------------------------------------------
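# Chains used below: input (traffic addressed to the router itself), forward
# (traffic routed through the router) and a custom icmp chain that is only
# reached via the jump in forward. Rules are evaluated top to bottom and the
# first match wins, so rule order is significant.
/ip firewall {
# Hosts allowed to reach router services. 10.17.1.1 is excluded from the
# range (presumably the router's own LAN address — confirm).
# Fixed: the original had "comment= " with a space after '='; RouterOS reads
# that as an empty comment followed by a stray argument and rejects the line.
address-list add list=allowed_to_router address=10.17.1.2-10.17.1.254 comment="allowed_to_router"
# Prefixes that must never appear as a source on WAN or as a destination
# leaving the LAN (RFC 6890 special-purpose ranges, multicast, 6to4 relay).
address-list add list=not_in_internet address=0.0.0.0/8 comment="RFC6890"
address-list add list=not_in_internet address=172.16.0.0/12 comment="RFC6890"
address-list add list=not_in_internet address=192.168.0.0/16 comment="RFC6890"
address-list add list=not_in_internet address=10.0.0.0/8 comment="RFC6890"
address-list add list=not_in_internet address=169.254.0.0/16 comment="RFC6890"
address-list add list=not_in_internet address=127.0.0.0/8 comment="RFC6890"
address-list add list=not_in_internet address=224.0.0.0/4 comment="Multicast"
address-list add list=not_in_internet address=198.18.0.0/15 comment="RFC6890"
address-list add list=not_in_internet address=192.0.0.0/24 comment="RFC6890"
address-list add list=not_in_internet address=192.0.2.0/24 comment="RFC6890"
address-list add list=not_in_internet address=198.51.100.0/24 comment="RFC6890"
address-list add list=not_in_internet address=203.0.113.0/24 comment="RFC6890"
address-list add list=not_in_internet address=100.64.0.0/10 comment="RFC6890"
address-list add list=not_in_internet address=240.0.0.0/4 comment="RFC6890"
address-list add list=not_in_internet address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]"
# ---- input chain: packets destined to the router itself ----
filter add chain=input action=accept connection-state=established,related comment="accept established,related"
filter add chain=input action=drop connection-state=invalid comment="drop invalid"
# Keep the router's DNS resolver closed towards WAN. These sit above the
# accept rules so they win for traffic arriving on the WAN list.
filter add chain=input action=drop protocol=udp dst-port=53 in-interface-list=WAN comment="drop DNS queries from WAN"
filter add chain=input action=drop protocol=tcp dst-port=53 in-interface-list=WAN comment="drop DNS queries from WAN"
# NOTE(review): the last input rule only drops traffic that is NOT on the LAN
# interface list, so everything from LAN is accepted regardless of this
# address list. This rule is effectively redundant as written; it only
# restricts access if the final rule becomes an unconditional drop.
filter add chain=input action=accept src-address-list=allowed_to_router comment="accept access to router based on address list allowed_to_router"
filter add chain=input action=accept protocol=icmp comment="accept ICMP"
# CAPsMAN traffic arrives on loopback; without this the final drop blocks it.
filter add chain=input action=accept dst-address=127.0.0.1 comment="accept to local loopback (for CAPsMAN)"
# NOTE(review): unlike the IPv6 section, there is no input accept for IKE
# (udp 500,4500), AH or ESP here, so IPv4 IPsec peers arriving on WAN would be
# dropped by this rule. Add matching accepts above it if IPv4 IPsec is used.
filter add chain=input action=drop in-interface-list=!LAN comment="drop all not coming from LAN"
# ---- forward chain: packets routed through the router ----
# The IPsec-policy accepts stay ahead of fasttrack: fasttracked connections
# bypass later firewall processing, which is why the default configuration
# orders them this way.
filter add chain=forward action=accept ipsec-policy=in,ipsec comment="accept in ipsec policy"
filter add chain=forward action=accept ipsec-policy=out,ipsec comment="accept out ipsec policy"
filter add chain=forward action=fasttrack-connection connection-state=established,related comment="fasttrack"
filter add chain=forward action=accept connection-state=established,related comment="accept established,related"
filter add chain=forward action=drop connection-state=invalid log=yes log-prefix=invalid comment="drop invalid"
# 10.0.0.0/8 is in not_in_internet, but out-interface-list=!LAN keeps this
# from affecting traffic that stays within the 10.17.1.0/24 LAN.
filter add chain=forward action=drop dst-address-list=not_in_internet in-interface-list=LAN out-interface-list=!LAN log=yes log-prefix=!public_from_LAN comment="drop tries to reach not public addresses from LAN"
filter add chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN log=yes log-prefix=!NAT comment="drop all from WAN not DSTNATed"
# Because this jump sits below the "not DSTNATed" drop, the icmp chain only
# sees ICMP that originated on the LAN side or was DSTNATed in from WAN.
filter add chain=forward action=jump protocol=icmp jump-target=icmp comment="jump to ICMP filters"
filter add chain=forward action=drop src-address-list=not_in_internet in-interface-list=WAN log=yes log-prefix=!public comment="drop incoming from WAN which is not public IP"
# LAN-side anti-spoofing: 10.17.1.0/24 is the only valid LAN source.
filter add chain=forward action=drop src-address=!10.17.1.0/24 in-interface-list=LAN log=yes log-prefix=LAN_!LAN comment="drop packets from LAN that do not have LAN IP"
# ---- icmp chain: allow-list of ICMP type:code, everything else dropped ----
filter add chain=icmp action=accept protocol=icmp icmp-options=0:0 comment="echo reply"
filter add chain=icmp action=accept protocol=icmp icmp-options=3:0 comment="net unreachable"
filter add chain=icmp action=accept protocol=icmp icmp-options=3:1 comment="host unreachable"
filter add chain=icmp action=accept protocol=icmp icmp-options=3:4 comment="host unreachable fragmentation required"
filter add chain=icmp action=accept protocol=icmp icmp-options=8:0 comment="allow echo request"
filter add chain=icmp action=accept protocol=icmp icmp-options=11:0 comment="allow time exceed"
filter add chain=icmp action=accept protocol=icmp icmp-options=12:0 comment="allow parameter bad"
filter add chain=icmp action=drop comment="deny all other types"
# ZeroTier overlay. place-before=0 inserts each of these ahead of the rule
# currently first in the filter list, i.e. above "drop invalid" and every
# other rule in this block. As written, any ZeroTier peer gets unrestricted
# access to router services (input) and its traffic is forwarded without
# passing the checks above. NOTE(review): if the ZeroTier network is not fully
# trusted, consider adding zerotier1 to the LAN interface list instead, or
# limiting these rules to the dst-ports / connection-state actually needed.
filter add chain=forward action=accept in-interface=zerotier1 place-before=0 comment="accept ZeroTier"
filter add chain=input action=accept in-interface=zerotier1 place-before=0 comment="accept ZeroTier"
}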
#| IPv6 Firewall
#-------------------------------------------------------------------------------
# IPv6 counterpart of the IPv4 block above, written in export-style (parameters
# in alphabetical order). Rule order within each chain is unchanged and is
# significant: first match wins.
/ipv6 firewall {
# Source/destination prefixes that should never be forwarded across the
# router (unspecified, loopback, deprecated/site-local, transition and
# documentation ranges).
address-list add address=::/128 comment="unspecified address" list=bad_ipv6
address-list add address=::1 comment="lo" list=bad_ipv6
address-list add address=fec0::/10 comment="site-local" list=bad_ipv6
address-list add address=::ffff:0:0/96 comment="ipv4-mapped" list=bad_ipv6
address-list add address=::/96 comment="ipv4 compat" list=bad_ipv6
address-list add address=100::/64 comment="discard only " list=bad_ipv6
address-list add address=2001:db8::/32 comment="documentation" list=bad_ipv6
address-list add address=2001:10::/28 comment="ORCHID" list=bad_ipv6
address-list add address=3ffe::/16 comment="6bone" list=bad_ipv6
# ---- input chain: packets destined to the router itself ----
filter add action=accept chain=input comment="accept established,related" connection-state=established,related
filter add action=drop chain=input comment="drop invalid" connection-state=invalid
# ICMPv6 is accepted wholesale; neighbour discovery and path MTU depend on it.
filter add action=accept chain=input comment="accept ICMPv6" protocol=icmpv6
filter add action=accept chain=input comment="accept UDP traceroute" port=33434-33534 protocol=udp
# DHCPv6 client replies arrive from the upstream link-local address.
filter add action=accept chain=input comment="accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/16
# IPsec towards the router: IKE, AH, ESP and anything matching an IPsec policy.
filter add action=accept chain=input comment="accept IKE" dst-port=500,4500 protocol=udp
filter add action=accept chain=input comment="accept ipsec AH" protocol=ipsec-ah
filter add action=accept chain=input comment="accept ipsec ESP" protocol=ipsec-esp
filter add action=accept chain=input comment="accept all that matches ipsec policy" ipsec-policy=in,ipsec
# NOTE(review): the IPv4 section has a ZeroTier accept on input; there is no
# IPv6 equivalent here, so ZeroTier IPv6 traffic to the router ends at this drop.
filter add action=drop chain=input comment="drop everything else not coming from LAN" in-interface-list=!LAN
# ---- forward chain: packets routed through the router ----
filter add action=accept chain=forward comment="accept established,related" connection-state=established,related
filter add action=drop chain=forward comment="drop invalid" connection-state=invalid log=yes log-prefix=ipv6,invalid
filter add action=drop chain=forward comment="drop packets with bad src ipv6" src-address-list=bad_ipv6
filter add action=drop chain=forward comment="drop packets with bad dst ipv6" dst-address-list=bad_ipv6
# Link-local-scoped ICMPv6 (hop limit 1) must not be forwarded.
filter add action=drop chain=forward comment="rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
filter add action=accept chain=forward comment="accept ICMPv6" protocol=icmpv6
filter add action=accept chain=forward comment="accept HIP" protocol=139
filter add action=accept chain=forward comment="accept IKE" dst-port=500,4500 protocol=udp
filter add action=accept chain=forward comment="accept ipsec AH" protocol=ipsec-ah
filter add action=accept chain=forward comment="accept ipsec ESP" protocol=ipsec-esp
filter add action=accept chain=forward comment="accept all that matches ipsec policy" ipsec-policy=in,ipsec
# Everything not originating on the LAN list is dropped; there is no NAT on
# IPv6, so this is what keeps WAN-initiated traffic away from LAN hosts.
filter add action=drop chain=forward comment="drop everything else not coming from LAN" in-interface-list=!LAN
}