eakteam (Topic Author)

Recommended Firewall Filter & Raw rules

Wed Nov 02, 2022 6:21 am

Hi everyone! Can anyone help me with improving or making a better firewall based on the rules below, which I use for my company router?
Thanks in advance!

Firewall Raw
 
 0    ;;; Drop all DNS request from Internet
      chain=prerouting action=drop in-interface-list=WAN dst-port=53 log=no log-prefix="" protocol=tcp

 1    chain=prerouting action=drop in-interface-list=WAN dst-port=53 log=no log-prefix="" protocol=udp

 2    ;;; TCP invalid combination of flags attack (7 rules)
      chain=prerouting action=drop tcp-flags=!fin,!syn,!rst,!ack log=no log-prefix="" protocol=tcp

 3    chain=prerouting action=drop tcp-flags=fin,syn log=no log-prefix="" protocol=tcp

 4    chain=prerouting action=drop tcp-flags=fin,rst log=no log-prefix="" protocol=tcp

 5    chain=prerouting action=drop tcp-flags=fin,!ack log=no log-prefix="" protocol=tcp

 6    chain=prerouting action=drop tcp-flags=fin,urg log=no log-prefix="" protocol=tcp

 7    chain=prerouting action=drop tcp-flags=syn,rst log=no log-prefix="" protocol=tcp

 8    chain=prerouting action=drop tcp-flags=rst,urg log=no log-prefix="" protocol=tcp

 9    ;;; TCP Port 0 attack (2 rules)
      chain=prerouting action=drop src-port=0 log=no log-prefix="" protocol=tcp

10    chain=prerouting action=drop dst-port=0 log=no log-prefix="" protocol=tcp

11    ;;; UDP Port 0 attack (2 rules)
      chain=prerouting action=drop src-port=0 log=no log-prefix="" protocol=udp

12    chain=prerouting action=drop dst-port=0 log=no log-prefix="" protocol=udp

13    ;;; Protecting device crash when size > 1024
      chain=prerouting action=drop packet-size=1025-1600 log=no log-prefix="" protocol=icmp

14    ;;; ICMP large packet attack
      chain=prerouting action=drop packet-size=1601-65535 log=no log-prefix="" protocol=icmp

15    ;;; ICMP fragmentation attack
      chain=prerouting action=drop log=no log-prefix="" protocol=icmp fragment=yes

16    ;;; SYN fragmented attack
      chain=prerouting action=drop tcp-flags=syn log=no log-prefix="" protocol=tcp fragment=yes

17    ;;; Fragment attack Interface Protection
      chain=prerouting action=drop log=no log-prefix="" fragment=yes dst-address-list=LAN Users

18    ;;; IP option loose-source-routing
      chain=prerouting action=drop log=no log-prefix="" ipv4-options=loose-source-routing

19    ;;; IP option strict-source-routing
      chain=prerouting action=drop log=no log-prefix="" ipv4-options=strict-source-routing

20    ;;; IP option record-route
      chain=prerouting action=drop log=no log-prefix="" ipv4-options=record-route

21    ;;; IP option router-alert
      chain=prerouting action=drop log=no log-prefix="" ipv4-options=router-alert

22    ;;; IP option timestamp
      chain=prerouting action=drop log=no log-prefix="" ipv4-options=timestamp

23    ;;; IP options left, except IP Stream used by the IGMP protocol
      chain=prerouting action=drop log=no log-prefix="" protocol=!igmp ipv4-options=any

24    chain=prerouting action=accept log=no log-prefix="" protocol=icmp

25    chain=prerouting action=accept log=no log-prefix="" protocol=igmp

26    chain=prerouting action=accept log=no log-prefix="" protocol=tcp

27    chain=prerouting action=accept log=no log-prefix="" protocol=udp

28    chain=prerouting action=accept log=no log-prefix="" protocol=gre

29    chain=prerouting action=log log=yes log-prefix="Not TCP protocol" protocol=!tcp

30    ;;; Unused protocol protection
      chain=prerouting action=drop log=no log-prefix="" protocol=!tcp

Firewall Filter
 0  D chain=forward action=jump jump-target=hs-unauth hotspot=from-client,!auth

 1  D chain=forward action=jump jump-target=hs-unauth-to hotspot=to-client,!auth

 2  D chain=input action=jump jump-target=hs-input hotspot=from-client

 3  D chain=input action=drop protocol=tcp hotspot=!from-client dst-port=64872-64875

 4  D chain=hs-input action=jump jump-target=pre-hs-input

 5  D chain=hs-input action=accept protocol=udp dst-port=64872

 6  D chain=hs-input action=accept protocol=tcp dst-port=64872-64875

 7  D chain=hs-input action=jump jump-target=hs-unauth hotspot=!auth

 8  D chain=hs-unauth action=reject reject-with=tcp-reset protocol=tcp

 9  D chain=hs-unauth action=reject reject-with=icmp-net-prohibited

10  D chain=hs-unauth-to action=reject reject-with=icmp-host-prohibited

11 X  ;;; place hotspot rules here
      chain=unused-hs-chain action=passthrough

12    ;;; Accept established,related connections
      chain=input action=accept connection-state=established,related

13    ;;; Accept established,related connections
      chain=forward action=accept connection-state=established,related

14    ;;; Accept established,related connections
      chain=output action=accept connection-state=established,related log=no log-prefix=""

15 X  ;;; UDP
      chain=input action=accept protocol=udp log=no log-prefix=""

16    ;;; Allow LAN DNS queries-UDP
      chain=forward action=accept protocol=udp src-address-list=LAN Users dst-port=53 log=no log-prefix=""

17    ;;; Allow LAN DNS queries-TCP
      chain=forward action=accept protocol=tcp src-address-list=LAN Users dst-port=53 log=no log-prefix=""

18    ;;; Allow Wireguard Trrafic
      chain=input action=accept src-address=192.168.200.0/24 log=no log-prefix=""

19    ;;; Allow Wireguard
      chain=input action=accept protocol=udp dst-port=13231

20    chain=forward action=jump jump-target=tcp protocol=tcp

21    chain=forward action=jump jump-target=udp protocol=udp

22    ;;; deny TFTP
      chain=tcp action=drop protocol=tcp dst-port=69

23    ;;; deny RPC portmapper
      chain=tcp action=drop protocol=tcp dst-port=111

24    ;;; deny RPC portmapper
      chain=tcp action=drop protocol=tcp dst-port=135

25    ;;; deny NBT
      chain=tcp action=drop protocol=tcp dst-port=137-139

26    ;;; deny cifs
      chain=tcp action=drop protocol=tcp dst-port=445

27    ;;; deny NFS
      chain=tcp action=drop protocol=tcp dst-port=2049

28    ;;; deny NetBus
      chain=tcp action=drop protocol=tcp dst-port=12345-12346

29    ;;; deny NetBus
      chain=tcp action=drop protocol=tcp dst-port=20034

30    ;;; deny BackOriffice
      chain=tcp action=drop protocol=tcp dst-port=3133

31    ;;; deny DHCP
      chain=tcp action=drop protocol=tcp dst-port=67-68

32    ;;; deny TFTP
      chain=udp action=drop protocol=udp dst-port=69

33    ;;; deny PRC portmapper
      chain=udp action=drop protocol=udp dst-port=111

34    ;;; deny PRC portmapper
      chain=udp action=drop protocol=udp dst-port=135

35    ;;; deny NBT
      chain=udp action=drop protocol=udp dst-port=137-139

36    ;;; deny NFS
      chain=udp action=drop protocol=udp dst-port=2049

37    ;;; deny BackOriffice
      chain=udp action=drop protocol=udp dst-port=3133

38    chain=forward action=jump jump-target=block-ddos connection-state=new

39    chain=forward action=drop connection-state=new src-address-list=ddoser dst-address-list=ddosed

40    chain=block-ddos action=return dst-limit=50,50,src-and-dst-addresses/10s

41    chain=block-ddos action=add-dst-to-address-list address-list=ddosed address-list-timeout=1m log=yes

42    chain=block-ddos action=add-src-to-address-list address-list=ddoser address-list-timeout=1m log=yes

43    ;;; ping port scanners
      chain=input action=drop src-address-list=port scanners

44    ;;; Port scanners to list
      chain=input action=add-src-to-address-list protocol=tcp psd=21,3s,3,1 address-list=port scanners address-list-timeout=2m

45    ;;; NMAP FIN Stealth scan
      chain=input action=add-src-to-address-list tcp-flags=fin,!syn,!rst,!psh,!ack,!urg protocol=tcp address-list=port scanners address-list-timeout=2m

46    ;;; SYN/FIN scan
      chain=input action=add-src-to-address-list tcp-flags=fin,syn protocol=tcp address-list=port scanners address-list-timeout=2m

47    ;;; SYN/RST scan
      chain=input action=add-src-to-address-list tcp-flags=syn,rst protocol=tcp address-list=port scanners address-list-timeout=2m

48    ;;; FIN/PSH/URG scan
      chain=input action=add-src-to-address-list tcp-flags=fin,psh,urg,!syn,!rst,!ack protocol=tcp address-list=port scanners address-list-timeout=2m

49    ;;; ALL/ALL scan
      chain=input action=add-src-to-address-list tcp-flags=fin,syn,rst,psh,ack,urg protocol=tcp address-list=port scanners address-list-timeout=30m

50    ;;; NMAP NULL scan
      chain=input action=add-src-to-address-list tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg protocol=tcp address-list=port scanners address-list-timeout=2m

51    ;;; Blaster Worm
      chain=virus action=drop protocol=tcp dst-port=135-139

52    ;;; Blaster Worm
      chain=virus action=drop protocol=tcp dst-port=445

53    ;;; Messenger Worm
      chain=virus action=drop protocol=udp dst-port=135-139

54    ;;; Blaster Worm
      chain=virus action=drop protocol=udp dst-port=445

55    ;;; ________
      chain=virus action=drop protocol=tcp dst-port=593

56    ;;; ________
      chain=virus action=drop protocol=tcp dst-port=1024-1030

57    ;;; MyDoom
      chain=virus action=drop protocol=tcp dst-port=1080

58    ;;; ________
      chain=virus action=drop protocol=tcp dst-port=1214

59    ;;; ndm requester
      chain=virus action=drop protocol=tcp dst-port=1363

60    ;;; ndm server
      chain=virus action=drop protocol=tcp dst-port=1364

61    ;;; screen cast
      chain=virus action=drop protocol=tcp dst-port=1368

62    ;;; hromgrafx
      chain=virus action=drop protocol=tcp dst-port=1373

63    ;;; cichlid
      chain=virus action=drop protocol=tcp dst-port=1377

64    ;;; Worm
      chain=virus action=drop protocol=tcp dst-port=1433-1434

65    ;;; Bagle Virus
      chain=virus action=drop protocol=tcp dst-port=2745

66    ;;; Dumaru.Y
      chain=virus action=drop protocol=tcp dst-port=2283

67    ;;; Beagle
      chain=virus action=drop protocol=tcp dst-port=2535

68    ;;; Beagle.C-K
      chain=virus action=drop protocol=tcp dst-port=2745

69    ;;; MyDoom
      chain=virus action=drop protocol=tcp dst-port=3127-3128

70    ;;; Backdoor OptixPro
      chain=virus action=drop protocol=tcp dst-port=3410

71    ;;; Sasser
      chain=virus action=drop protocol=tcp dst-port=5554

72    ;;; Beagle.B
      chain=virus action=drop protocol=tcp dst-port=8866

73    ;;; Dabber.A-B
      chain=virus action=drop protocol=tcp dst-port=9898

74    ;;; Dumaru.Y
      chain=virus action=drop protocol=tcp dst-port=10000

75    ;;; MyDoom.B
      chain=virus action=drop protocol=tcp dst-port=10080

76    ;;; NetBus
      chain=virus action=drop protocol=tcp dst-port=12345

77    ;;; Kuang2
      chain=virus action=drop protocol=tcp dst-port=17300

78    ;;; SubSeven
      chain=virus action=drop protocol=tcp dst-port=27374

79    ;;; PhatBot, Agobot, Gaobot
      chain=virus action=drop protocol=tcp dst-port=65506

80    ;;; Trinoo
      chain=virus action=drop protocol=udp dst-port=12667

81    ;;; Trinoo
      chain=virus action=drop protocol=udp dst-port=27665

82    ;;; Trinoo
      chain=virus action=drop protocol=udp dst-port=31335

83    ;;; Trinoo
      chain=virus action=drop protocol=udp dst-port=27444

84    ;;; Trinoo
      chain=virus action=drop protocol=udp dst-port=34555

85    ;;; Trinoo
      chain=virus action=drop protocol=udp dst-port=35555

86    ;;; Trinoo
      chain=virus action=drop protocol=tcp dst-port=27444

87    ;;; Drop Worm Infected (Mangle)
      chain=forward action=drop protocol=tcp src-address-list=Worm-Infected-p445 port=445

88    ;;; jump to the virus chain
      chain=forward action=jump jump-target=virus

89    ;;; invalid connections
      chain=input action=drop connection-state=invalid

90    ;;; invalid connections
      chain=forward action=drop connection-state=invalid

91    ;;; invalid connections
      chain=output action=drop connection-state=invalid log=no log-prefix=""

92    ;;; Bruteforce
      chain=forward action=jump jump-target=Bruteforce connection-state=new protocol=tcp dst-address-list=TechsoftcenterIPBlocks dst-port=22,3389

93    ;;; Drop - Blacklist
      chain=Bruteforce action=drop src-address-list=Bruteforce-Blacklist

94    ;;; Add - Blacklist
      chain=Bruteforce action=add-src-to-address-list src-address-list=Bruteforce-Stage3 address-list=Bruteforce-Blacklist address-list-timeout=15m

95    ;;; Add - Stage-3
      chain=Bruteforce action=add-src-to-address-list src-address-list=Bruteforce-Stage2 address-list=Bruteforce-Stage3 address-list-timeout=30s

96    ;;; Add - Stage-2
      chain=Bruteforce action=add-src-to-address-list src-address-list=Bruteforce-Stage1 address-list=Bruteforce-Stage2 address-list-timeout=30s

97    ;;; Add - Stage-1
      chain=Bruteforce action=add-src-to-address-list address-list=Bruteforce-Stage1 address-list-timeout=30s

98    ;;; Drop to bogon list
      chain=forward action=drop dst-address-list=bogons
 
erlinden

Re: Recommended Firewall Filter & Raw rules

Wed Nov 02, 2022 9:19 am

Can you please use export instead of print for providing this information (glad you used the code tags!).
That will make it a lot more readable!
 
anav

Re: Recommended Firewall Filter & Raw rules

Wed Nov 02, 2022 1:27 pm

You don't need any of that stuff......
Concentrate on the traffic your users need.........

viewtopic.php?t=180838

By using drop rules at the end of both chains, you have solved almost all of your issues.
Do you have public access to servers on your router? If so, do you really need them, and can people VPN into the router instead to gain access?
 
rextended

Re: Recommended Firewall Filter & Raw rules  [SOLVED]

Wed Nov 02, 2022 3:01 pm

In a nutshell: the default rules on RouterOS are enough in most cases.
And this help from @anav:
viewtopic.php?t=180838

Unless you already know that some internal equipment, for example, does not support "pings" with payloads over 1024 bytes (the so-called "Ping of Death") and you intend to protect it,
most counterfeit TCP and UDP packets arrive as new connections, and a "drop all" at the end of each chain blocks everything.
Speaking of DDoS, by then the packets have already arrived at the router; there is no point in doing more...

So what good are rules like these?
viewtopic.php?t=83387
They are intended for "pass-through" traffic or internal machines that must necessarily have public IPs that cannot be filtered earlier, and that perhaps have an internal firewall that is worthwhile.
In that case it might be useful to first filter all malicious packets, both inbound and outbound, and apply rules to prevent IP spoofing both inwards and outwards.
 
eakteam (Topic Author)

Re: Recommended Firewall Filter & Raw rules

Thu Nov 03, 2022 8:21 pm

Can you please use export instead of print for providing this information (glad you used the code tags!).
That will make it a lot more readable!

Filter Rules
/ip firewall filter
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
add action=accept chain=input comment="Accept established,related connections" connection-state=established,related
add action=accept chain=forward comment="Accept established,related connections" connection-state=established,related
add action=accept chain=output comment="Accept established,related connections" connection-state=established,related
add action=accept chain=input comment=UDP disabled=yes protocol=udp
add action=accept chain=forward comment="Allow LAN DNS queries-UDP" dst-port=53 protocol=udp src-address-list="LAN Users"
add action=accept chain=forward comment="Allow LAN DNS queries-TCP" dst-port=53 protocol=tcp src-address-list="LAN Users"
add action=accept chain=input comment="Allow Wireguard Trrafic" src-address=192.168.200.0/24
add action=accept chain=input comment="Allow Wireguard" dst-port=13231 protocol=udp
add action=jump chain=forward jump-target=tcp protocol=tcp
add action=jump chain=forward jump-target=udp protocol=udp
add action=drop chain=tcp comment="deny TFTP" dst-port=69 protocol=tcp
add action=drop chain=tcp comment="deny RPC portmapper" dst-port=111 protocol=tcp
add action=drop chain=tcp comment="deny RPC portmapper" dst-port=135 protocol=tcp
add action=drop chain=tcp comment="deny NBT" dst-port=137-139 protocol=tcp
add action=drop chain=tcp comment="deny cifs" dst-port=445 protocol=tcp
add action=drop chain=tcp comment="deny NFS" dst-port=2049 protocol=tcp
add action=drop chain=tcp comment="deny NetBus" dst-port=12345-12346 protocol=tcp
add action=drop chain=tcp comment="deny NetBus" dst-port=20034 protocol=tcp
add action=drop chain=tcp comment="deny BackOriffice" dst-port=3133 protocol=tcp
add action=drop chain=tcp comment="deny DHCP" dst-port=67-68 protocol=tcp
add action=drop chain=udp comment="deny TFTP" dst-port=69 protocol=udp
add action=drop chain=udp comment="deny PRC portmapper" dst-port=111 protocol=udp
add action=drop chain=udp comment="deny PRC portmapper" dst-port=135 protocol=udp
add action=drop chain=udp comment="deny NBT" dst-port=137-139 protocol=udp
add action=drop chain=udp comment="deny NFS" dst-port=2049 protocol=udp
add action=drop chain=udp comment="deny BackOriffice" dst-port=3133 protocol=udp
add action=jump chain=forward connection-state=new jump-target=block-ddos
add action=drop chain=forward connection-state=new dst-address-list=ddosed src-address-list=ddoser
add action=return chain=block-ddos dst-limit=50,50,src-and-dst-addresses/10s
add action=add-dst-to-address-list address-list=ddosed address-list-timeout=1m chain=block-ddos log=yes
add action=add-src-to-address-list address-list=ddoser address-list-timeout=1m chain=block-ddos log=yes
add action=drop chain=input comment="ping port scanners" src-address-list="port scanners"
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2m chain=input comment="Port scanners to list " protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2m chain=input comment="NMAP FIN Stealth scan" protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2m chain=input comment="SYN/FIN scan" protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2m chain=input comment="SYN/RST scan" protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2m chain=input comment="FIN/PSH/URG scan" protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=30m chain=input comment="ALL/ALL scan" protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2m chain=input comment="NMAP NULL scan" protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=virus comment="Blaster Worm" dst-port=135-139 protocol=tcp
add action=drop chain=virus comment="Blaster Worm" dst-port=445 protocol=tcp
add action=drop chain=virus comment="Messenger Worm" dst-port=135-139 protocol=udp
add action=drop chain=virus comment="Blaster Worm" dst-port=445 protocol=udp
add action=drop chain=virus comment=________ dst-port=593 protocol=tcp
add action=drop chain=virus comment=________ dst-port=1024-1030 protocol=tcp
add action=drop chain=virus comment=MyDoom dst-port=1080 protocol=tcp
add action=drop chain=virus comment=________ dst-port=1214 protocol=tcp
add action=drop chain=virus comment="ndm requester" dst-port=1363 protocol=tcp
add action=drop chain=virus comment="ndm server" dst-port=1364 protocol=tcp
add action=drop chain=virus comment="screen cast" dst-port=1368 protocol=tcp
add action=drop chain=virus comment=hromgrafx dst-port=1373 protocol=tcp
add action=drop chain=virus comment=cichlid dst-port=1377 protocol=tcp
add action=drop chain=virus comment=Worm dst-port=1433-1434 protocol=tcp
add action=drop chain=virus comment="Bagle Virus" dst-port=2745 protocol=tcp
add action=drop chain=virus comment=Dumaru.Y dst-port=2283 protocol=tcp
add action=drop chain=virus comment=Beagle dst-port=2535 protocol=tcp
add action=drop chain=virus comment=Beagle.C-K dst-port=2745 protocol=tcp
add action=drop chain=virus comment=MyDoom dst-port=3127-3128 protocol=tcp
add action=drop chain=virus comment="Backdoor OptixPro" dst-port=3410 protocol=tcp
add action=drop chain=virus comment=Sasser dst-port=5554 protocol=tcp
add action=drop chain=virus comment=Beagle.B dst-port=8866 protocol=tcp
add action=drop chain=virus comment=Dabber.A-B dst-port=9898 protocol=tcp
add action=drop chain=virus comment=Dumaru.Y dst-port=10000 protocol=tcp
add action=drop chain=virus comment=MyDoom.B dst-port=10080 protocol=tcp
add action=drop chain=virus comment=NetBus dst-port=12345 protocol=tcp
add action=drop chain=virus comment=Kuang2 dst-port=17300 protocol=tcp
add action=drop chain=virus comment=SubSeven dst-port=27374 protocol=tcp
add action=drop chain=virus comment="PhatBot, Agobot, Gaobot" dst-port=65506 protocol=tcp
add action=drop chain=virus comment=Trinoo dst-port=12667 protocol=udp
add action=drop chain=virus comment=Trinoo dst-port=27665 protocol=udp
add action=drop chain=virus comment=Trinoo dst-port=31335 protocol=udp
add action=drop chain=virus comment=Trinoo dst-port=27444 protocol=udp
add action=drop chain=virus comment=Trinoo dst-port=34555 protocol=udp
add action=drop chain=virus comment=Trinoo dst-port=35555 protocol=udp
add action=drop chain=virus comment=Trinoo dst-port=27444 protocol=tcp
add action=jump chain=forward comment="jump to the virus chain" jump-target=virus
add action=drop chain=input comment="invalid connections" connection-state=invalid
add action=drop chain=forward comment="invalid connections" connection-state=invalid
add action=drop chain=output comment="invalid connections" connection-state=invalid
add action=drop chain=forward comment="Drop to bogon list" dst-address-list=bogons
RAW Rules
/ip firewall raw
add action=drop chain=prerouting comment=Worm-Infected-p445 src-address-list=Worm-Infected-p445
add action=drop chain=prerouting comment="Drop all DNS request from Internet" dst-port=53 in-interface-list=WAN protocol=tcp
add action=drop chain=prerouting dst-port=53 in-interface-list=WAN protocol=udp
add action=drop chain=prerouting comment="TCP invalid combination of flags attack (7 rules)" protocol=tcp tcp-flags=!fin,!syn,!rst,!ack
add action=drop chain=prerouting protocol=tcp tcp-flags=fin,syn
add action=drop chain=prerouting protocol=tcp tcp-flags=fin,rst
add action=drop chain=prerouting protocol=tcp tcp-flags=fin,!ack
add action=drop chain=prerouting protocol=tcp tcp-flags=fin,urg
add action=drop chain=prerouting protocol=tcp tcp-flags=syn,rst
add action=drop chain=prerouting protocol=tcp tcp-flags=rst,urg
add action=drop chain=prerouting comment="TCP Port 0 attack (2 rules)" protocol=tcp src-port=0
add action=drop chain=prerouting dst-port=0 protocol=tcp
add action=drop chain=prerouting comment="UDP Port 0 attack (2 rules)" protocol=udp src-port=0
add action=drop chain=prerouting dst-port=0 protocol=udp
add action=drop chain=prerouting comment="Protecting device crash when size > 1024" packet-size=1025-1600 protocol=icmp
add action=drop chain=prerouting comment="ICMP large packet attack" packet-size=1601-65535 protocol=icmp
add action=drop chain=prerouting comment="ICMP fragmentation attack" fragment=yes protocol=icmp
add action=drop chain=prerouting comment="SYN fragmented attack" fragment=yes protocol=tcp tcp-flags=syn
add action=drop chain=prerouting comment="Fragment attack Interface Protection" dst-address-list="LAN Users" fragment=yes
add action=drop chain=prerouting comment="IP option loose-source-routing" ipv4-options=loose-source-routing
add action=drop chain=prerouting comment="IP option strict-source-routing" ipv4-options=strict-source-routing
add action=drop chain=prerouting comment="IP option record-route" ipv4-options=record-route
add action=drop chain=prerouting comment="IP option router-alert" ipv4-options=router-alert
add action=drop chain=prerouting comment="IP option timestamp" ipv4-options=timestamp
add action=drop chain=prerouting comment="IP options left, except IP Stream used by the IGMP protocol" ipv4-options=any protocol=!igmp
add action=accept chain=prerouting protocol=icmp
add action=accept chain=prerouting protocol=igmp
add action=accept chain=prerouting protocol=tcp
add action=accept chain=prerouting protocol=udp
add action=accept chain=prerouting protocol=gre
add action=log chain=prerouting log=yes log-prefix="Not TCP protocol" protocol=!tcp
add action=drop chain=prerouting comment="Unused protocol protection" protocol=!tcp
 
k6ccc

Re: Recommended Firewall Filter & Raw rules

Thu Nov 03, 2022 10:44 pm

Change your strategy. Allow what you specifically want to allow, and then drop everything at the end of the Input and Forward chains.

Also suggest shuffling your rules so that all the Input chain rules are together and then all the Forward chain, and then whatever other chains you have. It makes no difference to the router, but makes it FAR easier for us poor humans to read. Don't change the order of rules within each chain, just group each chain together.
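As an added illustration (not written by any poster in this thread) of the allow-list layout k6ccc and rextended recommend, here is a minimal filter set in RouterOS export form: it keeps only what the thread shows the router needs (WireGuard on udp/13231, the 192.168.200.0/24 WireGuard subnet, the WAN interface list) and ends both the input and forward chains with a drop. The LAN interface list and the dst-nat port-forward rule are assumptions, not something the original configuration shows.

```routeros
/ip firewall filter
# input chain: traffic addressed to the router itself, evaluated top to bottom
add chain=input action=accept connection-state=established,related,untracked \
    comment="accept established, related, untracked"
add chain=input action=drop connection-state=invalid comment="drop invalid"
add chain=input action=accept protocol=icmp comment="accept ICMP"
add chain=input action=accept protocol=udp dst-port=13231 in-interface-list=WAN \
    comment="WireGuard from the Internet (port used in the thread)"
add chain=input action=accept src-address=192.168.200.0/24 \
    comment="management from the WireGuard subnet used in the thread"
add chain=input action=accept in-interface-list=LAN \
    comment="LAN may reach router services (DNS, DHCP, Winbox); LAN list is an assumption"
add chain=input action=drop comment="drop everything else to the router"
# forward chain: traffic passing through the router
add chain=forward action=accept connection-state=established,related,untracked \
    comment="accept established, related, untracked"
add chain=forward action=drop connection-state=invalid comment="drop invalid"
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN \
    comment="LAN to Internet"
add chain=forward action=accept src-address=192.168.200.0/24 out-interface-list=LAN \
    comment="WireGuard clients to LAN"
add chain=forward action=accept connection-nat-state=dstnat connection-state=new \
    in-interface-list=WAN comment="only port-forwarded (dst-nat) traffic from WAN; remove if unused"
add chain=forward action=drop comment="drop everything else through the router"
```

Rule order matters: the two final drops must stay last in their chains, and on a remotely managed router it is safer to apply them inside a Safe Mode session so a mistake does not lock you out.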
 
anav

Re: Recommended Firewall Filter & Raw rules

Thu Nov 03, 2022 11:58 pm

K6ccc, this is a failure to read or a problem or a determination to ignore advice, as all your points are spelled out in the link already provided.
