Community discussions

MikroTik App
  4. RouterOS
  5. Beginner Basics

Basic must have firewall settings?

Locked
 
User avatar
43north
Member Candidate
Member Candidate
Topic Author
Posts: 209
Joined: Fri Nov 14, 2014 7:06 am

Basic must have firewall settings?

Mon Jun 15, 2015 1:44 am

Just looking for a list of standard firewall settings that are general best practice rules. Such a list exist?
Top
 
IntrusDave
Forum Guru
Forum Guru
Posts: 1286
Joined: Fri May 09, 2014 4:36 am
Location: Rancho Cucamonga, CA

Re: Basic must have firewall settings?

Mon Jun 15, 2015 8:43 am

For a general / basic / home network, this should be "good enough."
Code: Select all
/ip firewall filter
add action=drop chain=input connection-state=invalid
add action=drop chain=input comment="Drop Blacklisted Hosts" log-prefix="NOTICE: Dropped Attack Attempt" src-address-list=\
    blacklist
add chain=input connection-state=established,related
add chain=input src-address-list=ipSec
add chain=input src-address-list=PrivateIPs
add chain=input in-interface=lan1
add chain=input log-prefix=NOTICE protocol=icmp
add action=drop chain=input comment="Default Drop" log-prefix=<DEFAULT>
add action=drop chain=forward connection-state=invalid
add action=reject chain=forward dst-address-list=blacklist log=yes log-prefix="BL OUTBOUND" reject-with=icmp-admin-prohibited
add action=drop chain=forward src-address-list=blacklist
add chain=forward connection-state=established,related
add chain=forward src-address-list=PrivateIPs
add action=drop chain=forward comment="Default Drop" in-interface=wan1 log=yes log-prefix=<DEFAULT>
add action=drop chain=forward comment="Default Drop" in-interface=wan2 log=yes log-prefix=<DEFAULT>
If you have public servers that you are protecting, then you can do a lot more to try and stop DDOS and brute force attacks. But in general, this should be enough to keep you safe.

Oh, I have two address lists; "blacklist" and "Private IPs". The blacklist is generated by my server every morning using several publicly available lists, as well as lists generated by Fail2Ban on all of my servers. The PrivateIPs is just that, 10.0.0.0/8, 172.16.0.0/16, and 192.168.0.0/16. It's a simple (although maybe not entirely secure) way of making sure my VPN's all flow nicely.
Top
 
User avatar
G2Dolphin
Member Candidate
Member Candidate
Posts: 164
Joined: Sun May 17, 2015 6:03 pm
Location: Moscow, Russia

Re: Basic must have firewall settings?

Mon Jun 15, 2015 11:02 am

Add this as first filter rules, if your firmware is 6.29+.
Code: Select all
/ip firewall filter
add action=fasttrack-connection chain=forward comment=\
    "FT established/related connections (forward)" connection-state=\
    established,related
add action=fasttrack-connection chain=input comment=\
    "FT established/related connections (input)" connection-state=\
    established,related
Top
 
Rudios
Forum Veteran
Forum Veteran
Posts: 977
Joined: Mon Mar 11, 2013 12:58 pm
Location: The Netherlands

Re: Basic must have firewall settings?

Wed Jun 24, 2015 3:22 pm

Adding the fasttrack option is only applicable for the forward chain.
It does not affect the input chain.
Top
 
wiyat
newbie
Posts: 46
Joined: Tue Jan 12, 2010 9:38 pm
Contact:
Contact wiyat

Re: Basic must have firewall settings?

Wed Jun 24, 2015 7:02 pm

43north? After that you read it the before post you are clear or you need support?
Top
Locked

Who is online

Users browsing this forum: No registered users and 23 guests
  4. RouterOS
  5. Beginner Basics