witblitz
newbie
Topic Author
Posts: 38
Joined: Thu Sep 03, 2015 12:47 pm

Firewall Best Practise

Thu Sep 10, 2015 11:11 am

Hi all,

I know there are tons of posts on this, but I'm finding so much conflicting advice.

I have my Mikrotik (10.0.0.253/24) acting as a PPPoE client assigned to Ether1
ADSL router in bridge mode (192.168.2.1)
bridge-local is Ether2+wlan1
ports 3-5 are slaves (default)

All LAN traffic (10.0.0.0/24) is friendly

I just want the Mikrotik to be ultra secure from the outside.
I am planning on configuring a PPTP VPN client for work, and possibly mangling and then prioritising VoIP traffic from my Cisco phone, but other than that I have no special requirements going forward.

My firewall rules are as default, except I changed 2 rules from in.int=Ether1 to in.int=PPPoE (assuming that's correct).
I've also added DDOS protection by blocking port 53 UDP/TCP on the PPPoE interface

Current rules:
/ip firewall filter
add action=drop chain=input comment=\
    "A - PPPoE DDOS Protection (TCP). Int=PPPoE" dst-port=53 in-interface=\
    pppoe-out log=yes log-prefix=DDOS-RULE protocol=tcp
add action=drop chain=input comment=\
    "A - PPPoE DDOS Protection (UDP). Int=PPPoE" dst-port=53 in-interface=\
    pppoe-out log=yes log-prefix=DDOS-RULE protocol=udp
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" connection-state=\
    established,related
add action=drop chain=input comment=\
    "default configuration (interface normally = Eth1)" in-interface=\
    pppoe-out log=yes log-prefix=RULE5
add action=fasttrack-connection chain=forward comment="default configuration" \
    connection-state=established,related
add chain=forward comment="default configuration" connection-state=\
    established,related
add action=drop chain=forward comment="default configuration" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "default configuration" connection-nat-state=\
    !dstnat connection-state=new in-interface=pppoe-out

/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" \
    out-interface=pppoe-out src-address=10.0.0.0/24
add action=masquerade chain=srcnat comment=\
    "to access ADSL router web interface" dst-address=192.168.2.0/24 \
    out-interface=ether1-gateway
Also, when I set the "drop" rules to log, I'm noticing loads of results for this rule. Is this normal?
add action=drop chain=input comment=\
    "default configuration (interface normally = Eth1)" in-interface=\
    pppoe-out
Thanks in advance, guys
 
jonathan2493
newbie
Posts: 25
Joined: Fri Feb 13, 2015 4:25 am

Re: Firewall Best Practise

Thu Sep 10, 2015 12:26 pm

In my opinion, it really depends on the administrator and how strict he/she will be regarding implementing firewall rules.

Technically you've got 2 options:

1. Deny specific traffic you want to block and permit the rest to go through.
2. Permit specific traffic you want to allow and place a deny-all at the end.

If you want to be really secure, go for the second option; this way only the traffic you have defined is permitted.

You could also allow specific traffic/connections but do rate limiting on those types of traffic.
http://wiki.mikrotik.com/wiki/DoS_attack_protection


Lastly, adding logging on all dropped connections is very useful for analyzing traffic (is it malicious or not?), though on low-end routers this may cost additional CPU cycles.
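Option 2 applied to the setup in the first post (pppoe-out as the WAN, bridge-local as the 10.0.0.0/24 LAN), written as an added example for this thread rather than taken from MikroTik's default configuration or any poster's rules; the log prefixes and the pptp-out1 interface name are assumptions.

```routeros
/ip firewall filter
# --- input chain: packets addressed to the router itself ---
# Rules run top to bottom and the first match decides, so the final
# drop only ever sees what no accept rule above has claimed.
add chain=input connection-state=established,related action=accept \
    comment="replies to sessions the router opened (DNS, NTP, the PPTP client)"
add chain=input connection-state=invalid action=drop \
    comment="packets that belong to no tracked connection"
add chain=input protocol=icmp action=accept \
    comment="ping and path-MTU discovery; exposes no TCP/UDP service"
add chain=input in-interface=bridge-local src-address=10.0.0.0/24 action=accept \
    comment="the friendly LAN may manage the router (Winbox, SSH, web UI, DNS, DHCP)"
add chain=input action=drop log=yes log-prefix="INPUT-DROP" \
    comment="default deny: everything else, from pppoe-out or any other interface"
# The two port-53 drop rules from the first post become redundant here:
# an unsolicited DNS query from the Internet matches no accept rule and
# is caught by the final drop anyway.

# --- forward chain: packets routed through the router ---
add chain=forward connection-state=established,related action=fasttrack-connection \
    comment="fast path for flows that were already accepted"
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward in-interface=bridge-local src-address=10.0.0.0/24 action=accept \
    comment="LAN may open new connections outward"
add chain=forward in-interface=pppoe-out connection-nat-state=dstnat action=accept \
    comment="from the WAN, only connections an explicit dst-nat rule forwarded"
add chain=forward action=drop log=yes log-prefix="FWD-DROP" \
    comment="default deny for everything else (a future pptp-out1 tunnel needs its own accept)"
# No output chain rules: the router's own DNS, NTP and VPN-client traffic
# leaves via output, and a default deny there breaks exactly those flows
# (the ipsec/ovpn drops another reply describes).
```

Expect the final input drop to log constantly: it records every unsolicited packet the WAN receives, which is the rule doing its job, and on a low-end router the log=yes is the expensive part, not the drop.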
 
manelfl
newbie
Posts: 30
Joined: Mon May 18, 2015 12:55 pm

Re: Firewall Best Practise

Thu Sep 10, 2015 1:27 pm

I think the second option is better. Uncontrolled traffic is denied.
Access rules to administer the MikroTik should exist.
I have found problems dropping traffic in the output channel: ipsec, ovpn.
 
efaden
Forum Guru
Posts: 1708
Joined: Sat Mar 30, 2013 1:55 am
Location: New York, USA

Thu Sep 10, 2015 2:07 pm

I always have a default deny on my routers.
