nichky
Forum Guru
Topic Author
Posts: 1399
Joined: Tue Jun 23, 2015 2:35 pm

port 53

Wed Sep 28, 2016 9:23 am

Would anyone like to tell me how I can protect my router from port 53?

Thanks
 
Randall0L
just joined
Posts: 12
Joined: Mon Sep 26, 2016 1:09 pm

Re: port 53

Wed Sep 28, 2016 9:47 am

Hi.

What sort of traffic are you trying to stop, TCP or UDP?
You could create a firewall rule to drop traffic to this port.
UDP and TCP port 53 are used for DNS requests, etc.

So you could create a rule to only accept these DNS requests from your specified src-address, on a specified interface (one for UDP and one for TCP),
and create another to drop any other requests (one for UDP and one for TCP), so four rules in total.

You could also try searching the web for MikroTik hardening, but be careful when using drop rules:
you could find that you have been locked out of the device.
 
nichky
Forum Guru
Topic Author
Posts: 1399
Joined: Tue Jun 23, 2015 2:35 pm

Re: port 53

Wed Sep 28, 2016 10:09 am

At the moment I'm using:
add action=drop chain=input dst-port=53 in-interface=ether2 protocol=tcp
add action=drop chain=input dst-port=53 in-interface=ether2 protocol=udp

Are these correct? My router is the second one; maybe that's the reason why I have no traffic.

Thanks
 
Randall0L
just joined
Posts: 12
Joined: Mon Sep 26, 2016 1:09 pm

Re: port 53

Wed Sep 28, 2016 11:39 am

Yes, you could modify the rules to be similar to the following:

add chain=input action=accept src-address=192.168.1.0/27 protocol=tcp dst-port=53 in-interface=ether5 comment="Input Accept DNS - LAN"
add chain=input action=accept src-address=192.168.1.0/27 protocol=udp dst-port=53 in-interface=ether5 comment=""
add chain=input action=drop protocol=tcp dst-port=53 comment="Input Drop DNS - Other"
add chain=input action=drop protocol=udp dst-port=53 comment=""

The above rules will allow DNS requests from the private LAN (the 192.168.1.0/27 subnet, on the ether5 interface) and drop any other requests.
 
nichky
Forum Guru
Topic Author
Posts: 1399
Joined: Tue Jun 23, 2015 2:35 pm

Re: port 53

Wed Sep 28, 2016 12:21 pm

Are you using this at home? Only the last one is getting traffic; the rest of them have 0 traffic. So ether5 is the gateway, right?

Thanks
 
Randall0L
just joined
Posts: 12
Joined: Mon Sep 26, 2016 1:09 pm

Re: port 53

Wed Sep 28, 2016 12:49 pm

In a theoretical setup, ether5 would be my private LAN (192.168.1.0/27) and ether1 would be my WAN connection.
 
nichky
Forum Guru
Topic Author
Posts: 1399
Joined: Tue Jun 23, 2015 2:35 pm

Re: port 53

Wed Sep 28, 2016 1:16 pm

Hold on, how is it possible:
accept src-address=192.168.1.0/27 in-interface=eth5. Are they both LAN??
Putting the same interface twice?
 
Randall0L
just joined
Posts: 12
Joined: Mon Sep 26, 2016 1:09 pm

Re: port 53

Wed Sep 28, 2016 1:20 pm

Goodness, it would be 192.168.1.1/27, where the network address is 192.168.1.0; the address of ether5 would then be 192.168.1.1.
The firewall rules would still be the same.
 
Randall0L
just joined
Posts: 12
Joined: Mon Sep 26, 2016 1:09 pm

Re: port 53

Thu Sep 29, 2016 9:37 am

This is part of my setup for one of my RB751s:

/ip address
add address=172.56.55.1/27 interface=ClientNet

/ip firewall filter
add chain=input action=accept connection-state=established comment="Input Accept Established"
add chain=input action=accept connection-state=related comment="Input Accept Related"
add chain=input action=drop connection-state=invalid comment="Input Drop Invalid"
add chain=input action=accept protocol=icmp in-interface=ClientNet limit=50/5s,2:packet comment="Input Accept ICMP"
add chain=input action=accept protocol=tcp dst-port=8291 comment="Input Accept Winbox"
add chain=input action=accept in-interface=ClientNet comment="Input Accept LAN"
add chain=input action=accept src-address=172.56.55.0/27 protocol=tcp dst-port=53 in-interface=ClientNet comment="Input Accept DNS - LAN"
add chain=input action=accept src-address=172.56.55.0/27 protocol=udp dst-port=53 in-interface=ClientNet comment=""
add chain=input action=jump jump-target=virus comment="Input Jump Virus Check"
add chain=input action=drop comment="##### INPUT DROP ALL #####"
add chain=forward action=accept connection-state=established comment="Forward Accept Established"
add chain=forward action=accept connection-state=related comment="Forward Accept Related"
add chain=forward action=jump jump-target=virus comment="Forward Jump Virus Check"
add chain=forward action=accept protocol=icmp limit=50/5s,2:packet comment="Forward Accept ICMP - Limits"
add chain=forward action=accept in-interface=ClientNet comment="Forward Accept <LAN>"
add chain=virus action=drop protocol=tcp dst-port=53 comment="----- Virus Drop DNS - Rogue"
add chain=virus action=drop protocol=udp dst-port=53 comment="----- Virus Drop DNS - Rogue"
add chain=virus action=drop protocol=tcp dst-port=10000 comment="----- Virus Drop Dumaru.Y -----"
add chain=virus action=drop protocol=tcp dst-port=4444 comment="----- Virus Drop Worm -----"
add chain=virus action=drop protocol=tcp dst-port=5554 comment="----- Virus Drop Sasser -----"
add chain=virus action=drop protocol=tcp dst-port=12345 comment="----- Virus Drop Netbus -----"
add chain=virus action=drop protocol=tcp dst-port=27374 comment="----- Virus Drop SubSeven -----"
add chain=virus action=drop protocol=tcp dst-port=65506 comment="----- Virus Drop PhatBot -----"
add chain=virus action=drop protocol=tcp dst-port=10080 comment="----- Virus Drop MyDoom.B -----"
add chain=virus action=drop protocol=tcp dst-port=1080 comment="----- Virus Drop MyDoom -----"
add chain=virus action=drop protocol=tcp dst-port=135-139 comment="----- Virus Drop BlasterWorm -----"
add chain=virus action=drop protocol=tcp dst-port=3127-3128 comment="----- Virus Drop MyDoom -----"
add chain=virus action=drop protocol=tcp dst-port=9898 comment="----- Virus Drop Dabber -----"
add chain=virus action=drop protocol=tcp dst-port=17300 comment="----- Virus Drop Kuang -----"
add chain=virus action=drop protocol=tcp dst-port=2283 comment="----- Virus Drop Dumaru.Y -----"
add chain=virus action=drop protocol=tcp dst-port=3410 comment="----- Virus Drop BackDoor OptixPro -----"
add chain=virus action=drop protocol=tcp dst-port=2745 comment="----- Virus Drop Beagle.C-K -----"
add chain=virus action=drop protocol=tcp dst-port=2535 comment="----- Virus Drop Beagle -----"
add chain=virus action=drop protocol=tcp dst-port=1433-1434 comment="----- Virus Drop SQL Worm -----"
add chain=virus action=drop protocol=tcp dst-port=1377 comment="----- Virus Drop Cichlid -----"
add chain=virus action=drop protocol=tcp dst-port=1363-1364 comment="----- Virus Drop NDM Requester+Server -----"
add chain=virus action=drop protocol=tcp dst-port=1373 comment="----- Virus Drop Hromgrafx -----"
add chain=virus action=drop protocol=tcp dst-port=1214 comment="----- Virus Drop Worm -----"
add chain=virus action=drop protocol=tcp dst-port=1900 comment="----- Virus Drop UPnP Port -----"
add chain=virus action=drop protocol=tcp dst-port=445 comment="----- Virus Drop Port 445 -----"
add chain=virus action=drop protocol=udp dst-port=1900 comment="----- Virus Drop UPnP Port -----"
add chain=virus action=drop protocol=udp dst-port=135-139 comment="----- Virus Drop MessengerWorm -----"
add chain=virus action=drop protocol=udp dst-port=1433-1434 comment="----- Virus Drop SQL Worm -----"
add chain=virus action=drop protocol=udp dst-port=4444 comment="----- Virus Drop Worm -----"
add chain=virus action=drop protocol=udp dst-port=445 comment="----- Virus Drop Port 445 -----"
add chain=forward action=drop comment="##### FORWARD DROP ALL #####" disabled=yes
 
nichky
Forum Guru
Topic Author
Posts: 1399
Joined: Tue Jun 23, 2015 2:35 pm

Re: port 53

Thu Sep 29, 2016 11:13 am

Are you happy with that? Is it working well?
add address=172.56.55.1/27 interface=ClientNet
Is that your local address?

Thanks
 
jarda
Forum Guru
Posts: 7756
Joined: Mon Oct 22, 2012 4:46 pm

Re: port 53

Thu Sep 29, 2016 11:50 am

Guys, if you were following the general firewall best-practice suggestions you would not have complicated it so much. Search the forum; it has been written hundreds of times...
 
nichky
Forum Guru
Topic Author
Posts: 1399
Joined: Tue Jun 23, 2015 2:35 pm

Re: port 53

Thu Sep 29, 2016 12:38 pm

I've been using many of them but I have no traffic; that's the reason why I posted in this forum.

Thanks
 
freemannnn
Forum Veteran
Posts: 700
Joined: Sun Oct 13, 2013 7:29 pm

Re: port 53

Thu Sep 29, 2016 12:56 pm

This is the default firewall script from an RB2011. I changed my last input rule to drop everything from pppoe-out1 (before it was ether1-gateway, but I am using a modem in bridge mode for the DSL connection).
With this set you are protected from outside DNS requests.
These are the firewall rules I use most at my customers with hotspots.
I always set the DSL modem to bridge mode.

# jan/02/1970 00:01:04 by RouterOS 6.35
#
/ip firewall filter
## add chain=input comment="Accept Winbox over WAN" dst-port=8291 protocol=tcp
add chain=input comment="defconf: accept ICMP" protocol=icmp
add chain=input comment="defconf: accept established,related" \
connection-state=established,related
add action=drop chain=input comment="defconf: drop all from WAN" \
in-interface=pppoe-out1
add chain=forward comment="defconf: accept established,related" \
connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface=ether1-gateway

Also don't forget these:

/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
 
Randall0L
just joined
Posts: 12
Joined: Mon Sep 26, 2016 1:09 pm

Re: port 53

Mon Oct 03, 2016 4:30 pm

Hi Nichky,

You mentioned that you don't have traffic; does that mean that you can't access the internet?
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: port 53

Mon Oct 03, 2016 5:40 pm

@Randall0L:

Your input chain is needlessly complex because all of those virus rules are in the input chain, which only protects the router itself, and the router is not even listening on most of those ports anyway.
It just takes away from performance that packets must be needlessly checked against a dozen rules when they're all going to get dropped anyway.

Much better would be an input chain that allows replies to things the router originated, then a list of accept rules for exactly the ports you want, and a single drop rule at the end.
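The input chain ZeroByte describes, written out as an added example (not code from any post in this thread): replies to the router's own connections first, then accept rules for exactly the services the router should expose, then one logged drop. It reuses Randall0L's layout assumptions (ether5 as the 192.168.1.0/27 LAN, ether1 as WAN) and Winbox on TCP 8291 from his RB751 config; the address-list name "lan" and the log prefix are my own choices. The final `print stats` is the check for the "0 traffic" question earlier in the thread: a port-53 rule that never counts while the final drop does means the DNS traffic is not arriving on the interface that rule names.

```routeros
# Added example, not from the thread. Assumes ether5 = LAN 192.168.1.0/27,
# ether1 = WAN. Adjust interface names and the subnet before applying.

/ip firewall address-list
add list=lan address=192.168.1.0/27 comment="Trusted LAN"

/ip firewall filter
# 1. Replies to connections the router itself started (its own DNS lookups,
#    NTP, updates) come back as established/related; accept them first so the
#    rules below only ever see new connections.
add chain=input action=accept connection-state=established,related \
    comment="input: accept established,related"
add chain=input action=drop connection-state=invalid \
    comment="input: drop invalid"

# 2. Exactly the services the router should answer, each pinned to the LAN
#    interface AND the LAN source range, so a spoofed LAN address arriving
#    on ether1 does not match.
add chain=input action=accept protocol=icmp comment="input: accept ICMP"
add chain=input action=accept in-interface=ether5 src-address-list=lan \
    protocol=udp dst-port=53 comment="input: DNS from LAN (UDP)"
add chain=input action=accept in-interface=ether5 src-address-list=lan \
    protocol=tcp dst-port=53 comment="input: DNS from LAN (TCP)"
add chain=input action=accept in-interface=ether5 src-address-list=lan \
    protocol=tcp dst-port=8291 comment="input: Winbox from LAN only"

# 3. One final drop. Logging it shows what is being refused (WAN port-53
#    probes will appear here with the prefix below).
add chain=input action=drop log=yes log-prefix="input-drop" \
    comment="input: drop everything else"

# Verify which rules actually match. A DNS accept rule stuck at 0 packets
# while clients resolve fine means they are not using this router as their
# resolver (or the traffic enters on a different interface).
/ip firewall filter print stats where chain=input
```

Two points to keep in mind with this layout. The router only answers DNS at all when `/ip dns set allow-remote-requests=yes` is set (as freemannnn's post shows), so these accept rules are what keep that resolver private to the LAN rather than open to the internet. And because the Winbox rule is restricted to ether5, managing the router from the WAN side stops working the moment the final drop is added; that is the lockout Randall0L warned about, so apply the drop rule last and from a LAN-side session.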
 
nichky
Forum Guru
Topic Author
Posts: 1399
Joined: Tue Jun 23, 2015 2:35 pm

Re: port 53

Wed Oct 05, 2016 5:17 am

I've found rules on the MikroTik wiki. They are working well, see:

http://wiki.mikrotik.com/wiki/Securing_your_router