Help with basic firewall rules

meazz1 · Thu Nov 30, 2017 5:10 pm

I recently purchased a Mikrotik hEX RB750Gr3 5-port Ethernet Gigabit Router. I reset default configuration and have the basic setup, eth0=wan and eth1 to eth4 as switch.
I need to get a basic firewall rule so my external IP is not visible from outside ping. I just need basic rules to protect me as a home user nothing fancy
I found this on tksja.com and implemented this as is. When I ping from outside, I get a reply. So I know something is wrong. Can anyone take look and help me here.

My AT&T hub has 192.168. 1.254 and in passs thru mode. My Mikrotik LAN subnet is 192.168.4.1/24.

/ip firewall address-list
add address=0.0.0.0/8 comment="Self-Identification [RFC 3330]" list=Bogons
add address=10.0.0.0/8 comment="Private[RFC 1918] - CLASS A # Check if you nee\
 d this subnet before enable it" list=Bogons
add address=127.0.0.0/8 comment="Loopback [RFC 3330]" list=Bogons
add address=169.254.0.0/16 comment="Link Local [RFC 3330]" list=Bogons
add address=172.16.0.0/12 comment="Private[RFC 1918] - CLASS B # Check if you \
 need this subnet before enable it" list=Bogons
add address=192.0.2.0/24 comment="Reserved - IANA - TestNet1" list=Bogons
add address=192.88.99.0/24 comment="6to4 Relay Anycast [RFC 3068]" list=\
 Bogons
add address=198.18.0.0/15 comment="NIDB Testing" list=Bogons
add address=198.51.100.0/24 comment="Reserved - IANA - TestNet2" list=Bogons
add address=203.0.113.0/24 comment="Reserved - IANA - TestNet3" list=Bogons
add address=224.0.0.0/4 comment=\
 "MC, Class D, IANA # Check if you need this subnet before enable it" \
 list=Bogons
/ip firewall filter
add action=accept chain=forward comment="defconf: accept established,related" \
    connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=input port=69 protocol=udp
add action=accept chain=forward port=69 protocol=udp
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface=ether1
add action=drop chain=forward comment="Drop to bogon list" dst-address-list=\
 Bogons
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=drop chain=input in-interface=ether1

Thu Nov 30, 2017 8:56 pm

See this first, and implement the basic security as described.
https://wiki.mikrotik.com/wiki/Manual:S ... our_Router

meazz1 · Fri Dec 01, 2017 4:30 am

See this first, and implement the basic security as described.
https://wiki.mikrotik.com/wiki/Manual:S ... our_Router

Thanks for your help.
Here is a script I made, let me know if this is ok. Any suggestion is welcom.

/ip firewall filter
add action=accept chain=input comment="default configuration" connection-state=established,related
add action=accept chain=input src-address-list=allowed_to_router
add action=accept chain=input protocol=icmp
add action=drop chain=input
/ip firewall address-list
add address=192.168.88.1-192.168.88.254 list=allowed_to_router 
add address=192.168.1.1-192.168.1.254 list=allowed_to_router
add address=192.168.4.2-192.168.4.254 list=allowed_to_router
add address=192.168.2.1-192.168.2.254 list=allowed_to_router



/ip firewall address-list
add address=0.0.0.0/8 comment="Self-Identification [RFC 3330]" disabled=no list=bogons
add address=10.0.0.0/8 comment="Private[RFC 1918] - CLASS A # Check if you need this subnet before enable it"\
disabled=yes list=bogons
add address=127.0.0.0/8 comment="Loopback [RFC 3330]" disabled=no list=bogons
add address=169.254.0.0/16 comment="Link Local [RFC 3330]" disabled=no list=bogons
add address=172.16.0.0/12 comment="Private[RFC 1918] - CLASS B # Check if you need this subnet before enable it"\
disabled=yes list=bogons
add address=192.168.0.0/16 comment="Private[RFC 1918] - CLASS C # Check if you need this subnet before enable it"\
disabled=yes list=bogons
add address=192.0.2.0/24 comment="Reserved - IANA - TestNet1" disabled=no list=bogons
add address=192.88.99.0/24 comment="6to4 Relay Anycast [RFC 3068]" disabled=no list=bogons
add address=198.18.0.0/15 comment="NIDB Testing" disabled=no list=bogons
add address=198.51.100.0/24 comment="Reserved - IANA - TestNet2" disabled=no list=bogons
add address=203.0.113.0/24 comment="Reserved - IANA - TestNet3" disabled=no list=bogons
add address=224.0.0.0/4 comment="MC, Class D, IANA # Check if you need this subnet before enable it"\
disabled=yes list=bogons



/ip firewall filter
add action=add-src-to-address-list address-list=Syn_Flooder address-list-timeout=30m chain=input \
comment="Add Syn Flood IP to the list" connection-limit=30,32 disabled=no protocol=tcp tcp-flags=syn
add action=drop chain=input comment="Drop to syn flood list" disabled=no src-address-list=Syn_Flooder
add action=add-src-to-address-list address-list=Port_Scanner address-list-timeout=1w chain=input comment="Port Scanner Detect"\
disabled=no protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="Drop to port scan list" disabled=no src-address-list=Port_Scanner
add action=jump chain=input comment="Jump for icmp input flow" disabled=no jump-target=ICMP protocol=icmp
add action=drop chain=input\
comment="Block all access to the winbox - except to support list # DO NOT ENABLE THIS RULE BEFORE ADD YOUR SUBNET IN THE SUPPORT ADDRESS LIST"\
disabled=yes dst-port=8291 protocol=tcp src-address-list=!support
add action=jump chain=forward comment="Jump for icmp forward flow" disabled=no jump-target=ICMP protocol=icmp
add action=drop chain=forward comment="Drop to bogon list" disabled=no dst-address-list=bogons
add action=add-src-to-address-list address-list=spammers address-list-timeout=3h chain=forward comment="Add Spammers to the list for 3 hours"\
connection-limit=30,32 disabled=no dst-port=25,587 limit=30/1m,0 protocol=tcp
add action=drop chain=forward comment="Avoid spammers action" disabled=no dst-port=25,587 protocol=tcp src-address-list=spammers
add action=accept chain=input comment="Accept DNS - UDP" disabled=no port=53 protocol=udp
add action=accept chain=input comment="Accept DNS - TCP" disabled=no port=53 protocol=tcp
add action=accept chain=input comment="Accept to established connections" connection-state=established\
disabled=no
add action=accept chain=input comment="Accept to related connections" connection-state=related disabled=no
add action=accept chain=input comment="Full access to SUPPORT address list" disabled=no src-address-list=support
add action=drop chain=input comment="Drop anything else! # DO NOT ENABLE THIS RULE BEFORE YOU MAKE SURE ABOUT ALL ACCEPT RULES YOU NEED"\
disabled=yes
add action=accept chain=ICMP comment="Echo request - Avoiding Ping Flood" disabled=no icmp-options=8:0 limit=1,5 protocol=icmp
add action=accept chain=ICMP comment="Echo reply" disabled=no icmp-options=0:0 protocol=icmp
add action=accept chain=ICMP comment="Time Exceeded" disabled=no icmp-options=11:0 protocol=icmp
add action=accept chain=ICMP comment="Destination unreachable" disabled=no icmp-options=3:0-1 protocol=icmp
add action=accept chain=ICMP comment=PMTUD disabled=no icmp-options=3:4 protocol=icmp
add action=drop chain=ICMP comment="Drop to the other ICMPs" disabled=no protocol=icmp
add action=jump chain=output comment="Jump for icmp output" disabled=no jump-target=ICMP protocol=icmp

meazz1 · Fri Dec 01, 2017 6:01 pm

Can someone point me to a preconfigured basic firewall script that works with default config on hEX RB750Gr3 router?

TomosRider · Fri Dec 01, 2017 6:19 pm

Follow what @Jarda said and youll be fine...

Fri Dec 01, 2017 9:50 pm

Especially do not apply mass of rules you find anywhere, because you will make more bads than goods. If you do not understand everything, start with reset to defaults and go through the security guide. If you do understand, reset with blank config and make only those settings you need.

meazz1 · Sat Dec 02, 2017 3:43 am

Thanks for helping the newbie here.
As suggested, I reset configurations to default and ran most of the command in the link provided (https://wiki.mikrotik.com/wiki/Manual:S ... our_Router).
4 questions:
1. the default config has firewall rules already, should I still add the one in the link?
2. my LAN is 192.168.4.1, dhcp starts from 192.168.4.10 -100. I tried to run this command
/ip service set winbox allowed-address=192.168.4.0/24 but I get an error "expected end of command (line1 column 24).
3. how and what rule I need to apply to block my WAN from ping reply and ddos attacks? The default firewall does not have it. I can ping my IP from outside and I get reply.
4. I connect to winbox via 192.168.4.1 IP but my firewall doesn't allow webfig using browser using the same IP. What rule do I need to be able to using browser to connect to router.

I'm still able to connect to winbox using 192.168.4.1 which is my win box IP.

Anumrak · Mon Dec 04, 2017 1:33 pm

In order to hide your external IP from ping, just disable this rule

add action=accept chain=input protocol=icmp

or change action from accept to drop.

Help with basic firewall rules

Help with basic firewall rules

Re: Help with basic firewall rules

Re: Help with basic firewall rules

Re: Help with basic firewall rules

Re: Help with basic firewall rules

Re: Help with basic firewall rules

Re: Help with basic firewall rules

Re: Help with basic firewall rules