
Pinging my IP from outside LAN

Posted: Fri May 24, 2019 7:24 pm
by meazz1
I have the default firewall rules running on my router. The only thing I added is the "fasttrack" feature.
Not having a good idea about how ping should work, here's my question.
Is it OK for my router to return a reply if I ping my IP from outside of my network?
Here are my firewall rules.
# may/24/2019 12:18:14 by RouterOS 6.45beta50
# software id = S1MG-NEED
#
# model = RouterBOARD 750G r3
# serial number = xxxxxxxxxxxxx
/ip firewall address-list
add address=0.0.0.0/8 comment="Self-Identification [RFC 3330]" list=Bogons
add address=10.0.0.0/8 comment="Private[RFC 1918] - CLASS A # Check if you nee\
    d this subnet before enable it" list=Bogons
add address=127.0.0.0/8 comment="Loopback [RFC 3330]" list=Bogons
add address=169.254.0.0/16 comment="Link Local [RFC 3330]" list=Bogons
add address=172.16.0.0/12 comment="Private[RFC 1918] - CLASS B # Check if you \
    need this subnet before enable it" list=Bogons
add address=192.0.2.0/24 comment="Reserved - IANA - TestNet1" list=Bogons
add address=192.88.99.0/24 comment="6to4 Relay Anycast [RFC 3068]" list=\
    Bogons
add address=198.18.0.0/15 comment="NIDB Testing" list=Bogons
add address=198.51.100.0/24 comment="Reserved - IANA - TestNet2" list=Bogons
add address=203.0.113.0/24 comment="Reserved - IANA - TestNet3" list=Bogons
add address=224.0.0.0/4 comment=\
    "MC, Class D, IANA # Check if you need this subnet before enable it" \
    list=Bogons
/ip firewall filter
add action=accept chain=forward comment="defconf: accept established,related" \
    connection-state=established,related
add action=fasttrack-connection chain=forward connection-state=\
    established,related
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=input port=69 protocol=udp
add action=accept chain=forward port=69 protocol=udp
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface=ether1
add action=drop chain=forward comment="Drop to bogon list" dst-address-list=\
    Bogons
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=drop chain=input in-interface=ether1
add action=accept chain=forward connection-state=established,related
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN

Re: Pinging my IP from outside LAN

Posted: Fri May 24, 2019 7:41 pm
by sindy
If you wanted your router to be completely invisible from outside its WAN subnet, you'd have to also disable the TFTP - port scanners scan using multiple ports and protocols. So if you need the TFTP service to be available for requests received via WAN, disabling ping will not add much invisibility to you. With full unresponsiveness on WAN, you do limit the number of attempts to exploit some not-yet-widely-known vulnerabilities somehow, but you also deny yourself the ability to set up remote access from anywhere other than pre-defined sites.
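The point made above is that the posted rules expose two input services on WAN, ICMP (the `accept chain=input protocol=icmp` rule) and TFTP (`accept chain=input port=69 protocol=udp`), so dropping ping alone gains little. The following RouterOS filter rules are an added example, not part of this thread or of the default configuration: they keep the router answering ping from WAN but rate-limit it, and they restrict TFTP to the LAN side. They assume ether1 is the WAN interface, as in the posted export; the rate-limit values and the comments are my own choices.

```routeros
# Added example: tightening the input chain of the posted configuration.
# Assumption: ether1 is the WAN interface (matches the posted rules).
/ip firewall filter

# 1. Keep the stateful accepts first, so replies to the router's own traffic
#    (including related ICMP errors such as fragmentation-needed) still get in.
add chain=input connection-state=established,related action=accept \
    comment="input: accept established,related"
add chain=input connection-state=invalid action=drop \
    comment="input: drop invalid"

# 2. Answer ICMP echo requests from WAN, but at most 10 per second with a
#    burst of 20; everything above that limit falls through to the drop below.
add chain=input protocol=icmp icmp-options=8:0 in-interface=ether1 \
    limit=10,20:packet action=accept \
    comment="input: ICMP echo from WAN, rate limited"
add chain=input protocol=icmp in-interface=ether1 action=drop \
    comment="input: drop remaining ICMP from WAN"

# 3. TFTP is only reachable from interfaces other than WAN. This replaces the
#    posted rule that accepts udp/69 on any interface.
add chain=input protocol=udp dst-port=69 in-interface=!ether1 action=accept \
    comment="input: TFTP from LAN only"

# 4. Everything else that arrives on WAN for the router itself is dropped,
#    exactly as in the posted rule set.
add chain=input in-interface=ether1 action=drop \
    comment="input: drop all else from WAN"
```

Rule order matters in RouterOS: these rules are meant to replace the existing `accept chain=input protocol=icmp` and `accept chain=input port=69 protocol=udp` rules rather than sit after them, since a broad accept placed earlier would match first. After applying them, `/ip firewall filter print stats` shows the per-rule packet counters, which is a quick way to confirm that WAN echo requests are hitting the rate-limited rule and that no udp/69 traffic is being accepted from ether1.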

Re: Pinging my IP from outside LAN

Posted: Sat May 25, 2019 1:25 am
by meazz1
If you wanted your router to be completely invisible from outside its WAN subnet, you'd have to also disable the TFTP - port scanners scan using multiple ports and protocols. So if you need the TFTP service to be available for requests received via WAN, disabling ping will not add much invisibility to you. With full unresponsiveness on WAN, you do limit the number of attempts to exploit some not-yet-widely-known vulnerabilities somehow, but you also deny yourself the ability to set up remote access from anywhere other than pre-defined sites.
So, there's no real harm if I don't block ping.
What is recommended, or what is good practice?
Will it be OK if I just leave the rules as they are?

Re: Pinging my IP from outside LAN

Posted: Tue May 28, 2019 5:03 pm
by meazz1
Any suggestions?