Good lock down firewall rules for a home AP router
Posted: Mon Jul 28, 2014 1:05 pm
by ezrollin
I went crazy, because I wanted to see examples of how to have decent security. My config file works fine and everything, but I'm not sure if everything works the way it's supposed to, as the Access Control Lists (ACLs, aka firewall rules) may be in the wrong order and stuff like that. It's all just mushed together (there are probably duplicate rules). I guess I want everything on its own separate VLAN too.
My router resources are still low but I have a good router for my situation
Please help me fix and consolidate this config with your experience, Thanks!
My MikroTik is 192.168.88.1 (GW) it connects to my ISP router (GW) 192.168.254.254
My PC is 192.168.88.254
Re: Good lock down firewall rules for a home AP router
Posted: Tue Jul 29, 2014 11:09 am
by Rudios
There are a LOT of duplicate entries.
Also I'm wondering what you want to achieve.
Just some basic rules could look like this
ros code
/ip firewall filter
add action=drop chain=input comment="Drop invalid connections" connection-state=invalid
add chain=input comment="Accept established connections" connection-state=established
add chain=input comment="Accept related connections" connection-state=related
add chain=input comment="Allow access from local network" in-interface=br-PrivateNetwork src-address=192.168.25.0/24
add action=log chain=input comment="Log everything else" disabled=yes log-prefix="IPv4 Drop input RR:"
add action=drop chain=input comment="Drop everything else"
add action=drop chain=forward comment="Drop invalid connections" connection-state=invalid
add chain=forward comment="Accept established connections" connection-state=established
add chain=forward comment="Accept related connections" connection-state=related
add chain=forward comment="Allow traffic from Local network" in-interface=br-PrivateNetwork src-address=192.168.25.0/24
add action=log chain=forward comment="Log everything else" disabled=yes log-prefix="IPv4 Drop forward RR:"
add action=drop chain=forward comment="Drop everything else"
Only allow established/related traffic and inside initiated, rest will be blocked.
Re: Good lock down firewall rules for a home AP router
Posted: Tue Jul 29, 2014 12:21 pm
by ezrollin
My first sentence says: I wanted to see examples of how to have decent security. I want to learn the syntax. I want to learn how to create IDS/IPS systems. Just diving in head first trying to learn this stuff. I like the CLI but don't understand these chains yet. I will revise it soon.
I really enjoy the freeware program called PeerBlock.. I wish I had a hardware version to protect my whole network like at the inside local area (my wan interface)
Re: Good lock down firewall rules for a home AP router
Posted: Tue Aug 05, 2014 1:32 pm
by ezrollin
Anyone up for this? Want to help me consolidate for good home wifi AP security? If not, I will eventually get around to learning the syntax and configuring it how I want. Thanks.
Re: Good lock down firewall rules for a home AP router
Posted: Fri Aug 15, 2014 12:19 pm
by ezrollin
I see a few duplicates in the default config.
Do these rules go from top -> down like in Cisco's ACLs?
If so, is there an implicit deny all at the end?
Ex: in your post, you have a "drop everything else" in the middle of the settings... how does the processor know when to "drop everything else", if the timing is not specified?
Re: Good lock down firewall rules for a home AP router
Posted: Fri Aug 15, 2014 12:43 pm
by janisk
it is really important to understand what you are doing and where before you delve deep into the firewall.
here is manual for filter section to start with:
http://wiki.mikrotik.com/wiki/Manual:IP/Firewall/Filter
here is link to packet flow in RouterOS:
http://wiki.mikrotik.com/wiki/Packet_Flow
Really important stuff that you have to understand regarding firewall in RouterOS are chains, you have to know TCP and UDP protocol, have some insight into ICMP. And then there is IPv6.
here you can see how default configuration should look like:
http://wiki.mikrotik.com/wiki/Manual:De ... igurations
p.s. default home/soho router configuration is locked down. Everything you add most probably will make it less secure as nothing beats chain=input action=drop interface=<external>
Re: Good lock down firewall rules for a home AP router
Posted: Fri Aug 15, 2014 1:08 pm
by ezrollin
I cut it down to what I think it should've been as "basic" without duplicates:
/ip firewall filter
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" connection-state=established
add chain=input comment="default configuration" connection-state=related
add action=drop chain=input comment="default configuration" in-interface=ether1-gateway
add chain=forward comment="default configuration" connection-state=established
add chain=forward comment="default configuration" connection-state=related
add action=drop chain=forward comment="default configuration" connection-state=invalid
add chain=forward comment="default configuration" connection-state=established
Re: Good lock down firewall rules for a home AP router
Posted: Fri Aug 15, 2014 3:09 pm
by janisk
by the way, default action is accept, so if there are no rules that are dropping packet, it will be accepted when passed through all the rules.
Re: Good lock down firewall rules for a home AP router
Posted: Sat Aug 16, 2014 8:10 am
by ezrollin
p.s. default home/soho router configuration is locked down. Everything you add most probably will make it less secure as nothing beats chain=input action=drop interface=<external>
So are you saying that rule is a "tcp established" type of rule?
OR is that rule meant to be at the very last (after the allow rules)?
If not, please break it down for me thanks
Re: Good lock down firewall rules for a home AP router
Posted: Sat Aug 16, 2014 8:19 am
by Etz
Final Drop rule should be last...
This is my "simple firewall" example:
ros code
/ip firewall filter
add action=drop chain=input comment="Drop invalid connections" connection-state=invalid
add chain=input comment="Permit established connections" connection-state=established
add chain=input comment="Permit related connections" connection-state=related
add action=log chain=input comment="Log everything else, except LAN" in-interface=!ether01 log-prefix="ip filter input:"
add action=drop chain=input comment="Drop everything else not specified, except LAN" in-interface=!ether01
add action=drop chain=forward comment="Drop invalid connections" connection-state=invalid
add chain=forward comment="Permit established connections" connection-state=established
add chain=forward comment="Permit related connections" connection-state=related
add action=log chain=forward comment="Log everything else, except LAN" in-interface=!ether01 log-prefix="ip filter forward:"
add action=drop chain=forward comment="Drop everything else not specified, except LAN" in-interface=!ether01
If it is first, everything gets instantly dropped and nothing passes through.
Routers process access-lists and firewall statements line by line, beginning from the top, until the first match is found.
If match is found, no further rules will be processed for that packet.
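A way to check the ordering Etz describes without touching a live router, as an added example that is not from the thread or from MikroTik: a toy Python evaluator for the "add key=value" rule syntax above. It supports only the matchers used in this thread (chain, connection-state, in-interface with "!" as negation, src-address as CIDR), walks rules top-down to the first terminating match, treats action=log as non-terminating, and accepts by default when nothing matches.

```python
"""First-match evaluator for RouterOS '/ip firewall filter' rules: an added example,
not from the thread or MikroTik. It models only what the thread uses (chain, connection-state,
in-interface with '!' negation, src-address CIDR), first-match order, default accept, log as non-terminating."""
import ipaddress
import shlex

def parse_rules(script):
    """Turn 'add key=value ...' lines into dicts; a rule without action accepts."""
    rules = []
    for line in script.splitlines():
        line = line.strip()
        if line.startswith("add "):  # skips the '/ip firewall filter' header line
            rule = {"action": "accept"}
            for tok in shlex.split(line[4:]):  # shlex keeps quoted comments whole
                key, _, val = tok.partition("=")
                rule[key] = val
            rules.append(rule)
    return rules

def _matches(rule, pkt):
    if rule.get("chain") != pkt["chain"]:
        return False
    if "connection-state" in rule and rule["connection-state"] != pkt["state"]:
        return False
    iface = rule.get("in-interface")
    if iface is not None:
        same = pkt["in_iface"] == iface.lstrip("!")
        if same == iface.startswith("!"):  # '!ether01' means any port except ether01
            return False
    net = rule.get("src-address")
    if net and ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(net):
        return False
    return True

def verdict(rules, pkt):
    """Walk top-down; the first terminating match decides, nothing matched -> accept."""
    for rule in rules:
        if _matches(rule, pkt) and rule["action"] not in ("log", "passthrough"):
            return rule["action"]
    return "accept"  # RouterOS default action once a packet passes every rule

# Constructed copy of Etz's input-chain rules, with ether01 as the trusted LAN port.
ETZ_INPUT = parse_rules("""
/ip firewall filter
add action=drop chain=input comment="Drop invalid connections" connection-state=invalid
add chain=input comment="Permit established connections" connection-state=established
add chain=input comment="Permit related connections" connection-state=related
add action=log chain=input comment="Log everything else, except LAN" in-interface=!ether01 log-prefix="ip filter input:"
add action=drop chain=input comment="Drop everything else not specified, except LAN" in-interface=!ether01
""")
```

Packets are plain dicts with keys chain, state, in_iface and src; prepending an unconditional "add action=drop chain=input" to ETZ_INPUT shows why that rule cannot come first.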
Re: Good lock down firewall rules for a home AP router
Posted: Sat Aug 16, 2014 3:30 pm
by Rudios
I prefer putting an allowance rule from the interface I trust (master-port or bridge) and then block all other traffic
ros code
/ip firewall filter
add action=drop chain=input comment="Drop invalid connections" connection-state=invalid
add chain=input comment="Permit established connections" connection-state=established
add chain=input comment="Permit related connections" connection-state=related
add chain=input in-interface=bridge-local src-address=<local lan IP segment>
add action=log chain=input comment="Log everything else" log-prefix="ip filter input:"
add action=drop chain=input comment="Drop everything else"
add action=drop chain=forward comment="Drop invalid connections" connection-state=invalid
add chain=forward comment="Permit established connections" connection-state=established
add chain=forward comment="Permit related connections" connection-state=related
add chain=forward in-interface=bridge-local src-address=<local lan IP segment>
add action=log chain=forward comment="Log everything else" log-prefix="ip filter forward:"
add action=drop chain=forward comment="Drop everything else"
Re: Good lock down firewall rules for a home AP router
Posted: Sat Aug 16, 2014 5:09 pm
by Etz
I prefer putting an allowance rule from the interface I trust (master-port or bridge) and then block all other traffic.
Well, it all depends...
How many interfaces you have, how many of those are "trusted" and how many are "untrusted"; also, different approaches exist.
For example I have multiple "untrusted" uplink interfaces, hence it makes more sense to block all others except one "trusted" one via single line.
Re: Good lock down firewall rules for a home AP router
Posted: Wed Aug 20, 2014 1:02 am
by ezrollin
Rudios, those "log everything else" statements seem to be crashing my router EVERY TIME I put them in... it's logging everything.
Re: Good lock down firewall rules for a home AP router
Posted: Wed Aug 20, 2014 8:13 am
by Rudios
Rudios, those "log everything else" statements seem to be crashing my router EVERY TIME I put them in... it's logging everything.
It will log what will get blocked. It depends on the packets arriving at the router and the rules what is allowed.
If there are many packets sent to the router from outside without the request of an internal device, it probably is unwanted traffic and it will be blocked.
The log rules are not always necessary though. It is more for debugging if the firewall is not behaving as wanted.
Re: Good lock down firewall rules for a home AP router
Posted: Wed Aug 20, 2014 12:44 pm
by janisk
use logging only if you really want to see what you are dropping. Else that is just a resource hog that does nothing.
Re: Good lock down firewall rules for a home AP router
Posted: Wed Aug 20, 2014 2:41 pm
by ezrollin
Another problem was like what Etz was saying... the very first rule can't be DROP INPUT or everything's denied!
Re: Good lock down firewall rules for a home AP router
Posted: Wed Aug 20, 2014 7:58 pm
by Rudios
Another problem was like what Etz was saying... the very first rule can't be DROP INPUT or everything's denied!
The first line only drops invalid packets.
Re: Good lock down firewall rules for a home AP router
Posted: Wed Aug 20, 2014 8:44 pm
by Etz
Another problem was like what Etz was saying... the very first rule can't be DROP INPUT or everything's denied!
The first line only drops invalid packets.
He probably meant:
ros code
add action=drop chain=input
cannot be first; yours is a correct implementation...
Also I talked about "final drop rule", not dropping only invalid packets.
Re: Good lock down firewall rules for a home AP router
Posted: Thu Aug 21, 2014 11:51 pm
by ezrollin
I finally went with this one:
http://wiki.mikrotik.com/wiki/Basic_uni ... all_script
I've actually started figuring out how I can edit and fix things the way I want!
Re: Good lock down firewall rules for a home AP router
Posted: Fri Aug 22, 2014 11:06 pm
by ezrollin
What is the ! in "!ether1"?
Using this firewall list:
http://wiki.mikrotik.com/wiki/Basic_uni ... all_script
ros code
add action=add-src-to-address-list address-list=Port_Scanner address-list-timeout=1w chain=input comment="Port Scanner Detect"\
disabled=no protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="Drop to port scan list" disabled=no src-address-list=Port_Scanner
Why is it now, always thinking that I am a port scanner?
I see I have a lot of TCP 6 connections but I don't know what that port is?
It didn't do this before and I don't know what changed?
I am in the support user list. Thanks!
Re: Good lock down firewall rules for a home AP router
Posted: Fri Aug 22, 2014 11:22 pm
by Rudios
What is the ! in "!ether1"?
[...]
The exclamation mark indicates 'not' so in your example, not ether1
Re: Good lock down firewall rules for a home AP router
Posted: Sun Aug 24, 2014 9:12 pm
by bvandenbremt
Protocol 6 stands for TCP
Re: Good lock down firewall rules for a home AP router
Posted: Tue Aug 26, 2014 7:52 am
by ezrollin
I'm getting way too many 443 (HTTPS) logs in my "log everything else" (false positives).
I bet it's just reflexive (aka established) connections and the firewall is not grouping them into filter #14 (accept established) since it's 443 and it's accidentally overlooking this.
How can I fix this? thanks
Here is my log and my filters:
443 overload.png
Re: Good lock down firewall rules for a home AP router
Posted: Tue Aug 26, 2014 8:04 am
by Rudios
I guess you are wrong in the chain assignment.
The rule you highlighted is on the input chain, traffic destined for the router itself.
Are these all your rules or are there more?
For easy reading I advise to group them per chain, so it is clear in one view what rules will be applied to which packet.
Re: Good lock down firewall rules for a home AP router
Posted: Mon Sep 01, 2014 11:50 am
by MadEngineer
I actually prefer what is provided in the book "RouterOS by Example": it has the usual dropping invalid and accepting input from trusted networks, then it accepts established, then only accepts NEW forwards from the trusted network, then related forwards, then established forwards, finally dropping all other inputs and forwards. This works perfectly. From this I also add in accepted ports for services I want accessible to the world, while listing and banning those that make repeated blocked attempts as a means to protect those open ports.
The default firewall rules as set up by the quickset option probably works the same as above but only using the input chain (as per v6.19): first rule is to blindly accept all ICMP, then accept established, then related, rules for vpn go here if enabled, then drop everything on the wan interface.
...
Ex: in your post, you have a "drop everything else" in the middle of the settings... how does the processor know when to "drop everything else", if the timing is not specified?
to directly answer this and to add to the answer already provided, you have to realise that there are multiple ways that data is handled by the router. Yes, the rules are from top down but you might have a few input rules at the top, followed by a deny all input rule, followed by your rules for the forwarded data, followed by say a chain created for icmp that's jumped to prior to the drop all.
Also, muchas gracias for the log option on rules now :)
Re: Good lock down firewall rules for a home AP router
Posted: Tue Sep 02, 2014 9:57 am
by ezrollin
MadEngineer, do you have an example of this firewall? a link to the writeup?
I understood the timing.
I like my new firewall, but I'm definitely missing something!
anyone know what PeerBlock is?
I would love it if I could implement something like that into a hardware appliance (like a switch or router or ASA)
(allows or denies host IPs based on community defined hosts lists of bad or good hosts)
Re: Good lock down firewall rules for a home AP router
Posted: Tue Sep 02, 2014 11:49 am
by MadEngineer
If you can't work it out from my post, buy the book