zimbola
Frequent Visitor
Topic Author
Posts: 56
Joined: Mon Feb 16, 2015 5:02 pm

Simple Firewall Rule for Home Router with 5-6 hosts

Wed Apr 01, 2015 1:53 pm

Good Day to you Friends.
Finally I have managed to connect the MikroTik router to the internet with the help of this forum's member "ZeroByte". Now all client devices are able to browse the internet through it.
Now I would like to secure my router with a simple firewall rule to prevent outside attackers.
While searching Google I came across many links which pointed me to creating firewall rules.
Some of them are:
1) http://freedommafia.net/clanmain/knowle ... es-scripts
2) http://wirelessconnect.eu/articles/secu ... r_firewall
3) http://wiki.mikrotik.com/wiki/Home_Firewall
4) http://wiki.mikrotik.com/wiki/Basic_uni ... all_script
5) http://gregsowell.com/?p=4013
I would like friends with more knowledge on firewalls to point me to the correct direction.
Basically my requirement is that outsiders should not be able to hack into my router and network.
Let insiders do anything :)
I think numbers 3 & 4 should meet my requirement. If you have a better, updated firewall rule for a home router please share the link.
Many Thanks to you
 
boen_robot
Forum Guru
Posts: 2400
Joined: Thu Aug 31, 2006 4:43 pm
Location: europe://Bulgaria/Plovdiv

Re: Simple Firewall Rule for Home Router with 5-6 hosts

Wed Apr 01, 2015 3:05 pm

The firewall rules that come on RouterBOARD devices by default are sufficient IMO... Perhaps also add rejects for different ICMP requests (but not replies!) in the "forward" chain for extra precaution (in that no hacker can "hack" your network via ICMP, even if they take over your ISP's router; At best, they could learn some facts about the insides of the topology, and even that's a stretch).

So...
/ip firewall filter
add chain=input action=accept connection-state=established
add chain=input action=accept connection-state=related
add chain=input action=accept protocol=icmp
add chain=input action=drop in-interface=!local
add chain=forward action=accept connection-state=established
add chain=forward action=accept connection-state=related
add chain=forward action=drop connection-state=invalid

#Extra rules for ICMP access to the insides
add chain=forward action=reject reject-with=icmp-host-unreachable protocol=icmp in-interface=!local out-interface=local icmp-options=8:0-255 
add chain=forward action=reject reject-with=icmp-host-unreachable protocol=icmp in-interface=!local out-interface=local icmp-options=17:0-255
add chain=forward action=reject reject-with=icmp-host-unreachable protocol=icmp in-interface=!local out-interface=local icmp-options=15:0-255
add chain=forward action=reject reject-with=icmp-host-unreachable protocol=icmp in-interface=!local out-interface=local icmp-options=30:0-255

#TCP/UDP port 0 DDoS protection
add chain=forward action=drop protocol=tcp port=0
add chain=forward action=drop protocol=udp port=0
(Edit: Oops... The input drop should only be for non-local interfaces; otherwise you block yourself out. Fixed above...)
Last edited by boen_robot on Wed Apr 01, 2015 6:31 pm, edited 1 time in total.
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: Simple Firewall Rule for Home Router with 5-6 hosts

Wed Apr 01, 2015 3:35 pm

Thanks for the nod, and I'm glad your router is working well now.

Boen's list is great. I would only add one more rule -
Put this between the "basic" rule set and the "extra icmp filter" set:
> add chain=forward in-interface=local action=accept

and then at the very end of the forward chain:
> add chain=forward action=drop

Of course, where the rules we show here use the interface name "local", replace this with whatever your LAN interface is (ether2, LAN-Bridge, etc.).


Boen - you have the same old habit that I do - one rule for established, one rule for related. Apparently, now you can just put both in the same rule with state=established,related
(which makes me smile)
 
zimbola
Frequent Visitor
Topic Author
Posts: 56
Joined: Mon Feb 16, 2015 5:02 pm

Re: Simple Firewall Rule for Home Router with 5-6 hosts

Wed Apr 01, 2015 4:48 pm

Thank you boen_robot for the firewall script & ZeroByte for the description.
I could have just copy-pasted the script into the terminal...
but I am currently going through http://wiki.mikrotik.com/wiki/Manual:IP/Firewall/Filter
which will help me better understand the script so that I can modify it as per my needs in future.
Have a great Day.
 
boen_robot
Forum Guru
Posts: 2400
Joined: Thu Aug 31, 2006 4:43 pm
Location: europe://Bulgaria/Plovdiv

Re: Simple Firewall Rule for Home Router with 5-6 hosts

Wed Apr 01, 2015 6:41 pm

Boen - you have the same old habit that I do - one rule for established, one rule for related. Apparently, now you can just put both in the same rule with state=established,related
(which makes me smile)
Yeah, about that...

Does a comma "and" or "or" the connection-state? The manual doesn't really make that clear, and I've never quite set up a scenario to check... If it "and"s the two, then it sounds like in addition to "established,related", there should be additional rule or "new,related", plus a rule for "established,!related". If it "or"s the two, then yeah, the two rules can just become one.
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: Simple Firewall Rule for Home Router with 5-6 hosts

Wed Apr 01, 2015 7:17 pm

Does a comma "and" or "or" the connection-state?
On a rule, multiple criteria are AND operations.
Commas and ranges (where supported) within a single criterion are OR operations.
So if you say protocol=tcp dst-port=53,80,443,22,25,110
Then TCP to any of those ports will match, but not UDP.

Some things, like protocol for instance, don't allow multiple matches like that.

In the actual Linux command-line iptables, you can specify ctstate=established,related (for a very long time now)
But the fact you couldn't do it in RoS always made me smirk. I saw they fixed it so I stopped smirking and went and collapsed my rules. :)
 
boen_robot
Forum Guru
Posts: 2400
Joined: Thu Aug 31, 2006 4:43 pm
Location: europe://Bulgaria/Plovdiv

Re: Simple Firewall Rule for Home Router with 5-6 hosts

Wed Apr 01, 2015 7:35 pm

That makes sense for ports and ranges, and any place that expects numbers... I just wasn't sure if it's applicable in other comma-separated (string) criteria.

Similarly with "src/dst-address-type". If you say "local,unicast" would that mean "a local address, addressed via unicast", or does it mean "a local address, addressed in any fashion or any address addressed via unicast"? If the comma rule is universal, I suppose the answer is the latter, and if one wants the former, you'd need two rules.
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: Simple Firewall Rule for Home Router with 5-6 hosts

Thu Apr 02, 2015 4:41 am

If you say "local,unicast" would that mean "a local address, addressed via unicast", or does it mean "a local address, addressed in any fashion or any address addressed via unicast"? If the comma rule is universal, I suppose the answer is the latter, and if one wants the former, you'd need two rules.
It's the second, but not the way you worded it. Packets will only be of one type.
local beats unicast/broadcast. (didn't test multicast)

So in English - "a local address, or a unicast address"
Inverting this match -> "broadcast or unicast" (i.e. !local and !unicast)

I discovered this 'only one type' behavior when I decided to lab it up:

I just made some pass-through rules in the mangle table to watch the counters increment every time I pinged something that matched one criteria or another....

The rules all matched my laptop's source address and echo request, plus the test criterion:
1: unicast,local
2: unicast
3: local
4: broadcast

I have put a secondary static IP 192.168.100.2/24 on the WAN of my router so I can hit the cable modem with my web browser without re-configuring or needing to plug directly into the modem...

Ping to 192.168.100.1 -> the cablemodem -> matches 1 and 2
Ping to 192.168.100.2 -> the Mikrotik -> matches 1 and 3
Ping to 192.168.100.255 -> broadcast on WAN -> matches 4 only as expected.
Ping to 10.10.10.10 -> a /32 on the loopback bridge -> matches 1 and 3

Conclusion:
Comma is an OR operation
Furthermore, I learned that a packet will be considered as one, and only one of the address types with "local" taking priority over broadcast, unicast, (and ostensibly multicast but I didn't bother).
Local = same concept as 'input' chain - an IP of the Mikrotik itself.
(not locally-connected subnet host, mind you, nor 'private IP', nor 169.254.0.0/16)
Unicast / Broadcast / Multicast = just what you would think.
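Below is an added example (not code from the thread or from MikroTik) that models the matching semantics discussed above in Python: every criterion on a rule is ANDed, a comma-separated value list is ORed, a leading "!" negates the whole criterion, and a packet's destination has exactly one address type with "local" taking priority. It runs boen_robot's rule set (with the two established/related rules collapsed into one as ZeroByte suggests, ZeroByte's LAN accept and final forward drop added, and the ICMP echo reject reduced to its type number) over constructed packets, and then replays ZeroByte's four-rule address-type lab. The LAN interface is called "local" as in the thread; "ether1" as the WAN name, the `Packet` fields and the simplification of `port=0` to `dst-port=0` are assumptions of this example. The IPs are the ones ZeroByte used.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Packet:
    """Constructed packet carrying only the fields the rules below inspect."""
    in_interface: str
    out_interface: Optional[str] = None   # None: the packet is for the router itself (input chain)
    protocol: str = "tcp"
    dst_port: int = 0
    connection_state: str = "new"
    icmp_type: Optional[int] = None
    dst_address_type: str = "unicast"


def classify_dst(addr: str, router_ips: set, broadcast_ips: set) -> str:
    """One effective address type per packet; 'local' (an IP of the router
    itself) wins over unicast/broadcast, as ZeroByte's lab showed."""
    if addr in router_ips:
        return "local"
    if addr in broadcast_ips:
        return "broadcast"
    if addr.startswith("224."):
        return "multicast"
    return "unicast"


def criterion_matches(criterion: str, value) -> bool:
    """Comma list = OR; a leading '!' negates the whole criterion,
    so '!local,unicast' reads 'neither local nor unicast'."""
    negate = criterion.startswith("!")
    options = criterion.lstrip("!").split(",")
    return (str(value) in options) != negate


def rule_matches(rule: Dict[str, str], pkt: Packet) -> bool:
    """All criteria on a single rule are ANDed."""
    return all(criterion_matches(crit, getattr(pkt, key))
               for key, crit in rule.items() if key not in ("chain", "action"))


def run_chain(rules: List[Dict[str, str]], chain: str, pkt: Packet) -> str:
    """First matching rule in the chain decides; falling off the end is the
    built-in default action, accept."""
    for rule in rules:
        if rule["chain"] == chain and rule_matches(rule, pkt):
            return rule["action"]
    return "accept"


# Home rule set from the thread. 'local' is the LAN interface; anything else is WAN.
HOME_RULES = [
    {"chain": "input",   "action": "accept", "connection_state": "established,related"},
    {"chain": "input",   "action": "accept", "protocol": "icmp"},
    {"chain": "input",   "action": "drop",   "in_interface": "!local"},
    {"chain": "forward", "action": "accept", "connection_state": "established,related"},
    {"chain": "forward", "action": "drop",   "connection_state": "invalid"},
    {"chain": "forward", "action": "accept", "in_interface": "local"},
    {"chain": "forward", "action": "reject", "protocol": "icmp",          # echo request (type 8)
     "in_interface": "!local", "out_interface": "local", "icmp_type": "8"},
    {"chain": "forward", "action": "drop",   "protocol": "tcp,udp", "dst_port": "0"},  # simplified port=0
    {"chain": "forward", "action": "drop"},                               # ZeroByte's final drop
]


def verdict(pkt: Packet) -> str:
    """Pick the chain from where the packet is headed, then evaluate it."""
    chain = "input" if pkt.out_interface is None else "forward"
    return run_chain(HOME_RULES, chain, pkt)


# ZeroByte's mangle-table experiment: four pass-through rules that differ only in
# dst-address-type, pinged from the LAN side. Router IPs: WAN secondary + loopback /32.
LAB_CRITERIA = ["unicast,local", "unicast", "local", "broadcast"]
ROUTER_IPS = {"192.168.100.2", "10.10.10.10"}
BROADCAST_IPS = {"192.168.100.255"}


def lab_matches(dst: str) -> List[int]:
    """Numbers (1-4) of the lab rules an echo request to `dst` increments."""
    pkt = Packet(in_interface="local", protocol="icmp", icmp_type=8,
                 dst_address_type=classify_dst(dst, ROUTER_IPS, BROADCAST_IPS))
    return [i + 1 for i, crit in enumerate(LAB_CRITERIA)
            if criterion_matches(crit, pkt.dst_address_type)]


if __name__ == "__main__":
    print("WAN -> router tcp/22:", verdict(Packet(in_interface="ether1", dst_port=22)))
    print("LAN -> router tcp/8291:", verdict(Packet(in_interface="local", dst_port=8291)))
    print("WAN -> LAN echo request:", verdict(Packet("ether1", "local", "icmp", icmp_type=8)))
    print("WAN -> LAN new tcp/80:", verdict(Packet("ether1", "local", "tcp", 80)))
    for dst in ("192.168.100.1", "192.168.100.2", "192.168.100.255", "10.10.10.10"):
        print(dst, "matches lab rules", lab_matches(dst))
```

The model deliberately stops at first match and defaults to accept, which is why the final `chain=forward action=drop` matters: without it, a new WAN-to-LAN TCP connection that no earlier rule matches would be forwarded. The lab replay reproduces ZeroByte's table (1 and 2 for the modem, 1 and 3 for both router addresses, 4 only for the broadcast).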
 
jarda
Forum Guru
Posts: 7756
Joined: Mon Oct 22, 2012 4:46 pm

Thu Apr 02, 2015 9:23 am

The connection cannot have more than one state. So comma could not mean AND just from logical point of view. Comma in multiple list means OR.
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re:

Tue Apr 07, 2015 4:44 am

The connection cannot have more than one state. So comma could not mean AND just from logical point of view. Comma in multiple list means OR.
I understand one connection state, but to me - a packet's destination address can be both local and unicast, or local and multicast, or just unicast.... I was always sure the comma meant OR - but then when you're bored and have a router to play with, why not make use of the scientific method and just answer the question for myself? :)