Perhaps also a disabled example of a port forwarding rule, with a comment about manual DNS host creation for internal host access.
Matt
On 29 Apr 2016 12:10 pm, "Jason Hecker (Up & Running Tech)" <jason@upandrunningtech.com.au> wrote:
I think it's a good idea, but it should come with an accompanying document to explain and justify each rule. I am a big fan of KISS, simply because a blindly applied ruleset like this can create problems. I have seen people come onto the #mikrotik IRC channel who have cut and pasted the big similar-looking firewall ruleset off the Mikrotik Wiki and then wondered why things were going wrong.
As for bogons, sometimes you need to allow access to non-routable networks on the WAN interface, such as the web page of a modem you are using as a PPPoE bridge. Is it a good idea to mess with ICMP at all?
On 29 April 2016 at 11:49, Mike Everest <mike@duxtel.com> wrote:
All,
Per Josh's post below, what we are trying to do is to create some kind of 'recommended best practice' base firewall script that will suit most applications - most typically, SME, business and home border router type setup.
We often receive requests for this kind of thing, but to date we can only offer some general recommendations and pointers to various mikrotik wiki and forum pages.
On top of the usual scheme as presented below, I'm thinking we should include some of the more obvious checks and actions such as:
1. IMPORTANT: include permit established and permit related as the first rule/s
2. detect ssh brute force attack, add to blocked list
3. block udp and tcp input on port 53? (prevent dns dos when resolver is enabled)
4. detect high volume smtp traffic and clamp to rate limit
also, we're thinking about setting some global variables at beginning of script to allow for easy defining of various address-list timeout values etc.
So we're looking for some general suggestions from others as to:
- what do you already include in your firewall actions
- what are the typical attacks that you think need to be addressed
- what variations do you think are needed depending on different applications (e.g. for a SME gateway, rate of x/min smtp is typical, whereas n*x/min is more appropriate for a corporate gateway)
What we expect to do is to publish somewhere publicly accessible the results as a fully worked RouterOS firewall script with some global variables at the head to enable/disable various rule types, packet rate triggers and timeout variables. That script will then be able to form a basis for further ongoing development over time as a resource for everyone to use and contribute to if they wish.
Any suggestions/ideas? :-}
Cheers, Mike.
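Mike's four items, with the global-variable header he mentions, Jason's bogon and ICMP caveats, and Matt's disabled port-forward template with a static DNS entry, as one RouterOS v6 script. This is an added example, not Josh's pastebin script or anything the list has published; the interface name ether1, the LAN range 192.168.88.0/24, the internal host 192.168.88.10, the modem address 192.168.1.1 and every rate and timeout value are placeholders to be adjusted per site.

```routeros
# Added example, not the list's ruleset. Globals at the head so timeouts and
# rate triggers are tuned in one place. All values below are placeholders.
# wanIf: the interface carrying the public address (pppoe-out1 if a modem bridges PPPoE).
:global wanIf "ether1"
:global lanNet "192.168.88.0/24"
# PPPoE bridge modem reachable on the WAN port (Jason's case).
:global modemAddr "192.168.1.1"
# SSH brute force: counting window and ban length.
:global sshStageTime "1m"
:global sshBanTime "10d"
# SMTP new-connection clamp, SME sized; raise for a corporate gateway.
:global smtpLimit "10/1m,5:packet"

/ip firewall address-list
add list=bogons address=10.0.0.0/8 comment="RFC1918; should never arrive from the Internet"
add list=bogons address=172.16.0.0/12
add list=bogons address=192.168.0.0/16
add list=bogons address=100.64.0.0/10 comment="CGNAT range; remove if your ISP hands out such addresses"

/ip firewall filter
# 1. Stateful accept first: tracked traffic passes cheaply, invalid is dropped.
add chain=input connection-state=established,related action=accept comment="accept established/related"
add chain=input connection-state=invalid action=drop comment="drop invalid"
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
# Jason's caveat: replies from the modem already pass via established/related,
# but keep an explicit accept ahead of the bogon drop so it is not cut off.
add chain=input in-interface=$wanIf src-address=$modemAddr action=accept comment="PPPoE bridge modem management"
add chain=input in-interface=$wanIf src-address-list=bogons action=drop comment="drop bogons on WAN"
add chain=forward in-interface=$wanIf src-address-list=bogons action=drop
# ICMP: leave it open (PMTUD, traceroute), only rate-limit echo requests.
add chain=input protocol=icmp icmp-options=8:0 limit=5,10:packet action=accept comment="ping, rate limited"
add chain=input protocol=icmp icmp-options=8:0 action=drop comment="ping over rate"
add chain=input protocol=icmp action=accept
# 2. SSH brute force: each new connection moves the source one stage up;
# the fourth within the window lands it on ssh_blacklist for sshBanTime.
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_blacklist action=drop comment="blocked SSH brute-forcers"
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage3 action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=$sshBanTime
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage2 action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=$sshStageTime
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage1 action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=$sshStageTime
add chain=input protocol=tcp dst-port=22 connection-state=new action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=$sshStageTime
# 3. Resolver serves the LAN only: drop DNS queries arriving on WAN.
add chain=input in-interface=$wanIf protocol=udp dst-port=53 action=drop comment="no open resolver (udp)"
add chain=input in-interface=$wanIf protocol=tcp dst-port=53 action=drop comment="no open resolver (tcp)"
# 4. Outbound SMTP: new connections from the LAN within the rate pass,
# the excess is dropped rather than the whole host being cut off.
add chain=forward src-address=$lanNet protocol=tcp dst-port=25 connection-state=new limit=$smtpLimit action=accept comment="SMTP within rate"
add chain=forward src-address=$lanNet protocol=tcp dst-port=25 connection-state=new action=drop comment="SMTP over rate, likely spam bot"
# Everything else unsolicited on WAN is dropped.
add chain=input in-interface=$wanIf action=drop comment="default deny on WAN"

# Matt's suggestion: a disabled port-forward template; 192.168.88.10 is a placeholder host.
/ip firewall nat
add chain=dstnat in-interface=$wanIf protocol=tcp dst-port=443 action=dst-nat to-addresses=192.168.88.10 to-ports=443 disabled=yes comment="TEMPLATE: forward HTTPS to an internal host; set to-addresses and enable"
add chain=srcnat out-interface=$wanIf action=masquerade

# Internal clients resolving the public name need the LAN address directly
# (this template has no hairpin NAT), hence a manual static DNS host.
/ip dns static
add name=www.example.com address=192.168.88.10 disabled=yes comment="TEMPLATE: internal clients resolve the forwarded host to its LAN address"
```

Import with `/import file-name=base-firewall.rsc` after editing the globals; the two template entries stay `disabled=yes` until the site fills in its own host and name.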
-----Original Message-----
From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Josh Oberin
Sent: Thursday, 28 April 2016 10:05 AM
To: public@talk.mikrotik.com.au
Subject: [MT-AU Public] Universal Firewall
Hi Guys,
I'm trying to build a starter universal firewall so people can load it on their routers and then add onto it as needed, or even just use it as an example.
I uploaded it to pastebin as 50 lines is a little too much to slap into an email.
Let me know of any suggestions you have.
Thanks,
Josh
_______________________________________________ Public mailing list Public@talk.mikrotik.com.au
http://talk.mikrotik.com.au/mailman/listinfo/public_talk.mikrotik.com.au