Hi All,

Just wondering what others do when it comes to jumping to new chains from the forward chain for protecting services running behind your Mikrotik running as a firewall. We typically jump to a new chain for stuff like SMTP servers or web servers and then filter based on protocol and port within that new chain to protect boxes, then drop anything that doesn't match.

Some people add an accept rule at the top of each of those chains for related and established connections, some people add one at the beginning of the default forward chain. What are people's thoughts on the pros and cons of doing this in any of the ways mentioned? Are there any risks doing it one way or another, or should you just stick to allowing only the trusted ports and protocols through in each relevant chain rather than anything that's already been allowed previously?

I'm interested in people's thoughts on this.

Thanks
Paul
Hi

Big question. I typically have on the forward chain:

    action=fasttrack-connection connection-state=established,related
    connection-state=established,related
    # These are cause I have asym routing
    tcp-flags=syn,ack protocol=tcp
    tcp-flags=!syn protocol=tcp

Then general rules for global forward (think ospf, bgp, bfd, ntp...) and then sub rules for each interface. Also a special chain for ssh - up near the top.

On 20 July 2018 at 16:40, Paul Julian <paul@buildingconnect.com.au> wrote:
> Hi All,
>
> Just wondering what others do when it comes to jumping to new chains from the forward chain for protecting services running behind your Mikrotik running as a firewall. We typically jump to a new chain for stuff like SMTP servers or web servers and then filter based on protocol and port within that new chain to protect boxes, then drop anything that doesn't match. Some people add an accept rule at the top of each of those chains for related and established connections, some people add one at the beginning of the default forward chain. What are people's thoughts on the pros and cons of doing this in any of the ways mentioned? Are there any risks doing it one way or another, or should you just stick to allowing only the trusted ports and protocols through in each relevant chain rather than anything that's already been allowed previously?
>
> I'm interested in people's thoughts on this
>
> Thanks
> Paul

_______________________________________________
Public mailing list
Public@talk.mikrotik.com.au
http://talk.mikrotik.com.au/mailman/listinfo/public_talk.mikrotik.com.au
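As an added illustration (not configuration from either poster), here is one RouterOS v6 layout of the forward chain that puts the established/related handling once at the top, as Alex describes, and then jumps to per-service chains that accept only trusted ports and drop the rest, as Paul describes. The interface name, host addresses and chain names are assumptions; Alex's tcp-flags accepts for asymmetric routing are left out because they only make sense when return traffic bypasses the router.

```routeros
# Added example, not from the thread. Interface, addresses and chain
# names are placeholders chosen for illustration.
/ip firewall filter

# 1. Traffic already permitted earlier is handled once, here, so the
#    service chains below only ever see new connections.
add chain=forward action=fasttrack-connection \
    connection-state=established,related comment="fasttrack est/rel"
add chain=forward action=accept connection-state=established,related \
    comment="accept est/rel"
add chain=forward action=drop connection-state=invalid comment="drop invalid"

# 2. Hand traffic for each protected host to its own chain.
add chain=forward action=jump jump-target=mail-in in-interface=ether1-wan \
    dst-address=192.0.2.10 comment="new connections to SMTP host"
add chain=forward action=jump jump-target=web-in in-interface=ether1-wan \
    dst-address=192.0.2.20 comment="new connections to web host"

# 3. Per-service chains: allow only the trusted ports, then drop.
#    No est/rel rule is needed here because step 1 already matched it.
#    The trailing drop is what makes the chain a whitelist; without it an
#    unmatched packet would return to forward and fall through to step 4.
add chain=mail-in action=accept protocol=tcp dst-port=25,465,587 comment="SMTP"
add chain=mail-in action=drop comment="anything else to the mail host"
add chain=web-in action=accept protocol=tcp dst-port=80,443 comment="HTTP/S"
add chain=web-in action=drop comment="anything else to the web host"

# 4. Catch-all for WAN-originated new connections that matched no jump.
add chain=forward action=drop in-interface=ether1-wan connection-state=new \
    comment="drop other new inbound"
```

Because the fasttrack rule at the top means later forward rules never see packets of an accepted connection, any accept that slips in above a jump (or a missing drop at the end of a service chain) keeps that whole connection flowing, so keeping the per-chain drops and checking rule order with `/ip firewall filter print` after edits is the check worth doing.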
participants (2)
- Alex Samad
- Paul Julian