Hi Guys,

I'm trying to build a starter universal firewall so people can load it on their routers and then add onto it as needed, or even just to use as an example.

I uploaded it to pastebin as 50 lines is a little too much to slap into an email.

http://pastebin.com/Fp05Cwng

Let me know of any suggestions you have.

Thanks,
Josh
All,

Per Josh's post below, what we are trying to do is to create some kind of 'recommended best practice' base firewall script that will suit most applications - most typically, SME, business and home border router type setup.

We often receive requests for this kind of thing, but to date we can only offer some general recommendations and pointers to various mikrotik wiki and forum pages.

On top of the usual scheme as presented below, I'm thinking we should include some of the more obvious checks and actions such as:

1. IMPORTANT: include permit established and permit related as the first rule/s
2. detect ssh brute force attack, add to blocked list
3. block udp and tcp input on port 53? (prevent dns dos when resolver is enabled)
4. detect high volume smtp traffic and clamp to rate limit

Also, we're thinking about setting some global variables at the beginning of the script to allow for easy defining of various address-list timeout values etc.

So we're looking for some general suggestions from others as to:

- what do you already include in your firewall actions
- what are the typical attacks that you think need to be addressed
- what variations do you think are needed depending on different applications (e.g. for a SME gateway, a rate of x/min smtp is typical, whereas n*x/min is more appropriate for a corporate gateway)

What we expect to do is to publish somewhere publicly accessible the results as a fully worked routerOS firewall script with some global variables at the head to enable/disable various rule types, packet rate triggers and timeout variables. That script will then be able to form a basis for further ongoing development over time as a resource for everyone to use and contribute to if they wish.

Any suggestions/ideas? :-}

Cheers, Mike.

-----Original Message----- From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Josh Oberin Sent: Thursday, 28 April 2016 10:05 AM To: public@talk.mikrotik.com.au Subject: [MT-AU Public] Universal Firewall
_______________________________________________ Public mailing list Public@talk.mikrotik.com.au http://talk.mikrotik.com.au/mailman/listinfo/public_talk.mikrotik.com.au
Make sure you block incoming NTP similar to your DNS block, for the same reason.

James

On Fri, 29 Apr 2016, at 11:49, Mike Everest wrote:
I think it's a good idea but it should come with an accompanying document to explain and justify each rule. I am a big fan of KISS simply because a blindly applied ruleset like this can create problems. I have seen people come onto the #mikrotik IRC channel who have cut and pasted the big similar-looking firewall ruleset off the Mikrotik Wiki and then wondered why things were going wrong.

As for bogons, sometimes you need to allow access to non-routable networks on the WAN interface, such as the web page of a modem you are using as a PPPoE bridge.

Is it a good idea to mess with ICMP at all?

On 29 April 2016 at 11:49, Mike Everest <mike@duxtel.com> wrote:
Perhaps also a disabled example of a port forwarding rule, with a comment about manual DNS host creation for internal host access.

Matt

On 29 Apr 2016 12:10 pm, "Jason Hecker (Up & Running Tech)" <jason@upandrunningtech.com.au> wrote:
Good idea Mike, I have picked up some great info over the years in fine tuning the scripts we use.

Suggestions would be:

- On the input chain, throw to other chains for UDP and TCP traffic, then process the individual requirements for each protocol in those chains to keep the input chain clean
- Set up rate limiting for ICMP traffic so you still get it through, but not high volumes
- We set up honeypot addresses as well on some gear, which is just an address that has never ever been used; if something tries to connect to it we add it to a dynamic block list

Just what I can think of for now.

Regards
Paul

-----Original Message----- From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Mike Everest Sent: Friday, 29 April 2016 11:50 AM To: 'MikroTik Australia Public List' Subject: Re: [MT-AU Public] Universal Firewall
Also, having many rules for features which aren't needed right now in a disabled state is handy, with comments on as many entries as possible as well; then people can pick and choose which rules they need and don't need, and just enable the ones they need.

Regards
Paul

-----Original Message----- From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Mike Everest Sent: Friday, 29 April 2016 11:50 AM To: 'MikroTik Australia Public List' Subject: Re: [MT-AU Public] Universal Firewall
All good suggestions - keep them coming! :-)

Regarding rules and rule blocks being easily disabled - that is the idea of including a set of global variables at the head, so certain rule types can be adjusted, e.g.:

# set smtp-per-minute-count, 0 is disabled
global max-smtp-count 1000
# set smtp-clamp-rate (bps)
global smtp-clamp-rate 64000
# enable honeypot address - 0.0.0.0 for disabled
global honeypot 10.10.10.1

.. and so on.

Suggestions about what kind of globals would be useful are also welcome!! :)

Cheers, Mike.

-----Original Message----- From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Paul Julian Sent: Friday, 29 April 2016 12:41 PM To: 'MikroTik Australia Public List' <public@talk.mikrotik.com.au> Subject: Re: [MT-AU Public] Universal Firewall
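To show how the pieces raised in this thread fit together (Mike's four items and his head-of-script globals, Paul's per-protocol chains, ICMP rate limit and honeypot, James's NTP block, Matt's disabled port forward), here is an added RouterOS script example; it is not the pastebin script or anything the list published. The interface name ether1-wan, the address-list names, the 192.168.88.10 forward target, the limits and the timeouts are all assumed values.

```routeros
# Added example, not the thread's pastebin script: a base border firewall built
# the way this thread suggests, with tunables at the head; a rule block wrapped in
# :if is skipped when its global is off. Interface, list names, limits and
# timeouts are assumed values.
:global wanIf "ether1-wan"
:global blockDnsInput true
:global blockNtpInput true
:global sshGuard true
:global smtpGuard true
:global blockTimeout 1d
:global sshStageTimeout 1m
:global honeypotAddr ""
# (honeypotAddr: a never-used address on the router; empty = disabled)
# 1. IMPORTANT: established/related first, so later rules only see new flows
/ip firewall filter add chain=input connection-state=established,related action=accept
/ip firewall filter add chain=input connection-state=invalid action=drop
# sources already on the dynamic block list are dropped before going further
/ip firewall filter add chain=input in-interface=$wanIf src-address-list=blocked action=drop
# keep the input chain clean: hand WAN TCP and UDP to their own chains
/ip firewall filter add chain=input in-interface=$wanIf protocol=tcp action=jump jump-target=wan-tcp
/ip firewall filter add chain=input in-interface=$wanIf protocol=udp action=jump jump-target=wan-udp
# ICMP still gets through, but not in volume
/ip firewall filter add chain=input in-interface=$wanIf protocol=icmp limit=50,5:packet action=accept
/ip firewall filter add chain=input in-interface=$wanIf protocol=icmp action=drop
# 2. SSH: the admin list is accepted; anyone else making a third new attempt within
#    the stage timeout lands on the block list (stages are checked highest first)
/ip firewall filter add chain=wan-tcp dst-port=22 src-address-list=admin action=accept \
    comment="ssh from admin list (populate the list manually)"
:if ($sshGuard) do={
    /ip firewall filter add chain=wan-tcp dst-port=22 connection-state=new src-address-list=ssh_stage3 \
        action=add-src-to-address-list address-list=blocked address-list-timeout=$blockTimeout
    /ip firewall filter add chain=wan-tcp dst-port=22 connection-state=new src-address-list=ssh_stage2 \
        action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=$sshStageTimeout
    /ip firewall filter add chain=wan-tcp dst-port=22 connection-state=new src-address-list=ssh_stage1 \
        action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=$sshStageTimeout
    /ip firewall filter add chain=wan-tcp dst-port=22 connection-state=new \
        action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=$sshStageTimeout
}
# 3. the resolver serves the LAN only: no DNS (and, per James, no NTP) from the WAN
:if ($blockDnsInput) do={
    /ip firewall filter add chain=wan-tcp dst-port=53 action=drop comment="no dns from wan"
    /ip firewall filter add chain=wan-udp dst-port=53 action=drop comment="no dns from wan"
}
:if ($blockNtpInput) do={
    /ip firewall filter add chain=wan-udp dst-port=123 action=drop comment="no ntp from wan"
}
# 4. SMTP through the router: a source holding more than 20 connections (compound
#    value, so hard-coded here) goes on the block list
:if ($smtpGuard) do={
    /ip firewall filter add chain=forward in-interface=$wanIf protocol=tcp dst-port=25 \
        connection-limit=20,32 action=add-src-to-address-list address-list=blocked \
        address-list-timeout=$blockTimeout comment="smtp flood"
}
# honeypot (Paul's idea): nothing legitimate ever talks to this address
:if ([:len $honeypotAddr] > 0) do={
    /ip firewall filter add chain=input dst-address=$honeypotAddr \
        action=add-src-to-address-list address-list=blocked address-list-timeout=$blockTimeout
}
/ip firewall filter add chain=wan-tcp action=return
/ip firewall filter add chain=wan-udp action=return
/ip firewall filter add chain=input in-interface=$wanIf action=drop comment="drop the rest from wan"
# Matt's suggestion: a port forward shipped disabled; LAN clients also need a static
# DNS entry for the internal host to reach it by name
/ip firewall nat add chain=dstnat in-interface=$wanIf protocol=tcp dst-port=8080 \
    action=dst-nat to-addresses=192.168.88.10 to-ports=80 disabled=yes \
    comment="example forward; add a static DNS entry for the internal host"
```

Load it on a test router first and check `/ip firewall filter print` to confirm the established/related rule sits above everything else before trusting it on a border device.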
participants (6)
- James Hodgkinson
- Jason Hecker (Up & Running Tech)
- Josh Oberin
- Matt Chipman
- Mike Everest
- Paul Julian