this post was submitted on 19 Jul 2023
6 points (100.0% liked)

Mikrotik

220 readers
8 users here now

A community-contributed sublemmy for all things Mikrotik. General ISP and network discussion also permitted. Please ensure if you're asking a question you have checked the Wiki First: https://help.mikrotik.com

Mikrotik Rules: Don't post content that is incorrect or potentially harmful to a router/network.

This in itself is not a bannable offence but answers that are verifiably incorrect or will cause issues for other users will be edited or removed.

Examples: Factual errors - "EOIP is always unsecure" Configuration problems - Config that would disable all physical interfaces on a router Trolling - "Downgrade it to 5.26"

founded 1 year ago
MODERATORS
 

MikroTik RouterOS comes with a default firewall configuration designed to provide basic network security. As a new user, comprehending these default firewall rules is essential to evaluate the initial level of protection for your network. In this technical guide, we will break down the default firewall rules and teach you how to interpret them to ensure your network's security is optimized.

Accessing the Firewall Configuration

To access the firewall configuration in MikroTik RouterOS, follow these steps:

Step 1: Log in to the MikroTik RouterOS Web Interface or connect via the Terminal (SSH or Telnet).

Step 2: Access the firewall settings by entering the following command in the terminal:

Interpreting Default Firewall Rules

By executing the above command, you will see a list of rules with columns representing essential parameters. Here's how to interpret the default firewall rules:

Column Headers:

  • CHAIN: Specifies the traffic direction the rule applies to (input, forward, or output).
  • SRC-ADDRESS: Defines the source IP address or IP range the rule affects.
  • DST-ADDRESS: Indicates the destination IP address or IP range the rule applies to.
  • PROTOCOL: Specifies the protocol (e.g., TCP, UDP) or all for any protocol.
  • ACTION: Determines what action the rule takes (accept, drop, reject, etc.).
  • COMMENT: Provides a description or comment for the rule (optional).

Default Input Chain Rule

The default rule in the input chain ensures the router itself is protected. It allows established connections (marked as "ESTABLISHED") to be accepted, so responses to outgoing traffic are allowed. It also permits related connections (marked as "RELATED"), enabling protocols like FTP to function correctly. Finally, the rule drops all incoming traffic with an invalid state.

Example Default Input Chain Rule:

0   ;;; defconf: drop all not coming from LAN
    chain=input action=drop in-interface=!yourLANinterface connection-state=new

Default Forward Chain Rule

The default rule in the forward chain controls traffic traversing between different networks. It accepts established and related connections (similar to the input chain) while blocking any new connections from external sources to the router.

Example Default Forward Chain Rule:

0   ;;; defconf: drop all from WAN not DSTNATed
    chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=!yourWANinterface

Default Output Chain Rule

The default rule in the output chain allows all outgoing traffic from the router to external destinations.

Example Default Output Chain Rule:

0   ;;; defconf: accept all from LAN
    chain=output action=accept out-interface=!yourLANinterface

Enhancing Firewall Rules

To enhance your network security, consider adding custom rules. For example, you can create rules to block specific incoming traffic, allow access to specific services, or implement Layer 7 protocol filtering.

Understanding the default firewall rules in MikroTik RouterOS is crucial to assess the initial level of network security. By interpreting the rules provided in the default configuration, you can evaluate and enhance your network's protection as per your specific requirements. Take advantage of custom firewall rules, connection tracking, and Layer 7 protocol filtering to strengthen your network's defenses and ensure a secure and robust network environment.

top 1 comments
sorted by: hot top controversial new old
[–] amarzar 2 points 1 year ago

Nice!!! Thank you for this information!!