...
Code Block | ||
---|---|---|
| ||
/system default-configuration print |
...
IPv4 firewall
Protect the router itself
- work with
new
connections to decrease the load on a router; - create
address-list
for IP addresses, that are allowed to access your router; - enable ICMP access (optionally);
drop
everything else,log=yes
might be added to log packets that hit the specific rule;
...
Protect the LAN devices
We will create address-list
with the name "not_in_internet" which we will use for the firewall filter rules:
...
- packets with connection-state=established,related added to FastTrack for faster data throughput, the firewall will work with new connections only;
- drop invalid connection and log them with prefix "invalid";
- drop attempts to reach not public addresses from your local network, apply address-list=not_in_internet before, bridge1 "bridge" is local network interface, log=yes attempts with prefix "!public_from_LAN";
- drop incoming packets that are not NAT`ed, ether1 is public interface, log attempts with "!NAT" prefix;
- jump to ICMP chain to drop unwanted ICMP messages
- drop incoming packets from the Internet, which are not public IP addresses, ether1 is a public interface, log attempts with prefix "!public";
- drop packets from LAN that does not have LAN IP, 192.168.88.0/24 is local network used subnet;
Code Block | ||
---|---|---|
| ||
/ip firewall filter add action=fasttrack-connection chain=forward comment=FastTrack connection-state=established,related add action=accept chain=forward comment="Established, Related" connection-state=established,related add action=drop chain=forward comment="Drop invalid" connection-state=invalid log=yes log-prefix=invalid add action=drop chain=forward comment="Drop tries to reach not public addresses from LAN" dst-address-list=not_in_internet in-interface=bridge1bridge log=yes log-prefix=!public_from_LAN out-interface=!bridge1bridge add action=drop chain=forward comment="Drop incoming packets that are not NAT`ted" connection-nat-state=!dstnat connection-state=new in-interface=ether1 log=yes log-prefix=!NAT add action=jump chain=forward protocol=icmp jump-target=icmp comment="jump to ICMP filters" add action=drop chain=forward comment="Drop incoming from internet which is not public IP" in-interface=ether1 log=yes log-prefix=!public src-address-list=not_in_internet add action=drop chain=forward comment="Drop packets from LAN that do not have LAN IP" in-interface=bridge1bridge log=yes log-prefix=LAN_!LAN src-address=!192.168.88.0/24 |
Allow only needed icmp ICMP codes in "icmp" chain:
Code Block | ||
---|---|---|
| ||
/ip firewall filter add chain=icmp protocol=icmp icmp-options=0:0 action=accept \ comment="echo reply" add chain=icmp protocol=icmp icmp-options=3:0 action=accept \ comment="net unreachable" add chain=icmp protocol=icmp icmp-options=3:1 action=accept \ comment="host unreachable" add chain=icmp protocol=icmp icmp-options=3:4 action=accept \ comment="host unreachable fragmentation required" add chain=icmp protocol=icmp icmp-options=4:0 action=accept \ comment="allow source quench" add chain=icmp protocol=icmp icmp-options=8:0 action=accept \ comment="allow echo request" add chain=icmp protocol=icmp icmp-options=11:0 action=accept \ comment="allow time exceed" add chain=icmp protocol=icmp icmp-options=12:0 action=accept \ comment="allow parameter bad" add chain=icmp action=drop comment="deny all other types" |
...
Protect the router itself
Create an address-list
from which you allow access to the device:
...
Code Block | ||
---|---|---|
| ||
/ipv6 firewall filter add action=accept chain=input comment="allow established and related" connection-state=established,related add chain=input action=accept protocol=icmpv6 comment="accept ICMPv6" add chain=input action=accept protocol=udp port=33434-33534 comment="defconf: accept UDP traceroute" add chain=input action=accept protocol=udp dst-port=546 src-address=fe80::/1610 comment="accept DHCPv6-Client prefix delegation." add action=drop chain=input in-interface=sit1in_interface_name log=yes log-prefix=dropLL_from_public src-address=fe80::/1610 add action=accept chain=input comment="allow allowed addresses" src-address-list=allowed add action=drop chain=input /ipv6 firewall address-list add address=fe80::/16 list=allowed add address=xxxx::/48 list=allowed add address=ff02::/16 comment=multicast list=allowed |
Note |
---|
In certain setups where the DHCPv6 relay is used, the src address of the packets may not be from the link-local range. In that case, the src-address parameter of rule #4 must be removed or adjusted to accept the relay address. |
Protect the LAN devices
Enabled IPv6 puts makes your clients available for from public networks, set make sure to add proper firewall filter rules to protect your customers.
...
Code Block | ||
---|---|---|
| ||
/ipv6 firewall filter add action=accept chain=forward comment=established,related connection-state=established,related add action=drop chain=forward comment=invalid connection-state=invalid log=yes log-prefix=ipv6,invalid add action=accept chain=forward comment=icmpv6 in-interface=!sit1in_interface_name protocol=icmpv6 add action=accept chain=forward comment="local network" in-interface=!sit1in_interface_name src-address-list=allowed add action=drop chain=forward log-prefix=IPV6 |
...