Answer the question
In order to leave comments, you need to log in
H
H
HeroFromEarth2016-07-07 23:00:43
HeroFromEarth, 2016-07-07 23:00:43
Firewall setup on home MikroTik?
I was puzzled by the security of my home router. Alas, I may not know some subtleties, so I ask for help and advice regarding the settings. Export from firewall:
/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=\
established,related
add chain=forward connection-state=established,related
add chain=input connection-state=established,related in-interface=\
ether1-gateway
add action=reject chain=input connection-state=new in-interface=ether1-gateway
add action=drop chain=input connection-state=invalid in-interface=\
ether1-gateway
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1-gatewayAt the same time, access to the router is only through Winbox (I plan to close it) and SSH (by key) from internal IPs:
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh address=192.168.0.0/26,192.168.56.0/24
set api disabled=yes
set winbox address=192.168.0.0/26,192.168.56.0/24
set api-ssl disabled=yesThe goal is maximum speed and so that no one from the outside crawls into my network. Any comments?
2 answer(s)
@HeroFromEarth
If you are not sure, then it is better not to touch the forward chain in the filter, especially since you most likely have forward that is only traffic that falls under NAT
Everything is correct here, all traffic that will fall under the following rules will be connection-state = new
By specifying reject, you make it clear to the attacker that the ports are closed, reject is best done on the internal network or towards partners, but definitely not for traffic towards the Internet!
This rule should be the very first one, since this is invalid traffic, it makes sense to strain the filter if we know in advance that this traffic is not needed.
With such a configured filter, Mikrotik is in the most secure mode.
if you need to open a port to access Mikrotik, then you create a rule above the last rule.
If you will open ssh to Mikrotik, then read this article wiki.mikrotik.com/wiki/Bruteforce_login_prevention
Everything else, such as /ip service - this is all from the evil one, at any time it may turn out that you need access to ssh from most unpredictable place.
if you really want not to open ports to everyone at all, then we read about port Knocking herewiki.mikrotik.com/wiki/Port_Knocking
K
Kirill Vasiliev, 2016-07-08 @HeroFromEarth
as usual, tin in the answers, and now in essence, namely, according to your config
add action=fasttrack-connection chain=forward connection-state=established,related
add chain=forward connection-state=established,relatedIf you are not sure, then it is better not to touch the forward chain in the filter, especially since you most likely have forward that is only traffic that falls under NAT
Everything is correct here, all traffic that will fall under the following rules will be connection-state = new
By specifying reject, you make it clear to the attacker that the ports are closed, reject is best done on the internal network or towards partners, but definitely not for traffic towards the Internet!
This rule should be the very first one, since this is invalid traffic, it makes sense to strain the filter if we know in advance that this traffic is not needed.
With such a configured filter, Mikrotik is in the most secure mode.
if you need to open a port to access Mikrotik, then you create a rule above the last rule.
If you will open ssh to Mikrotik, then read this article wiki.mikrotik.com/wiki/Bruteforce_login_prevention
Everything else, such as /ip service - this is all from the evil one, at any time it may turn out that you need access to ssh from most unpredictable place.
if you really want not to open ports to everyone at all, then we read about port Knocking herewiki.mikrotik.com/wiki/Port_Knocking
Similar questions
A
Y
M
D
S
Didn't find what you were looking for?
Ask your questionAsk a Question
731 491 924 answers to any question