Friday, 4 March 2016

Mikrotik basic firewall configuration script

In this blog I would like to post my standard basic configuration for firewall. These rules are good for home use and a baseline for building your own custom configuration.

What this firewall will do:

- Allow traffic from the internal network to the outside, and back in for established and related connections.
- Allow SSH and WinBox access to the router only from the internal network.
- Drop invalid connections coming in on the WAN port.
- Allow DNS remote requests to the router only from the internal network.
- Detect port scanners on your WAN interface and put them on a list for 2 weeks, blocking traffic from their IP to your WAN interface.
- Block PING to the router except from the internal network.
- Finally, drop all other input and forward chain traffic.


The configuration in this TXT will first rename the ether1 interface to WAN and create an address list named "Internal network" that is used throughout the rules. If you decide not to rename your WAN interface, you must adjust the rules accordingly. I use the default subnet 192.168.88.0/24, so if you use a different one, adjust the rules.

You can get the rules at this link: Firewall config TXT

If you are new to Mikrotik, I suggest making the default configuration through QuickSet, then wiping all the rules in the firewall and pasting my configuration into the terminal.

NOTE: The "block DNS remote requests" rule is there because the Mikrotik default configuration allows DNS remote requests on the input chain, meaning you are open to DNS amplification attacks and some hacker can use your router to relay his dastardly deeds.
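As an added example (not the author's linked TXT, whose exact contents are not on this page), here is a RouterOS filter configuration that implements the rules listed above. It assumes ether1 is the WAN uplink, the LAN is 192.168.88.0/24, and the srcnat masquerade rule created by QuickSet is left in place. The address list name "Internal network" comes from the post; the "port scanners" list name, the psd thresholds, and the rule comments are my own choices, and WinBox is taken to be on its default TCP port 8291.

```routeros
# Added example, not the author's configuration file. Assumes: ether1 = WAN uplink,
# LAN = 192.168.88.0/24, QuickSet's srcnat masquerade rule is kept.

# Rename the uplink and create the address list used by the rules below
/interface ethernet set [ find default-name=ether1 ] name=WAN
/ip firewall address-list add list="Internal network" address=192.168.88.0/24 \
    comment="LAN subnet (adjust if you do not use the default)"

# Start from an empty filter table (run only after QuickSet has finished)
/ip firewall filter remove [ find ]

/ip firewall filter
# ---- input chain: traffic addressed to the router itself ----
add chain=input action=accept connection-state=established,related \
    comment="accept established/related (also covers ICMP errors for our own flows)"
add chain=input action=drop connection-state=invalid in-interface=WAN \
    comment="drop invalid packets arriving on WAN"
add chain=input action=drop src-address-list="port scanners" \
    comment="drop anything from already-detected port scanners"
add chain=input action=add-src-to-address-list protocol=tcp psd=21,3s,3,1 \
    in-interface=WAN address-list="port scanners" address-list-timeout=2w \
    comment="detect port scans on WAN and list the source for 2 weeks"
add chain=input action=accept protocol=icmp src-address-list="Internal network" \
    comment="ping to router only from LAN"
add chain=input action=accept protocol=tcp dst-port=22,8291 \
    src-address-list="Internal network" comment="SSH and WinBox only from LAN"
add chain=input action=accept protocol=udp dst-port=53 \
    src-address-list="Internal network" comment="DNS queries to router only from LAN"
add chain=input action=accept protocol=tcp dst-port=53 \
    src-address-list="Internal network"
add chain=input action=drop protocol=udp dst-port=53 in-interface=WAN \
    comment="block DNS remote requests (no open resolver on WAN)"
add chain=input action=drop protocol=tcp dst-port=53 in-interface=WAN
add chain=input action=drop comment="drop all other input"

# ---- forward chain: traffic routed through the router ----
add chain=forward action=accept connection-state=established,related
add chain=forward action=drop connection-state=invalid in-interface=WAN
add chain=forward action=accept src-address-list="Internal network" \
    out-interface=WAN comment="LAN to Internet"
add chain=forward action=drop comment="drop all other forward"
```

Rule order matters: the established/related accept sits first so return traffic (including ICMP errors for your own connections) is never evaluated against the later drops, and the "port scanners" drop precedes the detection rule so a listed host is dropped before it can trigger anything else. Paste this from a session on the LAN side, and consider enabling Safe Mode (Ctrl-X in the terminal) first so the router reverts the changes if you lock yourself out.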

May the force be with you all :)
