Topic # 214643 22-May-2017 16:01

Is the default config for a MikroTik now okay to use out of the box?

I recently updated mine to 6.39.1 and the only rule I had to add myself was to block ICMP/ping from the WAN.

GRC ShieldsUP is reporting 100% Passed.

Connecting via BigPipe (IPoE).

Are there other rules and settings I should be using?

  Reply # 1786129 22-May-2017 18:35

The default is fine. I use that along with allowing ICMP and have additional rules to detect and block ICMP flood and SYN flood.

  Reply # 1786170 22-May-2017 19:55

The biggest thing for us in NZ is the fact that the majority of ISPs require PPPoE and people don't update the rules after making the interface change, then within about half an hour wonder why their router is getting smashed.

As Steve mentioned, adding SYN flood and port scanner detection is a good addition too. I find the IPs that the port scanner rule picks up quite interesting.

  Reply # 1786799 23-May-2017 14:58

I know there are many different opinions, but can someone please explain to me the benefit of blocking ICMP ping on the WAN interface?
My understanding is that one of the downsides to blocking it is that Path MTU Discovery doesn't work.

  Reply # 1787068 23-May-2017 20:59

chevrolux:

The biggest thing for us in NZ is the fact that the majority of ISPs require PPPoE and people don't update the rules after making the interface change, then within about half an hour wonder why their router is getting smashed.

As Steve mentioned, adding SYN flood and port scanner detection is a good addition too. I find the IPs that the port scanner rule picks up quite interesting.

Can you post an export?

Promote New Zealand - Get yourself a .kiwi.nz domain name!!!

Check out mine - i.am.a.can.do.kiwi.nz - don@i.am.a.can.do.kiwi.nz

  Reply # 1787127 23-May-2017 22:20

/ip firewall filter
add chain=input comment="Input. Allow all ICMP" in-interface=pppoe-wan \
    protocol=icmp
add chain=input comment="Input. Allow established/related" connection-state=\
    established,related in-interface=pppoe-wan
add chain=input comment="Allow known hosts." in-interface=pppoe-wan \
    src-address-list=safe-hosts
add action=add-src-to-address-list address-list=port-scanners \
    address-list-timeout=1w chain=input comment="Identify port scanners" \
    in-interface=pppoe-wan protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list=syn-flooders \
    address-list-timeout=30m chain=input comment="SYN flood detector" \
    connection-limit=30,32 in-interface=pppoe-wan protocol=tcp tcp-flags=syn
add action=drop chain=input comment="Drop port scanners" in-interface=\
    pppoe-wan src-address-list=port-scanners
add action=drop chain=input comment="Drop SYN flooders" in-interface=\
    pppoe-wan src-address-list=syn-flooders
add action=drop chain=input comment="Input. Drop All." in-interface=pppoe-wan
add chain=forward comment="Forward. Allow established/related." \
    connection-state=established,related
add action=drop chain=forward comment="Forward. Drop Invalid" \
    connection-state=invalid
add action=drop chain=forward comment="Drop all not dstnat'd" \
    connection-nat-state=!dstnat connection-state=new in-interface=pppoe-wan

Edit: I use "pppoe-wan" for my WAN interface, so obviously substitute whatever your WAN interface is.

  Reply # 1787131 23-May-2017 22:27

Aaroona:

I know there are many different opinions, but can someone please explain to me the benefit of blocking ICMP ping on the WAN interface?
My understanding is that one of the downsides to blocking it is that Path MTU Discovery doesn't work.

Path MTU Discovery uses ICMP packets, but not ICMP ping packets. If you block just the ICMP ping packets, it is unaffected. If you block all ICMP packets, then Path MTU Discovery stops working, and also several other subtle things, so it is not recommended to do that. Blocking ICMP ping packets is entirely up to you; I cannot think of anything that is damaged by doing that. I prefer to leave pings enabled myself, as there are times when I need to ping my router from my phone to see if the data networking on the phone is working properly.

For IPv6, ICMPv6 is required for the protocol to work, and there is an RFC that tells you what ICMPv6 packets you should be allowing:

http://www.ietf.org/rfc/rfc4890.txt

Unfortunately, for IPv4 there is no such straightforward set of recommendations and requirements available. I tend to have my routers allow rather than drop ICMP packets. If I find a problem, I can then drop the problem packets if I need to, but I do not then wind up with strange problems caused by the lack of certain ICMP packets.

  Reply # 1787173 23-May-2017 23:56

We leave ICMP open purely because we use it for basic diagnostics for connection uptime/stability.

By no means a perfect method, but it can be a damn handy quick way to check stuff.

  Reply # 1787294 24-May-2017 09:58

Thanks for all that.

Will have to add that filter to my setup.

Changing my BigPipe to connect with IPoE instead of PPPoE has made the setup so much easier after resetting my config.

  Reply # 1787772 24-May-2017 20:25

If you're not port-forwarding or accepting services to your router from the world (e.g. VPN) there's no need for complicated port-scanner detections or address-list compilations (i.e. a poor man's fail2ban), as everything will be blocked anyway under the default config. It's only useful maybe if you're curious or if there's a risk that someone may detect an active port forward and start abusing it. That has the presumption that they will port scan before trying said open ports in the first place.

Also, instead of blindly accepting ICMP, use the following:

/ip firewall filter
add chain=input protocol=icmp limit=50/5s,2 comment="Allow limited pings"
add chain=input protocol=icmp action=drop comment="Drop excess pings"
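The following checker is an added example, not code from Geekzone, any of the posters, or MikroTik. It parses a RouterOS `/ip firewall filter` export in the format posted earlier in this thread and flags the pitfalls the replies raise: rules still naming the pre-PPPoE interface (chevrolux's "router getting smashed" scenario), an input chain that does not end in a drop, and ICMP accepted without the `limit=` matcher from the rules just above. The embedded exports are constructed from the posted rules, with one interface name deliberately left stale; `parse_export`, `lint` and the finding tags are names I chose for this example.

```python
"""Lint a RouterOS '/ip firewall filter' export for the pitfalls raised in this thread.

Added example (not code from Geekzone, the posters, or MikroTik). Three checks:
  * every rule with an in-interface matcher names the real WAN interface, which
    catches rules left pointing at the old interface after an ISP move to PPPoE;
  * the input chain ends in a drop with no matcher beyond the WAN interface;
  * any input rule accepting ICMP carries a limit= matcher rather than accepting blindly.
"""
import re
from typing import Dict, List

Rule = Dict[str, str]

# Constructed sample: a cut-down version of the export posted above, with the
# established/related rule deliberately left on "ether1" (a stale pre-PPPoE name)
# and ICMP accepted without a limit.
SAMPLE_EXPORT = r"""
/ip firewall filter
add chain=input comment="Input. Allow all ICMP" in-interface=pppoe-wan \
    protocol=icmp
add chain=input comment="Input. Allow established/related" connection-state=\
    established,related in-interface=ether1
add action=add-src-to-address-list address-list=port-scanners \
    address-list-timeout=1w chain=input comment="Identify port scanners" \
    in-interface=pppoe-wan protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="Drop port scanners" in-interface=\
    pppoe-wan src-address-list=port-scanners
add action=drop chain=input comment="Input. Drop All." in-interface=pppoe-wan
add chain=forward comment="Forward. Allow established/related." \
    connection-state=established,related
add action=drop chain=forward comment="Drop all not dstnat'd" \
    connection-nat-state=!dstnat connection-state=new in-interface=pppoe-wan
"""

# Constructed sample with both problems fixed, using the rate-limited ICMP pair
# from the last reply in the thread.
FIXED_EXPORT = r"""
/ip firewall filter
add chain=input comment="Allow limited pings" in-interface=pppoe-wan \
    limit=50/5s,2 protocol=icmp
add action=drop chain=input comment="Drop excess pings" in-interface=pppoe-wan \
    protocol=icmp
add chain=input comment="Allow established/related" connection-state=\
    established,related in-interface=pppoe-wan
add action=drop chain=input comment="Input. Drop All." in-interface=pppoe-wan
"""

# key=value, where value is either a double-quoted string or a bare token
_KV = re.compile(r'([\w-]+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_export(text: str) -> List[Rule]:
    """Return one {matcher: value} dict per 'add' line, folding backslash continuations."""
    joined = re.sub(r"\\\n\s*", "", text)
    rules: List[Rule] = []
    for line in joined.splitlines():
        line = line.strip()
        if not line.startswith("add "):
            continue
        rule: Rule = {"action": "accept"}   # RouterOS default when action= is omitted
        for key, value in _KV.findall(line[4:]):
            rule[key] = value[1:-1] if value.startswith('"') else value
        rules.append(rule)
    return rules


# Matchers a final "drop everything else" rule may carry and still count as unconditional.
_UNCONDITIONAL = {"chain", "action", "comment", "in-interface"}


def lint(text: str, wan: str) -> List[str]:
    """Return findings tagged STALE_IFACE / NO_INPUT_DROP / UNLIMITED_ICMP; [] means clean."""
    rules = parse_export(text)
    findings: List[str] = []
    # 1. Rules bound to an interface that is not the current WAN interface.
    for n, r in enumerate(rules, 1):
        iface = r.get("in-interface")
        if iface and iface != wan:
            findings.append(f"STALE_IFACE rule {n} ({r.get('comment', '')!r}) "
                            f"matches {iface} but WAN is {wan}")
    # 2. The input chain must close with a plain drop.
    inputs = [r for r in rules if r.get("chain") == "input"]
    last = inputs[-1] if inputs else None
    if last is None or last["action"] != "drop" or set(last) - _UNCONDITIONAL:
        findings.append("NO_INPUT_DROP input chain does not end in a plain drop")
    # 3. ICMP accepted on input without a rate limit.
    for n, r in enumerate(rules, 1):
        if (r.get("chain") == "input" and r.get("protocol") == "icmp"
                and r["action"] == "accept" and "limit" not in r):
            findings.append(f"UNLIMITED_ICMP rule {n} accepts ICMP with no limit=")
    return findings


if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_EXPORT), ("fixed", FIXED_EXPORT)):
        print(name, lint(text, "pppoe-wan") or "clean")
```

Run it against the output of `/ip firewall filter export` from a real router, passing the interface you actually use for the WAN; the stale-interface check is the one that matters most after an ISP switches you to or from PPPoE, because a rule that no longer matches any traffic fails open, not closed.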
