Geekzone: technology news, blogs, forums

skewt (667 posts, Ultimate Geek)
#214643 22-May-2017 16:01

Is the default config for a mikrotik now okay to use out of the box?

I recently updated mine to 6.39.1 and the only rule I had to block myself was block ICMP/Ping from WAN.

GRC ShieldsUp is reporting 100% Passed.

Connecting via BigPipe (IPoE).

Are there other rules and settings I should be using?

sbiddle (30853 posts, Uber Geek, Retired Mod)
#1786129 22-May-2017 18:35

The default is fine. I use that along with allowing ICMP and have additional rules to detect and block ICMP flood and SYN flood.


chevrolux (4962 posts, Uber Geek, Inactive user)
#1786170 22-May-2017 19:55

The biggest thing for us in NZ is the fact that the majority of ISPs require PPPoE, and people don't update the rules after making the interface change, then within about half an hour wonder why their router is getting smashed.

As Steve mentioned, adding SYN flood and port scanner detection is a good addition too. I find the IPs that the port scanner rule picks up quite interesting.


Aaroona (3065 posts, Uber Geek)
#1786799 23-May-2017 14:58

I know there are many different opinions - but can someone please explain to me the benefit of blocking ICMP ping on the WAN interface?
My understanding is that one of the down sides to blocking it is that Path MTU Discovery doesn't work.


DonGould (3892 posts, Uber Geek)
#1787068 23-May-2017 20:59

chevrolux:

The biggest thing for us in NZ is the fact that the majority of ISPs require PPPoE, and people don't update the rules after making the interface change, then within about half an hour wonder why their router is getting smashed.

As Steve mentioned, adding SYN flood and port scanner detection is a good addition too. I find the IPs that the port scanner rule picks up quite interesting.

Can you post an export?


chevrolux (4962 posts, Uber Geek, Inactive user)
#1787127 23-May-2017 22:20

/ip firewall filter
add chain=input comment="Input. Allow all ICMP" in-interface=pppoe-wan \
protocol=icmp
add chain=input comment="Input. Allow established/related" connection-state=\
established,related in-interface=pppoe-wan
add chain=input comment="Allow known hosts." in-interface=pppoe-wan \
src-address-list=safe-hosts
add action=add-src-to-address-list address-list=port-scanners \
address-list-timeout=1w chain=input comment="Identify port scanners" \
in-interface=pppoe-wan protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list=syn-flooders \
address-list-timeout=30m chain=input comment="SYN flood detector" \
connection-limit=30,32 in-interface=pppoe-wan protocol=tcp tcp-flags=syn
add action=drop chain=input comment="Drop port scanners" in-interface=\
pppoe-wan src-address-list=port-scanners
add action=drop chain=input comment="Drop SYN flooders" in-interface=\
pppoe-wan src-address-list=syn-flooders
add action=drop chain=input comment="Input. Drop All." in-interface=pppoe-wan
add chain=forward comment="Forward. Allow established/related." \
connection-state=established,related
add action=drop chain=forward comment="Forward. Drop Invalid" \
connection-state=invalid
add action=drop chain=forward comment="Drop all not dstnat'd" \
connection-nat-state=!dstnat connection-state=new in-interface=pppoe-wan

 

 

Edit: I use "pppoe-wan" for my WAN interface, so obviously substitute that for whatever your WAN interface is.
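The export above is pinned to one interface name, and the failure chevrolux describes earlier in the thread (switching from PPPoE to IPoE and leaving the rules pointing at the old interface) is easy to check for mechanically. The following is an added example, not code from this thread or from MikroTik: it parses a RouterOS filter export (rejoining the backslash-wrapped lines), flags every rule whose in-interface is not the router's real WAN interface, checks that the input chain still ends in a drop and that the forward chain still drops new non-dst-nat'd WAN connections, and rewrites the interface name. The embedded export is chevrolux's ruleset used as constructed input; the interface name "ether1" is an assumed example of a renamed WAN.

```python
"""Audit a RouterOS '/ip firewall filter' export for WAN interface mismatches.

Added example for this thread; it is not code from Geekzone or from MikroTik.
The embedded export is the ruleset posted above (constructed input). The audit
finds rules still pinned to an old WAN interface name, which is what breaks
when someone changes from PPPoE to IPoE without updating the firewall.
"""
import re
import shlex

# Constructed input: the posted export, with pppoe-wan as the WAN interface.
EXPORT = r"""/ip firewall filter
add chain=input comment="Input. Allow all ICMP" in-interface=pppoe-wan \
protocol=icmp
add chain=input comment="Input. Allow established/related" connection-state=\
established,related in-interface=pppoe-wan
add chain=input comment="Allow known hosts." in-interface=pppoe-wan \
src-address-list=safe-hosts
add action=add-src-to-address-list address-list=port-scanners \
address-list-timeout=1w chain=input comment="Identify port scanners" \
in-interface=pppoe-wan protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list=syn-flooders \
address-list-timeout=30m chain=input comment="SYN flood detector" \
connection-limit=30,32 in-interface=pppoe-wan protocol=tcp tcp-flags=syn
add action=drop chain=input comment="Drop port scanners" in-interface=\
pppoe-wan src-address-list=port-scanners
add action=drop chain=input comment="Drop SYN flooders" in-interface=\
pppoe-wan src-address-list=syn-flooders
add action=drop chain=input comment="Input. Drop All." in-interface=pppoe-wan
add chain=forward comment="Forward. Allow established/related." \
connection-state=established,related
add action=drop chain=forward comment="Forward. Drop Invalid" \
connection-state=invalid
add action=drop chain=forward comment="Drop all not dstnat'd" \
connection-nat-state=!dstnat connection-state=new in-interface=pppoe-wan
"""


def join_continuations(text):
    """RouterOS exports wrap long commands with a trailing backslash; rejoin them."""
    commands, pending = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("\\"):
            pending += line[:-1]  # keep the text, drop the continuation marker
            continue
        commands.append(pending + line)
        pending = ""
    return commands


def parse_rules(text):
    """Turn each 'add key=value ...' command into a dict; action defaults to accept."""
    rules = []
    for cmd in join_continuations(text):
        if not cmd.startswith("add "):
            continue  # skips the '/ip firewall filter' path line
        rule = {"action": "accept"}  # RouterOS accepts when no action is given
        for token in shlex.split(cmd[4:]):  # shlex handles the quoted comments
            key, _, value = token.partition("=")
            rule[key] = value
        rules.append(rule)
    return rules


def audit(rules, wan_interface):
    """Return a list of findings; an empty list means the ruleset fits this WAN."""
    findings = []
    for n, rule in enumerate(rules, 1):
        iface = rule.get("in-interface")
        if iface is not None and iface != wan_interface:
            findings.append(f"rule {n} ({rule.get('comment', 'no comment')}): "
                            f"in-interface={iface}, but the WAN interface is {wan_interface}")
    input_rules = [r for r in rules if r.get("chain") == "input"]
    if not input_rules or input_rules[-1]["action"] != "drop":
        findings.append("input chain does not end with a drop rule")
    if not any(r.get("chain") == "forward" and r["action"] == "drop"
               and r.get("connection-nat-state") == "!dstnat" for r in rules):
        findings.append("forward chain does not drop new WAN connections that were not dst-nat'd")
    return findings


def rewrite_interface(text, old, new):
    """Return the export with every in-interface=old changed to new (continuations joined)."""
    pattern = re.compile(rf"in-interface={re.escape(old)}(?=\s|$)")
    return "\n".join(pattern.sub(f"in-interface={new}", cmd)
                     for cmd in join_continuations(text)) + "\n"


if __name__ == "__main__":
    rules = parse_rules(EXPORT)
    print(f"parsed {len(rules)} rules")
    for wan in ("pppoe-wan", "ether1"):  # ether1 stands in for a renamed/IPoE WAN
        print(f"\naudit against WAN interface {wan}:")
        for finding in audit(rules, wan) or ["ok"]:
            print("  ", finding)
    fixed = rewrite_interface(EXPORT, "pppoe-wan", "ether1")
    print("\nafter rewrite:", audit(parse_rules(fixed), "ether1") or "ok")
```

Running it against the real interface name reports nothing; running it against "ether1" lists all nine rules that would silently stop matching after an interface change, which is exactly the case where the WAN traffic then reaches the router unfiltered.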


fe31nz (815 posts, Ultimate Geek)
#1787131 23-May-2017 22:27

Aaroona:

I know there are many different opinions - but can someone please explain to me the benefit of blocking ICMP ping on the WAN interface?
My understanding is that one of the down sides to blocking it is that Path MTU Discovery doesn't work.

Path MTU discovery uses ICMP packets, but not ICMP Ping packets.  If you block just the ICMP Ping packets, it is unaffected.  If you block all ICMP packets, then Path MTU Discovery stops working and also several other subtle things, so it is not recommended to do that.  Blocking ICMP Ping packets is entirely up to you - I can not think of anything that is damaged by doing that.  I prefer to leave pings enabled myself, as there are times when I need to ping my router from my phone to see if the data networking on the phone is working properly.

 

For IPv6, ICMPv6 is required for the protocol to work, and there is an RFC that tells you what ICMPv6 packets you should be allowing:

http://www.ietf.org/rfc/rfc4890.txt

Unfortunately, for IPv4 there is no such straightforward set of recommendations and requirements available. I tend to have my routers allow rather than drop ICMP packets. If I find a problem, I can then drop the problem packets if I need to, but I do not then wind up with strange problems caused by the lack of certain ICMP packets.


chevrolux (4962 posts, Uber Geek, Inactive user)
#1787173 23-May-2017 23:56

We leave ICMP open purely because we use it for basic diagnostics for connection uptime/stability.

By no means a perfect method, but it can be a damn handy quick way to check stuff.



skewt (667 posts, Ultimate Geek)
#1787294 24-May-2017 09:58

Thanks for all that,

Will have to add that filter to my setup.

Changing my BigPipe to connect with IPoE instead of PPPoE has made the setup so much easier after resetting my config.


MadEngineer (3007 posts, Uber Geek, Trusted)
#1787772 24-May-2017 20:25

If you're not port-forwarding or accepting services to your router from the world (e.g. VPN) there's no need for complicated port-scanner detections or address-list compilations (i.e. a poor man's fail2ban) as everything will be blocked anyway under the default config. It's only useful maybe if you're curious or if there's a risk that someone may detect an active port forward and start abusing it. That has the presumption that they will port scan before trying said open ports in the first place.

 

 

 

Also, instead of blindly accepting ICMP, use the following:

/ip firewall filter
add chain=input protocol=icmp limit=50/5s,2 comment="Allow limited pings"
add chain=input protocol=icmp action=drop comment="Drop excess pings"
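To see what those two rules actually do to traffic, here is an added example that is not code from this thread or from MikroTik. It models RouterOS's limit matcher as a token bucket, which is an assumption about its internals rather than documented behaviour: "50/5s,2" is read as a refill rate of 50 tokens per 5 s (10 per second) with a bucket that holds at most 2 tokens, so an echo request that finds a token matches the "Allow limited pings" rule and anything else falls through to "Drop excess pings". The traffic (a phone pinging once a second, then 200 echo requests in one second) is constructed for the example.

```python
"""Simulate the two-rule ICMP limit posted above over constructed traffic.

Added example for this thread; it is not code from Geekzone or from MikroTik.
The limit matcher is modelled as a token bucket (an assumption about RouterOS
internals): 'limit=50/5s,2' becomes 10 tokens per second with a 2-token bucket.
"""
import re
from dataclasses import dataclass, field

UNIT_SECONDS = {"ms": 0.001, "s": 1.0, "m": 60.0, "h": 3600.0}


def parse_limit(spec):
    """Parse a RouterOS limit value such as '50/5s,2' into (tokens per second, burst)."""
    rate_part, burst = spec.split(",")
    count, period = rate_part.split("/")
    match = re.fullmatch(r"(\d+)(ms|s|m|h)", period)
    if match is None:
        raise ValueError(f"unsupported period: {period}")
    seconds = int(match.group(1)) * UNIT_SECONDS[match.group(2)]
    return int(count) / seconds, int(burst)


@dataclass
class TokenBucket:
    rate: float   # tokens added per second
    burst: int    # maximum tokens the bucket holds
    tokens: float = field(init=False)
    last: float = field(init=False, default=0.0)

    def __post_init__(self):
        self.tokens = float(self.burst)  # the bucket starts full

    def take(self, now):
        """Refill for the elapsed time, then spend one token if one is available."""
        self.tokens = min(float(self.burst), self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def apply_rules(spec, arrivals):
    """Verdict ('accept' or 'drop') for each echo request arrival time, in seconds."""
    bucket = TokenBucket(*parse_limit(spec))
    return ["accept" if bucket.take(t) else "drop" for t in arrivals]


def summarize(spec, arrivals):
    """Count how many arrivals matched the limit rule and how many fell through to drop."""
    verdicts = apply_rules(spec, arrivals)
    return {"accept": verdicts.count("accept"), "drop": verdicts.count("drop")}


# Constructed traffic: a normal 'ping' from a phone, then a flood inside one second.
NORMAL_PING = [float(i) for i in range(5)]        # one echo request per second
FLOOD = [10.0 + i * 0.005 for i in range(200)]    # 200 echo requests in one second

if __name__ == "__main__":
    for name, arrivals in (("normal ping", NORMAL_PING), ("flood", FLOOD)):
        print(name, summarize("50/5s,2", arrivals))
```

The ordinary one-per-second ping is never touched, while the flood gets the first couple of packets plus roughly ten per second through and the rest dropped, which is the point of pairing the limited accept with the drop rather than accepting all ICMP.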



