Geekzone: technology news, blogs, forums
578 posts

Ultimate Geek


# 214643 22-May-2017 16:01

Is the default config for a MikroTik now okay to use out of the box?

I recently updated mine to 6.39.1 and the only rule I had to add myself was to block ICMP/ping from WAN.

GRC ShieldsUp is reporting 100% passed.

Connecting via BigPipe (IPoE).

Are there other rules and settings I should be using?
28145 posts

Uber Geek

Moderator
Trusted
Biddle Corp
Lifetime subscriber

  # 1786129 22-May-2017 18:35

The default is fine. I use that along with allowing ICMP and have additional rules to detect and block ICMP flood and SYN flood.


4136 posts

Uber Geek


  # 1786170 22-May-2017 19:55

The biggest thing for us in NZ is the fact that the majority of ISPs require PPPoE and people don't update the rules after making the interface change, then within about half an hour wonder why their router is getting smashed.

As Steve mentioned, adding SYN flood and port scanner detection is a good addition too. I find the IPs that the port scanner rule picks up quite interesting.

Human
2911 posts

Uber Geek

Subscriber

  # 1786799 23-May-2017 14:58

I know there are many different opinions, but can someone please explain to me the benefit of blocking ICMP ping on the WAN interface?
My understanding is that one of the downsides to blocking it is that Path MTU Discovery doesn't work.


3889 posts

Uber Geek


  # 1787068 23-May-2017 20:59

chevrolux:

The biggest thing for us in NZ is the fact that the majority of ISPs require PPPoE and people don't update the rules after making the interface change, then within about half an hour wonder why their router is getting smashed.

As Steve mentioned, adding SYN flood and port scanner detection is a good addition too. I find the IPs that the port scanner rule picks up quite interesting.

Can you post an export?

Promote New Zealand - Get yourself a .kiwi.nz domain name!!!

Check out mine - i.am.a.can.do.kiwi.nz - don@i.am.a.can.do.kiwi.nz


4136 posts

Uber Geek


  # 1787127 23-May-2017 22:20

/ip firewall filter
add chain=input comment="Input. Allow all ICMP" in-interface=pppoe-wan \
    protocol=icmp
add chain=input comment="Input. Allow established/related" connection-state=\
    established,related in-interface=pppoe-wan
add chain=input comment="Allow known hosts." in-interface=pppoe-wan \
    src-address-list=safe-hosts
add action=add-src-to-address-list address-list=port-scanners \
    address-list-timeout=1w chain=input comment="Identify port scanners" \
    in-interface=pppoe-wan protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list=syn-flooders \
    address-list-timeout=30m chain=input comment="SYN flood detector" \
    connection-limit=30,32 in-interface=pppoe-wan protocol=tcp tcp-flags=syn
add action=drop chain=input comment="Drop port scanners" in-interface=\
    pppoe-wan src-address-list=port-scanners
add action=drop chain=input comment="Drop SYN flooders" in-interface=\
    pppoe-wan src-address-list=syn-flooders
add action=drop chain=input comment="Input. Drop All." in-interface=pppoe-wan
add chain=forward comment="Forward. Allow established/related." \
    connection-state=established,related
add action=drop chain=forward comment="Forward. Drop Invalid" \
    connection-state=invalid
add action=drop chain=forward comment="Drop all not dstnat'd" \
    connection-nat-state=!dstnat connection-state=new in-interface=pppoe-wan

Edit: I use "pppoe-wan" for my WAN interface, so obviously substitute that for whatever your WAN interface is.
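The two points made above (rules left pinned to the old interface name after a PPPoE/IPoE change, and the shape of a sane rule set) can be checked mechanically. The script below is an added example, not something posted in this thread or shipped by MikroTik: it parses a RouterOS "/ip firewall filter" export (joining the backslash-continued lines the export uses) and flags rules whose in-interface does not match the real WAN interface, an input chain without a catch-all drop from the WAN, an established/related accept that sits after that drop, and a forward chain with no "not dstnat'd" drop. The embedded export is constructed to mirror the rules above; "ether1-wan" is a hypothetical post-IPoE interface name used only to show the mismatch check firing.

```python
"""Audit a RouterOS '/ip firewall filter' export for the pitfalls raised in
this thread: input-chain rules still pinned to an old WAN interface name
(the PPPoE -> IPoE change), a missing catch-all drop on the input chain, the
established/related accept sitting after that drop, and a forward chain that
lets unsolicited new connections in from the WAN.

Added example, not from the thread. SAMPLE_EXPORT is constructed to mirror
the rule set posted above; "ether1-wan" is a hypothetical post-IPoE name.
"""
import shlex

SAMPLE_EXPORT = r"""
/ip firewall filter
add chain=input comment="Input. Allow all ICMP" in-interface=pppoe-wan \
    protocol=icmp
add chain=input comment="Input. Allow established/related" connection-state=\
    established,related in-interface=pppoe-wan
add action=drop chain=input comment="Input. Drop All." in-interface=pppoe-wan
add chain=forward comment="Forward. Allow established/related." \
    connection-state=established,related
add action=drop chain=forward comment="Forward. Drop Invalid" \
    connection-state=invalid
add action=drop chain=forward comment="Forward. Drop non-dstnat new from WAN" \
    connection-nat-state=!dstnat connection-state=new in-interface=pppoe-wan
"""

# Keys that do not narrow a rule's match; any other key makes it non-catch-all.
NON_MATCHERS = {"action", "chain", "comment", "in-interface"}


def parse_export(text):
    """Join backslash-continued lines, then turn each 'add ...' line into a
    dict of key=value pairs. RouterOS treats a rule with no action as accept."""
    logical, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]        # continuation: glue the next line on directly
            continue
        logical.append(buf + line)
        buf = ""
    rules = []
    for line in logical:
        if not line.startswith("add "):
            continue                # skips the '/ip firewall filter' header
        rule = {"action": "accept"}
        for token in shlex.split(line)[1:]:   # shlex keeps quoted comments whole
            key, _, value = token.partition("=")
            rule[key] = value
        rules.append(rule)
    return rules


def audit(rules, wan_iface):
    """Return (code, rule_index) findings; an empty list means all checks pass."""
    findings = []
    for i, r in enumerate(rules):
        if "in-interface" in r and r["in-interface"] != wan_iface:
            findings.append(("WRONG_WAN_IFACE", i))
    inp = [(i, r) for i, r in enumerate(rules) if r.get("chain") == "input"]
    catch_all = [i for i, r in inp
                 if r["action"] == "drop" and r.get("in-interface") == wan_iface
                 and not (set(r) - NON_MATCHERS)]
    if not catch_all:
        findings.append(("NO_INPUT_CATCHALL_DROP", None))
    est_rel = [i for i, r in inp if r["action"] == "accept"
               and "established" in r.get("connection-state", "")]
    if catch_all and (not est_rel or min(est_rel) > catch_all[0]):
        findings.append(("EST_REL_NOT_BEFORE_DROP", catch_all[0]))
    fwd_guard = [i for i, r in enumerate(rules)
                 if r.get("chain") == "forward" and r["action"] == "drop"
                 and r.get("connection-nat-state") == "!dstnat"
                 and r.get("in-interface") == wan_iface]
    if not fwd_guard:
        findings.append(("NO_FORWARD_DSTNAT_DROP", None))
    return findings


if __name__ == "__main__":
    rules = parse_export(SAMPLE_EXPORT)
    for wan in ("pppoe-wan", "ether1-wan"):
        print(wan, audit(rules, wan) or "clean")
```

Run it against "/export" output from your own router and the interface name you actually see under "/interface print"; with the WAN name still "pppoe-wan" the sample audits clean, and with "ether1-wan" every interface-bound rule is reported, which is exactly the "half an hour later the router is getting smashed" state.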


460 posts

Ultimate Geek


  # 1787131 23-May-2017 22:27

Aaroona:

I know there are many different opinions, but can someone please explain to me the benefit of blocking ICMP ping on the WAN interface?
My understanding is that one of the downsides to blocking it is that Path MTU Discovery doesn't work.

Path MTU discovery uses ICMP packets, but not ICMP ping packets. If you block just the ICMP ping packets, it is unaffected. If you block all ICMP packets, then Path MTU Discovery stops working and also several other subtle things, so it is not recommended to do that. Blocking ICMP ping packets is entirely up to you; I cannot think of anything that is damaged by doing that. I prefer to leave pings enabled myself, as there are times when I need to ping my router from my phone to see if the data networking on the phone is working properly.


For IPv6, ICMPv6 is required for the protocol to work, and there is an RFC that tells you what ICMPv6 packets you should be allowing:


http://www.ietf.org/rfc/rfc4890.txt


Unfortunately, for IPv4 there is no such straightforward set of recommendations and requirements available. I tend to have my routers allow rather than drop ICMP packets. If I find a problem, I can then drop the problem packets if I need to, but I do not then wind up with strange problems caused by the lack of certain ICMP packets.


4136 posts

Uber Geek


  # 1787173 23-May-2017 23:56

We leave ICMP open purely because we use it for basic diagnostics for connection uptime/stability.

By no means a perfect method, but it can be a damn handy quick way to check stuff.


578 posts

Ultimate Geek


  # 1787294 24-May-2017 09:58

Thanks for all that,

Will have to add that filter to my setup.

Changing my BigPipe to connect with IPoE instead of PPPoE has made the setup so much easier after resetting my config.


1878 posts

Uber Geek


  # 1787772 24-May-2017 20:25

If you're not port-forwarding or accepting services to your router from the world (e.g. VPN) there's no need for complicated port-scanner detections or address-list compilations (i.e. poor man's fail2ban) as everything will be blocked anyway under the default config. It's only useful maybe if you're curious or if there's a risk that someone may detect an active port forward and start abusing it. That has the presumption that they will port scan before trying said open ports in the first place.

Also, instead of blindly accepting ICMP, use the following:

/ip firewall filter
add chain=input protocol=icmp limit=50/5s,2 comment="Allow limited pings"
add chain=input protocol=icmp action=drop comment="Drop excess pings"
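To see what "limit=50/5s,2" actually lets through, the model below is an added example (not from this thread and not MikroTik code): it treats the matcher as the netfilter-style token bucket RouterOS documents, refilling at the average rate (50 per 5 s, i.e. 10 per second) and holding at most "burst" (2) tokens, and classifies a constructed arrival sequence (a 20-packet ping flood at 10 ms spacing, then one ordinary ping a second later) as matching the accept rule or falling through to the drop rule. The assumption that RouterOS's limit behaves exactly like this model, and the spec forms handled (count[/time],burst without the optional :mode suffix), are mine.

```python
"""Model of how the 'limit=50/5s,2' matcher in the rules above treats a run
of echo requests: a token bucket that refills at the average rate (50 per
5 s, i.e. 10/s) and holds at most 'burst' (2) tokens, so a packet matches
the accept rule only while a whole token is available and otherwise falls
through to the drop rule.

Added example, not from the thread. Assumption: RouterOS's limit matcher
follows the netfilter 'limit' token-bucket semantics modelled here; the
arrival times are constructed.
"""
from fractions import Fraction

UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600}


def parse_limit(spec):
    """'50/5s,2' -> (tokens per second as a Fraction, burst). A bare count
    with no '/time' means per second. The optional ':mode' suffix is not handled."""
    rate_part, burst = spec.split(",")
    count, _, window = rate_part.partition("/")
    seconds = int(window[:-1]) * UNIT_SECONDS[window[-1]] if window else 1
    return Fraction(int(count), seconds), int(burst)


def classify(arrival_ms, spec):
    """Return 'accept' or 'drop' for each arrival time (milliseconds, sorted).
    Exact Fraction arithmetic avoids float drift around the 1-token threshold."""
    rate, burst = parse_limit(spec)
    tokens = Fraction(burst)               # bucket starts full
    last = Fraction(arrival_ms[0], 1000) if arrival_ms else Fraction(0)
    verdicts = []
    for ms in arrival_ms:
        now = Fraction(ms, 1000)
        tokens = min(Fraction(burst), tokens + (now - last) * rate)
        last = now
        if tokens >= 1:
            tokens -= 1
            verdicts.append("accept")
        else:
            verdicts.append("drop")
    return verdicts


# Constructed traffic: a 20-packet ping flood at 10 ms spacing, then one
# ordinary ping a full second after the flood ends.
FLOOD_MS = [10 * i for i in range(20)] + [190 + 1000]


def summary(spec="50/5s,2", arrival_ms=FLOOD_MS):
    """(accepted, dropped) counts for the given limit spec and arrivals."""
    verdicts = classify(arrival_ms, spec)
    return verdicts.count("accept"), verdicts.count("drop")


if __name__ == "__main__":
    for ms, verdict in zip(FLOOD_MS, classify(FLOOD_MS, "50/5s,2")):
        print(f"{ms:5d} ms  {verdict}")
    print("accepted/dropped:", summary())
```

With these numbers the flood gets the two burst tokens plus one refill token through (three of twenty packets) while the rest hit the drop rule, and the lone ping a second later is accepted because the bucket has refilled, which is the behaviour you want from a rate limit: normal diagnostics keep working, a flood is clipped to the average rate.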
