Mikrotik- Default firewall rules missing

Googling took me to this forum thread: https://forum.mikrotik.com/viewtopic.php?t=175459

And in it is a reference to the command: /system default-configuration print

On my RB5009 this dumps out the default configuration for it including default firewall rules.

Its quite a long script with some options. I'm happy to send it to you if you want. That said the default firewall rules/commands are:

/interface list member add list=LAN interface=bridge comment="defconf"

/interface list member add list=WAN interface=ether1 comment="defconf"

/ip firewall nat add chain=srcnat out-interface-list=WAN ipsec-policy=out,none action=masquerade comment="defconf: masquerade"

/ip firewall {

filter add chain=input action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"

filter add chain=input action=drop connection-state=invalid comment="defconf: drop invalid"

filter add chain=input action=accept protocol=icmp comment="defconf: accept ICMP"

filter add chain=input action=accept dst-address=127.0.0.1 comment="defconf: accept to local loopback (for CAPsMAN)"

filter add chain=input action=drop in-interface-list=!LAN comment="defconf: drop all not coming from LAN"

filter add chain=forward action=accept ipsec-policy=in,ipsec comment="defconf: accept in ipsec policy"

filter add chain=forward action=accept ipsec-policy=out,ipsec comment="defconf: accept out ipsec policy"

filter add chain=forward action=fasttrack-connection connection-state=established,related comment="defconf: fasttrack"

filter add chain=forward action=accept connection-state=established,related,untracked comment="defconf: accept established,related, untracked"

filter add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"

filter add chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN comment="defconf: drop all from WAN not DSTNATed"

}

/ipv6 firewall {

address-list add list=bad_ipv6 address=::/128 comment="defconf: unspecified address"

address-list add list=bad_ipv6 address=::1 comment="defconf: lo"

address-list add list=bad_ipv6 address=fec0::/10 comment="defconf: site-local"

address-list add list=bad_ipv6 address=::ffff:0:0/96 comment="defconf: ipv4-mapped"

address-list add list=bad_ipv6 address=::/96 comment="defconf: ipv4 compat"

address-list add list=bad_ipv6 address=100::/64 comment="defconf: discard only "

address-list add list=bad_ipv6 address=2001:db8::/32 comment="defconf: documentation"

address-list add list=bad_ipv6 address=2001:10::/28 comment="defconf: ORCHID"

address-list add list=bad_ipv6 address=3ffe::/16 comment="defconf: 6bone"

filter add chain=input action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"

filter add chain=input action=drop connection-state=invalid comment="defconf: drop invalid"

filter add chain=input action=accept protocol=icmpv6 comment="defconf: accept ICMPv6"

filter add chain=input action=accept protocol=udp dst-port=33434-33534 comment="defconf: accept UDP traceroute"

filter add chain=input action=accept protocol=udp dst-port=546 src-address=fe80::/10 comment="defconf: accept DHCPv6-Client prefix delegation."

filter add chain=input action=accept protocol=udp dst-port=500,4500 comment="defconf: accept IKE"

filter add chain=input action=accept protocol=ipsec-ah comment="defconf: accept ipsec AH"

filter add chain=input action=accept protocol=ipsec-esp comment="defconf: accept ipsec ESP"

filter add chain=input action=accept ipsec-policy=in,ipsec comment="defconf: accept all that matches ipsec policy"

filter add chain=input action=drop in-interface-list=!LAN comment="defconf: drop everything else not coming from LAN"

filter add chain=forward action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"

filter add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"

filter add chain=forward action=drop src-address-list=bad_ipv6 comment="defconf: drop packets with bad src ipv6"

filter add chain=forward action=drop dst-address-list=bad_ipv6 comment="defconf: drop packets with bad dst ipv6"

filter add chain=forward action=drop protocol=icmpv6 hop-limit=equal:1 comment="defconf: rfc4890 drop hop-limit=1"

filter add chain=forward action=accept protocol=icmpv6 comment="defconf: accept ICMPv6"

filter add chain=forward action=accept protocol=139 comment="defconf: accept HIP"

filter add chain=forward action=accept protocol=udp dst-port=500,4500 comment="defconf: accept IKE"

filter add chain=forward action=accept protocol=ipsec-ah comment="defconf: accept ipsec AH"

filter add chain=forward action=accept protocol=ipsec-esp comment="defconf: accept ipsec ESP"

filter add chain=forward action=accept ipsec-policy=in,ipsec comment="defconf: accept all that matches ipsec policy"

filter add chain=forward action=drop in-interface-list=!LAN comment="defconf: drop everything else not coming from LAN"

}

mentalinc

RunningMan

nzkc

RunningMan

mentalinc

nzkc

RunningMan

Dell

saf

mentalinc