Friday, February 5, 2021

Is my firewall config up-to-date with current IETF spec (IPv4 & IPv6)?

Deployed on MikroTik's RouterOS. The listings below are in `/export` (.rsc) form: rules whose comment starts with `defconf:` are MikroTik's default configuration, the rest are my additions (DDoS detection, ICMP type filter, LAN-subnet checks, IPv6 ULA/link-local handling).

IPv4 firewall

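# IPv4 firewall: MikroTik default configuration ("defconf:" comments) plus
# custom rules, in /export order. Fixes versus the pasted listing: one command
# per line (RouterOS will not import several `add` commands on one line), and
# the mandatory "=" restored where it was missing (`comment "..."`,
# `connection-state established,...`, `protocol icmp`, `protocol udp`,
# `in-interface-list WAN`, `dst-address-list not_in_internet`,
# `dst-address-list lan_subnets`). Rule order inside each chain is unchanged.
#
# Assumes the interface lists LAN and WAN exist (defconf creates them).
# The address lists referenced here are defined at the end of this listing.
# RFC 6890 has since been updated by RFC 8190; the IANA special-purpose
# address registries are the authoritative, living source for these ranges.

/ip firewall filter
# --- input: traffic addressed to the router itself ---
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
# NOTE(review): every ICMP type is accepted on input, from any interface. The
# per-type "icmp" chain below is only reached from the forward chain.
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
# No terminal rule follows this one: packets arriving on a LAN-list interface
# fall off the chain and are accepted, so router services (WinBox, SSH, API,
# DNS, ...) are reachable from every LAN host unless /ip service restricts them.
add action=drop chain=input comment="defconf: drop all not coming from LAN's interface list/subnets" in-interface-list=!LAN

# --- forward: traffic routed through the router ---
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
# "untracked" only matches packets excluded from conntrack by a raw notrack
# rule; there is none in this configuration, so that state never matches.
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
# Custom: LAN hosts may not reach bogon/private space via the WAN side.
# Because 10.0.0.0/8 is disabled in not_in_internet below, 10/8 is still
# reachable through the WAN interface.
add action=drop chain=forward comment="Drop tries to reach not public addresses from LAN" dst-address-list=not_in_internet in-interface-list=LAN out-interface-list=WAN
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
# Custom: ICMP that got this far (LAN-originated, or WAN ICMP to a published
# service) is allow-listed by type in the "icmp" chain.
add action=jump chain=forward comment="jump to ICMP filters" jump-target=icmp protocol=icmp
# Custom: duplicates the raw "drop non global from WAN" rule below; harmless.
add action=drop chain=forward comment="Drop incoming from internet which is not public IP" in-interface-list=WAN src-address-list=not_in_internet
# Custom: duplicates the raw "drop local if not from default IP range" rule.
add action=drop chain=forward comment="Drop packets from LAN that do not have LAN IP" in-interface-list=LAN src-address-list=!lan_subnets

# --- icmp: per-type allow-list (type:code), used by the forward chain only ---
add action=accept chain=icmp comment="echo reply" icmp-options=0:0 protocol=icmp
add action=accept chain=icmp comment="net unreachable" icmp-options=3:0 protocol=icmp
add action=accept chain=icmp comment="host unreachable" icmp-options=3:1 protocol=icmp
# 3:4 "fragmentation needed" is required for path MTU discovery.
add action=accept chain=icmp comment="host unreachable fragmentation required" icmp-options=3:4 protocol=icmp
add action=accept chain=icmp comment="allow echo request" icmp-options=8:0 protocol=icmp
add action=accept chain=icmp comment="allow time exceed" icmp-options=11:0 protocol=icmp
add action=accept chain=icmp comment="allow parameter bad" icmp-options=12:0 protocol=icmp
# Other ICMP errors (e.g. 3:3 port unreachable) normally arrive as
# connection-state=related and are accepted before the jump, so they are not
# affected by this terminal drop.
add action=drop chain=icmp comment="deny all other types"

# --- detect-ddos: rate-based flagging of new WAN connections ---
# This jump is the last rule in the forward chain, i.e. after "drop all from
# WAN not DSTNATed": only new WAN connections to DST-NATed (published)
# services reach it. Everything else from WAN was dropped already.
add action=jump chain=forward comment="Jump to DDoS detection" connection-state=new in-interface-list=WAN jump-target=detect-ddos
# Under 32 new connections/s (burst 32) per src/dst pair: return, no action.
add action=return chain=detect-ddos dst-limit=32,32,src-and-dst-addresses/10s
add action=return chain=detect-ddos dst-limit=32,32,src-and-dst-addresses/10s protocol=tcp tcp-flags=syn,ack
# Above the limit: both add-*-to-address-list actions fire (they are
# non-terminating). A legitimate but busy client is flagged for 10 minutes,
# and the raw rule below then drops it towards every flagged target.
add action=add-dst-to-address-list address-list=ddos-targets address-list-timeout=10m chain=detect-ddos
add action=add-src-to-address-list address-list=ddos-attackers address-list-timeout=10m chain=detect-ddos

/ip firewall raw
# Drops only when BOTH lists match (flagged attacker -> flagged target),
# before conntrack sees the packet.
add action=drop chain=prerouting dst-address-list=ddos-targets src-address-list=ddos-attackers
add action=accept chain=prerouting comment="defconf: enable for transparent firewall" disabled=yes
# DHCP DISCOVER has src 0.0.0.0, which is not in lan_subnets; this accept must
# stay ahead of the "drop local if not from default IP range" rule below.
add action=accept chain=prerouting comment="defconf: accept DHCP discover" dst-address=255.255.255.255 dst-port=67 in-interface-list=LAN protocol=udp src-address=0.0.0.0 src-port=68
add action=drop chain=prerouting comment="defconf: drop bad src IPs" src-address-list=bad_ipv4
add action=drop chain=prerouting comment="defconf: drop bad dst IPs" dst-address-list=bad_ipv4
add action=drop chain=prerouting comment="defconf: drop bad src IPs" src-address-list=bad_src_ipv4
add action=drop chain=prerouting comment="defconf: drop bad dst IPs" dst-address-list=bad_dst_ipv4
# Bogon/anti-spoof filter on the WAN side; see the 10.0.0.0/8 and
# 100.64.0.0/10 notes in the address lists.
add action=drop chain=prerouting comment="defconf: drop non global from WAN" in-interface-list=WAN src-address-list=not_in_internet
add action=drop chain=prerouting comment="defconf: drop forward to local lan from WAN" dst-address-list=lan_subnets in-interface-list=WAN
add action=drop chain=prerouting comment="defconf: drop local if not from default IP range" in-interface-list=LAN src-address-list=!lan_subnets
# port=0 matches either source or destination port 0.
add action=drop chain=prerouting comment="defconf: drop bad UDP" port=0 protocol=udp
add action=jump chain=prerouting comment="defconf: jump to TCP chain" jump-target=bad_tcp protocol=tcp
add action=accept chain=prerouting comment="defconf: accept everything else from LAN" in-interface-list=LAN
add action=accept chain=prerouting comment="defconf: accept everything else from WAN" in-interface-list=WAN
# Packets on an interface that is in neither list are dropped here, before
# any filter rule sees them.
add action=drop chain=prerouting comment="defconf: drop the rest"
# --- bad_tcp: invalid flag combinations (null/xmas-style scans) ---
add action=drop chain=bad_tcp comment="defconf: TCP flag filter" protocol=tcp tcp-flags=!fin,!syn,!rst,!ack
add action=drop chain=bad_tcp comment="defconf: TCP flag filter" protocol=tcp tcp-flags=fin,syn
add action=drop chain=bad_tcp comment="defconf: TCP flag filter" protocol=tcp tcp-flags=fin,rst
add action=drop chain=bad_tcp comment="defconf: TCP flag filter" protocol=tcp tcp-flags=fin,!ack
add action=drop chain=bad_tcp comment="defconf: TCP flag filter" protocol=tcp tcp-flags=fin,urg
add action=drop chain=bad_tcp comment="defconf: TCP flag filter" protocol=tcp tcp-flags=syn,rst
add action=drop chain=bad_tcp comment="defconf: TCP flag filter" protocol=tcp tcp-flags=rst,urg
add action=drop chain=bad_tcp comment="defconf: TCP port 0 drop" port=0 protocol=tcp

/ip firewall address-list
# not_in_internet: RFC 6890 special-purpose ranges, used as a bogon list on
# the WAN side and as a "do not route out" list for LAN clients.
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
# Disabled as my ISP uses this very subnet on their access concentrator.
# Consequence: 10/8-sourced packets from WAN are no longer dropped as bogons.
# If only the concentrator's prefix is needed, consider listing the rest of
# 10/8 as explicit CIDRs instead of exempting the whole /8.
add address=10.0.0.0/8 comment=RFC6890 disabled=yes list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
# Shared address space (RFC 6598). An ISP that uses CGNAT on the access side
# needs the same treatment as 10.0.0.0/8 above.
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
# The 6to4 relay anycast prefix of RFC 3068 was deprecated by RFC 7526 (2015);
# the block stays reserved, so dropping it remains correct.
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=not_in_internet
add address=255.255.255.255 comment=RFC6890 list=not_in_internet
# These two lists are filled dynamically by the detect-ddos chain. The
# entries below carry no address= and are presumably placeholders; RouterOS
# may reject an add without an address — verify on import.
add list=ddos-attackers
add list=ddos-targets
# My LAN subnets (site-specific; adjust before reuse).
add address=192.168.80.0/24 comment="LAN subnets" list=lan_subnets
add address=192.168.81.0/30 comment="LAN subnets" list=lan_subnets
add address=192.168.82.0/31 comment="LAN subnets" list=lan_subnets
# Raw-chain lists: bad_ipv4 is dropped as src and as dst; bad_src_ipv4 only
# as source; bad_dst_ipv4 only as destination.
add address=127.0.0.0/8 comment="RAW Filtering - RFC6890" list=bad_ipv4
add address=192.0.0.0/24 comment="RAW Filtering - RFC6890" list=bad_ipv4
add address=192.0.2.0/24 comment="RAW Filtering - RFC6890 documentation" list=bad_ipv4
add address=198.51.100.0/24 comment="RAW Filtering - RFC6890 documentation" list=bad_ipv4
add address=203.0.113.0/24 comment="RAW Filtering - RFC6890 documentation" list=bad_ipv4
add address=240.0.0.0/4 comment="RAW Filtering - RFC6890 reserved" list=bad_ipv4
add address=224.0.0.0/4 comment="RAW Filtering - multicast" list=bad_src_ipv4
add address=255.255.255.255 comment="RAW Filtering - RFC6890" list=bad_src_ipv4
add address=0.0.0.0/8 comment="RAW Filtering - RFC6890" list=bad_dst_ipv4
add address=224.0.0.0/4 comment="RAW Filtering - RFC6890" list=bad_dst_ipv4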

IPv6 firewall

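# IPv6 firewall: MikroTik default configuration ("defconf:" comments) plus
# custom ULA / link-local handling for the PPPoE uplink. Restored to one
# command per line (the pasted listing is not importable as-is); rule order
# inside each chain is unchanged. There is no NAT on this side, so the
# forward chain is the only barrier between the Internet and LAN hosts that
# hold global addresses.

/ipv6 firewall filter
# --- input: traffic addressed to the router itself ---
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
# All ICMPv6 types are accepted on input (RA, NS/NA, MLD need this); there is
# no RFC 4890 per-type filtering on input.
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
# Custom: link-local-sourced traffic from the PPPoE peer. Deliberately placed
# AFTER the ICMPv6 and DHCPv6 accepts — RA/NDP from the upstream router are
# link-local-sourced and must pass — so this only stops other link-local
# traffic to the router. Uses the interface name instead of
# in-interface-list=WAN like the rest of the config; equivalent only if
# pppoe-out1 is the sole WAN member. fe80::/16 is a subset of the fe80::/10
# link-local block (RFC 4291) used elsewhere in this listing.
add action=drop chain=input comment=dropLocalLink_from_public in-interface=pppoe-out1 src-address=fe80::/16
# Custom: anything sourced from the "allowed" list (ULA prefix, link-local)
# may talk to the router, from any interface not dropped above.
add action=accept chain=input comment="allow allowed addresses" src-address-list=allowed
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
# No terminal rule follows: LAN-list interfaces reach router services
# implicitly; restrict with /ip service if needed.
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN

# --- forward: traffic routed through the router ---
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop bad forward IPs" src-address-list=no_forward_ipv6
add action=drop chain=forward comment="defconf: drop bad forward IPs" dst-address-list=no_forward_ipv6
# RFC 4890: ICMPv6 with hop limit 1 is link-scoped and must not be forwarded.
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
# All remaining ICMPv6 is forwarded in both directions, including echo
# requests from the Internet to LAN hosts (RFC 4890 recommends allowing them).
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
# Custom: "allowed"-sourced traffic may be forwarded unless it came in on
# the PPPoE uplink (WAN-sourced ULA is also dropped in raw via fc00::/7).
add action=accept chain=forward comment="local clients to public" in-interface=!pppoe-out1 src-address-list=allowed
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
# IKE/AH/ESP are accepted towards any internal host, not just the router.
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
# Terminal for non-LAN interfaces; LAN-originated traffic falls through and
# is accepted.
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN

/ipv6 firewall raw
add action=accept chain=prerouting comment="defconf: enable for transparent firewall" disabled=yes
add action=drop chain=prerouting comment="defconf: drop bad src IPs" src-address-list=bad_ipv6
add action=drop chain=prerouting comment="defconf: drop bad dst IPs" dst-address-list=bad_ipv6
add action=drop chain=prerouting comment="defconf: drop packets with bad src ipv6" src-address-list=bad_src_ipv6
add action=drop chain=prerouting comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_dst_ipv6
add action=drop chain=prerouting comment="defconf: drop non global from WAN" in-interface-list=WAN src-address-list=not_global_ipv6
# Only link-local-scope multicast (ff02::/16) is allowed; every other scope
# (e.g. ff05::/16 site-local, used by DHCPv6 relays) is dropped next.
add action=accept chain=prerouting comment="defconf: accept local multicast scope" dst-address=ff02::/16
add action=drop chain=prerouting comment="defconf: drop other multicast destinations" dst-address=ff00::/8
add action=accept chain=prerouting comment="defconf: accept everything else from WAN" in-interface-list=WAN
add action=accept chain=prerouting comment="defconf: accept everything else from LAN" in-interface-list=LAN
# Interfaces in neither list are dropped here, before conntrack.
add action=drop chain=prerouting comment="defconf: drop the rest"

/ipv6 firewall address-list
# bad_ipv6: dropped as source AND destination, in raw and in forward.
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
# ORCHIDv2 (2001:20::/28, RFC 7343) is not listed separately; it is covered
# by the 2001::/23 entry further down.
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
# The four "other" entries are subsets of ::/96 above; redundant but harmless.
add address=::224.0.0.0/100 comment="defconf: other" list=bad_ipv6
add address=::127.0.0.0/104 comment="defconf: other" list=bad_ipv6
add address=::/104 comment="defconf: other" list=bad_ipv6
add address=::255.0.0.0/104 comment="defconf: other" list=bad_ipv6
# Custom "allowed" list: the local ULA /64 and link-local. The ff02::/16
# entry can never match — a multicast address is never a source, and raw
# already drops ff00::/8 as source — so it is dead weight.
add address=fd12:672e:6f65:8899::/64 list=allowed
add address=fe80::/16 list=allowed
add address=ff02::/16 comment=multicast list=allowed
# NOTE(review): 2001::/23 (IETF Protocol Assignments) is much wider than the
# other entries. The IANA IPv6 special-purpose registry carves out globally
# reachable allocations inside it — 2001:1::1/128 PCP anycast (RFC 7723),
# 2001:1::2/128 TURN anycast (RFC 8155), 2001:3::/32 AMT (RFC 7450),
# 2001:4:112::/48 AS112 (RFC 7535) — which this entry blocks as well. It also
# already covers TEREDO (2001::/32) and Benchmarking (2001:2::/48), making
# their not_global_ipv6 entries below redundant for WAN traffic.
add address=2001::/23 comment="defconf: RFC6890" list=bad_ipv6
# not_global_ipv6: dropped only as SOURCE on WAN (raw). fc00::/7 also covers
# the local ULA prefix, so ULA spoofing from the uplink is stopped here.
add address=100::/64 comment="RAW Filtering - RFC6890 Discard-only" list=not_global_ipv6
add address=2001::/32 comment="RAW Filtering - RFC6890 TEREDO" list=not_global_ipv6
add address=2001:2::/48 comment="RAW Filtering - RFC6890 Benchmark" list=not_global_ipv6
add address=fc00::/7 comment="RAW Filtering - RFC6890 Unique-Local" list=not_global_ipv6
add address=::/128 comment="RAW Filtering" list=bad_src_ipv6
add address=ff00::/8 comment="RAW Filtering" list=bad_src_ipv6
add address=::/128 comment="RAW Filtering" list=bad_dst_ipv6
# no_forward_ipv6: link-scoped ranges that must never be routed.
add address=fe80::/10 comment="defconf: RFC6890 Linked-Scoped Unicast" list=no_forward_ipv6
add address=ff00::/8 comment="defconf: multicast" list=no_forward_ipv6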

