20150619 rb750gl default firewall rules - plembo/onemoretech GitHub Wiki

title: RB750GL Default firewall rules
link: https://onemoretech.wordpress.com/2015/06/19/rb750gl-default-firewall-rules/
author: phil2nc
description:
post_id: 9821
created: 2015/06/19 09:02:06
created_gmt: 2015/06/19 13:02:06
comment_status: closed
post_name: rb750gl-default-firewall-rules
status: publish
post_type: post

RB750GL Default firewall rules

Had to do a factory reset early this morning due to a stupid move on my part. Thought I'd take the opportunity to document the firewall rules that come with the RB750GL from the factory. From what I read, RouterBoards used to come without any firewall rules configured. The little unit I got a short time ago did, and with a bit more experience with the way MikroTik does things, I'm now in a better position to say that they're actually pretty good.

/ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic
 0 ;;; default configuration
   chain=input action=accept protocol=icmp log=no log-prefix=""
 1 ;;; default configuration
   chain=input action=accept connection-state=established,related log=no log-prefix=""
 2 ;;; default configuration
   chain=input action=drop in-interface=ether1-gateway log=no log-prefix=""
 3 ;;; default configuration
   chain=forward action=fasttrack-connection connection-state=established,related log=no log-prefix=""
 4 ;;; default configuration
   chain=forward action=accept connection-state=established,related log=no log-prefix=""
 5 ;;; default configuration
   chain=forward action=drop connection-state=invalid log=no log-prefix=""
 6 ;;; default configuration
   chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=ether1-gateway log=no log-prefix=""
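
To see what these seven rules do to actual traffic, the sketch below (an added example, not part of the original post and not MikroTik code) replays the listing through a simplified first-match evaluator. The sample packets and the `ether2` LAN port name are constructed, and `fasttrack-connection` is modelled as pass-through so that the accept rule after it gives the verdict.

```python
# Added example: first-match walk through the factory rules listed above.
RULES = """\
chain=input action=accept protocol=icmp log=no log-prefix=""
chain=input action=accept connection-state=established,related log=no log-prefix=""
chain=input action=drop in-interface=ether1-gateway log=no log-prefix=""
chain=forward action=fasttrack-connection connection-state=established,related log=no log-prefix=""
chain=forward action=accept connection-state=established,related log=no log-prefix=""
chain=forward action=drop connection-state=invalid log=no log-prefix=""
chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=ether1-gateway log=no log-prefix=""
"""
IGNORED = {"log", "log-prefix"}  # logging options, not match conditions

def parse(text):
    """Turn each rule line into (chain, action, {matcher: condition})."""
    rules = []
    for line in text.strip().splitlines():
        fields = dict(tok.split("=", 1) for tok in line.split())
        chain, action = fields.pop("chain"), fields.pop("action")
        rules.append((chain, action,
                      {k: v for k, v in fields.items() if k not in IGNORED}))
    return rules

def matches(cond, value):
    """A comma list means 'any of'; a leading '!' negates the condition."""
    hit = value in cond.lstrip("!").split(",")
    return hit != cond.startswith("!")

def verdict(rules, chain, packet):
    """Return (rule number, action) for a packet described as a dict."""
    for number, (rule_chain, action, match) in enumerate(rules):
        if rule_chain != chain or action == "fasttrack-connection":
            continue  # assumption: fasttrack is modelled as pass-through
        if all(matches(c, packet.get(k)) for k, c in match.items()):
            return number, action
    return None, "accept"  # no rule matched: built-in chains accept by default

WAN = "ether1-gateway"
# Constructed sample packets (not captured traffic); "ether2" is a hypothetical LAN port.
SAMPLES = [
    ("input", {"protocol": "icmp", "connection-state": "new", "in-interface": WAN}),
    ("input", {"protocol": "tcp", "connection-state": "new", "in-interface": WAN}),
    ("input", {"protocol": "tcp", "connection-state": "new", "in-interface": "ether2"}),
    ("forward", {"connection-state": "new", "in-interface": WAN}),
    ("forward", {"connection-state": "new", "in-interface": WAN,
                 "connection-nat-state": "dstnat"}),
    ("forward", {"connection-state": "new", "in-interface": "ether2"}),
]

if __name__ == "__main__":
    for chain, pkt in SAMPLES:
        print(chain, pkt, "->", verdict(parse(RULES), chain, pkt))
```

The run shows that ICMP is accepted on every interface, including the WAN port, and that new connections arriving from the LAN side match no rule and are accepted by the chain default.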

Check out the manual page on Firewall Filters for detailed definitions of the directives used in these rules.

After my little mishap this morning, I'm convinced the most efficient and safest way to modify most things in RouterOS is on the command line. While the web GUI for pfSense is light years ahead of the one that ships with RouterOS, the latter's fully evolved console interface makes manual and scripted operations a lot easier and less prone to click-and-drag-induced error.

FYI, the factory reset left the upgraded firmware (6.29.1) in place, which was convenient but begged the question, "What do I do if the firmware is borked?" It turns out that the answer is "Netinstall".

Copyright 2004-2019 Phil Lembo