mikrotik rb2011 firewall defaults - plembo/onemoretech GitHub Wiki

# Default Firewall Rules for Mikrotik RB2011

Got this by running the following command in the console:

```
/system default-configuration print
```

This is a very basic, yet effective, rule set.

```
/ip firewall
filter add chain=input action=accept protocol=icmp comment="defconf: accept ICMP"
filter add chain=input action=accept connection-state=established,related comment="defconf: accept established,related"
filter add chain=input action=drop in-interface=ether1 comment="defconf: drop all from WAN"
filter add chain=forward action=fasttrack-connection connection-state=established,related comment="defconf: fasttrack"
filter add chain=forward action=accept connection-state=established,related comment="defconf: accept established,related"
filter add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
filter add chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=ether1 comment="defconf:  drop all from WAN not DSTNATed"
```

Pretty much how my unit shipped back when I got it around a year ago.
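
An added example, not part of the original page or MikroTik's own code: a simplified Python model of how the rules above are evaluated in order, run against constructed packets. It assumes packets that match no rule are accepted, treats `fasttrack-connection` as non-terminating, and uses `bridge` as a hypothetical LAN interface name.

```python
# Added example: simplified first-match model of the defconf filter rules.
# Assumptions: comments stripped from the rules; packets that match no rule
# are accepted; fasttrack-connection is treated as non-terminating;
# "bridge" is a hypothetical LAN interface name; all packets are constructed.
RULES = """\
chain=input action=accept protocol=icmp
chain=input action=accept connection-state=established,related
chain=input action=drop in-interface=ether1
chain=forward action=fasttrack-connection connection-state=established,related
chain=forward action=accept connection-state=established,related
chain=forward action=drop connection-state=invalid
chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=ether1
"""

def parse(text):
    """Turn each 'key=value ...' line into a dict of matchers."""
    return [dict(kv.split("=", 1) for kv in line.split())
            for line in text.splitlines() if line.strip()]

def matches(rule, pkt):
    """True if every matcher in the rule agrees with the packet."""
    for key, want in rule.items():
        if key in ("chain", "action"):
            continue
        negate = want.startswith("!")          # e.g. connection-nat-state=!dstnat
        hit = pkt.get(key) in want.lstrip("!").split(",")
        if hit == negate:
            return False
    return True

def verdict(pkt, rules=parse(RULES)):
    """Return (action, rule number), or ('accept', None) if nothing matched."""
    for n, rule in enumerate(rules, 1):
        if rule["chain"] == pkt["chain"] and matches(rule, pkt):
            if rule["action"] in ("accept", "drop"):   # terminating actions
                return rule["action"], n
    return "accept", None

if __name__ == "__main__":
    samples = {  # constructed packets
        "WAN -> router, new TCP": {"chain": "input", "in-interface": "ether1", "protocol": "tcp", "connection-state": "new"},
        "LAN -> router, new TCP": {"chain": "input", "in-interface": "bridge", "protocol": "tcp", "connection-state": "new"},
        "WAN -> LAN, new, no dstnat": {"chain": "forward", "in-interface": "ether1", "protocol": "tcp", "connection-state": "new"},
        "WAN -> LAN, new, dstnat": {"chain": "forward", "in-interface": "ether1", "protocol": "tcp", "connection-state": "new", "connection-nat-state": "dstnat"},
    }
    for name, pkt in samples.items():
        print(f"{name}: {verdict(pkt)}")
```

Only `ether1` is treated as WAN, so new connections arriving on any other interface fall through to the implicit accept; recheck the `in-interface` matchers if the WAN link moves to another port.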

See Manual:Default Configurations for more RouterBoard defaults.

I like the simplicity and straightforward nature of this rule set. I've added a few of my own rules to allow for VPN connections and to wall off my main network from my wifi guests.

There's a good discussion in the Mikrotik forum about the default rules here. I'll note in passing that the guy from New Zealand reminds me of those on the OpenLDAP lists who really ruined the whole helpful community thing for me.

Copyright 2004-2019 Phil Lembo