RouterOS (ROS) firewall configuration
This page collects RouterOS (ROS) hardening steps: disabling unneeded services and then loading a baseline IPv4 and IPv6 firewall.
Disable insecure services
# list all services
/ip service print
# disable the insecure ones
/ip service disable telnet,ftp,www,api,api-ssl
# change the default SSH port
/ip service set ssh port=2200
# each service can be restricted to given source addresses; run this from a host inside that range so the current session is not locked out
/ip service set winbox address=192.168.88.0/24
Disable MAC remote access (MAC Telnet, MAC Winbox and MAC ping)
/tool mac-server set allowed-interface-list=none
/tool mac-server print
/tool mac-server mac-winbox set allowed-interface-list=none
/tool mac-server mac-winbox print
/tool mac-server ping set enabled=no
/tool mac-server ping print
Disable Neighbor Discovery
MikroTik Neighbor Discovery is used to show and identify other MikroTik routers on the network. Disable it on all interfaces; once it is off, the router no longer appears in the Neighbors list in Winbox.
/ip neighbor discovery-settings set discover-interface-list=none
Bandwidth server
The bandwidth server is used to test throughput between two MikroTik routers; disable it in production.
/tool bandwidth-server set enabled=no
DNS cache
DNS cache: the router may have DNS caching enabled, which shortens resolution time for DNS requests from clients to remote servers. If you do not need the cache on this router, or another router already provides it, disable it. Otherwise keep the rule below that drops UDP/53 arriving from WAN, so the router does not answer as an open resolver.
/ip dns set allow-remote-requests=no
Other client services
RouterOS may have other services enabled (by default RouterOS ships them disabled); if you do not need them, disable them.
/ip proxy set enabled=no
/ip socks set enabled=no
/ip upnp set enabled=no
/ip cloud set ddns-enabled=no update-time=no
Enable SSH strong crypto
This makes RouterOS use stronger ciphers for SSH; most recent clients support them, so turn it on.
/ip ssh set strong-crypto=yes
Disable unused interfaces
It is best to disable every unused interface on the router to reduce the opportunity for unauthorized access.
/interface print
# replace x with the interface name (or its number from the print output)
/interface set x disabled=yes
Disable the LCD
Some boards have an LCD module that shows status information; either set a PIN for it or disable it.
/lcd set enabled=no
Part 1: Interface lists. Every device needs these imported; adjust them to your own situation.
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface list member
add interface=bridge list=LAN
add interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
IPv4 firewall
/ip firewall filter
add action=accept chain=input comment="accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="accept ping" protocol=icmp
# allowed_to_router is not created by this export; add the management sources to it under /ip firewall address-list first, otherwise this exception never matches
add action=accept chain=input comment="allow all from WAN - lian jie ros" in-interface-list=WAN src-address-list=allowed_to_router
add action=drop chain=input comment="input dns 53" dst-port=53 in-interface-list=WAN protocol=udp
add action=drop chain=input comment="--------drop all from WAN - lian jie ros UP RouterOS" in-interface-list=WAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=drop chain=forward comment="drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
# the default configuration, unmodified, for comparison
/ip firewall filter
add action=accept chain=input comment="accept ping" protocol=icmp
add action=accept chain=input comment="accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=drop chain=input comment="drop all from WAN" in-interface-list=WAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=drop chain=forward comment="drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
IPv6 firewall rules; enable the IPv6 package before importing them.
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
add address=::1.2.3.4/100 comment="defconf: other" list=bad_ipv6
add address=::127.0.0.0/104 comment="defconf: other" list=bad_ipv6
add address=::/104 comment="defconf: other" list=bad_ipv6
add address=::1.2.3.4/104 comment="defconf: other" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/16
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
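As an added example (not from the original page and not a MikroTik tool), the Python script below parses the `add ...` lines of the IPv4 input chain and of the IPv6 address list and forward chain shown above, dry-runs constructed packets through them with RouterOS's first-match semantics, and flags rules that an earlier, broader rule makes unreachable, which is exactly what happens if the blanket "drop all from WAN" rule is placed ahead of the allowed_to_router exception. The IPv6 input is trimmed to the matchers the simulator models (connection-state, protocol, interface list, address lists, dst-port, hop-limit); the membership of allowed_to_router is an assumption, since the page never defines that list; and fasttrack-connection is modelled as non-terminating, so the packet goes on to the accept rule the export keeps after it.

```python
"""Audit a RouterOS firewall export: parse its `add ...` lines, flag rules that an
earlier broader rule makes unreachable, and dry-run packets through a chain with
first-match semantics.  Added example for this page; not a MikroTik tool."""
import ipaddress
import shlex

# Constructed input: the page's IPv4 input chain, copied verbatim.
IPV4_EXPORT = """
add action=accept chain=input comment="accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="accept ping" protocol=icmp
add action=accept chain=input comment="allow all from WAN - lian jie ros" in-interface-list=WAN src-address-list=allowed_to_router
add action=drop chain=input comment="input dns 53" dst-port=53 in-interface-list=WAN protocol=udp
add action=drop chain=input comment="--------drop all from WAN - lian jie ros UP RouterOS" in-interface-list=WAN
"""
# Constructed input: part of the page's bad_ipv6 list and IPv6 forward chain,
# trimmed to the matchers this simulator models.
IPV6_EXPORT = """
/ipv6 firewall address-list
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=::1.2.3.4/100 comment="defconf: other" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
"""
# fasttrack-connection is modelled as non-terminating: the packet goes on to the next rule.
NON_TERMINATING = {"fasttrack-connection", "log", "passthrough"}
IGNORED = {"action", "chain", "comment", "hw-offload"}  # not packet matchers


def parse_export(text):
    """Split an export into address lists ({name: [prefix, ...]}) and filter rules (dicts)."""
    lists, rules = {}, []
    for line in text.strip().splitlines():
        tokens = shlex.split(line)  # keeps a quoted comment as one token
        if tokens and tokens[0] == "add":
            entry = dict(tok.split("=", 1) for tok in tokens[1:])
            if "address" in entry:  # address-list entry rather than a filter rule
                lists.setdefault(entry["list"], []).append(entry["address"])
            else:
                rules.append(entry)
    return lists, rules


def _in_list(addr, name, lists):
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(n, strict=False) for n in lists.get(name, []))


def _port_match(spec, port):  # RouterOS port syntax: 53 / 500,4500 / 33434-33534
    return any(int(lo) <= port <= int(hi or lo)
               for lo, _, hi in (part.partition("-") for part in spec.split(",")))


# rule value, packet, address lists -> bool.  Packet field names are this example's own.
MATCHERS = {
    "connection-state": lambda v, p, L: p["state"] in v.split(","),
    "protocol": lambda v, p, L: p["protocol"] == v,
    "in-interface-list": lambda v, p, L: p["in_list"] == v,
    "src-address-list": lambda v, p, L: _in_list(p["src"], v, L),
    "dst-address-list": lambda v, p, L: _in_list(p["dst"], v, L),
    "dst-port": lambda v, p, L: _port_match(v, p.get("dport", -1)),
    "hop-limit": lambda v, p, L: p.get("hop_limit") == int(v.split(":")[1]),  # equal:1
}


def matches(rule, pkt, lists):
    """True when every matcher holds; a leading '!' negates; unknown keys raise KeyError."""
    for key, val in rule.items():
        if key not in IGNORED and MATCHERS[key](val.lstrip("!"), pkt, lists) == val.startswith("!"):
            return False
    return True


def evaluate(rules, chain, pkt, lists):
    """First matching terminating rule decides; a built-in chain with no match accepts."""
    for rule in rules:
        if rule["chain"] == chain and matches(rule, pkt, lists) and rule["action"] not in NON_TERMINATING:
            return rule["action"], rule.get("comment", "")
    return "accept", "end of chain"


def shadowed_rules(rules):
    """Rules that can never match because an earlier terminating rule in the same
    chain carries a subset of their matchers with identical values."""
    found = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if (earlier["chain"] == later["chain"] and earlier["action"] not in NON_TERMINATING
                    and all(later.get(k) == v for k, v in earlier.items() if k not in IGNORED)):
                found.append(later.get("comment", str(i)))
                break
    return found


def demo():
    """Dry-run constructed packets against the page's rule sets; returns the verdicts."""
    _, v4 = parse_export(IPV4_EXPORT)
    lists, v6 = parse_export(IPV6_EXPORT)
    lists["allowed_to_router"] = ["198.51.100.10/32"]  # assumption: the page never defines this list
    wan = {"in_list": "WAN", "protocol": "tcp", "dport": 2200, "state": "new", "src": "203.0.113.5", "dst": "192.0.2.1"}
    icmp6 = {"in_list": "WAN", "protocol": "icmpv6", "state": "new", "hop_limit": 1, "src": "3fff::10", "dst": "3fff::20"}
    return {
        "wan_dns": evaluate(v4, "input", {**wan, "protocol": "udp", "dport": 53}, lists),
        "wan_allowed": evaluate(v4, "input", {**wan, "src": "198.51.100.10"}, lists),
        "wan_other": evaluate(v4, "input", wan, lists),
        "lan_ssh": evaluate(v4, "input", {**wan, "in_list": "LAN", "src": "192.168.88.10"}, lists),
        "v6_doc_src": evaluate(v6, "forward", {**wan, "src": "2001:db8::1", "dst": "3fff::1"}, lists),
        "v6_icmp_hop1": evaluate(v6, "forward", icmp6, lists),
        "v6_icmp_hop64": evaluate(v6, "forward", {**icmp6, "hop_limit": 64}, lists),
        "ordered": shadowed_rules(v4) + shadowed_rules(v6),
        "misordered": shadowed_rules([v4[5]] + v4[:5]),  # blanket WAN drop moved to the top
    }
```

Run `demo()` after editing a rule set: a packet from LAN to the router's SSH port falls off the end of the input chain and is accepted, which is the RouterOS default for built-in chains and the reason the chain must end with an explicit WAN drop; the shadow check is conservative (it only recognises identical matcher values), so an empty result proves ordering only for rules it fully understands.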
This article is licensed by its author under CC BY 4.0.