Some of the verbs such as established sound familiar from the days I used to work with Cisco access lists and Checkpoint firewall. The new command wasn't known to me.
The firewall filters in a MikroTik (and on Linux in general) are far more advanced than the simple access lists in a Cisco router. On a Cisco router you generally just have static rules that allow e.g. traffic incoming on some ports (there are some exceptions, e.g. "reflexive" access lists).

On a MikroTik or Linux system there is a table of open connections (you can see it on a separate tab in the MikroTik router), and you can easily allow all traffic belonging to existing open connections. This means you don't need to do anything to allow replies to outgoing connections, other than having a rule that allows "established, related" in all directions and a rule that allows "new" in the outgoing direction (or just a rule that allows everything in the outgoing direction).

To allow some things in the incoming direction (e.g. outside access to your IPIP tunnel), you only need to allow some new traffic matching a certain pattern. Once the connection completes, it will be in the connection table and again it will be matched by the "established, related" rule that you normally put at the top so it is matched first.
The Checkpoint firewall of course also offers such features.

In the default configuration, the MikroTik is delivered with some rules that allow "established, related", block other traffic incoming on ether1 (normally the internet port), and allow everything else. I don't like that, because once you add a new interface that is facing outside (like a tunnel), the default will be to allow new connections and thus it is possible to exploit the services on the router.

Therefore I always replace such settings with a rule that allows "established, related", then one or more rules that allow "new" only from interfaces that I know are on the inside (trusted) side, then a rule that drops everything. So, a new interface is always untrusted by default until a new rule is added.
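The rule order described above, written out as an added RouterOS configuration example (it is not from the post and not MikroTik's own default ruleset). It assumes RouterOS 6.36 or newer for interface lists, an interface list named "trusted" containing "bridge-lan", and that ether1 and any tunnel interface stay untrusted:

```routeros
# Added example, not from the post. Assumed names: list "trusted", interface
# "bridge-lan". ether1 (internet) and any tunnel are deliberately NOT listed,
# so a newly added interface is untrusted until a rule is added for it.
/interface list add name=trusted
/interface list member add list=trusted interface=bridge-lan

/ip firewall filter
# 1. Packets of connections already in the connection table (replies to
#    outgoing connections, related ICMP) are accepted first, in both chains.
add chain=input action=accept connection-state=established,related comment="accept established/related to router"
add chain=forward action=accept connection-state=established,related comment="accept established/related through router"
# 2. New connections are accepted only if they arrive on a trusted interface.
add chain=input action=accept connection-state=new in-interface-list=trusted comment="new to router only from trusted side"
add chain=forward action=accept connection-state=new in-interface-list=trusted comment="new through router only from trusted side"
# 3. Everything else is dropped, including new connections on ether1 or on
#    an interface added later (e.g. a tunnel). These are the last rules.
add chain=input action=drop comment="drop everything else to router"
add chain=forward action=drop comment="drop everything else"

# Later, to allow outside access to an IPIP tunnel terminating on the router
# (protocol 4 arriving on ether1), insert the accept rule ABOVE the drop rule
# rather than appending it, otherwise it is never reached:
add chain=input action=accept protocol=ipip in-interface=ether1 comment="allow IPIP tunnel from outside" place-before=[find comment="drop everything else to router"]
```

In the terminal, safe mode is toggled with Ctrl-X (the prompt shows <SAFE> while it is on), so the same rollback-on-disconnect protection is available when pasting these commands over SSH.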
Make sure that when you modify the firewall you always do it in such a sequence that you do not lock yourself out because you added the "drop" rule before the correct "accept" rules, for example.

A way to avoid that is to click the "safe mode" button in the menu on the left, then make all your changes to the firewall and check that you can still navigate around the user interface (open the quick start page, for example), and when everything is OK click the "safe mode" button again so it pops back out. When you lose connectivity to the router while safe mode is active, all changes you made after clicking it will be rolled back and you will have access again! When you reset safe mode, the changes are committed and you can log off without losing them.

(Note that there is no separate "running" config and "saved" config; everything you change is always saved immediately, so a mistake cannot be corrected by power-cycling the router, as with a Cisco.)
Rob