MikroTik RouterBoard hardware ships with a well-configured default firewall rule set, whereas RouterOS on x86/CHR devices ships with no firewall rules at all. If you have accidentally deleted your firewall rules, or need the RouterBoard default rules, you can import the configuration below.

Part 1: Configure interface lists

Required on all devices; adjust to your own setup.

/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface list member
add interface=bridge list=LAN
add interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN

Part 2: IPv4 firewall rules

Recommended for all devices.

/ip firewall filter
add action=accept chain=input comment="accept ping" protocol=icmp
add action=accept chain=input comment="accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=drop chain=input comment="drop all from WAN" in-interface-list=WAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=drop chain=forward comment="drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
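Because an x86/CHR box starts with an empty filter table, it is worth being able to verify an export rather than eyeballing it. The script below is an added example (not part of the original post or of RouterOS) that parses the `/ip firewall filter` section of a RouterOS export and checks that both chains still contain the defconf "drop from WAN" rule, ordered after the established/related accept; the embedded export is constructed from the IPv4 rules above.

```python
# Added example: audit a RouterOS export for the defconf "drop from WAN" rules.
# SAMPLE_EXPORT is constructed from the IPv4 rules in this post.
import shlex

SAMPLE_EXPORT = """\
/ip firewall filter
add action=accept chain=input comment="accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="drop all from WAN" in-interface-list=WAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
"""

# The rules that keep an x86/CHR box from being wide open, per chain.
REQUIRED_WAN_DROP = {
    "input": {"action": "drop", "in-interface-list": "WAN"},
    "forward": {"action": "drop", "in-interface-list": "WAN",
                "connection-nat-state": "!dstnat"},
}
ESTABLISHED_ACCEPT = {"action": "accept", "connection-state": "established,related,untracked"}

def parse_filter_rules(export: str) -> list[dict]:
    """Return the `add` rules under `/ip firewall filter`, in order, as dicts."""
    rules, in_section = [], False
    for line in export.splitlines():
        line = line.strip()
        if line.startswith("/"):  # a new menu path begins
            in_section = line == "/ip firewall filter"
        elif in_section and line.startswith("add "):
            # shlex keeps quoted values such as comment="drop invalid" intact
            rules.append(dict(tok.split("=", 1) for tok in shlex.split(line)[1:]))
    return rules

def first_index(rules: list[dict], match: dict):
    """Index of the first rule containing every key/value in `match`, else None."""
    return next((i for i, r in enumerate(rules)
                 if all(r.get(k) == v for k, v in match.items())), None)

def audit(export: str) -> list[str]:
    """Return the problems found; an empty list means the defconf essentials are present."""
    rules, problems = parse_filter_rules(export), []
    for chain, want in REQUIRED_WAN_DROP.items():
        chain_rules = [r for r in rules if r.get("chain") == chain]
        accept, drop = first_index(chain_rules, ESTABLISHED_ACCEPT), first_index(chain_rules, want)
        if drop is None:
            problems.append(f"{chain}: no default drop from WAN")
        elif accept is None or accept > drop:
            problems.append(f"{chain}: established/related accept must precede the WAN drop")
    return problems
```

Feed it the output of `/ip firewall filter export` from a live router to confirm the two drop rules survived later edits.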

Part 3: IPv6 firewall rules

Enable the IPv6 package before importing.

/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
add address=::224.0.0.0/100 comment="defconf: other" list=bad_ipv6
add address=::127.0.0.0/104 comment="defconf: other" list=bad_ipv6
add address=::/104 comment="defconf: other" list=bad_ipv6
add address=::255.0.0.0/104 comment="defconf: other" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/16
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN

END

This is not original work; reproduced in full from: https://www.vsean.net/2019/11/26/routeros-default-firewall-rule/

This site's copyright notice does not apply to this article; all rights belong to the original site.