Community discussions

MikroTik App
  4. RouterOS
  5. General

Default Firewall Rule in V7.12.1 Ram arch  [SOLVED]

Post Reply
 
User avatar
Techsystem
Member
Member
Topic Author
Posts: 357
Joined: Tue Dec 21, 2021 5:12 am

Default Firewall Rule in V7.12.1 Ram arch

Wed Apr 24, 2024 3:43 pm

Hello For all..!
Anyone can give me the default Firewall Rules as a script that came with the Latest version of the Router OS.
Thanks in advance.
Top
 
erlinden
Forum Guru
Forum Guru
Posts: 2001
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: Default Firewall Rule in V7.12.1 Ram arch  [SOLVED]

Wed Apr 24, 2024 4:03 pm

As far as I know it hasn't changed...
By using this statement you get the default config:
Code: Select all
/system default-configuration print
If you don't have a MikroTik (I assume you have one, if you are looking for this info), you can find the default firewall rules here on the forum:
Code: Select all
/ip firewall filter
add chain=input action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
add chain=input action=drop connection-state=invalid comment="defconf: drop invalid"
add chain=input action=accept protocol=icmp comment="defconf: accept ICMP"
add chain=input action=accept dst-address=127.0.0.1 comment="defconf: accept to local loopback (for CAPsMAN)"
add chain=input action=drop in-interface-list=!LAN comment="defconf: drop all not coming from LAN"
add chain=forward action=accept ipsec-policy=in,ipsec comment="defconf: accept in ipsec policy"
add chain=forward action=accept ipsec-policy=out,ipsec comment="defconf: accept out ipsec policy"
add chain=forward action=fasttrack-connection connection-state=established,related comment="defconf: fasttrack"
add chain=forward action=accept connection-state=established,related,untracked comment="defconf: accept established,related, untracked"
add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
add chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN comment="defconf: drop all from WAN not DSTNATed"
And in case of IPv6:
Code: Select all
/ipv6 firewall address-list
add list=bad_ipv6 address=::/128 comment="defconf: unspecified address"
add list=bad_ipv6 address=::1 comment="defconf: lo"
add list=bad_ipv6 address=fec0::/10 comment="defconf: site-local"
add list=bad_ipv6 address=::ffff:0:0/96 comment="defconf: ipv4-mapped"
add list=bad_ipv6 address=::/96 comment="defconf: ipv4 compat"
add list=bad_ipv6 address=100::/64 comment="defconf: discard only "
add list=bad_ipv6 address=2001:db8::/32 comment="defconf: documentation"
add list=bad_ipv6 address=2001:10::/28 comment="defconf: ORCHID"
add list=bad_ipv6 address=3ffe::/16 comment="defconf: 6bone"
add list=bad_ipv6 address=::224.0.0.0/100 comment="defconf: other"
add list=bad_ipv6 address=::127.0.0.0/104 comment="defconf: other"
add list=bad_ipv6 address=::/104 comment="defconf: other"
add list=bad_ipv6 address=::255.0.0.0/104 comment="defconf: other"

/ipv6 firewall filter
add chain=input action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
add chain=input action=drop connection-state=invalid comment="defconf: drop invalid"
add chain=input action=accept protocol=icmpv6 comment="defconf: accept ICMPv6"
add chain=input action=accept protocol=udp port=33434-33534 comment="defconf: accept UDP traceroute"
add chain=input action=accept protocol=udp dst-port=546 src-address=fe80::/10 comment="defconf: accept DHCPv6-Client prefix delegation."
add chain=input action=accept protocol=udp dst-port=500,4500 comment="defconf: accept IKE"
add chain=input action=accept protocol=ipsec-ah comment="defconf: accept ipsec AH"
add chain=input action=accept protocol=ipsec-esp comment="defconf: accept ipsec ESP"
add chain=input action=accept ipsec-policy=in,ipsec comment="defconf: accept all that matches ipsec policy"
add chain=input action=drop in-interface-list=!LAN comment="defconf: drop everything else not coming from LAN"
add chain=forward action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
add chain=forward action=drop src-address-list=bad_ipv6 comment="defconf: drop packets with bad src ipv6"
add chain=forward action=drop dst-address-list=bad_ipv6 comment="defconf: drop packets with bad dst ipv6"
add chain=forward action=drop protocol=icmpv6 hop-limit=equal:1 comment="defconf: rfc4890 drop hop-limit=1"
add chain=forward action=accept protocol=icmpv6 comment="defconf: accept ICMPv6"
add chain=forward action=accept protocol=139 comment="defconf: accept HIP"
add chain=forward action=accept protocol=udp dst-port=500,4500 comment="defconf: accept IKE"
add chain=forward action=accept protocol=ipsec-ah comment="defconf: accept ipsec AH"
add chain=forward action=accept protocol=ipsec-esp comment="defconf: accept ipsec ESP"
add chain=forward action=accept ipsec-policy=in,ipsec comment="defconf: accept all that matches ipsec policy"
add chain=forward action=drop in-interface-list=!LAN comment="defconf: drop everything else not coming from LAN"
Top
 
User avatar
Techsystem
Member
Member
Topic Author
Posts: 357
Joined: Tue Dec 21, 2021 5:12 am

Re: Default Firewall Rule in V7.12.1 Ram arch

Wed Apr 24, 2024 6:30 pm

Hey erlinden glad yo have you here ..!
Thank you so much..!
Top
Post Reply

Who is online

Users browsing this forum: Seekport [Bot] and 30 guests
  4. RouterOS
  5. General