RB750GL Default firewall rules

Had to do a factory reset early this morning due to a stupid move on my part. Thought I’d take the opportunity to document the firewall rules that come with the RB750GL from the factory.

From what I read, RouterBoards used to come without any firewall rules configured. The little unit I got a short time ago did, and with a bit more experience with the way Mikrotik does things, I’m now in a better position to say that they’re actually pretty good.

[admin@rb1] > /ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic 
 0    ;;; default configuration
      chain=input action=accept protocol=icmp log=no log-prefix="" 

 1    ;;; default configuration
      chain=input action=accept connection-state=established,related log=no log-prefix="" 

 2    ;;; default configuration
      chain=input action=drop in-interface=ether1-gateway log=no log-prefix="" 

 3    ;;; default configuration
      chain=forward action=fasttrack-connection connection-state=established,related log=no log-prefix="" 

 4    ;;; default configuration
      chain=forward action=accept connection-state=established,related log=no log-prefix="" 

 5    ;;; default configuration
      chain=forward action=drop connection-state=invalid log=no log-prefix="" 

 6    ;;; default configuration
      chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=ether1-gateway log=no log-prefix="" 

Check out the manual page on Firewall Filters for detailed definitions of the directives used in these rules.
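To see what these seven rules actually let through, here is a small Python model added to this post (it is not RouterOS code and not part of the original). It parses the print output above and walks a few constructed packets through the input and forward chains the way RouterOS does: rules are tried in order, the first matching terminating action (accept or drop) decides, and a packet that reaches the end of a built-in chain is accepted. The LAN interface name ether2-master-local and the sample packets are assumptions for illustration; only ether1-gateway appears in the listing.

```python
"""Walk the RB750GL default filter chains against constructed packets."""
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# Constructed copy of the "/ip firewall filter print" output shown in the post.
DEFAULT_FILTER_PRINT = """
 0    ;;; default configuration
      chain=input action=accept protocol=icmp log=no log-prefix=""
 1    ;;; default configuration
      chain=input action=accept connection-state=established,related log=no log-prefix=""
 2    ;;; default configuration
      chain=input action=drop in-interface=ether1-gateway log=no log-prefix=""
 3    ;;; default configuration
      chain=forward action=fasttrack-connection connection-state=established,related log=no log-prefix=""
 4    ;;; default configuration
      chain=forward action=accept connection-state=established,related log=no log-prefix=""
 5    ;;; default configuration
      chain=forward action=drop connection-state=invalid log=no log-prefix=""
 6    ;;; default configuration
      chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=ether1-gateway log=no log-prefix=""
"""

# Actions that end the walk of a chain. fasttrack-connection only marks the
# connection for FastTrack; the packet carries on to the next rule, which is
# why rule 4 (accept) follows rule 3 in the default set.
TERMINATING = {"accept", "drop", "reject", "tarpit"}
IGNORED_KEYS = {"chain", "action", "log", "log-prefix"}
TOKEN = re.compile(r'(\S+?)=("[^"]*"|\S+)')   # key=value pairs on a rule line


@dataclass
class Rule:
    index: int
    chain: str
    action: str
    # matcher name -> (negated?, allowed values); "a,b" is a set of values
    matchers: Dict[str, Tuple[bool, FrozenSet[str]]]

    def matches(self, packet: Dict[str, Optional[str]]) -> bool:
        for key, (negated, values) in self.matchers.items():
            hit = packet.get(key) in values
            if hit == negated:        # plain matcher missed, or "!" matcher hit
                return False
        return True


def parse_filter_print(text: str) -> List[Rule]:
    """Turn the printed rule lines into Rule objects, in print order."""
    rules: List[Rule] = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("chain="):
            continue
        fields = dict(TOKEN.findall(line))
        matchers = {}
        for key, raw in fields.items():
            if key in IGNORED_KEYS:
                continue
            negated = raw.startswith("!")
            matchers[key] = (negated, frozenset(raw.lstrip("!").split(",")))
        rules.append(Rule(len(rules), fields["chain"], fields["action"], matchers))
    return rules


def walk(rules: List[Rule], chain: str, packet: Dict[str, Optional[str]]):
    """Return (verdict, index of the deciding rule); index None means the
    packet fell off the end of the built-in chain and was implicitly accepted."""
    for rule in rules:
        if rule.chain != chain or not rule.matches(packet):
            continue
        if rule.action in TERMINATING:
            return rule.action, rule.index
    return "accept", None


def packet(protocol, state, iface, nat_state=None):
    return {"protocol": protocol, "connection-state": state,
            "in-interface": iface, "connection-nat-state": nat_state}


# Constructed sample traffic. "ether2-master-local" as the LAN port is an
# assumption; the post only names ether1-gateway.
SAMPLE = {
    "wan-ssh-to-router":     ("input",   packet("tcp",  "new", "ether1-gateway")),
    "wan-ping-router":       ("input",   packet("icmp", "new", "ether1-gateway")),
    "lan-ssh-to-router":     ("input",   packet("tcp",  "new", "ether2-master-local")),
    "wan-new-to-lan-host":   ("forward", packet("tcp",  "new", "ether1-gateway")),
    "wan-new-port-forwarded":("forward", packet("tcp",  "new", "ether1-gateway", "dstnat")),
    "lan-new-outbound":      ("forward", packet("tcp",  "new", "ether2-master-local")),
    "lan-reply-established": ("forward", packet("tcp",  "established", "ether1-gateway")),
    "wan-invalid":           ("forward", packet("tcp",  "invalid", "ether1-gateway")),
}


def evaluate_all(text: str = DEFAULT_FILTER_PRINT, samples=SAMPLE):
    rules = parse_filter_print(text)
    return {name: walk(rules, chain, pkt) for name, (chain, pkt) in samples.items()}


if __name__ == "__main__":
    for name, (verdict, idx) in evaluate_all().items():
        by = f"rule {idx}" if idx is not None else "implicit accept (end of chain)"
        print(f"{name:24s} {verdict:7s} {by}")
```

Three things the walk makes visible that are easy to miss when reading the listing: the router answers ICMP from the WAN because rule 0 sits ahead of rule 2; the input chain has no final drop, so anything arriving on a non-gateway interface reaches the router's own services; and the forward chain only drops new connections from ether1-gateway that were not dst-natted, which is what lets a port forward work without any extra filter rule.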

After my little mishap this morning, I’m convinced the most efficient and safest way to modify most things in RouterOS is on the command line. While the web GUI for pfSense is light years ahead of the one that ships with RouterOS, the latter’s fully evolved console interface makes manual and scripted operations a lot easier and less prone to click-and-drag induced error.

FYI the factory reset left the upgraded firmware (6.29.1) in place, which was convenient but begged the question “what do I do if the firmware is borked?” It turns out that the answer is, “Netinstall”.

This entry was posted in System Administration.

About phil

My name is Phil Lembo. In my day job I’m an enterprise IT architect for a leading distribution and services company. The rest of my time I try to maintain a semi-normal family life in the suburbs of Raleigh, NC. E-mail me at philipATlembobrothersDOTcom. The opinions expressed here are entirely my own and not those of my employers, past, present or future (except where I quote others, who will need to accept responsibility for their own rants).