Help with firewall

tamiko · June 10, 2024, 8:34pm

Hi

Router used as home and business. Must be secure, as it operates with payments.

Can you please review my firewall and advise to add/remove something?


config rule
    option name 'AntiDOS'
    option src '*'
    option proto 'all'
    option dest_ip '*'
    option connlimit '10'
    option target 'DROP'

config rule
    option proto 'tcp'
    option length '0:39'
    option target 'DROP'

config rule
    option proto 'udp'
    option length '0:39'
    option target 'DROP'

config rule
    option name 'Rate-Limit'
    option src '*'
    option proto 'all'
    option dest_ip '*'
    option limit '100/s'
    option target 'ACCEPT'

config rule
    option proto 'icmp'
    option target 'DROP'

config rule
    option proto 'igmp'
    option target 'DROP'

config rule
    option name 'TTL-Limit'
    option src '*'
    option proto 'all'
    option dest_ip '*'
    option ttl 'lt 5'
    option target 'DROP'

config rule
    option name 'no-spoof'
    option src '*'
    option proto 'all'
    option dest_ip '!192.168.4.1/24' 
    option target 'DROP'

config rule
    option name 'Invalid-TCP-Flags'
    option src '*'
    option proto 'tcp'
    option tcp_flags 'ALL NONE,ALL ALL'
    option target 'DROP'

config rule
    option name 'Invalid-UDP-Packets'
    option src '*'
    option proto 'udp'
    option length '0'
    option target 'DROP'

config rule
    option name 'maccheck'
    option src 'lan'
    option proto 'tcp'
    option dest_ip '192.168.4.1'
    option dest_port '443'
    option mac '!xxxxxxxxxxxx'
    option target 'DROP'

config rule
    option name 'sshcheck'
    option src 'lan'
    option proto 'tcp'
    option dest_port '22'
    option mac '!xxxxxxxxxxxxx'
    option target 'DROP'

config rule
    option name 'anti-ntp-dos'
    option src '*'
    option proto 'udp'
    option dest_port '123'
    option limit '1/hour'
    option target 'ACCEPT'

config rule
    option name 'no80'
    option src '*'
    option proto 'all'
    option dest_port '80'
    option target 'DROP'

config rule
    option name 'nodos53'
    option src '*'
    option proto 'udp'
    option dest_port '53'
    option limit '60/minute'
    option target 'ACCEPT'

config rule
    option name 'nodos-alt5353'
    option src '*'
    option proto 'udp'
    option dest_port '5353'
    option limit '60/minute'
    option target 'ACCEPT'

config rule
    option name 'anti-dos-limit'
    option src 'lan'
    option proto 'all'
    option rate '1000/second'
    option target 'DROP'
    option connlimit '1'
    option connlimit-mask '24'
    option connlimit-timeout '0'

config rule
    option name 'Block-crap'
    option src 'lan'
    option proto 'all'
    option target 'DROP'

config rule
    option name '443-allow'
    option src 'guest'
    option proto 'tcp'
    option dest_port '443'
    option target 'ACCEPT'

config rule
    option name 'mainguestr2'
    option src 'guest'
    option proto 'all'
    option target 'DROP'

krazeh · June 10, 2024, 9:20pm

You appear to have added a number of unnecessary/redundant rules. Where did you get the advice to make these additions to the default config?

tamiko · June 10, 2024, 9:25pm

Nowhere. Just tried to make me as secure as possible because router operates ICTVs, Chash Terminal, alarm…

krazeh · June 10, 2024, 9:26pm

So you've just made random additions in the hope it makes it more 'secure'?