Help with firewall

Hi

The router serves both home and business use. It must be secure, because the network carries payment traffic.

Can you please review my firewall configuration and advise what should be added or removed?


# NOTE(review): OpenWrt UCI firewall `config rule` sections. On fw3/fw4 (whichever your
# release ships) rules are applied in the order they appear here and the first match wins
# -- confirm on your version. That ordering matters a great deal below: the ACCEPT rules
# near the top decide which packets the later DROP rules ever get to see.
# NOTE(review): no `config defaults` / `config zone` sections are included, so the zone
# input/forward policies (which do most of the real work on OpenWrt) cannot be reviewed
# here. For a network that carries payment traffic, the control worth the effort is
# segmentation: the terminal on its own zone/VLAN with no forwarding to guest or home
# devices, and a default-REJECT input policy -- not per-packet DROP rules on the router.

# AntiDOS: `src '*'` and no `dest` -- presumably an INPUT rule on every zone, wan included.
# NOTE(review): neither `connlimit` nor `dest_ip '*'` is a documented fw3/fw4 rule option
# as far as I can tell. An unknown option is typically ignored and an invalid value can
# cause the whole section to be skipped, so this rule may do nothing -- verify with
# `fw3 print` / `fw4 print`. SYN-flood protection is normally `option syn_flood '1'`
# in `config defaults` (not visible here).
config rule
    option name 'AntiDOS'
    option src '*'
    option proto 'all'
    option dest_ip '*'
    option connlimit '10'
    option target 'DROP'

# Two unnamed rules with neither `src` nor `dest`.
# NOTE(review): in fw3/fw4 a rule with no `src` and no `dest` applies to the router's OWN
# outgoing traffic (OUTPUT), not to inbound packets -- confirm. If so, these drop the
# router's short outbound TCP/UDP packets instead of anything from the network. `length`
# is also not a documented rule option -- verify it is actually honoured at all.
config rule
    option proto 'tcp'
    option length '0:39'
    option target 'DROP'

config rule
    option proto 'udp'
    option length '0:39'
    option target 'DROP'

# Rate-Limit: ACCEPT, proto all, from EVERY zone (wan included), 100 packets/s.
# NOTE(review): because this sits before every DROP below, the first 100 packets per
# second of any inbound traffic to the router are accepted -- SSH/HTTPS from guest or wan,
# DNS from wan, everything -- and the later DROP rules only see the overflow. This one rule
# undoes most of the restrictions that follow. A DoS limiter must never be an ACCEPT placed
# ahead of the access-control rules; rate-limit specific allowed services instead.
# `dest_ip '*'` has the same validity concern as in AntiDOS.
config rule
    option name 'Rate-Limit'
    option src '*'
    option proto 'all'
    option dest_ip '*'
    option limit '100/s'
    option target 'ACCEPT'

# ICMP / IGMP: no `src`/`dest`, so presumably OUTPUT rules (see note above) -- they would
# silence the router's own pings and ICMP error messages. Dropping all ICMP anywhere on the
# path breaks path-MTU discovery and error reporting; OpenWrt's default Allow-Ping /
# ICMPv6 rules (which can carry a `limit`) are the safer shape.
config rule
    option proto 'icmp'
    option target 'DROP'

config rule
    option proto 'igmp'
    option target 'DROP'

# TTL-Limit: NOTE(review): `ttl` is not a documented fw3/fw4 rule option -- verify; if it is
# ignored this becomes "DROP everything from every zone", if the section is rejected it
# does nothing. `dest_ip '*'` as above. Low-TTL filtering is not a meaningful control here.
config rule
    option name 'TTL-Limit'
    option src '*'
    option proto 'all'
    option dest_ip '*'
    option ttl 'lt 5'
    option target 'DROP'

# no-spoof: matches on DESTINATION, not source, so it does not prevent address spoofing
# (that is rp_filter / the kernel's reverse-path check, a sysctl, not a firewall rule).
# `192.168.4.1/24` is a host address with a /24 mask, i.e. 192.168.4.0/24. As an input rule
# on every zone it drops anything addressed to the router's WAN (public) address, which is
# redundant with the default wan input REJECT and, if wan services are ever wanted, breaks
# them. Being an IPv4 address it presumably applies to IPv4 only -- IPv6 is untouched.
config rule
    option name 'no-spoof'
    option src '*'
    option proto 'all'
    option dest_ip '!192.168.4.1/24' 
    option target 'DROP'

# Invalid-TCP-Flags: NOTE(review): `tcp_flags` is not a documented fw3/fw4 rule option as
# far as I can tell -- verify. Malformed/invalid packets are normally handled by conntrack
# via `option drop_invalid '1'` in `config defaults` (not visible here).
config rule
    option name 'Invalid-TCP-Flags'
    option src '*'
    option proto 'tcp'
    option tcp_flags 'ALL NONE,ALL ALL'
    option target 'DROP'

# Invalid-UDP-Packets: `length '0'` is already covered by the `0:39` UDP rule above --
# redundant (and subject to the same doubt about whether `length` is honoured).
config rule
    option name 'Invalid-UDP-Packets'
    option src '*'
    option proto 'udp'
    option length '0'
    option target 'DROP'

# maccheck / sshcheck: intended to restrict LuCI (443) and SSH (22) on the router to one
# LAN MAC address.
# NOTE(review): the documented source-MAC match is `src_mac`, not `mac` -- if `mac` is
# ignored, this rule drops ALL lan TCP to 192.168.4.1:443 (and sshcheck all lan TCP to
# port 22) regardless of MAC; check with `fw4 print`. `xxxxxxxxxxxx` is presumably redacted,
# but note the expected form is aa:bb:cc:dd:ee:ff. More fundamentally, a MAC address is
# trivially spoofed and is not an access control: bind LuCI/dropbear to the LAN interface
# only, use key-only SSH, and reach the admin UI from a dedicated management VLAN.
config rule
    option name 'maccheck'
    option src 'lan'
    option proto 'tcp'
    option dest_ip '192.168.4.1'
    option dest_port '443'
    option mac '!xxxxxxxxxxxx'
    option target 'DROP'

config rule
    option name 'sshcheck'
    option src 'lan'
    option proto 'tcp'
    option dest_port '22'
    option mac '!xxxxxxxxxxxxx'
    option target 'DROP'

# anti-ntp-dos: ACCEPT udp/123 from every zone (wan included) at 1 packet/hour; the rest
# falls through to the rules below. NOTE(review): `limit` is a global counter, not
# per-source -- confirm -- so this is one NTP packet per hour in total, which starves LAN
# clients of time sync (accurate time matters for TLS certificate validation on the
# terminals) while still exposing the port to wan. In practice the Rate-Limit ACCEPT above
# admits NTP anyway, so this rule mostly adds confusion.
config rule
    option name 'anti-ntp-dos'
    option src '*'
    option proto 'udp'
    option dest_port '123'
    option limit '1/hour'
    option target 'ACCEPT'

# no80: `dest_port` with `proto 'all'` -- port matches only make sense for tcp/udp;
# NOTE(review): fw3/fw4 may warn and ignore the port or skip the section -- verify. If it
# works as intended it blocks HTTP to the router from every zone including lan; fine for
# HTTPS-only LuCI, but then the http->https redirect is unreachable too.
config rule
    option name 'no80'
    option src '*'
    option proto 'all'
    option dest_port '80'
    option target 'DROP'

# nodos53 / nodos-alt5353: ACCEPT udp/53 and udp/5353 from EVERY zone, wan included.
# NOTE(review): this makes the router's resolver (dnsmasq) an open resolver reachable from
# the internet -- 60 queries/min here, plus whatever Rate-Limit above admitted first. Open
# resolvers are used for DNS amplification attacks. These should be `src 'lan'` (and
# `src 'guest'` if guests need DNS); there is no reason to accept mDNS (5353) from wan.
config rule
    option name 'nodos53'
    option src '*'
    option proto 'udp'
    option dest_port '53'
    option limit '60/minute'
    option target 'ACCEPT'

config rule
    option name 'nodos-alt5353'
    option src '*'
    option proto 'udp'
    option dest_port '5353'
    option limit '60/minute'
    option target 'ACCEPT'

# anti-dos-limit: NOTE(review): `rate`, `connlimit`, `connlimit-mask` and
# `connlimit-timeout` are not documented fw3/fw4 rule options -- verify. If they are
# ignored, what remains is `src lan, proto all, DROP`: every packet from the LAN to the
# router (DNS, DHCP, LuCI, SSH) is dropped except what Rate-Limit / nodos53 above accepted
# first. That is a very fragile way to keep LAN services alive.
config rule
    option name 'anti-dos-limit'
    option src 'lan'
    option proto 'all'
    option rate '1000/second'
    option target 'DROP'
    option connlimit '1'
    option connlimit-mask '24'
    option connlimit-timeout '0'

# Block-crap: drops everything from lan to the router -- same effect as the rule above,
# and it too only "works" because of the ACCEPTs higher up. If the intent is default-deny
# input from lan, express it as `option input 'REJECT'` on the lan zone plus explicit
# allow rules for DHCP (udp/67), DNS (53) and the admin ports from the management hosts.
config rule
    option name 'Block-crap'
    option src 'lan'
    option proto 'all'
    option target 'DROP'

# 443-allow + mainguestr2: allow TCP/443 to the router from guest, then drop all other
# guest input. NOTE(review): 443 on the router is the LuCI admin UI -- guests should not
# be able to reach it at all. Guests DO need DHCP (udp/67) and DNS (53) from the router,
# which this pair only admits via the rate-limited ACCEPTs above. Prefer
# `option input 'REJECT'` on the guest zone with explicit udp/67 and 53 allows, and make
# sure there is no guest->lan `config forwarding` (not visible here) so guest devices
# cannot reach the payment terminal.
config rule
    option name '443-allow'
    option src 'guest'
    option proto 'tcp'
    option dest_port '443'
    option target 'ACCEPT'

config rule
    option name 'mainguestr2'
    option src 'guest'
    option proto 'all'
    option target 'DROP'

You appear to have added a number of unnecessary or redundant rules, several of which use options that are not part of the OpenWrt firewall rule syntax. Where did you get the advice to make these additions to the default config?


Nowhere. I just tried to make it as secure as possible, because the router serves ICTVs, a cash terminal, an alarm system…

So you've just made random additions to the default configuration in the hope that it makes things more "secure"?
