/system identity set name=your_host_name
/user add address=1.2.3.0/24,9.9.9.0/29 comment="Full Name" group=full name=your_username
/user disable admin
The address= list restricts where this user may log in from. Verify the new user can log in before disabling the built-in admin account.
/certificate add name=ca-template common-name=CA key-usage=key-cert-sign
/certificate add name=server-template common-name=server
/certificate sign ca-template name=CA
/certificate sign ca=CA server-template name=server
/certificate set CA trusted=yes
/certificate set server trusted=yes
/ip service set www-ssl certificate=server
Export the CA certificate and import it on the management hosts, so the browser can verify the router's certificate instead of clicking through a warning.
/ip service disable telnet,ftp,www,api,api-ssl,winbox
/ip service enable ssh,www-ssl
/ip ssh set strong-crypto=yes
/tool mac-server disable numbers=0
/tool mac-server mac-winbox disable numbers=0
This is the pre-6.41 syntax (numbers=0 is the default "all" entry). On RouterOS 6.41 and later use /tool mac-server set allowed-interface-list=none and /tool mac-server mac-winbox set allowed-interface-list=none.
/ip neighbor discovery settings set default=no
/ip neighbor discovery set numbers=0,1,2,3,4,5,6,7,8,9,10,11 discover=no
The numbers= list assumes twelve interfaces; check with /ip neighbor discovery print and cover every interface. On 6.41 and later the equivalent is /ip neighbor discovery-settings set discover-interface-list=none.
/lcd pin set pin-number=1111
1111 is a placeholder; choose your own PIN, the factory default is 1234.
/lcd set touch-screen=disabled
/lcd set read-only-mode=yes
/lcd set default-screen=informative-slideshow
/system leds set 0 type=flash-access leds=user-led
/ip route add gateway=1.2.3.4
/ip dns set servers=1.2.3.4,5.6.7.8
/system clock set time-zone-name=Europe/Amsterdam
/system ntp client set enabled=yes server-dns-names=ntp1.polaire.nl,ntp2.polaire.nl
/system ntp client print
/system clock print
/ip cloud set update-time=no
These are basic rules to control access to the router's own services (input chain) and to block connections originated by the router itself (output chain). They do not filter forwarded traffic.
Input: drop invalid packets, accept established and related connections, accept new connections to ports 22 and 443 from the management LAN only, then log and drop everything else. Add the rules in this order; "Drop all" must stay last. On a remote router enter safe mode (Ctrl-X in the terminal) first, so a mistake does not lock you out.
/ip firewall filter add chain=input action=drop connection-state=invalid comment="Drop invalid"
/ip firewall filter add chain=input action=accept connection-state=established comment="Accept established"
/ip firewall filter add chain=input action=accept connection-state=related comment="Accept related"
/ip firewall filter add chain=input action=accept protocol=tcp src-address=1.2.3.0/24 dst-address=1.2.3.1 in-interface=ether1 dst-port=22,443 comment="Accept SSH and HTTPS access from management LAN"
/ip firewall filter add chain=input action=log dst-address-type=!broadcast,multicast comment="Log denied, skip logging multicast and broadcast"
/ip firewall filter add chain=input action=drop comment="Drop all"
By default I don't allow any connection originated by the router itself, for example automatic package downloads or phone-home traffic. The exceptions are DNS lookups and NTP time sync to the servers in the address lists. The DNS list must contain the servers configured under /ip dns, and since the NTP client is configured with DNS names, DNS has to work before NTP can. Only UDP/53 is allowed, so answers too large for UDP that fall back to TCP will be dropped and show up in the log; add a matching TCP rule if you see that.
/ip firewall address-list add list=DNS address=1.2.3.4/32
/ip firewall address-list add list=DNS address=1.2.3.5/32
/ip firewall address-list add list=NTP address=1.2.3.6/32
/ip firewall address-list add list=NTP address=1.2.3.7/32
/ip firewall filter add chain=output action=drop connection-state=invalid comment="Drop invalid"
/ip firewall filter add chain=output action=accept connection-state=established comment="Accept established"
/ip firewall filter add chain=output action=accept connection-state=related comment="Accept related"
/ip firewall filter add chain=output action=accept protocol=udp dst-address-list=DNS dst-port=53 comment="Accept DNS lookups"
/ip firewall filter add chain=output action=accept protocol=udp dst-address-list=NTP dst-port=123 comment="Accept NTP sync"
/ip firewall filter add chain=output action=log comment="Log denied"
/ip firewall filter add chain=output action=drop comment="Drop all"
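To check the ordering of the input and output chains above before committing them to a router you can lock yourself out of, here is a small first-match model of how RouterOS walks a filter chain. This is an added example, not configuration or code from the original page: the packets are constructed, the addresses are the page's placeholders, the management-LAN rule is modelled with dst-port 22,443 as the text intends, and "log" is modelled as a non-terminating action (it logs and evaluation continues), with an implicit accept when no terminating rule matches, which is RouterOS behaviour. It also shows two failure modes: "Drop all" placed above the management rule, and a chain with no final drop.

```python
# Added example (not from the original page): first-match model of the
# RouterOS input/output filter chains shown above, with constructed packets.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple


@dataclass
class Packet:
    chain: str                 # "input" (to the router) or "output" (from the router)
    proto: str = "tcp"
    src: str = "0.0.0.0"
    dst: str = "0.0.0.0"
    dport: int = 0
    state: str = "new"         # new | established | related | invalid
    in_iface: str = ""
    dst_type: str = "local"    # local | broadcast | multicast


@dataclass
class Rule:
    chain: str
    action: str                # accept | drop | log (log is non-terminating)
    comment: str
    state: Optional[str] = None
    proto: Optional[str] = None
    src_net: Optional[str] = None
    dst: Optional[str] = None
    dst_list: Optional[str] = None
    in_iface: Optional[str] = None
    dports: Tuple[int, ...] = ()
    not_dst_types: Tuple[str, ...] = ()   # dst-address-type=!broadcast,multicast

    def matches(self, p: Packet, lists: dict) -> bool:
        if self.chain != p.chain or (self.state and p.state != self.state):
            return False
        if self.proto and p.proto != self.proto:
            return False
        if self.src_net and ip_address(p.src) not in ip_network(self.src_net):
            return False
        if self.dst and p.dst != self.dst:
            return False
        if self.dst_list and not any(ip_address(p.dst) in ip_network(n) for n in lists[self.dst_list]):
            return False
        if self.in_iface and p.in_iface != self.in_iface:
            return False
        if self.dports and p.dport not in self.dports:
            return False
        return p.dst_type not in self.not_dst_types


# Address lists from the page (placeholder addresses).
LISTS = {"DNS": ["1.2.3.4/32", "1.2.3.5/32"], "NTP": ["1.2.3.6/32", "1.2.3.7/32"]}

INPUT = [
    Rule("input", "drop", "Drop invalid", state="invalid"),
    Rule("input", "accept", "Accept established", state="established"),
    Rule("input", "accept", "Accept related", state="related"),
    Rule("input", "accept", "Accept SSH/HTTPS from management LAN", proto="tcp",
         src_net="1.2.3.0/24", dst="1.2.3.1", in_iface="ether1", dports=(22, 443)),
    Rule("input", "log", "Log denied", not_dst_types=("broadcast", "multicast")),
    Rule("input", "drop", "Drop all"),
]
OUTPUT = [
    Rule("output", "drop", "Drop invalid", state="invalid"),
    Rule("output", "accept", "Accept established", state="established"),
    Rule("output", "accept", "Accept related", state="related"),
    Rule("output", "accept", "Accept DNS lookups", proto="udp", dst_list="DNS", dports=(53,)),
    Rule("output", "accept", "Accept NTP sync", proto="udp", dst_list="NTP", dports=(123,)),
    Rule("output", "log", "Log denied"),
    Rule("output", "drop", "Drop all"),
]


def evaluate(chain_rules, p: Packet, lists=LISTS):
    """Walk the chain in order: 'log' records and falls through, the first
    accept/drop wins, and with no terminating match RouterOS accepts."""
    logged = False
    for r in chain_rules:
        if r.matches(p, lists):
            if r.action == "log":
                logged = True
                continue
            return r.action, logged, r.comment
    return "accept", logged, "(no match: implicit accept)"


def mgmt_ssh():          # management host opening SSH to the router's LAN address
    return evaluate(INPUT, Packet("input", src="1.2.3.10", dst="1.2.3.1", dport=22, in_iface="ether1"))

def outside_https():     # same service from outside the management LAN: dropped and logged
    return evaluate(INPUT, Packet("input", src="203.0.113.5", dst="1.2.3.1", dport=443, in_iface="ether1"))

def lan_broadcast():     # broadcast noise is dropped but not logged
    return evaluate(INPUT, Packet("input", proto="udp", src="1.2.3.77", dst="1.2.3.255",
                                  dport=137, in_iface="ether1", dst_type="broadcast"))

def router_dns_udp():
    return evaluate(OUTPUT, Packet("output", proto="udp", src="1.2.3.1", dst="1.2.3.4", dport=53))

def router_dns_tcp():    # a large answer falling back to TCP/53 is not covered by the rules
    return evaluate(OUTPUT, Packet("output", proto="tcp", src="1.2.3.1", dst="1.2.3.4", dport=53))

def router_phone_home():
    return evaluate(OUTPUT, Packet("output", src="1.2.3.1", dst="203.0.113.9", dport=443))

def misordered():        # lockout: "Drop all" placed above the management rule
    bad = INPUT[:3] + [INPUT[5]] + INPUT[3:5]
    return evaluate(bad, Packet("input", src="1.2.3.10", dst="1.2.3.1", dport=22, in_iface="ether1"))

def no_final_drop():     # forgetting "Drop all" leaves the implicit accept
    return evaluate(INPUT[:5], Packet("input", src="203.0.113.5", dst="1.2.3.1", dport=22, in_iface="ether1"))


if __name__ == "__main__":
    for f in (mgmt_ssh, outside_https, lan_broadcast, router_dns_udp,
              router_dns_tcp, router_phone_home, misordered, no_final_drop):
        print(f"{f.__name__:18} {f()}")
```

The two last cases are the ones that matter in practice: a misplaced "Drop all" silently cuts off management access, and a missing one leaves every service reachable because the chain ends in an accept. The model matches only the fields these rules use; it is not a general RouterOS emulator.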
/port set usb3 baud-rate=9600 data-bits=8 parity=none stop-bits=1
/system serial-terminal usb3
/system routerboard usb power-reset
Current recommended practice (RFC 3704) is to enable strict mode to prevent IP spoofing, for example the spoofed source addresses used in DDoS attacks. If you use asymmetric routing or other complicated routing, loose mode is recommended instead. Be aware that with a default route present, loose mode only drops sources that are not routable at all, so it will not stop a host on the WAN side spoofing one of your own LAN prefixes; strict mode does.
strict - Strict mode as defined in RFC 3704 (Strict Reverse Path). Each incoming packet's source address is tested against the FIB, and if the packet did not arrive on the interface that is the best reverse path to that source, the check fails. By default failed packets are discarded.
/ip settings set rp-filter=strict
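To see what strict and loose mode actually decide, here is a model of the reverse-path check against a small FIB, added here as an example and not taken from the original page or from RouterOS itself. The routes and interface names are constructed; strict passes only when the longest-prefix match for the source points back out the ingress interface, loose passes when any route exists, and a blackhole route is treated as unroutable (an assumption in this model).

```python
# Added example (not from the original page): strict vs loose reverse-path
# filtering modelled against a constructed FIB.
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# Constructed FIB: (prefix, outgoing interface). None means blackhole.
FIB = [
    ("0.0.0.0/0", "ether1"),        # default route via the ISP
    ("1.2.3.0/24", "ether2"),       # management LAN
    ("10.0.0.0/8", "ether3"),       # internal site-to-site link
    ("198.51.100.0/24", "ether1"),  # partner prefix, reached via the ISP
    ("192.0.2.0/24", None),         # blackholed prefix
]


def best_route(addr: str) -> Optional[Tuple]:
    """Longest-prefix match, as the FIB lookup does."""
    a = ip_address(addr)
    matches = [(ip_network(p), i) for p, i in FIB if a in ip_network(p)]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)


def rp_check(mode: str, src: str, in_iface: str) -> bool:
    """True if the packet passes rp-filter in the given mode."""
    r = best_route(src)
    if r is None or r[1] is None:    # no route, or blackhole: fails in every mode (assumption for blackhole)
        return False
    if mode == "strict":
        return r[1] == in_iface      # must arrive on the best reverse path
    if mode == "loose":
        return True                  # any routable source passes
    return True                      # mode "no": check disabled


def results():
    # Constructed packets: (source address, ingress interface).
    cases = {
        "lan_host_on_lan": ("1.2.3.10", "ether2"),
        "spoofed_lan_from_wan": ("1.2.3.10", "ether1"),        # classic spoof of our own prefix
        "spoofed_internal_from_wan": ("10.9.8.7", "ether1"),
        "asymmetric_partner": ("198.51.100.5", "ether3"),       # legitimate, but enters on a non-best path
        "blackholed_src": ("192.0.2.1", "ether1"),
        "unknown_src": ("203.0.113.1", "ether1"),              # routable only via the default route
    }
    return {name: {m: rp_check(m, s, i) for m in ("strict", "loose")}
            for name, (s, i) in cases.items()}


if __name__ == "__main__":
    for name, verdict in results().items():
        print(f"{name:28} strict={verdict['strict']!s:5} loose={verdict['loose']}")
```

The spoofed cases pass in loose mode because a route to the forged source exists (via the LAN or internal interface), which is why loose mode is only a fallback for asymmetric setups such as the partner prefix case; if you must run loose, add explicit input rules dropping your own prefixes on the WAN interface.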