Mikrotik Default FW Rules
I have been looking for a while for a good set of basic Mikrotik firewall rules. Default ones on the box are probably the best for a standard home user, so here they are:
/ip firewall filter add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1 add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN /ip firewall nat add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN /ipv6 firewall address-list add address=::/128 comment="defconf: unspecified address" list=bad_ipv6 add address=::1/128 comment="defconf: lo" list=bad_ipv6 add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6 add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6 add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6 add address=100::/64 comment="defconf: discard only " list=bad_ipv6 add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6 add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6 add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6 /ipv6 firewall filter add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6 add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10 add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6 add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6 add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6 add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6 add action=accept chain=forward comment="defconf: accept HIP" protocol=139 add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
Sometimes I struggle to find these. This set is from RouterOS 7.1.
Jekyll Post Generator
Today I remembered this blog, and what a pain it can be to write. Then I found this nice Gist, which houses a couple of Bash scripts to auto-generate the skeletal files required to make a Jekyll post - and life got a little better. I plan to improve on them a bit, they’re a bit jank - but it’s a great place to start.
Check it out here if that’s your thing: https://gist.github.com/aamnah/f89fca7906f66f6f6a12.
I have updated it a little, adding a couple of options that automatically create a nicer page in Jekyll (permalink), and added time to the date, so creating multiple posts in a day shows up in order.
# Create a new jekyll post with the current date and the given title # and print the path to the post file. # # author: andreasl post_title="$*" [ -z "$post_title" ] && printf 'Error: Script needs a post title.\n' && exit 1 #repo_dir="$(git rev-parse --show-toplevel)" repo_dir="/home/james/blog" post_date="$(date '+%Y-%m-%d')" post_datetime="$(date '+%Y-%m-%dT%H:%M:%S%:z')" title_slug="$(printf -- "$post_title" | sed -E 's/[^a-zA-Z0-9]+/-/g' | tr "[:upper:]" "[:lower:]")" post_path="${repo_dir}/_posts/${post_date}-${title_slug}.md" [ -e "$post_path" ] && printf 'Error: Post exists already.\n' && exit 2 IFS= read -r -d '' front_matter << EOF --- title: "${*}" date: ${post_datetime} tags: [] layout: post permalink: /${title_slug}/ --- EOF printf -- "${front_matter}" > "${post_path}" printf -- '%s\n' "${post_path}"
Whoops
Well, about 11 months ago I wrote the last post on this blog. What a total pain. I moved continents with my family, I’ve had 3 jobs since that last post. It’s been weird.
Things are settling back down now, I’m working for a US based startup doing internet things, which is neat. I’m going to try and knock out some useful posts at some point.
Still using Jekyll, but honestly I blame it for making writing more difficult than it previously was under Wordpress. We’ll see. Also, Wordpress is garbage now!
See you soon (or in nearly a year, who knows).
Moving to Jekyll
Since I am moving abroad soon (in 8 days), I need to put my server in a shipping container, and send it on a long voyage. That means no self-hosted Wordpress for about 3 months. With this deadline, I was forced to either move to a VPS somewhere (and pay for it), or check out Jekyll/Hugo/Ghost/whatever - the blogging platforms the cool kids are using. This is what I used to do it. You are reading the results, assuming it’s not like 2025 and I’ve moved to something else.
Changing MTU in EVE-NG (allowing Jumbo frames!)
EVE-NG rules. As far as network simulation software goes, it’s the best.
When studying or otherwise, EVE-NG is the way I prefer to try things out. One thing that happens, however, when using virtualised networks, is you obscure some underlaying things - one of them being MTU. In a previous post, I went through how the base OS that EVE-NG runs on virtualises the links between routers and switches, here I will show a way to boost the MTU these virtual network links use, so that we can throw proper jumbos across the network.
In this topology, I have 2 routers, connected with dual Ethernet links, configured in a LAG. This doesn’t affect MTU at all, I just thought I’d mention it so it’s not confusing.
Topology of this little lab The link between these routers (ae0) is set to a layer-2 MTU of 9192, which is the maximum for the platform (Juniper vSRX 3.0). This means that we should be able to send an IP packet (like a ping) of over 9000 bytes.. And yet - we can’t: