• Mikrotik Default FW Rules

    I have been looking for a while for a good set of basic Mikrotik firewall rules. The default ones shipped on the box are probably the best for a standard home user, so here they are:

    /ip firewall filter
    add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
    add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
    add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
    add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
    add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
    add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
    add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
    add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
    add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
    add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
    add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
    /ip firewall nat
    add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
    /ipv6 firewall address-list
    add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
    add address=::1/128 comment="defconf: lo" list=bad_ipv6
    add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
    add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
    add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
    add address=100::/64 comment="defconf: discard only " list=bad_ipv6
    add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
    add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
    add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
    /ipv6 firewall filter
    add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
    add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
    add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
    add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
    add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
    add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
    add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
    add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
    add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
    add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
    add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
    add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
    add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
    add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
    add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
    add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
    add action=accept chain=forward comment="defconf: accept HIP" protocol=139
    add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
    add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
    add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
    add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
    add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN

    Sometimes I struggle to find these. This set is from RouterOS 7.1.
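    The defconf above relies on ordering as much as on the individual rules: each chain ends with a catch-all drop, invalid-state packets are dropped, and the forward chain accepts IPsec-policy traffic before the fasttrack rule (fasttracked connections skip the rest of the filter). The script below is an added example, not code from the post or from MikroTik: it parses the `/ip firewall filter` export format shown above with a small key=value tokenizer and audits those three properties, using the post's own IPv4 rules as a constructed sample and a deliberately misordered copy to show what a failing check reports. The property names and finding strings are this example's own.

```python
import shlex
from dataclasses import dataclass

# Constructed sample input: the IPv4 '/ip firewall filter' rules from the
# RouterOS 7.1 defconf listing in the post, copied verbatim.
SAMPLE_EXPORT = """\
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
"""


@dataclass
class Rule:
    action: str
    chain: str
    props: dict  # every key=value on the 'add' line, quotes removed


def parse_export(text):
    """Parse RouterOS export text into {menu path: [Rule, ...]}.

    A line starting with '/' selects the menu; each following 'add k=v ...'
    line becomes one Rule. shlex keeps a double-quoted comment as one token.
    """
    menus = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("/"):
            current = line
            menus.setdefault(current, [])
        elif line.startswith("add ") and current is not None:
            props = {}
            for token in shlex.split(line[4:]):
                key, _, value = token.partition("=")
                props[key] = value
            menus[current].append(Rule(props.get("action", ""), props.get("chain", ""), props))
    return menus


def audit_chain(rules, chain):
    """Check one chain for the ordering properties the defconf depends on.

    Returns a list of findings; an empty list means the chain passed.
    """
    chain_rules = [r for r in rules if r.chain == chain]
    if not chain_rules:
        return [f"{chain}: chain has no rules"]
    findings = []
    # 1. Default deny: the chain must end in a drop, not fall through to accept.
    if chain_rules[-1].action != "drop":
        findings.append(f"{chain}: last rule is '{chain_rules[-1].action}', not a catch-all drop")
    # 2. Invalid-state packets must be dropped somewhere in the chain.
    if not any(r.action == "drop" and r.props.get("connection-state") == "invalid" for r in chain_rules):
        findings.append(f"{chain}: no 'drop invalid' rule")
    # 3. Fasttracked connections bypass the remaining filter rules, so any rule
    #    that matches on ipsec-policy has to sit before the fasttrack rule.
    fast = next((i for i, r in enumerate(chain_rules) if r.action == "fasttrack-connection"), None)
    if fast is not None:
        for r in chain_rules[fast + 1:]:
            if "ipsec-policy" in r.props:
                findings.append(f"{chain}: rule '{r.props.get('comment', '')}' is after fasttrack")
    return findings


def audit(text):
    """Audit the input and forward chains of the IPv4 filter menu."""
    rules = parse_export(text).get("/ip firewall filter", [])
    return {chain: audit_chain(rules, chain) for chain in ("input", "forward")}


def _with_fasttrack_first(text):
    """Constructed negative sample: the same rules with the fasttrack rule
    moved ahead of the forward chain's IPsec accept rules."""
    lines = text.splitlines()
    fast = next(l for l in lines if "action=fasttrack-connection" in l)
    lines.remove(fast)
    first_forward = next(i for i, l in enumerate(lines) if "chain=forward" in l)
    lines.insert(first_forward, fast)
    return "\n".join(lines) + "\n"


MISORDERED_EXPORT = _with_fasttrack_first(SAMPLE_EXPORT)

if __name__ == "__main__":
    for name, text in (("defconf", SAMPLE_EXPORT), ("fasttrack-first", MISORDERED_EXPORT)):
        for chain, findings in audit(text).items():
            print(f"{name} {chain}: {'ok' if not findings else '; '.join(findings)}")
```

    Feeding it the output of `/ip firewall filter export` from a real router works the same way, since the parser only needs the menu line and the `add ...` lines; the IPv6 listing above would need the audit pointed at `/ipv6 firewall filter`, where the input chain has no fasttrack rule and check 3 simply does not apply.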

  • Jekyll Post Generator

    Today I remembered this blog, and what a pain it can be to write. Then I found this nice Gist, which houses a couple of Bash scripts to auto-generate the skeletal files required to make a Jekyll post - and life got a little better. I plan to improve on them a bit, they’re a bit jank - but it’s a great place to start.

    Check it out here if that’s your thing: https://gist.github.com/aamnah/f89fca7906f66f6f6a12.

    I have updated it a little, adding a couple of options that automatically create a nicer page in Jekyll (permalink), and added time to the date, so creating multiple posts in a day shows up in order.

    #!/usr/bin/env bash
    # Create a new jekyll post with the current date and the given title
    # and print the path to the post file.
    #
    # author: andreasl
    
    post_title="$*"
    [ -z "$post_title" ] && printf 'Error: Script needs a post title.\n' >&2 && exit 1
    
    #repo_dir="$(git rev-parse --show-toplevel)"
    repo_dir="/home/james/blog"
    post_date="$(date '+%Y-%m-%d')"
    # %:z (e.g. +01:00) is GNU date; BSD/macOS date only has %z (+0100).
    post_datetime="$(date '+%Y-%m-%dT%H:%M:%S%:z')"
    # Slug: runs of non-alphanumerics become one '-', leading/trailing '-' are trimmed, then lower-case.
    # printf '%s' (not printf "$post_title") stops a '%' in the title being read as a format directive.
    title_slug="$(printf '%s' "$post_title" | sed -E 's/[^a-zA-Z0-9]+/-/g; s/^-+//; s/-+$//' | tr '[:upper:]' '[:lower:]')"
    post_path="${repo_dir}/_posts/${post_date}-${title_slug}.md"
    [ -e "$post_path" ] && printf 'Error: Post exists already.\n' >&2 && exit 2
    
    # read -d '' exits non-zero when it reaches end of input; '|| true' keeps this safe under 'set -e'.
    IFS= read -r -d '' front_matter << EOF || true
    ---
    title: "${post_title}"
    date: ${post_datetime}
    tags: []
    layout: post
    permalink: /${title_slug}/
    ---
    EOF
    
    printf '%s' "${front_matter}" > "${post_path}"
    
    printf '%s\n' "${post_path}"
    
  • Whoops

    Well, about 11 months ago I wrote the last post on this blog. What a total pain. I moved continents with my family, I’ve had 3 jobs since that last post. It’s been weird.

    Things are settling back down now, I’m working for a US based startup doing internet things, which is neat. I’m going to try and knock out some useful posts at some point.

    Still using Jekyll, but honestly I blame it for making writing more difficult than it previously was under Wordpress. We’ll see. Also, Wordpress is garbage now!

    See you soon (or in nearly a year, who knows).

  • Moving to Jekyll

    Since I am moving abroad soon (in 8 days), I need to put my server in a shipping container, and send it on a long voyage. That means no self-hosted Wordpress for about 3 months. With this deadline, I was forced to either move to a VPS somewhere (and pay for it), or check out Jekyll/Hugo/Ghost/whatever - the blogging platforms the cool kids are using. This is what I used to do it. You are reading the results, assuming it’s not like 2025 and I’ve moved to something else.

  • Changing MTU in EVE-NG (allowing Jumbo frames!)

    EVE-NG rules. As far as network simulation software goes, it’s the best.

    When studying or otherwise, EVE-NG is the way I prefer to try things out. One thing that happens when using virtualised networks, however, is that some underlying details get obscured - one of them being MTU. In a previous post, I went through how the base OS that EVE-NG runs on virtualises the links between routers and switches; here I will show a way to raise the MTU these virtual network links use, so that we can throw proper jumbo frames across the network.

    In this topology, I have 2 routers, connected with dual Ethernet links, configured in a LAG. This doesn’t affect MTU at all, I just thought I’d mention it so it’s not confusing.

    Topology of this little lab

    The link between these routers (ae0) is set to a layer-2 MTU of 9192, which is the maximum for the platform (Juniper vSRX 3.0). This means that we should be able to send an IP packet (like a ping) of over 9000 bytes. And yet - we can't: