I met today with the primary technician for a hospitality operator. His background is mainly in Microsoft support, so advanced routers such as MikroTik's, with their complex firewalling functionality, are still new to him. He explained that his PCI compliance process requires scanning each of his nine sites for open ports with a PCI compliance service's software. All nine locations had failed because of open ports, even though firewall rules were in place when we inspected them. I showed him my web site http://MikroTikConfig.com and how easy it is to create a basic firewall there. Here is the firewall script we created:
# Generated by ISP Supplies | LearnMikroTik.com's Firewall tool
# Available at http://mikrotikconfig.com
#
/ip firewall filter
add action=drop chain=forward comment="Drop invalid connections through router" connection-state=invalid
add chain=forward comment="Allow established connections through router" connection-state=established
add chain=forward comment="Allow related connections through router" connection-state=related
add chain=forward comment="Allow new connections through router coming in LAN interface" connection-state=new in-interface=bridge1
add action=drop chain=forward comment="Drop all other connections through the router"
add chain=input comment="Allow everything from the LAN interface to the router" in-interface=bridge1
add chain=input comment="Allow established connections to the router, these are OK because we aren't allowing new connections" connection-state=established
add chain=input comment="Allow related connections to the router, these are OK because we aren't allowing new connections" connection-state=related
# List name corrected to match the address-list defined below (the generated script read "VPNAddreses", which matches no list)
add chain=input comment="Allow from our VPN subnet" src-address-list=VPNAddresses
# This rule is generated with disabled=yes; it must be enabled for the input chain to block unsolicited traffic to the router itself
add action=drop chain=input comment="Drop everything else to the router" disabled=yes
/ip firewall address-list
add address=10.10.10.0/24 comment="VPN Subnet" list=VPNAddresses
This firewall allows connections initiated from the LAN to pass through the router, and allows access to the router itself from the LAN interface and from VPN clients. We then ran the PCI test tool and all nine sites passed.
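As an added example (not part of the post, and not code from the MikroTikConfig.com tool), here is a small Python lint to run over a RouterOS firewall script of this shape before the PCI scan: it parses the `add` lines, checks that every address-list a rule references is actually defined, and checks that the input and forward chains each end with an enabled drop rule. The sample script embedded in it is constructed to mirror the one above, including the misspelled list name and the disabled final drop.

```python
import re
import shlex

# Constructed sample in the shape of the generated script above (not the post's
# full script): note the misspelled list name and the disabled final drop rule.
SAMPLE = r"""
/ip firewall filter
add action=drop chain=forward comment="Drop invalid" connection-state=invalid
add chain=forward comment="Allow established" connection-state=established
add chain=forward comment="Allow new from LAN" connection-state=new \
    in-interface=bridge1
add action=drop chain=forward comment="Drop all other forward traffic"
add chain=input comment="Allow LAN to router" in-interface=bridge1
add chain=input comment="Allow from our VPN subnet" src-address-list=VPNAddreses
add action=drop chain=input comment="Drop everything else" disabled=yes
/ip firewall address-list
add address=10.10.10.0/24 comment="VPN Subnet" list=VPNAddresses
"""

def parse_rules(script):
    """Return [(section, {key: value}), ...] for every 'add' line, folding '\\' continuations."""
    joined = re.sub(r"\\\s*\n\s*", " ", script)   # join lines continued with a backslash
    section, rules = None, []
    for line in (l.strip() for l in joined.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):                  # menu path, e.g. /ip firewall filter
            section = line
        elif line.startswith("add "):             # shlex keeps quoted comments as one value
            kv = dict(tok.partition("=")[::2] for tok in shlex.split(line[4:]))
            rules.append((section, kv))
    return rules

def lint(script):
    """Return a list of findings; an empty list means both checks passed."""
    rules = parse_rules(script)
    defined = {r["list"] for s, r in rules if s == "/ip firewall address-list"}
    filters = [r for s, r in rules if s == "/ip firewall filter"]
    findings = []
    for r in filters:                             # every referenced list must exist
        for key in ("src-address-list", "dst-address-list"):
            if key in r and r[key] not in defined:
                findings.append(f"{key}={r[key]} is not a defined address-list")
    for chain in ("input", "forward"):            # each chain must end in an active drop
        chain_rules = [r for r in filters if r.get("chain") == chain]
        last = chain_rules[-1] if chain_rules else {}
        if last.get("action") != "drop" or last.get("disabled") == "yes":
            findings.append(f"chain {chain} does not end with an enabled drop rule")
    return findings
```

Running `lint(SAMPLE)` reports the undefined list and the disabled input drop; once both are corrected it returns an empty list.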
MikroTik RouterOS is a great tool for establishing a firewall that will pass any PCI test tool, and it does so in a cost-efficient manner.