Firewall: Locked myself out. What was the reason?

While configuring the firewall I locked myself out of the device :slight_smile:.
I don’t know which of the rules caused this.
Device IP is 192.168.88.1 in network 192.168.0.0/17
It’s this device https://mikrotik.com/product/CRS326-24G-2SplusRM with RouterOS in Bridge Mode.

My last steps were:

  • importing an address list (bogon_IPs) into an emptied list, see below
  • importing a firewall script file (not a real script, just a text file) into an emptied rules list, see below
  • and printing them after the imports succeeded, see below

So, which of the rules below was the culprit?

##########
[admin2@MikroTik] /ip/firewall/filter> /ip firewall/address-list/print
Columns: LIST, ADDRESS, CREATION-TIME

LIST ADDRESS CREATION-TIME

;;; RFC6890
0 bogon_IPs 0.0.0.0/8 apr/29/2020 14:33:28
;;; RFC6890
1 bogon_IPs 172.16.0.0/12 apr/29/2020 14:33:28
;;; RFC6890
2 bogon_IPs 192.168.0.0/16 apr/29/2020 14:33:28
;;; RFC6890
3 bogon_IPs 10.0.0.0/8 apr/29/2020 14:33:28
;;; RFC6890
4 bogon_IPs 169.254.0.0/16 apr/29/2020 14:33:28
;;; Multicast
5 bogon_IPs 224.0.0.0/4 apr/29/2020 14:33:28
;;; RFC6890
6 bogon_IPs 198.18.0.0/15 apr/29/2020 14:33:28
;;; RFC6890
7 bogon_IPs 192.0.0.0/24 apr/29/2020 14:33:28
;;; RFC6890
8 bogon_IPs 192.0.2.0/24 apr/29/2020 14:33:28
;;; RFC6890
9 bogon_IPs 198.51.100.0/24 apr/29/2020 14:33:28
;;; RFC6890
10 bogon_IPs 203.0.113.0/24 apr/29/2020 14:33:28
;;; RFC6890
11 bogon_IPs 100.64.0.0/10 apr/29/2020 14:33:28
;;; RFC6890
12 bogon_IPs 240.0.0.0/4 apr/29/2020 14:33:28
;;; 6to4 relay Anycast [RFC 3068]
13 bogon_IPs 192.88.99.0/24 apr/29/2020 14:33:28


[admin2@MikroTik] /ip/firewall/filter> /ip firewall/filter/print
Flags: X - disabled, I - invalid; D - dynamic
0 D ;;; special dummy rule to show fasttrack counters
chain=forward action=passthrough

1 chain=input action=fasttrack-connection connection-state=established,related

2 ;;; untracked can be made in raw table (optional, advanced)
chain=input action=accept connection-state=established,related,untracked

3 chain=input action=drop connection-state=invalid

4 ;;; drop all from WAN not DNATed
chain=input action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN

5 ;;; drop all invalid dstIPs
chain=input action=drop dst-address-list=bogon_IPs

6 chain=input action=accept protocol=tcp dst-port=80

7 chain=input action=accept protocol=tcp dst-port=443

8 chain=input action=accept protocol=tcp dst-port=22

9 chain=input action=accept protocol=udp dst-port=53

10 chain=input action=accept protocol=tcp dst-port=53

11 chain=input action=accept protocol=udp dst-port=123

12 chain=input action=accept protocol=tcp dst-port=123

13 chain=input action=jump jump-target=icmp protocol=icmp

14 ;;; deny all other
chain=input action=drop

15 chain=output action=fasttrack-connection connection-state=established,related

16 ;;; untracked can be made in raw table (optional, advanced)
chain=output action=accept connection-state=established,related,untracked

17 chain=output action=drop connection-state=invalid

18 ;;; drop all invalid dstIPs
chain=output action=drop dst-address-list=bogon_IPs

19 chain=output action=accept protocol=tcp dst-port=80

20 chain=output action=accept protocol=tcp dst-port=443

21 chain=output action=accept protocol=tcp dst-port=22

22 chain=output action=accept protocol=udp dst-port=53

23 chain=output action=accept protocol=tcp dst-port=53

24 chain=output action=accept protocol=udp dst-port=123

25 chain=output action=accept protocol=tcp dst-port=123

26 chain=output action=jump jump-target=icmp protocol=icmp

27 ;;; deny all other
chain=output action=drop

28 chain=forward action=fasttrack-connection connection-state=established,related

29 ;;; untracked can be made in raw table (optional, advanced)
chain=forward action=accept connection-state=established,related,untracked

30 chain=forward action=drop connection-state=invalid

31 ;;; drop other invalid dstIPs
chain=forward action=drop dst-address-list=bogon_IPs

32 chain=forward action=accept protocol=tcp dst-port=80

33 chain=forward action=accept protocol=tcp dst-port=443

34 chain=forward action=accept protocol=tcp dst-port=22

35 chain=forward action=accept protocol=udp dst-port=53

36 chain=forward action=accept protocol=tcp dst-port=53

37 chain=forward action=accept protocol=udp dst-port=123

38 chain=forward action=accept protocol=tcp dst-port=123

39 chain=forward action=jump jump-target=icmp protocol=icmp

40 ;;; deny all other
chain=forward action=drop

41 ;;; echo reply
chain=icmp action=accept protocol=icmp icmp-options=0:0

42 ;;; net unreachable
chain=icmp action=accept protocol=icmp icmp-options=3:0

43 ;;; host unreachable
chain=icmp action=accept protocol=icmp icmp-options=3:1

44 ;;; host unreachable fragmentation required
chain=icmp action=accept protocol=icmp icmp-options=3:4

45 ;;; allow source quench
chain=icmp action=accept protocol=icmp icmp-options=4:0

46 ;;; allow echo request
chain=icmp action=accept protocol=icmp icmp-options=8:0

47 ;;; allow time exceed
chain=icmp action=accept protocol=icmp icmp-options=11:0

48 ;;; allow parameter bad
chain=icmp action=accept protocol=icmp icmp-options=12:0

49 ;;; deny all other
chain=icmp action=drop

##########

You forgot to use the SAFE MODE button. Rookie mistake! :wink:

Besides the fact that your FW rules are a bloated horrible mess.
The best help I can give you is to reset to defaults and only add what you need for actual functionality, the rest is next to useless.

True! I remember I saw it in the GUI, and also read about it… :slight_smile:

But I would love to find out which of the above rules did cause this.

The device has a console port. Would that give me access to the device? I guess yes, as it’s just serial console via RJ-45.
I would like to not start over from scratch by resetting the device to factory settings.
Now I have to find such an adapter cable at ebay etc. Man, why is this damn cable not included with the device… :slight_smile: [/rant off :-]

This one:

5 ;;; drop all invalid dstIPs
chain=input action=drop dst-address-list=bogon_IPs

because …

[admin2@MikroTik] /ip/firewall/filter> /ip firewall/address-list/print
Columns: LIST, ADDRESS, CREATION-TIME
# LIST ADDRESS CREATION-TIME
;;; RFC6890
2 bogon_IPs 192.168.0.0/16 apr/29/2020 14:33:28

router’s own IP address is part of it, dummy!

And I concur with @anav’s advice: search for SOHO default firewall rules (I remember @zacharias posting them recently) because CRS doesn’t come with any. And go from there, your firewall is currently a complete mess. For example, it’s entirely useless (not to use harsh words) to fast-track packets in chains input and output, they will be L3-processed by the device itself, hence no use in using shortcuts. And there are many more such rules in the setup.
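To make the explanation above concrete, here is an added example (not code from the thread, from MikroTik or from RouterOS) that models the input chain as a top-down, first-match rule walk and replays the admin’s SSH connection through it. It is a deliberate simplification: the packet’s interface-list membership (“LAN”/“WAN”) is assumed rather than derived from ports, rule 1 (fasttrack) is omitted because it only applies to established/related traffic, and connection-nat-state on rule 4 is treated as always !dstnat. The second chain variant, which limits the bogon drop to in-interface-list=WAN in the same way rule 4 already does, is an illustration of one way the ordering problem goes away; it is not a fix the thread itself proposes.

```python
"""Simplified model of RouterOS /ip/firewall/filter first-match evaluation.

Constructed for illustration; not the thread's, MikroTik's or RouterOS's code.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Subset of the bogon_IPs address list printed in the thread. The entry that
# matters here is 192.168.0.0/16, which contains the router's own 192.168.88.1.
ADDRESS_LISTS = {
    "bogon_IPs": [ipaddress.ip_network(n) for n in (
        "0.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
        "169.254.0.0/16", "100.64.0.0/10", "224.0.0.0/4", "240.0.0.0/4",
    )],
}


@dataclass
class Packet:
    dst: str
    proto: str
    dst_port: int
    in_iface_list: str          # "LAN" or "WAN": assumed interface-list classification
    conn_state: str = "new"     # connection-tracking state as RouterOS would see it


@dataclass
class Rule:
    num: int
    action: str
    comment: str = ""
    proto: Optional[str] = None
    dst_port: Optional[int] = None
    dst_address_list: Optional[str] = None
    in_interface_list: Optional[str] = None
    conn_state: Optional[Tuple[str, ...]] = None

    def matches(self, p: Packet) -> bool:
        # Every matcher that is set must agree; an unset matcher matches anything.
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.dst_port is not None and p.dst_port != self.dst_port:
            return False
        if self.in_interface_list is not None and p.in_iface_list != self.in_interface_list:
            return False
        if self.conn_state is not None and p.conn_state not in self.conn_state:
            return False
        if self.dst_address_list is not None:
            addr = ipaddress.ip_address(p.dst)
            if not any(addr in net for net in ADDRESS_LISTS[self.dst_address_list]):
                return False
        return True


def evaluate(chain: List[Rule], packet: Packet) -> Tuple[str, Optional[int]]:
    """Walk the chain top-down; the first matching rule decides.

    Returns (action, rule number). (accept, None) means nothing matched and the
    chain's default policy (accept) applies."""
    for rule in chain:
        if rule.matches(packet):
            return rule.action, rule.num
    return "accept", None


def input_chain_as_posted() -> List[Rule]:
    """Input chain from the thread, reduced to the rules a new TCP/22 connection
    from the LAN can reach. Rule numbers are the ones in the printout."""
    return [
        Rule(2, "accept", conn_state=("established", "related", "untracked")),
        Rule(3, "drop", conn_state=("invalid",)),
        Rule(4, "drop", "drop all from WAN not DNATed", conn_state=("new",),
             in_interface_list="WAN"),   # connection-nat-state=!dstnat assumed
        Rule(5, "drop", "drop all invalid dstIPs", dst_address_list="bogon_IPs"),
        Rule(6, "accept", proto="tcp", dst_port=80),
        Rule(7, "accept", proto="tcp", dst_port=443),
        Rule(8, "accept", proto="tcp", dst_port=22),
        Rule(14, "drop", "deny all other"),
    ]


def input_chain_wan_only_bogons() -> List[Rule]:
    """Same chain, but rule 5 restricted to in-interface-list=WAN (the pattern
    rule 4 already uses). Illustration added here, not a fix from the thread."""
    chain = input_chain_as_posted()
    chain[3] = Rule(5, "drop", "drop all invalid dstIPs from WAN",
                    dst_address_list="bogon_IPs", in_interface_list="WAN")
    return chain


# Constructed sample: the admin opening SSH to the router's own address.
SSH_FROM_LAN = Packet(dst="192.168.88.1", proto="tcp", dst_port=22, in_iface_list="LAN")
SSH_FROM_WAN = Packet(dst="192.168.88.1", proto="tcp", dst_port=22, in_iface_list="WAN")

if __name__ == "__main__":
    for name, chain in (("as posted", input_chain_as_posted()),
                        ("bogon drop limited to WAN", input_chain_wan_only_bogons())):
        print(f"{name}: LAN SSH -> {evaluate(chain, SSH_FROM_LAN)}")
```

Running it shows the LAN SSH packet stopping at rule 5 in the posted chain (its destination, the router’s own 192.168.88.1, is inside 192.168.0.0/16 on the list) and only reaching the port-22 accept at rule 8 once the bogon drop is scoped to the WAN side; the same check is what Safe Mode would have rolled back for you automatically.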

OMF holy sheat! :slight_smile:
Yes, I should’ve read the crap when copying from the MT wiki page… :slight_smile:
Ok, my error, I added it to the wrong chain… :slight_smile:

And I concur with @anav’s advice: search for SOHO default firewall rules (I remember @zacharias posting them recently) because CRS doesn’t come with any. And go from there, your firewall is currently a complete mess. For example, it’s entirely useless (not to use harsh words) to fast-track packets in chains input and output, they will be L3-processed by the device itself, hence no use in using shortcuts. And there are many more such rules in the setup.

That’s not that important as I’m still just learning and also experimenting.

RJ45 console cable (adapter) I just ordered, should arrive in the next few days.
Then it should be possible to fix the error w/o resetting the device.

UPDATE: Yippee! I already have such an adapter, as a quick search in the cable boxes was positive… :slight_smile:

Well, be everybody’s guest and do whatever pleases you …

I’ve always found learning by starting from solid cases to be the best. Study default firewall filter rule set, try to understand what each and every line does and how it affects packets. And then look at other examples, think of how they fit into existing frame-work, think if they provide any extra functionality or security, implement them and observe them explode into your face … ah, you did the last step already :wink:

The one that made me chuckle…
4 ;;; drop all from WAN not DNATed
chain=input action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WA

Must be a new feature Port Inputting…

Ok, finally unlocked!
I had to use a stoneage old laptop (IBM Thinkpad 570, Pentium-II single core CPU with 331 MHz and a whopping 192 MB RAM :slight_smile: and Windows XP-Pro) that has a serial port.
Had some problems getting any terminal working (PuTTY, HyperTerminal, and also looked around in cygwin that I had installed there ages ago).
Then HyperTerminal finally worked with these params for COM1: 115200 baud, 8 data bits, no parity, 1 stop bit, hardware flow control, and VT100 terminal emulation.
The usual MikroTik terminal login appears (username, password)…
So, the rescue operation was finally successful :slight_smile: Took me “only” about 3 hours! :slight_smile: OMFG!

Too funny,
My method takes about 2 minutes. I use a paperclip…

Yeah, but you lose all your previous settings and have to start from scratch every time, don’t you? :slight_smile:
I wanted to keep my settings and just fix the error. It works over the console port.
Next time it will of course also take me less than 2 minutes, as I now know how to do it via the console port… :slight_smile:

Firewall unless told otherwise, will block Layer 3 Activity…
So instead of spending 3 hours with that laptop you could as well have logged in by MAC in less than 1 minute…

@anav a pencil works better…

I had disabled all the MAC things, as is recommended in the MT wiki page titled “Securing your router” or something like that…

Hi Zach, no, I use Notepad++ cut and paste
or that funny feature in Files called backup and restore.

You’re just afraid of a tiny paper clip. :stuck_out_tongue_winking_eye:


Hi mut - no worries with keeping your winbox MAC interface set to your admin interface… mac telnet is set to NONE. (under tools)
(under IP services, I only have winbox active/allowed)

I had disabled all the MAC things, as is recommended in the MT wiki page titled “Securing your router” or something like that…

Yes indeed, it is a good practice in case there is an actual risk of someone discovering your device through your LAN network and trying to access it…
If there is no such risk, why would you disable all MAC access, and why for all the ports?

In Webinterface (Webfig) I do upload my text file via the File menu, then in terminal window (ssh) I issue the command:
/import myfile.txt
It works for me.
One can upload the file also without using any GUI: via “scp”, which is part of the ssh package. It’s also available in PuTTY, IIRC.

Do you know, and can you know, what all and each of the attached users in your LAN are trying?.. :slight_smile:
I apply and practice proactive precaution…

Good practice is to limit MAC access to winbox to only the interface the admin uses, not necessarily all LAN interfaces…
Furthermore you also have the users list to access winbox, and also on the input chain I only allow the admin user interface as in-interface-list and then only allow admin-specified IPs (admin-access-list) as a source.

Thus by way of
a. input firewall rule (allows only admin to full router)
b. input firewall rules (allow LAN users to only services they require on the router, i.e. DNS)
c. ip services - only winbox active
d. tools winbox mac - specific interface only
e. users - specific to interface or IP or both
f. password

Then have no worries using mac within the router for specific and secure purposes.

And place a sentry near the device to prevent some trespasser from plugging their gear into the management port.

Or get out of paranoia mode and use some common sense.

Managed port LOL, my garage is so messy, I would likely get sued by the trespasser for falling over obstacles LOL.
The admin access is specific to a static IP.

Nothing wrong with applying logic and good security practices.

Furthermore, MKX, if you were actually paying attention instead of drinking too much beer you would have picked up on my post as a response to mutt for this:
“Do you know, and can you know, what all and each of the attached users in your LAN are trying?.. :slight_smile:
I apply and practice proactive precaution…”

In other words he was blocking all MAC traffic which defeats using macwinbox connectivity.
I was attempting to demonstrate that one can leave MACWINBOX up and running and still feel secure from other LAN users.

I don’t know about others, but for me this is somewhat “unnatural”, as I prefer the normal TCP protocol over MAC/Ethernet.
I have only web access (ports 80 and 443, ie. http and https) and port 22 (ssh) activated, both from just one specific LAN IP permitted.
Will soon even change these port numbers to something >10000 or so.