I have one problem that I cannot figure out. I've configured a firewall based on Dmitry on firewalling (http://wiki.mikrotik.com/wiki/Dmitry_on_firewalling) and NetworkPro_on_firewalling (http://wiki.mikrotik.com/wiki/NetworkPro_on_firewalling).
It's a little different because I have one WAN interface with two public IPs (one is for Web server), LAN segment, DMZ segment and a VPN connection so I tweaked their configurations a bit.
Here is my firewall configuration:
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; Allow traffic between clients on LAN
chain=forward action=accept in-interface=LAN(eth1) out-interface=LAN(eth1)
1 ;;; LAN to DMZ traffic
chain=forward action=accept in-interface=LAN(eth1) out-interface=DMZ(eth2)
2 X ;;; DMZ to LAN traffic
chain=forward action=accept in-interface=DMZ(eth2) out-interface=LAN(eth1)
3 ;;; VPN to LAN traffic
chain=forward action=accept src-address-list=VPN dst-address-list=LAN
4 ;;; VPN to DMZ traffic
chain=forward action=accept src-address-list=VPN dst-address-list=DMZ
5 ;;; Sanity check forward
chain=forward action=jump jump-target=sanity-check
6 ;;; WAN to Web Server (DMZ) traffic
chain=forward action=accept protocol=tcp in-interface=WAN(eth5) out-interface=DMZ(eth2) dst-port=80
7 ;;; Drop everything that is not explicitly forwarded
chain=forward action=jump jump-target=drop
8 ;;; Deny illegal NAT Traversal
chain=sanity-check action=jump jump-target=drop packet-mark=illegal-nat-traversal
9 ;;; Allow the router to be visible via Neighbor Disovery to WinBox on LAN port
chain=input action=accept protocol=udp dst-address=255.255.255.255 in-interface=LAN(eth1) dst-port=5678
10 ;;; LAN services - WinBox MAC on LAN port (20561/UDP)
chain=input action=accept protocol=udp dst-address=255.255.255.255 in-interface=LAN(eth1) dst-port=20561
11 ;;; Allow the router to be visible via Neighbor Disovery to WinBox on eth3 port
chain=input action=accept protocol=udp dst-address=255.255.255.255 in-interface=ether3 dst-port=5678
12 ;;; LAN services - WinBox MAC on eth3 port (20561/UDP)
chain=input action=accept protocol=udp dst-address=255.255.255.255 in-interface=ether3 dst-port=20561
13 ;;; Allow the router to be visible via Neighbor Disovery to WinBox on eth4 port
chain=input action=accept protocol=udp dst-address=255.255.255.255 in-interface=ether4 dst-port=5678
14 ;;; LAN services - WinBox MAC on eth4 port (20561/UDP)
chain=input action=accept protocol=udp dst-address=255.255.255.255 dst-address-type="" in-interface=ether4 dst-port=20561
15 X ;;; Block port scans
chain=sanity-check action=add-src-to-address-list protocol=tcp psd=20,3s,3,1 address-list=blocked-addr address-list-timeout=1d
16 ;;; Block TCP Xmas Scan
chain=sanity-check action=add-src-to-address-list tcp-flags=fin,psh,urg,!fin,!rst,!ack protocol=tcp address-list=blocked-addr address-list-timeout=1d
17 ;;; Block TCP NULL Scan
chain=sanity-check action=add-src-to-address-list tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg protocol=tcp address-list=blocked-addr address-list-timeout=1d
18 ;;; Drop everything that is in bloc-addr list
chain=sanity-check action=jump jump-target=drop src-address-list=blocked-addr
19 ;;; Drop TCP RST
chain=sanity-check action=jump jump-target=drop tcp-flags=rst protocol=tcp
20 ;;; Drop TCP SYN+FIN
chain=sanity-check action=jump jump-target=drop tcp-flags=fin,syn protocol=tcp
21 ;;; Drop invalid connections immediately
chain=sanity-check action=jump jump-target=drop connection-state=invalid
22 ;;; Accept established connections
chain=sanity-check action=accept connection-state=established
23 ;;; Accept related connections
chain=sanity-check action=accept connection-state=related
24 ;;; Log broadcast, multicast packets
chain=sanity-check action=log dst-address-type=broadcast,multicast log-prefix="sanity-check_24"
25 ;;; Drop broadcast, multicast packets
chain=sanity-check action=jump jump-target=drop dst-address-type=broadcast,multicast
26 ;;; Drop illegal destination addresses (packet coming to LAN interface)
chain=sanity-check action=jump jump-target=drop dst-address-type=!local dst-address-list=illegal_addr in-interface=LAN(eth1)
27 ;;; Drop illegal destination addresses (packet coming to DMZ interface)
chain=sanity-check action=jump jump-target=drop dst-address-type=!local dst-address-list=illegal_addr in-interface=DMZ(eth2)
28 ;;; Drop everything that comes to LAN interface, but not with LAN source address
chain=sanity-check action=jump jump-target=drop src-address-list=!LAN in-interface=LAN(eth1)
29 ;;; Drop everything that comes to DMZ interface, but not with DMZ source address
chain=sanity-check action=jump jump-target=drop src-address-list=!DMZ in-interface=DMZ(eth2)
30 ;;; Drop packets with illegal source addresse that come to WAN interface
chain=sanity-check action=jump jump-target=drop src-address-list=illegal_addr in-interface=WAN(eth5)
31 ;;; Drop all traffic that comes from broadcast or multicast address
chain=sanity-check action=jump jump-target=drop src-address-type=broadcast,multicast
32 ;;; Allow local traffice between Router's application
chain=input action=accept src-address-type=local dst-address-type=local
33 ;;; Enabling DHCP (would not pass sanity-chec so enabling it explicitly before other checks)
chain=input action=jump jump-target=dhcp protocol=udp in-interface=LAN(eth1) port=67,68
34 ;;; Jump to Sanity Check
chain=input action=jump jump-target=sanity-check
35 ;;; Drop all packets in input chain that go to router itself, but do not have destination IP of router itself (including broadcast traf>
)
chain=input action=jump jump-target=drop dst-address-type=!local
36 ;;; Allow limited PING reguests (5pps)
chain=input action=accept protocol=icmp icmp-options=8:0-255 limit=5,5
37 ;;; Allowed services on LAN network
chain=input action=jump jump-target=LAN services in-interface=LAN(eth1)
38 ;;; Allowed services on DMZ network
chain=input action=jump jump-target=DMZ services in-interface=DMZ(eth2)
39 ;;; Allowed services from Internet to WAN_1 IP
chain=input action=jump jump-target=Public-services_1 dst-address=A.A.A.A in-interface=WAN(eth5)
40 ;;; Allowed services from Internet to WAN_2 IP - Web server
chain=input action=jump jump-target=Public-services_2 dst-address=B.B.B.B in-interface=WAN(eth5)
41 ;;; Allowed services from VPN to Router itself
chain=input action=jump jump-target=VPN services src-address-list=VPN
42 ;;; Drop everything else
chain=input action=jump jump-target=drop
43 ;;; DHCP - accept broadcast packets from 0.0.0.0 source address
chain=dhcp action=accept src-address=0.0.0.0 dst-address=255.255.255.255
44 ;;; DHCP - accept packets from source address 0.0.0.0 to be resolved in router - DHCP service
chain=dhcp action=accept src-address=0.0.0.0 dst-address-type=local
45 ;;; DHCP - allow packets with source IP from LAN to be resolved in router (DHCP renewal)
chain=dhcp action=accept dst-address-type=local src-address-list=LAN
46 ;;; LAN services - SSH (22/TCP)
chain=LAN services action=accept protocol=tcp dst-port=22
47 ;;; LAN services - DNS (53/UDP)
chain=LAN services action=accept protocol=udp dst-port=53
48 ;;; LAN services - DNS (53/TCP) - additionally
chain=LAN services action=accept protocol=tcp dst-port=53
49 X ;;; LAN services - HTTP (Web) Proxy (3128/TCP)
chain=LAN services action=accept protocol=tcp dst-port=3128
50 ;;; LAN services - Mikrotik Neighbour Discovery Protocol (5678/UDP)
chain=LAN services action=accept protocol=udp dst-port=5678
51 ;;; LAN services - WinBox (8291/TCP)
chain=LAN services action=accept protocol=tcp dst-port=8291
52 ;;; LAN services - SNMP management (161/UDP)
chain=LAN services action=accept protocol=udp dst-port=161
53 ;;; LAN services - FTP (21/TCP)
chain=LAN services action=accept protocol=tcp dst-port=21
54 X ;;; LAN services - NTP server (123/UDP)
chain=LAN services action=accept protocol=udp dst-port=123
55 ;;; LAN services - Temporary log
chain=LAN services action=log log-prefix="LAN services_55:"
56 ;;; LAN services - Drop everything else
chain=LAN services action=drop
57 ;;; DMZ services - DNS (53/UDP)
chain=DMZ services action=accept protocol=udp dst-port=53
58 ;;; DMZ services - DNS (53/TCP) - additionally
chain=DMZ services action=accept protocol=tcp dst-port=53
59 ;;; DMZ services - Temporary log
chain=DMZ services action=log log-prefix="DMZ services_59:"
61 ;;; Public-services_1 - SSH (22/TCP)
chain=Public-services_1 action=accept protocol=tcp dst-port=22
62 ;;; Public-services_1 - PPTP - VPN (1723/UDP)
chain=Public-services_1 action=accept protocol=tcp dst-port=1723
63 ;;; Public-services_1 - GRE for PPTP - VPN
chain=Public-services_1 action=accept protocol=gre
64 ;;; Public-services_1 services - Temporary log
chain=Public-services_1 action=log log-prefix="Public-servics_1_64:"
65 ;;; Public-services_1 - Drop everything else
chain=Public-services_1 action=drop
66 ;;; Public-services_2 - HTTP port 80 - Web server
chain=Public-services_2 action=accept protocol=tcp dst-port=80
67 ;;; Public-services_2 services - Temporary log
chain=Public-services_2 action=log log-prefix="Public-servics_2_67:"
68 ;;; Public-services_2 - Drop everything else
chain=Public-services_2 action=drop
69 ;;; VPN services - SSH (22/TCP)
chain=VPN services action=accept protocol=tcp dst-port=22
70 ;;; VPN services - Mikrotik Neighbour Discovery Protocol (5678/UDP)
chain=VPN services action=accept protocol=udp dst-port=5678
71 ;;; VPN services - WinBox (8291/TCP)
chain=VPN services action=accept protocol=tcp dst-port=8291
72 ;;; VPN services - SNMP management (161/UDP)
chain=VPN services action=accept protocol=udp dst-port=161
73 ;;; VPN services - FTP (21/TCP)
chain=VPN services action=accept protocol=tcp dst-port=21
74 ;;; VPN services - Temporary log
chain=VPN services action=log log-prefix="VPN services_74:"
75 ;;; VPN services - Drop everything else
chain=VPN services action=drop
76 ;;; Drop - Log before dropping
chain=drop action=log log-prefix="drop_76:"
77 ;;; Drop everything else
chain=drop action=drop
Pay attention to rules 24 and 25 and 76 and 77. I think these are the rules where WinBox traffic should be dropped.
And the log shows that the traffic seems to be matched properly:
02:32:31 firewall,info sanity-check_24 sanity-check: in:DMZ(eth2) out:(none), proto UDP, 10.50.1.2:52367->255.255.255.255:20561, len 50
02:32:31 firewall,info drop_76: drop: in:DMZ(eth2) out:(none), proto UDP, 10.50.1.2:52367->255.255.255.255:20561, len 50
02:32:31 firewall,info sanity-check_24 sanity-check: in:DMZ(eth2) out:(none), proto UDP, 10.50.1.2:52367->255.255.255.255:20561, len 50
02:32:31 firewall,info drop_76: drop: in:DMZ(eth2) out:(none), proto UDP, 10.50.1.2:52367->255.255.255.255:20561, len 50
02:32:31 firewall,info sanity-check_24 sanity-check: in:DMZ(eth2) out:(none), proto UDP, 10.50.1.2:52367->255.255.255.255:20561, len 50
02:32:31 firewall,info drop_76: drop: in:DMZ(eth2) out:(none), proto UDP, 10.50.1.2:52367->255.255.255.255:20561, len 50
02:32:32 firewall,info sanity-check_24 sanity-check: in:DMZ(eth2) out:(none), proto UDP, 10.50.1.2:52367->255.255.255.255:20561, len 50
02:32:32 firewall,info drop_76: drop: in:DMZ(eth2) out:(none), proto UDP, 10.50.1.2:52367->255.255.255.255:20561, len 50
02:32:32 firewall,info sanity-check_24 sanity-check: in:DMZ(eth2) out:(none), proto UDP, 10.50.1.2:52367->255.255.255.255:20561, len 50
02:32:32 firewall,info drop_76: drop: in:DMZ(eth2) out:(none), proto UDP, 10.50.1.2:52367->255.255.255.255:20561, len 50
02:32:32 firewall,info sanity-check_24 sanity-check: in:DMZ(eth2) out:(none), proto UDP, 10.50.1.2:52367->255.255.255.255:20561, len 50
02:32:32 firewall,info drop_76: drop: in:DMZ(eth2) out:(none), proto UDP, 10.50.1.2:52367->255.255.255.255:20561, len 50
02:32:32 firewall,info sanity-check_24 sanity-check: in:DMZ(eth2) out:(none), proto UDP, 10.50.1.2:52367->255.255.255.255:20561, len 50
02:32:32 firewall,info drop_76: drop: in:DMZ(eth2) out:(none), proto UDP, 10.50.1.2:52367->255.255.255.255:20561, len 50
What is the problem?
And if you have any comments about other firewall rules (VPN, DMZ, LAN) that I should have configured differently, please advise me, because I'm not extremely experienced with firewalls.
Thanks!
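As an added example (not part of the original post and not RouterOS code), here is a small Python model of how RouterOS walks the input, sanity-check and drop chains, fed the packet from the log above (in:DMZ(eth2), UDP 10.50.1.2:52367 -> 255.255.255.255:20561). The rule list is a hand-transcribed subset of the printout; the router's own addresses are an assumption, and the rule named "h1" is a hypothetical accept for DMZ(eth2) added only to show how rule order changes the outcome.

```python
"""Trace a packet through a RouterOS-style /ip firewall filter rule set.

Added example, not from the original post. Models filter evaluation: rules of
a chain are tried in order, the first accept/drop is final, log does not
terminate, and a jump whose target chain ends without a verdict returns to
the next rule of the calling chain. Only the matchers this packet can meet
are modelled; omitted rules all need TCP, a packet mark or an address list.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

LOCAL_ADDRS = {"10.10.1.1", "10.50.1.1"}  # assumed router addresses; not shown in the post


@dataclass
class Packet:
    in_iface: str
    proto: str
    src: str
    dst: str
    dport: int
    conn_state: str = "new"


@dataclass
class Rule:
    num: str                      # position in the post's printout; "h1" = hypothetical
    chain: str
    action: str                   # accept | drop | log | jump
    match: dict = field(default_factory=dict)
    target: Optional[str] = None  # jump-target


def addr_type(addr: str) -> str:
    """RouterOS address-type, approximated for the cases this rule set needs."""
    if addr == "255.255.255.255":
        return "broadcast"
    return "local" if addr in LOCAL_ADDRS else "unicast"


def _set_match(value: str, spec: str) -> bool:
    """spec looks like 'broadcast,multicast' or '!local'; a leading '!' negates."""
    wanted = set(spec.lstrip("!").split(","))
    return (value not in wanted) if spec.startswith("!") else (value in wanted)


def matches(r: Rule, p: Packet) -> bool:
    checks = {
        "in-interface": lambda v: p.in_iface == v,
        "protocol": lambda v: p.proto == v,
        "dst-address": lambda v: p.dst == v,
        "dst-port": lambda v: p.dport in v,
        "dst-address-type": lambda v: _set_match(addr_type(p.dst), v),
        "src-address-type": lambda v: _set_match(addr_type(p.src), v),
        "connection-state": lambda v: p.conn_state in v.split(","),
    }
    return all(checks[k](v) for k, v in r.match.items())  # unknown key fails loudly


def walk(chain: str, p: Packet, rules: List[Rule], trace: list) -> Optional[str]:
    """Evaluate one chain: 'accept' or 'drop', or None when the chain runs out."""
    for r in rules:
        if r.chain != chain or not matches(r, p):
            continue
        trace.append((r.num, r.chain, r.action))
        if r.action in ("accept", "drop"):
            return r.action
        if r.action == "jump":
            verdict = walk(r.target, p, rules, trace)
            if verdict:
                return verdict
        # log, or a jump whose target fell through: continue with the next rule
    return None


BCAST_WINBOX = {"protocol": "udp", "dst-address": "255.255.255.255", "dst-port": {20561}}
RULES = [
    # input chain, in the post's order (11-14 repeat 9/10 for ether3/ether4, omitted)
    Rule("9", "input", "accept", {**BCAST_WINBOX, "dst-port": {5678}, "in-interface": "LAN(eth1)"}),
    Rule("10", "input", "accept", {**BCAST_WINBOX, "in-interface": "LAN(eth1)"}),
    Rule("32", "input", "accept", {"src-address-type": "local", "dst-address-type": "local"}),
    Rule("34", "input", "jump", target="sanity-check"),
    Rule("35", "input", "jump", {"dst-address-type": "!local"}, "drop"),
    # sanity-check chain (8 and 15-20 need a packet mark, an address list or TCP: omitted)
    Rule("21", "sanity-check", "jump", {"connection-state": "invalid"}, "drop"),
    Rule("22", "sanity-check", "accept", {"connection-state": "established"}),
    Rule("23", "sanity-check", "accept", {"connection-state": "related"}),
    Rule("24", "sanity-check", "log", {"dst-address-type": "broadcast,multicast"}),
    Rule("25", "sanity-check", "jump", {"dst-address-type": "broadcast,multicast"}, "drop"),
    # rules 26-31 are never reached by a packet that 25 has already sent to 'drop'
    Rule("76", "drop", "log"),
    Rule("77", "drop", "drop"),
]

# The packet from the post's log: in:DMZ(eth2), UDP 10.50.1.2 -> 255.255.255.255:20561
LOGGED = Packet("DMZ(eth2)", "udp", "10.50.1.2", "255.255.255.255", 20561)


def trace_input(p: Packet, rules: List[Rule] = RULES) -> Tuple[Optional[str], list]:
    trace: list = []
    return walk("input", p, rules, trace), trace


def trace_with_dmz_accept(p: Packet) -> Tuple[Optional[str], list]:
    """Hypothetical, for illustration only: an accept for WinBox discovery on DMZ(eth2)
    placed before rule 34, the way rules 9-14 do it for LAN(eth1), ether3 and ether4."""
    h1 = Rule("h1", "input", "accept", {**BCAST_WINBOX, "in-interface": "DMZ(eth2)"})
    return trace_input(p, [h1] + RULES)


if __name__ == "__main__":
    print("as posted:", trace_input(LOGGED))
    print("with DMZ accept:", trace_with_dmz_accept(LOGGED))
```

Run as posted, the trace is 34 -> 24 -> 25 -> 76 -> 77 with verdict drop, which is exactly the pair of log lines in the post: the explicit accepts in 9-14 only name LAN(eth1), ether3 and ether4, so a broadcast arriving on DMZ(eth2) reaches the jump in rule 34 unmatched, is logged by 24 and dropped via 25; and even without that, rule 35 drops anything whose destination is not a router address. With the hypothetical "h1" in front of rule 34 the same packet is accepted at that rule and never enters sanity-check, which is why accepts for services answered on a broadcast address have to sit before the jump, as the existing rules 9-14 do.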