miro10hr
Member Candidate
Topic Author
Posts: 101
Joined: Fri Nov 11, 2011 3:03 pm

Firewall and WinBox problem (Dmitry, NetworkPro)

Tue Jan 10, 2012 4:38 pm

Hi all,

I have one problem that I cannot figure out. I've configured a firewall based on Dmitry on firewalling (http://wiki.mikrotik.com/wiki/Dmitry_on_firewalling) and NetworkPro_on_firewalling (http://wiki.mikrotik.com/wiki/NetworkPro_on_firewalling).

It's a little different because I have one WAN interface with two public IPs (one is for the Web server), a LAN segment, a DMZ segment and a VPN connection, so I tweaked their configurations a bit.

Here is my firewall configuration:
Flags: X - disabled, I - invalid, D - dynamic 
 0   ;;; Allow traffic between clients on LAN
     chain=forward action=accept in-interface=LAN(eth1) out-interface=LAN(eth1) 

 1   ;;; LAN to DMZ traffic
     chain=forward action=accept in-interface=LAN(eth1) out-interface=DMZ(eth2) 

 2 X ;;; DMZ to LAN traffic
     chain=forward action=accept in-interface=DMZ(eth2) out-interface=LAN(eth1) 

 3   ;;; VPN to LAN traffic
     chain=forward action=accept src-address-list=VPN dst-address-list=LAN 

 4   ;;; VPN to DMZ traffic
     chain=forward action=accept src-address-list=VPN dst-address-list=DMZ 

 5   ;;; Sanity check forward
     chain=forward action=jump jump-target=sanity-check 

 6   ;;; WAN to Web Server (DMZ) traffic
     chain=forward action=accept protocol=tcp in-interface=WAN(eth5) out-interface=DMZ(eth2) dst-port=80 

 7   ;;; Drop everything that is not explicitly forwarded
     chain=forward action=jump jump-target=drop 

 8   ;;; Deny illegal NAT Traversal
     chain=sanity-check action=jump jump-target=drop packet-mark=illegal-nat-traversal 

 9   ;;; Allow the router to be visible via Neighbor Discovery to WinBox on LAN port
     chain=input action=accept protocol=udp dst-address=255.255.255.255 in-interface=LAN(eth1) dst-port=5678 

10   ;;; LAN services - WinBox MAC on LAN port (20561/UDP)
     chain=input action=accept protocol=udp dst-address=255.255.255.255 in-interface=LAN(eth1) dst-port=20561 

11   ;;; Allow the router to be visible via Neighbor Discovery to WinBox on eth3 port
     chain=input action=accept protocol=udp dst-address=255.255.255.255 in-interface=ether3 dst-port=5678 

12   ;;; LAN services - WinBox MAC on eth3 port (20561/UDP)
     chain=input action=accept protocol=udp dst-address=255.255.255.255 in-interface=ether3 dst-port=20561 

13   ;;; Allow the router to be visible via Neighbor Discovery to WinBox on eth4 port
     chain=input action=accept protocol=udp dst-address=255.255.255.255 in-interface=ether4 dst-port=5678 

14   ;;; LAN services - WinBox MAC on eth4 port (20561/UDP)
     chain=input action=accept protocol=udp dst-address=255.255.255.255 dst-address-type="" in-interface=ether4 dst-port=20561 

15 X ;;; Block port scans
     chain=sanity-check action=add-src-to-address-list protocol=tcp psd=20,3s,3,1 address-list=blocked-addr address-list-timeout=1d 

16   ;;; Block TCP Xmas Scan
     chain=sanity-check action=add-src-to-address-list tcp-flags=fin,psh,urg,!fin,!rst,!ack protocol=tcp address-list=blocked-addr 
     address-list-timeout=1d 

17   ;;; Block TCP NULL Scan
     chain=sanity-check action=add-src-to-address-list tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg protocol=tcp address-list=blocked-addr 
     address-list-timeout=1d 

18   ;;; Drop everything that is in blocked-addr list
     chain=sanity-check action=jump jump-target=drop src-address-list=blocked-addr 

19   ;;; Drop TCP RST
     chain=sanity-check action=jump jump-target=drop tcp-flags=rst protocol=tcp 

20   ;;; Drop TCP SYN+FIN
     chain=sanity-check action=jump jump-target=drop tcp-flags=fin,syn protocol=tcp 

21   ;;; Drop invalid connections immediately
     chain=sanity-check action=jump jump-target=drop connection-state=invalid 

22   ;;; Accept established connections
     chain=sanity-check action=accept connection-state=established 

23   ;;; Accept related connections
     chain=sanity-check action=accept connection-state=related 

24   ;;; Log broadcast, multicast packets
     chain=sanity-check action=log dst-address-type=broadcast,multicast log-prefix="sanity-check_24" 

25   ;;; Drop broadcast, multicast packets
     chain=sanity-check action=jump jump-target=drop dst-address-type=broadcast,multicast 

26   ;;; Drop illegal destination addresses (packet coming to LAN interface)
     chain=sanity-check action=jump jump-target=drop dst-address-type=!local dst-address-list=illegal_addr in-interface=LAN(eth1) 

27   ;;; Drop illegal destination addresses (packet coming to DMZ interface)
     chain=sanity-check action=jump jump-target=drop dst-address-type=!local dst-address-list=illegal_addr in-interface=DMZ(eth2) 

28   ;;; Drop everything that comes to LAN interface, but not with LAN source address
     chain=sanity-check action=jump jump-target=drop src-address-list=!LAN in-interface=LAN(eth1) 

29   ;;; Drop everything that comes to DMZ interface, but not with DMZ source address
     chain=sanity-check action=jump jump-target=drop src-address-list=!DMZ in-interface=DMZ(eth2) 

30   ;;; Drop packets with illegal source addresses that come to WAN interface
     chain=sanity-check action=jump jump-target=drop src-address-list=illegal_addr in-interface=WAN(eth5) 

31   ;;; Drop all traffic that comes from broadcast or multicast address
     chain=sanity-check action=jump jump-target=drop src-address-type=broadcast,multicast 

32   ;;; Allow local traffic between the router's applications
     chain=input action=accept src-address-type=local dst-address-type=local 

33   ;;; Enabling DHCP (would not pass sanity-check, so enabling it explicitly before other checks)
     chain=input action=jump jump-target=dhcp protocol=udp in-interface=LAN(eth1) port=67,68 

34   ;;; Jump to Sanity Check
     chain=input action=jump jump-target=sanity-check 

35   ;;; Drop all packets in input chain that go to router itself, but do not have destination IP of router itself (including broadcast traf>
)
     chain=input action=jump jump-target=drop dst-address-type=!local 

36   ;;; Allow limited PING requests (5pps)
     chain=input action=accept protocol=icmp icmp-options=8:0-255 limit=5,5 

37   ;;; Allowed services on LAN network
     chain=input action=jump jump-target=LAN services in-interface=LAN(eth1) 

38   ;;; Allowed services on DMZ network
     chain=input action=jump jump-target=DMZ services in-interface=DMZ(eth2) 

39   ;;; Allowed services from Internet to WAN_1 IP
     chain=input action=jump jump-target=Public-services_1 dst-address=A.A.A.A in-interface=WAN(eth5) 

40   ;;; Allowed services from Internet to WAN_2 IP - Web server
     chain=input action=jump jump-target=Public-services_2 dst-address=B.B.B.B in-interface=WAN(eth5) 

41   ;;; Allowed services from VPN to Router itself
     chain=input action=jump jump-target=VPN services src-address-list=VPN 

42   ;;; Drop everything else
     chain=input action=jump jump-target=drop 

43   ;;; DHCP - accept broadcast packets from 0.0.0.0 source address
     chain=dhcp action=accept src-address=0.0.0.0 dst-address=255.255.255.255 

44   ;;; DHCP - accept packets from source address 0.0.0.0 to be resolved in router - DHCP service
     chain=dhcp action=accept src-address=0.0.0.0 dst-address-type=local 

45   ;;; DHCP - allow packets with source IP from LAN to be resolved in router (DHCP renewal)
     chain=dhcp action=accept dst-address-type=local src-address-list=LAN 

46   ;;; LAN services - SSH (22/TCP)
     chain=LAN services action=accept protocol=tcp dst-port=22 

47   ;;; LAN services - DNS (53/UDP)
     chain=LAN services action=accept protocol=udp dst-port=53 

48   ;;; LAN services - DNS (53/TCP) - additionally
     chain=LAN services action=accept protocol=tcp dst-port=53 

49 X ;;; LAN services - HTTP (Web) Proxy (3128/TCP)
     chain=LAN services action=accept protocol=tcp dst-port=3128 

50   ;;; LAN services - Mikrotik Neighbour Discovery Protocol (5678/UDP)
     chain=LAN services action=accept protocol=udp dst-port=5678 

51   ;;; LAN services - WinBox (8291/TCP)
     chain=LAN services action=accept protocol=tcp dst-port=8291 

52   ;;; LAN services - SNMP management (161/UDP)
     chain=LAN services action=accept protocol=udp dst-port=161 

53   ;;; LAN services - FTP (21/TCP)
     chain=LAN services action=accept protocol=tcp dst-port=21 

54 X ;;; LAN services - NTP server (123/UDP)
     chain=LAN services action=accept protocol=udp dst-port=123 

55   ;;; LAN services - Temporary log
     chain=LAN services action=log log-prefix="LAN services_55:" 

56   ;;; LAN services - Drop everything else
     chain=LAN services action=drop 

57   ;;; DMZ services - DNS (53/UDP)
     chain=DMZ services action=accept protocol=udp dst-port=53 

58   ;;; DMZ services - DNS (53/TCP) - additionally
     chain=DMZ services action=accept protocol=tcp dst-port=53 

59   ;;; DMZ services - Temporary log
     chain=DMZ services action=log log-prefix="DMZ services_59:" 

61   ;;; Public-services_1 - SSH (22/TCP)
     chain=Public-services_1 action=accept protocol=tcp dst-port=22 

62   ;;; Public-services_1 - PPTP - VPN (1723/TCP)
     chain=Public-services_1 action=accept protocol=tcp dst-port=1723 

63   ;;; Public-services_1 - GRE for PPTP - VPN
     chain=Public-services_1 action=accept protocol=gre 

64   ;;; Public-services_1 services - Temporary log
     chain=Public-services_1 action=log log-prefix="Public-servics_1_64:" 

65   ;;; Public-services_1 - Drop everything else
     chain=Public-services_1 action=drop 

66   ;;; Public-services_2 - HTTP port 80 - Web server
     chain=Public-services_2 action=accept protocol=tcp dst-port=80 

67   ;;; Public-services_2 services - Temporary log
     chain=Public-services_2 action=log log-prefix="Public-servics_2_67:" 

68   ;;; Public-services_2 - Drop everything else
     chain=Public-services_2 action=drop 

69   ;;; VPN services - SSH (22/TCP)
     chain=VPN services action=accept protocol=tcp dst-port=22 

70   ;;; VPN services - Mikrotik Neighbour Discovery Protocol (5678/UDP)
     chain=VPN services action=accept protocol=udp dst-port=5678 

71   ;;; VPN services - WinBox (8291/TCP)
     chain=VPN services action=accept protocol=tcp dst-port=8291 

72   ;;; VPN services - SNMP management (161/UDP)
     chain=VPN services action=accept protocol=udp dst-port=161 

73   ;;; VPN services - FTP (21/TCP)
     chain=VPN services action=accept protocol=tcp dst-port=21 

74   ;;; VPN services - Temporary log
     chain=VPN services action=log log-prefix="VPN services_74:" 

75   ;;; VPN services - Drop everything else
     chain=VPN services action=drop 

76   ;;; Drop - Log before dropping
     chain=drop action=log log-prefix="drop_76:" 

77   ;;; Drop everything else
     chain=drop action=drop
My problem is that I don't want to have WinBox MAC access from the DMZ segment, and although I think that everything is configured properly, somehow I still have access. I connect a laptop to the DMZ segment, give it an IP from that segment and can connect with WinBox.

Pay attention to rules 24 and 25 and 76 and 77. I think these are the rules where WinBox traffic should be dropped.
And the log shows that traffic seems to be matched properly:
02:32:31 firewall,info sanity-check_24 sanity-check: in:DMZ(eth2) out:(none), proto UDP, 10.50.1.2:52367->255.255.255.255:20561, len 50 
02:32:31 firewall,info drop_76: drop: in:DMZ(eth2) out:(none), proto UDP, 10.50.1.2:52367->255.255.255.255:20561, len 50 
02:32:31 firewall,info sanity-check_24 sanity-check: in:DMZ(eth2) out:(none), proto UDP, 10.50.1.2:52367->255.255.255.255:20561, len 50 
02:32:31 firewall,info drop_76: drop: in:DMZ(eth2) out:(none), proto UDP, 10.50.1.2:52367->255.255.255.255:20561, len 50 
02:32:31 firewall,info sanity-check_24 sanity-check: in:DMZ(eth2) out:(none), proto UDP, 10.50.1.2:52367->255.255.255.255:20561, len 50 
02:32:31 firewall,info drop_76: drop: in:DMZ(eth2) out:(none), proto UDP, 10.50.1.2:52367->255.255.255.255:20561, len 50 
02:32:32 firewall,info sanity-check_24 sanity-check: in:DMZ(eth2) out:(none), proto UDP, 10.50.1.2:52367->255.255.255.255:20561, len 50 
02:32:32 firewall,info drop_76: drop: in:DMZ(eth2) out:(none), proto UDP, 10.50.1.2:52367->255.255.255.255:20561, len 50 
02:32:32 firewall,info sanity-check_24 sanity-check: in:DMZ(eth2) out:(none), proto UDP, 10.50.1.2:52367->255.255.255.255:20561, len 50 
02:32:32 firewall,info drop_76: drop: in:DMZ(eth2) out:(none), proto UDP, 10.50.1.2:52367->255.255.255.255:20561, len 50 
02:32:32 firewall,info sanity-check_24 sanity-check: in:DMZ(eth2) out:(none), proto UDP, 10.50.1.2:52367->255.255.255.255:20561, len 50 
02:32:32 firewall,info drop_76: drop: in:DMZ(eth2) out:(none), proto UDP, 10.50.1.2:52367->255.255.255.255:20561, len 50 
02:32:32 firewall,info sanity-check_24 sanity-check: in:DMZ(eth2) out:(none), proto UDP, 10.50.1.2:52367->255.255.255.255:20561, len 50 
02:32:32 firewall,info drop_76: drop: in:DMZ(eth2) out:(none), proto UDP, 10.50.1.2:52367->255.255.255.255:20561, len 50
But I can still use WinBox to log in to the router. I attached a picture from torch taken while I log in to the router. And although this traffic should be dropped, it is correctly identified in the router.
What is the problem?
And if you have some comment about some other firewall rules (VPN, DMZ, LAN) that I should have configured differently, please advise me, because I'm not extremely experienced with firewalls.

Thanks!
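Editor's note, with an added example that is not part of the original post. The log above shows the IP firewall doing exactly what the rules say: the 20561/UDP broadcasts from 10.50.1.2 on DMZ(eth2) are logged by rule 24 and dropped through rule 25 and the drop chain. A MAC-WinBox session coming up anyway is the classic symptom of a service that /ip firewall filter does not govern. The standard explanation is that MAC-Telnet and MAC-WinBox are answered by the MAC server (/tool mac-server), which takes the frames straight off the interface rather than through the IP stack the filter rules protect, so the control that actually restricts them is the MAC server's own interface setting, and for the WinBox neighbor list it is /ip neighbor discovery. The fragment below restricts both to LAN(eth1), leaving the DMZ with IP-level access only, which the existing DMZ services chain already limits to DNS. It is written for RouterOS 6.41 or later (interface lists); the RouterOS 5.x equivalent, current when this was posted, is given in the comments. The list name MGMT is an assumption; the interface names are the ones from the posted rules.

```routeros
# Added example (editor's, not from the original post and not a MikroTik
# document). Assumes RouterOS 6.41+; the interface list name MGMT is an
# assumption, the interface names LAN(eth1) and DMZ(eth2) come from the post.

# --- weak setting (the factory default): MAC-WinBox, MAC-Telnet and
# --- neighbor discovery answer on every interface, DMZ included.
# /tool mac-server set allowed-interface-list=all
# /tool mac-server mac-winbox set allowed-interface-list=all
# /ip neighbor discovery-settings set discover-interface-list=all

# --- corrected: layer-2 management only from the LAN port ---------------
/interface list add name=MGMT comment="interfaces allowed to reach MAC-WinBox, MAC-Telnet and neighbor discovery"
/interface list member add list=MGMT interface="LAN(eth1)"

/tool mac-server set allowed-interface-list=MGMT
/tool mac-server mac-winbox set allowed-interface-list=MGMT
/tool mac-server ping set enabled=no
/ip neighbor discovery-settings set discover-interface-list=MGMT

# --- check: each should now show MGMT, and ping should show enabled: no --
/tool mac-server print
/tool mac-server mac-winbox print
/tool mac-server ping print
/ip neighbor discovery-settings print

# --- RouterOS 5.x (version at the time of the post): no interface lists,
# --- one entry per interface instead. Same intent, older syntax:
#   /tool mac-server mac-winbox remove [find interface=all]
#   /tool mac-server mac-winbox add interface="LAN(eth1)" disabled=no
#   /tool mac-server remove [find interface=all]
#   /tool mac-server add interface="LAN(eth1)" disabled=no
#   /ip neighbor discovery set "DMZ(eth2)" discover=no
```

After applying this, the 20561 broadcasts from the DMZ laptop will still appear as drop_76 entries, because the IP firewall behaves exactly as before; what should change is that WinBox can no longer open a MAC session from that segment, so repeat the laptop test to confirm. The input-chain accepts for 5678 and 20561 on LAN(eth1), ether3 and ether4 (rules 9 to 14) can stay, since they govern only the IP-side broadcasts, but they are not what keeps the DMZ out. Interface names containing parentheses are quoted in the commands above because the CLI otherwise treats the parentheses as syntax.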
