eugenevdm
Member Candidate
Topic Author
Posts: 208
Joined: Tue Jun 01, 2004 12:23 pm
Location: Stellenbosch, South Africa

Can bridge be used as firewall, and if so, how?

Thu Jan 26, 2012 9:59 am

We have this setup:

Internet
|
Core Router
|
MikroTik (Transparent) Bridge
|
Windows 2008 Server with RDP

On MT Bridge, we have this rule:

/ip firewall filter chain=forward action=drop protocol=tcp dst-address=196.x.x.x dst-port=!3389

The idea is that all packets from the outside except RDP (port 3389) are dropped.

The rule fails because it's a bridge and now any traffic originating from the RDP server is also dropped.

How can we do this?
 
Aug
Member
Posts: 312
Joined: Thu Jun 07, 2007 2:10 am

Re: Can bridge be used as firewall, and if so, how?

Thu Jan 26, 2012 12:04 pm

bridge > settings > use ip firewall
 
eugenevdm
Member Candidate
Topic Author
Posts: 208
Joined: Tue Jun 01, 2004 12:23 pm
Location: Stellenbosch, South Africa

Re: Can bridge be used as firewall, and if so, how?

Thu Jan 26, 2012 12:35 pm

>bridge > settings > use ip firewall

Already done, doesn't work.

Because the bridge has no src interface or dst interface, all traffic is just "bridge".

Sure, traffic gets in:

Internet Src->Firewall->OK @ 3389

but traffic also goes out

RDP Src->Firewall>Internet->Not OK because !3389 (TCP confirmations use random port)
 
nickshore
Long time Member
Posts: 521
Joined: Thu Mar 03, 2005 4:14 pm
Location: Suffolk, UK.

Re: Can bridge be used as firewall, and if so, how?

Thu Jan 26, 2012 5:25 pm

Should be a filter in bridge, not ip firewall.

e.g.
/interface bridge filter
add action=drop chain=forward dst-address=192.168.55.0/24 dst-port=!3389 ip-protocol=tcp mac-protocol=ip
 
Aug
Member
Posts: 312
Joined: Thu Jun 07, 2007 2:10 am

Re: Can bridge be used as firewall, and if so, how?

Thu Jan 26, 2012 8:42 pm

Yes, you can use bridge filter also.

If you want to use ip firewall filter, I believe you need connection tracking enabled and bridge-settings-use ip firewall.

Either way should work.
 
eugenevdm
Member Candidate
Topic Author
Posts: 208
Joined: Tue Jun 01, 2004 12:23 pm
Location: Stellenbosch, South Africa

Re: Can bridge be used as firewall, and if so, how?

Thu Jan 26, 2012 10:56 pm

>should be a filter in bridge not ip firewall

Thanks nickshore, I ended up doing this, to allow FTP and RDP and block everything else:
/interface bridge filter> pr

Flags: X - disabled, I - invalid, D - dynamic 
 0   ;;; Accept ICMP for PING
     chain=forward action=accept mac-protocol=ip dst-address=196.x.x.x/32 ip-protocol=icmp 

 1   ;;; Accept FTP Transfer Port
     chain=forward action=accept mac-protocol=ip dst-address=196.x.x.x/32 dst-port=20 ip-protocol=tcp 

 2   ;;; Accept FTP Control Port
     chain=forward action=accept mac-protocol=ip dst-address=196.x.x.x/32 dst-port=21 ip-protocol=tcp 

 3   ;;; Accept RDP
     chain=forward action=accept mac-protocol=ip dst-address=196.x.x.x/32 dst-port=3389 ip-protocol=tcp 

 4   ;;; Log everything that is about to get dropped
     chain=forward action=log mac-protocol=ip dst-address=196.x.x.x/32 ip-protocol=tcp log-prefix="firewall_drop" 

 5   ;;; Drop everything
     chain=forward action=drop mac-protocol=ip dst-address=196.x.x.x/32 ip-protocol=tcp 
So far so good. I see some packets originating from the server to the outside on port 443, but nmap reports what I want to see, everything blocked except FTP.
 
eugenevdm
Member Candidate
Topic Author
Posts: 208
Joined: Tue Jun 01, 2004 12:23 pm
Location: Stellenbosch, South Africa

Re: Can bridge be used as firewall, and if so, how?

Fri Jan 27, 2012 10:35 pm

I confirm packets don't get out of the RDP server. I tried adding this rule:
;;; Allow everything out
     chain=forward action=accept mac-protocol=ip src-address=196.x.x.x/32 ip-protocol=tcp 
Sure, packets get out, but TCP/IP acknowledgements don't return.

Any advice?
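The symptom in the last two posts (the server's own connections go out, but their replies never come back) follows from the bridge filter being stateless: every rule keys on dst-address, so a reply to the server, whose dst-port is a random high port, falls through to the final drop rule. The following added example (not from the thread and not RouterOS code) simulates first-match evaluation of the thread's rule set over constructed packets, and models what Aug's connection-tracking suggestion changes; the addresses are documentation-range stand-ins for 196.x.x.x.

```python
from collections import namedtuple
Packet = namedtuple("Packet", "src sport dst dport")
SERVER = "196.0.2.10"  # constructed stand-in for the thread's 196.x.x.x

def matches(rule, pkt):
    """Stateless match: every field the rule names must equal the packet's field."""
    return all(getattr(pkt, f) == v for f, v in rule.items() if f != "action")

def verdict(rules, pkt):
    """First matching accept/drop wins; log rules do not terminate; default is accept."""
    for rule in rules:
        if rule["action"] != "log" and matches(rule, pkt):
            return rule["action"]
    return "accept"

def verdict_stateful(rules, pkt, conns):
    """Simplified model of connection tracking: packets of a connection already
    accepted in either direction bypass the rules. conns is a set of 4-tuples."""
    fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
    if fwd in conns or fwd[2:] + fwd[:2] in conns:
        return "accept"
    v = verdict(rules, pkt)
    if v == "accept":
        conns.add(fwd)
    return v

# Constructed traffic: an inbound RDP session, then an HTTPS fetch the server starts.
FLOWS = [
    ("rdp_in",   Packet("203.0.113.5", 51000, SERVER, 3389)),  # client SYN
    ("rdp_back", Packet(SERVER, 3389, "203.0.113.5", 51000)),  # server SYN-ACK
    ("web_out",  Packet(SERVER, 49152, "198.51.100.7", 443)),  # server SYN out
    ("web_back", Packet("198.51.100.7", 443, SERVER, 49152)),  # reply to the server
]

# The thread's final TCP rules: FTP and RDP to the server accepted, the rest dropped.
# Every rule keys on dst-address, so the server's own outbound SYN is never matched.
THREAD_RULES = [{"action": "accept", "dst": SERVER, "dport": 21},
                {"action": "accept", "dst": SERVER, "dport": 3389},
                {"action": "log", "dst": SERVER},
                {"action": "drop", "dst": SERVER}]

def run(rules, stateful=False):
    """Verdict for each sample packet, in order, stateless or with tracking."""
    conns = set()
    return {name: (verdict_stateful(rules, p, conns) if stateful else verdict(rules, p))
            for name, p in FLOWS}

if __name__ == "__main__":
    print("stateless:", run(THREAD_RULES))                 # web_back: drop
    print("tracked:  ", run(THREAD_RULES, stateful=True))  # web_back: accept
```

The stateless run shows the RDP session passing in both directions while the reply to the server's own HTTPS request is dropped; with tracking, the reply is matched to the accepted outbound SYN and passes.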
 
lahoras
newbie
Posts: 48
Joined: Mon Aug 13, 2007 2:00 am
Location: Tunuyan -Mendoza - Argentina

Re: Can bridge be used as firewall, and if so, how?

Sat Apr 07, 2012 10:14 am

eugenevdm, I'm trying to use firewall on bridge to block passthrough between WLANs of my RB433. My case is similar because I want Windows customers to not be able to access other users that by default accidentally have the same group name and have some resource shared.

It was impossible for me to make that work, until I tried this rule:

chain=forward action=drop mac-protocol=ip src-address=192.168.28.0/28  dst-port=135-139 ip-protocol=udp

If you watch, the difference is the address: that is src and not dst. I was logging connections and here is the answer: the src NATed address does not have the same port. In my case it works fine now; can you check if this works on your net?

Thanks in advance.

ARIEL