Can bridge be used as firewall, and if so, how?
RouterOS general discussion

8 posts   •   Page 1 of 1
eugenevdm
Member Candidate
Posts: 207
Joined: Tue Jun 01, 2004 12:23 pm
Location: Stellenbosch, South Africa

Can bridge be used as firewall, and if so, how?

by eugenevdm » Thu Jan 26, 2012 10:59 am

We have this setup:

Internet
|
Core Router
|
MikroTik (Transparent) Bridge
|
Windows 2008 Server with RDP

On MT Bridge, we have this rule:

/ip firewall filter chain=forward action=drop protocol=tcp dst-address=196.x.x.x dst-port=!3389

The idea is that all packets from the outside except RDP (port 3389) are dropped.

The rule fails because it's a bridge and now any traffic originating from the RDP server is also dropped.

How can we do this?
The Snowball Effect
Superior Internet Solutions

Aug
Member Candidate
Posts: 299
Joined: Thu Jun 07, 2007 2:10 am

Re: Can bridge be used as firewall, and if so, how?

by Aug » Thu Jan 26, 2012 1:04 pm

bridge > settings > use ip firewall
Aug

eugenevdm
Member Candidate
Posts: 207
Joined: Tue Jun 01, 2004 12:23 pm
Location: Stellenbosch, South Africa

Re: Can bridge be used as firewall, and if so, how?

by eugenevdm » Thu Jan 26, 2012 1:35 pm

>bridge > settings > use ip firewall

Already done, doesn't work.

Because bridge has no src interface or dst interface, all traffic is just "bridge".

Sure traffic gets in:

Internet Src->Firewall->OK @ 3389

but traffic also goes out

RDP Src->Firewall->Internet->Not OK because !3389 (TCP confirmations use random port)
The Snowball Effect
Superior Internet Solutions

nickshore
Member
Posts: 338
Joined: Thu Mar 03, 2005 5:14 pm
Location: Suffolk, UK.

Re: Can bridge be used as firewall, and if so, how?

by nickshore » Thu Jan 26, 2012 6:25 pm

Should be a filter in bridge, not ip firewall.

e.g.

/interface bridge filter
add action=drop chain=forward dst-address=192.168.55.0/24 dst-port=!3389 ip-protocol=tcp mac-protocol=ip
Nick Shore MTCNA MTCWE MTCRE MTCINE MTCTCE
LinITX.com - MultiThread Consultants
Get your MikroTik RBs and Training: http://linitx.com/brand/mikrotik
Official UK MikroTik Distributor
IRC chan: #routerboard on irc.z.je (IPv4 and IPv6)

Aug
Member Candidate
Posts: 299
Joined: Thu Jun 07, 2007 2:10 am

Re: Can bridge be used as firewall, and if so, how?

by Aug » Thu Jan 26, 2012 9:42 pm

Yes, you can use bridge filter also.

If you want to use ip firewall filter, I believe you need connection tracking enabled and bridge-settings-use ip firewall.

Either way should work.
Aug

eugenevdm
Member Candidate
Posts: 207
Joined: Tue Jun 01, 2004 12:23 pm
Location: Stellenbosch, South Africa

Re: Can bridge be used as firewall, and if so, how?

by eugenevdm » Thu Jan 26, 2012 11:56 pm

> should be a filter in bridge not ip firewall

Thanks nickshore, I ended up doing this, to allow FTP and RDP and block everything else:

/interface bridge filter> pr

Flags: X - disabled, I - invalid, D - dynamic
 0   ;;; Accept ICMP for PING
     chain=forward action=accept mac-protocol=ip dst-address=196.x.x.x/32 ip-protocol=icmp

 1   ;;; Accept FTP Transfer Port
     chain=forward action=accept mac-protocol=ip dst-address=196.x.x.x/32 dst-port=20 ip-protocol=tcp

 2   ;;; Accept FTP Control Port
     chain=forward action=accept mac-protocol=ip dst-address=196.x.x.x/32 dst-port=21 ip-protocol=tcp

 3   ;;; Accept RDP
     chain=forward action=accept mac-protocol=ip dst-address=196.x.x.x/32 dst-port=3389 ip-protocol=tcp

 4   ;;; Log everything that is about to get dropped
     chain=forward action=log mac-protocol=ip dst-address=196.x.x.x/32 ip-protocol=tcp log-prefix="firewall_drop"

 5   ;;; Drop everything
     chain=forward action=drop mac-protocol=ip dst-address=196.x.x.x/32 ip-protocol=tcp


So far so good. I see some packets originating from the server to the outside on port 443, but nmap reports what I want to see, everything blocked except FTP.
The Snowball Effect
Superior Internet Solutions

eugenevdm
Member Candidate
Posts: 207
Joined: Tue Jun 01, 2004 12:23 pm
Location: Stellenbosch, South Africa

Re: Can bridge be used as firewall, and if so, how?

by eugenevdm » Fri Jan 27, 2012 11:35 pm

I confirm packets don't get out of the RDP server. I tried adding this rule:

;;; Allow everything out
     chain=forward action=accept mac-protocol=ip src-address=196.x.x.x/32 ip-protocol=tcp


Sure packets get out, but TCP/IP acknowledgements don't return.

Any advice?
The Snowball Effect
Superior Internet Solutions
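The behaviour eugenevdm describes (server-initiated connections get out, but the replies are dropped) follows directly from the bridge filter being stateless: every rule matches on dst-address=server, so a reply to a connection the server opened arrives with an ephemeral destination port and hits the final drop rule. The simulation below is an added example, not code from the thread or from MikroTik; it replays the posted rule set over constructed packets and contrasts it with the connection-tracked evaluation that use-ip-firewall=yes plus an established,related accept rule gives. 198.51.100.10 is a constructed stand-in for the 196.x.x.x server.

```python
# Constructed stand-in for the thread's 196.x.x.x RDP server and two peers.
SERVER, CLIENT, WEBHOST = "198.51.100.10", "203.0.113.7", "203.0.113.9"

# The stateless bridge filter rule set from the thread (log rule omitted);
# None means the rule does not match on that field. Order matters.
BRIDGE_RULES = [
    ("accept", "icmp", None),
    ("accept", "tcp", 20),
    ("accept", "tcp", 21),
    ("accept", "tcp", 3389),
    ("drop",   "tcp", None),   # ;;; Drop everything (addressed to the server)
]

def pkt(src, sport, dst, dport, proto="tcp"):
    return {"src": src, "sport": sport, "dst": dst, "dport": dport, "proto": proto}

def stateless(p):
    """/interface bridge filter: first match wins, default accept. Every rule
    carries dst-address=SERVER, so packets leaving the server never match."""
    for action, proto, dport in BRIDGE_RULES:
        if p["dst"] == SERVER and p["proto"] == proto and dport in (None, p["dport"]):
            return action
    return "accept"

def stateful(p, table):
    """Mimic use-ip-firewall=yes with connection tracking: a packet of a flow
    already accepted is 'established' and passes; a 'new' flow is judged by
    the same policy and remembered when accepted."""
    fwd = (p["src"], p["sport"], p["dst"], p["dport"], p["proto"])
    rev = (p["dst"], p["dport"], p["src"], p["sport"], p["proto"])
    if fwd in table or rev in table:
        return "accept"                 # connection-state=established,related
    verdict = stateless(p)              # connection-state=new
    if verdict == "accept":
        table.add(fwd)
    return verdict

def run(flow, tracked):
    table = set()
    return [stateful(p, table) if tracked else stateless(p) for p in flow]

# Constructed flows: SYN and SYN-ACK of an inbound RDP session, and of an
# HTTPS connection the server opens itself (the port-443 traffic seen above).
RDP_IN = [pkt(CLIENT, 51000, SERVER, 3389), pkt(SERVER, 3389, CLIENT, 51000)]
HTTPS_OUT = [pkt(SERVER, 49152, WEBHOST, 443), pkt(WEBHOST, 443, SERVER, 49152)]
PROBE = [pkt(CLIENT, 51001, SERVER, 443)]  # unsolicited inbound, must stay blocked

if __name__ == "__main__":
    for name, flow in (("RDP_IN", RDP_IN), ("HTTPS_OUT", HTTPS_OUT), ("PROBE", PROBE)):
        print(name, "stateless:", run(flow, False), "stateful:", run(flow, True))
```

The stateless pass accepts both halves of the inbound RDP session but drops the SYN-ACK of the server's own HTTPS connection, while the tracked pass accepts it and still drops the unsolicited probe.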

lahoras
newbie
Posts: 44
Joined: Mon Aug 13, 2007 2:00 am
Location: Mendoza - Argentina

Re: Can bridge be used as firewall, and if so, how?

by lahoras » Sat Apr 07, 2012 10:14 am

eugenevdm, I'm trying to use the firewall on a bridge to block passthrough between the WLANs of my RB433. My case is similar because I want Windows customers not to be able to access other users who by default accidentally have the same group name and have some resource shared.

It was impossible for me to make that work, until I tried this rule:

chain=forward action=drop mac-protocol=ip src-address=192.168.28.0/28  dst-port=135-139 ip-protocol=udp

If you watch, the difference is the address: it is src and not dst. I was logging connections and here is the answer: the src NATed address does not have the same port. In my case it works fine now; can you check if this works on your net?

Thanks in advance.

ARIEL
