I don't see what I am doing wrong, please advise. I run the proxy service on port 8080. I have a rule to deny users that I do not want to use the proxy via a “/ip proxy access” rule, but I want to refuse users coming in on ether1 from connecting to port 8080 at all via a firewall rule.
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; Drop external proxy request
chain=input in-interface=ether1 dst-port=8080 action=drop
As you can see above, my first firewall rule says to block inbound connections to the router on port 8080, but if I look at the connection list, I see attempts being allowed to connect
Flags: S - seen reply, A - assured
# PR.. SRC-ADDRESS DST-ADDRESS TCP-STATE TIMEOUT
0 S tcp 59.61.157.254:1175 64.105.225.181:8080 close 23h18m27s
1 S tcp 59.61.157.254:2957 64.105.225.181:8080 close 23h18m28s
2 S tcp 81.56.164.158:24334 64.105.225.181:8080 close 23h18m30s
3 S tcp 59.61.157.254:3616 64.105.225.181:8080 close 23h18m30s
4 S tcp 81.56.164.158:28202 64.105.225.181:8080 close 23h18m32s
5 S tcp 59.61.157.254:1453 64.105.225.181:8080 close 23h18m32s
6 S tcp 59.61.157.254:3049 64.105.225.181:8080 close 23h18m37s
7 S tcp 59.61.157.254:3582 64.105.225.181:8080 close 23h18m41s
8 S tcp 59.61.157.254:4511 64.105.225.181:8080 close 23h18m41s
9 S tcp 59.61.157.254:2697 64.105.225.181:8080 close 23h18m41s
10 S tcp 59.61.157.254:4226 64.105.225.181:8080 close 23h18m41s
11 S tcp 59.61.157.254:4867 64.105.225.181:8080 close 23h18m47s
and the hit count goes up on my rule in “ip proxy access” which denies them. Therefore the requests are still getting through on port 8080 to the proxy which it denies. I just don't want any hits from ether1 to come in at all…
I looked at the things you suggested, but it is not helping me to determine how to rewrite the firewall rule.
If I send you a supout file do you think you can see why I am not able to block traffic from ether1 talking to the proxy at port 8080. The reason I want to block it at the firewall is because I use the web-proxy logs for certain reasons, but I do not want to see the log the entries where action=deny from these people on ether1. Therefore, I want the firewall to disallow it. Please help
This rule,
‘ip firewall filter add action=drop chain=input dst-port=8080 protocol=tcp in-interface=ether1’
blocks all traffic that originated to the router with the following options (protocol=tcp in-interface, dst-port).
There is also ‘ip web-proxy access’, that filters data originated to proxy.
My problem is that people on the Internet are constantly trying to use my proxy. I have denied people from using it with a rule in “ip proxy access”. Therefore they are successfully denied. I understand that.
But I do not want them to see the proxy at all!!! I want the firewall to block the requests they are making to the proxy so that I do not have to look at all of the log entries that they are making each time they try to connect to the proxy and get denied.
I put in the firewall rule as listed above, but the requests are still seen by the proxy instead of being thrown away by the firewall rule.
hecklertm,
firewall rule should drop traffic, and there should not be any log entries from web-proxy access (if you don’t have action=log chain=input in firewall).
Actually, it’s better to disallow access at all to the router (proxy), and allow only trusted user’s src-addresses.
This one hits web-proxy, because you have blocked 8080 port in firewall.
HTTP uses 80, that’s why it doesn’t match by firewall rule.
As I said, it’s better to limit all traffic, and allow only trusted hosts in firewall (who uses proxy).
serge: Here is my firewall settings to protect the router. Can you please explain to me where I am allowing users other than the ones I put the rule in as “Local LAN”. I only let the addresses I listed to access the router as you had suggested.
there are also such people that just search for proxy servers and try to connect to them. there are several programs that automate this process. think you are being victim to those searches. and as you have disabled access to your proxy they cannot use that.
FYI to everyone. This issue was not resolved. The mikrotik firewall is not blocking inbound traffic to the proxy service on the router on port 80 and 8080 as it should based on the firewall rules I have in place. Obviously, there is a serious problem causing the firewall rules to not relate to traffic going to the proxy service.
Regardless of whether the proxy access rules can stop someone from using the proxy, the firewall rules should be able to stop them from communicating with the proxy service at all!!! This is a bug. Needs to be fixed.
You can’t block users via the firewall, because it skips the firewall rules due to the DST-NAT rules required by the proxy… Take a look at the Packet Flow section of the documentation, this is not a bug. http://www.mikrotik.com/docs/ros/2.9/ip/flow
If you want to deny users access to the proxy I believe you’d do this in the ACCESS section of the Proxy menu. I’m not sure as I have not used Proxy all that much. Refer to the documentation.
Or redefine the scope of the DST-NAT rule so that it only NAT’s traffic on the interface you are proxying.. I believe this would be the fix.
wildbill: Very interesting thought. Thank you for the effort. I looked into the nat settings and did a “print all” so that I could see the dynamic rules also, and I set any dynamic rules pertaining to non-authenticated hotspot users to not apply to ether1 (which is the ethernet port I do not want the proxy to be visible on). Unfortunately, it did not make a difference. I also did not see any rules in there related to the proxy service. For some reason, the dst rules to redirect the proxy requests are not there. If they were, I would tell the rule to ignore ether1 as you recommended.
In my prior post I called this a “bug” because if there is no way to get around it, then it smells like a bug to me. You came the closest to anyone so far to come up with an idea to why the proxy is circumventing the firewall rules. Any other ideas?
This time move your filter rule up to the top of the list in the INPUT chain. It will block requests to port 8080. At least it did on my router using the proxy in NON-transparent mode (AND in transparent mode). Which is what you seem to be using it in as there are no NAT rules redirecting traffic to port 8080.
Even in transparent mode it will get dropped. So my previous statement about packet flow was incorrect. Unless it gets bypassed for just DST-NAT rules, I currently have a redirect rule in the DST-NAT chain to redirect port 80 traffic to 8080 (for transparent proxy) and the INPUT filter still applies.
My home router is also running 2.9.26. Here’s what the rule looks like as well as my proxy config:
# First rule in INPUT Chain
/ ip firewall filter
add chain=input in-interface=LAN protocol=tcp dst-port=8080 action=drop comment="" disabled=yes
# Proxy config
/ ip proxy
set enabled=yes src-address=0.0.0.0 port=8080 parent-proxy=0.0.0.0:0 cache-administrator="webmaster" \
max-disk-cache-size=none max-ram-cache-size=7334KiB cache-only-on-disk=no maximal-client-connections=1000 \
maximal-server-connections=1000 max-object-size=3667KiB max-fresh-time=3d
/ ip proxy access
add dst-port=23-25 action=deny comment="block telnet & spam e-mail relaying" disabled=no
Are your interfaces bridged maybe? All mine are routed.
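An added example (not posted by anyone in this thread) that puts together the two suggestions above: serge's advice to allow only trusted source addresses to reach the proxy, and wildbill's points about keeping the drop rule at the top of the INPUT chain and scoping the transparent-proxy redirect to the inside interface only. It uses the 2.9-style syntax seen in the thread; the interface names ether1 (Internet side) and LAN (inside), the 192.168.88.0/24 trusted network and the comment strings are assumed placeholders, and the `move` step assumes `[find ...]` returns rule numbers that `move` accepts, as it does on later RouterOS versions.

```routeros
# Added example, not from the thread: allow only trusted hosts to talk to the
# proxy on tcp/8080 and drop everything else before it ever reaches the proxy,
# so "ip proxy access" never sees (or logs) the outside attempts.
# Assumed names: ether1 = Internet-facing port, LAN = inside port,
# 192.168.88.0/24 = placeholder for the trusted client network.

# Keep trusted proxy clients in an address list so the filter rules do not have
# to change when hosts are added or removed.
/ip firewall address-list
add list=proxy-users address=192.168.88.0/24 comment="trusted proxy clients"

/ip firewall filter
# Accept the proxy port only from the trusted list ...
add chain=input protocol=tcp dst-port=8080 src-address-list=proxy-users \
    action=accept comment="proxy: trusted clients only"
# ... and drop it from everyone else, regardless of interface, so a rule that
# matches ether1 alone cannot be sidestepped by a second path into the router.
add chain=input protocol=tcp dst-port=8080 action=drop \
    comment="proxy: drop all other sources"

# Rule order matters in the INPUT chain: an earlier generic accept (for example
# "accept established" or "accept from LAN") would let the packet through before
# the drop is evaluated. Move the two proxy rules to positions 0 and 1.
/ip firewall filter move [find comment="proxy: trusted clients only"] 0
/ip firewall filter move [find comment="proxy: drop all other sources"] 1

# Transparent proxy redirect restricted to the inside interface, so port-80
# traffic arriving on ether1 is never rewritten towards 8080.
/ip firewall nat
add chain=dstnat in-interface=LAN protocol=tcp dst-port=80 \
    action=redirect to-ports=8080 comment="transparent proxy for LAN only"

# Verification: the drop rule's packet counter should climb while the proxy
# access-list deny counter stays flat, and the new connections list should show
# only trusted sources on :8080.
/ip firewall filter print stats
/ip proxy access print
/ip firewall connection print
```

With this layout the "ip proxy access" deny rule remains as a second line of defence, but its hit counter should stop increasing for outside addresses; if it keeps climbing, compare the counters from `print stats` to see whether a rule above the drop is accepting the traffic first.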