Bridge Question

nbk · June 17, 2008, 3:19pm

I am replacing a firebox in one of my locations. The firebox is set in drop in mode so I had to bridge my External Port and DMZ port on my mikrotik install. I have the bridge setup and it passes traffic, however when I set firewall rules for my DMZ none are taking effect. I have made sure I told it to use the IP Firewall. Anyone have any suggestions. Here is a bit of the config. I am testing using ICMP to my DMZ

/interface bridge port
add bridge=bridge1 comment=“” disabled=no edge=auto external-fdb=auto
horizon=none interface=ether1-External path-cost=10 point-to-point=auto
priority=0x80
add bridge=bridge1 comment=“” disabled=no edge=auto external-fdb=auto
horizon=none interface=ether2-Optional path-cost=10 point-to-point=auto
priority=0x80
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-vlan=yes

/ip firewall filter
add action=accept chain=forward comment=“Allow all outgoing” disabled=no
out-interface=bridge1
add action=accept chain=forward comment=“” disabled=no
src-address=216.234.27.0/24
add action=accept chain=forward comment=“” connection-state=established
disabled=no
add action=drop chain=forward comment=“” disabled=no protocol=udp
add action=drop chain=forward comment=“” disabled=no protocol=tcp
add action=drop chain=forward comment=“” disabled=no protocol=icmp

msorensen · June 17, 2008, 3:35pm

For reasons that I do not understand, those rules did apply to bridged traffic on versions of RouterOS… until version 3.

Now you have to specifically enable firewall rules on the bridge.

From WinBox/Bridge, Bridge Tab, Settings button, check “use IP firewall”

Or:

/interface bridge settings
set use-ip-firewall=yes

nbk · June 17, 2008, 3:43pm

The odd thing is I do have that set.

msorensen · June 17, 2008, 3:52pm

That is an odd set of FW rules…

In fact, reading this one:

add action=accept chain=forward comment=“Allow all outgoing” disabled=no
out-interface=bridge1

… makes me wonder if that rule would accept everything… because in a bridge all “foreward” packets come in from the Bridge, and all packets go out to the Bridge.

Perhaps you could describe exactly what traffic (protocol & port) that you are hoping to drop. And exactly what traffic (protocol & port) that you are hoping to accept.

nbk · June 17, 2008, 4:37pm

The real you asked about was to allow all outgoing traffic. We are trying to block anything except for what we explicitly open. This is working now when you meantioned the rule I got to thinking about it and moved the outgoing rule to the bottom and it started to work. When we have set these up in the past we always had the outgoing rules before the deny and everything worked fine. I just wonder if it’s something with using the bridge.

msorensen · June 17, 2008, 4:49pm

We are trying to block anything except for what we explicitly open

that is the correct approach for a protective firewall.

it looks like your current rules where an effort to allow ANYTHING from your internal network (you’re calling it a DMZ). And are allowing ANYTHING from 216.234.27.0/24. And then want to drop everything else…

This is how I would write that…

add chain=forward connection-state=invalid action=drop comment=“Drop Invalid” disabled=no
add chain=forward connection-state=established action=accept comment=“Allow Established Connections” disabled=no
add chain=forward connection-state=related action=accept comment=“Allow Related Connections” disabled=no
add chain=forward src-address= action=accept disabled=no
add chain=forward src-address=216.234.27.0/24 action=accept disabled=no
add chain=forward action=drop comment=“Drop Everything Else” disabled=no

But… instead of

add chain=forward src-address= action=accept disabled=no
add chain=forward src-address=216.234.27.0/24 action=accept disabled=no

I would suggest writing rules which only allow certain protocols/ports to be accepted.

And, only from (and/or to) certain specified IP blocks when it is possible to narrow it down to that level…

msorensen · June 17, 2008, 5:02pm

When we have set these up in the past we always had the outgoing rules before the deny and everything worked fine. I just wonder if it’s something with using the bridge.

I think that one problem with the bridge is that from the perspective of the forward firewall chains, all packets come in from the bridge, and all packets depart and are outbound to the bridge.

For “source” and “destination” I would suggest thinking in terms of specific IP address, and specify “source” and/or “desitination” protocols/ports and specify IP address blocks whenever possible.

And…

When we have set these up in the past we always had the outgoing rules before the deny

Mikrotik (and all other commercial grade firewalls that I can think of) processes the rules in numerical order. As soon as there is a “Match” (when that packet matches the rule) the “Action” is then executed.

If the Action was “accept” or “drop” - that’s it - game over - Mikrotik accepts or drops as instructed - no further processing is done.

So… you need to mentally process the rules in the order in which you place them.

Normally, when writing protective firewall rules, you would want to write rules in the following order:

Drop traffic that you definately do not want, defined as broadly as possible.
Specifically accept traffic that you do want, with the tightest possible definition of source and destination protocols & ports, and source and destination ip address blocks.
Drop everything else.

nbk · June 17, 2008, 5:57pm

The problem in the end was with this

add chain=forward connection-state=established action=accept comment=“Allow Established Connections” disabled=no

The action should have been outgoing. I was not paying full attention to what I was doing. Thank you for your help…

shanen_au · February 5, 2009, 10:50am

Thanks