Bug in Wiki Article?: Firewall>Protecting your customers?

Hi folks,

I have been playing with the IP>FIREWALL>FILTER settings for the past few days.

I have implemented the firewall settings as per this article: http://wiki.mikrotik.com/wiki/Protecting_your_customers If the article needs an edit I will gladly do it. Is the wiki author here?

Now, everything works as expected EXCEPT for the very last rule:

add chain=forward action=drop comment="drop everything else"

When I deploy this everything works well, except that if that rule shown above is enabled I cannot pass any traffic through the router, except for the ICMP and UDP rules that already allow those types of traffic. Also, funnily enough, HTTP traffic is passed but NOTHING else, no SMTP, no TELNET or anything.

So this makes sense to me, that I would then need to specify and allow all the specific types of traffic that I allow to pass through the router, but the wiki article doesn't imply that's the way it works. It implies that that rule only affects incoming traffic and not necessarily outgoing traffic as well.

My router has 3 interfaces, 1 for the Internet and two for local use. Could that affect it?

Help appreciated, full filter rules in my router below:

/ip firewall filter 
add action=accept chain=forward comment="allow established connections for \
    customers" connection-state=established disabled=no 
add action=accept chain=forward comment="allow related connections for \
    customers" connection-state=related disabled=no 
add action=drop chain=forward comment="drop invalid connections for customers" \
    connection-state=invalid disabled=no 
add action=jump chain=forward comment="jump to the virus chain" disabled=no \
    jump-target=virus 
add action=drop chain=virus comment="Drop Blaster Worm" disabled=no \
    dst-port=135-139 protocol=tcp 
add action=drop chain=virus comment="Drop Messenger Worm" disabled=no \
    dst-port=135-139 protocol=udp 
add action=drop chain=virus comment="Drop Blaster Worm" disabled=no \
    dst-port=445 protocol=tcp 
add action=drop chain=virus comment="Drop Blaster Worm" disabled=no \
    dst-port=445 protocol=udp 
add action=drop chain=virus comment="________" disabled=no dst-port=593 \
    protocol=tcp 
add action=drop chain=virus comment="________" disabled=no dst-port=1024-1030 \
    protocol=tcp 
add action=drop chain=virus comment="Drop MyDoom" disabled=no dst-port=1080 \
    protocol=tcp 
add action=drop chain=virus comment="________" disabled=no dst-port=1214 \
    protocol=tcp 
add action=drop chain=virus comment="ndm requester" disabled=no dst-port=1363 \
    protocol=tcp 
add action=drop chain=virus comment="ndm server" disabled=no dst-port=1364 \
    protocol=tcp 
add action=drop chain=virus comment="screen cast" disabled=no dst-port=1368 \
    protocol=tcp 
add action=drop chain=virus comment="hromgrafx" disabled=no dst-port=1373 \
    protocol=tcp 
add action=drop chain=virus comment="cichlid" disabled=no dst-port=1377 \
    protocol=tcp 
add action=drop chain=virus comment="Worm" disabled=no dst-port=1433-1434 \
    protocol=tcp 
add action=drop chain=virus comment="Bagle Virus" disabled=no dst-port=2745 \
    protocol=tcp 
add action=drop chain=virus comment="Drop Dumaru.Y" disabled=no dst-port=2283 \
    protocol=tcp 
add action=drop chain=virus comment="Drop Beagle" disabled=no dst-port=2535 \
    protocol=tcp 
add action=drop chain=virus comment="Drop Beagle.C-K" disabled=no \
    dst-port=2745 protocol=tcp 
add action=drop chain=virus comment="Drop MyDoom" disabled=no \
    dst-port=3127-3128 protocol=tcp 
add action=drop chain=virus comment="Drop Backdoor OptixPro" disabled=no \
    dst-port=3410 protocol=tcp 
add action=drop chain=virus comment="Worm" disabled=no dst-port=4444 \
    protocol=tcp 
add action=drop chain=virus comment="Worm" disabled=no dst-port=4444 \
    protocol=udp 
add action=drop chain=virus comment="Drop Sasser" disabled=no dst-port=5554 \
    protocol=tcp 
add action=drop chain=virus comment="Drop Beagle.B" disabled=no dst-port=8866 \
    protocol=tcp 
add action=drop chain=virus comment="Drop Dabber.A-B" disabled=no \
    dst-port=9898 protocol=tcp 
add action=drop chain=virus comment="Drop Dumaru.Y" disabled=no dst-port=10000 \
    protocol=tcp 
add action=drop chain=virus comment="Drop MyDoom.B" disabled=no dst-port=10080 \
    protocol=tcp 
add action=drop chain=virus comment="Drop NetBus" disabled=no dst-port=12345 \
    protocol=tcp 
add action=drop chain=virus comment="Drop Kuang2" disabled=no dst-port=17300 \
    protocol=tcp 
add action=drop chain=virus comment="Drop SubSeven" disabled=no dst-port=27374 \
    protocol=tcp 
add action=drop chain=virus comment="Drop PhatBot, Agobot, Gaobot" disabled=no \
    dst-port=65506 protocol=tcp 
add action=accept chain=forward comment="allow ping" disabled=no protocol=icmp 
add action=accept chain=forward comment="allow udp" disabled=no protocol=udp 
add action=drop chain=forward comment="drop everything else" disabled=yes
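The behaviour described in this post, as an added example that is not part of the thread: a small Python model of RouterOS first-match rule evaluation run over a cut-down copy of the export above (the virus chain is abbreviated to two entries). It shows why a new TCP connection such as SMTP or telnet falls through to "drop everything else" while established traffic, ICMP and UDP are accepted, and what changes when that last rule is disabled. It assumes RouterOS's default of accepting a packet that matches no rule in the chain.

```python
"""Toy model of /ip firewall filter matching (constructed example, not RouterOS code).

First matching rule wins. action=jump enters another chain; if nothing in that
chain matches, evaluation continues with the next rule of the parent chain.
A packet that reaches the end of the forward chain is accepted (RouterOS default).
"""
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class Rule:
    chain: str
    action: str                                   # accept | drop | jump
    protocol: Optional[str] = None
    dst_ports: Optional[Tuple[int, int]] = None   # inclusive port range
    connection_state: Optional[str] = None
    jump_target: Optional[str] = None
    disabled: bool = False
    comment: str = ""

def matches(rule: Rule, pkt: dict) -> bool:
    if rule.disabled:
        return False
    if rule.protocol and rule.protocol != pkt["protocol"]:
        return False
    if rule.dst_ports and not (rule.dst_ports[0] <= pkt.get("dst_port", -1) <= rule.dst_ports[1]):
        return False
    if rule.connection_state and rule.connection_state != pkt["state"]:
        return False
    return True

def evaluate(rules, pkt: dict, chain: str = "forward"):
    """Return (action, comment) of the first matching terminal rule, or None if none matched."""
    for r in rules:
        if r.chain != chain or not matches(r, pkt):
            continue
        if r.action == "jump":
            sub = evaluate(rules, pkt, r.jump_target)
            if sub is not None:
                return sub
            continue                              # jumped chain fell through; keep going
        return (r.action, r.comment)
    return None

def verdict(pkt: dict, rules) -> Tuple[str, str]:
    return evaluate(rules, pkt) or ("accept", "no rule matched (RouterOS default)")

# Abbreviated mirror of the poster's export, with the last rule enabled as in the test described.
RULES = [
    Rule("forward", "accept", connection_state="established", comment="allow established"),
    Rule("forward", "accept", connection_state="related", comment="allow related"),
    Rule("forward", "drop", connection_state="invalid", comment="drop invalid"),
    Rule("forward", "jump", jump_target="virus", comment="jump to the virus chain"),
    Rule("virus", "drop", protocol="tcp", dst_ports=(135, 139), comment="Drop Blaster Worm"),
    Rule("virus", "drop", protocol="tcp", dst_ports=(4444, 4444), comment="Worm"),
    Rule("forward", "accept", protocol="icmp", comment="allow ping"),
    Rule("forward", "accept", protocol="udp", comment="allow udp"),
    Rule("forward", "drop", comment="drop everything else"),
]
RULES_LAST_DISABLED = RULES[:-1] + [Rule("forward", "drop", disabled=True, comment="drop everything else")]
```

Feeding a new SMTP connection (`{"protocol": "tcp", "dst_port": 25, "state": "new"}`) through `verdict` hits "drop everything else" with RULES and the default accept with RULES_LAST_DISABLED, which is the difference the post observes.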

You are right, the drop rule is out of place. Somebody wanted to expand a small article but forgot to do some changes.

The examples in the wiki are meant only for experiments, to make you understand the firewall better. It's not meant for using as-is.

Ok, I have understood the firewall now.

Sometimes it is useful to be thrown a wildcard like that in the wiki as it forces me to go and troubleshoot and therefore learn.

I will make an edit to the wiki to point out that, and maybe improve a bit.

Cheers,

Alex

Ok Folks,

I have made a small edit to the wiki article to clarify how it's working.

The wiki article in question can be found here: http://wiki.mikrotik.com/wiki/Protecting_your_customers

Can everybody check it and let me know if I goofed up?

Thanks.

Alex