We have this setup:
Internet
|
Core Router
|
MikroTik (Transparent) Bridge
|
Windows 2008 Server with RDP
On MT Bridge, we have this rule:
/ip firewall filter chain=forward action=drop protocol=tcp dst-address=196.x.x.x dst-port=!3389
The idea is that all packets from the outside except RDP (port 3389) is dropped.
The rule fails because it’s a bridge and now any traffic originating from the RDP server is also dropped.
How can we do this?
bridge > settings > use ip firewall
bridge > settings > use ip firewall
Already done, doesn’t work.
Because bridge has no src interface or dst interface, all traffic is just “bridge”.
Sure traffic gets in:
Internet Src->Firewall->OK @ 3389
but traffic also goes out
RDP Src->Firewall>Internet->Not OK because !3389 (TCP confirmations use random port)
should be a filter in bridge not ip firewall
eg
/interface bridge filter
add action=drop chain=forward dst-address=192.168.55.0/24 dst-port=!3389 ip-protocol=tcp mac-protocol=ip
yes you can use bridge filter also.
If you want to use ip firewall filter, I believe you need connection tracking enabled and bridge-settings-use ip firewall.
Either way should work.
should be a filter in bridge not ip firewall
Thanks nickshore, I ended up doing this, to allow FTP and RDP and block everything else:
/interface bridge filter> pr
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; Accept ICMP for PING
chain=forward action=accept mac-protocol=ip dst-address=196.x.x.x/32 ip-protocol=icmp
1 ;;; Accept FTP Transfer Port
chain=forward action=accept mac-protocol=ip dst-address=196.x.x.x/32 dst-port=20 ip-protocol=tcp
2 ;;; Accept FTP Control Port
chain=forward action=accept mac-protocol=ip dst-address=196.x.x.x/32 dst-port=21 ip-protocol=tcp
3 ;;; Accept RDP
chain=forward action=accept mac-protocol=ip dst-address=196.x.x.x/32 dst-port=3389 ip-protocol=tcp
4 ;;; Log everything that is about to get dropped
chain=forward action=log mac-protocol=ip dst-address=196.x.x.x/32 ip-protocol=tcp log-prefix="firewall_drop"
5 ;;; Drop everything
chain=forward action=drop mac-protocol=ip dst-address=196.x.x.x/32 ip-protocol=tcp
So far so good. I see some packets originating from the server to the outside on port 443, but nmap reports what I want to see, everything blocked except FTP.
I confirm packets don’t get out of the RDP server. I tried adding this rule:
;;; Allow everything out
chain=forward action=accept mac-protocol=ip src-address=196.x.x.x/32 ip-protocol=tcp
Sure packets get out, but TCP/IP acknowledgements don’t return.
Any advice?
eugenevdm,i’m trying use firewall on bridge to block passthrough between wlans of my RB433, my case is similar because I want that windows customers can not access to other users that by default accidentaly have same group name and have any resource shared.
It was imposible for me makes that works, until I try this rule:
chain=forward action=drop mac-protocol=ip src-address=192.168.28.0/28 dst-port=135-139 ip-protocol=udp
If you wacht diference is adress, that is src and not dst, I was loging connections and here is the answer, src nated address has not the same port, in my case works fine now, can you check if this works on your net?
thanks in advance.
ARIEL