Hi and Help,
Please forgive me if this belongs in the Newbie section or should go to Support rather than Forum (I am not eligible because I bought my router through a reseller of a reseller and it will take forever to get it escalated…) but if I am correct this appears to be a pretty serious “bug” that means anyone with LAN access can try to hack a MikroTik box and the only protection is a password which can’t be protected from a brute force attack.
Problem Description
I cannot block a WinBox connection to a MAC address using filters.
Setup Description
Following my problems with a fairly involved firewall setup I simplified the configuration as much as possible. I reset my RB450G cleared the switch script, added an IP address to port 1 and added 2 very simple firewall rules which I think should block all connection attempts to the router configuration.
MikroTik RouterOS 4.14 (c) 1999-2010 http://www.mikrotik.com/
[admin@MikroTik] > ip firewall filter export
# jan/02/1970 00:04:49 by RouterOS 4.14
# software id = 6KZV-LX84
#
/ip firewall filter
add action=drop chain=input comment="" disabled=no
add action=drop chain=output comment="" disabled=no
I think with this setup I shouldn’t be able to access the configuration at all with any tool. If I try to connect using an IP address the filters work as I would expect and WinBox times out but I can still connect to the box if I use its MAC address.
I think this may be related to the similar DHCP issue in http://forum.mikrotik.com/viewtopic.php?uid=42736&f=2&t=14050&start=0 but this seems a lot more serious.
There may be a possible workaround using Mangle. The packets do go through Input and Output here, but I can’t work out how to block them from Mangle (drop is not an option in mangle).
I am probably missing something, but if I am not, this is a very big hole. It doesn’t seem to be addressed by firewall setups like the examples in the Wiki.
Ben
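As an added example (not part of Ben's post and not a MikroTik-supplied configuration), the usual defender-side mitigation for this is to stop the router from accepting MAC-level management sessions at all, rather than trying to catch them in the IP firewall. The MAC-WinBox and MAC-Telnet servers are configured under `/tool mac-server`, separately from `/ip firewall filter` and `/ip service`. The command forms below are taken from the RouterOS manual for the 4.x/5.x branch and for 6.41 and later; which one applies to a given box, and the interface name `ether1`, are assumptions that should be checked with `print` on the target router before anything is changed.

```routeros
# Show the current MAC-server entries; the default "all" entry accepts
# MAC-WinBox and MAC-Telnet sessions on every interface.
/tool mac-server mac-winbox print
/tool mac-server print

# RouterOS 4.x / 5.x style (assumed to match this RB450G on 4.14):
# disable the MAC-WinBox and MAC-Telnet servers on every interface.
/tool mac-server mac-winbox set [find] disabled=yes
/tool mac-server set [find] disabled=yes

# If MAC-WinBox is needed on one trusted management port only,
# keep it there and nowhere else (ether1 is a placeholder name).
# /tool mac-server mac-winbox set [find] disabled=yes
# /tool mac-server mac-winbox add interface=ether1 disabled=no

# RouterOS 6.41+ style (same intent, different syntax):
# /tool mac-server mac-winbox set allowed-interface-list=none
# /tool mac-server set allowed-interface-list=none

# Stop advertising the router's MAC address via neighbor discovery on
# untrusted interfaces, so it is not handed to every host on the LAN.
/ip neighbor discovery set ether1 discover=no

# Keep normal WinBox reachable only from a management subnet (IP level,
# which the existing /ip firewall filter rules already cover).
/ip service set winbox address=192.168.88.0/24
```

After applying the `mac-server` change, a WinBox connection attempt by MAC address from the LAN should fail while the IP-based connection is still governed by `/ip firewall filter` and `/ip service`; verifying that from a second host is the quickest way to confirm the hole is closed on the version in use.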