If I activate the catch-all rule in the firewall filter, I no longer have access to the router and no longer have internet access.
Is this a bug, or am I doing something wrong?
RB1100AHx4 with RouterOS 6.43.8
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="blok externe dns aanvragen udp" dst-port=53 in-interface=ether1 protocol=udp
add action=drop chain=input comment="blok externe dns aanvragen tcp" dst-port=53 in-interface=ether1 protocol=tcp
add action=drop chain=forward comment="drop bogon list" dst-address-list=bogons log=yes log-prefix=bogon-list
add action=drop chain=input comment="drop ongeautoriseerde logins naar de router toe" dst-address-list=routers dst-port=21,22,23,80,443,8291 protocol=tcp src-address-list=!management
add action=drop chain=input comment="Catch all rule"
I sense some inconsistency in how you refer to the WAN and LAN interfaces … in some rules you're using the WAN interface list, in some the ether1 port. Check into it.
How does the "lack of internet connectivity" show? You can't do anything at all (not even telnet to Google's HTTP server on port 80, i.e. telnet 216.58.205.100 80), or does something else (important), such as DNS resolving, not work?
Rules for chain=forward don't explain the lack of internet connectivity … unless you're using some kind of SOCKS proxy which is supposed to reside on the router itself (and for that chain=input should allow the connections).
With a “Default Drop” Rule, you will typically also need to allow “new” from LAN.
If you are using the router as a DNS server, then the rule below should be removed, as it will prevent the router from doing DNS lookups successfully, and the symptom will be that there is no internet access, i.e. you will be able to ping Google's IP but not browse by name/FQDN.
You have a drop-all rule at the bottom, so I do not see the need for this rule anyway; the same goes for the incoming DNS rules for dst-port 53.
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
Where the ++++++++++++ occurs is where you add any ALLOW INPUT rules you wish to ensure are included/processed, such as:
add action=accept chain=input comment="Allow ADMIN to Router" in-interface-list=LAN src-address-list=adminaccess
(make a firewall address list of allowed LAN IPs with access to the router)
add action=accept chain=input comment="Allow LAN DNS queries-UDP" dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Allow LAN DNS queries - TCP" dst-port=53 in-interface-list=LAN protocol=tcp
{forward chain}
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
add action=drop chain=forward comment="DROP ALL other FORWARD traffic" log-prefix="FORWARD DROP ALL"
Where the ++++++++++++ occurs is where you add any ALLOW FORWARD rules you wish to ensure are included/processed, such as:
add action=accept chain=forward comment="ENABLE LAN to WAN" in-interface=HomeBridge log-prefix="ALLOWED LAN 2 WAN TRAFFIC" out-interface-list=WAN
add action=accept chain=forward comment="Allow Port Forwarding - DSTNAT" connection-nat-state=dstnat
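To see why the catch-all rule locks the admin out, and what the accept rules in the reply above change, here is an added Python example (not from the thread, and not RouterOS or MikroTik code) that evaluates a toy first-match model of the input chain against a few constructed packets. It transcribes the original poster's input rules into dicts and then inserts the suggested accept rules just ahead of the catch-all. The packets, the interface names (ether1 as WAN, ether2 as LAN), and the list memberships (LAN, WAN, management, adminaccess, routers) are constructed assumptions, and the evaluator models only the matchers those rules use.

```python
"""Toy first-match evaluator for a RouterOS-style firewall input chain.

Added example for this thread, not RouterOS code.  Rules and packets are plain
dicts.  A rule value may be a comma-separated list (dst-port=21,22) and may be
negated with a leading "!" (in-interface-list=!LAN), mirroring the syntax in the
original post.  A packet value is a string, or a set where one object can sit in
several lists (an interface in several interface lists, an address in several
address lists).  Only the matchers the thread's rules use are modelled.
"""

MATCHERS = ("connection-state", "in-interface", "in-interface-list", "protocol",
            "dst-port", "src-address-list", "dst-address-list")


def rule_matches(rule, packet):
    """True when every matcher present in the rule matches the packet."""
    for key in MATCHERS:
        if key not in rule:
            continue                      # matcher not used by this rule
        spec = rule[key]
        negate = spec.startswith("!")
        wanted = set(spec.lstrip("!").split(","))
        value = packet.get(key, "")
        have = set(value) if isinstance(value, (set, frozenset)) else {str(value)}
        hit = bool(wanted & have)
        if hit == negate:                 # plain matcher must hit, negated one must not
            return False
    return True


def evaluate(chain, rules, packet):
    """Walk the chain top to bottom; the first matching rule decides.
    With no match the chain ends, and RouterOS then accepts the packet."""
    for rule in rules:
        if rule["chain"] == chain and rule_matches(rule, packet):
            return rule["action"], rule["comment"]
    return "accept", "end of chain (implicit accept)"


def input_rule(action, comment, **m):
    """Build an input-chain rule; matcher names use '_' in place of '-'."""
    return {"chain": "input", "action": action, "comment": comment,
            **{k.replace("_", "-"): v for k, v in m.items()}}


# The original poster's input chain, transcribed from the post (forward rules omitted).
OP_INPUT = [
    input_rule("accept", "defconf: accept established,related,untracked",
               connection_state="established,related,untracked"),
    input_rule("drop", "defconf: drop invalid", connection_state="invalid"),
    input_rule("drop", "defconf: drop all not coming from LAN", in_interface_list="!LAN"),
    input_rule("accept", "defconf: accept ICMP", protocol="icmp"),
    input_rule("drop", "blok externe dns aanvragen udp", dst_port="53", in_interface="ether1", protocol="udp"),
    input_rule("drop", "blok externe dns aanvragen tcp", dst_port="53", in_interface="ether1", protocol="tcp"),
    input_rule("drop", "drop ongeautoriseerde logins naar de router toe", dst_address_list="routers",
               dst_port="21,22,23,80,443,8291", protocol="tcp", src_address_list="!management"),
    input_rule("drop", "Catch all rule"),
]

# The accept rules suggested in the reply, placed where the "++++" marker sits: just ahead
# of the catch-all.  "adminaccess" is an assumed address list of LAN hosts allowed to manage the router.
ALLOW_FROM_LAN = [
    input_rule("accept", "Allow ADMIN to Router", in_interface_list="LAN", src_address_list="adminaccess"),
    input_rule("accept", "Allow LAN DNS queries-UDP", dst_port="53", in_interface_list="LAN", protocol="udp"),
    input_rule("accept", "Allow LAN DNS queries - TCP", dst_port="53", in_interface_list="LAN", protocol="tcp"),
]
FIXED_INPUT = OP_INPUT[:-1] + ALLOW_FROM_LAN + OP_INPUT[-1:]

# Constructed packets arriving at the router itself (input chain).  ether1 is assumed to be the
# WAN port, ether2 a LAN port; the admin host is in both the "management" and "adminaccess" lists.
PACKETS = {
    "admin winbox": {"connection-state": "new", "in-interface": "ether2", "in-interface-list": {"LAN"},
                     "protocol": "tcp", "dst-port": 8291, "dst-address-list": {"routers"},
                     "src-address-list": {"management", "adminaccess"}},
    "lan dns query": {"connection-state": "new", "in-interface": "ether2", "in-interface-list": {"LAN"},
                      "protocol": "udp", "dst-port": 53, "dst-address-list": {"routers"},
                      "src-address-list": set()},
    "wan dns query": {"connection-state": "new", "in-interface": "ether1", "in-interface-list": {"WAN"},
                      "protocol": "udp", "dst-port": 53, "dst-address-list": {"routers"},
                      "src-address-list": set()},
    "dns reply to router": {"connection-state": "established", "in-interface": "ether1",
                            "in-interface-list": {"WAN"}, "protocol": "udp", "dst-port": 40000,
                            "dst-address-list": {"routers"}, "src-address-list": set()},
}


def decisions(rules):
    """Action the input chain takes for each constructed packet."""
    return {name: evaluate("input", rules, pkt)[0] for name, pkt in PACKETS.items()}


if __name__ == "__main__":
    for label, chain in (("original chain", OP_INPUT), ("with accept rules before catch-all", FIXED_INPUT)):
        print(label)
        for name, pkt in PACKETS.items():
            action, comment = evaluate("input", chain, pkt)
            print(f"  {name:<20} {action:<7} <- {comment}")
```

Run as a script it prints the deciding rule for each packet under both chains. The output makes the reply's point concrete: with a catch-all drop, every new connection from the LAN to the router itself (management sessions and DNS queries included) needs an explicit accept placed before the catch-all, while a WAN DNS query is already dropped by the "drop all not coming from LAN" rule before the port 53 rules are ever reached, which is why those are redundant.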
I feel you blocked port 53 UDP for LAN users. Do you have an external DHCP server in your DHCP settings? Do you have the option "accept remote request" enabled?
Why do you include input block rules for DNS?
I also allow IP DNS remote requests and have identified 8.8.8.8 and 208.67.220.220, for example, as available remote servers that can be accessed.
For each DHCP network, I identify the DNS as being provided by the gateway, which then goes to the above list.
In your setup, how will any user get to the internet and look stuff up???
What am I missing here??