DMZ firewall

Hi,

I'm trying to set up and tighten up my DMZ firewall. The DMZ is on the 10.0.100.0/24 network, and its gateway is on port eth12. I would like to enable just the ports being used (DNS 53 TCP/UDP, ping, and web on port 80). The srcnat and dstnat are correctly configured.

My problem is in the filter section, in forwarding traffic from the VLAN, and to the VLAN from port 12.
Why is it that I can't ping google.com if I use these filter rules (I can ping IPs)?

add chain=forward comment=" Dmz intiation" out-interface=ether12 protocol=icmp src-address=10.0.100.22
add chain=forward dst-port=53 out-interface=ether12 protocol=udp src-address=10.0.100.22
add chain=forward dst-port=53 out-interface=ether12 protocol=tcp src-address=10.0.100.22
add chain=forward dst-port=80,443 out-interface=ether12 protocol=tcp src-address=10.0.100.22

add chain=forward connection-state=established,related,new dst-address=10.0.100.22 in-interface=ether12 protocol=icmp
add chain=forward connection-state=established,related dst-address=10.0.100.22 dst-port=53 in-interface=ether12 protocol=tcp
add chain=forward dst-address=10.0.100.22 dst-port=53 in-interface=ether12 protocol=udp
add chain=forward connection-state=established dst-address=10.0.100.22 dst-port=80,443 in-interface=ether12 protocol=tcp

But if I enable this rule, then I can:
add chain=forward connection-state=established,related disabled=yes dst-address=10.0.100.22 in-interface=ether12

I would like to use the first method to tighten up port security, and not use the last rule.

Any insight would be appreciated.

Can you describe it a little better? I understood the first paragraph as DMZ connected to ether12, but from the rules it looks like ether12 is WAN and DMZ is somewhere else. Also some description of required incoming and outgoing connections would be nice. The first four rules look like an attempt to allow outgoing traffic (ICMP and ports 53, 80, 443), while the rest look like the same for incoming connections. And everything with connection states is a huge mess.

Indeed, ether12 is the WAN, and VLAN 10.0.100.0/24 is the mentioned DMZ VLAN. I'm trying to sort out just the incoming and outgoing traffic through the WAN port to/from this mentioned VLAN. I also would like to only allow these ports, 53, 80, 443, and ping, because there's a webserver behind NAT on 10.0.100.22.

I assume it’s part of some bigger config, so you’ll need to adapt it, or just use it as inspiration, but my recommended solution is simple “block everything by default and only allow some exceptions”, which looks like this:

/ip firewall filter
add chain=forward connection-state=established,related action=accept comment="allow established & related"
add chain=forward connection-state=invalid action=drop comment="drop invalid"
add chain=forward connection-nat-state=dstnat action=accept comment="allow forwarded ports"
<other allow rules>
add chain=forward action=reject reject-with=icmp-admin-prohibited comment="reject everything else"

Typical other allow rule is:

/ip firewall filter
add chain=forward in-interface=<LAN> out-interface=<WAN> action=accept comment="Allow connections from LAN to WAN"

And that’s nice, simple and secure config.

In your case, you’d have allow rules for other networks, and then for webserver’s access to outside, you’d use e.g.:

/ip firewall filter
add chain=forward in-interface=<DMZ> out-interface=ether12 src-address=10.0.100.22 protocol=icmp action=accept
add chain=forward in-interface=<DMZ> out-interface=ether12 src-address=10.0.100.22 protocol=tcp dst-port=53,80,443 action=accept
add chain=forward in-interface=<DMZ> out-interface=ether12 src-address=10.0.100.22 protocol=udp dst-port=53 action=accept

Access from outside to the webserver should just work, since it has a private address, so incoming connections must use dstnat to reach it and as such are automatically allowed by the “allow forwarded ports” rule. If that wasn’t enough and you’d also want direct connections from somewhere else, you could use rules like this (I’m not sure from your description if the web server is also a DNS server; if so, you’d also allow port 53):

/ip firewall filter
add chain=forward <some source specification> dst-address=10.0.100.22 protocol=icmp action=accept
add chain=forward <some source specification> dst-address=10.0.100.22 protocol=tcp dst-port=80,443 action=accept

There’s no need to do anything special with connection-state=established,related packets; one global rule is fine, because no connection will become established or related unless you allow the first packet with connection-state=new. The above rules don’t have this option, because after you get rid of established, related and invalid at the beginning, there’s not much left after that (only new and untracked). You may limit the rule to just new if you want.
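To see concretely why the original rule set breaks "ping google.com" while a single global established,related rule does not, here is a small Python simulation of a first-match forward chain with minimal connection tracking. It is an added illustration, not RouterOS code and not written by anyone in the thread. It takes the interface names, the 10.0.100.22 address and the port lists from the posts above; the DMZ interface name dmz-vlan, the resolver and remote addresses (from the TEST-NET-3 documentation range) and the ephemeral source port are constructed, and it assumes an implicit final drop closes the chain. The key point it shows: a DNS reply arrives with src-port=53 and an ephemeral dst-port, so an inbound rule matching dst-port=53 never sees it, which is exactly the case the global established,related rule handles.

```python
from dataclasses import dataclass
from typing import Optional

# Names from the thread: ether12 is the WAN, 10.0.100.22 is the webserver in the DMZ VLAN.
# dmz-vlan, the resolver/remote addresses and the ephemeral port are constructed placeholders.
WAN, DMZ = "ether12", "dmz-vlan"
WEBSERVER = "10.0.100.22"
RESOLVER = "203.0.113.53"   # constructed: upstream DNS server
REMOTE = "203.0.113.80"     # constructed: the address google.com would resolve to


@dataclass(frozen=True)
class Packet:
    in_iface: str
    out_iface: str
    src: str
    dst: str
    proto: str          # "icmp", "udp" or "tcp"
    sport: int = 0      # 0 for icmp
    dport: int = 0


@dataclass(frozen=True)
class Rule:
    action: str                            # "accept", "drop" or "reject"
    in_iface: Optional[str] = None
    out_iface: Optional[str] = None
    src: Optional[str] = None
    dst: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[frozenset] = None      # like dst-port=53,80,443
    state: Optional[frozenset] = None      # like connection-state=established,related

    def matches(self, pkt: Packet, conn_state: str) -> bool:
        """Every matcher that is set must agree with the packet (RouterOS semantics)."""
        fixed = [(self.in_iface, pkt.in_iface), (self.out_iface, pkt.out_iface),
                 (self.src, pkt.src), (self.dst, pkt.dst), (self.proto, pkt.proto)]
        if any(want is not None and want != have for want, have in fixed):
            return False
        if self.dport is not None and pkt.dport not in self.dport:
            return False
        if self.state is not None and conn_state not in self.state:
            return False
        return True


class Firewall:
    """First-match filter with toy conntrack. Simplification: a flow is remembered
    only once its first packet is accepted, so a reply to a dropped packet stays 'new'."""

    def __init__(self, rules):
        self.rules = rules
        self.flows = set()

    @staticmethod
    def _key(p: Packet):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    def _state(self, p: Packet) -> str:
        reverse = (p.proto, p.dst, p.dport, p.src, p.sport)
        known = self._key(p) in self.flows or reverse in self.flows
        return "established" if known else "new"

    def filter(self, pkt: Packet) -> str:
        state = self._state(pkt)
        for rule in self.rules:
            if rule.matches(pkt, state):
                if rule.action == "accept":
                    self.flows.add(self._key(pkt))
                return rule.action
        return "drop"  # assumption: an implicit final drop closes the chain


# The original poster's eight rules, transcribed from the thread.
OP_RULES = [
    Rule("accept", out_iface=WAN, src=WEBSERVER, proto="icmp"),
    Rule("accept", out_iface=WAN, src=WEBSERVER, proto="udp", dport=frozenset({53})),
    Rule("accept", out_iface=WAN, src=WEBSERVER, proto="tcp", dport=frozenset({53})),
    Rule("accept", out_iface=WAN, src=WEBSERVER, proto="tcp", dport=frozenset({80, 443})),
    Rule("accept", in_iface=WAN, dst=WEBSERVER, proto="icmp", state=frozenset({"established", "related", "new"})),
    Rule("accept", in_iface=WAN, dst=WEBSERVER, proto="tcp", dport=frozenset({53}), state=frozenset({"established", "related"})),
    Rule("accept", in_iface=WAN, dst=WEBSERVER, proto="udp", dport=frozenset({53})),
    Rule("accept", in_iface=WAN, dst=WEBSERVER, proto="tcp", dport=frozenset({80, 443}), state=frozenset({"established"})),
]

# The recommended "default deny" layout: one global established,related rule, explicit
# egress exceptions for the webserver, reject everything else (dstnat/invalid rules omitted).
RECOMMENDED_RULES = [
    Rule("accept", state=frozenset({"established", "related"})),
    Rule("accept", in_iface=DMZ, out_iface=WAN, src=WEBSERVER, proto="icmp"),
    Rule("accept", in_iface=DMZ, out_iface=WAN, src=WEBSERVER, proto="tcp", dport=frozenset({53, 80, 443})),
    Rule("accept", in_iface=DMZ, out_iface=WAN, src=WEBSERVER, proto="udp", dport=frozenset({53})),
    Rule("reject"),
]

# Constructed packet flow for "ping google.com": resolve the name, then send an echo request.
PING_BY_NAME = [
    Packet(DMZ, WAN, WEBSERVER, RESOLVER, "udp", 51234, 53),   # DNS query
    Packet(WAN, DMZ, RESOLVER, WEBSERVER, "udp", 53, 51234),   # DNS reply: dst-port is ephemeral, not 53
    Packet(DMZ, WAN, WEBSERVER, REMOTE, "icmp"),               # echo request
    Packet(WAN, DMZ, REMOTE, WEBSERVER, "icmp"),               # echo reply
]


def run(rules, flow):
    """Return the verdict for each packet of the flow, in order."""
    fw = Firewall(rules)
    return [fw.filter(p) for p in flow]


if __name__ == "__main__":
    for name, rules in (("original", OP_RULES), ("recommended", RECOMMENDED_RULES)):
        print(name, run(rules, PING_BY_NAME))
```

Running it shows the original set accepting both ICMP packets (so pinging an IP works) but dropping the DNS reply, because the inbound UDP rule matches dst-port=53 while the reply carries dst-port=51234. The recommended set accepts the whole exchange because the reply is classified as established and hits the first rule.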

Thank you, Sob, for the detailed explanation.
I learned something new with the “add chain=forward connection-nat-state=dstnat action=accept” rule.