Drop requests to NTP server while allowing NTP client

I had this firewall rule until now to prevent requests to DNS and NTP from WAN. But after a system crash I noticed that my NTP client wasn’t syncing time. After troubleshooting I found that the source port of the UDP connection was also 123, so the server replies were caught by the rule.

add action=drop chain=input dst-port=53,123 in-interface=ether6 protocol=udp

What is a reliable way to distinguish that the UDP exchange was (not) initiated from the router?

Check whether they are initiated from outside with a new connection request.

Use this [DNS works on both UDP and TCP]:

/ip firewall filter
add action=drop chain=input connection-state=new dst-port=53 in-interface=ether6 protocol=tcp
add action=drop chain=input connection-state=new dst-port=53,123 in-interface=ether6 protocol=udp

If I helped you, remember to add Karma!
Thanks.

I am about to try experimenting with UDP transactions for the same reason. Maybe you can follow along with me.

My first test will be to use an address list. I plan on adding the destination address of UDP packets sent from my local nets to an address list with a timeout of 10 seconds, then use that address list to allow UDP packets from those source addresses back into the router.

Your setup may be easier than that. You know what NTP server IP you are sending the NTP request to, right? Block all port 123 packets except from that IP.

Why make a simple thing so complicated?
The router itself does the same thing you have described, without any list.

Simply add
/ip firewall filter
add action=drop chain=input connection-state=new in-interface= protocol=udp
and the connection tracking integrated in RouterOS does the same thing described.

Since UDP doesn’t establish a connection, does UDP recognize the connection-state=new? I haven’t tried that. Maybe I am making it more complicated than necessary.

Not totally right; if he uses dynamic NTP or NTP from a WAN peer, the address can change.



Connection tracking exists for this purpose: UDP is not a connection, but single packets.
In this way the system remembers what connections were made in the last 10 seconds [customizable].
It also recognizes UDP streams [like a VoIP call] for 3 minutes [the counter resets on each VoIP UDP packet received; this time is also customizable].

To activate connection tracking, simply add any filter, NAT or mangle rule.
If it is forced active, it is useless without any rule that uses it.
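The behaviour described in this thread, as an added model written for this page and not RouterOS code: a toy UDP connection tracker keyed on the 5-tuple, with the 10 s single-packet and 3 min stream timeouts mentioned above (both assumed defaults), applied to the two rule variants from the thread. It reproduces the original problem (the router's NTP client sends from source port 123, so the reply has destination port 123 and the stateless `dst-port=123` rule drops it) and shows that `connection-state=new` lets the tracked reply through while still dropping an unsolicited query and a reply that arrives after the tracking window has expired. All addresses are constructed (TEST-NET ranges); the rule attributes mirror the RouterOS ones used in the thread but are evaluated by this script only.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Assumed timeouts: the thread mentions ~10 s for a lone UDP packet and
# ~3 min once a reply turns it into a stream; RouterOS makes both configurable.
UDP_TIMEOUT = 10
UDP_STREAM_TIMEOUT = 180

Key = Tuple[str, int, str, int]


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    iface: str   # interface the packet arrives on / leaves by
    t: float     # seconds since the start of the scenario


@dataclass
class Entry:
    expires: float
    reply_seen: bool = False


class ConnTracker:
    """Minimal UDP connection tracker keyed on the 5-tuple (toy model)."""

    def __init__(self) -> None:
        self.table: Dict[Key, Entry] = {}

    @staticmethod
    def _key(p: Packet) -> Key:
        return (p.src, p.sport, p.dst, p.dport)

    def _expire(self, now: float) -> None:
        for k in [k for k, e in self.table.items() if e.expires <= now]:
            del self.table[k]

    def classify(self, p: Packet) -> str:
        """Return 'new' or 'established' and refresh the matching entry."""
        self._expire(p.t)
        k = self._key(p)
        rk = (p.dst, p.dport, p.src, p.sport)
        if k in self.table:                      # same direction as the original packet
            e = self.table[k]
            e.expires = p.t + (UDP_STREAM_TIMEOUT if e.reply_seen else UDP_TIMEOUT)
            return "established"
        if rk in self.table:                     # reply direction: promote to a stream
            e = self.table[rk]
            e.reply_seen = True
            e.expires = p.t + UDP_STREAM_TIMEOUT
            return "established"
        self.table[k] = Entry(expires=p.t + UDP_TIMEOUT)
        return "new"

    def forget(self, p: Packet) -> None:
        """A packet the firewall dropped never confirms its tracking entry."""
        self.table.pop(self._key(p), None)


@dataclass(frozen=True)
class Rule:
    action: str                         # "drop" or "accept"
    chain: str                          # "input" or "output"
    protocol: str = "udp"
    dst_port: Optional[frozenset] = None
    in_interface: Optional[str] = None
    connection_state: Optional[str] = None

    def matches(self, p: Packet, state: str) -> bool:
        if self.dst_port is not None and p.dport not in self.dst_port:
            return False
        if self.in_interface is not None and p.iface != self.in_interface:
            return False
        if self.connection_state is not None and state != self.connection_state:
            return False
        return True


class Router:
    def __init__(self, rules) -> None:
        self.rules = list(rules)
        self.ct = ConnTracker()

    def process(self, chain: str, p: Packet) -> str:
        """First matching rule in the chain decides; default is accept."""
        state = self.ct.classify(p)
        for r in self.rules:
            if r.chain == chain and r.matches(p, state):
                if r.action == "drop":
                    self.ct.forget(p)
                return r.action
        return "accept"


# The two rule variants from the thread (TCP/53 omitted; UDP is the issue here).
OLD_RULES = [Rule("drop", "input", dst_port=frozenset({53, 123}), in_interface="ether6")]
NEW_RULES = [Rule("drop", "input", dst_port=frozenset({53, 123}), in_interface="ether6",
                  connection_state="new")]

ROUTER_WAN = "203.0.113.10"      # constructed addresses
NTP_SERVER = "198.51.100.20"
NTP_SERVER2 = "198.51.100.21"
STRANGER = "192.0.2.66"


def run_scenario(rules) -> Dict[str, str]:
    r = Router(rules)
    out = {}
    # 1. the router's own NTP client queries with source port 123 (as observed in the thread)
    out["query_out"] = r.process("output", Packet(ROUTER_WAN, 123, NTP_SERVER, 123, "ether6", 0.0))
    # 2. the reply 50 ms later has dst-port 123 because of that symmetric source port
    out["reply_in"] = r.process("input", Packet(NTP_SERVER, 123, ROUTER_WAN, 123, "ether6", 0.05))
    # 3. an unsolicited query from the Internet towards the router's NTP port
    out["unsolicited_in"] = r.process("input", Packet(STRANGER, 40000, ROUTER_WAN, 123, "ether6", 1.0))
    # 4. a second query whose reply arrives only after the 10 s tracking window
    out["query2_out"] = r.process("output", Packet(ROUTER_WAN, 123, NTP_SERVER2, 123, "ether6", 5.0))
    out["late_reply_in"] = r.process("input", Packet(NTP_SERVER2, 123, ROUTER_WAN, 123, "ether6", 20.0))
    return out


if __name__ == "__main__":
    for name, rules in (("stateless dst-port rule", OLD_RULES), ("connection-state=new rule", NEW_RULES)):
        print(name, run_scenario(rules))
```

The `forget` step models the fact that a dropped packet does not leave a confirmed tracking entry behind, so an unsolicited probe cannot "pre-open" the reply path for itself; the late-reply case shows why the single-packet timeout matters if an upstream NTP server is slow.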

@rextended: Nice! I just tested it, and it works great! Thanks!

“connection-state=new” worked as you said; I just tried to get time from an Internet host and couldn’t. I thought that options with connection/established would apply to UDP. There is indeed a ‘connection’ added with the UDP stream timeout, 01:00 on my system. I am connecting to two fixed NTP servers, but it is more elegant that they don’t have to be entered in address lists, the purpose of which might not be obvious later on.

I’m happy to have helped you two.
Thanks.