Drop unwanted port-forwarding connections

I have these forward filters as per default firewall config:

add action=accept chain=forward comment="accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="drop invalid forward" connection-state=invalid
add action=drop chain=forward comment="drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WANs

Once I set a port forwarding (dst-nat) rule to a LAN machine, this machine is reachable by ANYONE hitting that port from the internet.

What’s the correct method to drop any connection from the internet to a dst-natted machine except from the desired external IP address?
Why is there no ending “drop-all” rule in the forward chain like the one in the input chain?

You can set a src-address (or src-address-list) in the forward rule:

/ip firewall address-list
add address=1.1.1.1 list=trusted
/ip firewall nat
add action=dst-nat chain=dstnat dst-address-type=local dst-port=443 protocol=tcp src-address-list=trusted to-addresses=192.168.88.100

Nice, so allow the desired addresses in the NAT rule rather than dropping the others with filters…

I’m not the author of this idea used in the default firewall configuration, but I read it as a way to concentrate all the decision making into a single rule in the nat table, which can choose from the same match conditions as the rules in filter. So the assumption is that you only dst-nat what you really want to let in using the dst-nat rule in nat, and the dst-nat state of the connection then prevents that traffic from matching the rule in the default configuration action=drop chain=forward in-interface-list=WAN connection-nat-state=!dstnat.
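The two ways of restricting a forwarded port that the answer and the post above describe, written out as an added RouterOS example (not configuration from the original posts): option A puts the source restriction on the dst-nat rule itself, so untrusted sources never get connection-nat-state=dstnat and fall through to the default "!dstnat" drop; option B keeps a generic dst-nat rule and adds the explicit forward-chain drop the question asks about. The trusted addresses, the internal host 192.168.88.100 and the interface-list name WAN are placeholders taken from the thread; the list entries and log prefixes are assumptions for illustration.

```routeros
# Trusted external sources (placeholders, not real deployment addresses).
/ip firewall address-list
add address=1.1.1.1 list=trusted comment="office"
add address=203.0.113.10 list=trusted comment="admin home (example address)"

# --- Option A: decide in the nat table ---------------------------------
# Only packets from the trusted list are dst-natted. Anything else arriving
# on tcp/443 keeps connection-nat-state=!dstnat and is dropped by the
# default "drop all from WAN not DSTNATed" forward rule.
/ip firewall nat
add action=dst-nat chain=dstnat dst-address-type=local dst-port=443 protocol=tcp \
    in-interface-list=WAN src-address-list=trusted to-addresses=192.168.88.100 \
    comment="443 -> 192.168.88.100, trusted sources only"

# --- Option B: dst-nat everything, restrict in the filter table ---------
# Useful when the same NAT rule must serve several source policies or when
# you want the rejected attempts logged. The forward chain sees the packet
# after dstnat, so connection-nat-state=dstnat is already set for the first
# packet of the connection.
/ip firewall nat
add action=dst-nat chain=dstnat dst-address-type=local dst-port=443 protocol=tcp \
    in-interface-list=WAN to-addresses=192.168.88.100 \
    comment="443 -> 192.168.88.100 (source restricted in filter)"

/ip firewall filter
# Must sit after "accept established,related,untracked" and "drop invalid",
# and before any rule that would accept dst-natted traffic.
add action=drop chain=forward connection-nat-state=dstnat connection-state=new \
    in-interface-list=WAN src-address-list=!trusted \
    log=yes log-prefix="fwd-dnat-untrusted" \
    comment="drop dst-natted connections from sources not on the trusted list"
# Optional explicit end-of-chain drop, the equivalent of the one in input.
# Only add it once every LAN-to-LAN and LAN-to-WAN path you rely on is
# accepted above it; with the default config that is the accept of
# established/related plus the in-interface-list=LAN traffic.
add action=drop chain=forward comment="drop everything else in forward"

# Verification from the console:
#   /ip firewall filter print stats        (packet/byte counters per rule)
#   /ip firewall connection print where dst-address~"192.168.88.100"
# A test from an untrusted address should raise the counter of the
# "fwd-dnat-untrusted" rule (option B) or of the default "!dstnat" drop
# (option A) and never create a connection to 192.168.88.100.
```

Both options can be combined: the src-address-list on the NAT rule keeps the decision in one place as the default configuration intends, and the filter rule catches a later NAT rule that someone adds without the restriction. Whichever you choose, keep the rules above the point where the forward chain would otherwise accept new dst-natted connections, because the first accept wins.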

The idea of that rule is quite clever, actually, because it depends on interface-list=WAN rather than interface-list=LAN: most inexperienced users forget to add newly created interfaces to the corresponding list, so this rule saves them from a headache trying to figure out why their guest LAN or something like that doesn’t work. The opposite situation, with a second WAN, is less common, IMO, and it needs a more qualified user to set it up, so it’s not as big a problem.

It depends on what we consider a problem. If the problem is that something doesn’t work (due to a forgotten LAN permissive rule), the home user notices it and can solve it (or get mad about the router immediately). If he is clever/brave/skilled enough to add a WAN interface but not enough to add it to the interface list, everything works, but he is likely to get hacked, so he’ll get mad about the router later, but more :)

Exactly.
And with the default firewall being what it is now, it seems that MikroTik engineers consider that if one is clever/brave/skilled enough to add an additional WAN, he should know how to understand and adjust the firewall as well.