Hi all,
I have one problem that I cannot figure out. I’ve configured a firewall based on Dmitry on firewalling (http://wiki.mikrotik.com/wiki/Dmitry_on_firewalling) and NetworkPro_on_firewalling (http://wiki.mikrotik.com/wiki/NetworkPro_on_firewalling).
It’s a little different because I have one WAN interface with two public IPs (one is for Web server), LAN segment, DMZ segment and a VPN connection so I tweaked their configurations a bit.
Here is my firewall configuration:
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; Allow traffic between clients on LAN
chain=forward action=accept in-interface=LAN(eth1) out-interface=LAN(eth1)
1 ;;; LAN to DMZ traffic
chain=forward action=accept in-interface=LAN(eth1) out-interface=DMZ(eth2)
2 X ;;; DMZ to LAN traffic
chain=forward action=accept in-interface=DMZ(eth2) out-interface=LAN(eth1)
3 ;;; VPN to LAN traffic
chain=forward action=accept src-address-list=VPN dst-address-list=LAN
4 ;;; VPN to DMZ traffic
chain=forward action=accept src-address-list=VPN dst-address-list=DMZ
5 ;;; Sanity check forward
chain=forward action=jump jump-target=sanity-check
6 ;;; WAN to Web Server (DMZ) traffic
chain=forward action=accept protocol=tcp in-interface=WAN(eth5) out-interface=DMZ(eth2) dst-port=80
7 ;;; Drop everything that is not explicitly forwarded
chain=forward action=jump jump-target=drop
8 ;;; Deny illegal NAT Traversal
chain=sanity-check action=jump jump-target=drop packet-mark=illegal-nat-traversal
9 ;;; Allow the router to be visible via Neighbor Discovery to WinBox on LAN port
chain=input action=accept protocol=udp dst-address=255.255.255.255 in-interface=LAN(eth1) dst-port=5678
10 ;;; LAN services - WinBox MAC on LAN port (20561/UDP)
chain=input action=accept protocol=udp dst-address=255.255.255.255 in-interface=LAN(eth1) dst-port=20561
11 ;;; Allow the router to be visible via Neighbor Discovery to WinBox on eth3 port
chain=input action=accept protocol=udp dst-address=255.255.255.255 in-interface=ether3 dst-port=5678
12 ;;; LAN services - WinBox MAC on eth3 port (20561/UDP)
chain=input action=accept protocol=udp dst-address=255.255.255.255 in-interface=ether3 dst-port=20561
13 ;;; Allow the router to be visible via Neighbor Discovery to WinBox on eth4 port
chain=input action=accept protocol=udp dst-address=255.255.255.255 in-interface=ether4 dst-port=5678
14 ;;; LAN services - WinBox MAC on eth4 port (20561/UDP)
chain=input action=accept protocol=udp dst-address=255.255.255.255 dst-address-type="" in-interface=ether4 dst-port=20561
15 X ;;; Block port scans
chain=sanity-check action=add-src-to-address-list protocol=tcp psd=20,3s,3,1 address-list=blocked-addr address-list-timeout=1d
16 ;;; Block TCP Xmas Scan
chain=sanity-check action=add-src-to-address-list tcp-flags=fin,psh,urg,!fin,!rst,!ack protocol=tcp address-list=blocked-addr address-list-timeout=1d
17 ;;; Block TCP NULL Scan
chain=sanity-check action=add-src-to-address-list tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg protocol=tcp address-list=blocked-addr address-list-timeout=1d
18 ;;; Drop everything that is in blocked-addr list
chain=sanity-check action=jump jump-target=drop src-address-list=blocked-addr
19 ;;; Drop TCP RST
chain=sanity-check action=jump jump-target=drop tcp-flags=rst protocol=tcp
20 ;;; Drop TCP SYN+FIN
chain=sanity-check action=jump jump-target=drop tcp-flags=fin,syn protocol=tcp
21 ;;; Drop invalid connections immediately
chain=sanity-check action=jump jump-target=drop connection-state=invalid
22 ;;; Accept established connections
chain=sanity-check action=accept connection-state=established
23 ;;; Accept related connections
chain=sanity-check action=accept connection-state=related
24 ;;; Log broadcast, multicast packets
chain=sanity-check action=log dst-address-type=broadcast,multicast log-prefix="sanity-check_24"
25 ;;; Drop broadcast, multicast packets
chain=sanity-check action=jump jump-target=drop dst-address-type=broadcast,multicast
26 ;;; Drop illegal destination addresses (packet coming to LAN interface)
chain=sanity-check action=jump jump-target=drop dst-address-type=!local dst-address-list=illegal_addr in-interface=LAN(eth1)
27 ;;; Drop illegal destination addresses (packet coming to DMZ interface)
chain=sanity-check action=jump jump-target=drop dst-address-type=!local dst-address-list=illegal_addr in-interface=DMZ(eth2)
28 ;;; Drop everything that comes to LAN interface, but not with LAN source address
chain=sanity-check action=jump jump-target=drop src-address-list=!LAN in-interface=LAN(eth1)
29 ;;; Drop everything that comes to DMZ interface, but not with DMZ source address
chain=sanity-check action=jump jump-target=drop src-address-list=!DMZ in-interface=DMZ(eth2)
30 ;;; Drop packets with illegal source address that come to WAN interface
chain=sanity-check action=jump jump-target=drop src-address-list=illegal_addr in-interface=WAN(eth5)
31 ;;; Drop all traffic that comes from broadcast or multicast address
chain=sanity-check action=jump jump-target=drop src-address-type=broadcast,multicast
32 ;;; Allow local traffic between the router's applications
chain=input action=accept src-address-type=local dst-address-type=local
33 ;;; Enabling DHCP (would not pass sanity-check so enabling it explicitly before other checks)
chain=input action=jump jump-target=dhcp protocol=udp in-interface=LAN(eth1) port=67,68
34 ;;; Jump to Sanity Check
chain=input action=jump jump-target=sanity-check
35 ;;; Drop all packets in input chain that go to router itself, but do not have destination IP of router itself (including broadcast traf>
)
chain=input action=jump jump-target=drop dst-address-type=!local
36 ;;; Allow limited PING requests (5pps)
chain=input action=accept protocol=icmp icmp-options=8:0-255 limit=5,5
37 ;;; Allowed services on LAN network
chain=input action=jump jump-target=LAN services in-interface=LAN(eth1)
38 ;;; Allowed services on DMZ network
chain=input action=jump jump-target=DMZ services in-interface=DMZ(eth2)
39 ;;; Allowed services from Internet to WAN_1 IP
chain=input action=jump jump-target=Public-services_1 dst-address=A.A.A.A in-interface=WAN(eth5)
40 ;;; Allowed services from Internet to WAN_2 IP - Web server
chain=input action=jump jump-target=Public-services_2 dst-address=B.B.B.B in-interface=WAN(eth5)
41 ;;; Allowed services from VPN to Router itself
chain=input action=jump jump-target=VPN services src-address-list=VPN
42 ;;; Drop everything else
chain=input action=jump jump-target=drop
43 ;;; DHCP - accept broadcast packets from 0.0.0.0 source address
chain=dhcp action=accept src-address=0.0.0.0 dst-address=255.255.255.255
44 ;;; DHCP - accept packets from source address 0.0.0.0 to be resolved in router - DHCP service
chain=dhcp action=accept src-address=0.0.0.0 dst-address-type=local
45 ;;; DHCP - allow packets with source IP from LAN to be resolved in router (DHCP renewal)
chain=dhcp action=accept dst-address-type=local src-address-list=LAN
46 ;;; LAN services - SSH (22/TCP)
chain=LAN services action=accept protocol=tcp dst-port=22
47 ;;; LAN services - DNS (53/UDP)
chain=LAN services action=accept protocol=udp dst-port=53
48 ;;; LAN services - DNS (53/TCP) - additionally
chain=LAN services action=accept protocol=tcp dst-port=53
49 X ;;; LAN services - HTTP (Web) Proxy (3128/TCP)
chain=LAN services action=accept protocol=tcp dst-port=3128
50 ;;; LAN services - Mikrotik Neighbour Discovery Protocol (5678/UDP)
chain=LAN services action=accept protocol=udp dst-port=5678
51 ;;; LAN services - WinBox (8291/TCP)
chain=LAN services action=accept protocol=tcp dst-port=8291
52 ;;; LAN services - SNMP management (161/UDP)
chain=LAN services action=accept protocol=udp dst-port=161
53 ;;; LAN services - FTP (21/TCP)
chain=LAN services action=accept protocol=tcp dst-port=21
54 X ;;; LAN services - NTP server (123/UDP)
chain=LAN services action=accept protocol=udp dst-port=123
55 ;;; LAN services - Temporary log
chain=LAN services action=log log-prefix="LAN services_55:"
56 ;;; LAN services - Drop everything else
chain=LAN services action=drop
57 ;;; DMZ services - DNS (53/UDP)
chain=DMZ services action=accept protocol=udp dst-port=53
58 ;;; DMZ services - DNS (53/TCP) - additionally
chain=DMZ services action=accept protocol=tcp dst-port=53
59 ;;; DMZ services - Temporary log
chain=DMZ services action=log log-prefix="DMZ services_59:"
61 ;;; Public-services_1 - SSH (22/TCP)
chain=Public-services_1 action=accept protocol=tcp dst-port=22
62 ;;; Public-services_1 - PPTP - VPN (1723/TCP)
chain=Public-services_1 action=accept protocol=tcp dst-port=1723
63 ;;; Public-services_1 - GRE for PPTP - VPN
chain=Public-services_1 action=accept protocol=gre
64 ;;; Public-services_1 services - Temporary log
chain=Public-services_1 action=log log-prefix="Public-servics_1_64:"
65 ;;; Public-services_1 - Drop everything else
chain=Public-services_1 action=drop
66 ;;; Public-services_2 - HTTP port 80 - Web server
chain=Public-services_2 action=accept protocol=tcp dst-port=80
67 ;;; Public-services_2 services - Temporary log
chain=Public-services_2 action=log log-prefix="Public-servics_2_67:"
68 ;;; Public-services_2 - Drop everything else
chain=Public-services_2 action=drop
69 ;;; VPN services - SSH (22/TCP)
chain=VPN services action=accept protocol=tcp dst-port=22
70 ;;; VPN services - Mikrotik Neighbour Discovery Protocol (5678/UDP)
chain=VPN services action=accept protocol=udp dst-port=5678
71 ;;; VPN services - WinBox (8291/TCP)
chain=VPN services action=accept protocol=tcp dst-port=8291
72 ;;; VPN services - SNMP management (161/UDP)
chain=VPN services action=accept protocol=udp dst-port=161
73 ;;; VPN services - FTP (21/TCP)
chain=VPN services action=accept protocol=tcp dst-port=21
74 ;;; VPN services - Temporary log
chain=VPN services action=log log-prefix="VPN services_74:"
75 ;;; VPN services - Drop everything else
chain=VPN services action=drop
76 ;;; Drop - Log before dropping
chain=drop action=log log-prefix="drop_76:"
77 ;;; Drop everything else
chain=drop action=drop
My problem is that I don't want to have WinBox MAC access from the DMZ segment, and although I think that everything is configured properly, somehow I still have access. I connect a laptop to the DMZ segment, give it an IP from that segment and can connect with WinBox.
Pay attention to rules 24, 25, 76 and 77. I think these are the rules where WinBox traffic should be dropped.
And the log shows that the traffic seems to be matched properly:
02:32:31 firewall,info sanity-check_24 sanity-check: in:DMZ(eth2) out:(none), proto UDP, 10.50.1.2:52367->255.255.255.255:20561, len 50
02:32:31 firewall,info drop_76: drop: in:DMZ(eth2) out:(none), proto UDP, 10.50.1.2:52367->255.255.255.255:20561, len 50
02:32:31 firewall,info sanity-check_24 sanity-check: in:DMZ(eth2) out:(none), proto UDP, 10.50.1.2:52367->255.255.255.255:20561, len 50
02:32:31 firewall,info drop_76: drop: in:DMZ(eth2) out:(none), proto UDP, 10.50.1.2:52367->255.255.255.255:20561, len 50
02:32:31 firewall,info sanity-check_24 sanity-check: in:DMZ(eth2) out:(none), proto UDP, 10.50.1.2:52367->255.255.255.255:20561, len 50
02:32:31 firewall,info drop_76: drop: in:DMZ(eth2) out:(none), proto UDP, 10.50.1.2:52367->255.255.255.255:20561, len 50
02:32:32 firewall,info sanity-check_24 sanity-check: in:DMZ(eth2) out:(none), proto UDP, 10.50.1.2:52367->255.255.255.255:20561, len 50
02:32:32 firewall,info drop_76: drop: in:DMZ(eth2) out:(none), proto UDP, 10.50.1.2:52367->255.255.255.255:20561, len 50
02:32:32 firewall,info sanity-check_24 sanity-check: in:DMZ(eth2) out:(none), proto UDP, 10.50.1.2:52367->255.255.255.255:20561, len 50
02:32:32 firewall,info drop_76: drop: in:DMZ(eth2) out:(none), proto UDP, 10.50.1.2:52367->255.255.255.255:20561, len 50
02:32:32 firewall,info sanity-check_24 sanity-check: in:DMZ(eth2) out:(none), proto UDP, 10.50.1.2:52367->255.255.255.255:20561, len 50
02:32:32 firewall,info drop_76: drop: in:DMZ(eth2) out:(none), proto UDP, 10.50.1.2:52367->255.255.255.255:20561, len 50
02:32:32 firewall,info sanity-check_24 sanity-check: in:DMZ(eth2) out:(none), proto UDP, 10.50.1.2:52367->255.255.255.255:20561, len 50
02:32:32 firewall,info drop_76: drop: in:DMZ(eth2) out:(none), proto UDP, 10.50.1.2:52367->255.255.255.255:20561, len 50
But I can still use WinBox to log in to the router. I attached a picture from torch taken while I log in to the router. And although this traffic should be dropped, it is correctly identified by the router.
What is the problem?
And if you have some comment about other firewall rules (VPN, DMZ, LAN) that I should have configured differently, please advise me, because I'm not extremely experienced with firewalls.
Thanks!
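Editor's note with an added example (this is not part of the original post and not the poster's configuration). The only packets in the log above are UDP broadcasts to 255.255.255.255:20561, which is WinBox's discovery probe; nothing on TCP 8291 ever appears. The MAC-WinBox session itself is carried in raw Ethernet frames (MAC-Telnet), so it never enters /ip firewall filter at all, and rules 24/25 and 76/77 can only ever drop the discovery probes, not the session. What limits MAC-WinBox is the interface list given to /tool mac-server, not the IP filter. The commands below assume RouterOS 6.41 or later (interface-list based configuration); the interface names LAN(eth1) and DMZ(eth2) are taken from the post, and the list name "mgmt" is a hypothetical name chosen for this example.

```routeros
# Added example, not from the original post. Assumes RouterOS 6.41+ where
# /tool mac-server is controlled by interface lists. "mgmt" is a hypothetical
# list name; LAN(eth1) and DMZ(eth2) are the interface names from the post.

# 1. Build an interface list holding only the interfaces that may reach
#    MAC-WinBox / MAC-Telnet and see neighbor discovery. DMZ(eth2) is left out.
/interface list add name=mgmt comment="interfaces allowed to use MAC-WinBox"
/interface list member add list=mgmt interface="LAN(eth1)"

# 2. Restrict the layer-2 management services to that list. These services
#    work on Ethernet frames and are never evaluated by /ip firewall filter,
#    which is why rules 24/25 and 76/77 only catch the UDP 20561 discovery
#    packets and never the WinBox session itself.
/tool mac-server set allowed-interface-list=mgmt
/tool mac-server mac-winbox set allowed-interface-list=mgmt

# 3. Stop advertising the router on the DMZ at all (MNDP/CDP/LLDP), so the
#    WinBox "Neighbors" tab on a DMZ host stays empty as well.
/ip neighbor discovery-settings set discover-interface-list=mgmt

# 4. Verify: DMZ(eth2) must not appear in any of these outputs, and a laptop
#    on the DMZ segment should no longer be able to open a MAC-WinBox session.
/interface list member print where list=mgmt
/tool mac-server print
/tool mac-server mac-winbox print
/ip neighbor discovery-settings print
```

On releases older than 6.41 the same menus hold per-interface entries instead of an interface list; in that case print /tool mac-server, /tool mac-server mac-winbox and /ip neighbor discovery and make sure DMZ(eth2) is disabled in each of them. Either way, keep the IP-side rules as they are: they are what stops WinBox over TCP 8291 from the DMZ, since the DMZ services chain never accepts that port and input rule 42 drops what falls through.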
