I think I have this firewall ICMP rule configured correctly but want to ask others before I deploy it. I would like to do the following -

1. Allow ICMP requests originating from any host on my LAN to any other host on my LAN.
2. Allow ICMP requests originating from any host on my LAN out to the internet and back.
3. Drop all ICMP requests not originating from my LAN (for example entering through the gateway)

Firewall rules are as follows -

0 chain=input action=accept protocol=icmp src-address-list=LAN log=no
log-prefix=“”

1 ;;; Drop Invalid Input Connections
chain=input action=drop connection-state=invalid log=no log-prefix=“”

2 ;;; Drop Invalid Forward Connections
chain=forward action=drop connection-state=invalid log=no log-prefix=“”

3 ;;; Accept Input From LAN
chain=input action=accept src-address-list=LAN log=no log-prefix=“”

4 ;;; Accept Established Connections
chain=input action=accept connection-state=established log=no
log-prefix=“”

5 ;;; Drop Everything Else
chain=input action=drop log=no log-prefix=“”

6 ;;; Accept New Connections From LAN
chain=forward action=accept connection-state=new src-address-list=LAN
log=no log-prefix=“”

7 ;;; Accept Related Conncetions
chain=forward action=accept connection-state=related log=no log-prefix=“”

8 ;;; Accept Established Conncetions
chain=forward action=accept connection-state=established log=no
log-prefix=“”

9 ;;; Drop All Other Forward Traffic
chain=forward action=drop log=no log-prefix=“”

So My questions are as follows -

1. Given the firewall rules I have in place does this seem like the best way to implement my ICMP rule?
2. Should any of my firewall rules be placed in a different order?

Any particular reason to not allow incoming ICMP?

ICMP is used for some things and that will just make debugging internet connections and having decent TCP performance harder. ICMP is used for MTU discovery, you know

http://security.stackexchange.com/questions/22711/is-it-a-bad-idea-for-a-firewall-to-block-icmp

So, unless there is zero need for anything incoming (no VPN, no web server, no email server etc.) I would NOT block ICMP incoming.

No VPN. web or email servers are running. I just want to make the router not respond to any ping requests originating from the internet. I tried to edit the default firewall rule which allows ICMP on the input chain but for some reason I was unable to make the default ICMP firewall rule NOT respond to ping requests coming in from the gateway. If I remember correctly I had the rule setup as follows -

input chain
protocol ICMP
! echo reply
action accept

When I had the rule setup as above the gateway still responded to ping requests originating from the internet so I clearly missed something with regard to the proper configuration of the rule.

Basically I would like to block only ICMP ping requests originating from the internet to the gateway.

blocking all icmp = bad.

It breaks things for you in strange ways that can be difficult to troubleshoot, and does not give you any real enhancement to security. Scanners don’t just look for “pingable” targets - hackers and malware authors are not that stupid to be fooled by such a filter. I explicitly permit ICMP in my firewall. If you must filter ICMP, the only real message you need to block is ICMP redirect.

The biggest thing dropping all ICMP breaks is PMTU discovery. (This is so prevalent that routers have a workaround feature called clamp-mss)

Here is my entire firewall filter rule set at my house:

/ip firewall filter
add chain=input comment="Allow all ICMP" protocol=icmp
add chain=input comment="Permit established connections" connection-state=established
add chain=input comment="Permit related connections" connection-state=related
add chain=input comment="Allow whitelisted sources" src-address-list=Whitelist
add action=drop chain=input comment="WAN - default deny" in-interface=ether6

Here is my entire IPv6 filter rule set: (remember that in v6, all LAN hosts have public, globally-reachable addresses)

/ipv6 firewall filter
add chain=forward connection-state=established
add chain=forward connection-state=related
add chain=forward protocol=icmpv6
add chain=forward comment="Allow whitelisted hosts and networks" src-address-list=Whitelist
add chain=forward action=drop out-interface=LAN
add chain=input comment="Allow Established" connection-state=established
add chain=input comment="Allow Related" connection-state=related
add chain=input comment="Permit ICMP" protocol=icmpv6
add chain=input comment="Trust Whitelisted Hosts" src-address-list=Whitelist
add chain=input comment="Allow DHCPv6 replies on WAN from link-local" \
    dst-address=fe80::/16 dst-port=546 in-interface=ether6 protocol=udp src-address=fe80::/16
add action=drop chain=input comment="Block New Connections from Internet" in-interface=ether6

Any tips for hardening the router further than the firewall rules I am currently using?

I thought it’s UDP port 5678, not ICMP.

UDP/5678 → Neighbor Discovery Protocol, according to that page.

Anyway, some tools might send such packets. These are basically “guinnea pig” packets. They send them somewhere to see if they make it or not. It could even be a padded TCP/SYN packet - it really doesn’t matter what the test packet is.

PMTU discovery is supposed to happen on every actual connection a host makes. If a test application or a live application sends a don’t-fragment packet that is too large for a particular hop along the path to its destination, then the discarding router is going to reply with an ICMP message. This kind of situation is exactly what ICMP protocol is for - general-purpose messaging between nodes of the inter-network.

Example:
Suppose you have a path with 12 routers between the client and server.
Suppose the link between router 8-9 has MTU of 1460.
A 1500-byte packet leaves client (guinnea pig packet if its a tool or otherwise deliberate MTU test) with the df-bit set to yes. (this is an IP header field, not TCP or UDP, by the way)
The packet gets through routers 1-7 just fine.
Router 8 has the packet, and decides to forward the packet to router 9, but then finds that the DF (don’t fragment) bit is set YES, and that the packet is larger than the MTU of the next hop (pkt=1500, mtu=1460).
Since you marked it do-not-fragment, the router must discard the packet, as it can’t fit in the hole, basically.

However, to be nice and help make things work better, router 8 sends a message:
“Hey, you don’t know me, but I’m router #8, and I had to discard a packet from you that was going to host x.x.x.x because the packet exceeded the MTU of the next hop, which is 1460 by the way.”

If you’re using TCP, then TCP is smart enough to drop down to 1460 MTU for this one session, and resend the discarded packet. Applications that use UDP must handle this on their own. TCP even has a feature to try to start off on the right foot with an appropriate MTU. If a host has an MTU of 1200, for instance, it’s going to stamp every TCP handshake with a mark (MSS) which says “by the way, my MTU is 1200, so let’s start there.” Of course, some link in the path might be using a smaller MTU, in which case TCP would still have to shrink the max packet size anyway, but at least it tried.

Of course, your application could simply not set DF-bit to yes. (Ping, for instance, does not by default, which is why you can ping with “100kilobyte packets”). If you do this, then a router will fragment the packet in stead of discarding it with a “please limit your packets to MTU-bytes” message.

This is not an option in IPv6 by the way. RFC states that no router may fragment a packet, so breaking PMTUD in v6 is going to be a much more severe issue. At least this will fix the various evilly-crafted fragment attacks.

Oops. My apologies. I misread “MTU” as “MT discovery” (as in MikroTik Discovery Protocol, thinking it was another way to say “MNDP”).

I was surprised to see that come from you, of all people. But then I usually see you in the scripting department, so I thought maybe the quantum effects deep down in packet space might be a little less familiar.

Hey ZeroByte,

You clearly know your stuff, so I hope you dont mind me taking advantage of you here

Is that your entire FW rule list at home? So tidy!

Im new to Mikrotiks and am trying to ensure mine is locked down. The only difference is that I’m dialling PPPoE from the mikrotik through an ADSL router in bridge mode.

Are there any other rules you’d add in my situation for security? Seeing as my mikrotik is basically public now…

Also, I have 2 rules that allow “established/related” connections - one for input and one for forward. Is there a difference in having both checkboxes ticked on each rule? I see you and many others have separate rules - one for established and one for related.

I also see you dont use the fasttrack. Although maybe that’s cos its a new feature. Mine is all the way at the top.

I’m running v 6.32.1

Thanks in advance!
WB

No problem, always happy to help, and thanks.
(I’ve been involved in other pursuits lately, sorry it’s been a while since you posted)

Nope - the layer2 doesn’t matter - PPPoE, L2TP, raw ethernet, 802.1Q, etc - they’re all the same because the IP firewall is a (primarily) layer3 thing. Just make sure that your “wan interface” rules reference the pppoe virtual interface, and not the physical ethernet interface itself.

Yes, you can use established and related in the same rule - when I made my ruleset, they weren’t tickboxes, but a selector, which forced two separate rules. I do recommend ticking both in a single rule. You do need a rule for input chain and a rule for forward chain, though.

As for fast track - this feature was brand new right about the time I got out of the habit of posting here, and so I haven’t played with it myself, but from what I’ve read about it, it sounds like the way to go for performance.

Awesome. Thans for your help

The only thing I have done in addition to what Zerobyte has done is to block all US DoD networks.

You’d be surprised at all the things that try to talk to those networks. Even my Wifi enabled garage door opener tries to reach the 6.0.0.0/8 network.

I know I’m a bit late to this conversation, but I started playing with IPv6 on my MT lab. I really don’t want to leave a input chain open for ALL ICMP, but the MT code is not really working right for IPv6. Or at lease I haven’t found the right balance.


Take a read from SANS:
https://www.sans.org/reading-room/whitepapers/threats/icmp-attacks-illustrated-477

ICMPv6 Guide from SANS:
https://www.sans.org/reading-room/whitepapers/detection/complete-guide-ipv6-attack-defense-33904

This is why permitting ICMP is ok but should be guarded by your firewall. Not ALL ICMP is GOOD but NO ICMP is also BAD. This is one of those things you can’t fully live without if you want ease of troubleshooting and support at the same time you need to balance security.

My goal is:
Limit inbound connections from WAN.
Limit what type of inbound connections from WAN to what can be safely monitored and are less likely to be hacked.
Limit outbound connections from LAN as to not participate in an attack if something were to make it in or run on an internal pc.


Let me know what you think.

As a followup to my previous post, Here is my Firewall settings for IPv6:

/ipv6 firewall filter
add chain=forward comment="Test Permit Any" disabled=yes
add chain=input comment="Test Permit Any" disabled=yes
add action=drop chain=input comment="Drop invalid connections on input chains" connection-state=invalid
add action=drop chain=input comment="Drop Dynamic Blocked6 list." src-address-list=Blocked6
add action=drop chain=forward comment="Drop Dynamic Blocked6 list." src-address-list=Blocked6
add action=add-dst-to-address-list address-list=Blocked6 address-list-timeout=1w chain=input comment="Drop bruteforce attacks" connection-limit=50,128 in-interface=ether1-gateway protocol=tcp
add action=add-dst-to-address-list address-list=Blocked6 address-list-timeout=1w chain=input comment="Drop bruteforce attacks" connection-limit=50,128 in-interface=ether1-gateway protocol=udp
add chain=input comment="Allow established connections" connection-state=established
add chain=input comment="Allow related connections" connection-state=related
add chain=input comment="Clinet DHCP for Router and Prefix Pass to Clients" dst-port=546-547 protocol=udp

ICMPv6 input accept and rate limit forward to Jump:

add action=jump chain=input comment="Allow limited ICMP" in-interface=ether1-gateway jump-target=icmp limit=50/5s,5:packet protocol=icmpv6

add chain=input comment="Allow limited ICMP" in-interface=ether2-master-local limit=50/5s,5:packet protocol=icmpv6
add chain=forward comment="Allow established connections" connection-state=established
add chain=forward comment="Allow related connections" connection-state=related
add chain=forward comment="Allow any to internet" out-interface=ether1-gateway

Jump QoS marking from defined Mangles (work in progress):

add action=jump chain=forward jump-target=tcp protocol=tcp
add action=jump chain=forward jump-target=icmp protocol=icmpv6
add action=jump chain=forward jump-target=udp protocol=udp
add action=drop chain=forward connection-state=invalid

Bogo and State drops for basic list:

add action=drop chain=forward comment="Bogo Drop" src-address=::/96
add action=drop chain=forward comment="Bogo Drop" src-address=::/128
add action=drop chain=forward comment="Bogo Drop" src-address=::1/128
add action=drop chain=forward comment="Bogo Drop" src-address=::ffff:0.0.0.0/96
add action=drop chain=forward comment="Bogo Drop" src-address=::224.0.0.0/100
add action=drop chain=forward comment="Bogo Drop" src-address=::/104
add action=drop chain=forward comment="Bogo Drop" src-address=::255.0.0.0/104
add action=drop chain=forward comment="Bogo Drop" src-address=::/8
add action=drop chain=forward comment="Bogo Drop" src-address=200::/7
add action=drop chain=forward comment="Bogo Drop" src-address=3ffe::/16
add action=drop chain=forward comment="Bogo Drop" src-address=2001:db8::/32
add action=drop chain=forward comment="Bogo Drop" src-address=2002:e000::/20
add action=drop chain=forward comment="Bogo Drop" src-address=2002:7f00::/24
add action=drop chain=forward comment="Bogo Drop" src-address=2002::/24
add action=drop chain=forward comment="Bogo Drop" src-address=2002:ff00::/24
add action=drop chain=forward comment="Bogo Drop" src-address=2002:a00::/24
add action=drop chain=forward comment="Bogo Drop" src-address=2002:ac10::/28
add action=drop chain=forward comment="Bogo Drop" src-address=2002:c0a8::/32
add action=drop chain=forward comment="Bogo Drop" src-address=fc00::/7
add action=drop chain=forward comment="Bogo Drop" src-address=fe80::/10
add action=drop chain=forward comment="Bogo Drop" src-address=fec0::/10
add action=drop chain=forward comment="Bogo Drop" src-address=ff00::/8
add action=drop chain=tcp comment="deny TFTP6" dst-port=69 protocol=tcp
add action=drop chain=tcp comment="deny RPC portmapper" dst-port=111 protocol=tcp
add action=drop chain=tcp comment="deny RPC portmapper" dst-port=135 protocol=tcp
add action=drop chain=tcp comment="deny NBT" dst-port=137-139 protocol=tcp
add action=drop chain=tcp comment="deny cifs" dst-port=445 protocol=tcp
add action=drop chain=tcp comment="deny NFS" dst-port=2049 protocol=tcp
add action=drop chain=tcp comment="deny NetBus" dst-port=12345 protocol=tcp
add action=drop chain=tcp comment="deny NetBus" dst-port=20034 protocol=tcp
add action=drop chain=tcp comment="deny BackOriffice" dst-port=3133 protocol=tcp
add action=drop chain=tcp comment="deny DHCP" dst-port=67-68 protocol=tcp
add action=drop chain=udp comment="deny TFTP6" dst-port=69 protocol=udp
add action=drop chain=udp comment="deny RPC portmapper" dst-port=111 protocol=udp
add action=drop chain=udp comment="deny RPC portmapper" dst-port=137-139 protocol=udp
add action=drop chain=udp comment="deny NFS" dst-port=2049 protocol=udp
add action=drop chain=udp comment="deny BackOriffice" dst-port=3133 protocol=udp

ICMPv6 Permit Rules:

add chain=icmp comment="Echo Request" icmp-options=128:0 protocol=icmpv6
add chain=icmp comment="Echo Reply" icmp-options=129:0 protocol=icmpv6
add chain=icmp comment="Destination Unreachable" icmp-options=1:0 protocol=icmpv6
add chain=icmp comment="Limit Exceeded 1" icmp-options=3:1 protocol=icmpv6
add chain=icmp comment="Limit Exceeded 4" icmp-options=3:4 protocol=icmpv6
add chain=icmp comment="Bad Header" icmp-options=4:0 protocol=icmpv6
add chain=icmp comment="Packet Too Big" icmp-options=2:0 protocol=icmpv6

Drop all ICMP traffic not specifically permitted above:

add action=drop chain=icmp protocol=icmpv6

Cachall rules for stat tracking:

add action=drop chain=input
add action=drop chain=forward disabled=yes

There is an RFC for that out there, BTW. Because if you block some of that stuff, v6 will stop working at all.

Here’s my working ruleset for v6, it pretty much implements said rfc:

 /ipv6 firewall address-list
add address=fe80::/64 list=link-local
/ipv6 firewall filter
add chain=establishedaccept connection-state=established,related
add action=jump chain=forward jump-target=establishedaccept
add action=jump chain=forward jump-target=icmpv6accept
add chain=icmpv6accept icmp-options=0 protocol=icmpv6
add chain=icmpv6accept icmp-options=1 protocol=icmpv6
add chain=icmpv6accept icmp-options=2 protocol=icmpv6
add chain=icmpv6accept icmp-options=3 protocol=icmpv6
add chain=icmpv6accept icmp-options=11:0-1 protocol=icmpv6
add chain=icmpv6accept icmp-options=12:0-2 protocol=icmpv6
add chain=icmpv6accept icmp-options=135 protocol=icmpv6
add chain=icmpv6accept icmp-options=136 protocol=icmpv6
add chain=icmpv6accept protocol=icmpv6 src-address-list=link-local
add action=jump chain=input jump-target=icmpv6accept

barkas,
Thanks for the feedback.

I looked up Type 0 and its a reserved type but the RFC was not clear what it was used for. If you have any information to share about why you permit that, I would be interested.

Using your code as a reference, the SANS links above and RFC4884/4443/792 I have changed my rules to the following:

add chain=icmp comment="Echo Request" icmp-options=128 limit=1,5:packet protocol=icmpv6
add chain=icmp comment="Destination Unreachable" icmp-options=1 protocol=icmpv6
add chain=icmp comment="Limit Exceeded" icmp-options=3 protocol=icmpv6
add chain=icmp comment="Time Exceeded" icmp-options=11:0-1 protocol=icmpv6
add chain=icmp comment="Parameter Problem" icmp-options=12:0-2 protocol=icmpv6
add chain=icmp comment="Neighbor Solicitation" icmp-options=135 protocol=icmpv6
add chain=icmp comment="Neighbor Advertisement" icmp-options=136 protocol=icmpv6
add action=drop chain=icmp protocol=icmpv6

And I am passing all the IPv6 Test sites I could find, but blocking what we should be blocking.

Good point, I can’t remember. I shall have to go over that again.

The RFC I used is 4890.

EDIT: I don’t think your ICMPv6 codes are quite right (as were mine, btw, I think I mixed it up with ICMPv4).

So here’s the new version (I have no IPv6 atm, so I default drop on forward):

/ipv6 firewall address-list
add address=fe80::/64 list=link-local
/ipv6 firewall filter
add chain=establishedaccept connection-state=established,related
add chain=icmpv6accept comment="dest unreach" icmp-options=1 protocol=icmpv6
add chain=icmpv6accept comment="packet too big" icmp-options=2 protocol=icmpv6
add chain=icmpv6accept comment="limit exceeded" icmp-options=3:0-1 protocol=icmpv6
add chain=icmpv6accept comment="bad header" icmp-options=4:0-2 protocol=icmpv6
add chain=icmpv6accept comment=link-local protocol=icmpv6 src-address-list=link-local
add action=jump chain=forward jump-target=establishedaccept
add action=jump chain=forward jump-target=icmpv6accept
add action=drop chain=forward
add action=jump chain=input jump-target=icmpv6accept

Maybe this should be for another thread, but I just wanted to drop a quick note. While testing the IPv6 firewall rules out, I stumbled onto a verification of sorts.

Fully disabled IPv4 on 3 of my test machines and the RB750GL i am using is automatically 6to4 so that the IPv4 computers can PING from the IPv6 machines and vice versa. The 6 to 4 interface broker in the latest code (6.34.1) appears to be working much like it does on the Cisco ISR code.

here are my firewall rules.. much more complicated .. 2 sections one to limit attacks/pings on the router itself and one for my forward rules

(net changed in a couple of places for security

...


/put "cleaning out icmp_packets_bridge chain"
/ipv6 firewall filter remove [/ipv6 firewall filter find chain=icmp_packets_bridge]


/put "cleaning out icmp chain"
/ipv6 firewall filter remove [/ipv6 firewall filter find chain=ICMP]


...

/put "input jump rules"

These 2 rules jump to chains we are about to create,

jumping is handy because it allows you to reuse the same rule in different chains (I.e. Input and Forward can jump to the same chain and run the same rules)

add chain=input protocol=icmpv6 action=jump jump-target=ICMP comment="jump to chain ICMP" disabled=no


...

/put "router icmp chains"

These rules form the ‘ICMP’ chain which we jumped to from input, it limited various ICMP packet to stop people ping flooding you

add chain=ICMP protocol=icmpv6 icmp-options=129:0-255 limit=5,5:packet action=accept comment="129:0 and limit echo reply for 5pac/s" disabled=no
add chain=ICMP protocol=icmpv6 icmp-options=1:0 limit=5,5:packet action=accept comment="1:0 host/addr. unrech. limit for 5pac/s" disabled=no
add chain=ICMP protocol=icmpv6 icmp-options=1:3-4 limit=5,5:packet action=accept comment="1:3,4 host/port unrech. and limit for 5pac/s" disabled=no
add chain=ICMP protocol=icmpv6 icmp-options=128:0-255 limit=5,5:packet action=accept comment="128:0 echo request limit for 5pac/s" disabled=no
add chain=ICMP protocol=icmpv6 icmp-options=3:0-255 limit=5,5:packet action=accept comment="3:0 time exceeded limit for 5pac/s" disabled=no
add chain=ICMP protocol=icmpv6 action=drop comment="Drop everything else" disabled=no


...


\

ICMP rules

/put "doing icmp rules"
add chain=forward protocol=icmpv6 action=jump jump-target=icmp_packets_bridge
add chain=icmp_packets_bridge action=accept protocol=icmpv6 src-address=xxxx:3005:xxxx:xxxx::/64
add chain=icmp_packets_bridge action=drop protocol=icmpv6 icmp-options=128:0 dst-address=2603:xxxx:xxxx:5400:xxxx:xxxx:0182:xxxxcomment="no pinging our firewall box"
add chain=icmp_packets_bridge action=accept protocol=icmpv6 icmp-options=1:0 comment="net unreachable"
add chain=icmp_packets_bridge action=accept protocol=icmpv6 icmp-options=1:3 comment="host/address unreachable"
add chain=icmp_packets_bridge action=accept protocol=icmpv6 icmp-options=1:4 comment="port unreacheable"
add chain=icmp_packets_bridge action=accept protocol=icmpv6 icmp-options=2:0 comment="packet too big"
add chain=icmp_packets_bridge action=accept protocol=icmpv6 icmp-options=3:0-1 comment="allow limit exceeded"
add chain=icmp_packets_bridge action=accept protocol=icmpv6 icmp-options=11:0-1 comment="allow time exceed"
add chain=icmp_packets_bridge action=accept protocol=icmpv6 icmp-options=128:0 comment="allow echo request"
add chain=icmp_packets_bridge action=accept protocol=icmpv6 icmp-options=129:0 comment="echo reply"
add chain=icmp_packets_bridge action=accept protocol=icmpv6 icmp-options=135:0 comment="neighbor solicitation"
add chain=icmp_packets_bridge action=accept protocol=icmpv6 icmp-options=136:0 comment="neighbor advertisement"
add chain=icmp_packets_bridge action=accept protocol=icmpv6 icmp-options=137:0 comment="allow redirect"
#add chain=icmp_packets_bridge action=accept protocol=icmpv6 icmp-options=4:0-2 comment="allow parameter bad"
add chain=icmp_packets_bridge action=drop comment="deny all other types"



hope this helps