Firewall - Improvements

cadamuroa · May 26, 2015, 5:27pm

Hi Guys, how are you?

I’m doing the improvements in my firewall and I’d like your opinions about it.
Before, I was working with white list and now, I’m working to setup my firewall to work with black list. Is it correct?

add chain=forward comment=“Accept established connections forward” connection-state=established
add chain=forward comment=“Accept related connections forward” connection-state=related
add chain=input comment=“Accept established connections input” connection-state=established
add chain=input comment=“Accept related connections input” connection-state=related
add action=drop chain=input comment=“Drop invalid connections input” connection-state=invalid
add action=drop chain=forward comment=“Drop invalid connections forward” connection-state=invalid
add chain=input comment=“Accept EOIP connection” protocol=gre src-address-list=“Internal Network”
add chain=input comment=“Accept winbox connection” dst-port=8291 protocol=tcp src-address-list=“Internal Network”
add action=drop chain=forward comment=“Block Teamviewer connection” dst-address-list=“TeamViewer Server DNS”
add chain=input comment=“Accept internal ping” limit=50/5s,2 protocol=icmp src-address-list=“Internal Network”
add chain=forward comment=“Enable HTTP” dst-port=80,8080 protocol=tcp
add chain=forward comment=“Enable HTTPS” dst-port=443 protocol=tcp
add chain=forward comment=“Enable Exchange Servers” dst-address-list=“Exchange Server”
add chain=forward comment=“Enable SIP Port.” dst-port=5060,5061 protocol=udp src-address-list=“Voip Network”
add chain=forward dst-port=10000-20000 protocol=udp
add chain=forward comment=“Enable IAX2 Port” dst-port=4569 protocol=udp src-address-list=“Voip Network”
add chain=forward comment=“Enable VNC” dst-port=5800,5900 protocol=tcp
add chain=forward comment=“Enable POP and SMTP” dst-port=587,110,995 protocol=tcp
add chain=forward comment=“Enable databases, SQL and MYSQL” dst-port=1433,1533,3306 protocol=tcp
add action=drop chain=forward comment=“Drop forward connection”
add action=drop chain=input comment=“Drop input connection” in-interface=ether1-gateway

jarda · May 26, 2015, 8:00pm

You can accept established or related in one rule.

jarda · May 26, 2015, 8:03pm

All other rules should work with new state only as you already accepted established, related and dropped invalids.

jarda · May 26, 2015, 8:05pm

Don’t you care about output chain so your router can make whatever communication out?

cadamuroa · June 9, 2015, 3:14am

I forget about the output chain. I will improve better the firewall, and post here the changes.

ZeroByte · June 9, 2015, 12:24pm

What did you mean by this statement? My reading of the firewall rules is of a restrictive policy that only allows the given services (http(s),email,sql,etc) and blocks everything else, even user–>internet, so all of the rules are necessary…

You mentioned blacklist in the original post, but I see neither a whitelist nor a blacklist in this firewall configuration (except for “internal hosts” being allowed to ping and access the Mikrotik itself. If you’re planning to make a blacklist, I usually put the blacklist rule as rule #1 in each chain - drop src-address-list=blacklist in input and forward chains, and then drop-dst-address-list=blacklist as #1 of output and #2 of forward.

If you’re talking about the default policy of the firewall, then perhaps you should use the terms “default deny” and “default accept” - your firewall is “default deny” which means that you must explicitly list everything you wish to allow, and anything you didn’t list is blocked by default. This is the more secure method but it can be a pain to administer when you’re using it for outbound traffic to the Internet - applications that you intend to support might use strange port numbers (VoIP comes immediately to mind) and make life difficult. If I had a dollar for every customer who had to go through their SonicWall to allow ports to the Internet… well, I’d be on an island somewhere drinking piña coladas.

Good luck with your firewall!

cadamuroa · June 10, 2015, 1:41am

ZeroByte:

jarda:

All other rules should work with new state only as you already accepted established, related and dropped invalids.

What did you mean by this statement? My reading of the firewall rules is of a restrictive policy that only allows the given services (http(s),email,sql,etc) and blocks everything else, even user–>internet, so all of the rules are necessary…

cadamuroa:

I forget about the output chain. I will improve better the firewall, and post here the changes.

You mentioned blacklist in the original post, but I see neither a whitelist nor a blacklist in this firewall configuration (except for “internal hosts” being allowed to ping and access the Mikrotik itself. If you’re planning to make a blacklist, I usually put the blacklist rule as rule #1 in each chain - drop src-address-list=blacklist in input and forward chains, and then drop-dst-address-list=blacklist as #1 of output and #2 of forward.

If you’re talking about the default policy of the firewall, then perhaps you should use the terms “default deny” and “default accept” - your firewall is “default deny” which means that you must explicitly list everything you wish to allow, and anything you didn’t list is blocked by default. This is the more secure method but it can be a pain to administer when you’re using it for outbound traffic to the Internet - applications that you intend to support might use strange port numbers (VoIP comes immediately to mind) and make life difficult. If I had a dollar for every customer who had to go through their SonicWall to allow ports to the Internet… well, I’d be on an island somewhere drinking piña coladas.

Good luck with your firewall!

Thank you very much ZeroByte
I understood very well. I am work with the incorrect term. I agree with you. In my case, my firewall is default deny.