Firewall Question

Here is an export of a working firewall

/ip firewall address-list
add address=192.168.88.0/24 disabled=no list=LocalNet
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s \
    tcp-close-wait-timeout=10s tcp-established-timeout=1d tcp-fin-wait-timeout=\
    10s tcp-last-ack-timeout=10s tcp-syn-received-timeout=5s \
    tcp-syn-sent-timeout=5s tcp-syncookie=no tcp-time-wait-timeout=10s \
    udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
add action=drop chain=input comment="Drop Invalid Input Connections" \
    connection-state=invalid disabled=no
add action=drop chain=forward comment="Drop Invalid Forward/Through Router" \
    connection-state=invalid disabled=no
add action=accept chain=input comment=\
    "Local Administration of Router/New Input" disabled=no src-address-list=\
    LocalNet
add action=accept chain=input comment="Establish New Connections At Router" \
    connection-state=established disabled=no
add action=accept chain=input comment="Reply to Pings" disabled=no protocol=\
    icmp
add action=accept chain=input comment=Winbox disabled=no dst-port=8291 \
    protocol=tcp
add action=accept chain=input comment="VPN Port" disabled=no dst-port=1723 \
    protocol=tcp
add action=accept chain=input comment="VPN Prot" disabled=no protocol=gre
add action=drop chain=input comment=\
    "Drop Input AS it should have been allowed by now" disabled=no
add action=accept chain=forward comment="Allow LAN to Make New Connections" \
    connection-state=new disabled=no src-address-list=LocalNet
add action=accept chain=forward comment="Allow Establish Connections" \
    connection-state=established disabled=no
add action=accept chain=forward comment="Allow related Connections" \
    connection-state=related disabled=no
add action=drop chain=forward comment=\
    "Drop Anything else passing through the router" disabled=no out-interface=\
    ether1-gateway
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" disabled=no \
    out-interface=ether1-gateway src-address-list=LocalNet
add action=dst-nat chain=dstnat comment=Ubnt1 disabled=no dst-port=5225 \
    in-interface=ether1-gateway protocol=tcp to-addresses=192.168.88.21 \
    to-ports=80
add action=dst-nat chain=dstnat comment=Ubnt2 disabled=no dst-port=5226 \
    in-interface=ether1-gateway protocol=tcp to-addresses=192.168.88.22 \
    to-ports=80

This firewall seems to work fine for everything I am doing.

I read RouterOS by Example and my last firewall filter rule is different. In my firewall it has an interface of my WAN port. In the book there is no interface specified.

If I take the last line and change it to no interface…

add action=drop chain=forward comment=\
    "Drop Anything else passing through the router" disabled=no

Then all my port forwards break.

Ideas?

Is there something wrong in my firewall?

The last rule cannot stand alone. It has some other rules above it, in order, which first allow all needed connections for your network to work, and then it will drop everything else. If the other rules are not allowing the needed connections to work, yes, it will drop everything, leaving you out of the router and making the networks connected through the router unreachable.
For example, if you look at the wiki page, the configuration for protecting the router is:

/ip firewall filter
add chain=input connection-state=invalid action=drop \
	comment="Drop Invalid connections"  
add chain=input connection-state=established action=accept \
	comment="Allow Established connections"  
add chain=input protocol=icmp action=accept \
	comment="Allow ICMP" 
add chain=input src-address=192.168.0.0/24 action=accept \
	in-interface=!ether1 
add chain=input action=drop comment="Drop everything else"

You can see that first all needed connections are allowed, then the rest of the connections are dropped.

That is how I laid out the firewall for the input chain.

The book shows firewalling the forward chain.
I have a rule that only allows the local subnet to make new connections. That is done using the address list.
Established and Related are covered in the next lines.
Doesn’t match… drop.

Seemed right when I typed it.

The forwarding chain (as you may know) applies to the traffic that goes through the router, which does not have the router itself as its destination. So it matches traffic from your LAN to the outside and vice versa.
I don’t know how you can specify the traffic that comes from the outside of your own network. You need to know that one, because if you’re not allowing it, you’re dropping it. I haven’t tested it, I am only guessing here. I don’t know if a related connection will match a connection that was initiated from inside. For example:

192.168.1.10:6565 → 81.81.81.81:80 this is a known connection which you are allowing.
The server answers with:
81.81.81.81:80 → (your public IP):6565 does the related connection rule match this one? If yes it is allowing it, if not, it is dropping it.
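
An added example, not written by anyone in this thread: a small Python model of first-match evaluation for the forward chain in the export above. It compares the posted last rule, the book-style last rule, and the book-style rule preceded by explicit accepts for the two dst-nat targets. It assumes the forward chain sees the destination after dst-nat and that a packet matching no rule is accepted; the interface name `lan` and the sample packets are constructed.

```python
import ipaddress

LOCALNET = ipaddress.ip_network("192.168.88.0/24")  # address-list LocalNet from the export

def matches(rule, pkt):
    """True when every matcher present on the rule agrees with the packet."""
    if rule.get("src_list") == "LocalNet" and ipaddress.ip_address(pkt["src"]) not in LOCALNET:
        return False
    return all(pkt[k] == rule[k] for k in ("state", "in_if", "out_if", "dst", "dport") if k in rule)

def forward(rules, pkt):
    """First matching rule decides; a packet that matches nothing is accepted."""
    for rule in rules:
        if matches(rule, pkt):
            return rule["action"]
    return "accept"

def chain(final_drop, extra=()):
    """Forward chain from the export, with a chosen last rule and optional extra accepts."""
    return [
        {"action": "drop", "state": "invalid"},
        {"action": "accept", "state": "new", "src_list": "LocalNet"},
        {"action": "accept", "state": "established"},
        {"action": "accept", "state": "related"},
        *extra,
        final_drop,
    ]

WAN, LAN = "ether1-gateway", "lan"  # "lan" is an assumed name for the inside interface

# Constructed packets as the forward chain sees them (destination already rewritten by dst-nat).
fwd_ubnt1 = {"src": "203.0.113.7", "dst": "192.168.88.21", "dport": 80, "state": "new", "in_if": WAN, "out_if": LAN}
stray = {"src": "203.0.113.7", "dst": "192.168.88.50", "dport": 22, "state": "new", "in_if": WAN, "out_if": LAN}
lan_out = {"src": "192.168.88.10", "dst": "198.51.100.9", "dport": 443, "state": "new", "in_if": LAN, "out_if": WAN}

as_posted = chain({"action": "drop", "out_if": WAN})   # last rule with out-interface
book_style = chain({"action": "drop"})                  # last rule with no interface
explicit = chain({"action": "drop"}, extra=[            # book-style drop plus per-forward accepts
    {"action": "accept", "state": "new", "in_if": WAN, "dst": "192.168.88.21", "dport": 80},
    {"action": "accept", "state": "new", "in_if": WAN, "dst": "192.168.88.22", "dport": 80},
])

def verdicts(rules):
    """Verdict for each sample packet under the given forward chain."""
    return {name: forward(rules, p) for name, p in
            (("fwd_ubnt1", fwd_ubnt1), ("stray", stray), ("lan_out", lan_out))}
```

In this model the posted rule set lets the port forwards through only because no rule matches WAN-to-LAN packets at all, so the unrelated `stray` packet is accepted as well; the third rule set keeps the forwards working while dropping it.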