Hi,
I can still remotely ssh in, even though I’ve got this set of rules:
0 D ;;; special dummy rule to show fasttrack counters
chain=forward action=passthrough
1 ;;; defconf: accept ICMP
chain=input action=accept protocol=icmp log=no log-prefix=""
2 ;;; defconf: accept established,related
chain=input action=accept connection-state=established,related log=no log-prefix=""
3 XI ;;; defconf: drop all from WAN
chain=input action=drop in-interface=ether1 log=no log-prefix=""
4 ;;; defconf: fasttrack
chain=forward action=fasttrack-connection connection-state=established,related log=no log-prefix=""
5 ;;; defconf: accept established,related
chain=forward action=accept connection-state=established,related log=no log-prefix=""
6 ;;; defconf: drop invalid
chain=forward action=drop connection-state=invalid log=no log-prefix=""
7 XI ;;; defconf: drop all from WAN not DSTNATed
chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=ether1 log=no log-prefix=""
8 ;;; block remote ssh
chain=forward action=drop connection-state=new protocol=tcp in-interface=ether1 out-interface=ether2-master dst-port=22 log=yes
What have I done wrong?
Flags XI mean “Disabled” and “Invalid”.
Maybe you need to check the interface names…
The WAN cable is definitely plugged into ether1, and the LAN cable is definitely in ether2-master.
Flags: D - dynamic, X - disabled, R - running, S - slave
# NAME TYPE ACTUAL-MTU L2MTU MAX-L2MTU MAC-ADDRESS
0 R ether1 ether 1500 1598 4074 6C:3B:6B:2F:7F:5B
1 R ether2-master ether 1500 1598 4074 6C:3B:6B:2F:7F:5C
2 S ether3 ether 1500 1598 4074 6C:3B:6B:2F:7F:5D
3 S ether4 ether 1500 1598 4074 6C:3B:6B:2F:7F:5E
4 S ether5 ether 1500 1598 4074 6C:3B:6B:2F:7F:5F
OK, I was in a hurry and did not read your post properly.
Rule 3 should block all traffic incoming from WAN, but it is disabled. So it does not block.
Rule 8 blocks all TCP traffic on port 22 that comes in from ether1 and goes to ether2-master, and it is enabled.
To block all incoming ssh traffic coming from ether1 I would put
/ip firewall filter
add chain=input action=drop in-interface=ether1 protocol=tcp dst-port=22 comment="drop ssh" disabled=no
AndreaTIK:
OK, I was in a hurry and did not read your post properly.
Rule 3 should block all traffic incoming from WAN, but it is disabled. So it does not block.
When first installing, the router didn’t pick up an address from the ISP, and I thought that rule 3 was the culprit. Apparently not. Thus, I’ve enabled rule 3 and temporarily disabled the specific port blocks,
as per AndreaTIK’s config line.
Your issue is here: chain=forward vs chain=input.
input chain = stuff coming in to the router itself
forward chain = stuff going through the router to something else
You’re blocking port 22 through the router but not blocking 22 to the router itself.
Or you could disable the ssh service on the router, but I probably wouldn’t do that. (/ip service set ssh disabled=yes)
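To make the input-vs-forward point concrete, here is a small first-match evaluator written for this thread (it is not RouterOS code or anything the posters ran). It models the poster's rules 1, 2, 3 (disabled) and 8 and a constructed SSH packet from ether1; ROUTER_IP and the LAN host address are assumed values.

```python
# Added illustration: mimics how RouterOS routes a packet to the input chain
# (destined for the router) or the forward chain (transit), then walks the
# chain first-match. Rule numbers follow the poster's listing.
ROUTER_IP = "192.0.2.1"  # constructed stand-in for the router's WAN address


def make_rule(chain, action, disabled=False, **match):
    return {"chain": chain, "action": action, "disabled": disabled, "match": match}


# Rules 1, 2, 3 and 8 from the thread; rule 3 is disabled, as in the poster's print.
RULES = [
    make_rule("input", "accept", protocol="icmp"),
    make_rule("input", "accept", connection_state="established,related"),
    make_rule("input", "drop", disabled=True, in_interface="ether1"),
    make_rule("forward", "drop", connection_state="new", protocol="tcp",
              in_interface="ether1", out_interface="ether2-master", dst_port=22),
]


def chain_for(packet):
    # Traffic addressed to the router itself hits input; everything else is forward.
    return "input" if packet["dst_ip"] == ROUTER_IP else "forward"


def matches(rule, packet):
    return all(packet.get(key) == value for key, value in rule["match"].items())


def evaluate(rules, packet):
    chain = chain_for(packet)
    for rule in rules:
        if rule["disabled"] or rule["chain"] != chain:
            continue
        if matches(rule, packet):
            return rule["action"]
    return "accept"  # RouterOS: a chain with no matching rule accepts by default


def enable_rule(rules, index):
    # Return a copy of the rule set with one rule switched on (rule 3 is index 2 here).
    return [dict(r, disabled=False) if i == index else r for i, r in enumerate(rules)]


def ssh_from_wan(dst_ip):
    # Constructed packet: a new TCP/22 connection arriving on ether1.
    packet = {"dst_ip": dst_ip, "protocol": "tcp", "dst_port": 22,
              "in_interface": "ether1", "connection_state": "new"}
    if dst_ip != ROUTER_IP:
        packet["out_interface"] = "ether2-master"  # would be routed to the LAN
    return packet
```

With rule 3 disabled, SSH to the router falls through the input chain to the implicit accept even though rule 8 drops SSH to a LAN host; enabling rule 3 is what closes the router itself.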
I would enable rules 3 and 8. These will block all internet access to your router and protect your LAN.
Do check that e1 is your wan interface as it may not be if you run pppoe or a vlan to get to the internet.
Sent from my iPhone using Tapatalk
Here’s my current filter set:
/ip firewall filter
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept established,related" connection-state=established,related
add action=accept chain=input comment="IP address of public bandwidth tester" protocol=udp src-address=207.32.195.2
add action=drop chain=input comment="defconf: drop all from WAN" in-interface=ether1 log-prefix="WANDrop " tcp-flags=""
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface=ether1 log=yes log-prefix=not_DSTNATed
Your default input drop rule has a setting of tcp-flags=""
This is probably the problem. Remove any reference to tcp-flags and it should then catch anything not specifically allowed before that.
Sent from my iPhone using Tapatalk
The current rule set works.
You are correct, it works - but I would still recommend removing that section of the rule as it is not required.
It is common when rules have been checked in Winbox and options opened but not actually filled in for entries like that to get left behind as orphans.
In this case nothing is active, but I have seen connection-state rules left open with nothing ticked, so the rule looks for connections that are neither invalid, established, related nor new and never catches traffic, so best practice is to remove such entries.
scampbell:
You are correct, it works - but I would still recommend removing that section of the rule as it is not required.
It is common when rules have been checked in Winbox and options opened but not actually filled in for entries like that to get left behind as orphans.
In this case nothing is active, but I have seen connection-state rules left open with nothing ticked, so the rule looks for connections that are neither invalid, established, related nor new and never catches traffic, so best practice is to remove such entries.
OK. I don’t recall fiddling with that rule except to disable and then enable it. Thus, I presume that it’s how the people at MikroTik defined the default rule.