Help on Dmitry on firewalling

Hi,

I’m testing this Dmitry on firewalling (http://wiki.mikrotik.com/wiki/Dmitry_on_firewalling).

Everything is OK, but I can access the mikrotik from outside (From the Internet).

I believe that these rules:

add chain=input in-interface=Public action=jump jump-target=public-services comment="Allowing some services to be accessible from the Internet"
add chain=public-services connection-mark=ssh action=accept comment="SSH (22/TCP)"
add chain=public-services connection-mark=pptp action=accept comment="PPTP (1723/TCP)"
add chain=public-services connection-mark=winbox action=accept comment="Winbox (8291/TCP)" disabled=no
add chain=public-services connection-mark=gre action=accept comment="GRE for PPTP"
add chain=public-services action=log comment="Log & Drop Other Public Services"

must be what allows me to access the router from the outside.

Can someone give me a hand with this?

If you don’t need any services to be available via the public interface, remove those lines you quoted completely.

Add either src-address or src-address-list filters if you need services to be available from the public interface but need to limit where from:

/ip firewall address-list
add list=Admin_Networks address=1.1.0.0/24
add list=Admin_Networks address=1.1.1.0/25

The filter rules then look like this:

/ip firewall filter
add chain=public-services connection-mark=ssh action=accept comment="SSH (22/TCP)" src-address-list=Admin_Networks
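The same idea carried through the whole chain the original poster quoted, as an added example (this is not the wiki's configuration or the answerer's, and it assumes the connection marks ssh/pptp/winbox/gre are already being set in /ip firewall mangle as in the Dmitry article, and that the WAN interface is called Public). Management protocols are limited to Admin_Networks, the VPN services stay reachable from anywhere, and the chain ends with an explicit drop rather than only a log rule, so a packet that matches nothing cannot fall back into the rest of the input chain:

```routeros
# Added example, not from the original thread or the MikroTik wiki page.
# Assumes: connection marks ssh/pptp/winbox/gre set in /ip firewall mangle,
# WAN interface named "Public". Address ranges are placeholders.

/ip firewall address-list
add list=Admin_Networks address=1.1.0.0/24 comment="office"
add list=Admin_Networks address=1.1.1.0/25 comment="backup admin range"

/ip firewall filter
# Hand all traffic arriving on the public interface to the public-services chain
add chain=input in-interface=Public action=jump jump-target=public-services \
    comment="Allowing some services to be accessible from the Internet"

# Management only from the admin networks
add chain=public-services connection-mark=ssh src-address-list=Admin_Networks \
    action=accept comment="SSH (22/TCP) from Admin_Networks only"
add chain=public-services connection-mark=winbox src-address-list=Admin_Networks \
    action=accept comment="Winbox (8291/TCP) from Admin_Networks only"

# VPN stays open: remote users have dynamic addresses
add chain=public-services connection-mark=pptp action=accept comment="PPTP (1723/TCP)"
add chain=public-services connection-mark=gre action=accept comment="GRE for PPTP"

# Anything else that reached this chain: log it, then drop it explicitly
add chain=public-services action=log log-prefix="public-drop: " \
    comment="Log other public services"
add chain=public-services action=drop comment="Drop other public services"
```

Check it with `/ip firewall filter print stats chain=public-services` while connecting from an address outside Admin_Networks: the SSH and Winbox accept counters must stay at zero and the drop counter must increase. If you have only one admin range, remember to add a management path on the LAN side first, otherwise a typo in the address list locks you out.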

Great, thank you :)

Sometimes static src-address is not an option.
It would be nice to have secure port knocking, e.g. SSH into the router using a key pair and the IP is automatically added to the allowed list for some period of time…

You can do that.

You can sort of fudge port knocking with built-in tools: make rules in a chain whose action adds the source address to an address list, and accept traffic sourced from that address list. You can stagger that: a SYN sent to port 65000 adds the source to address-list-1, a SYN sent to port 65001 from an address on address-list-1 adds it to address-list-2, and address-list-2 members are allowed to SSH into the router.
Not quite as sophisticated as dedicated port knocking tools, but it works.
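The staggered scheme described above written out as firewall rules, as an added example that is not part of the original post. It matches on dst-port directly rather than on the wiki's connection marks, and the interface name Public, the knock ports 65000/65001 and the timeouts are assumptions. The two things that make it tolerable in practice are the short lifetime of the first stage and a ban list for hosts that hit the second port without having knocked the first, which is what a port scanner walking up the port range will do:

```routeros
# Added example, not from the original thread. Assumes WAN interface "Public";
# knock ports and timeouts are arbitrary choices.
/ip firewall filter
# Hosts that knocked in the wrong order are dropped before anything else
add chain=input in-interface=Public src-address-list=knock-banned action=drop \
    comment="port knock: banned"

# Stage 1: a SYN to 65000 puts the source into knock-stage1 for 15 seconds
add chain=input in-interface=Public protocol=tcp dst-port=65000 tcp-flags=syn,!ack,!fin,!rst \
    action=add-src-to-address-list address-list=knock-stage1 address-list-timeout=15s \
    comment="port knock stage 1"

# Stage 2: a SYN to 65001 from a stage-1 host promotes it to knock-allowed for 1 hour
add chain=input in-interface=Public protocol=tcp dst-port=65001 tcp-flags=syn,!ack,!fin,!rst \
    src-address-list=knock-stage1 \
    action=add-src-to-address-list address-list=knock-allowed address-list-timeout=1h \
    comment="port knock stage 2"

# A SYN to 65001 from a host that never knocked 65000 (scanner, wrong order): ban for a day
add chain=input in-interface=Public protocol=tcp dst-port=65001 tcp-flags=syn,!ack,!fin,!rst \
    src-address-list=!knock-stage1 \
    action=add-src-to-address-list address-list=knock-banned address-list-timeout=1d \
    comment="port knock wrong order"

# Only knock-allowed hosts reach SSH; everyone else is dropped
add chain=input in-interface=Public protocol=tcp dst-port=22 src-address-list=knock-allowed \
    action=accept comment="SSH after successful knock"
add chain=input in-interface=Public protocol=tcp dst-port=22 action=drop \
    comment="SSH without knock"
```

`add-src-to-address-list` is a non-terminating action, so the knock packets themselves continue down the input chain and are disposed of by whatever drop rule ends it; nothing needs to listen on 65000 or 65001. From a client the sequence is simply `nc -z router 65000; nc -z router 65001; ssh router`. The knock is still visible to anyone sniffing the path, so treat it as a way to keep scanners and brute-forcers off the SSH port, not as authentication: the key pair on the SSH login is what does that.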

How? The IP should be added only after successful SSH authentication. I don't see how I can detect it…

Look in the wiki for actions based on log entries.
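One way to act on the log entries, added here as an example rather than taken from the wiki or the thread: a scheduled script scans the system log for successful SSH logins, extracts the source address and puts it on an address list with a timeout, and a filter rule then opens Winbox only to addresses on that list. The message format `user <name> logged in from <ip> via ssh` is what RouterOS writes for an SSH login, but confirm it with `/log print` on your own version before relying on it; the script name, list name and the 8-hour lifetime are assumptions:

```routeros
# Added example, not from the original thread or the MikroTik wiki.
# Assumes the log line "user <name> logged in from <ip> via ssh" (check /log print),
# and a WAN interface named "Public".
/system script add name=ssh-login-allow policy=read,write,test source={
    :foreach entry in=[/log find where message~"logged in from .* via ssh"] do={
        :local msg [/log get $entry message]
        # Cut the address out between "from " and " via"
        :local start ([:find $msg "from "] + 5)
        :local end [:find $msg " via"]
        :local ip [:pick $msg $start $end]
        # Add once; the timeout removes the entry again later
        :if ([:len [/ip firewall address-list find list=ssh-authenticated address=$ip]] = 0) do={
            /ip firewall address-list add list=ssh-authenticated address=$ip timeout=8h \
                comment="auto-added after SSH login"
        }
    }
}

# Run the scan every minute
/system scheduler add name=ssh-login-allow interval=1m on-event=ssh-login-allow \
    policy=read,write,test

# Winbox from the Internet only for addresses that have authenticated over SSH
/ip firewall filter
add chain=input in-interface=Public protocol=tcp dst-port=8291 \
    src-address-list=ssh-authenticated action=accept comment="Winbox after SSH login"
add chain=input in-interface=Public protocol=tcp dst-port=8291 action=drop \
    comment="Winbox without SSH login"
```

Two caveats before using this. The memory log keeps old entries until the buffer rolls over, so a login from days ago can re-add its address once the 8-hour timeout has expired; if that matters, send `system,info,account` to a logging action with a small buffer or compare the entry's time against the current clock before adding. And the script runs with write policy every minute, so keep it short and make sure only the admin group can edit it, because anything that can change the script can change the firewall.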

Great idea, thanks!