Hey guys,
I need to change the firewall configuration so that it does not have full access to the Internet.
Just access specific IP of servers.
Is it possible?
Thanks.
Of course it is. But if you want a more useful answer, post the export of your current configuration, and specify what/who should have access only to specific IP addresses - the router itself, a particular device on LAN, anything connected to the LAN, …
Sindy, thanks for answering! These rules must apply to every device on the LAN. I found a tutorial on YouTube:
https://www.youtube.com/watch?v=HhVxKbMZTSU
Can I follow these steps? Is it right?
I’m not young enough to spend 10 minutes watching a verbose video tutorial that doesn’t contain your existing firewall rules anyway, instead of spending two minutes to read your export and tell you what rule to put at what place.
Forget youtube.
These rules must be applied to network 192.168.200.1/24.
It's already set, can you check if it's okay?
Unfortunately it is not OK, or, better to say, it is not sufficient. In RouterOS, the default handling of a packet in a firewall chain is “accept”, so any packet that matches none of the rules in that chain is accepted. So whatever is not accepted or dropped by one of those two rules you’ve created in chain forward of /ip firewall filter will be allowed to pass through. And both your rules only deal with TCP ports 80 and 443, so any other traffic can pass through transparently.
If you remove the protocol and dst-port match conditions from your drop rule, it will start dropping all packets that didn’t match the previous rule (which is almost what you want), so the client requests to server ports 80 or 443 will get through but the server’s responses will not (which is what you have to resolve).
If the router is connected directly to the internet with this configuration and with no other firewall between its ether1 and the internet (or was connected in the past), it is quite likely that some malware is already squatting on it. The router itself is not protected at all, nor is it protecting devices on its LAN side.
As you apparently don’t know yet what a stateful firewall is, and given that your required configuration is dead simple, as a quick solution I would recommend you to netinstall the router with the current long-term RouterOS version (6.47.10 as of writing this), which will purge any previous contents (including any eventual malware) and install a default configuration that contains a decent stateful firewall. Then, set the IP addresses on ether1 and ether2 as needed and add the address-list items as above, and then insert the rule
action=accept chain=forward dst-address-list=povolene dst-port=80,443 protocol=tcp
just before the
chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN comment="defconf: drop all from WAN not DSTNATed"
one, and then modify that last one to just
chain=forward action=drop (with no other match conditions)
If the router wasn’t ever directly connected to the internet but the configuration of the rest of your networking infrastructure looks similar, I’d still do the netinstall etc.
As a long-term solution, either google up what a stateful firewall means and how the firewall rules work in general (see a supercharged introduction to the firewall in one of my older posts) or, if dealing with the network is not your primary job, let the management hire a networking specialist.
Don’t take that personally, no one is born a networking specialist, but the configuration you’ve shown strongly suggests that the rest of the network needs a security audit as well.
It’s good you have edited the device name.
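As an added example (not code from the thread), here is the forward chain Sindy describes, typed as RouterOS CLI commands. It assumes the RouterOS 6.47 default configuration with its WAN/LAN interface lists and "defconf:" rule comments; the server addresses are placeholders from the 203.0.113.0/24 documentation range, and "povolene" is the address-list name used in the thread.

```routeros
# Added example, not from the thread. Assumes the RouterOS 6.47 default
# configuration (interface lists WAN and LAN, "defconf:" rule comments).
# Server addresses are placeholders from the documentation range 203.0.113.0/24.

# 1. Servers the LAN is allowed to reach ("povolene" = list name from the thread)
/ip firewall address-list
add list=povolene address=203.0.113.10 comment="web server A (placeholder)"
add list=povolene address=203.0.113.20 comment="web server B (placeholder)"

# 2. Accept client requests from LAN to those servers on TCP 80/443 only.
#    place-before puts the rule in front of the default "drop all from WAN
#    not DSTNATed" rule, i.e. before the end of the forward chain.
/ip firewall filter
add chain=forward action=accept protocol=tcp dst-address-list=povolene \
    dst-port=80,443 in-interface-list=LAN out-interface-list=WAN \
    comment="LAN -> allowed servers, HTTP/HTTPS" \
    place-before=[find comment="defconf: drop all from WAN not DSTNATed"]

# 3. Replace the default last rule by an unconditional drop (same result as
#    removing its match conditions, as Sindy suggests): every forward packet
#    not accepted above is dropped. The default "accept established,related,
#    untracked" rule earlier in the chain still lets the servers' responses
#    back to the LAN clients, which is what the stateful part buys you.
remove [find comment="defconf: drop all from WAN not DSTNATed"]
add chain=forward action=drop comment="drop everything else"

# 4. Verify the resulting order of the forward chain
print where chain=forward
```

Because the final drop is unconditional, anything the LAN needs besides HTTP/HTTPS to the listed servers must get its own accept rule placed before it.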
Echo the comments.
Start fresh, WITH DEFAULT FIREWALL RULES IN PLACE.
Then describe your requirements: what users/devices or sets of users/devices should be able to do and what they should not be able to do, without discussing the config.
That will then help tailor the config from the default to your needs.
For example, it appears you want people on the LAN only to be able to access specific WAN IPs?
One error in the config:
/ip address
add address=192.168.33.200/16 interface=ether1 network=192.168.0.0
add address=192.168.200.1/24 interface=ether2 network=192.168.200.0
should have been bridge1