Newbie Firewall help.

Why is the rule:

add action=drop chain=forward connection-state=new connection-type="" \
    dst-address=192.168.10.140 in-interface=ether2 log=yes out-interface=\
    ether1

not stopping an SSH connection from 192.168.86.2 (ether2) to 192.168.10.140 (ether1)?

If I disable the forward all rule:

add action=accept chain=forward connection-state=new in-interface=ether2 \
    out-interface=ether1

it stops connecting, along with everything else.

Complete ruleset:

/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked disabled=yes
add action=drop chain=input comment="Drop Invalid" connection-state=invalid
add action=drop chain=forward connection-state=new connection-type="" \
    dst-address=192.168.10.140 in-interface=ether2 log=yes out-interface=\
    ether1
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="Winbox accept" dst-port=8291 \
    in-interface=ether1 protocol=tcp src-address=192.168.10.10-192.168.10.254
add action=accept chain=input connection-state=new dst-port=8291 \
    in-interface=ether2 protocol=tcp src-address=192.168.86.2
add action=drop chain=input comment="Drop all NOT coming from Ether1" \
    disabled=yes in-interface=!ether1
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    disabled=yes ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=accept chain=forward comment="RDP (Any)  to 192.168.86.2" \
    connection-state=new dst-address=192.168.86.2 in-interface=ether1 \
    out-interface=ether2 protocol=tcp
add action=accept chain=forward connection-state=new in-interface=ether2 \
    out-interface=ether1
add action=drop chain=forward comment="Drop New" connection-state=new
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface=ether1

Thanks in advance :)

I was doing all the config in Winbox. When I posted here I noticed the connection-type="" part. Removing that fixed it.
I am kind of surprised that broke the rule. Would love to know why, please.

Original rule

add action=drop chain=forward connection-state=new connection-type="" \
    dst-address=192.168.10.140 in-interface=ether2 log=yes out-interface=\
    ether1

I'd say because connection-type="" doesn't match any of the possible values of connection-type (new, established, related, untracked, invalid).

Other than that, have a look at what a stateful firewall means and how it works. Basically, all the filter rules should be placed after the initial "accept untracked,established,related" and "drop invalid" ones in each chain, because only connection-state=new packets get past those two rules. So the decision whether or not to allow the whole connection is made once, using the rules handling new packets, and packets belonging to accepted connections are then handled by a single rule (accept established,related,untracked). And you don't need to match on connection-state=new (which also consumes a small bit of CPU).

It's connection-type, not connection-state.

I've misread that (because connection-type is rarely used), but it's the same case. "" doesn't match any value of connection-type, so the rule as a whole never matches.
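To make the two points above concrete (the empty connection-type matcher that can never match, and why a rule's position relative to the established/related accept matters), here is a small Python model of first-match evaluation over the forward chain from this thread. It is an added example written for this page, not RouterOS code and not anything the poster ran; it keeps only the matchers relevant to the question (connection-state, connection-type, interfaces, destination address), so protocol/port matchers and fasttrack are omitted, and the helper names it treats as valid connection-type values are an assumption of the model.

```python
"""Toy first-match model of a RouterOS /ip firewall filter chain (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# connection-state values connection tracking can assign to a packet
CONN_STATES = ("new", "established", "related", "untracked", "invalid")
# connection-type is only set when a helper tracks the connection (assumed list);
# it is otherwise absent (None). It is never the empty string.
HELPER_TYPES = ("ftp", "h323", "irc", "pptp", "quake3", "sip", "tftp")


@dataclass
class Packet:
    conn_state: str
    in_iface: str
    out_iface: str
    dst: str
    conn_type: Optional[str] = None  # helper name from HELPER_TYPES, or None


@dataclass
class Rule:
    action: str
    comment: str = ""
    matchers: Dict[str, str] = field(default_factory=dict)


def matches(rule: Rule, pkt: Packet) -> bool:
    """Every matcher on the rule must match; an unmatched matcher fails the rule."""
    for key, want in rule.matchers.items():
        have = getattr(pkt, key)
        if key == "conn_state":
            # connection-state accepts a comma-separated list
            if have not in want.split(","):
                return False
        elif have != want:
            # connection-type="" compares "" against None or a helper name:
            # never equal, so a rule carrying it can never match
            return False
    return True


def evaluate(chain: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """Return (action, comment) of the first matching rule; default policy is accept."""
    for rule in chain:
        if matches(rule, pkt):
            return rule.action, rule.comment
    return "accept", "default policy (no rule matched)"


def build_forward_chain(empty_conn_type: bool) -> List[Rule]:
    """Forward chain from the thread, with or without the stray connection-type="" matcher."""
    drop_ssh = {"conn_state": "new", "in_iface": "ether2",
                "out_iface": "ether1", "dst": "192.168.10.140"}
    if empty_conn_type:
        drop_ssh["conn_type"] = ""  # what Winbox wrote into the poster's rule
    return [
        Rule("drop", "block ether2 -> 192.168.10.140", drop_ssh),
        Rule("accept", "defconf: accept established,related,untracked",
             {"conn_state": "established,related,untracked"}),
        Rule("accept", "RDP (Any) to 192.168.86.2",
             {"conn_state": "new", "in_iface": "ether1",
              "out_iface": "ether2", "dst": "192.168.86.2"}),
        Rule("accept", "forward all ether2 -> ether1",
             {"conn_state": "new", "in_iface": "ether2", "out_iface": "ether1"}),
        Rule("drop", "Drop New", {"conn_state": "new"}),
    ]


# constructed packets: the SSH SYN from the question, and a reply on an accepted flow
SSH_SYN = Packet("new", "ether2", "ether1", "192.168.10.140")
SSH_REPLY = Packet("established", "ether1", "ether2", "192.168.86.2")


def ssh_verdict(empty_conn_type: bool) -> Tuple[str, str]:
    return evaluate(build_forward_chain(empty_conn_type), SSH_SYN)


def reply_verdict(empty_conn_type: bool) -> Tuple[str, str]:
    return evaluate(build_forward_chain(empty_conn_type), SSH_REPLY)


if __name__ == "__main__":
    print("original rule :", ssh_verdict(True))   # falls through to "forward all"
    print("fixed rule    :", ssh_verdict(False))  # dropped by the first rule
    print("established   :", reply_verdict(True))  # handled by the established accept
```

Running it shows the behaviour from the thread: with connection-type="" present the SSH SYN skips the drop rule and is accepted by the ether2-to-ether1 "forward all" rule; with the matcher removed the same SYN hits the drop. The established reply is accepted by the established/related rule in both cases, which is why only connection-state=new packets ever reach the rules placed after it.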

Unplug your router from the internet; it is in a very unsafe condition.
You have given access to your Winbox port to the whole world.
Assuming ether1 is your WAN port...
The source addresses you put in there are no protection.
Only use a VPN tunnel to configure the router from external locations.

add action=accept chain=input comment="Winbox accept" dst-port=8291 \
    in-interface=ether1 protocol=tcp src-address=192.168.10.10-192.168.10.254

Thanks Sindy.

Anav, it's sitting in a private network. Worry not :)

Phew!!! Happy routing, LOL.