Output chain question

RoS rules are used in the Input, Forward and Output chains.
The Input and Forward chains are used everywhere, but very rarely does anyone use the Output chain.
Is a firewall enough if I use the Input and Forward chains? If we look at the Mikrotik wiki - wiki.mikrotik.com/wiki/Manual:Packet_Flow, we see the sequence: prerouting, input, forward, output and postrouting. I read in the forums that output traffic can be “intercepted” and it is not safe. I don’t know if that is true, but I’ve been using this output chain for a long time. Maybe I don’t understand? What is your experience?

/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add chain=input protocol=tcp dst-port=22 src-address-list=ssh_blacklist action=drop \
comment="drop ssh brute forcers" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new \
src-address-list=ssh_stage3 action=add-src-to-address-list address-list=ssh_blacklist \
address-list-timeout=10d comment="" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new \
src-address-list=ssh_stage2 action=add-src-to-address-list address-list=ssh_stage3 \
address-list-timeout=1m comment="" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage1 \
action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m comment="" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new action=add-src-to-address-list \
address-list=ssh_stage1 address-list-timeout=1m comment="" disabled=no
add action=accept chain=input comment=L2TP connection-state=new dst-port=\
    500,1701,4500 in-interface=WAN protocol=udp
add action=accept chain=input comment="IKE IPSec" protocol=ipsec-esp
add action=accept chain=input comment="Allow access to router from known network" in-interface-list=!WAN \
    src-address=192.168.88.0/24
add action=drop chain=input comment="Drop " in-interface-list=!LAN

add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=forward comment="Allow Pings" protocol=icmp
add action=accept chain=forward comment="Accept from local to internet" in-interface-list=!WAN \
    out-interface-list=WAN
add action=accept chain=output comment=Output out-interface-list=WAN
add action=accept chain=output comment=Output out-interface-list=!WAN
add action=accept chain=output comment=Output
add action=drop chain=forward comment="Drop everything else" connection-nat-state=!dstnat connection-state=new \
    in-interface-list=WAN

Typically you use output only if you do not want specific packets originated on the router to be sent out. BTW your listed output rules do nothing but add load on the CPU.

You only need to add rules to the output chain of /ip firewall filter if you want to prevent the Mikrotik itself from accessing some remote sites.

Then can I just remove them from the common list?

Your output chain accepts everything, so it does not do any filtering.
However, rules like that can be interesting to see counters (so you know how much output traffic there actually is).

In general it can be said that firewall rules are to be decided and maintained according to your own needs.
It is seldom a good idea to cut/paste someone else’s rules and first assume they are good and are what you need, then later question what everything is for and if it can be deleted.
In such cases you can better reset to defaults and work from there according to what you need.

Thank you very much for the explanations!

One useful output rule that I like to use is to block all traffic to tcp/25. Nobody uses simple SMTP to reach remote SMTP servers nowadays. Except worms and trojan programs that send out spam through misconfigured SMTP servers.

But that would only have an effect if the router itself (e.g. a script running on the router) tried to send mail. And the router admin should notice such a script. If that was the result of malicious action, then the firewall filter rule could just as easily be disabled.

In any case, a compromised router should be netinstalled, configured from clean defaults and the attack vector blocked. Otherwise everything is in vain and no rules in the output chain can help the router admin.

Keep in mind that the ROS firewall is actually a UI for Linux iptables … on a usual Linux machine there are plenty of software pieces installed from various sources by possibly multiple local users. In such an environment it makes sense for the administrator to block certain outbound connections. Alas, in a controlled environment such as a router/firewall the chance of unwanted outbound activities is much lower. If one doesn’t trust the router vendor to do the right thing, he would better change vendor.

When you think that is useful in the output chain, you probably don’t understand the difference between forward and input/output.
For such a rule to have effect, it has to be in the forward chain.
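To make the chain distinction in this thread concrete, here is an added example (not code from the forum posts or from MikroTik) that models how a packet is assigned to the input, output or forward chain and then walked through an ordered rule list, first match wins, with a default accept when nothing matches (the RouterOS filter default). The router addresses 192.168.88.1/203.0.113.2, the LAN 192.168.88.0/24 and the remote SMTP host 198.51.100.5 are constructed for the demo; the three output-chain accepts are reproduced from the original post. It shows that a tcp/25 drop in the output chain only ever sees router-originated traffic, that the same drop in the forward chain is what catches a LAN host, and that a drop placed after the poster's catch-all accepts is shadowed and its counter never moves.

```python
"""Toy model of chain selection and rule evaluation (added example, not from the thread)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple, Dict, List

# Constructed topology for the demo: the router owns one LAN and one WAN address.
ROUTER_ADDRESSES = {ip_address("192.168.88.1"), ip_address("203.0.113.2")}
LAN = ip_network("192.168.88.0/24")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: str
    dst_port: Optional[int] = None


@dataclass
class Rule:
    chain: str
    action: str                              # "accept" or "drop"
    comment: str = ""
    protocol: Optional[str] = None
    dst_port: Optional[int] = None
    out_interface_list: Optional[str] = None  # "WAN" or "!WAN", like the poster's rules
    counter: int = 0                          # packets this rule matched (the "counters" mentioned above)

    def matches(self, pkt: Packet, out_iface: Optional[str]) -> bool:
        if self.protocol and self.protocol != pkt.protocol:
            return False
        if self.dst_port is not None and self.dst_port != pkt.dst_port:
            return False
        if self.out_interface_list:
            negate = self.out_interface_list.startswith("!")
            name = self.out_interface_list.lstrip("!")
            if (out_iface == name) == negate:
                return False
        return True


def select_chain(pkt: Packet) -> str:
    """Mirror of the packet-flow diagram: locally destined -> input,
    locally generated -> output, everything else (transit) -> forward."""
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    if dst in ROUTER_ADDRESSES:
        return "input"
    if src in ROUTER_ADDRESSES:
        return "output"
    return "forward"


def egress_interface(pkt: Packet) -> str:
    return "LAN" if ip_address(pkt.dst) in LAN else "WAN"


def run_chain(rules: List[Rule], chain: str, pkt: Packet) -> str:
    """First matching rule in the chain decides; no match means accept."""
    out_iface = egress_interface(pkt) if chain != "input" else None
    for rule in rules:
        if rule.chain == chain and rule.matches(pkt, out_iface):
            rule.counter += 1
            return rule.action
    return "accept"


def filter_packet(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    chain = select_chain(pkt)
    return chain, run_chain(rules, chain, pkt)


def op_output_rules() -> List[Rule]:
    # The three output-chain rules from the original post: they accept everything,
    # so they never change a verdict; they only count packets.
    return [
        Rule("output", "accept", "Output", out_interface_list="WAN"),
        Rule("output", "accept", "Output", out_interface_list="!WAN"),
        Rule("output", "accept", "Output"),
    ]


def demo() -> Dict[str, object]:
    lan_smtp = Packet("192.168.88.10", "198.51.100.5", "tcp", 25)   # LAN host -> remote SMTP
    router_smtp = Packet("203.0.113.2", "198.51.100.5", "tcp", 25)  # router itself -> remote SMTP
    results: Dict[str, object] = {}

    # Case A: tcp/25 drop in the output chain, ahead of the accepts. Only the router's own traffic hits it.
    rules_a = [Rule("output", "drop", "block smtp from router", protocol="tcp", dst_port=25)] + op_output_rules()
    results["lan_smtp_output_rule"] = filter_packet(rules_a, lan_smtp)
    results["router_smtp_output_rule"] = filter_packet(rules_a, router_smtp)

    # Case B: the same drop in the forward chain, which is where the thread concludes it belongs.
    rules_b = [Rule("forward", "drop", "block smtp from LAN", protocol="tcp", dst_port=25)] + op_output_rules()
    results["lan_smtp_forward_rule"] = filter_packet(rules_b, lan_smtp)
    results["router_smtp_forward_rule"] = filter_packet(rules_b, router_smtp)

    # Case C: a drop placed after the catch-all accepts is shadowed; only the accept's counter moves.
    shadowed = Rule("output", "drop", "never reached", protocol="tcp", dst_port=25)
    rules_c = op_output_rules() + [shadowed]
    results["router_smtp_shadowed"] = filter_packet(rules_c, router_smtp)
    results["shadowed_counter"] = shadowed.counter
    results["first_accept_counter"] = rules_c[0].counter
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The model deliberately ignores connection tracking and NAT; its only job is to show which chain a given packet can ever reach, which is the whole argument of the replies above.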

My mistake. Actually I always put this in the forward chain. :smiley: