Questions about (basic) firewall

S8T8 · November 19, 2023, 12:25am

Dear experts,
in my home environment I’m using a basic MikroTik router plus some additions like VLAN, VPN, configured following wiki, the great pcunite’s VLAN topic, and other advices (thanks to all forum community!)
No big issues, just some clarifications;

Firewall Filter, 127.0.0.0
what’s the difference between the firewall rule add action=accept chain=input dst-address=127.0.0.1 and src-address=127.0.0.1?
Firewall Filter, drop
any difference between:
…

add action=accept chain=input comment="Admin access" in-interface-list=ManagementVLAN src-address-list=Authorized
add action=drop chain=input comment="Drop all else"
-
...
add action=accept chain=forward comment="Allow internet traffic" in-interface-list=VLAN out-interface-list=WAN
add action=drop chain=forward comment="Drop all else"

and

...add action=drop chain=input in-interface-list=!ManagementVLAN src-address-list=!Authorized
-
...
add action=accept chain=forward comment="Allow internet traffic" in-interface-list=VLAN out-interface-list=WAN
add action=drop chain=forward in-interface-list=!ManagementVLAN

?

Firewall Mangle, change MSS
Suggested in a topic,

 action=change-mss chain=forward new-mss=1372 in-interface=Wireguard protocol=tcp tcp-flags=syn tcp-mss=1373-65535

when in-interface=Wireguard is effective? Just in Site-to-Site traffic and not when we are using the VPN client to connect the device to the router?

Firewall Filter, accept ICMP

add action=accept chain=input protocol=icmp

in default config is placed after connection-state=established,related,untracked, in Advance Firewall before
where is better to have this rule placed?

Thank you!

S8T8 · November 19, 2023, 6:08pm

(updated)

S8T8 · November 21, 2023, 6:06pm

Any hints?

erlinden · November 21, 2023, 6:26pm

Have you found this topic yet:
https://forum.mikrotik.com/viewtopic.php?t=180838

@anav is well known on this forum for both his firewall knowledge as well as his communication skills

S8T8 · November 21, 2023, 7:02pm

Yes, read that topic and also did an extensive research through the forum;

question 1, read a suggestion from @rextended about use src-address instead of dst-address
question 2, is from @anav topic, add action=drop chain=input seems to be enough
question 3, @sindy indicated the use of in-interface-list but not clear when necessary
question 4, after reading MikroTik help, asked to support but answer is pending

k6ccc · November 21, 2023, 7:08pm

Re #2. I end ALL chains with a drop everything rule. The one before it is not needed.

S8T8 · November 22, 2023, 8:11pm

Thanks @k6ccc

S8T8 · November 29, 2023, 5:55pm

Questions reduced and updated, hope for some interesting answers

LdB · November 30, 2023, 1:59am

1) Firewall Filter, 127.0.0.0
what's the difference between the firewall rule add action=accept chain=input dst-address=127.0.0.1 and src-address=127.0.0.1?

source address = the rule applies to packets leaving 127.0.0.0 AKA sending from that IP
destination address = the rule applies to packets coming to 127.0.0.17 AKA receiving to that IP

2) Firewall Filter, drop
any difference between:

Basics of it Input chain means going to the router, forward chain means going thru router to some other device or service the router is connected to.

Drop on input chain drops any packet the destination would matches an IP on the router as it’s delivery point
Drop on forward chain drops any packet that would pass thru the router stopping delivery to connected devices and services

3) Firewall Mangle, change MSS

The rule is being applied on the forward chain so the MTU adjust is being applied to traffic coming into the tik and the being forwarded to a client device. If you wanted to put it on traffic from client devices to wireguard it would be

/ip firewall mangle 
add out-interface=wireguard protocol=tcp tcp-flags=syn action=change-mss new-mss=1372 chain=forward tcp-mss=1372-65535

4) Firewall Filter, accept ICMP

You want priority with least number of rules for heavy traffic load so connected stream traffic is generally as close to rule 1 as possible.
If you put ping in rule 1 every stream traffic would first be checked if it was an ICMP before passing to rule 2 which is the connected accept.
So you just put load on the router for no good reason.

So basically remember inside the input and forward chains the rules are checked in order and that order can change load on routing.

S8T8 · December 1, 2023, 11:15am

Thanks @LdB! So interesting…

127.0.0.1, default is dst-address=, in some topics I found suggestion for src-address=.
The fists, DST, should be used when same device is CAPsMAN and CAP as the same time, SRC lo allow the internal loopback interface, in case is not already allowed by design.
127.0.0.0/8 is not routable, but adding in-interface-list=none or in-interface-list=!all should “protect” more.
Make sense?
Allow an interface and then Drop everything (2 rules) VS. Drop everything except the management interface (1 rule)

Having just a single rule (at the end) should reduce load on router, correct?

add action=accept protocol=icmp

Basically should stay at the third place, after connection-state=established,related,untracked and connection-state=invalid.