RB 750G - Firewall Problems

Hello,

I just bought a Routerboard 750G, which I use as a switch with additional functions like a PPTP VPN server. I have two bridges, one with some ports to the external net and the intranet with some ports. All parts are working as expected, but the firewall doesn’t. My rules seem to be ignored and all services of the RouterOS are accessible over the external net (172.X.Y.Z), so I had to deactivate the external interface. Here is my firewall config:

Flags: X - disabled, I - invalid, D - dynamic 
 0   ;;; allow SSH from external
     chain=input action=accept connection-state=new protocol=tcp 
     dst-address=172.X.Y.Z in-interface=external dst-port=22 

 1   ;;; allow PING from external
     chain=input action=accept connection-state=new protocol=icmp 
     dst-address=172.X.Y.Z in-interface=external icmp-options=8:0 

 2   ;;; allow PPTP TCP Connect
     chain=input action=accept connection-state=new protocol=tcp 
     dst-address=172.X.Y.Z in-interface=external dst-port=1723 

 3   ;;; allow PPTP gre Requests
     chain=input action=accept 

 4   ;;; allow established connections
     chain=input action=accept connection-state=established dst-address=172.X.Y.Z 

 5   ;;; drop ssh brute forcers
     chain=input action=drop protocol=tcp src-address-list=ssh_blacklist 
     in-interface=external dst-port=22 

 6   ;;; ssh brute force address list - add to 10 days blacklist
     chain=input action=add-src-to-address-list connection-state=new protocol=tcp 
     src-address-list=ssh_stage3 address-list=ssh_blacklist address-list-timeout=1w3d 
     in-interface=external dst-port=22 

 7   ;;; ssh brute force address list - add to stage3
     chain=input action=add-src-to-address-list connection-state=new protocol=tcp 
     src-address-list=ssh_stage2 address-list=ssh_stage3 address-list-timeout=1m 
     in-interface=external dst-port=22 

 8   ;;; ssh brute force address list - add to stage2
     chain=input action=add-src-to-address-list connection-state=new protocol=tcp 
     src-address-list=ssh_stage1 address-list=ssh_stage2 address-list-timeout=1m 
     in-interface=external dst-port=22 

 9   ;;; ssh brute force address list - add to stage1
     chain=input action=add-src-to-address-list connection-state=new protocol=tcp 
     address-list=ssh_stage1 address-list-timeout=1m in-interface=external dst-port=22 

10   ;;; drop all other requests on external-bridge
     chain=input action=drop in-interface=external

I thought this should block all traffic except PPTP, SSH and pings.

By the way: Is it possible to configure SSH public-key-only login?
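As an added check (my own code, not part of this thread or of RouterOS), here is a small Python linter over `/ip firewall filter print` output that flags enabled accept/drop/reject rules carrying no match conditions at all: such a rule matches every packet in its chain, so every rule listed after it never runs. On the listing above it reports rule 3, whose only attributes are chain=input action=accept. The header/continuation layout it parses is assumed from that listing, and the embedded sample is an excerpt of it.

```python
import re
# Keys that name a target or do bookkeeping; they do not narrow a match (assumption).
NON_MATCH_KEYS = {"chain", "action", "address-list", "address-list-timeout",
                  "log", "log-prefix", "jump-target"}
HEADER_RE = re.compile(r"^\s*(\d+)\s+([XID]*)\s*(.*)$")  # ' 3 X  ;;; comment'
KV_RE = re.compile(r"([\w-]+)=(\S+)")

def parse_filter_print(text):
    """Parse '/ip firewall filter print' output into rule dicts."""
    rules, cur = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:  # header line: rule number, optional flags, then comment or key=values
            cur = {"number": int(m.group(1)), "flags": m.group(2), "comment": "", "attrs": {}}
            rules.append(cur)
            line = m.group(3)
            if line.startswith(";;;"):
                cur["comment"] = line[3:].strip()
                continue
        if cur is not None:  # continuation lines carry further key=value pairs
            cur["attrs"].update(KV_RE.findall(line))
    return rules

def catch_all_rules(rules):
    """Enabled accept/drop/reject rules with no match condition. They match every
    packet, so later rules in the same chain are dead: [(number, chain, [dead])]."""
    out = []
    for i, r in enumerate(rules):
        a = r["attrs"]
        if "X" in r["flags"] or a.get("action") not in ("accept", "drop", "reject"):
            continue
        if any(k not in NON_MATCH_KEYS for k in a):
            continue  # has at least one real matcher
        dead = [s["number"] for s in rules[i + 1:]
                if s["attrs"].get("chain") == a.get("chain") and "X" not in s["flags"]]
        out.append((r["number"], a.get("chain"), dead))
    return out

# Excerpt of the rule set from the post above (rules 1, 2 and 5-9 omitted for brevity).
SAMPLE = """\
 0   ;;; allow SSH from external
     chain=input action=accept connection-state=new protocol=tcp
     dst-address=172.X.Y.Z in-interface=external dst-port=22
 3   ;;; allow PPTP gre Requests
     chain=input action=accept
 4   ;;; allow established connections
     chain=input action=accept connection-state=established dst-address=172.X.Y.Z
10   ;;; drop all other requests on external-bridge
     chain=input action=drop in-interface=external
"""
FINDINGS = catch_all_rules(parse_filter_print(SAMPLE))  # [(3, 'input', [4, 10])]
```

Run it against your own `print` output to see which input-chain rules can ever be reached; a GRE accept needs at least `protocol=gre` to stop matching everything.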

As you can see in the packet flow diagram, bridge forward traffic is not processed through the IP firewall by default. Set

/interface bridge settings set use-ip-firewall=yes

to change this behavior.

You can try this guide http://wiki.mikrotik.com/wiki/Use_SSH_to_execute_commands_(DSA_key_login) to set up SSH DSA key login.

Hey,

thank you for your fast answer. But I think you didn’t understand my needs correctly, or I didn’t understand the forwarding model. I don’t want to filter traffic from one port in the “external” bridge to another. I only want to filter traffic for the Routerboard on its IP (172.X.Y.Z) on the “external” bridge.

Hello,

thank you for this fast answer. But I don’t know if I misunderstood the concept of firewalling on RouterOS or if you misunderstood my question. I think the link you gave me shows how to have traffic going through the bridge processed by the firewall. But I don’t want firewalling of traffic going through the bridge, only of traffic to the Routerboard’s IP assigned to this bridge. Is it also necessary to activate the IP firewall for the bridge to filter only the traffic to the Routerboard itself?

I followed these instructions, but after this SSH login works without a password or with the passphrase of the key; I want only this form to be allowed, to prevent hacking. I think this is a better method than only preventing brute force with the firewall.