Request for firewall rule verification: using services like ssh and ftp inside my LAN

Hi all,
I changed ISPs and have had to reconfigure my firewall. pppoe-out1 is my WAN interface. This is a home setup. I want to be able to SSH into the router but only from the LAN. The same applies to using FTP and other services of the router. I do not plan to run any servers. I do however use programs like Skype, TeamTalk, TeamSpeak for chat, and TeamViewer for remote tech support. I also want automatic update facilities like Windows Update to work.
Here are my rules so far.

may/26/2017 20:59:08 by RouterOS 6.39.1

software id = 7S88-QHXW

/ip firewall filter
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface=ether1
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="pppoe-out1 drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface=pppoe-out1
add action=accept chain=input connection-state=established,related in-interface=pppoe-out1
add action=drop chain=input connection-state=invalid,new in-interface=pppoe-out1

Most of my stuff is working except SSH. The moment I enable SSH, I see brute force attempts from the internet. I cannot understand why the above rules are not blocking SSH connections. No one has got in, but the port is open, so people try getting in. I want to only use SSH to log in to the router from the LAN.

How do I achieve the above?
I am running 6.39.1 of Router OS.

You’re missing one last rule:

add action=drop chain=input comment="defconf: drop all from WAN" in-interface=pppoe-out1

The input chain refers to traffic addressed to the router itself; forward is for anything traversing it.

BTW, you can always check which were the default configuration firewall filter rules by opening a terminal and issuing:

/system default-configuration print

Hi,
add action=drop chain=input comment="defconf: drop all from WAN" in-interface=pppoe-out1
did the trick in terms of when I port scan the router from the outside, all the ports are shown as filtered. However, why do I need this rule if I am already dropping invalid and new packets? What kind of traffic is left?

Pranav

Go to IP > Services and make those services you need accessible only from within your own network.

It is never wrong to have a catch-all block at the end of your firewall rules, provided you've got the rest of the filtering working correctly.

did the trick in terms of when I port scan the router from the outside, all the ports are shown as filtered. However, why do I need this rule if I am already dropping invalid and new packets? What kind of traffic is left?

Edit:
AFAIK, states are OR’ed, so it should block incoming traffic.

In any case, it's best practice to add separate drop rules for invalid and WAN connections:

filter add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid from ANY port"
filter add chain=input action=drop in-interface=pppoe-out1 \
    comment="defconf: drop all from WAN (if we reach this rule it should be dropped regardless of state)"

Hi all,
I was wrong about my initial report. I did another port scan and the ports remain open. My updated set of rules is below.
I have also checked the default configuration and, except for a rule accepting ICMP traffic, I have the remaining rules in place, or so I think.
0 D ;;; special dummy rule to show fasttrack counters
chain=forward action=passthrough

1 ;;; defconf: fasttrack
chain=forward action=fasttrack-connection
connection-state=established,related

2 ;;; defconf: accept established,related
chain=forward action=accept connection-state=established,related

3 ;;; defconf: drop all from WAN not DSTNATed
chain=forward action=drop connection-state=new
connection-nat-state=!dstnat in-interface=ether1

4 ;;; defconf: drop invalid
chain=forward action=drop connection-state=invalid

5 ;;; pppoe-out1 drop all from WAN not DSTNATed
chain=forward action=drop connection-state=new
connection-nat-state=!dstnat in-interface=pppoe-out1


6 chain=input action=accept connection-state=established,related
in-interface=pppoe-out1

7 chain=input action=drop connection-state=invalid,new
in-interface=pppoe-out1

8 ;;; defconf: drop all from WAN
chain=input action=drop in-interface=pppoe-out1

9 ;;; defconf: drop all from WAN
chain=input action=drop in-interface=ether1

Pranav

Do you mean that you're still seeing SSH scans with these rules in place?

Have you cleared all the connections on Connections tab?

Hi,
OK, I removed the "new" portion from connection-state in rule number 7. My revised rules are below.
0 D ;;; special dummy rule to show fasttrack counters
chain=forward action=passthrough

1 ;;; defconf: fasttrack
chain=forward action=fasttrack-connection
connection-state=established,related

2 ;;; defconf: accept established,related
chain=forward action=accept connection-state=established,related

3 ;;; defconf: drop all from WAN not DSTNATed
chain=forward action=drop connection-state=new
connection-nat-state=!dstnat in-interface=ether1

4 ;;; defconf: drop invalid
chain=forward action=drop connection-state=invalid

5 ;;; pppoe-out1 drop all from WAN not DSTNATed
chain=forward action=drop connection-state=new
connection-nat-state=!dstnat in-interface=pppoe-out1

6 chain=input action=accept connection-state=established,related
in-interface=pppoe-out1

7 chain=input action=drop connection-state=invalid in-interface=pppoe-out1

8 ;;; defconf: drop all from WAN
chain=input action=drop in-interface=pppoe-out1

9 ;;; defconf: drop all from WAN
chain=input action=drop in-interface=ether1

If I now run nmap against my WAN address, I get the following output:
Host is up (0.0016s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
53/tcp open domain
2000/tcp open cisco-sccp
8291/tcp open unknown

Nmap done: 1 IP address (1 host up) scanned in 6.74 seconds
Pranav

Odd... is pppoe-out1 your WAN interface?

Hi,
<snip Odd... is pppoe-out1 your WAN interface?
PL] How do I confirm this? I ask because my new ISP is doing something strange. It is also giving me an IP address on ether1, but when I go to whatismyip.com, I see the address assigned to pppoe-out1. I have also tried disabling the client on ether1 without any problems. The SSH scans have continued. As of now, I have disabled SSH once again. To reply to queries in previous posts: yes, I was seeing SSH scans. I am not sure about the Connections tab. Where is it on the terminal? I looked under ip and did not find it.

Pranav

Where you disable SSH you can also control its availability, i.e. from which IPv4/6 address or range it can be reached.

I can't use the terminal in the web interface, so you have to look for "Available From".

Use WinBox and post screenshots of Interfaces and IP > Addresses.

The DHCP IP on ether1 is being handed by the ISP modem so that you can manage it.

Hi,
<snip The DHCP IP on ether1 is being handed by the ISP modem so that you can manage it.
PL] There is no modem. I have an Ethernet cable coming into my house. It goes to a media converter, from where the traffic is placed onto a fiber optic cable. The ISP does have a feature where I can use a browser to log in, in which case I do not need to use PPPoE.
Since I last updated this forum, I have added a few more rules and things appear to be under control, but I will continue to observe. I am dropping traffic destined to port 22 on TCP and UDP on the input chain on the pppoe-out1 interface. I have disabled the dhcp-client on ether1 such that it no longer has an IP address, and I am still on the Internet without problems.
The rules are below.

may/28/2017 07:50:08 by RouterOS 6.39.1

software id = 7S88-QHXW

/ip firewall filter
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new disabled=no in-interface=ether1
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid disabled=no
add action=drop chain=forward comment="pppoe-out1 drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface=pppoe-out1
add action=accept chain=input connection-state=established,related in-interface=pppoe-out1
add action=drop chain=input dst-port=22 in-interface=pppoe-out1 protocol=tcp
add action=drop chain=input dst-port=22 in-interface=pppoe-out1 protocol=udp
add action=drop chain=input dst-port=53 in-interface=pppoe-out1 protocol=udp
add action=drop chain=input connection-state=invalid in-interface=pppoe-out1
add action=drop chain=input comment="defconf: drop all from WAN" in-interface=pppoe-out1
add action=drop chain=input comment="defconf: drop all from WAN" in-interface=ether1

I should also state that I am running my port scans from inside my router to the WAN interface. I realize this is not the best way to do things, but I don't have a machine set up from which I can scan the interface from the outside. I'll also work on restricting the SSH and FTP services to the subnet used inside my LAN.
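The following is an added example, not configuration posted by anyone in this thread, pulling together the advice given above (the catch-all input drop, restricting IP > Services to the LAN) into one input chain for a RouterOS 6.x home router with pppoe-out1 as WAN. The LAN interface name "bridge" and LAN subnet 192.168.88.0/24 are assumptions (the RouterOS defaults); substitute your own. It deliberately avoids interface lists, which only arrived in 6.41, so it applies to 6.39.1.

```routeros
# Added example: hardened input chain for a home router, WAN = pppoe-out1.
# Assumed: LAN interface "bridge", LAN subnet 192.168.88.0/24.
/ip firewall filter
# 1. Replies to connections the router itself opened (DNS, NTP, package
#    updates, the PPPoE session) must get back in, whatever the interface.
add chain=input action=accept connection-state=established,related \
    comment="input: accept established,related"
# 2. Anything conntrack cannot classify is dropped on every interface.
add chain=input action=drop connection-state=invalid \
    comment="input: drop invalid"
# 3. Management (ssh, winbox, www, ftp) is allowed only from the LAN side.
#    Matching both interface and source subnet stops a spoofed LAN address
#    arriving on the WAN from being accepted here.
add chain=input action=accept in-interface=bridge \
    src-address=192.168.88.0/24 \
    comment="input: accept management from LAN"
# 4. Catch-all for the WAN. Matching on the interface alone also covers
#    packets that carry no conntrack state at all (connection-state=untracked),
#    which a connection-state=new,invalid rule never matches.
add chain=input action=drop in-interface=pppoe-out1 \
    comment="input: drop all from WAN"

# Belt and braces: bind the management services to the LAN subnet so they
# refuse WAN clients even if a filter rule is later disabled by mistake.
/ip service
set ssh address=192.168.88.0/24
set ftp address=192.168.88.0/24
set winbox address=192.168.88.0/24
set www address=192.168.88.0/24
# Services a home LAN normally does not use are simply switched off.
set telnet disabled=yes
set api disabled=yes
set api-ssl disabled=yes

# 2000/tcp in the nmap output above is the RouterOS bandwidth-test server;
# turn it off rather than relying on the filter alone.
/tool bandwidth-server
set enabled=no
```

Two checks worth doing once this is in place. First, scan from a host that is genuinely outside (a phone on mobile data, a rented VPS): a scan launched from a LAN machine against the WAN address enters the router on the bridge, not on pppoe-out1, so the `in-interface=pppoe-out1` rules never see it and the services look open even though they are blocked from the Internet. Second, `/ip firewall filter print stats` shows per-rule packet counters, so you can confirm that WAN-side SSH attempts are being counted on the catch-all rule and not on the LAN accept rule. The "Connections tab" mentioned above is `/ip firewall connection print` on the terminal; `/ip firewall connection remove [find]` clears the table so that sessions established before the rules were added do not keep matching the established,related accept.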