Validating firewall rules

Hi all,

I have a bunch of firewall rules that I have added over the past week by reading the wiki. <chuckle

Is there a way to validate them? I have exported them. The resulting file is attached.
fwRules.rsc (7.77 KB)

What do you mean by validate? For someone to read your rules and tell you if they work or not, you need to let us know what you are trying to accomplish with your firewall.

Hi,

My bad. My objectives behind the rules are as follows.

  1. I need to prevent someone from the internet accessing the router. This could be via telnet, ssh, ftp, winbox etc.
  2. I want to block or at least slow down port scans.
  3. If I have malware on my internal network, then that malware should not be able to send out too many messages in the form of e-mail or to communicate with its command and control servers. I realise that this is a difficult one, so I will settle for options 1 and 2.

In terms of applications, I use skype, ventrilo and teamtalk besides web browsers from inside my network and in general, if something has initiated a connection from inside my network, I am happy to let it run.

There are quite a number of rules in the file I have attached so feel free to give me a reference to some place where I can read more about building them and will be able to audit them myself.

Pranav

Here is a basic set of rules that will protect the router. It will only accept connections from a known IP that you specify and from your LAN port. If you want to allow more services to be run on the router, place them before the drop-all rule.

/ip firewall filter
add action=accept chain=input comment="Accept established connections" connection-state=established disabled=no
add action=accept chain=input comment="Accept related connections" connection-state=related disabled=no
add action=drop chain=input comment="Drop invalid connections" connection-state=invalid disabled=no
add action=accept chain=input comment="Accept everything from known IP Addresses" disabled=no src-address-list=known
add action=accept chain=input comment="Accept everything from LAN" disabled=no in-interface=LAN
add action=drop chain=input comment="Drop everything else" disabled=no

Here is also a basic set of rules to protect your LAN users and to limit spam. It looks for an unusual amount of e-mail traffic being sent by one host and will start to drop that traffic if there is. It then checks whether a guest has too many concurrent connections at once (currently set to 200, but you can change that to whatever level you want) and will block them for 2 hours if they exceed that limit. You can add specific hosts to the "Do-Not-Block" address list to exclude them from the connection limit. It then allows them online, but only out of the WAN interface that you specify.

/ip firewall filter
add action=add-src-to-address-list address-list="Block Spam" address-list-timeout=1h chain=forward comment="Detect Possible Spammer" \
    connection-limit=10,32 disabled=no dst-port=25 limit=30,5 protocol=tcp
add action=drop chain=forward comment="Detect Possible Spammer" disabled=no dst-port=25 protocol=tcp src-address-list="Block Spam"
add action=drop chain=forward comment="Detect abuse on network" disabled=no in-interface=LAN src-address-list=abuse
add action=add-src-to-address-list address-list=abuse address-list-timeout=2h chain=forward comment="Detect abuse on network" connection-limit=\
    200,32 disabled=no in-interface=LAN src-address-list=!Do-Not-Block
add action=log chain=forward comment="Detect abuse on network" disabled=no log-prefix="Abuse Limit Reached" src-address-list=abuse
add action=accept chain=forward comment="Accept established connections" connection-state=established disabled=no
add action=accept chain=forward comment="Accept related connections" connection-state=related disabled=no
add action=drop chain=forward comment="Drop invalid connections" connection-state=invalid disabled=no
add action=accept chain=forward comment="Allow connections out to the internet" disabled=no out-interface=WAN
add action=drop chain=forward comment="Drop everything else" disabled=no

Hi Feklar,
Many thanks for the rules.
I have most of these in place. See my configuration below. I have one question about one of the rules.
add action=drop chain=input comment="default configuration" disabled=no in-interface=ether1-gateway
PL] Since my isp uses pppoe, should the in-interface of this rule be pppoe?

/ip firewall filter
add action=accept chain=input comment="Allow trusted" connection-state=new disabled=no src-address-list=trusted
add action=accept chain=input comment="default configuration" disabled=no protocol=icmp
add action=accept chain=input comment="default configuration" connection-state=established disabled=no
add action=accept chain=input comment="default configuration" connection-state=related disabled=no
add action=drop chain=input comment="default configuration" disabled=no in-interface=ether1-gateway
add action=drop chain=virus comment="Drop Blaster Worm" disabled=no dst-port=135-139 protocol=tcp
add action=drop chain=virus comment="Drop Messenger Worm" disabled=no dst-port=135-139 protocol=udp
add action=drop chain=virus comment="Drop Blaster Worm" disabled=no dst-port=445 protocol=tcp
add action=drop chain=virus comment="Drop Blaster Worm" disabled=no dst-port=445 protocol=udp
add action=drop chain=virus comment=________ disabled=no dst-port=1024-1030 protocol=tcp
add action=drop chain=virus comment="Drop MyDoom" disabled=no dst-port=1080 protocol=tcp
add action=drop chain=virus comment=________ disabled=no dst-port=1214 protocol=tcp
add action=drop chain=virus comment="ndm requester" disabled=no dst-port=1363 protocol=tcp
add action=drop chain=virus comment="ndm server" disabled=no dst-port=1364 protocol=tcp
add action=drop chain=virus comment="screen cast" disabled=no dst-port=1368 protocol=tcp
add action=drop chain=virus comment=hromgrafx disabled=no dst-port=1373 protocol=tcp
add action=drop chain=virus comment=cichlid disabled=no dst-port=1377 protocol=tcp
add action=drop chain=virus comment=Worm disabled=no dst-port=1433-1434 protocol=tcp
add action=drop chain=virus comment="Bagle Virus" disabled=no dst-port=2745 protocol=tcp
add action=drop chain=virus comment="Drop Dumaru.Y" disabled=no dst-port=2283 protocol=tcp
add action=drop chain=virus comment="Drop Beagle" disabled=no dst-port=2535 protocol=tcp
add action=drop chain=virus comment="Drop Beagle.C-K" disabled=no dst-port=2745 protocol=tcp
add action=drop chain=virus comment="Drop MyDoom" disabled=no dst-port=3127-3128 protocol=tcp
add action=drop chain=virus comment="Drop Backdoor OptixPro" disabled=no dst-port=3410 protocol=tcp
add action=drop chain=virus comment=Worm disabled=no dst-port=4444 protocol=tcp
add action=drop chain=virus comment=Worm disabled=no dst-port=4444 protocol=udp
add action=drop chain=virus comment="Drop Sasser" disabled=no dst-port=5554 protocol=tcp
add action=drop chain=virus comment="Drop Beagle.B" disabled=no dst-port=8866 protocol=tcp
add action=drop chain=virus comment="Drop Dabber.A-B" disabled=no dst-port=9898 protocol=tcp
add action=drop chain=virus comment="Drop Dumaru.Y" disabled=no dst-port=10000 protocol=tcp
add action=drop chain=virus comment="Drop MyDoom.B" disabled=no dst-port=10080 protocol=tcp
add action=drop chain=virus comment="Drop NetBus" disabled=no dst-port=12345 protocol=tcp
add action=drop chain=virus comment="Drop Kuang2" disabled=no dst-port=17300 protocol=tcp
add action=drop chain=virus comment="Drop SubSeven" disabled=no dst-port=27374 protocol=tcp
add action=drop chain=virus comment="Drop PhatBot, Agobot, Gaobot" disabled=no dst-port=65506 protocol=tcp
add action=jump chain=forward comment="jump to the virus chain" disabled=no jump-target=virus
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="Port scanners to list" disabled=no protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="NMAP FIN Stealth scan" disabled=no protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="SYN/FIN scan" disabled=no protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="SYN/RST scan" disabled=no protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" disabled=no protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="ALL/ALL scan" disabled=no protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="NMAP NULL scan" disabled=no protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=input comment="dropping port scanners" disabled=no src-address-list="port scanners"
add action=drop chain=input comment="drop ftp brute forcers" disabled=no dst-port=21 protocol=tcp src-address-list=ftp_blacklist
add action=accept chain=output content="530 Login incorrect" disabled=no dst-limit=1/1m,9,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list=ftp_blacklist address-list-timeout=3h chain=output content="530 Login incorrect" disabled=no protocol=tcp
add action=drop chain=input comment="drop ssh brute forcers" disabled=no dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1w3d chain=input connection-state=new disabled=no dst-port=22 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m chain=input connection-state=new disabled=no dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=input connection-state=new disabled=no dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input connection-state=new disabled=no dst-port=22 protocol=tcp
# the seven ftp/ssh brute-force rules above appear a second time below, exactly as posted; the repeat adds nothing and can be removed
add action=drop chain=input comment="drop ftp brute forcers" disabled=no dst-port=21 protocol=tcp src-address-list=ftp_blacklist
add action=accept chain=output content="530 Login incorrect" disabled=no dst-limit=1/1m,9,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list=ftp_blacklist address-list-timeout=3h chain=output content="530 Login incorrect" disabled=no protocol=tcp
add action=drop chain=input comment="drop ssh brute forcers" disabled=no dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1w3d chain=input connection-state=new disabled=no dst-port=22 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m chain=input connection-state=new disabled=no dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=input connection-state=new disabled=no dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input connection-state=new disabled=no dst-port=22 protocol=tcp
# note: the first rule matches src-address-list=trusted while this one matches !TRUSTED; the two names differ in case, so confirm they really are the same address list on the router
add action=drop chain=input connection-state=new disabled=no in-interface=pppoe-out1 src-address-list=!TRUSTED

Yes, you will want the in-interface to be the PPPoE one in that case.

For your rules, they work and they will do what you expect. Just a few comments:
1.) What is the point of blocking port scanners if you are already dropping everything that is coming into your WAN interface that is not from your LAN or a known IP address? That’s just extra rules to process, unless you expect port scanning from your LAN.
2.) The same applies to FTP above, unless you want to allow SSH and FTP to any IP address on the internet, then having rules to block brute forcing is kind of pointless along with a drop everything rule from unknown IP addresses, unless once again you expect some of that from your LAN users.
3.) For the Virus chain, you can have that if you would like, but viruses change all the time and trying to keep up with common ports and services that they use will be difficult. So the question then becomes, do you want those rules in place to protect your LAN users from the internet, or do you want to protect the internet from your LAN users? If it’s the first option, then the rules provided above are much more effective in doing so, and a lot easier to manage and maintain.

PL] It is the first option. I want to protect my LAN users from the internet.

Thanks again and I see I have some trimming to do.