I have a few questions and will try to be as clear and concise as possible. My question is specific to these areas - I am not asking for “securing your router” in general. Considering that, I understand you can limit router access via Winbox with filter rules that look like this for a default setup:
You can also use /ip service to set allowed IP addresses:
/ip service set winbox address=192.168.88.0/24
Question 1 - What is the difference between these two approaches and their advantage or disadvantages? Is there ever a time you would use both?
Consider I have another network configured on the router - 192.168.89.0/24, for example. I was surprised I could access the router via Winbox at 192.168.89.1. My IP address was in the .88 network, so I understand the FW allowed me to pass.
Question 2 - Is this a vulnerability in any way? I did add a dst-address to the FW accept rule of 192.168.88.1 and that prohibited this behavior. With multiple networks configured on a router, any of those X.X.X.1 addresses will allow access from the allowed list. I assumed the router would only respond at 192.168.88.1, so it was slightly disconcerting. I assume this is normal behavior.
On Question 2: remember there is no “deny any” rule! So your firewall rule was not “hit” when trying for 192.168.89.1, and therefore without a last “deny any any” rule you pass…
From the wiki:
When processing a chain, rules are taken from the chain in the order they are listed there from top to bottom. If a packet matches the criteria of the rule, then the specified action is performed on it, and no more rules are processed in that chain (the exception is the passthrough action). If a packet has not matched any rule within the built-in chain, then it is accepted.
On Question 1: personally, each of my services is “limited” to a certain range. I do not handle access to e.g. Winbox through separate rules.
I do not know exactly the “internals” (or advantages/disadvantages of this approach), but obviously if you come knocking on the Winbox service port with an IP not listed … nothing happens.
The firewall rules allow any type of connection to the router from your address list.
While “available from” is tied to a specific service.
However, if you want, you can add protocol=tcp dst-port=8291 to your firewall rule.
Then there won’t be any point in having “available from” specified.
No surprise here: in your firewall rule you allow access from some IPs, not to some IPs. So the destination address can be any of the router’s own addresses.
If you want to restrict the addresses which you can connect to - use “dst-address” or “dst-address-list” conditions.
But I don’t really see any benefit in it.
Once again you have given me a great response - thank you.
So the firewall rule has more flexibility in terms of the ability to use an interface, interface lists, etc… vs. an address tied to the service. I do indeed limit it to TCP and the port number I use, so that essentially mimics the “available from” - got it.
“But I don’t really see any benefit in it.” - Thank you for confirming this.
I use both
a. firewall input rule limited by source address list and in-interface list (not port specific, as the admin I want full access)***
b. use ip services winbox that limits to specific IP (I add IPs when needed depending on what network I will be working within).
c. for login System users
d. use drop all else rules at end of input and forward chain as standard practice.
*** silly reason, but one of them is that I used to post my config a lot and didn’t want to have to ensure I scrubbed my winbox port every time…
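A worked configuration that puts the points from the answers above together: the built-in input chain accepts whatever reaches its end (which is why the router answered on 192.168.89.1 until a closing drop rule or a dst-address condition was added), and the layered approach of a source address list plus interface list, a service-level allowed address and a drop-all rule at the end. This is an added example, not configuration from the original posts or from MikroTik. It assumes a LAN interface named bridge, an interface list named LAN, an address list named admin and the administrator hosts 192.168.88.10 and 192.168.89.10, all constructed for the example; item c is read as a per-user allowed address, which is an assumption about what was meant. Rules are evaluated top to bottom and the first match wins, so the order below matters.

```routeros
# Added example (not from the thread). Constructed names: bridge, LAN, admin,
# and 192.168.88.10 / 192.168.89.10 as the administrator's hosts.

# 1. Group the management hosts in an address list and the LAN port in an
#    interface list, so the filter rules below never need editing when a host
#    or an interface is added later.
/interface list add name=LAN
/interface list member add list=LAN interface=bridge
/ip firewall address-list add list=admin address=192.168.88.10 comment="admin workstation (constructed)"
/ip firewall address-list add list=admin address=192.168.89.10 comment="admin laptop on the .89 net (constructed)"

# 2. Input chain, first match wins.
/ip firewall filter
add chain=input action=accept connection-state=established,related comment="replies to connections the router already accepted"
add chain=input action=drop connection-state=invalid
# WinBox: only from the admin list, only arriving on a LAN port, and only to this
# one router address. Without dst-address the same rule also admits 192.168.89.1,
# because every condition in it is about the source, not the destination.
add chain=input action=accept protocol=tcp dst-port=8291 src-address-list=admin in-interface-list=LAN dst-address=192.168.88.1 comment="WinBox for admins"
# Whatever LAN clients still need from the router itself once the drop-all rule
# is in place (DNS and ping as examples; adjust to what the LAN actually uses).
add chain=input action=accept protocol=udp dst-port=53 in-interface-list=LAN comment="DNS from LAN"
add chain=input action=accept protocol=icmp in-interface-list=LAN comment="ping from LAN"
# The built-in chain accepts anything that reaches its end. This rule replaces
# that default; without it the .89.1 access described in the question is allowed.
add chain=input action=drop log=yes log-prefix="input-drop" comment="default deny"

# 3. Second layer on the service itself: even if a filter rule is widened by
#    mistake, WinBox only talks to these hosts.
/ip service set winbox address=192.168.88.10,192.168.89.10

# 4. Per-user allowed address (one reading of item c above; an assumption).
/user set admin address=192.168.88.10

# Checks: the per-rule counters show which rule each attempt hit, and a WinBox
# attempt to 192.168.89.1 from an admin host should now land on the final drop
# rule and show up in the log with the input-drop prefix.
/ip firewall filter print stats where chain=input
/log print where message~"input-drop"
```

Apply this from a host that is already in the admin list, and from a terminal session started with Safe Mode, so that a typo in the accept rule does not lock you out once the closing drop rule is added: the established/related rule keeps the current session alive, but a new session would have to pass the WinBox rule on its own.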
Thank you anav. I am with you on
a. understood
b. Am I correct that you could use a source address list for specific IPs as well? Admin and users? Just trying to understand.
c. as above in b?
d. for sure.
Would it make sense to put everything in a list - perhaps one address list for users and one for admin? Thank you for helping me understand this.
IMHO there’s a big difference between blocking winbox access using (a very specific, if you will) firewall filter rule and setting allowed addresses on the service itself: in the latter case the initial connection is established and only the service then decides to drop the connection. In case of some nasty vulnerability an attacker could gain access. In the former case the firewall blocks access and the vulnerable service is safe from most abusers.
In addition to that: if the firewall action is “drop”, then the “door” is stealth to trespassers (and shut for them as well). If the action is “reject”, then trespassers see that the door is there, but securely shut. If the service denies access, then it’s a doorman waving away the trespasser. Which kind of securing the gate is the best?
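The three “door” behaviours described above, written out as an added example (not configuration from the post or from MikroTik). It assumes an address list named admin already holds the management hosts; the 192.168.88.10 address is constructed. Only one of the three variants is meant to be in place at a time, and each is written for the WinBox port 8291 used earlier in the thread.

```routeros
# Added example (not from the thread). Assumes address list "admin" exists;
# 192.168.88.10 is a constructed management host.

# Variant 1: drop. Nothing goes back; an unlisted client's TCP connect simply
# times out and nothing reveals that a service listens on 8291.
/ip firewall filter add chain=input protocol=tcp dst-port=8291 src-address-list=!admin action=drop log=yes log-prefix="winbox-drop"

# Variant 2: reject. The router answers with a TCP RST (or an ICMP error if
# reject-with is changed), so the client learns at once that the port exists
# but is closed to it.
/ip firewall filter add chain=input protocol=tcp dst-port=8291 src-address-list=!admin action=reject reject-with=tcp-reset

# Variant 3: no filter rule; the service turns the client away itself. The TCP
# handshake completes first, so the WinBox service code is reached before any
# decision is made, which is the point raised in the post above.
/ip service set winbox address=192.168.88.10

# Observing the difference from the router side:
#  - variants 1 and 2: the rule counters move and no established connection
#    to :8291 is recorded for the unlisted client
#  - variant 3: the handshake briefly appears as an established connection
#    to :8291 before the service closes it
/ip firewall filter print stats where chain=input
/ip firewall connection print where dst-address~":8291"
```

The filter variants and the service setting are not mutually exclusive; the earlier post in the thread that uses both gets the stealth behaviour of variant 1 for unlisted sources and keeps variant 3 as a second check for anything a filter rule lets through.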