
 
alphalt
Frequent Visitor
Topic Author
Posts: 94
Joined: Sat Aug 01, 2009 1:53 pm
Location: Denmark

IP firewall rules when default chain action is DROP

Sun Jan 28, 2018 11:36 pm

Hi all,
My question might look like a super beginner one, but I have always wondered about it. If I search through the Mikrotik Wiki, I can find a lot of very nice firewall rule examples where you can detect port scanning, brute force and so on. All these rules are based on detecting certain activity, finding the IP address of an attacker and adding it to the black list. But does it make any sense at all to have rules with a DROP action when the last rule in, let's say, the forward chain is DROP, meaning that if no rule matches, everything is dropped? So what is the point of having several different rules trying to detect port scanning when all traffic will be dropped at the end anyway? Wouldn't it be enough to have a first rule that accepts established packets and then drop everything else? Please share your thoughts.
Regards,
alpha
 
boen_robot
Forum Guru
Posts: 2411
Joined: Thu Aug 31, 2006 4:43 pm
Location: europe://Bulgaria/Plovdiv

Re: IP firewall rules when default chain action is DROP

Mon Jan 29, 2018 1:24 am

It's a matter of efficiency. If a firewall rule has accept, drop or reject as its action, processing in that built-in chain is finished. Otherwise, all rules are processed from top to bottom until such a rule is encountered and matched.
PEAR2_Net_RouterOS(1.0.0b6) - My API client in PHP
(Rate my posts? If you want... no pressure...)
 
alphalt
Topic Author

Re: IP firewall rules when default chain action is DROP

Mon Jan 29, 2018 9:06 am

Hi,
Thanks for the reply. I think my question was not very clear. I will try to explain with an example from the Mikrotik Wiki. Here is an example firewall script I found in the wiki:
/ip firewall filter
 add chain=forward comment="Accept established and related packets" connection-state=established,related
 add action=drop chain=forward comment="Drop invalid packets" connection-state=invalid
 add action=drop chain=forward comment="Drop new connections from internet which are not dst-natted" connection-nat-state=!dstnat connection-state=new in-interface=WAN
 add action=drop chain=forward comment="Drop all packets from public internet which should not exist in public network" in-interface=WAN src-address-list=NotPublic
 add action=drop chain=forward comment="Drop all packets from local network to internet which should not exist in public network" dst-address-list=NotPublic in-interface=LAN
 add action=drop chain=forward comment="Drop all packets in local network which does not have local network address" in-interface=LAN src-address=!192.168.88.0/24
 
Now, imagine that after all these rules I have just a drop rule, which drops all the remaining packets. So, my initial question was whether a script like the one above makes any sense when the default chain policy is drop, meaning that the bottom-most rule is:
/ip firewall filter
add action=drop chain=forward comment="Drop all the rest"
Is there any point in including drop rules based on some conditions when the last rule is a drop anyway? The reason I have this question is that you can find a lot of firewall script examples out there in the forums and the Wiki, and most of them are applied in chains with default policy DROP.
Regards,
alpha
 
boen_robot

Re: IP firewall rules when default chain action is DROP  [SOLVED]

Mon Jan 29, 2018 11:54 am

For that particular example, you're right, it doesn't make sense, since there aren't any accept rules later on. Perhaps that example was made so that it could be inserted into any rule set with no modifications.

But a better rule set would indeed be to just accept what is allowed and drop the rest, so in that example:
/ip firewall filter
 add chain=forward comment="Accept established and related packets" connection-state=established,related
 add chain=forward comment="Accept new connections from local network addresses to internet which should exist in public network" connection-state=new src-address=192.168.88.0/24 dst-address-list=!NotPublic in-interface=LAN
 add chain=forward comment="Accept new connections from public internet which should exist in public network" connection-state=new src-address-list=!NotPublic in-interface=WAN
 add action=drop chain=forward comment="Drop all the rest"
Though to be honest, I think a rule set that is more optimal in the long term also involves using custom chains to group rules that have passed previous checks, e.g.
/ip firewall filter
 add chain=forward comment="Accept established and related packets" connection-state=established,related
 add action=jump chain=forward comment="Go to LAN related checks"  connection-state=new in-interface=LAN jump-target="check-lan"
 add action=jump chain=forward comment="Go to WAN related checks"  connection-state=new in-interface=WAN jump-target="check-wan"
 add action=drop chain=forward comment="Drop all the rest"

 add chain="check-lan" comment="Accept new connections from local network addresses to internet which should exist in public network" src-address=192.168.88.0/24 dst-address-list=!NotPublic

 add chain="check-wan" comment="Accept new connections from public internet which should exist in public network" src-address-list=!NotPublic
If no matches are found within a custom chain, it returns to the chain it jumped from, and rules continue once again from there to the bottom. So the effect of this is the same as the above, except that this second one can more easily be extended to include more complicated checks, while still being easy to read from a human standpoint.
PEAR2_Net_RouterOS(1.0.0b6) - My API client in PHP
(Rate my posts? If you want... no pressure...)
 
alphalt
Topic Author

Re: IP firewall rules when default chain action is DROP

Mon Jan 29, 2018 2:57 pm

Hi,
OK, now it makes sense. You can drop packets based on some properties just before you accept them, for example if you want to allow SSH traffic. Thanks, it answers my question.
Regards,
alpha
 
ceylan
just joined
Posts: 23
Joined: Sat Feb 10, 2018 3:03 pm
Location: CYPRUS

Re: IP firewall rules when default chain action is DROP

Mon Sep 30, 2019 2:15 pm

Hi. I am trying something: not allowing my clients to access YouTube. I blocked all other websites, but they can still access YouTube. I think I need to close the HTTPS port for YouTube, but how can I do that?
 
anav
Forum Guru
Posts: 3113
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: IP firewall rules when default chain action is DROP

Mon Sep 30, 2019 5:59 pm

Hi. I am trying something: not allowing my clients to access YouTube. I blocked all other websites, but they can still access YouTube. I think I need to close the HTTPS port for YouTube, but how can I do that?
Two points:
a. this thread is about a different topic, so start a new one, and
b. before you start a new thread, search the beginner basics forum and the general forum for blocking YouTube. It has been widely discussed.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
