sergiog84
just joined
Topic Author
Posts: 2
Joined: Fri Sep 07, 2018 2:02 pm

Firewall rules with port scanner dropping

Fri Sep 07, 2018 2:16 pm

Hi Guys,

Decided to secure my network and gain more control using a MikroTik, and I have been using it for just over a week. I kept all the default firewall rules and added some additional ones to block bogons and stop port scanners, but I am still seeing stuff that is making me nervous. Hoping someone might be able to assist to ensure I have everything correct and am not missing anything.

My network is not using the default IP of the MikroTik; I have changed it.

/ip firewall address-list
add address=192.168.0.0/16 list=Bogon
add address=10.0.0.0/8 list=Bogon
add address=172.16.0.0/12 list=Bogon
add address=127.0.0.0/8 list=Bogon
add address=0.0.0.0/8 list=Bogon
add address=169.254.0.0/16 list=Bogon
add address=224.0.0.0/4 list=Bogon
add address=198.18.0.0/15 list=Bogon
add address=192.0.0.0/24 list=Bogon
add address=192.0.2.0/24 list=Bogon
add address=198.51.100.0/24 list=Bogon
add address=203.0.113.0/24 list=Bogon
add address=100.64.0.0/10 list=Bogon
add address=192.88.99.0/24 list=Bogon
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment="Allow Management Input" src-address=xxx.xxx.xxx.xxx/24
add action=add-src-to-address-list address-list="Internet Ping Block" address-list-timeout=1d chain=input comment="Drop Internet Pings" in-interface-list=WAN log=yes protocol=icmp
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=1h chain=input comment="Port scanners to list " log=yes protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=1d chain=forward comment="dropping port scanners" log=yes src-address-list="port scanners"
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=1d chain=input comment="FIN/PSH/URG scan" log=yes protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=1d chain=input comment="NMAP NULL scan" log=yes protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=1d chain=input comment="ALL/ALL scan" log=yes protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=1d chain=input comment="SYN/FIN scan" log=yes protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=1d chain=input comment="SYN/RST scan" log=yes protocol=tcp tcp-flags=syn,rst
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=accept chain=input comment="allow IPsec NAT" disabled=yes dst-port=4500 protocol=udp
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" disabled=yes protocol=icmp
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN

Are there any further rules I should have, or any that I have in the wrong order here?
 
k6ccc
Member
Posts: 479
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)

Re: Firewall rules with port scanner dropping

Fri Sep 07, 2018 6:40 pm

You have a bunch of rules that add addresses to the Port Scanners list, but you never drop them.

Do you have a drop everything rule at the end of the Input and Forward chains?

My opinion is that dropping pings from the internet creates more problems than it solves. I know some people firmly believe that your router should not respond to pings from the internet, but it is very much a useful troubleshooting and testing tool. For example, I have a commercial service that tests a bunch of things to see if they can be seen from the internet. Although there are services other than ping that are tested (for example, port 80 and 443 on my web server), being able to ping the router can help determine where a problem may be happening.
RB750Gr3, RB750r2, CRS326-24G-2S (in SwitchOS), CSS326-24G-2S, CSS106-5G-1S, RB260GS
Not sure if I beat them in submission, or they beat me into submission


Jim
 
sergiog84
just joined
Topic Author
Posts: 2
Joined: Fri Sep 07, 2018 2:02 pm

Re: Firewall rules with port scanner dropping

Mon Sep 10, 2018 10:57 am

The rules I have posted are the only ones I have on the firewall.

Any advice on how I can drop them? Additionally, as I am new to MikroTik, I am hoping you could tell me whether my rule list is set out correctly as well.

Thanks again.
 
k6ccc
Member
Posts: 479
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)

Re: Firewall rules with port scanner dropping

Mon Sep 10, 2018 11:27 pm

This is the last rule in my input chain. There is a similar rule in the forward chain.
add action=drop chain=input comment=\
    "Drop any other input packets that get this far" log-prefix=\
    "Dropped connection"
Remember how rule processing works. It's top to bottom, and if a rule is not explicitly dropped or accepted and makes it to the end of the chain, there is an implied accept. Therefore, most of us accept or otherwise process rules and then at the end of each chain add a rule to drop everything. If you look at the above rule, there are no filters, and only an action of drop. That means that any packet that gets to that rule will be dropped.

Here is an example of a rule that would drop any packets in your port scanners list (and log it).
# chain and address-list names are case-sensitive: use "input" and the exact
# list name the add-src-to-address-list rules write to ("port scanners")
add action=drop chain=input comment=\
    "Drop all packets from IPs on the Port Scanners list" log=yes log-prefix=\
    "Port scanners" src-address-list="port scanners"
RB750Gr3, RB750r2, CRS326-24G-2S (in SwitchOS), CSS326-24G-2S, CSS106-5G-1S, RB260GS
Not sure if I beat them in submission, or they beat me into submission


Jim
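The following is an added example and not code from either poster: a small Python model of how a RouterOS filter chain is walked (top to bottom, first terminating match wins, implied accept at the end of the chain, add-src-to-address-list being non-terminating, names compared case-sensitively). It encodes a subset of the original poster's input and forward chains in the order posted, then shows that a host already on the "port scanners" list is still allowed through the forward chain to a DST-NATed service, that the reply's drop rule fixes this, and that the rule does nothing if the list name differs in case. The address 198.51.100.7 and the rule subset are constructed for the illustration; `Packet`, `Rule` and the helper names are this example's own, not RouterOS APIs.

```python
# Added example: toy model of RouterOS filter-chain evaluation, not the
# poster's configuration. Modelled semantics:
#   * rules run top to bottom; the first terminating match decides
#   * add-src-to-address-list records the source and the packet continues
#   * a packet that reaches the end of a chain unmatched is accepted
#   * chain and address-list names are matched case-sensitively
from dataclasses import dataclass, field


@dataclass
class Packet:
    chain: str
    src: str
    in_list: str = "WAN"                  # interface list it arrived on
    proto: str = "tcp"
    flags: frozenset = frozenset({"syn"})
    conn_state: str = "new"
    nat_state: str = ""                   # "dstnat" when a port forward applied


@dataclass
class Rule:
    chain: str
    action: str                           # accept | drop | add-src-to-address-list
    comment: str = ""
    match: dict = field(default_factory=dict)


def _neg_ok(spec, actual):
    # "!X" means "anything but X"; plain "X" means "exactly X"
    negate = spec.startswith("!")
    return (actual == spec.lstrip("!")) != negate


def _flags_ok(spec, actual):
    # RouterOS tcp-flags: listed flags must be set, "!flag" must be clear
    for f in spec.split(","):
        if f.startswith("!"):
            if f[1:] in actual:
                return False
        elif f not in actual:
            return False
    return True


def rule_matches(rule, pkt, lists):
    m = rule.match
    if rule.chain != pkt.chain:
        return False
    if "protocol" in m and m["protocol"] != pkt.proto:
        return False
    if "connection-state" in m and pkt.conn_state not in m["connection-state"]:
        return False
    if "connection-nat-state" in m and not _neg_ok(m["connection-nat-state"], pkt.nat_state):
        return False
    if "in-interface-list" in m and not _neg_ok(m["in-interface-list"], pkt.in_list):
        return False
    if "tcp-flags" in m and not _flags_ok(m["tcp-flags"], pkt.flags):
        return False
    if "src-address-list" in m and pkt.src not in lists.get(m["src-address-list"], set()):
        return False
    return True


def evaluate(rules, pkt, lists):
    """Return (verdict, comment); address lists in `lists` are mutated."""
    for r in rules:
        if not rule_matches(r, pkt, lists):
            continue
        if r.action == "add-src-to-address-list":
            lists.setdefault(r.match["address-list"], set()).add(pkt.src)
            continue                      # non-terminating: keep walking the chain
        return r.action, r.comment
    return "accept", "implied accept at end of chain"


def original_input_chain():
    # Subset of the poster's input chain, in the order posted
    return [
        Rule("input", "accept", "defconf: accept established,related,untracked",
             {"connection-state": {"established", "related", "untracked"}}),
        Rule("input", "add-src-to-address-list", "SYN/FIN scan",
             {"protocol": "tcp", "tcp-flags": "fin,syn", "address-list": "port scanners"}),
        Rule("input", "drop", "defconf: drop invalid", {"connection-state": {"invalid"}}),
        Rule("input", "drop", "defconf: drop all not coming from LAN",
             {"in-interface-list": "!LAN"}),
    ]


def original_forward_chain():
    # Subset of the poster's forward chain; note the "dropping port scanners"
    # rule only re-adds the source to the list, it never drops anything
    return [
        Rule("forward", "add-src-to-address-list", "dropping port scanners",
             {"src-address-list": "port scanners", "address-list": "port scanners"}),
        Rule("forward", "accept", "defconf: accept established,related, untracked",
             {"connection-state": {"established", "related", "untracked"}}),
        Rule("forward", "drop", "defconf: drop invalid", {"connection-state": {"invalid"}}),
        Rule("forward", "drop", "defconf: drop all from WAN not DSTNATed",
             {"connection-nat-state": "!dstnat", "connection-state": {"new"},
              "in-interface-list": "WAN"}),
    ]


def fixed_forward_chain(list_name="port scanners"):
    # The reply's drop rule, inserted after the established/related accept
    rules = original_forward_chain()
    rules.insert(2, Rule("forward", "drop", "Drop all packets from IPs on the list",
                         {"src-address-list": list_name}))
    return rules


def syn_fin_probe(chain_rules):
    # Constructed: a SYN/FIN probe from the WAN hits the router itself
    lists = {}
    pkt = Packet("input", "198.51.100.7", flags=frozenset({"syn", "fin"}))
    verdict, _ = evaluate(chain_rules, pkt, lists)
    return verdict, sorted(lists.get("port scanners", ()))


def scanner_hits_port_forward(chain_rules):
    # Constructed: the same host, already listed, opens a new connection
    # to a DST-NATed service behind the router
    lists = {"port scanners": {"198.51.100.7"}}
    pkt = Packet("forward", "198.51.100.7", nat_state="dstnat")
    return evaluate(chain_rules, pkt, lists)[0]


if __name__ == "__main__":
    print("probe to router:", syn_fin_probe(original_input_chain()))
    print("listed host -> port forward, original:", scanner_hits_port_forward(original_forward_chain()))
    print("listed host -> port forward, fixed:", scanner_hits_port_forward(fixed_forward_chain()))
    print("fixed but list name 'Port Scanners':", scanner_hits_port_forward(fixed_forward_chain("Port Scanners")))
```

Two things the model makes visible: the probe against the router is recorded and then dropped by the default "drop all not coming from LAN" rule, so the gap is in the forward chain, where a listed host reaches any port-forwarded service because nothing consults the list with a drop action; and a drop rule referencing "Port Scanners" silently matches an empty list, so the name must be identical to the one the add-src-to-address-list rules write to.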
