DTB
just joined
Topic Author
Posts: 2
Joined: Tue Apr 30, 2019 11:02 am

Some advice regarding the order of firewall rule

Tue Apr 30, 2019 11:41 am

Hi All, I am one of those self-taught-out-of-necessity guys. My familiarity with winbox and networking is somewhat patchy at best.
Just looking for some advice on firewall and firewall rule order. I have searched, and gone through the Mik basic securing manual amidst others. Couldn't get concrete answers.

Could anyone give clarity on how important the order is, what the general order should be?
I've got 7 active Subnets, some must be connected, others isolated. All that seems to be working as I'd like. Not all devices are vlan aware, so it's a bit of a mess, but I don't think that's too relevant for this.
Any advice on the rules and order I have below would be appreciated.
Some rules indicated with # have had no traffic. Are they configured wrong? (Rules 7, 8, 9, 15, 16)
I can post diagrams and Config if needed

Thanks
 0    ;;; Drop all to VLAN 90 not from VLAN address list
      chain=input action=drop dst-address=192.168.90.0/24 dst-address-list=!LAN Subnets log=no log-prefix=""

 1    chain=forward action=drop src-address=192.168.90.0/24 dst-address-list=!LAN Subnets log=no log-prefix=""

 2    ;;; Drop all communication between LAN Subnets list (Except VLAN 90)
      chain=forward action=drop src-address-list=LAN Subnets dst-address-list=LAN Subnets log=no log-prefix=""

 3    ;;; Drop all communication between VLAN 100 and VLAN 90
      chain=forward action=drop src-address=192.168.100.0/24 dst-address=192.168.90.0/24 log=no log-prefix=""

 4    ;;; defconf: drop all from WAN
      chain=input action=drop in-interface=ether7 log=no log-prefix="PING -"

 5 X  ;;; defconf: fasttrack
      chain=forward action=fasttrack-connection connection-state=established,related log=no log-prefix=""

 6    ;;; defconf: drop invalid
      chain=forward action=drop connection-state=invalid log=no log-prefix=""

#7    ;;; defconf: drop all from WAN not DSTNATed
      chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=ether7 log=no log-prefix=""

#8    ;;; Add Syn Flood IP to the list
      chain=input action=add-src-to-address-list tcp-flags=syn connection-limit=30,32 protocol=tcp address-list=Syn_Flooder address-list-timeout=30m log=no log-prefix=""

#9    ;;; Drop to syn flood list
      chain=input action=drop src-address-list=Syn_Flooder log=no log-prefix=""

10    ;;; Port Scanner Detect
      chain=input action=add-src-to-address-list protocol=tcp psd=21,3s,3,1 address-list=Port_Scanner address-list-timeout=1w log=no log-prefix=""

11    ;;; Drop to port scan list
      chain=input action=drop src-address-list=Port_Scanner log=no log-prefix="PORT SCAN -"

12    ;;; Jump for icmp input flow
      chain=input action=jump jump-target=ICMP protocol=icmp log=no log-prefix=""

13    ;;; Jump for icmp forward flow
      chain=forward action=jump jump-target=ICMP protocol=icmp log=no log-prefix=""

14    ;;; Drop to bogon list
      chain=forward action=drop dst-address-list=bogons log=yes log-prefix="Bogon -"

#15   ;;; Add Spammers to the list for 3 hours
      chain=forward action=add-src-to-address-list connection-limit=30,32 protocol=tcp address-list=spammers address-list-timeout=3h dst-port=25,587 limit=30/1m,0:packet log=no log-prefix=""

#16   ;;; Avoid spammers action
      chain=forward action=drop protocol=tcp src-address-list=spammers dst-port=25,587 log=no log-prefix=""

17    ;;; Accept DNS - UDP
      chain=input action=accept protocol=udp port=53 log=no log-prefix=""

18    ;;; Accept DNS - TCP
      chain=input action=accept protocol=tcp port=53 log=no log-prefix=""

19    ;;; Accept to established connections
      chain=input action=accept connection-state=established log=no log-prefix=""

20    ;;; Accept to related connections
      chain=input action=accept connection-state=related log=no log-prefix=""

21    ;;; Full access to SUPPORT address list
      chain=input action=accept src-address-list=support log=no log-prefix=""

22 X  ;;; CHECKKKKKKK - Drop anything else!
      chain=input action=drop log=no log-prefix=""

23    ;;; Echo request - Avoiding Ping Flood
      chain=ICMP action=accept protocol=icmp icmp-options=8:0 limit=1,10:packet log=no log-prefix=""

24    ;;; Echo reply
      chain=ICMP action=accept protocol=icmp icmp-options=0:0 log=no log-prefix=""

25    ;;; Time Exceeded
      chain=ICMP action=accept protocol=icmp icmp-options=11:0 log=no log-prefix=""

26    ;;; Destination unreachable
      chain=ICMP action=accept protocol=icmp icmp-options=3:0-1 log=no log-prefix=""

27    ;;; PMTUD
      chain=ICMP action=accept protocol=icmp icmp-options=3:4 log=no log-prefix=""

28    ;;; Drop to the other ICMPs
      chain=ICMP action=drop protocol=icmp log=no log-prefix=""

29    ;;; Jump for icmp output
      chain=output action=jump jump-target=ICMP protocol=icmp log=no log-prefix=""
 
mkx
Forum Guru
Posts: 2431
Joined: Thu Mar 03, 2016 10:23 pm

Re: Some advice regarding the order of firewall rule

Tue Apr 30, 2019 12:03 pm

Rules for individual chain (input, forward, output) are processed in order from rule 1 towards the end. Processing stops when there's a match.

So: generally rules which affect most packets should come earlier. When there are rules potentially matching the same packets, order is obviously very important.

My preferred way of constructing firewall rules is: start with defaults and add necessary rules as low in the chain as possible. Unless there's some "high volume" rule I'm introducing, in this case it goes somehow higher (but most probably not above the fasttrack rule).
When deciding about the volume: a deny rule is obviously low volume, a general accept established,related is a very high volume one ...
BR,
Metod
 
DTB
just joined
Topic Author
Posts: 2
Joined: Tue Apr 30, 2019 11:02 am

Re: Some advice regarding the order of firewall rule

Tue Apr 30, 2019 1:15 pm

Thank you, that makes sense.
Just a few more questions:
1. None of the accept / established rules will allow the traffic you're trying to block?
2. By doing all the blocking first, is that just inefficient or is that potentially a problem?

3. Can you see any problem with Rules 7, 8, 9, 15, 16, that they haven't been catching any traffic?
It's not being allowed, is it?

4. All the inter-LAN rules are quite low volume, Should they go last in the chain?

I needed to disable fasttrack for the Queues (or Vlans or something, I forget which) but I will look into it again.

Really appreciate your help

#7    ;;; defconf: drop all from WAN not DSTNATed
      chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=ether7 log=no log-prefix=""

#8    ;;; Add Syn Flood IP to the list
      chain=input action=add-src-to-address-list tcp-flags=syn connection-limit=30,32 protocol=tcp address-list=Syn_Flooder address-list-timeout=30m log=no log-prefix=""

#9    ;;; Drop to syn flood list
      chain=input action=drop src-address-list=Syn_Flooder log=no log-prefix=""

#15   ;;; Add Spammers to the list for 3 hours
      chain=forward action=add-src-to-address-list connection-limit=30,32 protocol=tcp address-list=spammers address-list-timeout=3h dst-port=25,587 limit=30/1m,0:packet log=no log-prefix=""

#16   ;;; Avoid spammers action
      chain=forward action=drop protocol=tcp src-address-list=spammers dst-port=25,587 log=no log-prefix=""

 
mkx
Forum Guru
Posts: 2431
Joined: Thu Mar 03, 2016 10:23 pm

Re: Some advice regarding the order of firewall rule

Tue Apr 30, 2019 2:24 pm

  1. As I wrote: rules get triggered when all criteria are met. Then it really depends on the order of rules (if matching allow comes before matching deny, then traffic is allowed). If no rules match, then traffic is (implicitly) allowed.
  2. Many forum regulars consider the approach "allow what's needed, deny everything else" to be better as one doesn't have to think too much about what else needs to be blocked. It is safer this way. For this approach to work, the very last rule in both chain=input and forward should be unconditional action=drop ... just be sure you allow management access (that's chain=input) from your management workstation before enabling the general drop rule.
  3. Assuming ether7 is your WAN interface: although rule #7 is one of the default filter rules I'd be quite surprised if it caught any traffic in a typical home environment with a single WAN IP address. Reasoning: if a port is DST-NATted, then this rule won't block it. If the port is not DST-NATed, then it will be dealt with in chain=input (because the original dst-address will be the router's own WAN IP). Things are different if there are multiple WAN addresses, then there might be connections hitting this rule.
    Rules 8 and 9 trigger only under particular conditions (rule #9 is a consequence of triggering #8) and nowadays potential attackers use different techniques. Quite probably rule #6 would handle those cases eventually.
    Similarly goes for rules 15 and 16, which are not even necessary if you don't expose SMTP and SSL SMTP service to the internet (see discussion about rule #7).
  4. Disabling fast-track entirely might not be necessary. You might keep it but try to adjust criteria so that traffic which needs to hit queues (if that's not all of it) does escape this rule. You might have to play a bit to make it work.
    Regarding inter-VLAN traffic: you can put rules lower on the list. Not necessarily at the end of the list, probably they will get hit by far more traffic than these spammers and synflooders gibberish.

    There's an important rule missing:
    add chain=forward action=accept connection-state=established,related log=no
    
    and place it right behind the disabled rule #5. This rule should take care of most allowed traffic between all interfaces (both WAN and VLANs) while not disabling queue processing.
BR,
Metod
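The first-match processing described in both of mkx's replies (rules walked top to bottom, disabled rules skipped, implicit accept when nothing matches, an unconditional drop at the end turning that into deny-by-default) can be shown with a small simulator. This is an added Python example, not RouterOS code and not anything posted in the thread: the rule subset is transcribed from the listing above, while the address-list members, the router's own addresses, the interface names vlan10/vlan20 and the sample packets are constructed for the demonstration.

```python
"""First-match simulator for a RouterOS-style filter order (added example).

Modelled semantics: a packet addressed to the router goes to chain=input,
anything else to chain=forward; the chain is walked top to bottom, disabled
rules are skipped, the first matching rule decides, and a packet reaching the
end of the chain with no match is accepted (the implicit default).
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Rule:
    chain: str
    action: str
    comment: str = ""
    disabled: bool = False                             # the "X" flag in the listing
    connection_state: set = field(default_factory=set)  # empty = any state
    in_interface: Optional[str] = None
    src_list: Optional[str] = None                     # address-list name, "!name" negates
    dst_list: Optional[str] = None
    not_dstnat: bool = False                           # connection-nat-state=!dstnat


@dataclass
class Packet:
    src: str
    dst: str
    in_interface: str
    connection_state: str          # new / established / related / invalid
    dstnat: bool = False


# Constructed address lists and router addresses (assumptions for the demo).
ADDRESS_LISTS = {
    "LAN Subnets": ["192.168.10.0/24", "192.168.20.0/24", "192.168.100.0/24"],
    "support": ["192.168.10.5/32"],
}
ROUTER_IPS = {"203.0.113.5", "192.168.10.1"}   # constructed WAN and VLAN10 addresses


def in_list(addr: str, spec: str) -> bool:
    negate = spec.startswith("!")
    ip = ipaddress.ip_address(addr)
    hit = any(ip in ipaddress.ip_network(n) for n in ADDRESS_LISTS[spec.lstrip("!")])
    return hit != negate


def matches(rule: Rule, pkt: Packet) -> bool:
    """Every configured matcher must hold for the rule to fire."""
    return all((
        not rule.connection_state or pkt.connection_state in rule.connection_state,
        rule.in_interface is None or pkt.in_interface == rule.in_interface,
        rule.src_list is None or in_list(pkt.src, rule.src_list),
        rule.dst_list is None or in_list(pkt.dst, rule.dst_list),
        not (rule.not_dstnat and pkt.dstnat),
    ))


def decide(rules, pkt: Packet):
    """Return (chain, action, comment of the deciding rule or None)."""
    chain = "input" if pkt.dst in ROUTER_IPS else "forward"
    for r in rules:
        if r.chain != chain or r.disabled:
            continue
        if matches(r, pkt):
            return chain, r.action, r.comment
    return chain, "accept", None        # nothing matched: implicit accept


def insert_after(rules, comment_prefix: str, new_rule: Rule):
    """Copy of the list with new_rule placed right behind the rule whose
    comment starts with comment_prefix (later rule numbers shift, as in Winbox)."""
    out = []
    for r in rules:
        out.append(r)
        if r.comment.startswith(comment_prefix):
            out.append(new_rule)
    return out


# Subset of the thread's rules, in the posted order.
RULES = [
    Rule("forward", "drop", "2: drop between LAN Subnets",
         src_list="LAN Subnets", dst_list="LAN Subnets"),
    Rule("input", "drop", "4: defconf drop all from WAN", in_interface="ether7"),
    Rule("forward", "fasttrack-connection", "5: defconf fasttrack (disabled)",
         disabled=True, connection_state={"established", "related"}),
    Rule("forward", "drop", "6: defconf drop invalid", connection_state={"invalid"}),
    Rule("forward", "drop", "7: drop from WAN not DSTNATed",
         connection_state={"new"}, in_interface="ether7", not_dstnat=True),
    Rule("input", "accept", "21: full access to support list", src_list="support"),
]

# The accept rule mkx recommends, placed right behind disabled rule #5.
EST_REL = Rule("forward", "accept", "5a: accept established,related",
               connection_state={"established", "related"})
RULES_FIXED = insert_after(RULES, "5:", EST_REL)

# "Allow what's needed, deny everything else": unconditional drop closes both chains.
RULES_STRICT = RULES_FIXED + [Rule("input", "drop", "last: drop input"),
                              Rule("forward", "drop", "last: drop forward")]

if __name__ == "__main__":
    reply = Packet("198.51.100.7", "192.168.10.5", "ether7", "established")
    for name, rs in (("posted", RULES), ("fixed", RULES_FIXED), ("strict", RULES_STRICT)):
        print(name, decide(rs, reply))
```

Running the three rule sets against the same packets reproduces the thread's points: a new connection from ether7 to the router's own WAN address is handled in chain=input and never reaches rule #7, rule #7 only fires when the destination is some other address; a WAN reply to a LAN host falls through the posted forward chain to the implicit accept, but in RULES_FIXED it is accepted by the explicit established,related rule; and with the closing drop rules in RULES_STRICT, a DST-NATed new connection from the WAN is dropped unless an accept for it is added above the final drop, while the support host still reaches chain=input because rule 21 precedes it.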
 
anav
Forum Guru
Posts: 2827
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Some advice regarding the order of firewall rule

Tue Apr 30, 2019 4:09 pm

Such dry explanations MKX. Why not spice it up a little........
For example, the drop rule is safer, like wearing a condom 24/7! ;-)
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
mkx
Forum Guru
Posts: 2431
Joined: Thu Mar 03, 2016 10:23 pm

Re: Some advice regarding the order of firewall rule

Tue Apr 30, 2019 4:15 pm

@anav, I'm leaving stunts to you, Canadians. We, Slovenians, don't have a feeling for that (did you hear about the duel Peterson vs. Žižek?)
BR,
Metod
 
anav
Forum Guru
Posts: 2827
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Some advice regarding the order of firewall rule

Tue Apr 30, 2019 9:58 pm

Interesting MKX, so what you are saying is that we agree upon more things than we disagree upon. I can live with that. ;-)
https://travel.gc.ca/destinations/slovenia


https://www.worldnomads.com/travel-safe ... n-slovenia
My favourite quote: "Slovenia is one of the safest places you can visit. The biggest danger you're likely to face is falling into a pretty lake because you were too distracted by the peaceful backdrop of the snowy Alps."

Sounds like I should pay you a visit.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
