codebreaker
just joined
Topic Author
Posts: 7
Joined: Sat Jul 13, 2019 1:46 pm

Help me fix my crappy firewall

Mon Feb 10, 2020 2:12 pm

Hi,

I set myself a goal to fix my crappy firewall rules, with the following goals:
1. All allowed packets must be explicitly accepted
2. All disallowed packets must be explicitly dropped
3. All other packets must be dropped and logged

At the end of this journey, nothing known should reach the last rule on the firewall (chain=input action=drop log=yes). This log will (in distant future) be sent to a central logging service with alerts attached to it.

Here are my firewall rules:
[admin@RB01] /ip firewall filter> print 
Flags: X - disabled, I - invalid, D - dynamic 
 0  D ;;; special dummy rule to show fasttrack counters
      chain=forward action=passthrough 

 1    ;;; SYN Flood protect
      chain=forward action=jump jump-target=SYN-Protect tcp-flags=syn connection-state=new protocol=tcp 

 2    chain=SYN-Protect action=accept tcp-flags=syn connection-state=new protocol=tcp limit=400,5 

 3    chain=SYN-Protect action=drop tcp-flags=syn connection-state=new protocol=tcp 

 4    ;;; accept established,related,untracked
      chain=input action=accept connection-state=established,related,untracked 

 5    ;;; drop invalid
      chain=input action=drop connection-state=invalid 

 6    ;;; accept ICMP
      chain=input action=accept protocol=icmp 

 7    ;;; accept to local loopback (for CAPsMAN)
      chain=input action=accept dst-address=127.0.0.1 

 8    ;;; fasttrack
      chain=forward action=fasttrack-connection connection-state=established,related 

 9    ;;; accept established,related, untracked
      chain=forward action=accept connection-state=established,related,untracked 

10    ;;; drop invalid
      chain=forward action=drop connection-state=invalid 

11    ;;; Allow portforward
      chain=forward action=accept connection-state=new connection-nat-state=dstnat in-interface=ether1_UPLINK 

12    ;;; Allow access to Winbox from management network
      chain=input action=accept src-address=172.29.10.0/24 dst-address=172.29.10.1 in-interface=MANAGEMENT_VLAN log=no log-prefix="" 

13    ;;; RouterOS deighbor deiscovery featre
      chain=forward action=accept protocol=udp src-address=172.29.10.0/24 in-interface=MANAGEMENT_VLAN 

14    ;;; Allow management network access to the whole network
      chain=forward action=accept src-address=172.29.10.0/24 in-interface=MANAGEMENT_VLAN out-interface=all-vlan log=no log-prefix="" 

15    ;;; Allow access to DNS server (UDP)
      chain=forward action=accept protocol=udp dst-address=172.29.10.100 in-interface=all-vlan out-interface=MANAGEMENT_VLAN dst-port=53 

16    ;;; Allow access to DNS server (TCP)
      chain=forward action=accept protocol=tcp dst-address=172.29.10.100 in-interface=all-vlan out-interface=MANAGEMENT_VLAN dst-port=53 

17    ;;; Allow CODEBREAKER devices access to proxy server
      chain=forward action=accept protocol=tcp dst-address=172.28.30.103 in-interface=CODEBREAKER_DEVICES_VLAN out-interface=CODEBREAKER_VM_VLAN dst-port=80,443 

18    ;;; Allow Home Devices access to the SMB share on OMV
      chain=forward action=accept protocol=tcp dst-address=172.29.10.107 in-interface=HOME_DEVICES_VLAN out-interface=MANAGEMENT_VLAN dst-port=445 

19    ;;; Drop all inter-VLAN packets 
      chain=forward action=drop in-interface=all-vlan out-interface=all-vlan log=no log-prefix="" 

20    ;;; Drop Winbox on WAN
      chain=input action=drop protocol=tcp in-interface=ether1_UPLINK dst-port=8291 

21    ;;; drop all from WAN not DSTNATed
      chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=ether1_UPLINK 

22    ;;; Drop everything else 
      chain=input action=drop log=yes log-prefix="DROP_ALL_" 
I've added SYN flood protection to my firewall from the MikroTik wiki. But in my drop-all rule log I get a lot of TCP SYN packets. I understand what SYN packets do in a TCP handshake, but I don't understand what these are. Are they part of a SYN flood attack? Should these packets be dropped? Accepted? If so, how?
12:41:15 firewall,info DROP_ALL_ input: in:ether1_UPLINK out:(unknown 0), src-mac 64:6e:ea:31:9c:b9, proto TCP (SYN), 185.45.194.209:50027->192.168.1.2:64501, len 52 
12:41:29 firewall,info DROP_ALL_ input: in:ether1_UPLINK out:(unknown 0), src-mac 64:6e:ea:31:9c:b9, proto TCP (SYN), 194.26.29.130:8080->192.168.1.2:33392, len 44 
12:41:36 firewall,info DROP_ALL_ input: in:ether1_UPLINK out:(unknown 0), src-mac 64:6e:ea:31:9c:b9, proto TCP (SYN), 37.194.213.234:51553->192.168.1.2:445, len 44 
12:42:02 firewall,info DROP_ALL_ input: in:ether1_UPLINK out:(unknown 0), src-mac 64:6e:ea:31:9c:b9, proto TCP (SYN), 51.83.206.126:58862->192.168.1.2:3389, len 52 
12:42:05 firewall,info DROP_ALL_ input: in:ether1_UPLINK out:(unknown 0), src-mac 64:6e:ea:31:9c:b9, proto TCP (SYN), 89.164.185.107:35592->192.168.1.2:49698, len 60 
12:42:05 firewall,info DROP_ALL_ input: in:ether1_UPLINK out:(unknown 0), src-mac 64:6e:ea:31:9c:b9, proto TCP (SYN), 51.83.206.126:58862->192.168.1.2:3389, len 52 
12:42:06 firewall,info DROP_ALL_ input: in:ether1_UPLINK out:(unknown 0), src-mac 64:6e:ea:31:9c:b9, proto TCP (SYN), 89.164.185.107:35592->192.168.1.2:49698, len 60 
12:42:08 firewall,info DROP_ALL_ input: in:ether1_UPLINK out:(unknown 0), src-mac 64:6e:ea:31:9c:b9, proto TCP (SYN), 89.164.185.107:35592->192.168.1.2:49698, len 60 
12:42:11 firewall,info DROP_ALL_ input: in:ether1_UPLINK out:(unknown 0), src-mac 64:6e:ea:31:9c:b9, proto TCP (SYN), 51.83.206.126:58862->192.168.1.2:3389, len 48 
12:42:12 firewall,info DROP_ALL_ input: in:ether1_UPLINK out:(unknown 0), src-mac 64:6e:ea:31:9c:b9, proto TCP (SYN), 95.178.157.169:35106->192.168.1.2:23, len 44 
12:42:12 firewall,info DROP_ALL_ input: in:ether1_UPLINK out:(unknown 0), src-mac 64:6e:ea:31:9c:b9, proto TCP (SYN), 89.164.185.107:35592->192.168.1.2:49698, len 60 
12:42:13 firewall,info DROP_ALL_ input: in:ether1_UPLINK out:(unknown 0), src-mac 64:6e:ea:31:9c:b9, proto TCP (SYN), 80.61.214.49:6259->192.168.1.2:64501, len 52 
12:42:16 firewall,info DROP_ALL_ input: in:ether1_UPLINK out:(unknown 0), src-mac 64:6e:ea:31:9c:b9, proto TCP (SYN), 80.61.214.49:6259->192.168.1.2:64501, len 52 
12:42:20 firewall,info DROP_ALL_ input: in:ether1_UPLINK out:(unknown 0), src-mac 64:6e:ea:31:9c:b9, proto TCP (SYN), 89.164.185.107:35592->192.168.1.2:49698, len 60 
12:42:22 firewall,info DROP_ALL_ input: in:ether1_UPLINK out:(unknown 0), src-mac 64:6e:ea:31:9c:b9, proto TCP (SYN), 80.61.214.49:6259->192.168.1.2:64501, len 52 
12:42:57 firewall,info DROP_ALL_ input: in:ether1_UPLINK out:(unknown 0), src-mac 64:6e:ea:31:9c:b9, proto TCP (SYN), 89.248.174.193:46203->192.168.1.2:9200, len 44 
12:43:18 firewall,info DROP_ALL_ input: in:ether1_UPLINK out:(unknown 0), src-mac 64:6e:ea:31:9c:b9, proto TCP (SYN), 175.113.235.76:16432->192.168.1.2:8080, len 44 
12:43:20 firewall,info DROP_ALL_ input: in:ether1_UPLINK out:(unknown 0), src-mac 64:6e:ea:31:9c:b9, proto TCP (SYN), 200.98.136.210:40401->192.168.1.2:1433, len 44 
12:44:47 firewall,info DROP_ALL_ input: in:ether1_UPLINK out:(unknown 0), src-mac 64:6e:ea:31:9c:b9, proto UDP, 77.247.108.243:5113->192.168.1.2:3060, len 443 
12:45:13 firewall,info DROP_ALL_ input: in:ether1_UPLINK out:(unknown 0), src-mac 64:6e:ea:31:9c:b9, proto UDP, 45.143.220.171:5716->192.168.1.2:5060, len 419 
12:45:42 firewall,info DROP_ALL_ input: in:ether1_UPLINK out:(unknown 0), src-mac 64:6e:ea:31:9c:b9, proto TCP (SYN), 94.102.53.10:51195->192.168.1.2:18551, len 44 
12:45:47 firewall,info DROP_ALL_ input: in:ether1_UPLINK out:(unknown 0), src-mac 64:6e:ea:31:9c:b9, proto TCP (SYN), 185.184.79.33:60000->192.168.1.2:3402, len 44 
12:46:00 firewall,info DROP_ALL_ input: in:ether1_UPLINK out:(unknown 0), src-mac 64:6e:ea:31:9c:b9, proto TCP (SYN), 51.91.254.98:53735->192.168.1.2:23, len 44 
12:46:06 firewall,info DROP_ALL_ input: in:ether1_UPLINK out:(unknown 0), src-mac 64:6e:ea:31:9c:b9, proto TCP (SYN), 172.5.192.246:8660->192.168.1.2:64501, len 52 
12:46:09 firewall,info DROP_ALL_ input: in:ether1_UPLINK out:(unknown 0), src-mac 64:6e:ea:31:9c:b9, proto TCP (SYN), 172.5.192.246:8660->192.168.1.2:64501, len 52 
12:46:17 firewall,info DROP_ALL_ input: in:ether1_UPLINK out:(unknown 0), src-mac 64:6e:ea:31:9c:b9, proto TCP (SYN), 111.250.137.232:11459->192.168.1.2:23, len 44 
12:46:18 firewall,info DROP_ALL_ input: in:ether1_UPLINK out:(unknown 0), src-mac 64:6e:ea:31:9c:b9, proto TCP (SYN), 139.162.99.58:55568->192.168.1.2:808, len 44 
12:46:20 firewall,info DROP_ALL_ input: in:ether1_UPLINK out:(unknown 0), src-mac 64:6e:ea:31:9c:b9, proto TCP (SYN), 89.201.216.245:56838->192.168.1.2:49698, len 60 
12:46:23 firewall,info DROP_ALL_ input: in:ether1_UPLINK out:(unknown 0), src-mac 64:6e:ea:31:9c:b9, proto TCP (SYN), 89.201.216.245:56838->192.168.1.2:49698, len 60 
12:46:29 firewall,info DROP_ALL_ input: in:ether1_UPLINK out:(unknown 0), src-mac 64:6e:ea:31:9c:b9, proto TCP (SYN), 89.201.216.245:56838->192.168.1.2:49698, len 60 
12:46:36 firewall,info DROP_ALL_ input: in:ether1_UPLINK out:(unknown 0), src-mac 64:6e:ea:31:9c:b9, proto TCP (SYN), 172.87.221.218:40068->192.168.1.2:1433, len 44 
12:46:41 firewall,info DROP_ALL_ input: in:ether1_UPLINK out:(unknown 0), src-mac 64:6e:ea:31:9c:b9, proto TCP (SYN), 89.201.216.245:41729->192.168.1.2:49698, len 60 
12:46:44 firewall,info DROP_ALL_ input: in:ether1_UPLINK out:(unknown 0), src-mac 64:6e:ea:31:9c:b9, proto TCP (SYN), 89.201.216.245:41729->192.168.1.2:49698, len 60 
12:46:48 firewall,info DROP_ALL_ input: in:ether1_UPLINK out:(unknown 0), src-mac 64:6e:ea:31:9c:b9, proto TCP (SYN), 113.12.84.131:52863->192.168.1.2:445, len 44 
12:46:50 firewall,info DROP_ALL_ input: in:ether1_UPLINK out:(unknown 0), src-mac 64:6e:ea:31:9c:b9, proto TCP (SYN), 89.201.216.245:41729->192.168.1.2:49698, len 60 
12:46:56 firewall,info DROP_ALL_ input: in:ether1_UPLINK out:(unknown 0), src-mac 64:6e:ea:31:9c:b9, proto TCP (SYN), 95.178.159.219:21481->192.168.1.2:23, len 44 
12:47:32 firewall,info DROP_ALL_ input: in:ether1_UPLINK out:(unknown 0), src-mac 64:6e:ea:31:9c:b9, proto TCP (SYN), 185.45.194.209:51277->192.168.1.2:64501, len 52 
12:47:33 firewall,info DROP_ALL_ input: in:ether1_UPLINK out:(unknown 0), src-mac 64:6e:ea:31:9c:b9, proto TCP (SYN), 185.45.194.209:51277->192.168.1.2:64501, len 52 
12:47:36 firewall,info DROP_ALL_ input: in:ether1_UPLINK out:(unknown 0), src-mac 64:6e:ea:31:9c:b9, proto TCP (SYN), 185.45.194.209:51277->192.168.1.2:64501, len 52 
12:47:40 firewall,info DROP_ALL_ input: in:ether1_UPLINK out:(unknown 0), src-mac 64:6e:ea:31:9c:b9, proto TCP (SYN), 185.45.194.209:51277->192.168.1.2:64501, len 52 
12:47:48 firewall,info DROP_ALL_ input: in:ether1_UPLINK out:(unknown 0), src-mac 64:6e:ea:31:9c:b9, proto TCP (SYN), 194.26.29.130:8080->192.168.1.2:4002, len 44 
12:47:48 firewall,info DROP_ALL_ input: in:ether1_UPLINK out:(unknown 0), src-mac 64:6e:ea:31:9c:b9, proto TCP (SYN), 185.45.194.209:51277->192.168.1.2:64501, len 52 
12:47:59 firewall,info DROP_ALL_ input: in:ether1_UPLINK out:(unknown 0), src-mac 64:6e:ea:31:9c:b9, proto UDP, 185.156.175.89:38429->192.168.1.2:64501, len 48 
12:48:03 firewall,info DROP_ALL_ input: in:ether1_UPLINK out:(unknown 0), src-mac 64:6e:ea:31:9c:b9, proto TCP (SYN), 185.156.175.89:38927->192.168.1.2:64501, len 60 
12:48:04 firewall,info DROP_ALL_ input: in:ether1_UPLINK out:(unknown 0), src-mac 64:6e:ea:31:9c:b9, proto TCP (SYN), 185.156.175.89:38927->192.168.1.2:64501, len 60 
12:48:05 firewall,info DROP_ALL_ input: in:ether1_UPLINK out:(unknown 0), src-mac 64:6e:ea:31:9c:b9, proto TCP (SYN), 185.45.194.209:51277->192.168.1.2:64501, len 52 
12:48:06 firewall,info DROP_ALL_ input: in:ether1_UPLINK out:(unknown 0), src-mac 64:6e:ea:31:9c:b9, proto TCP (SYN), 185.156.175.89:38927->192.168.1.2:64501, len 60 
12:48:10 firewall,info DROP_ALL_ input: in:ether1_UPLINK out:(unknown 0), src-mac 64:6e:ea:31:9c:b9, proto TCP (SYN), 185.156.175.89:38927->192.168.1.2:64501, len 60 
12:48:49 firewall,info DROP_ALL_ input: in:ether1_UPLINK out:(unknown 0), src-mac 64:6e:ea:31:9c:b9, proto TCP (SYN), 61.177.172.128:31682->192.168.1.2:22, len 60 
12:48:50 firewall,info DROP_ALL_ input: in:ether1_UPLINK out:(unknown 0), src-mac 64:6e:ea:31:9c:b9, proto TCP (SYN), 61.177.172.128:31682->192.168.1.2:22, len 60 
12:48:52 firewall,info DROP_ALL_ input: in:ether1_UPLINK out:(unknown 0), src-mac 64:6e:ea:31:9c:b9, proto TCP (SYN), 61.177.172.128:31682->192.168.1.2:22, len 60 
12:48:55 firewall,info DROP_ALL_ input: in:ether1_UPLINK out:(unknown 0), src-mac 64:6e:ea:31:9c:b9, proto TCP (SYN), 61.177.172.128:38517->192.168.1.2:22, len 60 
12:48:56 firewall,info DROP_ALL_ input: in:ether1_UPLINK out:(unknown 0), src-mac 64:6e:ea:31:9c:b9, proto TCP (SYN), 61.177.172.128:38517->192.168.1.2:22, len 60 
12:48:58 firewall,info DROP_ALL_ input: in:ether1_UPLINK out:(unknown 0), src-mac 64:6e:ea:31:9c:b9, proto TCP (SYN), 61.177.172.128:38517->192.168.1.2:22, len 60 
12:49:01 firewall,info DROP_ALL_ input: in:ether1_UPLINK out:(unknown 0), src-mac 64:6e:ea:31:9c:b9, proto TCP (SYN), 61.177.172.128:45588->192.168.1.2:22, len 60 
12:49:02 firewall,info DROP_ALL_ input: in:ether1_UPLINK out:(unknown 0), src-mac 64:6e:ea:31:9c:b9, proto TCP (SYN), 61.177.172.128:45588->192.168.1.2:22, len 60 
12:49:04 firewall,info DROP_ALL_ input: in:ether1_UPLINK out:(unknown 0), src-mac 64:6e:ea:31:9c:b9, proto TCP (SYN), 61.177.172.128:45588->192.168.1.2:22, len 60
Here is the rest of the config, if needed:
# feb/10/2020 12:46:03 by RouterOS 6.46.3
# software id = GYLW-MC9Q
#
# model = RB4011iGS+
# serial number = AAAF0A95696C
/caps-man datapath
add local-forwarding=yes name=HOME_DEVICES_DATAPATH vlan-id=2720 vlan-mode=use-tag
/interface bridge
add name=BR1 protocol-mode=none vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name=ether1_UPLINK
set [ find default-name=ether6 ] disabled=yes
set [ find default-name=ether7 ] disabled=yes
set [ find default-name=ether8 ] disabled=yes
set [ find default-name=ether9 ] disabled=yes
set [ find default-name=ether10 ] name=ether10_cAP poe-out=off
/interface vlan
add interface=BR1 name=CODEBREAKER_DEVICES_VLAN vlan-id=2820
add interface=BR1 name=CODEBREAKER_VM_VLAN vlan-id=2830
add interface=BR1 name=HOME_DEVICES_VLAN vlan-id=2720
add interface=BR1 name=HOME_VM_VLAN vlan-id=2730
add interface=BR1 name=MANAGEMENT_VLAN vlan-id=10
/caps-man security
add authentication-types=wpa-psk,wpa2-psk name=HOME_DEVICES_SECURITY
/caps-man configuration
add country=croatia datapath=HOME_DEVICES_DATAPATH name=HOME_DEVICES_CONFIGURATION security=HOME_DEVICES_SECURITY ssid=CODE
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add name=MANAGEMENT
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=MANAGEMENT_POOL ranges=172.29.10.200-172.29.10.254
add name=CODEBREAKER_DEVICES_POOL ranges=172.28.20.100-172.28.20.254
add name=HOME_DEVICES_POOL ranges=172.27.20.100-172.27.20.254
/ip dhcp-server
add address-pool=MANAGEMENT_POOL disabled=no interface=MANAGEMENT_VLAN name=MANAGEMENT_DHCP
add address-pool=CODEBREAKER_DEVICES_POOL disabled=no interface=CODEBREAKER_DEVICES_VLAN name=CODEBREAKER_DEVICES_DHCP
add address-pool=HOME_DEVICES_POOL disabled=no interface=HOME_DEVICES_VLAN name=HOME_DEVICES_DHCP
/system logging action
add disk-file-count=1 disk-file-name=/flash/info.log disk-lines-per-file=50000 name=info target=disk
/caps-man manager
set enabled=yes
/caps-man provisioning
add action=create-dynamic-enabled master-configuration=HOME_DEVICES_CONFIGURATION
/interface bridge port
add bridge=BR1 interface=ether2
add bridge=BR1 interface=ether3 pvid=10
add bridge=BR1 interface=sfp-sfpplus1
add bridge=BR1 interface=ether10_cAP
/ip neighbor discovery-settings
set discover-interface-list=MANAGEMENT
/ip settings
set tcp-syncookies=yes
/interface bridge vlan
add bridge=BR1 tagged=BR1,ether2,ether10_cAP vlan-ids=10,2830,2820,2730,2720
/interface list member
add interface=MANAGEMENT_VLAN list=MANAGEMENT
/ip address
add address=192.168.1.2/24 interface=ether1_UPLINK network=192.168.1.0
add address=172.29.10.1/24 interface=MANAGEMENT_VLAN network=172.29.10.0
add address=172.28.30.1/24 interface=CODEBREAKER_VM_VLAN network=172.28.30.0
add address=172.28.20.1/24 interface=CODEBREAKER_DEVICES_VLAN network=172.28.20.0
add address=172.27.20.1/24 interface=HOME_DEVICES_VLAN network=172.27.20.0
add address=172.27.30.1/24 interface=HOME_VM_VLAN network=172.27.30.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=1m
/ip dhcp-server network
add address=172.27.20.0/24 dns-server=172.29.10.100,1.1.1.1 gateway=172.27.20.1
add address=172.28.20.0/24 dns-server=172.29.10.100,1.1.1.1 gateway=172.28.20.1
add address=172.29.10.0/24 dns-server=172.29.10.100,1.1.1.1 gateway=172.29.10.1
/ip dns
set servers=1.1.1.1
/ip firewall filter
add action=jump chain=forward comment="SYN Flood protect" connection-state=new jump-target=SYN-Protect protocol=tcp tcp-flags=syn
add action=accept chain=SYN-Protect connection-state=new limit=400,5 protocol=tcp tcp-flags=syn
add action=drop chain=SYN-Protect connection-state=new protocol=tcp tcp-flags=syn
add action=accept chain=input comment="accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=accept chain=input comment="accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=fasttrack-connection chain=forward comment=fasttrack connection-state=established,related
add action=accept chain=forward comment="accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=accept chain=forward comment="Allow portforward" connection-nat-state=dstnat connection-state=new in-interface=ether1_UPLINK
add action=accept chain=input comment="Allow access to Winbox from management network" dst-address=172.29.10.1 in-interface=MANAGEMENT_VLAN src-address=172.29.10.0/24
add action=accept chain=forward comment="RouterOS deighbor deiscovery featre" in-interface=MANAGEMENT_VLAN protocol=udp src-address=172.29.10.0/24
add action=accept chain=forward comment="Allow management network access to the whole network" in-interface=MANAGEMENT_VLAN out-interface=all-vlan src-address=172.29.10.0/24
add action=accept chain=forward comment="Allow access to DNS server (UDP)" dst-address=172.29.10.100 dst-port=53 in-interface=all-vlan out-interface=MANAGEMENT_VLAN protocol=udp
add action=accept chain=forward comment="Allow access to DNS server (TCP)" dst-address=172.29.10.100 dst-port=53 in-interface=all-vlan out-interface=MANAGEMENT_VLAN protocol=tcp
add action=accept chain=forward comment="Allow CODEBREAKER devices access to proxy server" dst-address=172.28.30.103 dst-port=80,443 in-interface=CODEBREAKER_DEVICES_VLAN out-interface=CODEBREAKER_VM_VLAN protocol=tcp
add action=accept chain=forward comment="Allow Home Devices access to the SMB share on OMV" dst-address=172.29.10.107 dst-port=445 in-interface=HOME_DEVICES_VLAN out-interface=MANAGEMENT_VLAN protocol=tcp
add action=drop chain=forward comment="Drop all inter-VLAN packets " in-interface=all-vlan out-interface=all-vlan
add action=drop chain=input comment="Drop Winbox on WAN" dst-port=8291 in-interface=ether1_UPLINK protocol=tcp
add action=drop chain=forward comment="drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface=ether1_UPLINK
add action=drop chain=input comment="Drop everything else " log=yes log-prefix=DROP_ALL_
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1_UPLINK
add action=dst-nat chain=dstnat dst-port=443 in-interface=ether1_UPLINK protocol=tcp to-addresses=172.29.10.109 to-ports=443
add action=dst-nat chain=dstnat dst-port=80 in-interface=ether1_UPLINK protocol=tcp to-addresses=172.29.10.109 to-ports=80
add action=dst-nat chain=dstnat dst-port=18180 in-interface=ether1_UPLINK protocol=tcp to-addresses=172.29.10.101 to-ports=18180
/ip route
add check-gateway=ping distance=1 gateway=192.168.1.1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh address=172.29.10.0/24
set api disabled=yes
set winbox address=172.29.10.0/24
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/system clock
set time-zone-name=Europe/Zagreb
/system identity
set name=RB01
/system logging
add topics=firewall
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=MANAGEMENT
/tool mac-server mac-winbox
set allowed-interface-list=MANAGEMENT
/tool mac-server ping
set enabled=no
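To see what the DROP_ALL_ log above is actually recording, here is an added example in Python (it is not part of the thread and not MikroTik code). It parses a handful of the log lines posted above, collapses repeated SYNs of the same 5-tuple into one connection attempt, and tallies attempts by chain, destination port and source address. The 30-second grouping window and the choice of sample lines are my own assumptions; the log format is the one RouterOS prints for a filter rule with log=yes, as shown in the post.

```python
import re
from collections import Counter

# Constructed input: a handful of the DROP_ALL_ lines from the post above,
# chosen so that the sample contains both single probes and SYN retransmits.
SAMPLE_LOG = """\
12:41:15 firewall,info DROP_ALL_ input: in:ether1_UPLINK out:(unknown 0), src-mac 64:6e:ea:31:9c:b9, proto TCP (SYN), 185.45.194.209:50027->192.168.1.2:64501, len 52
12:41:36 firewall,info DROP_ALL_ input: in:ether1_UPLINK out:(unknown 0), src-mac 64:6e:ea:31:9c:b9, proto TCP (SYN), 37.194.213.234:51553->192.168.1.2:445, len 44
12:42:02 firewall,info DROP_ALL_ input: in:ether1_UPLINK out:(unknown 0), src-mac 64:6e:ea:31:9c:b9, proto TCP (SYN), 51.83.206.126:58862->192.168.1.2:3389, len 52
12:42:05 firewall,info DROP_ALL_ input: in:ether1_UPLINK out:(unknown 0), src-mac 64:6e:ea:31:9c:b9, proto TCP (SYN), 51.83.206.126:58862->192.168.1.2:3389, len 52
12:42:11 firewall,info DROP_ALL_ input: in:ether1_UPLINK out:(unknown 0), src-mac 64:6e:ea:31:9c:b9, proto TCP (SYN), 51.83.206.126:58862->192.168.1.2:3389, len 48
12:45:13 firewall,info DROP_ALL_ input: in:ether1_UPLINK out:(unknown 0), src-mac 64:6e:ea:31:9c:b9, proto UDP, 45.143.220.171:5716->192.168.1.2:5060, len 419
12:48:49 firewall,info DROP_ALL_ input: in:ether1_UPLINK out:(unknown 0), src-mac 64:6e:ea:31:9c:b9, proto TCP (SYN), 61.177.172.128:31682->192.168.1.2:22, len 60
12:48:50 firewall,info DROP_ALL_ input: in:ether1_UPLINK out:(unknown 0), src-mac 64:6e:ea:31:9c:b9, proto TCP (SYN), 61.177.172.128:31682->192.168.1.2:22, len 60
12:48:55 firewall,info DROP_ALL_ input: in:ether1_UPLINK out:(unknown 0), src-mac 64:6e:ea:31:9c:b9, proto TCP (SYN), 61.177.172.128:38517->192.168.1.2:22, len 60
"""

# One RouterOS firewall log line, as produced by a filter rule with log=yes.
LINE_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d) firewall,info (?P<prefix>\S+) (?P<chain>\w+): "
    r"in:(?P<in_if>\S+) out:(?P<out_if>.*?), src-mac (?P<mac>[0-9a-f:]+), "
    r"proto (?P<proto>[A-Z]+)(?: \((?P<detail>[^)]*)\))?, "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?->(?P<dst>[\d.]+)(?::(?P<dport>\d+))?, "
    r"len (?P<len>\d+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for a non-matching line."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    ev = m.groupdict()
    for field in ("sport", "dport", "len"):
        ev[field] = int(ev[field]) if ev[field] is not None else None
    h, mnt, s = (int(x) for x in ev["time"].split(":"))
    ev["seconds"] = h * 3600 + mnt * 60 + s  # time of day, used for retransmit grouping
    return ev


def collapse_retransmits(events, window=30):
    """Merge log lines that belong to one connection attempt.

    A SYN that the router drops silently gets no SYN-ACK or RST back, so the
    sender retransmits it (roughly 1 s, 3 s, 7 s ... later). The same
    proto/src/sport/dst/dport within `window` seconds is therefore counted as
    one attempt rather than as several separate events.
    """
    attempts, open_attempt = [], {}
    for ev in events:
        key = (ev["proto"], ev["src"], ev["sport"], ev["dst"], ev["dport"])
        cur = open_attempt.get(key)
        if cur is not None and ev["seconds"] - cur["last"] <= window:
            cur["packets"] += 1
            cur["last"] = ev["seconds"]
        else:
            cur = {"src": ev["src"], "dst": ev["dst"], "dport": ev["dport"],
                   "proto": ev["proto"], "chain": ev["chain"],
                   "first": ev["seconds"], "last": ev["seconds"], "packets": 1}
            open_attempt[key] = cur
            attempts.append(cur)
    return attempts


def summarize(log_text, window=30):
    """Turn raw log text into counts a person can act on."""
    events = [ev for ev in map(parse_line, log_text.splitlines()) if ev]
    attempts = collapse_retransmits(events, window)
    return {
        "packets": len(events),
        "attempts": len(attempts),
        "by_chain": Counter(a["chain"] for a in attempts),  # input = aimed at the router itself
        "by_port": Counter(a["dport"] for a in attempts),
        "by_src": Counter(a["src"] for a in attempts),
        "retransmitted": sum(1 for a in attempts if a["packets"] > 1),
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print(f"{report['packets']} logged packets = {report['attempts']} distinct attempts "
          f"({report['retransmitted']} of them with retransmits)")
    print("chains:", dict(report["by_chain"]))
    for port, n in report["by_port"].most_common():
        print(f"  dst port {port:>5}: {n} attempt(s)")
    for src, n in report["by_src"].most_common():
        print(f"  source {src:>15}: {n} attempt(s)")
```

Two things the summary makes visible that the raw lines hide: every entry is in the input chain with the router's own WAN address as destination, so these are connections to the router rather than through it, and several of the "many SYN packets" are retransmits of one unanswered attempt, so the line count overstates the number of sources. Grouping by destination port before deciding what deserves an alert is the cheap first filter for the central logging the post mentions.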
 
karlisi
Member Candidate
Posts: 282
Joined: Mon May 31, 2004 8:09 am
Location: Latvia

Re: Help me fix my crappy firewall

Mon Feb 10, 2020 3:47 pm

At the end of this journey, nothing known should reach the last rule on the firewall (chain=input action=drop log=yes). This log will (in distant future) be sent to a central logging service with alerts attached to it.
Not exactly. These SYN packets are dropped in the input chain; they are coming to the router itself, not through it. Drop rule #22 protects your router from anything you have not allowed in prior rules in the input chain. In this context, rule #20 is unneeded because default drop rule #22 will do that:
20    ;;; Drop Winbox on WAN
      chain=input action=drop protocol=tcp in-interface=ether1_UPLINK dst-port=8291 
22    ;;; Drop everything else 
      chain=input action=drop log=yes log-prefix="DROP_ALL_" 
Last edited by karlisi on Mon Feb 10, 2020 3:58 pm, edited 1 time in total.
---
Karlis
 
pe1chl
Forum Guru
Posts: 6224
Joined: Mon Jun 08, 2015 12:09 pm

Re: Help me fix my crappy firewall

Mon Feb 10, 2020 3:54 pm

Hi,

I set myself a goal to fix my crappy firewall rules
First steps to take:
- update RouterOS (you have already done that)
- reset configuration to defaults (you did that long ago on an older version, it now has to be re-done)

The firewall you have then is much closer to what you want.
 
karlisi
Member Candidate
Posts: 282
Joined: Mon May 31, 2004 8:09 am
Location: Latvia

Re: Help me fix my crappy firewall

Mon Feb 10, 2020 3:56 pm

About the other firewall rules: rule #11 is unneeded because rule #21 already does that:
11    ;;; Allow portforward
      chain=forward action=accept connection-state=new connection-nat-state=dstnat in-interface=ether1_UPLINK 
21    ;;; drop all from WAN not DSTNATed
      chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=ether1_UPLINK       
      
Rule #1 I would put somewhere behind rule #10, because now all packets, including established and related connections, go through this rule and unnecessarily consume router resources.
---
Karlis
 
WeWiNet
Member Candidate
Posts: 240
Joined: Thu Sep 27, 2018 4:11 pm

Re: Help me fix my crappy firewall

Mon Feb 10, 2020 4:28 pm

DO NOT LOG LAST DROP RULE TO DISK (I see you log to disk :shock: !)

It is completely useless and nonsense to log your last drop rule (actually there will be two rules, one on the forward and one on the input chain).
Once you log your last drop rule you will see how much stuff gets dropped which is of no interest at all.
(But it's a good exercise to do. Just make sure you don't blow up your connection or memory (don't log that to disk please :-))
Dropped is all you "do not need", which is not the same as "dangerous".

What you really want to do is log "suspicious" activity, or things that are known to be not good (login attempts to the router, for example).
Most important is securing the router (input rules from WAN (ideally none for NEW connections), and also DNS access connections from WAN).
But all the rules are on the Wiki (and as said, using the new default rules is the best starting point).

From there onwards add bogons, SSH brute force, ICMP packets etc. on the various chains.
WeWiNet

**
MTCNA
hapac2, map, hap-lite, ltap-mini, RB4011 (good!), Audience (better) :-) !!!
 
codebreaker
just joined
Topic Author
Posts: 7
Joined: Sat Jul 13, 2019 1:46 pm

Re: Help me fix my crappy firewall

Tue Feb 11, 2020 2:56 pm

Thank you all for your inputs.

I've implemented your suggestions and added a few things. Below is the latest version of the firewall and script.

Since I have "accept known, drop everything else" firewall rules, do I need bogon protection, since those packets will eventually be dropped by the drop-all rule?

Regarding writing the log to disk: first I set up logging to disk to persist the log because my router restarted right in front of me for (to me) no apparent reason. Then later I added logging to the drop rule to see what exactly I am dropping, while forgetting I had logging to disk configured. (Excuses, excuses...)

Firewall rules:
 0  D ;;; special dummy rule to show fasttrack counters
      chain=forward action=passthrough 

 1    ;;; accept established,related,untracked
      chain=input action=accept connection-state=established,related,untracked 

 2    ;;; drop invalid
      chain=input action=drop connection-state=invalid 

 3    ;;; accept ICMP
      chain=input action=accept protocol=icmp 

 4    ;;; accept to local loopback (for CAPsMAN)
      chain=input action=accept dst-address=127.0.0.1 

 5    ;;; allow access to winbox from management network
      chain=input action=accept src-address=172.29.10.0/24 dst-address=172.29.10.1 in-interface=MANAGEMENT_VLAN 

 6    ;;; drop all not coming from LAN
      chain=input action=drop in-interface-list=!LAN 

 7    ;;; accept in ipsec policy
      chain=forward action=accept ipsec-policy=in,ipsec 

 8    ;;; accept out ipsec policy
      chain=forward action=accept ipsec-policy=out,ipsec 

 9    ;;; fasttrack
      chain=forward action=fasttrack-connection connection-state=established,related 

10    ;;; accept established,related, untracked
      chain=forward action=accept connection-state=established,related,untracked 

11    ;;; drop invalid
      chain=forward action=drop connection-state=invalid 

12    ;;; sYN Flood protect
      chain=forward action=jump jump-target=SYN-Protect tcp-flags=syn connection-state=new protocol=tcp 

13    ;;; allow all from WAN DSTNATed
      chain=forward action=accept connection-state=new connection-nat-state=dstnat in-interface-list=WAN log=no log-prefix="" 

14    ;;; allow access to the internet
      chain=forward action=accept src-address-list=INTERNET_ACCESS out-interface-list=WAN log=no log-prefix="" 

15    ;;; allow access to DNS server (tcp)
      chain=forward action=accept protocol=tcp dst-address=172.29.10.100 dst-port=53 

16    ;;; allow access to DNS server (udp)
      chain=forward action=accept protocol=udp dst-address=172.29.10.100 dst-port=53 

17    ;;; allow CODEBREAKER devices access to proxy server
      chain=forward action=accept protocol=tcp dst-address=172.28.30.103 in-interface=CODEBREAKER_DEVICES_VLAN out-interface=CODEBREAKER_VM_VLAN dst-port=80,443 

18    ;;; allow Home Devices access to the SMB share on OMV
      chain=forward action=accept protocol=tcp dst-address=172.29.10.107 in-interface=HOME_DEVICES_VLAN out-interface=MANAGEMENT_VLAN dst-port=445 

19    ;;; drop everything else
      chain=forward action=drop connection-state=new log=yes log-prefix="FORWARD_DROP" 

20    chain=SYN-Protect action=accept tcp-flags=syn connection-state=new protocol=tcp limit=400,5 

21    chain=SYN-Protect action=drop tcp-flags=syn connection-state=new protocol=tcp 
Export:
# feb/11/2020 13:30:40 by RouterOS 6.46.3
# software id = GYLW-MC9Q
#
# model = RB4011iGS+
# serial number = AAAF0A95696C
/caps-man datapath
add local-forwarding=yes name=HOME_DEVICES_DATAPATH vlan-id=2720 vlan-mode=use-tag
/interface bridge
add name=BR1 protocol-mode=none vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name=ether1_UPLINK
set [ find default-name=ether6 ] disabled=yes
set [ find default-name=ether7 ] disabled=yes
set [ find default-name=ether8 ] disabled=yes
set [ find default-name=ether9 ] disabled=yes
set [ find default-name=ether10 ] name=ether10_cAP
/interface vlan
add interface=BR1 name=CODEBREAKER_DEVICES_VLAN vlan-id=2820
add interface=BR1 name=CODEBREAKER_VM_VLAN vlan-id=2830
add interface=BR1 name=HOME_DEVICES_VLAN vlan-id=2720
add interface=BR1 name=HOME_VM_VLAN vlan-id=2730
add interface=BR1 name=MANAGEMENT_VLAN vlan-id=10
/caps-man security
add authentication-types=wpa-psk,wpa2-psk name=HOME_DEVICES_SECURITY
/caps-man configuration
add country=croatia datapath=HOME_DEVICES_DATAPATH name=HOME_DEVICES_CONFIGURATION security=HOME_DEVICES_SECURITY ssid=CODE
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add name=MANAGEMENT
add name=LAN
add name=WAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=MANAGEMENT_POOL ranges=172.29.10.200-172.29.10.254
add name=CODEBREAKER_DEVICES_POOL ranges=172.28.20.100-172.28.20.254
add name=HOME_DEVICES_POOL ranges=172.27.20.100-172.27.20.254
/ip dhcp-server
add address-pool=MANAGEMENT_POOL disabled=no interface=MANAGEMENT_VLAN name=MANAGEMENT_DHCP
add address-pool=CODEBREAKER_DEVICES_POOL disabled=no interface=CODEBREAKER_DEVICES_VLAN name=CODEBREAKER_DEVICES_DHCP
add address-pool=HOME_DEVICES_POOL disabled=no interface=HOME_DEVICES_VLAN name=HOME_DEVICES_DHCP
/system logging action
add name=forwardDrop target=memory
/caps-man manager
set enabled=yes
/caps-man provisioning
add action=create-dynamic-enabled master-configuration=HOME_DEVICES_CONFIGURATION
/interface bridge port
add bridge=BR1 interface=ether2
add bridge=BR1 interface=ether3 pvid=10
add bridge=BR1 interface=sfp-sfpplus1
add bridge=BR1 interface=ether10_cAP
/ip neighbor discovery-settings
set discover-interface-list=MANAGEMENT
/ip settings
set tcp-syncookies=yes
/interface bridge vlan
add bridge=BR1 tagged=BR1,ether2,ether10_cAP vlan-ids=10,2830,2820,2730,2720
/interface list member
add interface=MANAGEMENT_VLAN list=MANAGEMENT
add interface=BR1 list=LAN
add interface=ether1_UPLINK list=WAN
/ip address
add address=192.168.1.2/24 interface=ether1_UPLINK network=192.168.1.0
add address=172.29.10.1/24 interface=MANAGEMENT_VLAN network=172.29.10.0
add address=172.28.30.1/24 interface=CODEBREAKER_VM_VLAN network=172.28.30.0
add address=172.28.20.1/24 interface=CODEBREAKER_DEVICES_VLAN network=172.28.20.0
add address=172.27.20.1/24 interface=HOME_DEVICES_VLAN network=172.27.20.0
add address=172.27.30.1/24 interface=HOME_VM_VLAN network=172.27.30.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=1m
/ip dhcp-server network
add address=172.27.20.0/24 dns-server=172.29.10.100,1.1.1.1 gateway=172.27.20.1
add address=172.28.20.0/24 dns-server=172.29.10.100,1.1.1.1 gateway=172.28.20.1
add address=172.29.10.0/24 dns-server=172.29.10.100,1.1.1.1 gateway=172.29.10.1
/ip dns
set servers=1.1.1.1
/ip firewall address-list
add address=172.29.10.0/24 comment="list of addresses to have internet access" list=INTERNET_ACCESS
add address=172.28.20.0/24 list=INTERNET_ACCESS
add address=172.28.30.0/24 list=INTERNET_ACCESS
add address=172.27.20.0/24 list=INTERNET_ACCESS
add address=172.27.30.0/24 list=INTERNET_ACCESS
/ip firewall filter
add action=accept chain=input comment="accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=accept chain=input comment="accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="allow access to Winbox from management network" dst-address=172.29.10.1 in-interface=MANAGEMENT_VLAN src-address=172.29.10.0/24
add action=drop chain=input comment="drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment=fasttrack connection-state=established,related
add action=accept chain=forward comment="accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=jump chain=forward comment="SYN Flood protect" connection-state=new jump-target=SYN-Protect protocol=tcp tcp-flags=syn
add action=accept chain=forward comment="allow all from WAN DSTNATed" connection-nat-state=dstnat connection-state=new in-interface-list=WAN
add action=accept chain=forward comment="allow access to the internet" out-interface-list=WAN src-address-list=INTERNET_ACCESS
add action=accept chain=forward comment="allow access to DNS server (tcp)" dst-address=172.29.10.100 dst-port=53 protocol=tcp
add action=accept chain=forward comment="allow access to DNS server (udp)" dst-address=172.29.10.100 dst-port=53 protocol=udp
add action=accept chain=forward comment="allow CODEBREAKER devices access to proxy server" dst-address=172.28.30.103 dst-port=80,443 in-interface=CODEBREAKER_DEVICES_VLAN out-interface=CODEBREAKER_VM_VLAN protocol=tcp
add action=accept chain=forward comment="allow Home Devices access to the SMB share on OMV" dst-address=172.29.10.107 dst-port=445 in-interface=HOME_DEVICES_VLAN out-interface=MANAGEMENT_VLAN protocol=tcp
add action=drop chain=forward comment="drop everything else" connection-state=new log=yes log-prefix=FORWARD_DROP
add action=accept chain=SYN-Protect connection-state=new limit=400,5 protocol=tcp tcp-flags=syn
add action=drop chain=SYN-Protect connection-state=new protocol=tcp tcp-flags=syn
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1_UPLINK
add action=dst-nat chain=dstnat dst-port=443 in-interface=ether1_UPLINK protocol=tcp to-addresses=172.29.10.109 to-ports=443
add action=dst-nat chain=dstnat dst-port=80 in-interface=ether1_UPLINK protocol=tcp to-addresses=172.29.10.109 to-ports=80
add action=dst-nat chain=dstnat dst-port=18180 in-interface=ether1_UPLINK protocol=tcp to-addresses=172.29.10.101 to-ports=18180
/ip route
add check-gateway=ping distance=1 gateway=192.168.1.1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh address=172.29.10.0/24
set api disabled=yes
set winbox address=172.29.10.0/24
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/system clock
set time-zone-name=Europe/Zagreb
/system identity
set name=RB01
/system logging
add action=forwardDrop topics=firewall
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=MANAGEMENT
/tool mac-server mac-winbox
set allowed-interface-list=MANAGEMENT
/tool mac-server ping
set enabled=no
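As an added illustration (not part of the original post and not RouterOS code), the following Python walks the forward chain from the export above against a few constructed packets, the way RouterOS evaluates a chain: the first matching terminating rule wins, while fasttrack-connection and a jump whose sub-chain runs out fall through to the next rule. It models only the matchers the exported rules use, leaves the two IPsec rules out (no IPsec traffic assumed), does not simulate limit=400,5 (the SYN-Protect accept is treated as always under the limit), and copies the interface and address lists from the export. Two things it makes visible: a UDP DNS query to 172.29.10.100 never reaches the "allow access to the internet" rule, because its out-interface is MANAGEMENT_VLAN rather than a WAN list member, so the DNS rule is the one whose counter increases; and because accept is a terminating action in RouterOS, a new TCP SYN that stays under the limit is accepted inside SYN-Protect and never reaches the later forward rules, including the final logging drop. That second point is worth confirming against the rule counters on the device before relying on the last rule to log everything unexpected.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

# From the export: /interface list member and /ip firewall address-list.
IFACE_LISTS = {"WAN": {"ether1_UPLINK"}}
ADDRESS_LISTS = {"INTERNET_ACCESS": ["172.29.10.0/24", "172.28.20.0/24", "172.28.30.0/24",
                                     "172.27.20.0/24", "172.27.30.0/24"]}

@dataclass
class Packet:
    src: str
    dst: str
    proto: str                        # "tcp", "udp" or "icmp"
    in_iface: str
    out_iface: str
    dport: Optional[int] = None
    state: str = "new"                # new | established | related | untracked | invalid
    nat_state: Optional[str] = None   # "dstnat" once a /ip firewall nat rule rewrote the packet
    syn: bool = False                 # tcp-flags=syn

@dataclass
class Rule:
    label: str                        # the rule's comment from the export, or a label added here
    action: str                       # accept | drop | jump | fasttrack-connection
    match: dict = field(default_factory=dict)
    jump_target: Optional[str] = None

def matches(rule: Rule, p: Packet) -> bool:
    """A rule matches only if every matcher present on it holds (RouterOS ANDs matchers)."""
    tests = {
        "state": lambda v: p.state in v,
        "proto": lambda v: p.proto == v,
        "dport": lambda v: p.dport in v,
        "dst": lambda v: ip_address(p.dst) in ip_network(v),
        "src_list": lambda v: any(ip_address(p.src) in ip_network(n) for n in ADDRESS_LISTS[v]),
        "in_iface": lambda v: p.in_iface == v,
        "out_iface": lambda v: p.out_iface == v,
        "in_list": lambda v: p.in_iface in IFACE_LISTS[v],
        "out_list": lambda v: p.out_iface in IFACE_LISTS[v],
        "nat_state": lambda v: p.nat_state == v,
        "syn": lambda v: p.syn == v,
    }
    return all(tests[key](value) for key, value in rule.match.items())

NEW_SYN = {"state": {"new"}, "proto": "tcp", "syn": True}

# The forward chain in export order; the two IPsec rules are left out (no IPsec traffic assumed).
CHAINS = {
    "forward": [
        Rule("fasttrack", "fasttrack-connection", {"state": {"established", "related"}}),
        Rule("accept established,related,untracked", "accept", {"state": {"established", "related", "untracked"}}),
        Rule("drop invalid", "drop", {"state": {"invalid"}}),
        Rule("SYN Flood protect", "jump", NEW_SYN, jump_target="SYN-Protect"),
        Rule("allow all from WAN DSTNATed", "accept", {"nat_state": "dstnat", "state": {"new"}, "in_list": "WAN"}),
        Rule("allow access to the internet", "accept", {"out_list": "WAN", "src_list": "INTERNET_ACCESS"}),
        Rule("allow access to DNS server (tcp)", "accept", {"dst": "172.29.10.100", "dport": {53}, "proto": "tcp"}),
        Rule("allow access to DNS server (udp)", "accept", {"dst": "172.29.10.100", "dport": {53}, "proto": "udp"}),
        Rule("allow CODEBREAKER devices access to proxy server", "accept",
             {"dst": "172.28.30.103", "dport": {80, 443}, "proto": "tcp",
              "in_iface": "CODEBREAKER_DEVICES_VLAN", "out_iface": "CODEBREAKER_VM_VLAN"}),
        Rule("allow Home Devices access to the SMB share on OMV", "accept",
             {"dst": "172.29.10.107", "dport": {445}, "proto": "tcp",
              "in_iface": "HOME_DEVICES_VLAN", "out_iface": "MANAGEMENT_VLAN"}),
        Rule("drop everything else (log=yes, FORWARD_DROP)", "drop", {"state": {"new"}}),
    ],
    # limit=400,5 is not simulated: the accept is treated as always being under the limit.
    "SYN-Protect": [
        Rule("SYN-Protect accept (under limit)", "accept", NEW_SYN),
        Rule("SYN-Protect drop (over limit)", "drop", NEW_SYN),
    ],
}

def walk(chain: str, p: Packet):
    """Return (action, label) of the first terminating rule, or None if the chain runs out."""
    for rule in CHAINS[chain]:
        if not matches(rule, p):
            continue
        if rule.action in ("accept", "drop"):
            return rule.action, rule.label       # both actions end processing of the packet
        if rule.action == "jump":
            hit = walk(rule.jump_target, p)
            if hit:
                return hit                       # a terminating rule inside the sub-chain
        # fasttrack-connection, and a jump whose sub-chain ran out, fall through to the next rule
    return None

def forward(p: Packet):
    # A built-in chain that runs out of rules accepts the packet; make that explicit.
    return walk("forward", p) or ("accept", "implicit chain default")

# Constructed sample traffic for the cases discussed in the thread (addresses from the export).
DNS_UDP_TO_VM = Packet("172.27.20.104", "172.29.10.100", "udp", "HOME_DEVICES_VLAN", "MANAGEMENT_VLAN", 53)
DNS_REPLY = Packet("172.29.10.100", "172.27.20.104", "udp", "MANAGEMENT_VLAN", "HOME_DEVICES_VLAN", 63593, state="established")
DNS_UDP_TO_1111 = Packet("172.27.20.104", "1.1.1.1", "udp", "HOME_DEVICES_VLAN", "ether1_UPLINK", 53)
NTP_UDP_UNCOVERED = Packet("172.27.20.104", "172.29.10.107", "udp", "HOME_DEVICES_VLAN", "MANAGEMENT_VLAN", 123)
SSH_SYN_UNCOVERED = Packet("172.27.20.104", "172.29.10.107", "tcp", "HOME_DEVICES_VLAN", "MANAGEMENT_VLAN", 22, syn=True)
WEB_DSTNAT_FROM_WAN = Packet("203.0.113.5", "172.29.10.109", "tcp", "ether1_UPLINK", "MANAGEMENT_VLAN", 443, nat_state="dstnat", syn=True)
```

Calling `forward()` on each sample packet returns the rule that decides it. The NTP packet is the only one that reaches the final logging drop; the SSH SYN and even the port-forwarded web request from WAN are decided inside SYN-Protect, which is why the counters of the later accept rules only move for UDP, ICMP and non-SYN TCP under this ordering.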
 
WeWiNet
Member Candidate
Posts: 240
Joined: Thu Sep 27, 2018 4:11 pm

Re: Help me fix my crappy firewall

Tue Feb 11, 2020 6:52 pm

You allow "internet" on forward chain for INTERNET_ACCESS, which will let pass already everything pretty much (it's not a problem by itself).
Thus the DNS rules afterwards won't be hit anymore.

Keep in mind the Mikrotik router DNS server 172.x.x.x needs an input chain to get DNS requests.
But then also limit allowed source address to LAN or !WAN (to exclude access from WAN side into your DNS server)
(allows you to use DNS caching with remote access, to benefit from DNS cache).
WeWiNet

**
MTCNA
hapac2, map, hap-lite, ltap-mini, RB4011 (good!), Audience (better) :-) !!!
 
codebreaker
just joined
Topic Author
Posts: 7
Joined: Sat Jul 13, 2019 1:46 pm

Re: Help me fix my crappy firewall

Tue Feb 11, 2020 10:54 pm

DNS rules are getting hit. When I query my DNS server I can see counter increasing. The "allow internet" rule should only apply to those packets going from LAN to WAN. And from my testing it does just that. Could you elaborate on this please? Should I not configure the "internet access" like so?

Regarding router's DNS resolver, I don't use it (I have pihole + pdns(recursor) + pdns(authoritative)). But thank you for the reminder, because I wouldn't be able to figure it out even after a few hours of debugging. I'll write a rule but keep it disabled for future reference.
 
WeWiNet
Member Candidate
Posts: 240
Joined: Thu Sep 27, 2018 4:11 pm

Re: Help me fix my crappy firewall

Wed Feb 12, 2020 11:46 am

Your DNS is also 1.1.1.1 and this is on the WAN side, so already allowed by the earlier rule.

I don't know what is hitting the forward DNS rule for 172.x.x.x, as the DNS server (if you use your router 172.x.x.x as DNS server) is
INPUT. Maybe log that rule for a moment and see if these are local DNS requests or it is something different.

You might want to put down on paper what you actually want to allow, how to do that etc.
Then you start your network and will see nothing works :-).
(at least this is how I started: allow established / related, nothing else...)
From there you start adding rules to allow things needed and make your network work.

I say this as your aspiration (which I think is a good target) is to LOG all that is dropped (= You want to know exactly what goes on and
disallow anything suspicious etc.).
This means you will need to be hyper granular in your rules and setup and be very methodic.
Example: I don't let network devices ping the outside world (for this I use PING tool in RouterOS :-))
I have a NAS that was rebooting every 15 minutes... Guess what, it was doing a PING to a specific server every now and then...
took me 2-3 days to figure that out. First thought device is broken...
Now I have a rule allowing that and only that device to PING (one specific ICMP code) to exactly one WAN IP.
It's work to maintain that, but I like it...
WeWiNet

**
MTCNA
hapac2, map, hap-lite, ltap-mini, RB4011 (good!), Audience (better) :-) !!!
 
codebreaker
just joined
Topic Author
Posts: 7
Joined: Sat Jul 13, 2019 1:46 pm

Re: Help me fix my crappy firewall

Wed Feb 12, 2020 1:06 pm

I have some trouble understanding you regarding the DNS. Let me explain a bit better.

I don't use my Mikrotik router as a DNS server. DNS server set (1.1.1.1) is for the Mikrotik router itself to be able to resolve DNS queries.
/ip dns set servers=1.1.1.1 allow-remote-requests=no
allow-remote-requests is set to no, so that the router does not respond to DNS queries (these queries would be on the INPUT chain, but since I'm not using it, I've disabled the rule on the chain).
I have a virtual machine (172.29.10.100) that hosts PowerDNS Authoritative server, PowerDNS Recursor and PiHole for ad blocking, resolving local domains and caching.

To allow my internal network to access my local DNS VM I have the following rules (FORWARD chain because the packets go through the router):
add action=accept chain=forward comment="allow access to DNS server (tcp)" dst-address=172.29.10.100 dst-port=53 protocol=tcp
add action=accept chain=forward comment="allow access to DNS server (udp)" dst-address=172.29.10.100 dst-port=53 protocol=udp
These rules are being hit:
Windows PC
IP: 172.27.20.104
PS C:\Users\User> date; nslookup google.com 172.29.10.100

12 February 2020 11:23:43
Server:  UnKnown
Address:  172.29.10.100

Non-authoritative answer:
Name:    google.com
Addresses:  2a00:1450:400d:805::200e
          172.217.19.110
          
Firewall log
11:23:43 firewall,info DNS forward: in:HOME_DEVICES_VLAN out:MANAGEMENT_VLAN, src-mac xx:xx:xx:xx:xx:xx, proto UDP, 172.27.20.104:63593->172.29.10.100:53, len 72 
11:23:43 firewall,info DNS forward: in:HOME_DEVICES_VLAN out:MANAGEMENT_VLAN, src-mac xx:xx:xx:xx:xx:xx, proto UDP, 172.27.20.104:63593->172.29.10.100:53, len 72 
11:23:43 firewall,info DNS forward: in:HOME_DEVICES_VLAN out:MANAGEMENT_VLAN, src-mac xx:xx:xx:xx:xx:xx, proto UDP, 172.27.20.104:63594->172.29.10.100:53, len 56 
11:23:43 firewall,info DNS forward: in:HOME_DEVICES_VLAN out:MANAGEMENT_VLAN, src-mac xx:xx:xx:xx:xx:xx, proto UDP, 172.27.20.104:63594->172.29.10.100:53, len 56 
11:23:43 firewall,info DNS forward: in:HOME_DEVICES_VLAN out:MANAGEMENT_VLAN, src-mac xx:xx:xx:xx:xx:xx, proto UDP, 172.27.20.104:63595->172.29.10.100:53, len 56 
11:23:43 firewall,info DNS forward: in:HOME_DEVICES_VLAN out:MANAGEMENT_VLAN, src-mac xx:xx:xx:xx:xx:xx, proto UDP, 172.27.20.104:63595->172.29.10.100:53, len 56
To my understanding, this is the correct way of configuration.
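For the goal stated at the top of the thread (shipping the FORWARD_DROP log to a central service with alerts), here is an added Python example, not the poster's code, that parses RouterOS firewall log lines in the format shown above and summarises the drops per flow and per source. The sample log is constructed for this example: the first line mirrors the DNS line above with a made-up MAC, and the others are what the "drop everything else" rule with log-prefix=FORWARD_DROP would produce for traffic no earlier rule covers. The parser assumes, as RouterOS normally does, that TCP flags and ICMP type/code appear in parentheses after the protocol, that ICMP lines carry no ports, and that the log-prefix and src-mac fields may be absent.

```python
import re
from collections import Counter
from typing import Optional

# One RouterOS firewall log line, e.g.
# "11:23:43 firewall,info DNS forward: in:X out:Y, src-mac ..., proto UDP, a:p->b:q, len N"
# The log-prefix, the src-mac field, the flags after the protocol and the ports are all optional.
LOG_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d) firewall,info (?:(?P<prefix>[^\s:]+) )?(?P<chain>\w+): "
    r"in:(?P<in_if>\S+) out:(?P<out_if>\(unknown 0\)|\S+), "
    r"(?:src-mac (?P<src_mac>[0-9A-Fa-fx:]+), )?"
    r"proto (?P<proto>\w+)(?: \((?P<flags>[^)]*)\))?, "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?->(?P<dst>[\d.]+)(?::(?P<dport>\d+))?, "
    r"len (?P<len>\d+)\s*$"
)

def parse_line(line: str) -> Optional[dict]:
    """Parse one log line into a dict of named fields, or return None for lines in another format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "len"):
        rec[key] = int(rec[key]) if rec[key] is not None else None
    return rec

def parse_log(text: str):
    """Parse a whole log, silently skipping lines that are not firewall entries."""
    return [rec for rec in (parse_line(line) for line in text.splitlines()) if rec]

def drop_summary(records, prefix="FORWARD_DROP") -> Counter:
    """Count dropped packets per (in-interface, src, dst, proto, dport) so repeated flows stand out."""
    return Counter((r["in_if"], r["src"], r["dst"], r["proto"], r["dport"])
                   for r in records if r["prefix"] == prefix)

def noisy_sources(records, threshold=2, prefix="FORWARD_DROP"):
    """Sources with at least `threshold` drops: candidates for an explicit rule or a closer look."""
    per_src = Counter(r["src"] for r in records if r["prefix"] == prefix)
    return sorted(src for src, n in per_src.items() if n >= threshold)

# Constructed sample log (MACs and the FORWARD_DROP lines are made up for this example).
SAMPLE_LOG = """\
11:23:43 firewall,info DNS forward: in:HOME_DEVICES_VLAN out:MANAGEMENT_VLAN, src-mac 00:11:22:33:44:55, proto UDP, 172.27.20.104:63593->172.29.10.100:53, len 72
11:24:01 firewall,info FORWARD_DROP forward: in:HOME_DEVICES_VLAN out:MANAGEMENT_VLAN, src-mac 00:11:22:33:44:55, proto UDP, 172.27.20.104:123->172.29.10.107:123, len 76
11:24:02 firewall,info FORWARD_DROP forward: in:HOME_DEVICES_VLAN out:MANAGEMENT_VLAN, src-mac 00:11:22:33:44:55, proto UDP, 172.27.20.104:123->172.29.10.107:123, len 76
11:24:05 firewall,info FORWARD_DROP forward: in:HOME_DEVICES_VLAN out:CODEBREAKER_VM_VLAN, src-mac 00:11:22:33:44:55, proto ICMP (type 8, code 0), 172.27.20.104->172.28.30.103, len 84
11:24:09 firewall,info FORWARD_DROP forward: in:ether1_UPLINK out:MANAGEMENT_VLAN, src-mac 00:aa:bb:cc:dd:ee, proto UDP, 203.0.113.9:40000->172.29.10.100:53, len 60
"""

RECORDS = parse_log(SAMPLE_LOG)

if __name__ == "__main__":
    for key, n in drop_summary(RECORDS).most_common():
        print(n, key)
    print("noisy sources:", noisy_sources(RECORDS))
```

The DNS line is parsed but excluded from the drop summary because its prefix is not FORWARD_DROP; the two identical NTP drops collapse into one counted flow, which is the shape an alert rule wants (one flow repeating, rather than a flat list of lines). Feeding this the memory log from `/log print` or a remote syslog stream is the only change needed to run it on real data.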
 
pe1chl
Forum Guru
Posts: 6224
Joined: Mon Jun 08, 2015 12:09 pm

Re: Help me fix my crappy firewall

Wed Feb 12, 2020 3:41 pm

Yes this is correct. Of course with the Established/Related rule in addition to that (to accept the replies).
And as you see it works, so why worry?
 
codebreaker
just joined
Topic Author
Posts: 7
Joined: Sat Jul 13, 2019 1:46 pm

Re: Help me fix my crappy firewall

Wed Feb 12, 2020 6:05 pm

It works, yes. But as I am not a networking guy, I'm wondering if it is correct and secure. :D
