 
mur
Frequent Visitor
Topic Author
Posts: 69
Joined: Thu Feb 13, 2020 8:43 pm

How to block ports effectively?

Tue Mar 24, 2020 3:39 pm

Hi everyone,
By running Nmap on my Lubuntu distro in a VM and targeting my Windows desktop PC, it seems that a few ports are open. They seem to be related to Windows services mostly, and some crappy things I haven't identified yet. I'd now want to block them.
Would a rule like this work for example?
ip firewall filter add chain=forward in-interface=bridge out-interface-list=WAN protocol=tcp dst-port=445 action=drop
Thanks
 
anav
Forum Guru
Posts: 3661
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: How to block ports effectively?

Tue Mar 24, 2020 4:07 pm

Even destination ports are visible but CLOSED when doing port scans from the internet.
Why ports are showing as OPEN is very weird, perhaps if you allow ICMP??
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
mur
Frequent Visitor
Topic Author
Posts: 69
Joined: Thu Feb 13, 2020 8:43 pm

Re: How to block ports effectively?

Tue Mar 24, 2020 4:13 pm

> Even destination ports are visible but CLOSED when doing port scans from the internet.
> Why ports are showing as OPEN is very weird, perhaps if you allow ICMP??
I did port scan from my LAN (Lubuntu is on a VM in my own LAN although on "Host mode" in Vmware workstation pro)

I allow ICMP in input chain
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
Thanks
 
anav
Forum Guru
Posts: 3661
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: How to block ports effectively?

Tue Mar 24, 2020 4:17 pm

Try grc.com and their ShieldsUP tool to see what is visible from the internet.
 
mur
Frequent Visitor
Topic Author
Posts: 69
Joined: Thu Feb 13, 2020 8:43 pm

Re: How to block ports effectively?

Tue Mar 24, 2020 5:15 pm

> try grc.com and their shields up tool to see what is visible from the internet.
Ok, but I would like to drop requests from my LAN to Internet too, and understand if my rule above would be ok
Thanks
 
anav
Forum Guru
Posts: 3661
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: How to block ports effectively?

Tue Mar 24, 2020 5:18 pm

How can I make that determination without seeing your config...
 
mur
Frequent Visitor
Topic Author
Posts: 69
Joined: Thu Feb 13, 2020 8:43 pm

Re: How to block ports effectively?

Tue Mar 24, 2020 6:50 pm

> How can I make that determination without seeing your config...
I'd like to know whether my rule above is correct to just give it a try.
Thanks
 
Zacharias
Forum Guru
Posts: 1757
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: How to block ports effectively?

Tue Mar 24, 2020 7:18 pm

The fact that you allow ICMP (1) in the input chain has nothing to do with the ports that appear as open...
Also, the rule in your first post blocks what comes from inside your LAN and tries to go out to the internet with destination port TCP 445. So, it does not protect you from reaching that device through the internet; you have to reverse the rule...
ip firewall filter add chain=forward in-interface-list=WAN protocol=tcp dst-port=445 action=drop
 
mkx
Forum Guru
Posts: 3943
Joined: Thu Mar 03, 2016 10:23 pm

Re: How to block ports effectively?

Tue Mar 24, 2020 7:20 pm

No, it wouldn't work. The bridge interface is typically the originating interface for traffic generated by the router itself, which contradicts chain=forward. But then, if you're filtering using out-interface-list (the right thing to do), then most of the time that's enough (no need to use in-interface). The rest of the rule seems OK to me.
BR,
Metod
 
mur
Frequent Visitor
Topic Author
Posts: 69
Joined: Thu Feb 13, 2020 8:43 pm

Re: How to block ports effectively?

Tue Mar 24, 2020 7:38 pm

> The fact that you allow ICMP (1) in the input chain has nothing to do with the ports that appear as open...
Ok, I won't make any change to it.
> Also, the rule in your first post, blocks what comes from inside your Lan and tries to go out to the internet with destination port TCP 445... So, it does not protect you from reaching that device through the internet.. you have to reverse the rule...
> ip firewall filter add chain=forward in-interface-list=WAN protocol=tcp dst-port=445 action=drop
Blocking what tries to go out to internet would be my goal too.
To make a long story short, I don't want that service to communicate with outside, maybe a microsoft server.
I don't want it to reach my pc either. So, do I need to set two rules for that? Yours and mine?
Thanks
 
mur
Frequent Visitor
Topic Author
Posts: 69
Joined: Thu Feb 13, 2020 8:43 pm

Re: How to block ports effectively?

Tue Mar 24, 2020 7:39 pm

> No, it wouldn't work. bridge interface is typically originating interface for traffic generated by router itself. Which contradicts with chain=forward. But then, if you're filtering using out-interface-list (right thing to do), then most of the time that's enough (no need to use in-interface). The rest of rule seems OK to me.
So, should I delete "in-interface=bridge"?
Thanks
 
Zacharias
Forum Guru
Posts: 1757
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: How to block ports effectively?

Tue Mar 24, 2020 7:40 pm

I would use these two rules...
ip firewall filter add chain=forward in-interface-list=WAN protocol=tcp dst-port=445 action=drop
ip firewall filter add chain=forward out-interface-list=WAN protocol=tcp dst-port=445 action=drop
or you can simply not specify interface, so with one rule it will be dropped either coming from the Internet or going to the Internet...
 
mur
Frequent Visitor
Topic Author
Posts: 69
Joined: Thu Feb 13, 2020 8:43 pm

Re: How to block ports effectively?

Tue Mar 24, 2020 8:08 pm

> i would use these two rules...
> ip firewall filter add chain=forward in-interface-list=WAN protocol=tcp dst-port=445 action=drop
> ip firewall filter add chain=forward out-interface-list=WAN protocol=tcp dst-port=445 action=drop
> or you can simply not specify interface, so with one rule it will be dropped either coming from the Internet or going to the Internet...
good, thanks!
 
anav
Forum Guru
Posts: 3661
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: How to block ports effectively?

Tue Mar 24, 2020 9:09 pm

Without a full config, it's hard to say.
 
mur
Frequent Visitor
Topic Author
Posts: 69
Joined: Thu Feb 13, 2020 8:43 pm

Re: How to block ports effectively?

Wed Mar 25, 2020 10:06 am

> Without a full config, its hard to say.
ok

/ip firewall filter
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward dst-address-list=WAN src-address-list=LAN
add action=accept chain=input comment="defconf: accept established,related" connection-state=\
    established,related
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=\
    127.0.0.1
add action=accept chain=input comment="allow OpenVPN" dst-port=1194 protocol=tcp
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=accept chain=forward comment="defconf: accept established,related" connection-state=\
    established,related
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=\
    established,related
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=\
    !dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="Drop all else" disabled=yes

Thanks
Last edited by mur on Wed Mar 25, 2020 10:37 am, edited 1 time in total.
 
Zacharias
Forum Guru
Posts: 1757
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: How to block ports effectively?

Wed Mar 25, 2020 10:17 am

@mur do you know that the firewall rules (and not only) are checked sequentially?
Please place the rules in a correct order, the wiki and some search will help you on that...
Or you can just reset to default and let the firewall as is and only add carefully...
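The two directional rules suggested earlier and the "rules are checked sequentially" point above, worked through as an added example. This is not mur's export and not a ruleset any reply posted; it is mur's exported rules rearranged so that the TCP/445 drops are evaluated before any rule that could accept the same packet. Assumptions: the interface lists WAN and LAN are the ones the default configuration creates; mur's "accept dst-address-list=WAN src-address-list=LAN" rule is left out, because it accepts every new LAN-to-WAN connection before a later drop can see it and the address lists it names are not in the export; the log prefix is arbitrary.

```routeros
# Added example (not from the thread): mur's /ip firewall filter ruleset
# reordered so the TCP/445 drops sit ahead of every accept rule that could
# match the same packet. Assumes defconf interface lists WAN and LAN.
/ip firewall filter
# --- input chain: traffic addressed to the router itself ---
add chain=input action=accept connection-state=established,related \
    comment="defconf: accept established,related"
add chain=input action=drop connection-state=invalid comment="defconf: drop invalid"
add chain=input action=accept protocol=icmp comment="defconf: accept ICMP"
add chain=input action=accept dst-address=127.0.0.1 \
    comment="defconf: accept to local loopback (for CAPsMAN)"
add chain=input action=accept protocol=tcp dst-port=1194 comment="allow OpenVPN"
add chain=input action=drop in-interface-list=!LAN \
    comment="defconf: drop all not coming from LAN"
# --- forward chain: traffic routed through the router ---
add chain=forward action=accept ipsec-policy=in,ipsec comment="defconf: accept in ipsec policy"
add chain=forward action=accept ipsec-policy=out,ipsec comment="defconf: accept out ipsec policy"
# SMB drops first. The SYN of a new connection is connection-state=new, so the
# established,related rules below would not accept it anyway, but placing the
# drops here keeps them ahead of any accept-new rule added later (such as the
# omitted LAN->WAN accept), which is exactly what would have shadowed them.
add chain=forward action=drop protocol=tcp dst-port=445 in-interface-list=WAN \
    comment="drop SMB from Internet"
add chain=forward action=drop protocol=tcp dst-port=445 out-interface-list=WAN \
    log=yes log-prefix="smb-out" comment="drop SMB to Internet (logged)"
add chain=forward action=fasttrack-connection connection-state=established,related \
    comment="defconf: fasttrack"
add chain=forward action=accept connection-state=established,related \
    comment="defconf: accept established,related"
add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
add chain=forward action=drop connection-state=new connection-nat-state=!dstnat \
    in-interface-list=WAN comment="defconf: drop all from WAN not DSTNATed"
```

Two checks worth running after applying this. `/ip firewall filter print stats` shows per-rule packet counters, so an outbound SMB attempt from a LAN host should increment the "drop SMB to Internet" rule and nothing above it; `/log print where message~"smb-out"` shows the logged drops. Two caveats: the "drop all from WAN not DSTNATed" rule already discards unsolicited inbound connections, so the inbound 445 drop only adds value if a dst-nat rule forwards that port; and a scan launched from a VM on the same PC (or any host on the same LAN segment) reaches the Windows machine without ever crossing the router, so the router's forward chain cannot change what that scan reports. Ports that look open from inside the LAN are a matter for the Windows firewall on the PC itself.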
 
mur
Frequent Visitor
Topic Author
Posts: 69
Joined: Thu Feb 13, 2020 8:43 pm

Re: How to block ports effectively?

Wed Mar 25, 2020 10:38 am

> @mur do you know tht the Firewall rules (and not only) are checked sequentially ?
> Please place the rules in a correct order, the wiki and some search will help you on that...
> Or you can just reset to default and let the firewall as is and only add carefully...
I changed them. Are they ok now?
Thanks
