felodimul
just joined
Topic Author
Posts: 4
Joined: Wed Aug 12, 2020 5:59 pm

Why do most firewalls have Input rules first?

Thu Oct 15, 2020 6:06 pm

I have a few firewall filter questions.

1. Why do most firewalls have input rules first? Shouldn't they come after Forward rules, because there is so much more Forward traffic?

2. In the Forward chain (see below), we FastTrack established and related, and then Accept established and related. Why do we need both, and why do their byte and packet counters match exactly? Should FastTrack come before Accept, or after? It seems that when the Accept rule is above the FastTrack rule, the counters show much higher traffic for Accept than FastTrack. When FastTrack is first, the counters for both FastTrack and Accept are the same.

3. If the filters did not explicitly Drop Invalid, Drop Bogons, Drop All From WAN Not DSTNATed, etc., would they be dropped anyway by the "Drop All" rules at the end? Assuming we don't care about logging or counting these kinds of Drops, is it safe to get rid of these specific Drop rules, when you have a Drop All rule?

4. Other than doing a port scan using nmap from outside the network and inside, what can be done to test the firewall?

/ip firewall filter
add action=fasttrack-connection chain=forward comment="FastTrack established, related forward traffic" connection-state=\
    established,related
add action=accept chain=forward comment="Accept established, related forward traffic" connection-state=established,related
add action=drop chain=forward comment="Drop invalid" connection-state=invalid
add action=accept chain=forward comment="Accept forward traffic from LAN to WAN" in-interface-list=LAN out-interface-list=WAN
add action=drop chain=forward comment="Drop all from WAN not DSTNATed" connection-nat-state=!dstnat in-interface-list=WAN
add action=drop chain=forward comment="Drop Bogons from WAN" in-interface-list=WAN src-address-list=Bogons
add action=drop chain=forward comment="Drop all other forward traffic"
add action=accept chain=input comment="Accept established, related input" connection-state=established,related
add action=drop chain=input comment="Drop invalid input" connection-state=invalid
add action=accept chain=input comment="Accept ICMP" protocol=icmp
add action=accept chain=input comment="Accept LAN input" in-interface-list=LAN
add action=drop chain=input comment="Drop all other input"
 
anav
Forum Guru
Posts: 5380
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Why do most firewalls have Input rules first?

Thu Oct 15, 2020 6:36 pm

The input and forward chains are separate chains and thus it doesn't matter which is first. However most folks put them this way because they prefer to define access to the router first in the hierarchy of security and services and then move to the forward chain to define what the users on the LANs will be able to do. For obvious readability it makes sense not to mix the two chains up when making up the rules.
Most important is that ORDER is important WITHIN each chain.

Suggest you bone up on fast track functionality and you will answer your own questions.

Your last questions about drop are good!!.
I use drop all at the end of both chains to drop anything I haven't explicitly stated was allowed, so yes putting that rule in does negate the need for some default rules.
Tricky in the input chain as you need to add an ADMIN ACCESS to the router before dropping default rules.

The question you have posed that I cannot reasonably answer is... why do we still need drop invalid rule with a drop all last rule.
My general sense is that allowing the router to keep attempting to match an invalid packet/connection for longer than necessary may have some dangers??
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
 
Sob
Forum Guru
Posts: 6096
Joined: Mon Apr 20, 2009 9:11 pm

Re: Why do most firewalls have Input rules first?

Thu Oct 15, 2020 7:19 pm

1) It doesn't matter, forward and input are shown together, because it's all filter rules (you can also add additional chains and they will be shown too), but one packet will always go only in input or forward, never both.

2) Not everything can be fasttracked, but you still want it to pass. Plus I think some packets from a fasttracked connection need to take the regular path, to keep it alive (I'm not sure about details, but it should be somewhere in manual).

3) Packets can have invalid state, but they could still match some following accept rule, and even if not, they would have to be tested against all of them (not too many in your case) before reaching the last drop rule. If you have a default-drop firewall, you don't need "Drop all from WAN not DSTNATed" (it's from factory default-allow firewall), but the opposite, accept dstnated. That's if you have some forwarded ports, otherwise you don't need it at all. Blocking bogons, if you want to block also access to them, needs to be before accepting LAN->WAN. Or you can combine the rules and allow LAN->WAN only when destination doesn't belong to bogons.

4) Ask someone else to look at it. :)
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply. Not intended as incentive for masochists.
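As an added illustration of the ordering points in question 3 and the answer above (example code written for this thread, not RouterOS code and not from either poster), here is a small first-match model of the posted forward chain. The rule fields, packet fields and the bogon prefixes are assumptions; FastTrack is folded into the accept rule and "related" is treated as "established". It shows that an invalid packet can hit a later accept rule once "drop invalid" is removed, that a packet which misses every rule is examined against all of them before the final drop, and that a drop of LAN-to-bogon destinations only takes effect above the LAN->WAN accept.

```python
# Constructed first-match model of the poster's forward chain (not RouterOS
# code). Only the match keys used below are modelled.
BOGONS = ("10.", "172.16.", "192.168.")  # constructed, trimmed bogon list

def in_bogons(addr):
    return any(addr.startswith(p) for p in BOGONS)

def matches(rule, pkt):
    """True when every match key on the rule agrees with the packet."""
    for key, want in rule.items():
        if key == "action":
            continue
        if key == "src_bogon":
            got = in_bogons(pkt["src"])
        elif key == "dst_bogon":
            got = in_bogons(pkt["dst"])
        else:
            got = pkt.get(key)
        if got != want:
            return False
    return True

def evaluate(chain, pkt):
    """Walk the chain top to bottom; return (action, rules examined)."""
    for n, rule in enumerate(chain, 1):
        if matches(rule, pkt):
            return rule["action"], n
    return "accept", len(chain)  # no match: RouterOS accepts by default

def packet(state, in_if, out_if, src, dst):
    return {"state": state, "in": in_if, "out": out_if, "src": src, "dst": dst}

# The posted forward chain in its original order (FastTrack and the accept
# behind it folded into one accept rule).
FORWARD = [
    {"action": "accept", "state": "established"},
    {"action": "drop", "state": "invalid"},
    {"action": "accept", "in": "LAN", "out": "WAN"},
    {"action": "drop", "in": "WAN", "src_bogon": True},
    {"action": "drop"},
]

def without_drop_invalid(chain):
    return [r for r in chain if r.get("state") != "invalid"]

def with_egress_bogon_drop(chain, before_lan_accept):
    # Drop LAN traffic to bogon destinations, placed above or below the LAN->WAN accept.
    rule = {"action": "drop", "in": "LAN", "dst_bogon": True}
    pos = 2 if before_lan_accept else 3
    return chain[:pos] + [rule] + chain[pos:]
```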
 
anav
Forum Guru
Posts: 5380
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Why do most firewalls have Input rules first?

Thu Oct 15, 2020 8:23 pm

So Sob,
Do you use block bogons in your firewall rules? (either of the two methods, not important, just if you do)
If not, why not?
 
felodimul
just joined
Topic Author
Posts: 4
Joined: Wed Aug 12, 2020 5:59 pm

Re: Why do most firewalls have Input rules first?

Thu Oct 15, 2020 8:48 pm

Thanks as always for the very educational replies!
 
Sob
Forum Guru
Posts: 6096
Joined: Mon Apr 20, 2009 9:11 pm

Re: Why do most firewalls have Input rules first?

Thu Oct 15, 2020 10:08 pm

@anav: It depends. When it's something more important that deserves "proper" config, then yes, with the main motivation being leaking private subnets. Home config? Who cares. If there's a packet with a spoofed source from internet to router, it gets dropped anyway, because nothing is open on router. If there's some forwarded ports and it gets to internal server, there's nothing critical it could break. There's no autodestruction triggered by a single UDP packet from whitelisted addresses, or anything like that. :) And outgoing packets to wrong addresses? There shouldn't be any, and while it would be nice to filter them just in case, they should be filtered by ISP anyway. I may improve it in future, but so far it's not a pressing matter.
 
anav
Forum Guru
Posts: 5380
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Why do most firewalls have Input rules first?

Thu Oct 15, 2020 10:36 pm

Okay so no harm done by having it but then it doesn't really do much.
 
aesmith
Frequent Visitor
Posts: 70
Joined: Wed Mar 27, 2019 6:43 pm

Re: Why do most firewalls have Input rules first?

Thu Oct 15, 2020 10:38 pm
