KelvinGradCelsius
just joined
Topic Author
Posts: 5
Joined: Mon Apr 13, 2020 2:20 pm

Help checking Firewall

Sun Jul 11, 2021 7:04 pm

Hello MikroTik Forum Users,

if possible I'd like to get some feedback and tips regarding my current firewall settings.

LAN is ether5, which is empty but used to access the RouterBoard in case something happens.
VLAN includes 4 VLAN IDs: 1 (Default), 10 (Main), 20 (Guest), 30 (VoIP). For the moment only 10 and 20 are in real use. A UniFi AC access point spans, via multi-SSID, two Wi-Fi networks separated by VLAN IDs 10 and 20, for home use and for guests.
WAN is the PPPoE client, which is physically connected to ether1.

It would be great to get some input on whether I'm on the right track or need to start over again. Thank you very much.
# jul/11/2021 17:53:01 by RouterOS 6.46.5
# model = RB750Gr3
#
# FIREWALL Rules
#
/ip firewall filter
#
# INPUT Chain
#
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop and log invalid" connection-state=invalid log=yes log-prefix=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="defconf: accept all coming from LAN" in-interface-list=LAN log-prefix=LAN
add action=drop chain=input comment="defconf: drop and log all not coming from VLAN" in-interface-list=!VLAN
#
# FORWARD Chain
#
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop and log invalid" connection-state=invalid log=yes log-prefix=invalid
add action=drop chain=forward comment="drop tries to reach not public addresses from VLAN" dst-address-list=not_in_internet in-interface-list=VLAN log=yes log-prefix=!public_from_LAN \
    out-interface-list=!VLAN
add action=drop chain=forward comment="defconf: drop and log all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN log=yes log-prefix=\
    WAN_!DSTNATed
add action=drop chain=forward comment="drop incoming from internet which is not public IP" in-interface-list=WAN log=yes log-prefix=!public src-address-list=not_in_internet
#
# NAT masquerade
#
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
#
# Addresses NOT in internet
#
/ip firewall address-list
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=not_in_internet
Greetings, Christian
Last edited by KelvinGradCelsius on Thu Jul 15, 2021 8:50 pm, edited 1 time in total.
 
rextended
Forum Guru
Posts: 12001
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Help checking Firewall

Sun Jul 11, 2021 8:24 pm

I do not see any form of prevention against internal spoofing or other types of attack.
Read my signature.
 
KelvinGradCelsius
just joined
Topic Author
Posts: 5
Joined: Mon Apr 13, 2020 2:20 pm

Re: Help checking Firewall

Thu Jul 15, 2021 9:23 pm

Hey rextended,

thank you very much for the quick reply and the great tutorial in your signature. I think I understood the steps and have been able to integrate them into my firewall settings.

It would be really awesome if you or somebody could take a quick look at the settings. I'm coming more from the hardware and software side of electronics and have not been too deep into IT infrastructure settings. Anyway, this is a private home setting.

I have questions about two things.
1. For "New TCP connection without SYN" there is one entry for the input chain and one for the forward chain. In the text I read "This rule must go first on /ip firewall filter on forward section, ...", so do both entries really have to be at the beginning of the forward section? Also the input chain rule?
2. The "Unused Protocol" section I let run for a couple of weeks, add step by step all the protocols I need and use, and then, once I'm confident I have everything, I set the drop rule to "disabled=no", correct?


[@MikroTik] > ip firewall export
RouterOS 6.46.5
#
# model = RB750Gr3

################
## ADDRESS LISTS
################

/ip firewall address-list
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=not_in_internet
add address=XXX.XXX.XXX.XXX/24 list=IP_used_on_LAN # VLAN 1
add address=XXX.XXX.XXX.XXX/24 list=IP_used_on_LAN # VLAN 10
add address=XXX.XXX.XXX.XXX/24 list=IP_used_on_LAN # VLAN 20
add address=XXX.XXX.XXX.XXX/24 list=IP_used_on_LAN # VLAN 30

################
## FIREWALL FILTER
################

/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop and log invalid" connection-state=invalid log=yes log-prefix=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="defconf: accept all coming from LAN" in-interface-list=LAN log-prefix=LAN
add action=drop chain=input comment="defconf: drop and log all not coming from VLAN" in-interface-list=!VLAN
add action=drop chain=input comment="TCP non SYN scan attack input" connection-state=new protocol=tcp tcp-flags=!syn
add action=drop chain=forward comment="TCP non SYN scan attack forward" connection-state=new protocol=tcp tcp-flags=!syn
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop and log invalid" connection-state=invalid log=yes log-prefix=invalid
add action=drop chain=forward comment="drop tries to reach not public addresses from VLAN" dst-address-list=not_in_internet in-interface-list=VLAN log=yes log-prefix=!public_from_LAN out-interface-list=!VLAN
add action=drop chain=forward comment="defconf: drop and log all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN log=yes log-prefix=WAN_!DSTNATed
add action=drop chain=forward comment="drop incoming from internet which is not public IP" in-interface-list=WAN log=yes log-prefix=!public src-address-list=not_in_internet

################
## FIREWALL NAT
################

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN

################
## FIREWALL RAW
################

/ip firewall raw
add action=drop chain=prerouting comment="TCP invalid combination of flags attack (7 rules)" protocol=tcp tcp-flags=!fin,!syn,!rst,!ack
add action=drop chain=prerouting protocol=tcp tcp-flags=fin,syn
add action=drop chain=prerouting protocol=tcp tcp-flags=fin,rst
add action=drop chain=prerouting protocol=tcp tcp-flags=fin,!ack
add action=drop chain=prerouting protocol=tcp tcp-flags=fin,urg
add action=drop chain=prerouting protocol=tcp tcp-flags=syn,rst
add action=drop chain=prerouting protocol=tcp tcp-flags=rst,urg
add action=drop chain=prerouting comment="TCP Port 0 attack (2 rules)" protocol=tcp src-port=0
add action=drop chain=prerouting dst-port=0 protocol=tcp
add action=drop chain=prerouting comment="UDP Port 0 attack (2 rules)" protocol=udp src-port=0
add action=drop chain=prerouting dst-port=0 protocol=udp
add action=drop chain=prerouting comment="ICMP large packet attack" packet-size=1025-65535 protocol=icmp
add action=drop chain=prerouting comment="ICMP fragmentation attack" fragment=yes protocol=icmp
add action=drop chain=prerouting comment="SYN fragmented attack" fragment=yes protocol=tcp tcp-flags=syn
add action=drop chain=prerouting comment="IP option loose-source-routing" ipv4-options=loose-source-routing
add action=drop chain=prerouting comment="IP option strict-source-routing" ipv4-options=strict-source-routing
add action=drop chain=prerouting comment="IP option record-route" ipv4-options=record-route
add action=drop chain=prerouting comment="IP option router-alert" ipv4-options=router-alert
add action=drop chain=prerouting comment="IP option timestamp" ipv4-options=timestamp
add action=drop chain=prerouting comment="IP options left, except IP Stream used by the IGMP protocol" ipv4-options=any protocol=!igmp
add action=drop chain=prerouting comment="IP Spoofing protection from WAN" in-interface-list=WAN src-address-list=IP_used_on_LAN
add action=drop chain=prerouting comment="IP Spoofing protection from LAN" dst-address=!255.255.255.255 in-interface-list=VLAN src-address=!0.0.0.0 src-address-list=!IP_used_on_LAN
add action=log chain=prerouting log=yes log-prefix="Not TCP protocol" protocol=!tcp
add action=accept chain=prerouting protocol=icmp
add action=accept chain=prerouting protocol=igmp
add action=accept chain=prerouting protocol=tcp
add action=accept chain=prerouting protocol=udp
add action=accept chain=prerouting protocol=gre
add action=log chain=prerouting log=yes log-prefix="Not TCP protocol" protocol=!tcp
add action=drop chain=prerouting comment="Unused protocol protection" disabled=yes protocol=!tcp
 
anav
Forum Guru
Posts: 19323
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Help checking Firewall

Thu Jul 15, 2021 11:11 pm

I am a minimalist.
I consider most of what you have bloated crap and not necessary except for rare cases. KISS principle

This is all you need, from your list with some modifications.
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop and log invalid" connection-state=invalid log=yes log-prefix=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1 # remove if not using CAPsMAN
add action=accept chain=input comment="admin access" in-interface-list=Management src-address-list=allowedAdminIPs # @@@
add action=accept chain=input comment="Allow LAN DNS queries - TCP" connection-state=new dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input comment="Allow LAN DNS queries - UDP" connection-state=new dst-port=53 in-interface-list=LAN protocol=udp
add action=drop chain=input comment="drop all else" # not to be added until the admin rules are in place, otherwise you will lock yourself out

add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop and log invalid" connection-state=invalid log=yes log-prefix=invalid
add action=accept chain=forward comment="internet traffic" in-interface-list=VLAN out-interface-list=WAN # ****
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat connection-state=new in-interface-list=WAN # disable or remove if not needed
add action=drop chain=forward comment="drop all else"

**** or whatever interface list you created that details which subnets are allowed internet access (LAN etc.)


@@@ Firewall address list consisting of admin IPs: desktop, laptop, iPad, smartphone.
Interface list "Management" is the subnet(s) the admin wants to connect to the router from, using the list of IPs identified in the firewall address list; it could cover multiple subnets, for example.
Interface list "Management" is also used to identify, in the Tools > MAC Server > MAC WinBox entry, the interfaces allowed to access WinBox.

Summary: all of the above effectively blocks all traffic to and from the router, and WAN-to-LAN, LAN-to-WAN and LAN-to-LAN traffic not expressly permitted. Clean, simple, effective.
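The management-access pieces anav's post refers to, written out as an added example (not anav's, the original poster's, or the RouterOS default configuration): the Management interface list, the allowedAdminIPs address list, the input rules in an order that keeps the admin accept ahead of the final drop, and the MAC-server and IP-service restrictions tied to the same list. The interface name "vlan10 Main", the 192.168.10.x addresses, the admin subnet and the rule comments are assumptions, not values from the thread.

```routeros
# Added example: management access in the order that does not lock you out.
# "vlan10 Main", 192.168.10.x and the comments are assumptions.

# 1. Interface list "Management": the interfaces admins connect from
/interface list
add name=Management comment="interfaces the router may be managed from"
/interface list member
add list=Management interface="vlan10 Main"

# 2. Address list "allowedAdminIPs": which hosts on those interfaces
/ip firewall address-list
add list=allowedAdminIPs address=192.168.10.10 comment="admin desktop"
add list=allowedAdminIPs address=192.168.10.11 comment="admin laptop"

# 3. Input chain: the admin accept is added and verified BEFORE the final drop
/ip firewall filter
add chain=input action=accept comment="admin access" in-interface-list=Management src-address-list=allowedAdminIPs
add chain=input action=accept comment="LAN DNS TCP" connection-state=new dst-port=53 in-interface-list=LAN protocol=tcp
add chain=input action=accept comment="LAN DNS UDP" connection-state=new dst-port=53 in-interface-list=LAN protocol=udp
# Open a new WinBox/SSH session from an admin host, then confirm the rule's
# packet counter is increasing before the drop is entered:
print stats where comment="admin access"
add chain=input action=drop comment="drop all else"

# 4. Same interface list for MAC-based WinBox/telnet, same subnet for IP
#    services, unused services switched off
/tool mac-server set allowed-interface-list=Management
/tool mac-server mac-winbox set allowed-interface-list=Management
/ip service set winbox address=192.168.10.0/24
/ip service set ssh address=192.168.10.0/24
/ip service disable telnet,ftp,www,api
```

Enter Safe Mode before step 3 (Ctrl-X in a terminal, or the Safe Mode button in WinBox): if the session is cut off after the drop rule goes in, RouterOS reverts the changes made in that session. The MAC-server restriction matters because MAC-WinBox and MAC-telnet are Layer 2 and are not filtered by the IP input chain at all; without step 4 the "drop all else" rule leaves them reachable from every bridged interface.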
 
rextended
Forum Guru
Posts: 12001
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Help checking Firewall

Fri Jul 16, 2021 2:26 am

On firewall raw, remove the first
add action=log chain=prerouting log=yes log-prefix="Not TCP protocol" protocol=!tcp
it is duplicated.

1) Thanks, each rule must be the first for each chain; the guide is not finished and the descriptions are not revised.
Thanks to you, now I will fix that text.
2) You can finally enable that rule, but nothing locks you out of winbox/webfig, etc., so you can disable it again if needed. It is still logged.

READ TWO TIMES what @anav has written:
my rules prevent some DDoS and attacks directed at perfectly valid connections,
but @anav helps you to block "standard" undesired behaviours!!!

For example, if my rules are not in place, with the default rules, no one can see internal compromised devices,
and your network can be a source of attack without problem, because the standard rules protect from undesired access, not undesired traffic.
I hope I have explained it well, I'm not English...

But remember: the perfect firewall is: shut down the internet.
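An added example, not from rextended's guide or the poster's export, covering the two questions in this exchange: the "move" commands that put the non-SYN rules first in their own chain (question 1), and the staging of the "Unused protocol" drop (question 2) with a single log rule before the accepts, a single log rule after them, and the drop enabled only once the second log stays quiet. It also carries one caveat the thread's accept list leaves out. The rule comments and log prefixes are assumptions.

```routeros
# Added example: rule ordering and the "unused protocol" staging.
# Comments and log prefixes are assumptions, not the poster's.

/ip firewall filter
# Question 1: "move" places an item before another item. Each non-SYN
# rule goes before the first existing rule of its own chain; chains are
# evaluated independently, so only the order within a chain matters.
move [find comment="TCP non SYN scan attack input"] [find comment="defconf: accept established,related,untracked" chain=input]
move [find comment="TCP non SYN scan attack forward"] [find comment="defconf: accept in ipsec policy"]

/ip firewall raw
# Phase 1: catalogue. This log rule sits before the accepts, so every
# non-TCP packet is recorded while the accept list is being built. It is
# loud (every DNS and ICMP packet), so disable it once the list is done.
add chain=prerouting action=log log=yes log-prefix="proto-seen" protocol=!tcp comment="catalogue non-TCP protocols"
add chain=prerouting action=accept protocol=icmp
add chain=prerouting action=accept protocol=igmp
add chain=prerouting action=accept protocol=tcp
add chain=prerouting action=accept protocol=udp
add chain=prerouting action=accept protocol=gre
# Caveat: the forward chain carries ipsec-policy rules, but ESP/AH are not
# in this accept list. If IPsec is ever used, accept them here as well or
# the drop below breaks the tunnel.
# add chain=prerouting action=accept protocol=ipsec-esp
# add chain=prerouting action=accept protocol=ipsec-ah
# Phase 2: only packets no accept rule matched reach this point, so this
# log shows exactly what the drop would hit.
add chain=prerouting action=log log=yes log-prefix="proto-unknown" protocol=!tcp comment="what the drop below would hit"
add chain=prerouting action=drop disabled=yes protocol=!tcp comment="Unused protocol protection"

# Review before enabling: hit counter of the second log rule, and the log
/ip firewall raw print stats where comment="what the drop below would hit"
/log print where message~"proto-unknown"

# Once the counter has stayed at zero for the observation period, enable
# the drop; TCP (WinBox, SSH, WebFig) is accepted above it, so rolling back
# is one command from the same session.
/ip firewall raw set [find comment="Unused protocol protection"] disabled=no
/ip firewall raw set [find comment="Unused protocol protection"] disabled=yes
```

Raw prerouting runs before connection tracking and before fasttrack, so a protocol dropped here never reaches the filter chains; that is what makes it cheap, and also why a missing accept (ESP, or any VPN protocol added later) shows up as a silently dead connection rather than a filter-chain log line.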
 
KelvinGradCelsius
just joined
Topic Author
Posts: 5
Joined: Mon Apr 13, 2020 2:20 pm

Re: Help checking Firewall

Sun Jul 18, 2021 5:49 pm

Hey guys,

thanks a lot for the help and clarification. This is my final setup.

I changed to the "drop all" approach at the end, and only accept what is needed before it. That fits better with my internal logic. Thanks anav. Besides that, I've added the raw rules I can truly follow. Thanks rextended.

All inter-VLAN communication is blocked except Guest VLAN to the AV receiver, so guests are able to play Spotify or something else directly from the guest WLAN. It would be great if you could have a final look and give me a hint if something went the wrong way.

################
## ADDRESS LISTS
################

/ip firewall address-list
add address=XXX.XXX.XXX.XXX/24 list=IP_used_on_LAN # VLAN 1
add address=XXX.XXX.XXX.XXX/24 list=IP_used_on_LAN # VLAN 10
add address=XXX.XXX.XXX.XXX/24 list=IP_used_on_LAN # VLAN 20
add address=XXX.XXX.XXX.XXX/24 list=IP_used_on_LAN # VLAN 30
add address=XX list=allowedAdminIPs
add address=XX list=allowedAdminIPs

################
## FIREWALL FILTER
################

/ip firewall filter

################
## INPUT CHAIN
################

add action=drop chain=input comment="TCP non SYN scan attack input" connection-state=new protocol=tcp tcp-flags=!syn
add action=accept chain=input comment="Accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="Drop and log invalid" connection-state=invalid log=yes log-prefix=invalid
add action=accept chain=input comment="Accept ICMP" protocol=icmp
add action=accept chain=input comment="Accept all coming from unused Ether" in-interface-list="Ether_X" log-prefix=LAN
add action=accept chain=input comment="Accept Management IP to connect" in-interface-list=VLAN src-address-list=allowedAdminIPs
add action=accept chain=input comment="Accept LAN DNS queries-TCP" connection-state=new dst-port=53 in-interface-list=VLAN protocol=tcp
add action=accept chain=input comment="Accept LAN DNS queries-UDP" connection-state=new dst-port=53 in-interface-list=VLAN protocol=udp
add action=drop chain=input comment="Drop all else"

################
## FORWARD CHAIN
################

add action=drop chain=forward comment="TCP non SYN scan attack forward" connection-state=new protocol=tcp tcp-flags=!syn
add action=accept chain=forward comment="Accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="Accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment=Fasttrack connection-state=established,related
add action=accept chain=forward comment="Accept established, related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="Drop and log invalid" connection-state=invalid log=yes log-prefix=invalid
add action=accept chain=forward comment="Internet traffic" in-interface-list=VLAN out-interface-list=WAN
add action=accept chain=forward comment="Accept port forwarding" connection-nat-state=dstnat connection-state=new in-interface-list=WAN
add action=accept chain=forward comment="Accept Guest to Access AV-Receiver" dst-address=XX.XX.XX.XX in-interface="vlan20 Guest "
add action=accept chain=forward comment="Accept AV-Receiver to Access Guest" out-interface="vlan20 Guest " src-address=XX.XX.XX.XX
add action=drop chain=forward comment="Drop all else"

################
## FIREWALL NAT
################

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN

################
## FIREWALL RAW
################

/ip firewall raw
add action=drop chain=prerouting comment="TCP invalid combination of flags attack (7 rules)" protocol=tcp tcp-flags=!fin,!syn,!rst,!ack
add action=drop chain=prerouting protocol=tcp tcp-flags=fin,syn
add action=drop chain=prerouting protocol=tcp tcp-flags=fin,rst
add action=drop chain=prerouting protocol=tcp tcp-flags=fin,!ack
add action=drop chain=prerouting protocol=tcp tcp-flags=fin,urg
add action=drop chain=prerouting protocol=tcp tcp-flags=syn,rst
add action=drop chain=prerouting protocol=tcp tcp-flags=rst,urg
add action=drop chain=prerouting comment="TCP Port 0 attack (2 rules)" protocol=tcp src-port=0
add action=drop chain=prerouting dst-port=0 protocol=tcp
add action=drop chain=prerouting comment="UDP Port 0 attack (2 rules)" protocol=udp src-port=0
add action=drop chain=prerouting dst-port=0 protocol=udp
add action=drop chain=prerouting comment="ICMP large packet attack" packet-size=1025-65535 protocol=icmp
add action=drop chain=prerouting comment="ICMP fragmentation attack" fragment=yes protocol=icmp
add action=drop chain=prerouting comment="SYN fragmented attack" fragment=yes protocol=tcp tcp-flags=syn
add action=drop chain=prerouting comment="IP option loose-source-routing" ipv4-options=loose-source-routing
add action=drop chain=prerouting comment="IP option strict-source-routing" ipv4-options=strict-source-routing
add action=drop chain=prerouting comment="IP option record-route" ipv4-options=record-route
add action=drop chain=prerouting comment="IP option router-alert" ipv4-options=router-alert
add action=drop chain=prerouting comment="IP option timestamp" ipv4-options=timestamp
add action=drop chain=prerouting comment="IP options left, except IP Stream used by the IGMP protocol" ipv4-options=any protocol=!igmp
add action=drop chain=prerouting comment="IP Spoofing protection from WAN" in-interface-list=WAN src-address-list=IP_used_on_LAN
add action=drop chain=prerouting comment="IP Spoofing protection from VLAN" dst-address=!255.255.255.255 in-interface-list=VLAN src-address=!0.0.0.0 src-address-list=!IP_used_on_LAN
