garymikrotik
just joined
Topic Author
Posts: 11
Joined: Fri Jul 02, 2021 6:27 pm

firewall rules questions

Fri Jul 23, 2021 8:38 pm

Hello,

I just got a RB750GR3 and am in the process of getting it configured prior to replacing my current router.

I have questions about the firewall rules listed in https://wiki.mikrotik.com/wiki/Manual:S ... r#Firewall.
1. Is the syntax still valid for ROS v6.48.3(stable)?
2. Are the rules meant to add additional rules or replace the default rules?
3. Knowing that firewall rules are order dependent and there is no discussion about inserting or merging the rules into the default rules, am I correct in thinking that I have to figure out where in the chain the rules need to go?

Regards,
Gary
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: firewall rules questions  [SOLVED]

Sat Jul 24, 2021 5:37 pm

Hi Gary,
The default rules are simplified to ensure a new user can just log in and start working right away.
If you want to start configuring the router and the firewall rules, then the link is not bad but needs a bit of work.
In general the default rules allow all traffic to pass except stuff it blocks.

The link and most folks prefer to change that around and state: we will allow only traffic we want and block the rest.
So basically one has to do the following.

1. stop FULL user access to the router on the input chain (input chain is traffic to and from the router itself).
2. only allow the admin full access to the router on the input chain
3. allow users access to needed services only (vice full access).
4. lastly put a drop all else rule in the input chain.

The tricky part is step 2.
Basically if the admin sets up a management subnet then one can use that subnet as a parameter, effectively blocking everyone else.
If like most of us you have a shared home LAN then you will need to refine home users to the admin using a source address or source address list.
If you have multiple admin devices (laptop, desktop, ipad, smartphone used to configure the devices) then you will need a source address list.
If you want to access the router from multiple devices AND from various subnets (not just management or home lan) then you need to open up the interface allowed as well.

examples...
add chain=input action=accept in-interface-list=management (where only admin uses a subnet you could state the subnet or make an interface list entry - my preference)
add chain=input action=accept in-interface=homelan src-address=<ip_of_admin_desktop> (where admin is on homelan with other users and only uses one device)
add chain=input action=accept in-interface=homelan src-address-list=adminaccess (where admin access includes IPs of desktop, laptop, ipad, smartphone of admin etc.)
add chain=input action=accept in-interface-list=LAN src-address-list=adminaccess (where admin wants to access router from various subnets).

To allow users access to services, typical example is DNS services.
add action=accept chain=input comment="Allow LAN DNS queries - TCP" \
connection-state=new dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input comment="Allow LAN DNS queries-UDP" \
connection-state=new dst-port=53 in-interface-list=LAN protocol=udp

Finally, ensure the last rule is a drop all rule.
add chain=input action=drop comment="drop all else"

In the forward chain, the same type of logic applies.
We want to move to block everything and state only what's allowed.
So we modify the complex block-WAN and port-forwarding dual-purpose rule and simply state allow port forwarding.
Since the default allows all traffic including LAN to WAN and we are going to block all traffic, then we need to create an allow internet rule.

So the single rule becomes in effect 3 rules:
add action=accept chain=forward comment="Allow Port Forwarding" connection-nat-state=dstnat \
connection-state=new in-interface-list=WAN
add action=accept chain=forward comment="allow LANS to WAN " \
in-interface-list=LAN out-interface-list=WAN
add action=drop chain=forward comment="drop all else"


That is all you really need to do, keeping all the other default rules as they are valid.
input chain
established related....
block invalid
icmp

And in the Forward chain
ipsec in
ipsec out
fast track
established related
block invalid

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
The one last thing to comment on is you will see a long list of addresses NOT-IN-INTERNET on the link to MT
Those are IP addresses that are not legitimate public IP addresses and so those ones would never be upon a request heading outbound normally.
Not sure how or why a person or a bot that infected a PC would attempt to do that, but it appears that MT staff want to block such traffic in the firewall rules.

But we can entertain that type of rule if you want.
This would simply be a drop rule for that firewall address list used as a destination list and it would have to go right before the allow full internet access rule.

add action=drop chain=forward in-interface-list=LAN dst-address-list=Not_In_internet
add action=accept chain=forward comment="allow LANS to WAN " \
in-interface-list=LAN out-interface-list=WAN

The caution I have here is to look closely at your private subnets on your LAN and if any coincide (like 192.168.0.1 etc.) then you would have to disable that firewall list entry.
++++++++++++++++++++++++++++++++++++++++++++

Final word, more important than that link addition is ensuring you set RP filter to Loose in your settings. Not sure what the default is but it is found under IP Settings. RP Filter!
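A consolidated configuration, added here as an example and not taken from the original post, that puts anav's rules in order together with the default rules he lists as worth keeping (which the post names but does not spell out). The admin addresses are made up, and the Not_In_internet entries shown are a few well-known private ranges standing in for the full list on the linked wiki page.

```routeros
# Added example for RouterOS v6 (not from the original post). Assumes the
# default interface lists LAN and WAN exist, that 192.168.88.10/.11 are the
# admin devices (constructed addresses), and that Not_In_internet is filled
# from the linked wiki page; only a few illustrative entries are shown here.
/ip firewall address-list
add list=adminaccess address=192.168.88.10 comment="admin desktop (example)"
add list=adminaccess address=192.168.88.11 comment="admin laptop (example)"
add list=Not_In_internet address=0.0.0.0/8
add list=Not_In_internet address=10.0.0.0/8
add list=Not_In_internet address=172.16.0.0/12
add list=Not_In_internet address=192.168.0.0/16 comment="disable if your LAN uses 192.168.x.x"

/ip firewall filter
# ---- input chain: traffic to the router itself; defaults first, drop-all last ----
add chain=input action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
add chain=input action=drop connection-state=invalid comment="defconf: drop invalid"
add chain=input action=accept protocol=icmp comment="defconf: accept ICMP"
add chain=input action=accept in-interface-list=LAN src-address-list=adminaccess comment="admin devices get full router access"
add chain=input action=accept in-interface-list=LAN protocol=udp dst-port=53 connection-state=new comment="Allow LAN DNS queries - UDP"
add chain=input action=accept in-interface-list=LAN protocol=tcp dst-port=53 connection-state=new comment="Allow LAN DNS queries - TCP"
add chain=input action=drop comment="drop all else"

# ---- forward chain: traffic through the router; the same logic ----
add chain=forward action=accept ipsec-policy=in,ipsec comment="defconf: accept in ipsec policy"
add chain=forward action=accept ipsec-policy=out,ipsec comment="defconf: accept out ipsec policy"
add chain=forward action=fasttrack-connection connection-state=established,related comment="defconf: fasttrack"
add chain=forward action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
# the Not_In_internet drop must sit right before the allow-LAN-to-WAN rule
add chain=forward action=drop in-interface-list=LAN dst-address-list=Not_In_internet comment="drop LAN traffic to non-internet destinations"
add chain=forward action=accept connection-nat-state=dstnat connection-state=new in-interface-list=WAN comment="Allow Port Forwarding"
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN comment="allow LANS to WAN"
add chain=forward action=drop comment="drop all else"

# reverse-path filter, as recommended at the end of the post (IP > Settings)
/ip settings set rp-filter=loose
```

Because both chains end in a drop-all rule, anything not explicitly accepted above it (a second LAN subnet reaching the first, a service on the router other than DNS) is silently dropped, so check /ip firewall filter counters after applying.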
