eryx
just joined
Topic Author
Posts: 1
Joined: Sat Jul 24, 2021 8:17 am

Which FW rule permits 'services'

Sat Jul 24, 2021 8:27 am

Hello,

I currently have more or less vanilla firewall rule setup on a MT device and I am trying to understand how 'services' like, say, winbox are permitted.
I see that there is an 'established' connection in the FW -> Connection table when winbox is running:
192.168.88.30:55928 -> 192.168.88.1:8291
The way I understand netfilter is that this means that the connection was accepted by some rule when the connection was 'new', however I cannot find a corresponding rule in the FW INPUT chain.

I believe the only INPUT chain rule in vanilla MT FW config is to allow 'related' and 'established' conns, and perhaps an ICMP rule, however in practice I see that whatever is defined under IP->Services is allowed from the LAN interface. Could someone explain to me where is the corresponding INPUT rule for the 'services' to be accepted by the firewall?

Thank you,
Eryx
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Which FW rule permits 'services'

Sat Jul 24, 2021 5:05 pm

Hi eryx.

Input chain is for traffic TO/FROM the router. This includes all services the router can perform:
DNS, NTP, etc.

Winbox is a router service but does not need to be stated specifically in the input chain rule.
Most put something that allows the admin full access to the router on the input chain such as

add chain=input action=accept in-interface-list=managment source-address-list=adminaccess

where
a. the in-interface-list can be the one the admin resides upon (could be the home LAN for example) and is optional if one has a source address list
b. the source address list, which describes all static LAN IPs the admin will use to access the router (laptop, desktop, ipad, smartphone), and these could be from several subnets...

Thusly, ONLY the admin has full access to the router.
The default rule that most MT routers come with is already configured, for simplicity's sake, to allow users full access, so the narrowing of focus is a good security measure, but then one has to ensure required services are still provided by additional rules in the input chain,
allow DNS to all LAN users for example.
Then put in a last rule in the input chain of DROP all else.
In this way no traffic to or from the router can occur if you have not expressly allowed it.


The forward chain is all traffic that goes ACROSS The router and this is LAN to WAN, WAN to LAN and LAN to LAN.

Recommend changing the winbox port to something else other than the default, 12450 for example.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Which FW rule permits 'services'

Sat Jul 24, 2021 5:10 pm

In Winbox, you have IP SERVICES.
Here you can turn ON or OFF services the router provides and some additional settings.
However you still have to use the input chain to allow LAN users access to those services.

Under firewall rules you can find Service Ports which you can disable or enable and assign different ports.
There is no overlap between the two different areas except ftp.

I would assume some of these other ports are for other services the router provides via other menu settings.
In all cases I believe that one still has to create input chain rules to provide services to LAN users...
 
akakua
newbie
Posts: 49
Joined: Mon Apr 06, 2020 4:52 pm

Re: Which FW rule permits 'services'

Sat Jul 24, 2021 5:42 pm

/ip firewall filter add action=drop chain=input comment="Input drop all not coming from LAN" in-interface-list=!LAN
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Which FW rule permits 'services'

Sat Jul 24, 2021 5:46 pm

/ip firewall filter add action=drop chain=input comment="Input drop all not coming from LAN" in-interface-list=!LAN
A rule without context is not much help.
For the OP this is the rule that would have been matched.
It basically states drop any traffic that is NOT coming from the LAN. In effect, drop all WAN to router traffic and allow LAN to router traffic.
So when you select winbox function (which is a router service) it would have been matched against the above rule and permitted.

Once traffic matches a rule it is no longer assessed against any other rules.

The above rule is simplified to ensure the new user can safely reach the router and a similar rule in the forward chain for the new user to safely reach the internet.
 
akakua
newbie
Posts: 49
Joined: Mon Apr 06, 2020 4:52 pm

Re: Which FW rule permits 'services'

Sat Jul 24, 2021 7:31 pm

A rule without context is not much help.
Questions - "Which FW rule permits 'services'" and "Could someone explain to me where is the corresponding INPUT rule for the 'services' to be accepted by the firewall?"
Answer - "/ip firewall filter add action=drop chain=input comment="Input drop all not coming from LAN" in-interface-list=!LAN"
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Which FW rule permits 'services'

Sat Jul 24, 2021 8:21 pm

The question is missing where services should be reachable, on WAN or on LAN.
That rule can't be the answer because it does not permit services from WAN and does not block services from LAN (ignoring other rules).

I did not write "accept from LAN", I wrote "do not block services from LAN".
Very big difference.


Better description is: NO ONE RULE ACCEPTS, this rule simply DOES NOT DROP.

The best firewall is deny all except what is wanted; fewer rules than accept all and try to deny everything... and every time something is missing...
 
Emil66
Frequent Visitor
Posts: 62
Joined: Tue Aug 28, 2018 2:09 am

Re: Which FW rule permits 'services'

Sat Jul 24, 2021 9:40 pm

The firewall in RouterOS is default-allow. The underlying Linux kernel can set a different default policy per chain, but this is not exposed in RouterOS. So any packet which makes it to the end of a chain is accepted. The rule which is responsible for "allowing" services on the router to be accessed is any rule which doesn't drop or reject these connections. The rule which would drop them is the one @akakua cited, but it has an exception. It's part of the default configuration and there it is the last rule in the input chain. It drops all incoming connections, except those coming from an interface that is in the LAN interface-list. That means a new connection from a LAN interface isn't filtered out and that means it's allowed. You could replace that rule by one rule which allows incoming connections from LAN and another rule which drops all incoming connections. That would make the intention more explicit.

If you want to make the firewall reject everything by default, then add a rule which drops/rejects everything to the end of the INPUT and FORWARD chains, but don't forget to allow yourself access to the router before that rule or you'll shut yourself out.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Which FW rule permits 'services'

Sat Jul 24, 2021 10:15 pm

A rule without context is not much help.
Questions - "Which FW rule permits 'services'" and "Could someone explain to me where is the corresponding INPUT rule for the 'services' to be accepted by the firewall?"
Answer - "/ip firewall filter add action=drop chain=input comment="Input drop all not coming from LAN" in-interface-list=!LAN"
To answer the question more clearly, that rule is one of the few rules that has a blocking nature in the input chain (traffic to or from the router).
Correct in that it's a default rule to safely allow the new admin the ability to access and configure the router and all users to have access to all the services that are provided by the router.
However it is weak in terms of firewall rules overall because it blocks WAN to router, but allows ALL LAN to router, and clearly we don't need to have every user have full access to the router.
We should only give the admin full access to the router and the rest of the users only need access to the services.

Hence
add action=drop chain=input comment="Input drop all not coming from LAN" in-interface-list=!LAN

Becomes:
add action=accept chain=input source-address-list=adminaccess
(only admin can access the router for config purposes)
add action=accept chain=input comment="Allow LAN DNS queries - TCP" \
    connection-state=new dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input comment="Allow LAN DNS queries-UDP" \
    connection-state=new dst-port=53 in-interface-list=LAN protocol=udp
(services for all users)
add action=drop chain=input comment="drop all else"
(drop all other traffic)

note: adminaccess is done in firewall address lists (/ip firewall address-list) and uses statically assigned DHCP leases; replace each placeholder with the real address.
add address=<IP-of-admin-desktop> list=adminaccess
add address=<IP-of-admin-laptop> list=adminaccess
add address=<IP-of-admin-ipad> list=adminaccess
add address=<IP-of-admin-smartphone> list=adminaccess

So to reiterate.
Rextended is bang on, much better to have drop-all-else rules at the end of the input chain (and forward chain) because it is cleaner/more efficient, and if there is something that should be blocked that we don't know about, the rules do that for us for the most part.

Emil66 is also bang on, one has to be careful when placing the drop-all rule in the input chain because if it is done before you have a proper access rule for the Admin in place (and firewall address list, if using one), then you will be locked out of the router and will have to reset it from scratch.
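To make the two points in this thread concrete (Emil66's "a packet that reaches the end of a chain is accepted" and anav's tightened rule set above), here is an added toy model in Python. It is not RouterOS code and not from any poster; it only simulates first-match evaluation over a chain with a default-allow end, using constructed interface lists, address lists and sample connections (the 192.168.88.x hosts and the WAN address are made up for the example).

```python
"""Toy first-match firewall chain evaluator (added example, not RouterOS code).

Models two behaviours discussed in the thread:
  * chains are first-match: the first rule whose matchers all fit decides,
    and later rules are never consulted for that packet;
  * a packet that reaches the end of a chain without matching is accepted,
    so the default "drop in-interface-list=!LAN" rule lets every LAN
    connection fall through to accept, while the tightened chain only
    admits the admin address list and LAN DNS.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed interface lists and address lists (assumptions for the example).
INTERFACE_LISTS = {"LAN": {"bridge", "ether2"}, "WAN": {"ether1"}}
ADDRESS_LISTS = {"adminaccess": {"192.168.88.30", "192.168.88.31"}}


@dataclass
class Packet:
    in_interface: str
    src: str
    dst: str
    protocol: str
    dst_port: int
    state: str = "new"          # conntrack state: new / established / related


@dataclass
class Rule:
    action: str                                 # "accept" or "drop"
    comment: str = ""
    in_interface_list: Optional[str] = None     # "LAN" or "!LAN" (negated)
    src_address_list: Optional[str] = None
    protocol: Optional[str] = None
    dst_port: Optional[int] = None
    connection_state: Optional[str] = None      # comma-separated states

    def matches(self, pkt: Packet) -> bool:
        """All configured matchers must fit; unset matchers match anything."""
        if self.in_interface_list is not None:
            name = self.in_interface_list.lstrip("!")
            negated = self.in_interface_list.startswith("!")
            in_list = pkt.in_interface in INTERFACE_LISTS.get(name, set())
            if in_list == negated:              # "!LAN" matches only non-LAN
                return False
        if self.src_address_list is not None and \
                pkt.src not in ADDRESS_LISTS.get(self.src_address_list, set()):
            return False
        if self.protocol is not None and self.protocol != pkt.protocol:
            return False
        if self.dst_port is not None and self.dst_port != pkt.dst_port:
            return False
        if self.connection_state is not None and \
                pkt.state not in self.connection_state.split(","):
            return False
        return True


def evaluate(chain: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """Walk the chain first-match; return (verdict, deciding rule comment)."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.action, rule.comment
    return "accept", "end of chain (default-allow)"


# Default-config style input chain: the established/related accept followed
# by the "!LAN" drop that akakua quoted. Nothing explicitly accepts LAN.
DEFAULT_INPUT = [
    Rule("accept", "accept established,related",
         connection_state="established,related"),
    Rule("drop", "Input drop all not coming from LAN", in_interface_list="!LAN"),
]

# anav's tightened chain: admin gets everything, LAN gets DNS, rest is dropped.
TIGHT_INPUT = [
    Rule("accept", "admin full access", src_address_list="adminaccess"),
    Rule("accept", "Allow LAN DNS queries - TCP", connection_state="new",
         dst_port=53, in_interface_list="LAN", protocol="tcp"),
    Rule("accept", "Allow LAN DNS queries-UDP", connection_state="new",
         dst_port=53, in_interface_list="LAN", protocol="udp"),
    Rule("drop", "drop all else"),
]

# Constructed sample connections: the OP's winbox session from an admin LAN
# host, the same from a non-admin LAN host, a LAN DNS query, and a winbox
# attempt arriving on the WAN port.
ADMIN_WINBOX = Packet("bridge", "192.168.88.30", "192.168.88.1", "tcp", 8291)
USER_WINBOX = Packet("bridge", "192.168.88.50", "192.168.88.1", "tcp", 8291)
USER_DNS = Packet("bridge", "192.168.88.50", "192.168.88.1", "udp", 53)
WAN_WINBOX = Packet("ether1", "203.0.113.7", "198.51.100.2", "tcp", 8291)

if __name__ == "__main__":
    samples = [("admin winbox", ADMIN_WINBOX), ("user winbox", USER_WINBOX),
               ("user dns", USER_DNS), ("wan winbox", WAN_WINBOX)]
    for label, chain in (("default", DEFAULT_INPUT), ("tightened", TIGHT_INPUT)):
        for name, pkt in samples:
            verdict, why = evaluate(chain, pkt)
            print(f"{label:9} {name:12} -> {verdict:6} ({why})")
```

Running it shows the thread's answer directly: under the default chain the admin's winbox connection is accepted by "end of chain (default-allow)", i.e. no rule accepted it, the `!LAN` drop simply did not match; under the tightened chain the same connection is accepted by the admin rule, a non-admin LAN host reaches winbox only as far as "drop all else", and LAN DNS still works.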
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Which FW rule permits 'services'

Sun Jul 25, 2021 12:07 am

Really... not, if MAC access (winbox/telnet) is kept active on the LAN side (better if one port is left as a MGMT ethernet)
[or using CLI on console/serial port].
Firewall works on layer 3, MAC on layer 2; only a misconfigured layer 2 bridge/vlan/ethernet/802.1x etc. can lock the device (console/serial port apart).
