bigguns
Member Candidate
Topic Author
Posts: 238
Joined: Thu Apr 01, 2010 9:03 am

Firewall - securing the RB - can someone look at my rules

Fri May 28, 2010 7:05 pm

Hi there,

I'm trying to secure my RB, and I would be very grateful if someone could look at the following rules and tell me if these are ok, or if I need more to secure it.

Thanks:

[admin@MikroTik] /ip firewall filter> print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; log invalid connections
chain=input action=log connection-state=invalid log-prefix="INVALID"

1 X ;;; ICMP Accept
chain=input action=accept protocol=icmp

2 ;;; accept established connections
chain=input action=accept connection-state=established

3 ;;; accept related connections
chain=input action=accept connection-state=related

4 ;;; accept hosts from lan
chain=input action=accept src-address-list=lan_list

5 ;;; accept hosts from trusted list
chain=input action=accept src-address-list=trusted_list

6 ;;; port knock stage 1
chain=input action=add-src-to-address-list protocol=tcp
address-list=knock_list address-list-timeout=15s dst-port=60000

7 ;;; port knock stage 2
chain=input action=add-src-to-address-list protocol=tcp
src-address-list=knock_list address-list=trusted_list
address-list-timeout=15m dst-port=40000

8 ;;; Drop FTP Brute Forcers
chain=input action=drop protocol=tcp src-address-list=ftp_blacklist
dst-port=21

9 chain=output action=accept protocol=tcp content="530 Login incorrect"
dst-limit=1/1m,9,dst-address/2m

10 chain=output action=add-dst-to-address-list protocol=tcp
address-list=ftp_blacklist address-list-timeout=3h
content="530 Login incorrect"

11 ;;; Drop SSH Brute Forcers
chain=input action=drop protocol=tcp src-address-list=ssh_blacklist
dst-port=22

12 chain=input action=add-src-to-address-list connection-state=new
protocol=tcp src-address-list=ssh_stage2 address-list=ssh_stage3
address-list-timeout=1m dst-port=22

13 chain=input action=add-src-to-address-list connection-state=new
protocol=tcp src-address-list=ssh_stage1 address-list=ssh_stage2
address-list-timeout=1m dst-port=22

14 chain=input action=add-src-to-address-list connection-state=new
protocol=tcp address-list=ssh_stage1 address-list-timeout=1m dst-port=22

15 chain=input action=add-src-to-address-list connection-state=new
protocol=tcp src-address-list=ssh_stage3 address-list=ssh_blacklist
address-list-timeout=1w3d dst-port=22

16 ;;; drop invalid connections
chain=input action=drop connection-state=invalid

17 ;;; drop everything else
chain=input action=drop
 
fewi
Forum Guru
Posts: 7734
Joined: Tue Aug 11, 2009 3:19 am

Re: Firewall - securing the RB - can someone look at my rule

Sat May 29, 2010 9:37 am

It's hard to give a real answer without knowing how the router is used. What services are you running? What is your security policy? If you are running just FTP and SSH on the router your ruleset is probably sufficient, though use of a VPN rather than port knocking may be preferable. Also, you are only protecting the router itself and aren't protecting any of the networks behind it from the Internet, or the Internet from potentially malicious clients behind your router. Whether either would be necessary would also depend on your security policy.
 
bigguns
Member Candidate
Topic Author
Posts: 238
Joined: Thu Apr 01, 2010 9:03 am

Re: Firewall - securing the RB - can someone look at my rule

Sat May 29, 2010 6:40 pm

Hi thanks for your reply.

To be honest I'm moving from a D-Link 655 - where I'm used to that just protecting the computer behind it.

Given the current rule set, does this achieve the same thing or is there more I need?
I would like to fully secure what I can.
 
fewi
Forum Guru
Posts: 7734
Joined: Tue Aug 11, 2009 3:19 am

Re: Firewall - securing the RB - can someone look at my rule

Sat May 29, 2010 7:29 pm

You are not protecting the network behind the router at all. Traffic in the input chain is for the router itself. Traffic through the router is in the forward chain. At the very least you want to accept all traffic in the forward chain that is established or related, then all traffic with an in-interface that connects to the LAN, and then drop everything else.

The wiki has many firewall examples including protecting the network behind the router and they include those rules.
 
Pilgrim
Member Candidate
Posts: 265
Joined: Sun Mar 30, 2008 1:04 pm

Re: Firewall - securing the RB - can someone look at my rule

Sun May 30, 2010 12:02 am

To make a very basic protection of your LAN you may use something like this. Rule 4 is disabled here and can be enabled if you want to log unwanted traffic to your LAN. If you have any ftp or other server that should be accessible from outside your lan then you need to add a rule to accept this traffic and route it to the right IP on your lan using dst-nat.

0 chain=forward action=drop connection-state=invalid

1 chain=forward action=accept connection-state=established

2 chain=forward action=accept connection-state=related

3 chain=forward action=accept connection-state=new src-address=192.168.0.0/24

4 X chain=forward action=log src-address=!192.168.0.0/24 dst-address=192.168.0.0/24 log-prefix="UNWANTED"

5 chain=forward action=drop src-address=!192.168.0.0/24 dst-address=192.168.0.0/24
 
bigguns
Member Candidate
Topic Author
Posts: 238
Joined: Thu Apr 01, 2010 9:03 am

Re: Firewall - securing the RB - can someone look at my rule

Mon May 31, 2010 12:43 am

Thank you for your inputs on this.
I've started creating more rules to protect the systems.

But looking at the 5 rules below this one:
5 chain=forward action=drop src-address=!192.168.0.0/24 dst-address=192.168.0.0/24

Seems to block all traffic for some reason when used; any idea why?
 
rmichael
Forum Veteran
Posts: 718
Joined: Sun Mar 08, 2009 11:00 pm

Re: Firewall - securing the RB - can someone look at my rule

Mon May 31, 2010 1:40 am

> Thank you for your inputs on this.
> I've started creating more rules to protect the systems.
>
> But looking at the 5 rules below this one:
> 5 chain=forward action=drop src-address=!192.168.0.0/24 dst-address=192.168.0.0/24
>
> Seems to block all traffic for some reason when used; any idea why?

Forward chain applies to incoming and outgoing traffic. Your rule says drop everything with source other than 192.168.0.x. Returning traffic will have, most likely, public IP as a src and 192.168.0.x for destination - and as you can see will qualify for drop action.
 
bigguns
Member Candidate
Topic Author
Posts: 238
Joined: Thu Apr 01, 2010 9:03 am

Re: Firewall - securing the RB - can someone look at my rule

Mon May 31, 2010 1:42 am

Thanks for clearing that up - I was reading it wrong, and now I see the issue with that.
 
bigguns
Member Candidate
Topic Author
Posts: 238
Joined: Thu Apr 01, 2010 9:03 am

Re: Firewall - securing the RB - can someone look at my rule

Mon May 31, 2010 2:54 am

On another topic relating to firewall rules.
Say if I go to my router (10.10.10.10) (without port knocking rules enabled) - I can see the webpage interface for the unit.
Is it possible to redirect any hits to 10.10.10.10 to something like 10.10.10.10/home.html?

Basically on my hotspot router, I'm trying to redirect all hits to the main signup page, should someone attempt to go to the public ip.

Thanks
 
rmichael
Forum Veteran
Posts: 718
Joined: Sun Mar 08, 2009 11:00 pm

Re: Firewall - securing the RB - can someone look at my rule

Mon May 31, 2010 4:43 am

Mikrotik offers Branding Maker to some people which allows you to replace that page with your own. Send email to support to inquire.
Last edited by rmichael on Mon May 31, 2010 6:11 pm, edited 1 time in total.
 
Pilgrim
Member Candidate
Posts: 265
Joined: Sun Mar 30, 2008 1:04 pm

Re: Firewall - securing the RB - can someone look at my rule

Mon May 31, 2010 8:39 am

@bigguns

Setting up the firewall you can choose different approaches e.g. "allow everything and then block what you don't want" - or - "block everything that you have not explicitly allowed" and the rule set above is for the last one - "block everything that you have not explicitly allowed"

Rule no. 1, 2 and 3 will allow all connections initiated from inside your LAN (assuming here that your lan is 192.168.0.xxx) and rule no. 5 is to drop all traffic to your LAN not allowed in line 1, 2 and 3 (or any previous lines you may add before the rule in line 5) - note the "!" sign. The rule is saying drop all packets which are NOT from 192.168.0.0/24 to your lan, i.e. all traffic from outside your lan not allowed by rule 1, 2 and 3 will be dropped. Any traffic inside your lan will not be affected by rule 5 - and any packet accepted by line 1, 2 or 3 will of course pass and will not be forwarded to line 5.

Returning traffic will have the connection-state "established" and will be accepted by rule 1.

rgs Pilgrim
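As an added illustration of the two explanations above (rmichael's point that rule 5 on its own also catches the return half of a LAN-initiated connection, and Pilgrim's point that in the full rule set that return traffic is "established" and accepted by rule 1), here is a small first-match model of the forward chain with a toy connection tracker. This is example code written for this thread, not something from RouterOS or from the posters; the LAN prefix is Pilgrim's assumed 192.168.0.0/24, and the public addresses and flows are constructed.

```python
"""
Added example, not from the thread: a first-match model of the RouterOS
forward chain with a toy connection tracker. It shows why Pilgrim's full rule
set passes the reply to a LAN-initiated connection while rule 5 used on its
own drops it. All addresses and flows below are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

LAN = ipaddress.ip_network("192.168.0.0/24")  # the LAN Pilgrim assumes


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


@dataclass
class Rule:
    action: str                         # "accept", "drop" or "log"
    state: Optional[str] = None         # connection-state=...
    src_in_lan: Optional[bool] = None   # True: src-address=LAN, False: src-address=!LAN
    dst_in_lan: Optional[bool] = None   # same for dst-address


class ConnTracker:
    """Stand-in for connection tracking: the first packet of a flow is 'new';
    any later packet of that flow, in either direction, is 'established'.
    Only flows the firewall accepted are remembered."""

    def __init__(self):
        self.flows = set()

    def state(self, pkt):
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return "established" if fwd in self.flows or rev in self.flows else "new"

    def remember(self, pkt):
        self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))


def in_lan(addr):
    return ipaddress.ip_address(addr) in LAN


def matches(rule, pkt, state):
    if rule.state is not None and rule.state != state:
        return False
    if rule.src_in_lan is not None and in_lan(pkt.src) != rule.src_in_lan:
        return False
    if rule.dst_in_lan is not None and in_lan(pkt.dst) != rule.dst_in_lan:
        return False
    return True


def forward(rules, tracker, pkt):
    """Walk the chain top to bottom; 'log' does not terminate. A packet that
    matches no rule is accepted, which is the chain's default in RouterOS."""
    state = tracker.state(pkt)
    verdict = "accept"
    for rule in rules:
        if matches(rule, pkt, state) and rule.action in ("accept", "drop"):
            verdict = rule.action
            break
    if verdict == "accept":
        tracker.remember(pkt)
    return verdict


# Pilgrim's rules 0-5 (rule 4, disabled in his listing, modelled as enabled 'log').
PILGRIM_RULES = [
    Rule("drop", state="invalid"),
    Rule("accept", state="established"),
    Rule("accept", state="related"),
    Rule("accept", state="new", src_in_lan=True),
    Rule("log", src_in_lan=False, dst_in_lan=True),
    Rule("drop", src_in_lan=False, dst_in_lan=True),
]

# What bigguns tried: rule 5 by itself, with no state-based accepts above it.
RULE5_ALONE = [Rule("drop", src_in_lan=False, dst_in_lan=True)]


def run_scenario(rules):
    """Verdicts for an outbound web request from the LAN, the server's reply,
    and an unsolicited inbound connection attempt from the Internet."""
    tracker = ConnTracker()
    outbound = Packet("192.168.0.10", "203.0.113.5", 51000, 80)
    reply = Packet("203.0.113.5", "192.168.0.10", 80, 51000)
    unsolicited = Packet("198.51.100.7", "192.168.0.10", 40000, 22)
    return {
        "outbound": forward(rules, tracker, outbound),
        "reply": forward(rules, tracker, reply),
        "unsolicited": forward(rules, tracker, unsolicited),
    }


if __name__ == "__main__":
    for name, rules in (("Pilgrim's set", PILGRIM_RULES), ("rule 5 alone", RULE5_ALONE)):
        print(name, run_scenario(rules))
```

With the full set the reply comes back as "established" and is accepted by rule 1 before rule 5 is ever reached; with rule 5 alone the reply has a public source and a LAN destination, matches the drop, and the connection stalls, which is exactly the "blocks all traffic" symptom. In both cases the unsolicited inbound attempt is dropped. Note that the unsolicited packet only reaches the drop because nothing above accepts it; packets that match no rule at all are accepted, so the order of the state rules relative to rule 5 is what makes the set work.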
 
bigguns
Member Candidate
Topic Author
Posts: 238
Joined: Thu Apr 01, 2010 9:03 am

Re: Firewall - securing the RB - can someone look at my rule

Mon May 31, 2010 12:05 pm

> Mikrotik offers Branding Maker to some people which enables you to replace that page with your own. Send email to support to inquire.

Is there no way to just to redirect any hits to that area to another area? I don't need to remove the branding, just make sure users are getting to the page they need - i.e. the hotspot page.

I've tried setting a few rules, but it doesn't allow text to be entered, only IP addresses - which is where I'm stuck.
