lapsio
Member
Topic Author
Posts: 470
Joined: Wed Feb 24, 2016 5:19 pm

"New" default firewall config in ROS - why ipsec is default allowed?

Mon Nov 27, 2017 11:54 am

It might be a bit of an outdated question, but surely not too much, as interface lists are still a relatively new feature... anyway: why does the new default ROS firewall config accept ipsec by default, wat??? It makes me feel really uncomfortable... And why accept untracked connections by default - is there some technical detail that makes such an action implicit, or are there other reasons to do so? In the case of ipv4 it doesn't seem so bad, as it seems to be integrated with ROS ipsec policy management, but for ipv6 it seems to simply forward generic AH/ESP/IKE packets just like that... really?... Am I missing something, or does it smell like some easy-backdoor feature for anyone with access to a machine with a public IP? I don't know what to think about it; it makes me a bit confused and slightly worried.
MTCNA, MTCRE, MTCINE
 
normis
MikroTik Support
Posts: 24188
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: "New" default firewall config in ROS - why ipsec is default allowed?

Mon Nov 27, 2017 11:58 am

Post the config that shows what you described.
Maybe you enabled VPN in QuickSet?
 
lapsio
Member
Topic Author
Posts: 470
Joined: Wed Feb 24, 2016 5:19 pm

Re: "New" default firewall config in ROS - why ipsec is default allowed?

Mon Nov 27, 2017 1:14 pm

It's an RB750G. Probably not updated since it arrived. Today I took it from our closet full of mikrotik devices because we sent something like two dozen RB950s to our clients for PoC installations and simply ran out of "new" RBs, so I had to resurrect some ancient junk. It had ROS v5, I don't remember which one exactly. As it had some unknown config, I performed a reset to factory settings, then upgraded. It installed 6.37, so I had to upgrade it again. Probably due to the huge leap, the default config looked a bit derpy (stateless firewall with only 3 accept chain entries), so I performed a factory reset once again, and this is what I noticed:
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
add address=::224.0.0.0/100 comment="defconf: other" list=bad_ipv6
add address=::127.0.0.0/104 comment="defconf: other" list=bad_ipv6
add address=::/104 comment="defconf: other" list=bad_ipv6
add address=::255.0.0.0/104 comment="defconf: other" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/16
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
This is right after a factory reset. I certainly doubt this router ever had IPsec even enabled. I got almost the same result with an RB750GL, except that it didn't have the ipv6 package enabled by default; however, that GL already had some 6.x installed when I attempted to upgrade and reset it.
MTCNA, MTCRE, MTCINE
 
mrz
MikroTik Support
Posts: 5931
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: "New" default firewall config in ROS - why ipsec is default allowed?

Fri Dec 01, 2017 6:07 pm

IPsec is accepted per the RFC 6092 recommendations:
"
IPsec transport and tunnel modes are explicitly secured by
definition, so this document recommends that the DEFAULT operating
mode permit IPsec. To facilitate the use of IPsec in support of IPv6
mobility, the Internet Key Exchange (IKE) protocol [RFC5996] and the
Host Identity Protocol (HIP) [RFC5201] should also be permitted in
the DEFAULT operating mode.
"

Untracked was also added in relation to IPsec, for the case when ipsec generates RAW rules automatically.
Another reason why those firewall rules exist in the default firewall is that many users have a hard time understanding how to set up the firewall properly in combination with IPsec tunnels.
 
lapsio
Member
Topic Author
Posts: 470
Joined: Wed Feb 24, 2016 5:19 pm

Re: "New" default firewall config in ROS - why ipsec is default allowed?

Fri Dec 01, 2017 7:02 pm

Ipsec is accepted by RFC 6092 recommendations:
...
Untracked was added also in relation to IPSec, in case when ipsec generates RAW rules automatically.
...
Ok, sounds legit for ipv4. However, the ipv6 variant allows arbitrary traffic to pass through ports 500 and 4500 even if there's no IPsec enabled on the router. I mean, my point is that the ipv4 variant is correlated with the actual mtk ipsec config, and that's cool, while ipv6 simply allows ports which may not be the actual ports used by ipsec and may be easily exploited if there's no ipsec server running anywhere. I'm not using ipv6 anywhere due to many security concerns and my insignificant experience with it yet, but situations like these don't make me any more convinced about enabling ipv6...

Though it's really nice that you're adding an ipv6 address blacklist by default. I think you could also include a list of bogon ipv4 addresses (for example the one that is listed on your wiki). I have always really appreciated the educational value of mikrotik devices, as making everything so explicit really allows the user to learn how everything works. Not some single-button "enable" bullshit magic without any understanding of the topic in the first place.
MTCNA, MTCRE, MTCINE
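As an added example for this thread (not code from the thread, from MikroTik, or from RouterOS itself), the script below audits the point lapsio raises: it parses a `/ipv6 firewall filter` export in the same `add key=value ...` form as the one posted above, flags every accept rule that lets IKE (UDP 500/4500), AH or ESP in with no `ipsec-policy`, `src-address` or `src-address-list` condition, and prints those same rules rewritten to require a source address list of known peers. The embedded export is a subset of the posted one, the list name `ipsec_peers` and the set of keys treated as "conditioning" are assumptions, and binding the rules to known peers means the router no longer meets the RFC 6092 default of permitting IPsec from any remote host, which is the trade-off mrz's reply describes.

```python
"""Audit a RouterOS '/ipv6 firewall filter' export for IPsec-related accept
rules that are not conditioned on an IPsec policy or a known peer, and
render hardened replacements bound to an address list.

Added example for the forum thread; not MikroTik or RouterOS code.
"""
import shlex

# Constructed sample: a subset of the '/ipv6 firewall filter' export posted in the thread.
SAMPLE_EXPORT = """/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
"""

# Matchers that tie an accept rule to a real policy or a known peer (assumption:
# these are the conditions a defender would accept as "not wide open").
CONDITIONING_KEYS = ("ipsec-policy", "src-address", "src-address-list")


def parse_rules(export: str) -> list[dict]:
    """Turn each 'add key=value ...' line into a dict; shlex keeps quoted comments whole."""
    rules = []
    for line in export.splitlines():
        line = line.strip()
        if not line.startswith("add "):
            continue  # section headers such as '/ipv6 firewall filter'
        rule = {}
        for token in shlex.split(line[4:]):
            key, _, value = token.partition("=")
            rule[key] = value
        rules.append(rule)
    return rules


def is_ipsec_rule(rule: dict) -> bool:
    """True for AH, ESP, or UDP rules whose dst-port list includes IKE/NAT-T ports."""
    if rule.get("protocol") in ("ipsec-ah", "ipsec-esp"):
        return True
    ports = set(rule.get("dst-port", "").split(","))
    return rule.get("protocol") == "udp" and bool(ports & {"500", "4500"})


def find_unconditioned(rules: list[dict]) -> list[dict]:
    """IPsec accept rules carrying none of the conditioning matchers."""
    return [
        r for r in rules
        if r.get("action") == "accept"
        and is_ipsec_rule(r)
        and not any(k in r for k in CONDITIONING_KEYS)
    ]


def harden(rule: dict, peer_list: str = "ipsec_peers") -> str:
    """Re-render the rule in RouterOS syntax with a src-address-list added.

    'ipsec_peers' is an assumed list name; it must be populated under
    /ipv6 firewall address-list with the remote IKE endpoints you expect.
    """
    hardened = dict(rule)
    hardened["comment"] = rule.get("comment", "") + " (peers only)"
    hardened["src-address-list"] = peer_list
    parts = []
    for key, value in hardened.items():
        if not value or any(c.isspace() for c in value):
            value = f'"{value}"'  # RouterOS needs quotes around values with spaces
        parts.append(f"{key}={value}")
    return "add " + " ".join(parts)


def audit(export: str, peer_list: str = "ipsec_peers") -> list[str]:
    """Hardened replacement lines for every unconditioned IPsec accept rule."""
    return [harden(r, peer_list) for r in find_unconditioned(parse_rules(export))]


if __name__ == "__main__":
    for line in audit(SAMPLE_EXPORT):
        print(line)
```

Running it against the posted export reports six rules (IKE, AH and ESP in both `input` and `forward`), while the `ipsec-policy=in,ipsec` rule is left alone because it already depends on a configured policy. The printed lines use the same syntax as the export, so they can be compared against a live `/ipv6 firewall filter export` before deciding whether the RFC 6092 default or a peer-bound variant is the right policy for a given deployment.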