amt
Long time Member, Topic Author
Posts: 527
Joined: Fri Jan 16, 2015 2:05 pm

firewall advice to pppoe_client customers

Wed Mar 21, 2018 1:38 pm

Hi All,
Our client devices connected with PPPoE got attacked and many of our devices became useless. Do you have any suggestions for firewall rules that can be used to take precautions?

Thanks a lot
 
mrz
MikroTik Support
Posts: 6111
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: firewall advice to pppoe_client customers

Wed Mar 21, 2018 1:46 pm

Default firewall rules in latest versions already have protection in such setups.
 
amt
Long time Member, Topic Author
Posts: 527
Joined: Fri Jan 16, 2015 2:05 pm

Re: firewall advice to pppoe_client customers

Wed Mar 21, 2018 2:04 pm

/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
Is that enough? I will just change the WAN interface to pppoe_client and LAN is ether?
Last edited by amt on Wed Mar 21, 2018 2:30 pm, edited 2 times in total.
 
mrz
MikroTik Support
Posts: 6111
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: firewall advice to pppoe_client customers

Wed Mar 21, 2018 2:27 pm

WAN and LAN are interface lists. You just need to edit WAN interface list.
 
Steveocee
Forum Guru
Posts: 1127
Joined: Tue Jul 21, 2015 10:09 pm
Location: UK

Re: firewall advice to pppoe_client customers

Wed Mar 21, 2018 2:28 pm

A basic one but usable; of course you need to change the in-interface to match your PPPoE client interface name (pppoe-out1 is the default):
/ip firewall filter
add action=accept chain=forward comment="ACCEPT established & related" connection-state=established,related in-interface=pppoe-out1
add action=accept chain=input comment="ACCEPT established & related" connection-state=established,related in-interface=pppoe-out1
add action=drop chain=forward comment="DROP invalid" connection-state=invalid in-interface=pppoe-out1
add action=drop chain=input comment="DROP invalid" connection-state=invalid in-interface=pppoe-out1
add action=accept chain=forward comment="ACCEPT DST-NAT'D" connection-nat-state=dstnat in-interface=pppoe-out1
add action=accept chain=input comment="ACCEPT ICMP" in-interface=pppoe-out1 protocol=icmp
add action=drop chain=input comment="DROP ALL" in-interface=pppoe-out1
add action=drop chain=forward comment="DROP ALL" in-interface=pppoe-out1
Steve "Steveocee" Carter
PC Gamer, Airsofter, MikroTik Nerd
My Website - My MikroTik Tutorials
 
amt
Long time Member, Topic Author
Posts: 527
Joined: Fri Jan 16, 2015 2:05 pm

Re: firewall advice to pppoe_client customers

Wed Mar 21, 2018 2:30 pm

WAN and LAN are interface lists. You just need to edit WAN interface list.
Thanks mrz,

Also, I would like to add these rules, but I'm not sure about the order of the rules. Can I add these rules at the end of the default config? Or
/ip firewall 
address-list add address=10.10.2.10 comment="Admin Network" list=admin
/ip firewall filter 
add action=accept chain=forward comment="SecureConnection For Admin" src-address-list=admin
add action=drop chain=input comment="drop connection for ports" dst-port=22,2200,23,8291 protocol=tcp
add action=drop chain=input comment="drop connection for ports" dst-port=22,2200,23,8291 protocol=udp
add action=drop chain=forward comment="drop connection for ports" dst-port=22,2200,23,8291 protocol=tcp
add action=drop chain=forward comment="drop connection for ports" dst-port=22,2200,23,8291 protocol=udp
 
amt
Long time Member, Topic Author
Posts: 527
Joined: Fri Jan 16, 2015 2:05 pm

Re: firewall advice to pppoe_client customers

Wed Mar 21, 2018 2:53 pm

A basic one but usable; of course you need to change the in-interface to match your PPPoE client interface name (pppoe-out1 is the default):
/ip firewall filter
add action=accept chain=forward comment="ACCEPT established & related" connection-state=established,related in-interface=pppoe-out1
add action=accept chain=input comment="ACCEPT established & related" connection-state=established,related in-interface=pppoe-out1
add action=drop chain=forward comment="DROP invalid" connection-state=invalid in-interface=pppoe-out1
add action=drop chain=input comment="DROP invalid" connection-state=invalid in-interface=pppoe-out1
add action=accept chain=forward comment="ACCEPT DST-NAT'D" connection-nat-state=dstnat in-interface=pppoe-out1
add action=accept chain=input comment="ACCEPT ICMP" in-interface=pppoe-out1 protocol=icmp
add action=drop chain=input comment="DROP ALL" in-interface=pppoe-out1
add action=drop chain=forward comment="DROP ALL" in-interface=pppoe-out1
Thanks Steveocee for your help.
I think the difference between the MikroTik default firewall config and your firewall is the forward chain. The MikroTik default firewall rules don't use the forward chain.
add action=accept chain=forward comment="ACCEPT DST-NAT'D" connection-nat-state=dstnat in-interface=pppoe-out1
Is the rule above for port forwarding?

If I want to make it more secure and give access only to some special IPs so that customers don't get attacked, what can I do? Because our equipment, which has public IPs on its WAN interface, was affected by the attack and became unusable.
So I thought I would add these rules too:
/ip firewall 
address-list add address=10.10.2.10 comment="Admin Network" list=admin
/ip firewall filter 
add action=accept chain=forward comment="SecureConnection For Admin" src-address-list=admin
add action=drop chain=input comment="drop connection for ports" dst-port=22,2200,23,8291 protocol=tcp
add action=drop chain=input comment="drop connection for ports" dst-port=22,2200,23,8291 protocol=udp
add action=drop chain=forward comment="drop connection for ports" dst-port=22,2200,23,8291 protocol=tcp
add action=drop chain=forward comment="drop connection for ports" dst-port=22,2200,23,8291 protocol=udp
 
Steveocee
Forum Guru
Posts: 1127
Joined: Tue Jul 21, 2015 10:09 pm
Location: UK

Re: firewall advice to pppoe_client customers

Thu Mar 22, 2018 11:19 am

Thanks Steveocee for your help.
I think the difference between the MikroTik default firewall config and your firewall is the forward chain. The MikroTik default firewall rules don't use the forward chain.
I generally use both forward and input in tandem, same rules for each. It just adds some extra assurance for your clients behind the router.

add action=accept chain=forward comment="ACCEPT DST-NAT'D" connection-nat-state=dstnat in-interface=pppoe-out1
Is the rule above for port forwarding?
Yes, this makes it so that you don't have to add separate rules for each port forward you add.

If I want to make it more secure and give access only to some special IPs so that customers don't get attacked, what can I do? Because our equipment, which has public IPs on its WAN interface, was affected by the attack and became unusable.
So I thought I would add these rules too:
/ip firewall 
address-list add address=10.10.2.10 comment="Admin Network" list=admin
/ip firewall filter 
add action=accept chain=forward comment="SecureConnection For Admin" src-address-list=admin
add action=drop chain=input comment="drop connection for ports" dst-port=22,2200,23,8291 protocol=tcp
add action=drop chain=input comment="drop connection for ports" dst-port=22,2200,23,8291 protocol=udp
add action=drop chain=forward comment="drop connection for ports" dst-port=22,2200,23,8291 protocol=tcp
add action=drop chain=forward comment="drop connection for ports" dst-port=22,2200,23,8291 protocol=udp
You don't need those specific rules. A simple drop all would suffice as long as you have an allow established and related at the top.
Steve "Steveocee" Carter
PC Gamer, Airsofter, MikroTik Nerd
My Website - My MikroTik Tutorials
 
amt
Long time Member, Topic Author
Posts: 527
Joined: Fri Jan 16, 2015 2:05 pm

Re: firewall advice to pppoe_client customers

Thu Mar 22, 2018 2:52 pm

Many Many Thanks Steveocee...

here is last one..
/interface list add name=WAN
/interface list add name=LAN
/interface list member add interface=[/interface ethernet find] list=LAN
/interface list member add interface=[/interface pppoe-client find] list=WAN
/ip firewall address-list add address=10.10.10.30 comment="Admin" list=admin
/ip firewall filter
add action=accept chain=forward comment="ACCEPT established & related" connection-state=established,related in-interface-list=WAN
add action=accept chain=input comment="ACCEPT established & related" connection-state=established,related in-interface-list=WAN
add action=drop chain=forward comment="DROP invalid" connection-state=invalid in-interface-list=WAN
add action=drop chain=input comment="DROP invalid" connection-state=invalid in-interface-list=WAN
add action=accept chain=input comment="SecureConnection For Admin" src-address-list=admin
add action=accept chain=forward comment="SecureConnection For Admin" src-address-list=admin
add action=accept chain=forward comment="ACCEPT DST-NAT'D" connection-nat-state=dstnat in-interface-list=WAN
add action=accept chain=input comment="ACCEPT ICMP" in-interface-list=WAN protocol=icmp
add action=drop chain=input comment="drop connection for admin special ports" dst-port=22,23,8291,8728,8729 protocol=tcp
add action=drop chain=input comment="drop connection for admin special ports" dst-port=22,23,8291,8728,8729 protocol=udp
add action=drop chain=forward comment="drop connection for admin special ports" dst-port=22,23,8291,8728,8729 protocol=tcp
add action=drop chain=forward comment="drop connection for admin special ports" dst-port=22,23,8291,8728,8729 protocol=udp
add action=drop chain=input comment="DROP ALL" in-interface-list=WAN
add action=drop chain=forward comment="DROP ALL" in-interface-list=WAN
/ip service disable telnet,ftp,www,api,api-ssl
/ip service set ssh port=2200
/ip service set address=10.10.10.30 [/ip service find]
/user set address=10.10.10.30 [/user find]
/tool bandwidth-server set enabled=no
/ip dns set allow-remote-requests=no
/ip proxy set enabled=no
/ip socks set enabled=no
/ip upnp set enabled=no
/ip cloud set ddns-enabled=no update-time=no
/ip ssh set host-key-size=4096 strong-crypto=yes
/ip settings set rp-filter=strict
/ip firewall service-port disable [/ip firewall service-port find]
I think this is enough to protect the customer device and internet. Do I need to add port scanner rules as well?

Thanks a lot.
 
CZFan
Forum Guru
Posts: 1789
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Randburg

Re: firewall advice to pppoe_client customers

Thu Mar 22, 2018 4:43 pm

I will suggest you remove the in-interface on the following rules.
/ip firewall filter
add action=accept chain=forward comment="ACCEPT established & related" connection-state=established,related in-interface-list=WAN
add action=accept chain=input comment="ACCEPT established & related" connection-state=established,related in-interface-list=WAN
add action=drop chain=forward comment="DROP invalid" connection-state=invalid in-interface-list=WAN
add action=drop chain=input comment="DROP invalid" connection-state=invalid in-interface-list=WAN

add action=drop chain=input comment="DROP ALL" in-interface-list=WAN
add action=drop chain=forward comment="DROP ALL" in-interface-list=WAN
MTCNA, MTCTCE, MTCRE & MTCINE
 
amt
Long time Member, Topic Author
Posts: 527
Joined: Fri Jan 16, 2015 2:05 pm

Re: firewall advice to pppoe_client customers

Fri Mar 23, 2018 11:53 am

I will suggest you remove the in-interface on the following rules.
/ip firewall filter
add action=accept chain=forward comment="ACCEPT established & related" connection-state=established,related in-interface-list=WAN
add action=accept chain=input comment="ACCEPT established & related" connection-state=established,related in-interface-list=WAN
add action=drop chain=forward comment="DROP invalid" connection-state=invalid in-interface-list=WAN
add action=drop chain=input comment="DROP invalid" connection-state=invalid in-interface-list=WAN

add action=drop chain=input comment="DROP ALL" in-interface-list=WAN
add action=drop chain=forward comment="DROP ALL" in-interface-list=WAN
Hi CZFan, thank you very much for your help and support. I combined Steveocee's advice and yours and here is the result :) I hope this will help me to secure the connection for the CPE and customer. Thank you and Steveocee again.
/interface list add name=WAN
/interface list add name=LAN
/interface list member add interface=[/interface ethernet find] list=LAN
/interface list member add interface=[/interface pppoe-client find] list=WAN
/ip firewall address-list add address=10.10.10.30 comment="Admin" list=admin
/ip firewall filter
add action=accept chain=forward comment="ACCEPT established & related" connection-state=established,related
add action=accept chain=input comment="ACCEPT established & related" connection-state=established,related
add action=drop chain=forward comment="DROP invalid" connection-state=invalid
add action=drop chain=input comment="DROP invalid" connection-state=invalid
add action=accept chain=input comment="SecureConnection For Admin" src-address-list=admin
add action=accept chain=forward comment="SecureConnection For Admin" src-address-list=admin
add action=accept chain=forward comment="ACCEPT DST-NAT'D" connection-nat-state=dstnat in-interface-list=WAN
add action=accept chain=input comment="ACCEPT ICMP" in-interface-list=WAN protocol=icmp
add action=drop chain=input comment="drop connection for admin special ports" dst-port=22,23,8291,8728,8729 protocol=tcp
add action=drop chain=input comment="drop connection for admin special ports" dst-port=22,23,8291,8728,8729 protocol=udp
add action=drop chain=forward comment="drop connection for admin special ports" dst-port=22,23,8291,8728,8729 protocol=tcp
add action=drop chain=forward comment="drop connection for admin special ports" dst-port=22,23,8291,8728,8729 protocol=udp
add action=drop chain=input comment="DROP ALL"
add action=drop chain=forward comment="DROP ALL"
/ip service disable telnet,ftp,www,api,api-ssl
/ip service set ssh port=2200
/ip service set address=10.10.10.30 [/ip service find]
/user set address=10.10.10.30 [/user find]
/tool bandwidth-server set enabled=no
/ip dns set allow-remote-requests=no
/ip proxy set enabled=no
/ip socks set enabled=no
/ip upnp set enabled=no
/ip cloud set ddns-enabled=no update-time=no
/ip ssh set host-key-size=4096 strong-crypto=yes
/ip settings set rp-filter=strict
/ip firewall service-port disable [/ip firewall service-port find]
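Before pushing a script like the one above to a fleet of CPEs, it is worth running a static check over it. The following is an added example, not code from the thread or from MikroTik: a small linter for RouterOS export syntax. SAMPLE_CONFIG is a constructed excerpt in the style of the script above that deliberately contains two defects a practitioner should catch before rollout: the address list is created under one name (secureAdmin) but the filter rules match on another (admin), so the admin accept never fires; and each catch-all drop has no preceding accept for new connections arriving on the LAN interface list, which cuts customers off. It also checks mrz's ordering rule (accept established,related before drop invalid) and that every referenced interface list exists. FIXED_CONFIG is the same excerpt with both defects repaired.

```python
# Added example (not from the thread): static lint for a RouterOS export.
import shlex

# Constructed sample: note list=secureAdmin vs src-address-list=admin, and the
# unqualified "DROP ALL" rules with nothing accepting new LAN traffic before them.
SAMPLE_CONFIG = """
/interface list add name=WAN
/interface list add name=LAN
/ip firewall address-list add address=10.10.10.30 comment="Admin" list=secureAdmin
/ip firewall filter
add action=accept chain=forward comment="ACCEPT established & related" connection-state=established,related
add action=accept chain=input comment="ACCEPT established & related" connection-state=established,related
add action=drop chain=forward comment="DROP invalid" connection-state=invalid
add action=drop chain=input comment="DROP invalid" connection-state=invalid
add action=accept chain=input comment="SecureConnection For Admin" src-address-list=admin
add action=accept chain=forward comment="ACCEPT DST-NAT'D" connection-nat-state=dstnat in-interface-list=WAN
add action=drop chain=input comment="DROP ALL"
add action=drop chain=forward comment="DROP ALL"
"""

# Same excerpt with the list name aligned and an accept for new LAN connections
# inserted ahead of each catch-all drop.
FIXED_CONFIG = SAMPLE_CONFIG.replace("list=secureAdmin", "list=admin")
for chain in ("input", "forward"):
    FIXED_CONFIG = FIXED_CONFIG.replace(
        f'add action=drop chain={chain} comment="DROP ALL"',
        f'add action=accept chain={chain} comment="ACCEPT New" connection-state=new in-interface-list=LAN\n'
        f'add action=drop chain={chain} comment="DROP ALL"')

COMMANDS = {"add", "set", "disable", "enable", "remove"}
# A drop rule carrying any of these is targeted; one with none of them is a catch-all.
MATCHERS = {"connection-state", "connection-nat-state", "src-address", "dst-address",
            "src-address-list", "dst-address-list", "in-interface", "out-interface",
            "in-interface-list", "out-interface-list", "protocol", "src-port", "dst-port"}


def parse(text):
    """Yield (menu path, command, {key: value}) per statement. A bare `/path` line
    sets the context that following `add ...` lines inherit, as in an export."""
    context = None
    for raw in text.splitlines():
        tokens = shlex.split(raw)          # honours the quoted comment="..." values
        if not tokens:
            continue
        if tokens[0].startswith("/"):
            n = 1
            while n < len(tokens) and tokens[n] not in COMMANDS:
                n += 1
            path, rest = " ".join(tokens[:n]), tokens[n:]
            if not rest:                   # context-only line such as `/ip firewall filter`
                context = path
                continue
        else:
            path, rest = context, tokens
        args = dict(a.split("=", 1) for a in rest[1:] if "=" in a)
        yield path, rest[0], args


def lint(text):
    """Return a list of human-readable findings; an empty list means clean."""
    findings, addr_lists, iface_lists, rules = [], set(), set(), []
    for path, command, kv in parse(text):
        if command != "add":
            continue
        if path == "/ip firewall address-list":
            addr_lists.add(kv.get("list"))
        elif path == "/interface list":
            iface_lists.add(kv.get("name"))
        elif path == "/ip firewall filter":
            rules.append(kv)
    for i, r in enumerate(rules, 1):
        for key, defined, what in (("src-address-list", addr_lists, "address"),
                                   ("dst-address-list", addr_lists, "address"),
                                   ("in-interface-list", iface_lists, "interface"),
                                   ("out-interface-list", iface_lists, "interface")):
            if key in r and r[key].lstrip("!") not in defined:   # "!name" still needs name
                findings.append(f"rule {i}: {key}={r[key]} references an undefined {what} list")
    for chain in ("input", "forward"):
        cr = [r for r in rules if r.get("chain") == chain]
        est = next((i for i, r in enumerate(cr) if r.get("action") == "accept"
                    and "established" in r.get("connection-state", "")), None)
        inv = next((i for i, r in enumerate(cr) if r.get("action") == "drop"
                    and r.get("connection-state") == "invalid"), None)
        if est is not None and inv is not None and inv < est:
            findings.append(f"{chain}: drop invalid is ordered before accept established,related")
        for i, r in enumerate(cr):
            if r.get("action") == "drop" and not MATCHERS.intersection(r):
                if not any(x.get("action") == "accept" and x.get("in-interface-list") == "LAN"
                           for x in cr[:i]):
                    findings.append(f"{chain}: unqualified drop {r.get('comment')!r} has no earlier "
                                    "accept for in-interface-list=LAN; LAN-initiated traffic is dropped")
    return findings


if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, lint(cfg) or "clean")
```

The parser only understands the `add` statements the checks need; `set`/`disable` lines are tokenised and skipped, so the service-hardening tail of the script passes through untouched. The catch-all check is deliberately conservative: it only flags a drop that carries no matcher at all, so a `DROP ALL` that still has `in-interface-list=WAN` is not reported.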
 
mkx
Forum Guru
Posts: 4634
Joined: Thu Mar 03, 2016 10:23 pm

Re: firewall advice to pppoe_client customers

Fri Mar 23, 2018 12:00 pm

Assuming your pppoe runs on top of some ethernet interface (presumably ether1), is it safe to add all ether interfaces to LAN list? I'd leave that particular one out. If pppoe runs on top of sfp1 interface then your config is OK.
BR,
Metod
 
amt
Long time Member, Topic Author
Posts: 527
Joined: Fri Jan 16, 2015 2:05 pm

Re: firewall advice to pppoe_client customers

Fri Mar 23, 2018 12:09 pm

Assuming your pppoe runs on top of some ethernet interface (presumably ether1), is it safe to add all ether interfaces to LAN list? I'd leave that particular one out. If pppoe runs on top of sfp1 interface then your config is OK.
Hi mkx, thanks for your answer.

All customer devices are SXT or LHG and they have only one Ethernet port. I will try to push these firewall rules with a program to more than one device at the same time over telnet. I prefer this method because sometimes technicians change the Ethernet interface name to something like Home or DVR, or sometimes they change the pppoe_client name to something like internet.

Thanks
 
solar77
Long time Member
Posts: 570
Joined: Thu Feb 04, 2016 11:42 am
Location: Scotland

Re: firewall advice to pppoe_client customers

Fri Mar 23, 2018 12:33 pm

Should drop invalid be in front of accept connected and established? It seems better if you get rid of the invalid packet first so it won't flow down the rest of the filter rules.
MTCNA MTCTCE UEWA
 
anav
Forum Guru
Posts: 5129
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: firewall advice to pppoe_client customers

Fri Mar 23, 2018 1:37 pm

Good question SOLAR!! One that bugs me daily.
My logic, twisted as it is, tells me it's best to match the majority of packets soonest, and one would expect that to be the case for legitimate traffic.
The 'bad' traffic is in the minority and thus it can be handled after.

Put another way, why force good traffic (the majority of traffic) to be compared against drop rules first....................
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
 
mrz
MikroTik Support
Posts: 6111
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: firewall advice to pppoe_client customers

Fri Mar 23, 2018 1:39 pm

Order should be
established,related first
then drop invalid.

Due to reasons anav already mentioned.
 
anav
Forum Guru
Posts: 5129
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: firewall advice to pppoe_client customers

Fri Mar 23, 2018 1:49 pm

The functionality that is used to get rid of traffic before the filter rules is the application of RAW rules.
This assumes no connection and thus no inspection of the traffic to see if it matches filter parameters, and thus is not the place for the filter rules noted previously, but is an excellent place for address lists that the OP wants blocked..........

Examples: country block, blacklist block, etc.........

It also appears common to 'catch' incoming traffic that is illegitimate, drop it, but also capture the source address and add this address to a temporary list (24 hr for example).
The address list created is then applied in a RAW rule, so that such traffic is not even seen at the connection point from there on in for at least 24 hours.
It's this kind of approach that I find, in a nerdy way, freakin kewl! In SteveO vernacular, almost a woody!
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
 
amt
Long time Member, Topic Author
Posts: 527
Joined: Fri Jan 16, 2015 2:05 pm

Re: firewall advice to pppoe_client customers

Fri Mar 23, 2018 2:26 pm

So I can start to use these rules :)
 
amt
Long time Member, Topic Author
Posts: 527
Joined: Fri Jan 16, 2015 2:05 pm

Re: firewall advice to pppoe_client customers

Fri Mar 23, 2018 3:03 pm

I will suggest you remove the in-interface on the following rules.
/ip firewall filter
add action=accept chain=forward comment="ACCEPT established & related" connection-state=established,related in-interface-list=WAN
add action=accept chain=input comment="ACCEPT established & related" connection-state=established,related in-interface-list=WAN
add action=drop chain=forward comment="DROP invalid" connection-state=invalid in-interface-list=WAN
add action=drop chain=input comment="DROP invalid" connection-state=invalid in-interface-list=WAN

add action=drop chain=input comment="DROP ALL" in-interface-list=WAN
add action=drop chain=forward comment="DROP ALL" in-interface-list=WAN
Hi CZFan,
When I remove the in-interface from Drop All, customers can't access the internet.
 
CZFan
Forum Guru
Posts: 1789
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Randburg

Re: firewall advice to pppoe_client customers

Fri Mar 23, 2018 3:24 pm

I will suggest you remove the in-interface on the following rules.
/ip firewall filter
add action=accept chain=forward comment="ACCEPT established & related" connection-state=established,related in-interface-list=WAN
add action=accept chain=input comment="ACCEPT established & related" connection-state=established,related in-interface-list=WAN
add action=drop chain=forward comment="DROP invalid" connection-state=invalid in-interface-list=WAN
add action=drop chain=input comment="DROP invalid" connection-state=invalid in-interface-list=WAN

add action=drop chain=input comment="DROP ALL" in-interface-list=WAN
add action=drop chain=forward comment="DROP ALL" in-interface-list=WAN
Hi CZFan,
When I remove the in-interface from Drop All, customers can't access the internet.

Add rules for and place above drop rules - This is to allow only new connection from inside to outside, not the other way around:

Allow, forward chain, connection-state=new, in-interface-list=LAN (To access internet)
Allow, input chain, connection-state=new, in-interface-list=LAN (to access Router for DNS, Management, etc)
MTCNA, MTCTCE, MTCRE & MTCINE
 
amt
Long time Member, Topic Author
Posts: 527
Joined: Fri Jan 16, 2015 2:05 pm

Re: firewall advice to pppoe_client customers

Fri Mar 23, 2018 4:25 pm

I will suggest you remove the in-interface on the following rules.
/ip firewall filter
add action=accept chain=forward comment="ACCEPT established & related" connection-state=established,related in-interface-list=WAN
add action=accept chain=input comment="ACCEPT established & related" connection-state=established,related in-interface-list=WAN
add action=drop chain=forward comment="DROP invalid" connection-state=invalid in-interface-list=WAN
add action=drop chain=input comment="DROP invalid" connection-state=invalid in-interface-list=WAN

add action=drop chain=input comment="DROP ALL" in-interface-list=WAN
add action=drop chain=forward comment="DROP ALL" in-interface-list=WAN
Hi CZFan,
When I remove the in-interface from Drop All, customers can't access the internet.

Add rules for and place above drop rules - This is to allow only new connection from inside to outside, not the other way around:

Allow, forward chain, connection-state=new, in-interface-list=LAN (To access internet)
Allow, input chain, connection-state=new, in-interface-list=LAN (to access Router for DNS, Management, etc)
Okay, the rules should be like this if I understand correctly:
/ip firewall filter 
add action=accept chain=forward comment="ACCEPT established & related" connection-state=established,related
add action=accept chain=input comment="ACCEPT established & related" connection-state=established,related
add action=drop chain=forward comment="DROP invalid" connection-state=invalid 
add action=drop chain=input comment="DROP invalid" connection-state=invalid 
add action=accept chain=input comment="SecureConnection For Admin" src-address-list=admin
add action=accept chain=forward comment="SecureConnection For Admin" src-address-list=admin
add action=accept chain=forward comment="ACCEPT DST-NAT'D" connection-nat-state=dstnat in-interface-list=WAN
add action=accept chain=input comment="ACCEPT ICMP" in-interface-list=WAN protocol=icmp
add action=drop chain=input comment="drop connection for admin special ports" dst-port=22,23,8291,8728,8729 protocol=tcp
add action=drop chain=input comment="drop connection for Admin special ports" dst-port=22,23,8291,8728,8729 protocol=udp
add action=drop chain=forward comment="drop connection for Admin special ports" dst-port=22,23,8291,8728,8729 protocol=tcp
add action=drop chain=forward comment="drop connection for Admin special ports" dst-port=22,23,8291,8728,8729 protocol=udp
add action=accept chain=forward comment="ACCEPT New" connection-state=new in-interface-list=LAN
add action=accept chain=input comment="ACCEPT New" connection-state=new in-interface-list=LAN
add action=drop chain=input comment="DROP ALL" 
add action=drop chain=forward comment="DROP ALL" 

 
CZFan
Forum Guru
Posts: 1789
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Randburg

Re: firewall advice to pppoe_client customers

Fri Mar 23, 2018 4:29 pm

Order should be
established,related first
then drop invalid.

Due to reasons anav already mentioned.

The other side of this coin is that router resources are held up by unwanted/invalid packets (although in normal conditions this will be minimal, I assume it can change at any time due to a virus, etc.) traversing the FW rules.
MTCNA, MTCTCE, MTCRE & MTCINE
 
CZFan
Forum Guru
Posts: 1789
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Randburg

Re: firewall advice to pppoe_client customers

Fri Mar 23, 2018 4:38 pm

Why do you want this rule? Except if needed for monitoring, ICMP traffic will work just fine if initiated from inside, and then the following will be allowed by established, related rule without rule below
add action=accept chain=input comment="ACCEPT ICMP" in-interface-list=WAN protocol=icmp
Then these rules, how are you going to manage the router, i.e. config changes?
add action=drop chain=input comment="drop connection for admin special ports" dst-port=22,23,8291,8728,8729 protocol=tcp
add action=drop chain=input comment="drop connection for Admin special ports" dst-port=22,23,8291,8728,8729 protocol=udp
add action=drop chain=forward comment="drop connection for Admin special ports" dst-port=22,23,8291,8728,8729 protocol=tcp
add action=drop chain=forward comment="drop connection for Admin special ports" dst-port=22,23,8291,8728,8729 protocol=udp
MTCNA, MTCTCE, MTCRE & MTCINE
 
amt
Long time Member, Topic Author
Posts: 527
Joined: Fri Jan 16, 2015 2:05 pm

Re: firewall advice to pppoe_client customers

Fri Mar 23, 2018 4:56 pm

Why do you want this rule? Except if needed for monitoring, ICMP traffic will work just fine if initiated from inside, and then the following will be allowed by established, related rule without rule below
add action=accept chain=input comment="ACCEPT ICMP" in-interface-list=WAN protocol=icmp
I removed it.
Then these rules, how are you going to manage the router, i.e. config changes?
add action=drop chain=input comment="drop connection for admin special ports" dst-port=22,23,8291,8728,8729 protocol=tcp
add action=drop chain=input comment="drop connection for Admin special ports" dst-port=22,23,8291,8728,8729 protocol=udp
add action=drop chain=forward comment="drop connection for Admin special ports" dst-port=22,23,8291,8728,8729 protocol=tcp
add action=drop chain=forward comment="drop connection for Admin special ports" dst-port=22,23,8291,8728,8729 protocol=udp
For these rules I added the rule below, so I thought that only the admin can manage the router; others will be dropped.
/ip firewall 
address-list add address=10.10.2.10 comment="Admin Network" list=admin
 
CZFan
Forum Guru
Posts: 1789
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Randburg

Re: firewall advice to pppoe_client customers

Fri Mar 23, 2018 5:08 pm

add action=drop chain=input comment="drop connection for admin special ports" dst-port=22,23,8291,8728,8729 protocol=tcp
add action=drop chain=input comment="drop connection for Admin special ports" dst-port=22,23,8291,8728,8729 protocol=udp
add action=drop chain=forward comment="drop connection for Admin special ports" dst-port=22,23,8291,8728,8729 protocol=tcp
add action=drop chain=forward comment="drop connection for Admin special ports" dst-port=22,23,8291,8728,8729 protocol=udp
For these rules I added the rule below, so I thought that only the admin can manage the router; others will be dropped.
/ip firewall 
address-list add address=10.10.2.10 comment="Admin Network" list=admin

OK, rather change the above rules then and add src-address-list=!admin; the exclamation mark means "not", i.e.
add action=drop chain=input src-address-list=!admin comment="drop connection for admin special ports" dst-port=22,23,8291,8728,8729 protocol=tcp
MTCNA, MTCTCE, MTCRE & MTCINE
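To see what the rule order the thread has now converged on actually does to a given packet, the following is an added example (not code from the thread, from MikroTik or from any poster): a first-match walk over a model of the final CPE filter, covering both the accept-new-from-LAN fix CZFan gave above and the src-address-list=!admin change in this post. RouterOS walks each chain top to bottom and the first matching rule decides, so the evaluator does the same. The packet fields, the ADDRESS_LISTS table, the host addresses and the scenario labels are constructed for the demonstration; the rule list itself mirrors the thread's rules (accept established/related, drop invalid, admin accept, dst-nat accept, management-port drops for non-admin sources, accept new from LAN, catch-all drop), and WITHOUT_LAN_ACCEPT is the earlier revision that left the two accept-new rules out.

```python
# Added example (not from the thread): first-match evaluation of the final rule set.
from dataclasses import dataclass

ADDRESS_LISTS = {"admin": {"10.10.10.30"}}        # models /ip firewall address-list
MGMT_PORTS = {22, 23, 8291, 8728, 8729}           # ports in the thread's drop rules


@dataclass(frozen=True)
class Packet:
    chain: str            # "input" (to the CPE itself) or "forward" (through it)
    in_list: str          # interface list the packet arrived on: "WAN" or "LAN"
    src: str
    proto: str = "tcp"
    dst_port: int = 0
    state: str = "new"    # connection-state: new | established | related | invalid
    dstnat: bool = False  # connection-nat-state=dstnat


def rule(action, chain, **match):
    return (action, chain, match)


def matches(match, p):
    """True when every matcher on the rule agrees with the packet."""
    for key, want in match.items():
        if key == "state":
            ok = p.state in want.split(",")           # "established,related" is a set
        elif key == "in_list":
            ok = p.in_list == want
        elif key == "proto":
            ok = p.proto == want
        elif key == "dst_port":
            ok = p.dst_port in want
        elif key == "dstnat":
            ok = p.dstnat == want
        elif key == "src_list":                       # "!admin" negates, like RouterOS
            negate = want.startswith("!")
            ok = (p.src in ADDRESS_LISTS[want.lstrip("!")]) != negate
        else:
            raise ValueError(f"unknown matcher {key}")
        if not ok:
            return False
    return True


def evaluate(rules, p):
    """(action, index) of the first rule in p.chain that matches.
    RouterOS accepts when no rule matches, so that case returns ("accept", None)."""
    for i, (action, chain, match) in enumerate(rules):
        if chain == p.chain and matches(match, p):
            return action, i
    return "accept", None


ACCEPT_NEW_FROM_LAN = [
    rule("accept", "forward", state="new", in_list="LAN"),
    rule("accept", "input", state="new", in_list="LAN"),
]

FINAL_RULES = [
    rule("accept", "forward", state="established,related"),
    rule("accept", "input", state="established,related"),
    rule("drop", "forward", state="invalid"),
    rule("drop", "input", state="invalid"),
    rule("accept", "input", src_list="admin"),
    rule("accept", "forward", src_list="admin"),
    rule("accept", "forward", in_list="WAN", dstnat=True),
    rule("drop", "input", src_list="!admin", proto="tcp", dst_port=MGMT_PORTS),
    rule("drop", "input", src_list="!admin", proto="udp", dst_port=MGMT_PORTS),
    rule("drop", "forward", src_list="!admin", proto="tcp", dst_port=MGMT_PORTS),
    rule("drop", "forward", src_list="!admin", proto="udp", dst_port=MGMT_PORTS),
    *ACCEPT_NEW_FROM_LAN,
    rule("drop", "input"),
    rule("drop", "forward"),
]
# The revision that cut customers off: identical, minus the two accept-new rules.
WITHOUT_LAN_ACCEPT = [r for r in FINAL_RULES if r not in ACCEPT_NEW_FROM_LAN]

WAN_ATTACKER, ADMIN, LAN_HOST = "203.0.113.7", "10.10.10.30", "192.168.88.20"  # constructed


def scenarios(rules):
    """Map a scenario label to the action the rule set gives that constructed packet."""
    cases = {
        "wan->winbox":   Packet("input", "WAN", WAN_ATTACKER, dst_port=8291),
        "admin->winbox": Packet("input", "WAN", ADMIN, dst_port=8291),
        "lan->winbox":   Packet("input", "LAN", LAN_HOST, dst_port=8291),
        "lan->ssh-2200": Packet("input", "LAN", LAN_HOST, dst_port=2200),
        "lan->web":      Packet("forward", "LAN", LAN_HOST, dst_port=443),
        "wan->dstnat":   Packet("forward", "WAN", WAN_ATTACKER, dst_port=8080, dstnat=True),
        "wan->reply":    Packet("forward", "WAN", WAN_ATTACKER, state="established"),
        "wan->invalid":  Packet("input", "WAN", WAN_ATTACKER, state="invalid"),
    }
    return {name: evaluate(rules, pkt)[0] for name, pkt in cases.items()}


if __name__ == "__main__":
    for name, rules in (("final", FINAL_RULES), ("without accept-new", WITHOUT_LAN_ACCEPT)):
        print(name, scenarios(rules))
```

Two results are worth noting. With WITHOUT_LAN_ACCEPT, "lan->web" lands on the catch-all drop, which is exactly the "customers can't access the internet" symptom reported above once the in-interface qualifier was removed. With FINAL_RULES, "lan->ssh-2200" is accepted by the accept-new-from-LAN rule because the script moved SSH to port 2200 but the management-port drop list still names 22; in the posted script it is the `/ip service set address=10.10.10.30 [/ip service find]` line, not the firewall, that then refuses a LAN host, so both layers belong in the rollout. The model covers the filter table only; RAW, NAT and fasttrack are outside it.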
 
amt
Long time Member, Topic Author
Posts: 527
Joined: Fri Jan 16, 2015 2:05 pm

Re: firewall advice to pppoe_client customers

Fri Mar 23, 2018 5:33 pm

add action=drop chain=input comment="drop connection for admin special ports" dst-port=22,23,8291,8728,8729 protocol=tcp
add action=drop chain=input comment="drop connection for Admin special ports" dst-port=22,23,8291,8728,8729 protocol=udp
add action=drop chain=forward comment="drop connection for Admin special ports" dst-port=22,23,8291,8728,8729 protocol=tcp
add action=drop chain=forward comment="drop connection for Admin special ports" dst-port=22,23,8291,8728,8729 protocol=udp
For these rules I added the rule below, so I thought that only the admin can manage the router; others will be dropped.
/ip firewall 
address-list add address=10.10.2.10 comment="Admin Network" list=admin

Ok, rather change above rules then and add src-address-list=!admin, the exclamation mark means "not" i.e.
add action=drop chain=input src-address-list=!admin comment="drop connection for  admin special ports" dst-port=22,23,8291,8728,8729 protocol=tcp
Yes, certainly.
 
amt
Long time Member, Topic Author
Posts: 527
Joined: Fri Jan 16, 2015 2:05 pm

Re: firewall advice to pppoe_client customers  [SOLVED]

Mon Mar 26, 2018 12:14 pm

Great thanks to everyone for their help...
