Community discussions

 
thebombdig
just joined
Topic Author
Posts: 14
Joined: Tue Apr 17, 2018 1:28 pm

firewall deny any any

Tue Apr 17, 2018 4:46 pm

Hi I wanted to know if there is an option with the firewall to add the equivalent of a deny an any at the bottom of the rule like on a cisco or a checkpoint firewall.
As I tried to add one at the bottom of the rule base and it blocked all traffic in and out of the firewall instead of letting all the other traffic that matched the rules above through.

I added a rule below on version (6.34.1)

chain=input action=drop src-address=dst-address=log=yeslog=yes
 
sindy
Forum Guru
Forum Guru
Posts: 3809
Joined: Mon Dec 04, 2017 9:19 pm

Re: firewall deny any any

Tue Apr 17, 2018 6:34 pm

Hi I wanted to know if there is an option with the firewall to add the equivalent of a deny an any at the bottom of the rule like on a cisco or a checkpoint firewall.
The equivalent of
deny any any
is
action=drop
without any additional conditions (the
any, any
is implicit, i.e. you only need to define the
src-address
and/or
dst-address
if you need that the rule only applies on something more specific than
any
). However, you have to deal separately with traffic towards the Mikrotik itself (
chain=input
) and with the traffic forwarded by the Mikrotik (
chain=forward
).
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
thebombdig
just joined
Topic Author
Posts: 14
Joined: Tue Apr 17, 2018 1:28 pm

Re: firewall deny any any

Wed Apr 18, 2018 10:36 am

Hi Sindy

So if I was to put in a Action=drop chain=input at the bottom of the rules this would achieve that same thing as a deny any any. Also I just wanted to check:
(chain=input) is this for all traffic coming in to an interface of the router. and
(chain=forward) are for all those that originated from inside the router i.e. like when you do a (check update) for the latest software version.
 
sindy
Forum Guru
Forum Guru
Posts: 3809
Joined: Mon Dec 04, 2017 9:19 pm

Re: firewall deny any any

Wed Apr 18, 2018 4:49 pm

Hi Sindy

So if I was to put in a Action=drop chain=input at the bottom of the rules this would achieve that same thing as a deny any any. Also I just wanted to check:
(chain=input) is this for all traffic coming in to an interface of the router. and
(chain=forward) are for all those that originated from inside the router i.e. like when you do a (check update) for the latest software version.
Not exactly:
  • chain=input
    handles packets which end up at one of router's own IP addresses (after eventual dst-nat, so the packet's dst-address may have been a different one than router's own when it has arrived to in-interface, but the dst-nat changed that)
  • chain=forward
    handles packets forwarded between router's interfaces (after eventual dst-nat, so the packet's dst-address may have been one of router's own ones when it has arrived to in-interface, but the dst-nat changed that)
  • chain=output
    handles packets sent by the router itself.
More details on how the firewall works are in the manual and in this turbo-introduction.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
User avatar
chechito
Forum Guru
Forum Guru
Posts: 1736
Joined: Sun Aug 24, 2014 3:14 am
Location: Bogota Colombia
Contact:

Re: firewall deny any any

Wed Apr 18, 2018 6:16 pm

Hi I wanted to know if there is an option with the firewall to add the equivalent of a deny an any at the bottom of the rule like on a cisco or a checkpoint firewall.
As I tried to add one at the bottom of the rule base and it blocked all traffic in and out of the firewall instead of letting all the other traffic that matched the rules above through.

I added a rule below on version (6.34.1)

chain=input action=drop src-address=dst-address=log=yeslog=yes

you need to create allow rules at the top of the rule set for established and related traffic, in forward, input. output chains
 
thebombdig
just joined
Topic Author
Posts: 14
Joined: Tue Apr 17, 2018 1:28 pm

Re: firewall deny any any

Thu Apr 19, 2018 11:27 am

Hi
I just noticed this morning Im getting someone trying to log in to the router via the bandwidth-test as well as wia web. I didn't know that bandwidth-test had an external port to connect to from the outside. If so how do it block it.

/command Use command at the base level
apr/18/2018 20:03:46 system,error,critical login failure for user admin from 217.61.23.201 via web
apr/18/2018 20:03:48 system,error,critical login failure for user admin from 217.61.23.201 via web
apr/18/2018 20:03:49 system,error,critical login failure for user admin from 217.61.23.201 via web
apr/18/2018 20:03:50 system,error,critical login failure for user admin from 217.61.23.201 via web
apr/19/2018 03:19:47 system,error,critical login failure for user admin via bandwidth-test
apr/19/2018 04:16:49 system,error,critical login failure for user admin via bandwidth-test
 
JB172
Member
Member
Posts: 303
Joined: Fri Jul 24, 2015 3:12 pm
Location: AWMN

Re: firewall deny any any

Thu Apr 19, 2018 1:07 pm

Hi,
You can disable bandwidth-test option from Tools -> Bandwith Test server
The default port is udp 2000. Check and this https://wiki.mikrotik.com/wiki/Manual:T ... width_Test

Who is online

Users browsing this forum: Google [Bot] and 88 guests