thebombdig
just joined
Topic Author
Posts: 14
Joined: Tue Apr 17, 2018 1:28 pm

firewall deny any any

Tue Apr 17, 2018 4:46 pm

Hi, I wanted to know if there is an option in the firewall to add the equivalent of a "deny any any" at the bottom of the rule base, like on a Cisco or a Check Point firewall.
When I tried to add one at the bottom of the rule base, it blocked all traffic in and out of the firewall instead of letting through all the other traffic that matched the rules above.

I added the rule below on version 6.34.1:

/ip firewall filter add chain=input action=drop log=yes
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: firewall deny any any

Tue Apr 17, 2018 6:34 pm

Hi, I wanted to know if there is an option in the firewall to add the equivalent of a "deny any any" at the bottom of the rule base, like on a Cisco or a Check Point firewall.

The equivalent of "deny any any" is action=drop without any additional conditions (the "any, any" is implicit, i.e. you only need to define src-address and/or dst-address if you need the rule to apply only to something more specific than "any"). However, you have to deal separately with traffic towards the MikroTik itself (chain=input) and with the traffic forwarded by the MikroTik (chain=forward).
 
thebombdig
just joined
Topic Author
Posts: 14
Joined: Tue Apr 17, 2018 1:28 pm

Re: firewall deny any any

Wed Apr 18, 2018 10:36 am

Hi Sindy

So if I were to put an action=drop chain=input at the bottom of the rules, would this achieve the same thing as a deny any any? Also I just wanted to check:
(chain=input): is this for all traffic coming in to an interface of the router? And
(chain=forward): is this for all traffic that originated from inside the router, i.e. like when you do a (check update) for the latest software version?
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: firewall deny any any

Wed Apr 18, 2018 4:49 pm

Hi Sindy

So if I were to put an action=drop chain=input at the bottom of the rules, would this achieve the same thing as a deny any any? Also I just wanted to check:
(chain=input): is this for all traffic coming in to an interface of the router? And
(chain=forward): is this for all traffic that originated from inside the router, i.e. like when you do a (check update) for the latest software version?
Not exactly:
  • chain=input
    handles packets which end up at one of the router's own IP addresses (after any dst-nat, so the packet's dst-address may have been different from the router's own when it arrived on the in-interface, but the dst-nat changed that)
  • chain=forward
    handles packets forwarded between the router's interfaces (after any dst-nat, so the packet's dst-address may have been one of the router's own when it arrived on the in-interface, but the dst-nat changed that)
  • chain=output
    handles packets sent by the router itself.
More details on how the firewall works are in the manual and in this turbo-introduction.
 
chechito
Forum Guru
Posts: 3007
Joined: Sun Aug 24, 2014 3:14 am
Location: Bogota Colombia

Re: firewall deny any any

Wed Apr 18, 2018 6:16 pm

Hi, I wanted to know if there is an option in the firewall to add the equivalent of a "deny any any" at the bottom of the rule base, like on a Cisco or a Check Point firewall.
When I tried to add one at the bottom of the rule base, it blocked all traffic in and out of the firewall instead of letting through all the other traffic that matched the rules above.

I added the rule below on version 6.34.1:

/ip firewall filter add chain=input action=drop log=yes

You need to create allow rules at the top of the rule set for established and related traffic, in the forward, input and output chains.
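To make the two answers above concrete (sindy's point that the final drop carries an implicit "any any" and must exist per chain, and chechito's point that an established,related accept has to sit above it), here is an added example of a minimal RouterOS 6.x filter set. It is not configuration posted by anyone in this thread. It assumes ether1 is the WAN interface and every other interface is trusted LAN; the log-prefix strings and comments are arbitrary. The last rule in each chain has no src-address or dst-address match, which is exactly what makes it the "any any" rule; it is only safe because the established,related accept above it lets replies to the router's own connections (check-update, DNS, NTP) back in, which is the traffic the original bottom-of-list drop was killing.

```routeros
# Added example, not from the thread. Assumes ether1 = WAN, everything else = LAN.
# Enter Safe Mode (Ctrl-X in the terminal) first: if the drop rules lock you out,
# the router reverts them when the session disconnects.
/ip firewall filter

# --- input: packets addressed to one of the router's own IP addresses ---
# Replies to connections the router itself opened (check-update, DNS, NTP).
add chain=input connection-state=established,related action=accept \
    comment="input: allow replies to router-initiated sessions"
add chain=input connection-state=invalid action=drop \
    comment="input: drop invalid"
# Management only from the non-WAN side. '!' negates the interface match.
add chain=input in-interface=!ether1 action=accept \
    comment="input: allow management from LAN"
add chain=input protocol=icmp action=accept \
    comment="input: allow ping (optional)"
# The "deny any any": no src-address/dst-address given, so it matches everything
# that reached this point. log=yes records each dropped packet.
add chain=input action=drop log=yes log-prefix="INPUT-DROP" \
    comment="input: implicit any/any drop"

# --- forward: packets routed between interfaces (not for the router) ---
add chain=forward connection-state=established,related action=accept \
    comment="forward: allow replies"
add chain=forward connection-state=invalid action=drop \
    comment="forward: drop invalid"
add chain=forward in-interface=!ether1 action=accept \
    comment="forward: LAN -> anywhere"
add chain=forward action=drop log=yes log-prefix="FWD-DROP" \
    comment="forward: implicit any/any drop"

# Verify the order before leaving Safe Mode: rules are evaluated top to bottom
# and the first match wins, so the drop must be last in each chain.
/ip firewall filter print
```

Order is the whole point: `/ip firewall filter print` numbers the rules, `move` reorders them, and anything you add later with a plain `add` lands after the drop and never matches. `/log print where topics~"firewall"` shows what the two drop rules are catching, which is the cheapest way to find a legitimate flow you forgot to allow. The output chain is intentionally left open here; sindy's third bullet applies if you decide to restrict what the router itself may initiate.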
 
thebombdig
just joined
Topic Author
Posts: 14
Joined: Tue Apr 17, 2018 1:28 pm

Re: firewall deny any any

Thu Apr 19, 2018 11:27 am

Hi,
I just noticed this morning I'm getting someone trying to log in to the router via bandwidth-test as well as via web. I didn't know that bandwidth-test had an external port to connect to from the outside. If so, how do I block it?

/command Use command at the base level
apr/18/2018 20:03:46 system,error,critical login failure for user admin from 217.61.23.201 via web
apr/18/2018 20:03:48 system,error,critical login failure for user admin from 217.61.23.201 via web
apr/18/2018 20:03:49 system,error,critical login failure for user admin from 217.61.23.201 via web
apr/18/2018 20:03:50 system,error,critical login failure for user admin from 217.61.23.201 via web
apr/19/2018 03:19:47 system,error,critical login failure for user admin via bandwidth-test
apr/19/2018 04:16:49 system,error,critical login failure for user admin via bandwidth-test
 
JB172
Member
Posts: 304
Joined: Fri Jul 24, 2015 3:12 pm
Location: AWMN

Re: firewall deny any any

Thu Apr 19, 2018 1:07 pm

Hi,
You can disable the bandwidth-test option from Tools -> Bandwidth Test Server.
The default port is UDP 2000. Check this too: https://wiki.mikrotik.com/wiki/Manual:T ... width_Test
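The log lines in the earlier post show password guessing against the built-in "admin" user over two services that are reachable from the Internet. The following is an added example of the corresponding hardening on the RouterOS command line, not something posted by anyone in this thread. It assumes ether1 is the WAN interface and 192.168.88.0/24 is the management LAN; the replacement user name is a placeholder. It goes a step further than the answer above by also binding the remaining management services to the LAN and retiring the "admin" account, since a firewall rule alone does nothing about a weak password on a service that is still listening.

```routeros
# Added example, not from the thread. Assumes ether1 = WAN, 192.168.88.0/24 = LAN.

# 1. Stop the bandwidth-test server listening at all (it is on by default).
/tool bandwidth-server set enabled=no
/tool bandwidth-server print

# 2. Keep the remaining management services off the WAN. 'address' restricts
#    which source networks may connect; unused services are disabled outright.
/ip service set www address=192.168.88.0/24
/ip service set winbox address=192.168.88.0/24
/ip service set ssh address=192.168.88.0/24
/ip service set telnet disabled=yes
/ip service set ftp disabled=yes
/ip service set api disabled=yes
/ip service print

# 3. The log shows guesses against "admin": replace it with a differently named
#    full-rights user and disable the default account. Placeholder name/password.
/user add name=netops group=full password=CHANGE-ME-before-use
/user disable admin

# 4. Belt and braces at the firewall: if a service is ever re-enabled, the WAN
#    side still cannot reach it. Port 2000 is the bandwidth-test control port
#    (TCP); the server also allocates UDP ports starting at 2000 by default.
#    place-before=0 puts these above any existing input rules so they are logged
#    separately from a generic any/any drop further down.
/ip firewall filter
add chain=input in-interface=ether1 protocol=tcp dst-port=2000 action=drop \
    log=yes log-prefix="BTEST" place-before=0
add chain=input in-interface=ether1 protocol=udp dst-port=2000 action=drop \
    log=yes log-prefix="BTEST" place-before=0
add chain=input in-interface=ether1 protocol=tcp dst-port=80,8291 action=drop \
    log=yes log-prefix="MGMT" place-before=0
/ip firewall filter print
```

After applying this, `/log print where message~"login failure"` should stop showing new "via bandwidth-test" and "via web" entries from the WAN; if it does not, the service is still listening on an address the rule does not cover, which `/ip service print` will show. Keep the management-LAN session open while testing so a mistake in the `address` values cannot lock you out.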
