firewall rules

lrn23 · Mon Jan 07, 2019 11:15 am

Hello,
I'm still learning and I'm not sure if I'm configuring firewall on RB correctly. I was reading the manual, forum and examples on the web. I used one configuration I found on the web as a template. I made some changes and implemented few suggestions. I want to use this configuration in RB which would be in a gateway role. There would be one WAN interface connected to the internet and other interfaces in brigde connected to local network. I need to allow and forward few ports, but that's all. I would like to kindly ask you to check my configuration if there is something wrong. Thank you very much!

######################################################################
# Setup address lists

/ip firewall address-list
add address=0.0.0.0/8 comment="RFC 1122 \"This host on this network\"" disabled=yes list=bogons
add address=10.0.0.0/8 comment="RFC 1918 (Private Use IP Space)" disabled=no list=bogons
add address=100.64.0.0/10 comment="RFC 6598 (Shared Address Space)" disabled=no list=bogons
add address=127.0.0.0/8 comment="RFC 1122 (Loopback)" disabled=no list=bogons
add address=169.254.0.0/16 comment="RFC 3927 (Dynamic Configuration of IPv4 Link-Local Addresses)" disabled=no list=bogons
add address=172.16.0.0/12 comment="RFC 1918 (Private Use IP Space)" disabled=no list=bogons
add address=192.0.0.0/24 comment="RFC 6890 (IETF Protocol Assingments)" disabled=no list=bogons
add address=192.0.2.0/24 comment="RFC 5737 (Test-Net-1)" disabled=no list=bogons
add address=192.168.0.0/16 comment="RFC 1918 (Private Use IP Space)" disabled=no list=bogons
add address=198.18.0.0/15 comment="RFC 2544 (Benchmarking)" disabled=no list=bogons
add address=198.51.100.0/24 comment="RFC 5737 (Test-Net-2)" disabled=no list=bogons
add address=203.0.113.0/24 comment="RFC 5737 (Test-Net-3)" disabled=no list=bogons
add address=224.0.0.0/4 comment="RFC 5771 (Multicast Addresses) - Will affect OSPF, RIP, PIM, VRRP, IS-IS, and others. Use with caution.)" disabled=yes list=bogons
add address=240.0.0.0/4 comment="RFC 1112 (Reserved)" disabled=no list=bogons
add address=192.31.196.0/24 comment="RFC 7535 (AS112-v4)" disabled=no list=bogons
add address=192.52.193.0/24 comment="RFC 7450 (AMT)" disabled=no list=bogons
add address=192.88.99.0/24 comment="RFC 7526 (Deprecated (6to4 Relay Anycast))" disabled=no list=bogons
add address=192.175.48.0/24 comment="RFC 7534 (Direct Delegation AS112 Service)" disabled=no list=bogons
add address=255.255.255.255 comment="RFC 919 (Limited Broadcast)" disabled=no list=bogons

add list=local-addr address=192.168.0.0/16 comment="my local network, all NATed"

######################################################################
# Setup NAT

/ip firewall nat

# Setup srcnat
add chain=srcnat action=masquerade out-interface=WAN

# Setup dstnat
add chain=dstnat in-interface=WAN dst-port=8000 action=dst-nat protocol=tcp to-addresses=192.168.50.200 to-ports=8000

######################################################################
# Setup firewall rules

/ip firewall mangle
add chain=prerouting in-interface=WAN dst-address-list=local-addr action=mark-packet new-packet-mark=nat-traversal passthrough=no comment="Detect NAT Traversal"

/ip firewall filter 

add chain=output connection-state=established action=accept comment="Allow established connections"
add chain=output connection-state=related action=accept comment="Allow related connections"
add chain=output connection-state=invalid action=jump jump-target=drop comment="Drop invalid connections"

add chain=forward action=jump jump-target=sanity-check comment="Sanity Check Forward"
add chain=sanity-check packet-mark=nat-traversal action=jump jump-target=drop comment="Deny illegal NAT traversal"
add chain=sanity-check protocol=tcp psd=20,3s,3,1 action=add-src-to-address-list address-list=blocked-addr address-list-timeout=1d disabled=yes comment="Block port scans"
add chain=sanity-check protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack action=add-src-to-address-list address-list=blocked-addr address-list-timeout=1d comment="Block TCP Null scan"
add chain=sanity-check protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list=blocked-addr address-list-timeout=1d comment="Block TCP Xmas scan"
add chain=sanity-check protocol=tcp tcp-flags=!fin,!syn,!rst,!ack action=jump jump-target=drop comment="TCP flags and Port 0 attacks"
add chain=sanity-check protocol=tcp src-address-list=blocked-addr action=jump jump-target=drop comment="Drop addresses from blocked-addr list"
add chain=sanity-check protocol=tcp tcp-flags=fin,syn action=jump jump-target=drop comment="Drop TCP SYN+FIN"
add chain=sanity-check protocol=tcp tcp-flags=fin,rst action=jump jump-target=drop comment="Drop TCP FIN+RST"
add chain=sanity-check protocol=tcp tcp-flags=fin,!ack action=jump jump-target=drop comment="Drop TCP FIN+!ACK"
add chain=sanity-check protocol=tcp tcp-flags=fin,urg action=jump jump-target=drop comment="Drop TCP FIN+URG"
add chain=sanity-check protocol=tcp tcp-flags=syn,rst action=jump jump-target=drop comment="Drop TCP SYN+RST"
add chain=sanity-check protocol=tcp tcp-flags=rst,urg action=jump jump-target=drop comment="Drop TCP RST+URG"
add chain=sanity-check protocol=tcp src-port=0 action=jump jump-target=drop comment="Drop port 0 src,TCP"
add chain=sanity-check protocol=tcp dst-port=0 action=jump jump-target=drop comment="Drop port 0 dst,TCP"
add chain=sanity-check protocol=udp src-port=0 action=jump jump-target=drop comment="Drop port 0 src,UDP"
add chain=sanity-check protocol=udp dst-port=0 action=jump jump-target=drop comment="Drop port 0 src,UDP"
add chain=sanity-check connection-state=invalid action=jump jump-target=drop comment="Dropping invalid connections at once"
add chain=sanity-check connection-state=established action=accept comment="Accepting already established connections"
add chain=sanity-check connection-state=related action=accept comment="Also accepting related connections"
add chain=sanity-check dst-address-type=broadcast,multicast action=jump jump-target=drop comment="Drop all traffic that goes to multicast or broadcast addresses"
add chain=sanity-check in-interface=LANbridge dst-address-list=bogons dst-address-type=!local action=jump jump-target=drop comment="Drop illegal destination addresses"
add chain=sanity-check in-interface=LANbridge src-address-list=!local-addr action=jump jump-target=drop comment="Drop everything that goes from local interface but not from local address"
add chain=sanity-check in-interface=WAN src-address-list=bogons action=jump jump-target=drop comment="Drop illegal source addresses"
add chain=sanity-check src-address-type=broadcast,multicast action=jump jump-target=drop comment="Drop all traffic that comes from multicast or broadcast addresses"

add chain=input src-address-type=local dst-address-type=local action=accept comment="Allow local traffic (between router applications)"
add chain=input in-interface=LANbridge dst-address=255.255.255.255 dst-port=5678 protocol=udp action=accept comment="Allow The Router to be visible via Neighbor Discovery to WinBox"
add chain=input action=jump jump-target=sanity-check comment="Sanity Check"
add chain=input dst-address-type=!local action=jump jump-target=drop comment="Dropping packets not destined to the router itself, including all broadcast traffic"
add chain=input protocol=icmp icmp-options=8:0-255 limit=5,5 action=accept comment="Allow pings, but at a very limited rate (5 packets per sec)"
add chain=input in-interface=LANbridge action=jump jump-target=local-services comment="Allowing some services to be accessible from the local network"
add chain=input in-interface=WAN action=jump jump-target=public-services comment="Allowing some services to be accessible from the Internet"
add chain=input action=jump jump-target=drop comment="jump -> drop"

add chain=local-services protocol=tcp dst-port=22 action=accept comment="SSH (22/TCP)"
add chain=local-services protocol=udp dst-port=53 action=accept comment="DNS"
add chain=local-services protocol=tcp dst-port=53 action=accept comment="DNS"
add chain=local-services protocol=tcp dst-port=8844 action=accept disabled=no comment="Winbox (8844/TCP)"

add chain=local-services action=accept disabled=no dst-port=123 protocol=udp comment=NTP
add chain=local-services action=accept disabled=no dst-port=5678 protocol=udp comment="Neighbor discovery"
add chain=local-services action=log disabled=no comment="Temporary logging to check for things we should not drop"
add chain=local-services action=drop disabled=yes comment="DROP EVERYTHING | check twice before enabling this"

add chain=public-services protocol=tcp dst-port=8000 action=accept disabled=no comment="DVR/NVR"
add chain=public-services protocol=tcp dst-port=8844 action=accept disabled=no comment="Winbox (8844/TCP)"
add chain=public-services action=log  disabled=no comment="Temporary logging to check for things we should not drop"
add chain=public-services action=drop disabled=yes comment="DROP EVERYTHING | check the log twice before enabling this"

add chain=drop action=log disabled=no comment="Temporary logging if we need to see what is actually dropped"
add chain=drop action=drop disabled=yes comment="DROP EVERYTHING | check the log twice before enabling this"

anav · Mon Jan 07, 2019 4:07 pm

What mikrotik unit do you have and what version of firmware.
That is the most bizarre setup I have seen, can you point us to the source of that setup??
If the sources you are using are older than 2017 throw them out the window, at least for a basic start to a setup.

lrn23 · Tue Jan 08, 2019 10:21 am

I have few RB750Gr3 RBs with the latest fw (6.43.

. I would like to use them as gateways.

Sources:
https://wiki.mikrotik.com/wiki/NetworkP ... irewalling (not available anymore, but it's available here: http://mikrotik.net.pl/wiki/NetworkPro_w_firewallu)
https://wiki.mikrotik.com/wiki/Dmitry_on_firewalling (not available anymore)
viewtopic.php?t=83387

Yes, the're quite old. What should I use for inspiration how this should be done?

I really appreciate any help. Thank you!

mkx · Tue Jan 08, 2019 11:14 am

What is your use case?

Quite probably it's nothing special and default mode fits fine. Perform reset to factory default settings and only change things you know you should change. Mind that default FW settings are decent to protect your router and your LAN from evil internet. If you're on the paranoid side, then you might want to add restrictions to protect internet from evil LAN users though.

lrn23 · Tue Jan 08, 2019 12:08 pm

I want to use these RBs in small corporate branches as gateways. There are not so many employees, but the network should be well protected. I only need to allow and forward few ports on RB because of NVR and electronic security system. Beside this, there would be only DHCP server and few DNS static records set on RB. These branches will be connected via site2site IPsec to the headquaters in the future, because there is a need to manage devices in that area remotely.

mkx · Tue Jan 08, 2019 12:11 pm

I only need to allow and forward few ports on RB because of NVR and electronic security system.

Forward from WAN to LAN ... or limit connections from LAN to WAN?

If the former, then start with default setup and add needed forwardings. Also for the rest of duties default is a good basis.
If the later, then you can again start from default, but construct a few restrictive rules for traffic direction from LAN to WAN (default config allows everything in this direction).

lrn23 · Tue Jan 08, 2019 2:47 pm

Forward from WAN to LAN. Because of the access to the NVR.

This is default firewall configuration:

/ip firewall filter
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=input comment="defconf: drop all from WAN" in-interface=ether1
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface=ether1
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface=ether1

So you say, this is all I need? I only have to add dstnat rules and that's all? Having address lists and checking bogon IPs is nonsense? Or other things like trying to block port scans?
Also suggestions in this thread are not up to date? - viewtopic.php?t=83387

mkx · Tue Jan 08, 2019 4:07 pm

Hmmm .. which ROS version? Recent ROS versions operate with interface lists, so firewall rules would refer to in-interface-list=WAN instead of in-interface=ether1.

Never the less, the above is quite sane default FW config that doesn't allow any WAN connectivity to router and no WAN connectivity towards LAN if connections are not NAT-ed explicitly.

If you need to do some port forwarding, you do it in /ip firewall nat ... but make sure you limit connectivity to those ports somehow - you can use some filters to limit access to few select WAN addresses.

Checking bogon IPs doesn't make much sense if you have general drop all rule. Which defends your LAN from evil internet. Default FW doesn't prevent bogons from pesering poor internet so if you want to defend internet from evil yourself, you may add those bogons filtering and what not. Port scanning might add tiny bit of security, but it isn't guaranteed. It assumes that attacker will try some random (in your setup that is) ports before knocking on a port which is open in your setup. And listing and banning port knockers aims at preventing a port knocker to access otherwise allowed service. Some other rules might be non-issue ... for example the rule which drops packets with both SYN and FIN bits set. Those should be marked as invalid and droped by more general rule anyway...

Again, the suggestions make sense as they add tiny bit of security. However, you have to understand what they do not to block yourself without expecting it.

R1CH · Tue Jan 08, 2019 5:20 pm

A default drop is generally much better than adding lots of other rules for port scans, address filters, weird TCP flags etc. On embedded devices like routerboards you have limited CPU time, having lots of filter rules running on each packet opens you up to a resource exhaustion DoS.

anav · Tue Jan 08, 2019 6:07 pm

The ones in red would be what I would remove and replaced in blue plus comments and additions.

/ip firewall filter
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp (optional)
add action=accept chain=input comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=input comment="Drop all invalid packets" connection-state=invalid
add action=accept chain=input comment="Allow ADMIN to Router" \
in-interface-list=LAN src-address-list=adminaccess (make a firewall address list of IPs that you want to use to access the router)
add action=drop chain=input comment="defconf: drop all from WAN" in-interface=ether1
add action=drop chain=input comment="drop all else"

add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=forward comment="allow port forwarding" connection-nat-state=dstnat (only required if you will be port forwarding)
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface=ether1
add action=drop chain=forward comment="Drop all else"

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface=ether1
Add any needed port forwarding rules here.

The other thing to think about is DNS.
But that could be a next step.

add action=accept chain=input comment="Allow LAN DNS queries-UDP" dst-port=53 \
in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Allow LAN DNS queries - TCP" dst-port=\
53 in-interface-list=LAN protocol=tcp

Also to allow LAN to WAN traffic...........
add action=accept chain=forward comment="ENABLE LAN to WAN" in-interface=\
"nameofyourbridge" log-prefix="ALLOWED LAN 2 WAN TRAFFIC" out-interface-list=WAN \

lrn23 · Wed Jan 09, 2019 1:43 pm

Hmmm .. which ROS version? Recent ROS versions operate with interface lists, so firewall rules would refer to in-interface-list=WAN instead of in-interface=ether1.

Yes, you're right. I forgot to update new RB before exporting configuration.
Thank you for explanation.

lrn23 · Wed Jan 09, 2019 1:45 pm

A default drop is generally much better than adding lots of other rules for port scans, address filters, weird TCP flags etc. On embedded devices like routerboards you have limited CPU time, having lots of filter rules running on each packet opens you up to a resource exhaustion DoS.

Ok, I get it. Thank you!

lrn23 · Wed Jan 09, 2019 2:06 pm

2 anav: Thank you! I have one question. Isn't better to use this single rule:

add action=drop chain=forward comment="drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface=ether1

Insted of these 3 rules when I need to forward ports frow WAN to LAN?

add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat (only required if you will be port forwarding)
add action=accept chain=forward comment="ENABLE LAN to WAN" in-interface=bridge log-prefix="ALLOWED LAN 2 WAN TRAFFIC" out-interface-list=WAN
add action=drop chain=forward comment="Drop all else"

mkx · Wed Jan 09, 2019 4:16 pm

The two possibilities are not actually the same. Which one is better depends on needs.

The first possibility drops all connections from WAN (router's ingress port is ether1) towards anywhere (router's egress port is not limited and can be any port, including ether1) which are not implicitly allowed by DST-NAT rules. All other connections (including any LAN to WAN) are implicitly allowed.

The second possibility first explicitly allows connections allowed by DST-NAT rules. Then it allows connections with (router's) ingress port bridge (that includes all physical interfaces which are members of said bridge, including wireless, various PPP tunels, etc.) and with egress port which is member of WAN interface list. At the end it explicitly drops all other connections.

At first sight they might seem the same. But consider the case where you have more than one LAN subnet. The first possibility does not care about inter-subnet connections (so unlimited inter-subnet connectivity is allowed), neither it cares about potential limitations of internet availability to different subnets. The second possibility blocks inter-subnet connections and only allows internet access to one particular LAN subnet - the one to which bridge interface belongs to (i.e. bridge interface has an IP address, belonging to one of subnets, acting as default gateway for that subnet. Other subnets might end up on vlan interface or another bridge with different name).

anav · Wed Jan 09, 2019 5:02 pm

to add to what MKX stated.
I have a DMZ LAN setup on my router using etherport 4, which is not on the bridge.
My rules prevent the router from allowing cross talk between my bridge traffic (vlans and normal LAN) and the DMZ LAN.
I also have VLANs on the bridge.
To allow them access to internet traffic I also make VLAN to WAN rules.

As i stated I like the clean simplicity of the last rule being drop all.
Then it become crystal clear that anything I want to allow simply has to be added before the rule.

lrn23 · Thu Jan 10, 2019 11:41 am

Thank you guys for clarification! The second approach looks better even from future config modification point of view. I'll use that one. So I think this would be my configuration:

/ip firewall nat
add chain=srcnat action=masquerade ipsec-policy=out,none out-interface-list=WAN comment="masquerade"
add chain=dstnat in-interface=WAN dst-port=8500 action=dst-nat protocol=tcp to-addresses=192.168.1.200 to-ports=8500 comment="dstnat NVR"

/ip firewall filter

# Input
add action=accept chain=input connection-state=established,related,untracked comment="accept established,related,untracked"
add action=drop chain=input connection-state=invalid comment="drop invalid"
add action=accept chain=input protocol=icmp comment="Accept ICMP"
add action=accept chain=input in-interface-list=WAN src-address-list=adminaccess protocol=tcp dst-port=8555 comment="Allow Winbox (8555/TCP) on WAN for adminaccess address list"
add action=accept chain=input in-interface-list=LAN protocol=tcp dst-port=8555 comment="Allow Winbox (8555/TCP) on LAN"
add action=accept chain=input dst-port=53 protocol=udp in-interface-list=LAN comment="Allow LAN DNS queries - UDP"
add action=accept chain=input dst-port=53 protocol=tcp in-interface-list=LAN comment="Allow LAN DNS queries - TCP"
add action=drop chain=input comment="Drop all input"

# Forward
add action=accept chain=forward ipsec-policy=in,ipsec comment="Accept in ipsec policy"
add action=accept chain=forward ipsec-policy=out,ipsec comment="Accept out ipsec policy"
add action=fasttrack-connection chain=forward connection-state=established,related comment="Fasttrack"
add action=accept chain=forward connection-state=established,related,untracked comment="Accept established,related, untracked"
add action=drop chain=forward connection-state=invalid comment="Drop invalid"
add action=accept chain=forward connection-nat-state=dstnat comment="Allow port forwarding"
add action=accept chain=forward in-interface-list=LAN log-prefix="ALLOWED LAN 2 WAN TRAFFIC" out-interface-list=WAN comment="Enable LAN to WAN" 
add action=drop chain=forward comment="Drop all"

It's the configuration from the latest firmware version modified as suggested. There are some default ipsec rules I left there, because I want to set up ipsec site to site tunnel as soon as possible so I could close WAN winbox port. I need to manage that device remotely and devices behind it too. Maybe I could set up at least site to site tunnel with passphrase which is working for me instead of opening that port even though it's access is limited to few IP addresses. I want to use site to site tunnel with certificates, but I have problems to make it work with Kerio Control firewall.

mkx · Thu Jan 10, 2019 1:20 pm

Your latest config looks sane to me.

anav · Thu Jan 10, 2019 2:36 pm

The only thing that concerns me is that you have two rules in input for WINBOX access.
I think you may have gotten mixed up on this.

Basically its allow whatever lanips you wish (think you will use to access winbox) to have to be able to access winbox.

input, allow, source-address-list (of LANIPs), in-interface=LAN or possibly homebridge etc..........
There is nothing wrong with stating the whole LAN, but that would include anybody on a VLAN such as those using guest wifi etc.....
Better to narrow it down at least to a subnet (home users, NO guests)
By the way I am hoping that you have listed a false number for your WINBOX access as that is not something to advertise

Where I take concern is the first rule. It seems here you have allowed external wan access to your winbox without any encryption.
Suggesting any external access to WINBOX use a port knocking technique AT A MINIMUM, and better use VPN to gain access tot he router and then get to the WInbox from there.

lrn23 · Fri Jan 11, 2019 2:58 pm

2 mkx: ok, thank you!

2 anav: Yes, you're right. I should tighten those WinBox rules. There should be no guests on LAN, but I could limit access to RB on one IP address for example. In case of WAN interface, this should be only temporary solution. Buť it's true, it doesn't take so long to configure VPN. I was finally able to establish site2site IPsec tunnel using certificates yesterday, so I could limit it to access only via IPsec tunnel.

So please, do you have any recommendations how to deal with IPsec site2site in case of firewall? Can I somehow target traffic going in/out of IPsec tunnel? Or I have only one possibility and that's targetting traffic using network subnets?

And yes, it's fake WinBox port

firewall rules

firewall rules

Re: firewall rules

Re: firewall rules

Re: firewall rules

Re: firewall rules

Re: firewall rules

Re: firewall rules

Re: firewall rules

Re: firewall rules

Re: firewall rules

Re: firewall rules

Re: firewall rules

Re: firewall rules

Re: firewall rules

Re: firewall rules

Re: firewall rules

Re: firewall rules

Re: firewall rules

Re: firewall rules

Who is online