Nazralte
just joined
Topic Author
Posts: 19
Joined: Wed Jun 06, 2018 3:34 pm

Viewing network traffic question

Wed Feb 27, 2019 10:10 pm

Since we are a vendor of sorts, we require our PC to be scanned by a PCI compliance company. For some reason the scan keeps failing and I am not sure why.
They gave me a couple of IP addresses that the scan will originate from.

So my question revolves around the best way to view traffic on the router. I really only know of Torch, but I am not sure if that shows me traffic that the firewall blocks. I want to be able to see if the scan is reaching the router and being blocked for some reason.

At this point I am not sure if the firewall is the cause or not. We actually have had a PCI scan from another company that worked just fine. So hopefully someone can tell me how to view traffic before the firewall.

Thanks
 
sebastia
Forum Guru
Posts: 1782
Joined: Tue Oct 12, 2010 3:23 am
Location: Antwerp, BE

Re: Viewing network traffic question

Wed Feb 27, 2019 10:34 pm

With packet sniffer (/tools sniffer) you can capture any packet data that arrives / leaves an interface, before any / after all respectively, processing has happened to it.
(And for completeness, anything that's allowed can be viewed in connection tracking)
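The commands behind the two tools named above, as an added example that is not part of sebastia's post. It assumes ether1 is the WAN port and uses 203.0.113.10 and 203.0.113.11 as placeholder scanner addresses; substitute the ones the scanning company gave you.

```routeros
# Added example (not from the post). Capture what the scanner sends to the
# WAN port before the firewall touches it, then compare with what got through.
# Assumptions: ether1 = WAN, 203.0.113.10/.11 = placeholder scanner source IPs.

# Quick mode streams matching packets to the terminal while the scan runs.
/tool sniffer quick interface=ether1 ip-address=203.0.113.10

# Buffered mode: filter on both scanner addresses, inbound only, then inspect.
/tool sniffer set filter-interface=ether1 \
    filter-ip-address=203.0.113.10/32,203.0.113.11/32 \
    filter-direction=rx
/tool sniffer start
# ... have the scanning company run the scan ...
/tool sniffer stop
/tool sniffer packet print
# Optional: write a pcap to the router's file store for Wireshark.
/tool sniffer save file-name=pci-scan.pcap

# Connection tracking only lists flows the firewall let through, so a packet
# that appears in the sniffer but never as a connection was dropped in between.
/ip firewall connection print where src-address~"^203.0.113."
```

The sniffer sees every frame on the interface regardless of filter rules, so it answers "is the scan reaching the router at all"; the connection list answers "did the firewall let it in". Seeing an address in the first but not the second points at the filter chains.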
 
Nazralte
just joined
Topic Author
Posts: 19
Joined: Wed Jun 06, 2018 3:34 pm

Re: Viewing network traffic question

Thu Mar 07, 2019 7:00 pm

Just to be clear, since now I have seen the traffic from the PCI scan, if I look at the connections and that IP address from the PCI scan is not there, it is being blocked by the firewall?

The only thing I have tried so far is just going into the firewall rules and did a simple chain forward, action accept on the source IP. And I put it near the top of the firewall rules.

Is there a better way to make sure traffic from the PCI scan makes it through the firewall?
 
Van9018
Long time Member
Posts: 558
Joined: Mon Jun 16, 2014 6:26 pm
Location: Canada - Abbotsford

Re: Viewing network traffic question

Fri Mar 08, 2019 9:23 am

I thought the purpose of the PCI Compliance scan was to check for open ports and predictive PAT. They'll check for things such as downgrade attacks on servers you may have exposed to the internet. Some routers will have security where it detects and blocks port scanners. They want you to disable that type of feature for their IPs so they can scan, discover, and test any ports you have forwarded. That's why they give you their IPs.

The rest will be a questionnaire, or maybe they'll want you to run software on a PC internally that checks your system and firewall. For payment terminals, I usually split off a port on the Mikrotik. Put it on its own LAN and add firewall rules to disallow traffic between the two LANs. If you store credit cards anywhere on a computer, the questionnaire becomes quite involved.
 
Nazralte
just joined
Topic Author
Posts: 19
Joined: Wed Jun 06, 2018 3:34 pm

Re: Viewing network traffic question

Fri Mar 08, 2019 9:09 pm

Yes Van9018, that is correct. Part of the scan is failing because it says it can't reach the PC. We use a PC for payment and such, not a terminal like you would see at a gas station.

Sooo, right now I am trying to make sure that based on the IP addresses the company gave me I can allow that traffic through. I am OK with the general network stuff, just not so good with firewall settings. I just need a simple "traffic from this IP can go through" rule.

Thanks all!
 
AlainCasault
Trainer
Posts: 632
Joined: Fri Apr 30, 2010 3:25 pm
Location: Prévost, QC, Canada

Re: Viewing network traffic question

Fri Mar 08, 2019 9:33 pm

Hello Nazralte,

1st thing to do is make sure your catch-all rules log traffic reaching them.

As you indicate not being so good w/ firewalls, I'll give you more information, hoping I'm not treating you like a child ;)

Catch-all rules just drop and log whatever was not processed by the previous rules, thus the name. These last two rules should be like:

Chain=input
In-interface= <WAN port>
Action=Drop
Log=yes
Log-prefix="catch-all-in"

Chain=forward
In-interface= <WAN port>
Action=Drop
Log=yes
Log-prefix="catch-all-fwd"

Then, open the LOG window, redo a test and you'll see if traffic from the PCI company is being dropped. You'll also get some basic info from dropped traffic like src and dst IP addresses, protocol and port.

You may need to freeze the log display to have time to write it down. Worst case, open a CLI window and use /log print.

Once you have the traffic characteristics (if traffic is being dropped), you can now write rules that will allow said traffic.

Cheers,
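The same two catch-all rules in CLI form, as an added example that is not part of AlainCasault's post. It assumes ether1 is the WAN port; the scanner address 203.0.113.10 in the log filter is a placeholder.

```routeros
# Added example (not from the post). Catch-all drop+log rules as the LAST
# rule of the input and forward chains, plus how to read what they logged.
# Assumptions: ether1 = WAN, 203.0.113.10 = placeholder scanner source IP.

# 'add' without place-before appends, so these land after your existing
# accept rules (established/related etc.); that ordering is what makes them catch-alls.
/ip firewall filter add chain=input in-interface=ether1 action=drop \
    log=yes log-prefix="catch-all-in" \
    comment="catch-all: log and drop anything else arriving on WAN for the router"
/ip firewall filter add chain=forward in-interface=ether1 action=drop \
    log=yes log-prefix="catch-all-fwd" \
    comment="catch-all: log and drop anything else arriving on WAN for the LAN"

# Confirm they are last in their chains.
/ip firewall filter print

# After rerunning the scan, pull just the catch-all lines instead of
# reading the whole log window; narrow further by the scanner's source.
/log print where message~"catch-all"
/log print where message~"catch-all" && message~"203.0.113.10"

# The memory log keeps a limited number of lines; raise it for the test
# window so a noisy WAN does not push the scan entries out before you read them.
/system logging action set memory memory-lines=5000
```

A logged entry carries the prefix, chain, in/out interface, protocol (with TCP flags) and src:port->dst:port, which is exactly the set of fields you need to write the matching accept rule. Turn log=yes back off on the catch-alls once the test is over; on a WAN port they otherwise fill the log with background scan noise.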
 
Nazralte
just joined
Topic Author
Posts: 19
Joined: Wed Jun 06, 2018 3:34 pm

Re: Viewing network traffic question

Fri Mar 08, 2019 10:34 pm

OK, after getting a scan done today while running packet sniffer I saw two things. First, under packets, I did see traffic from the PCI scan. It shows up multiple times because it tries multiple ports, but they are trying to go to the correct destination IP address.

Second thing is I looked at connections, and the same IP traffic from the PCI scan was there as well. The bytes, however, were 0/0. Not sure if this means that a connection was made or not.

Also, I did try making a firewall and nat rule to allow the traffic, but it didn't look like there was any traffic there either.

If this doesn't mean much of anything, then I will proceed to implement the catch-all rule next week and see.

Thanks again for the help
 
Van9018
Long time Member
Posts: 558
Joined: Mon Jun 16, 2014 6:26 pm
Location: Canada - Abbotsford

Re: Viewing network traffic question

Mon Mar 11, 2019 10:32 pm

"I just need a simple "traffic from this IP can go through" rule."
To do this, you can create a NAT rule. In Winbox, it's under IP > Firewall, click the NAT tab.
Create Rule: chain=dst-nat, src-ip=<Scanner IP>, in-interface=ether1, action=dst-nat, to-address=<IP of internal PC>

You can create a 2nd rule for the second IP, or instead use an address list.
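The address-list variant of Van9018's suggestion, with the filter rules that have to accompany the NAT rule, as an added example that is not part of the post. It assumes ether1 is the WAN port, 192.168.88.50 is the payment PC, and 203.0.113.10/.11 are placeholder scanner addresses. Note that in the CLI the NAT chain is named dstnat while the action is dst-nat.

```routeros
# Added example (not from the post). Give only the scanner's source
# addresses a path to the payment PC, and make the exposure expire.
# Assumptions: ether1 = WAN, 192.168.88.50 = payment PC,
#              203.0.113.10/.11 = placeholder scanner IPs.

# One list holds both scanner IPs; the timeout removes them after the scan window.
/ip firewall address-list add list=pci-scanners address=203.0.113.10 \
    timeout=2d comment="PCI ASV scanner"
/ip firewall address-list add list=pci-scanners address=203.0.113.11 \
    timeout=2d comment="PCI ASV scanner"

# A dst-nat rule alone is not enough if the forward chain drops new
# connections from WAN, so accept the scanner in both chains first.
# place-before=0 puts each rule at the top of its chain, ahead of any drop.
/ip firewall filter add chain=input in-interface=ether1 \
    src-address-list=pci-scanners action=accept place-before=0 \
    comment="PCI scanner -> router"
/ip firewall filter add chain=forward in-interface=ether1 \
    src-address-list=pci-scanners action=accept place-before=0 \
    comment="PCI scanner -> LAN"

# Redirect everything the scanner sends to the WAN address to the PC.
# src-address-list keeps this from exposing the PC to anyone else.
/ip firewall nat add chain=dstnat in-interface=ether1 \
    src-address-list=pci-scanners action=dst-nat to-addresses=192.168.88.50 \
    comment="PCI scanner -> payment PC"

# Review, and remove everything by comment once the scan report is in.
/ip firewall filter print where comment~"PCI scanner"
/ip firewall nat print where comment~"PCI scanner"
/ip firewall filter remove [find comment~"PCI scanner"]
/ip firewall nat remove [find comment~"PCI scanner"]
```

Because the accept rules are matched on the source list rather than on a port, the scanner can probe every port on the PC, which is what the ASV needs; the list timeout and the remove-by-comment step are there so the forwarded PC does not stay reachable from those addresses after the scan.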