razza
just joined
Topic Author
Posts: 10
Joined: Sat Aug 25, 2012 1:37 pm

Newbie Firewall help.

Sun Dec 13, 2020 9:04 pm

Why is the rule:
add action=drop chain=forward connection-state=new connection-type="" \
    dst-address=192.168.10.140 in-interface=ether2 log=yes out-interface=\
    ether1
not stopping an SSH connection from 192.168.86.2 (ether2) to 192.168.10.140 (ether1)?

If I disable the forward all rule:
add action=accept chain=forward connection-state=new in-interface=ether2 \
    out-interface=ether1
It stops connecting along with everything else.

Complete ruleset:
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked disabled=yes
add action=drop chain=input comment="Drop Invalid" connection-state=invalid
add action=drop chain=forward connection-state=new connection-type="" \
    dst-address=192.168.10.140 in-interface=ether2 log=yes out-interface=\
    ether1
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="Winbox accept" dst-port=8291 \
    in-interface=ether1 protocol=tcp src-address=192.168.10.10-192.168.10.254
add action=accept chain=input connection-state=new dst-port=8291 \
    in-interface=ether2 protocol=tcp src-address=192.168.86.2
add action=drop chain=input comment="Drop all NOT coming from Ether1" \
    disabled=yes in-interface=!ether1
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    disabled=yes ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=accept chain=forward comment="RDP (Any)  to 192.168.86.2" \
    connection-state=new dst-address=192.168.86.2 in-interface=ether1 \
    out-interface=ether2 protocol=tcp
add action=accept chain=forward connection-state=new in-interface=ether2 \
    out-interface=ether1
add action=drop chain=forward comment="Drop New" connection-state=new
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface=ether1
Thanks in advance :-)
 
razza
just joined
Topic Author
Posts: 10
Joined: Sat Aug 25, 2012 1:37 pm

Re: Newbie Firewall help.

Sun Dec 13, 2020 9:20 pm

I was doing all the config in Winbox. When I posted here I noticed the connection-type="" part. Removing that fixed it.
I am kinda surprised that broke the rule. Would love to know why please.

Original rule
add action=drop chain=forward connection-state=new connection-type="" \
    dst-address=192.168.10.140 in-interface=ether2 log=yes out-interface=\
    ether1
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: Newbie Firewall help.

Sun Dec 13, 2020 9:33 pm

I'd say because connection-type="" doesn't match on any of the possible values of connection-type (new, established, related, untracked, invalid).

Other than that, have a look at what a stateful firewall means and how it works. Basically all the filter rules should be placed after the initial "accept untracked,established,related" and "drop invalid" ones in each chain, because only connection-state=new packets get past those two rules. So the decision whether or not to allow the whole connection is made once, using those rules handling new packets, and packets belonging to accepted connections are then handled by a single rule (accept established,related,untracked). And you don't need to match on connection-state=new (which also consumes a small bit of CPU).
 
razza
just joined
Topic Author
Posts: 10
Joined: Sat Aug 25, 2012 1:37 pm

Re: Newbie Firewall help.

Sun Dec 13, 2020 10:21 pm

It's connection-type not connection-state.
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: Newbie Firewall help.

Sun Dec 13, 2020 10:32 pm

I've misread that (because connection-type is rarely used), but it's the same case. "" doesn't match any value of connection-type so the rule as a whole never matches.
 
anav
Forum Guru
Posts: 19371
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Newbie Firewall help.

Sun Dec 13, 2020 10:42 pm

Unplug your router from the internet; it is in a very unsafe condition.
You have given access to your Winbox port to the whole world.
Assuming ether1 is your WAN port......
The source addresses you put in there are no protection.
Only use a VPN tunnel to config the router from external locations.

add action=accept chain=input comment="Winbox accept" dst-port=8291 \
    in-interface=ether1 protocol=tcp src-address=192.168.10.10-192.168.10.254
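Putting sindy's ordering advice and anav's Winbox warning into one ruleset: the snippet below is an added example written for this thread, not razza's export and not either replier's own configuration. It assumes ether1 is the WAN side and ether2 the LAN side, that the LAN is 192.168.86.0/24 (only 192.168.86.2 appears in the thread, so the /24 is an assumption), keeps the addresses from the thread, drops the `connection-type=""` matcher (which matches nothing, so the rule never fires) from the SSH-blocking rule, enables the stateful accept rule that was disabled in the original input chain, and puts every per-connection policy rule behind the stateful accept/drop rules so those rules only ever see the first packet of a new connection. Winbox is accepted from the LAN interface only; nothing on ether1 can reach the router's management port, regardless of source address.

```routeros
/ip firewall filter
# ---- input chain: traffic addressed to the router itself ----
# stateful rules first: anything that is not a new connection is decided here
add action=accept chain=input comment="accept established,related,untracked" \
    connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="accept ICMP" protocol=icmp
# management only from the LAN side; assumed LAN range 192.168.86.0/24
add action=accept chain=input comment="Winbox from LAN only" dst-port=8291 \
    in-interface=ether2 protocol=tcp src-address=192.168.86.0/24
# no rule accepts Winbox on ether1 (WAN): the source-address filter alone was no protection
add action=drop chain=input comment="drop everything else aimed at the router"

# ---- forward chain: traffic passing through the router ----
add action=fasttrack-connection chain=forward comment="fasttrack established,related" \
    connection-state=established,related
add action=accept chain=forward comment="accept established,related,untracked" \
    connection-state=established,related,untracked
add action=drop chain=forward comment="drop invalid" connection-state=invalid
# policy rules: only new connections reach this point, so connection-state=new is unnecessary
# the original connection-type="" matcher is removed; with it the rule never matched
add action=drop chain=forward comment="block LAN -> 192.168.10.140" \
    dst-address=192.168.10.140 in-interface=ether2 out-interface=ether1 log=yes
add action=accept chain=forward comment="RDP (Any) to 192.168.86.2" \
    dst-address=192.168.86.2 in-interface=ether1 out-interface=ether2 protocol=tcp
add action=accept chain=forward comment="LAN -> WAN" in-interface=ether2 \
    out-interface=ether1
add action=drop chain=forward comment="drop every other new connection"
```

The specific drop rule must stay above the broad "LAN -> WAN" accept, because the forward chain is evaluated top to bottom and the first match wins; with `log=yes` on it, a blocked SSH attempt from 192.168.86.2 shows up in the router log, which is the quickest way to confirm the rule is actually matching before trusting it.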
 
razza
just joined
Topic Author
Posts: 10
Joined: Sat Aug 25, 2012 1:37 pm

Re: Newbie Firewall help.

Sun Dec 13, 2020 11:06 pm

Thanks Sindy.

Anav, it's sitting in a private network. Worry not :-)
 
anav
Forum Guru
Posts: 19371
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Newbie Firewall help.

Mon Dec 14, 2020 7:41 pm

phew!!! Happy routing LOL.
