karentom
newbie
Topic Author
Posts: 34
Joined: Fri Dec 30, 2011 12:51 pm

firewall filter - missing packets and bytes

Tue Jan 03, 2012 6:54 pm

I added this firewall filter action to see all addresses that try to establish a UDP connection to the MikroTik UDP port 500

/ip firewall filter
add action=add-src-to-address-list address-list=important \
address-list-timeout=1d chain=input disabled=no dst-port=500 \
in-interface=pppoe-out1 protocol=udp src-port=500

and the problem is that today I found three different IP addresses in address list = "important", but at the same time, through Winbox Firewall/Filter rules, I can see that bytes are 0B (zero) and packets are also 0 (zero), indicating that no traffic was related to that action.

How is that possible? That some filter rule added some addresses to the specified address list and at the same time it indicates 0 (zero) traffic and 0 (zero) packets?

Please provide some comments, because this is a serious security issue from my perspective. tnx!

I have version 5.9 at the moment. I cannot replicate this problem, because when I try to establish a connection (IKE) from my PC, the MikroTik firewall rule indicates packets and bytes as it should, as it is expected.
 
karentom
newbie
Topic Author
Posts: 34
Joined: Fri Dec 30, 2011 12:51 pm

Re: firewall filter - missing packets and bytes

Wed Jan 04, 2012 6:02 pm

I have used MikroTik for several years (two instances: one in my office (dedicated server) and the other at home (RB433)) and I never saw this happen until now.
Can someone from MT support comment on whether this is possible: that some filter rule is triggered and executes its function (add-src-to-address-list), and that no traffic is registered on that rule, 0 bytes 0 packets? And that happened 3 times in one day (3 different unknown public IP addresses added to the address list without traffic and packets shown).
Is this possible, or is it a bug?
 
karentom
newbie
Topic Author
Posts: 34
Joined: Fri Dec 30, 2011 12:51 pm

Re: firewall filter - missing packets and bytes

Fri Jan 13, 2012 1:09 am

Can someone please provide some thoughts.
Is it possible that a firewall filter rule is triggered and at the same time traffic is shown as zero (0) on that rule??

I think that this is a security hole and possibly a bug!?

Any kind of support would be very appreciated!
 
nest
Forum Veteran
Posts: 822
Joined: Tue Feb 27, 2007 1:52 am
Location: UK

Re: firewall filter - missing packets and bytes

Fri Jan 13, 2012 2:35 am

Please post your complete exported firewall config and we might then see how this is happening?
 
karentom
newbie
Topic Author
Posts: 34
Joined: Fri Dec 30, 2011 12:51 pm

Re: firewall filter - missing packets and bytes

Sat Jan 14, 2012 2:08 am

Thank you in advance!!

Here it is, very simple:

/ip firewall filter
add action=add-src-to-address-list address-list=importantad address-list-timeout=1d chain=input disabled=no dst-port=500 in-interface=pppoe-out protocol=udp src-port=500
add action=accept chain=input disabled=no in-interface=pppoe-out protocol=ipsec-esp
add action=accept chain=input disabled=no dst-port=500 in-interface=pppoe-out protocol=udp src-port=500
add action=accept chain=input disabled=no dst-port=1701 in-interface=pppoe-out protocol=udp src-port=1701
add action=drop chain=input disabled=no in-interface=pppoe-out
add action=drop chain=forward connection-state=new disabled=no in-interface=pppoe-out
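To make the counter question concrete, here is a small added model (written for this thread, not RouterOS code) that parses the filter export posted above and walks the input chain the way RouterOS does for a constructed IKE packet and a constructed unsolicited TCP/22 probe, tracking what Winbox would show: per-rule packet/byte counters and the address-list side effect. It assumes that add-*-to-address-list, log and passthrough do not terminate rule processing while accept and drop do (that is how RouterOS documents them, but verify on your version), it models only the matchers the posted rules use, and the `reset_counters` function stands in for the RouterOS `reset-counters` command. The thread never establishes why the list was populated with zero counters; the reset step only shows one benign state transition that leaves exactly that picture (entries with a 1d timeout survive, counters do not), which is worth ruling out before treating it as a security hole.

```python
"""Toy model of RouterOS filter-chain evaluation (added illustration, not
RouterOS code). Parses '/ip firewall filter' export lines and tracks the
per-rule counters Winbox displays plus the address-list side effect.

Assumptions (verify against your RouterOS version):
  * add-*-to-address-list, log and passthrough continue to the next rule;
    accept and drop terminate processing.
  * only the matchers used in the posted export are modelled.
"""
import shlex
from dataclasses import dataclass

NON_TERMINATING = {"add-src-to-address-list", "add-dst-to-address-list",
                   "log", "passthrough"}
MATCHERS = ("chain", "protocol", "src-port", "dst-port", "in-interface",
            "connection-state")

# Filter export as posted in the thread (rules reproduced verbatim).
POSTED_FILTER = """
/ip firewall filter
add action=add-src-to-address-list address-list=importantad address-list-timeout=1d chain=input disabled=no dst-port=500 in-interface=pppoe-out protocol=udp src-port=500
add action=accept chain=input disabled=no in-interface=pppoe-out protocol=ipsec-esp
add action=accept chain=input disabled=no dst-port=500 in-interface=pppoe-out protocol=udp src-port=500
add action=accept chain=input disabled=no dst-port=1701 in-interface=pppoe-out protocol=udp src-port=1701
add action=drop chain=input disabled=no in-interface=pppoe-out
add action=drop chain=forward connection-state=new disabled=no in-interface=pppoe-out
"""


@dataclass
class Rule:
    attrs: dict
    packets: int = 0
    bytes: int = 0


def parse_export(text):
    """Turn 'add key=value ...' lines (with trailing '\\' continuations) into Rules."""
    rules, pending = [], ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):
            pending = line[:-1] + " "
            continue
        pending = ""
        if line.startswith("add "):
            attrs = dict(tok.split("=", 1) for tok in shlex.split(line[4:]))
            rules.append(Rule(attrs))
    return rules


def matches(rule, pkt):
    """Every matcher the rule specifies must equal the packet's value."""
    return all(rule.attrs[k] == str(pkt.get(k, ""))
               for k in MATCHERS if k in rule.attrs)


def evaluate(rules, pkt, address_lists):
    """Walk the chain top to bottom; return (verdict, [(rule_index, action), ...])."""
    trace, verdict = [], None
    for idx, rule in enumerate(rules):
        if rule.attrs.get("disabled") == "yes" or not matches(rule, pkt):
            continue
        rule.packets += 1                       # what Winbox's Packets column counts
        rule.bytes += pkt["length"]             # what Winbox's Bytes column counts
        action = rule.attrs["action"]
        trace.append((idx, action))
        if action == "add-src-to-address-list":
            address_lists.setdefault(rule.attrs["address-list"], set()).add(pkt["src-address"])
        if action not in NON_TERMINATING:       # accept/drop end the walk
            verdict = action
            break
    return verdict, trace


def reset_counters(rules):
    """Models '/ip firewall filter reset-counters': zeroes counters, leaves address lists alone."""
    for r in rules:
        r.packets = r.bytes = 0


def run_thread_scenario():
    rules = parse_export(POSTED_FILTER)
    lists = {}
    # Constructed IKE packet from an unknown peer arriving on the PPPoE interface.
    ike = {"src-address": "203.0.113.7", "protocol": "udp", "src-port": 500,
           "dst-port": 500, "in-interface": "pppoe-out", "chain": "input", "length": 236}
    verdict_ike, trace_ike = evaluate(rules, ike, lists)
    # Constructed unsolicited TCP/22 probe: nothing accepts it, the catch-all drops it.
    probe = {"src-address": "198.51.100.9", "protocol": "tcp", "src-port": 40000,
             "dst-port": 22, "in-interface": "pppoe-out", "chain": "input", "length": 60}
    verdict_probe, trace_probe = evaluate(rules, probe, lists)
    before = (rules[0].packets, rules[0].bytes)
    reset_counters(rules)   # one benign way to reach "list populated, counters 0"
    after = (rules[0].packets, rules[0].bytes)
    return {"ike": (verdict_ike, trace_ike), "probe": (verdict_probe, trace_probe),
            "importantad": lists["importantad"],
            "rule0_before": before, "rule0_after": after}


if __name__ == "__main__":
    for key, value in run_thread_scenario().items():
        print(key, value)
```

Running it shows the IKE packet hitting rule 0 (list entry added, counters 1/236) and then being accepted by rule 2, the probe falling through to the catch-all drop, and after `reset_counters` the state from the first post: `importantad` still holds the peer while rule 0 reads 0 packets / 0 bytes.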
 
nest
Forum Veteran
Posts: 822
Joined: Tue Feb 27, 2007 1:52 am
Location: UK

Re: firewall filter - missing packets and bytes

Sat Jan 14, 2012 2:30 am

So, no config in NAT or Mangle firewall rules, just filter?

( Thanks for the karma :-) )
 
karentom
newbie
Topic Author
Posts: 34
Joined: Fri Dec 30, 2011 12:51 pm

Re: firewall filter - missing packets and bytes

Sat Jan 14, 2012 2:36 am

Oh, I thought that it was not important; there is a NAT rule just to reach the internet

/ip firewall nat
add action=masquerade chain=srcnat disabled=no out-interface=pppoe-out src-address=192.168.X.X/24

I thought that only Filter was important, because the first rule in Filter (action=add-src-to-address-list) was triggered 3 times for 3 different outside IP addresses and no traffic was shown (visible) in Winbox
 
nest
Forum Veteran
Posts: 822
Joined: Tue Feb 27, 2007 1:52 am
Location: UK

Re: firewall filter - missing packets and bytes

Sat Jan 14, 2012 2:56 am

I would be interested to see what happens when you add logging to the rules immediately before your first rule.
/ip firewall filter
add action=log chain=input disabled=no dst-port=500 in-interface=pppoe-out protocol=udp src-port=500
 
karentom
newbie
Topic Author
Posts: 34
Joined: Fri Dec 30, 2011 12:51 pm

Re: firewall filter - missing packets and bytes

Sat Jan 14, 2012 3:16 am

Yes, that could be interesting.

From the day I saw this weird behavior (those 3 addresses in the address list and at the same time no traffic in the rule) I have been trying to replicate that situation, but every time I connect with VPN L2TP/IPsec, traffic is shown normally as expected; those 3 addresses definitely triggered this rule and traffic was not shown.

I can only add action=log as you suggest and wait and wait... hopefully for it to happen again.

Just to confirm: this behavior that I described is weird, isn't it? Filter rule triggered and executed, and at the same time no traffic shown?
 
nest
Forum Veteran
Posts: 822
Joined: Tue Feb 27, 2007 1:52 am
Location: UK

Re: firewall filter - missing packets and bytes

Sat Jan 14, 2012 1:57 pm

Weird? Yes. Security hole? No. A "feature". Probably! :-)
