Community discussions

MikroTik App
  4. RouterOS
  5. General

Building secure firewall

Post Reply
 
rado3105
Member
Member
Topic Author
Posts: 492
Joined: Sat Jan 12, 2008 11:45 pm

Building secure firewall

Fri Aug 23, 2013 5:53 pm

Here is my firewall, I am still working on it. I would like to share it and hear your opinions, what to change, what is missing...ether1 is internet....
0 ;;; Drop invalid connections
chain=input action=drop connection-state=invalid

1 ;;; Port scanners to list
chain=input action=add-src-to-address-list protocol=tcp psd=21,3s,3,1
address-list=port scanners address-list-timeout=2w

2 ;;; NMAP FIN Stealth scan
chain=input action=add-src-to-address-list
tcp-flags=fin,!syn,!rst,!psh,!ack,!urg protocol=tcp
address-list=port scanners address-list-timeout=2w

3 ;;; SYN/FIN scan
chain=input action=add-src-to-address-list tcp-flags=fin,syn protocol=tcp
address-list=port scanners address-list-timeout=2w

4 ;;; SYN/RST scan
chain=input action=add-src-to-address-list tcp-flags=syn,rst protocol=tcp
address-list=port scanners address-list-timeout=2w

5 ;;; FIN/PSH/URG scan
chain=input action=add-src-to-address-list
tcp-flags=fin,psh,urg,!syn,!rst,!ack protocol=tcp
address-list=port scanners address-list-timeout=2w

6 ;;; ALL/ALL scan
chain=input action=add-src-to-address-list
tcp-flags=fin,syn,rst,psh,ack,urg protocol=tcp address-list=port scanners
address-list-timeout=2w

7 ;;; NMAP NULL scan
chain=input action=add-src-to-address-list
tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg protocol=tcp
address-list=port scanners address-list-timeout=2w

8 ;;; dropping port scanners
chain=input action=drop src-address-list=port scanners

9 ;;; suppress DoS attack
chain=input action=tarpit protocol=tcp src-address-list=black_list
connection-limit=3,32

10 ;;; detect DoS
chain=input act
address-list=black_list address-list-timeout=1d in-interface=ether1
connection-limit=10,32

11 ;;; DOS attack protection(50 connections/ip)
chain=input action=add-src-to-address-list protocol=tcp
address-list=black_list address-list-timeout=1d connection-limit=50,32

12 ;;; drop ssh brute forcers
chain=input action=drop protocol=tcp src-address-list=ssh_blacklist
dst-port=22

13 chain=input action=add-src-to-address-list connection-state=new protocol=tc>
src-address-list=ssh_stage3 address-list=ssh_blacklist
address-list-timeout=1w3d dst-port=22

14 chain=input action=add-src-to-address-list connection-state=new protocol
src-address-list=ssh_stage2 address-list=ssh_stage3
address-list-timeout=1m dst-port=22

15 chain=input action=add-src-to-address-list connection-state=new protocol
src-address-list=ssh_stage1 address-list=ssh_stage2
address-list-timeout=1m dst-port=22

16 chain=input action=add-src-to-address-list connection-state=new protocol
address-list=ssh_stage1 address-list-timeout=1m dst-port=22

17 ;;; drop ssh brute downstream
chain=forward action=drop protocol=tcp src-address-list=ssh_blacklist
dst-port=22

18 ;;; Allow Broadcast Traffic
chain=input action=accept dst-address-type=broadcast

19 ;;; smtp(e-mail)
chain=input action=accept protocol=tcp in-interface=ether1 src-port=25

20 ;;; vpn(gre)
chain=input action=accept protocol=gre in-interface=ether1

21 ;;; ping
chain=input action=accept protocol=icmp in-interface=ether1

22 ;;; tcp ports
chain=input action=accept protocol=tcp in-interface=ether1
dst-port=22,25,53,1723,2000,7780,8291

23 ;;; udp ports
chain=input action=accept protocol=udp in-interface=ether1 dst-port=53

24 ;;; drop everything else
chain=input action=drop in-interface=ether1
Top
 
rado3105
Member
Member
Topic Author
Posts: 492
Joined: Sat Jan 12, 2008 11:45 pm

Re: Building secure firewall

Thu Aug 29, 2013 1:10 am

Code: Select all
0   ;;; Drop invalid connections
     chain=input action=drop connection-state=invalid 

 1   ;;; Port scanners to list 
     chain=input action=add-src-to-address-list protocol=tcp psd=21,3s,3,1 
     address-list=port scanners address-list-timeout=2w 

 2   ;;; NMAP FIN Stealth scan
     chain=input action=add-src-to-address-list 
     tcp-flags=fin,!syn,!rst,!psh,!ack,!urg protocol=tcp 
     address-list=port scanners address-list-timeout=2w 

 3   ;;; SYN/FIN scan
     chain=input action=add-src-to-address-list tcp-flags=fin,syn protocol=tcp 
     address-list=port scanners address-list-timeout=2w 

 4   ;;; SYN/RST scan
     chain=input action=add-src-to-address-list tcp-flags=syn,rst protocol=tcp 
     address-list=port scanners address-list-timeout=2w 

 5   ;;; FIN/PSH/URG scan
     chain=input action=add-src-to-address-list 
     tcp-flags=fin,psh,urg,!syn,!rst,!ack pr address-list=port scanners address-list-timeout=2w 

 6   ;;; ALL/ALL scan
     chain=input action=add-src-to-address-list 
     tcp-flags=fin,syn,rst,psh,ack,urg protocol=tcp address-list=port scanners 
     address-list-timeout=2w 

 7   ;;; NMAP NULL scan
     chain=input action=add-src-to-address-list 
     tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg protocol=tcp 
     address-list=port scanners address-list-timeout=2w 

 8   ;;; dropping port scanners
     chain=input action=drop src-address-list=port scanners 

 9   ;;; suppress DoS attack
     chain=input action=tarpit protocol=tcp src-address-list=black_list 
     connection-limit=3,32 

10   ;;; detect DoS attack(10 connections/ip from internet)
     chain=input action=add-src-to-address-list protocol=tcp 
     address-list=black_list address-list-timeout=1d in-interface=ether1 
     connection-limit=10,32 
 11   ;;; DOS attack protection(50 connections/ip)
     chain=input action=add-src-to-address-list protocol=tcp 
     address-list=black_list address-list-timeout=1d connection-limit=50,32 

12   ;;; drop ssh brute forcers
     chain=input action=drop protocol=tcp src-address-list=ssh_blacklist 
     dst-port=22 

13   chain=input action=add-src-to-address-list connection-state=new protocol=tc>
     src-address-list=ssh_stage3 address-list=ssh_blacklist 
     address-list-timeout=1w3d dst-port=22 

14   chain=input action=add-src-to-address-list connection-state=new protocol=tc>
     src-address-list=ssh_stage2 address-list=ssh_stage3 
     address-list-timeout=1m dst-port=22 

15   chain=input action=add-src-to-address-list connection-state=new protocol=tc>
     src-address-list=ssh_stage1 address-list=ssh_stage2 
     address-list-timeout=1m dst-port=22 

16   chain=input action=add-src-to-address-list connection-state=new protocol=tc>
     address-list=ssh_stage1 address-list-timeout=1m dst-port=22 

17   ;;; drop ssh brute downstream
     chain=forward action=drop protocol=tcp src-address-list=ssh_blacklist 
     dst-port=22 

18   ;;; Allow Broadcast Traffic
     chain=input action=accept dst-address-type=broadcast 

19   ;;; smtp(e-mail)
     chain=input action=accept protocol=tcp src-port=25 

20   ;;; vpn(gre)
     chain=input action=accept protocol=gre 

21   ;;; ping
     chain=input action=accept protocol=icmp 

22   ;;; tcp ports
     chain=input action=accept protocol=tcp dst-port=22,25,1723,2000,7780,8291 

23   ;;; allow estabilished connections
     chain=input action=accept connection-state=established 

24   ;;; drop everything else
     chain=input action=drop in-interface=ether1
What do you think, is that secure enough?
Top
 
AlArenal
Member Candidate
Member Candidate
Posts: 131
Joined: Thu Aug 01, 2013 5:24 pm
Location: Iserlohn, Germany

Re: Building secure firewall

Thu Aug 29, 2013 10:12 am

Security isn't an absolute thing - as long as you don't power off every network device and computer.

"Secure enough" depends solely on your specific requirements - which we cannot know. You may have to rethink your ruleset at least when the first user complains about something not working right. And there may always be someone more clever than you who knows how to get around your restrictions to achieve things you intended to block.
Top
 
VARELA
newbie
Posts: 49
Joined: Mon Jan 14, 2008 12:39 pm

Re: Building secure firewall

Thu Aug 29, 2013 10:27 am

Do you understand differences in chains (input,forward)?
There are many unnecessary rules. 19? 20? 21? 22?
Maybe better accept access for ssh or icmp or another services from trusted network?
Try to disable unused services in "/ip service".
Top
 
AlArenal
Member Candidate
Member Candidate
Posts: 131
Joined: Thu Aug 01, 2013 5:24 pm
Location: Iserlohn, Germany

Re: Building secure firewall

Thu Aug 29, 2013 10:37 am

Maybe better accept access for ssh or icmp or another services from trusted network?
That's an example why I said we can't judge because we don't know the requirements. Is the box always administered locally via console port he won't need ssh and telnet. Otherwise he's pretty much locking himself out if he ever has to remotely work on the shell.
Top
 
rado3105
Member
Member
Topic Author
Posts: 492
Joined: Sat Jan 12, 2008 11:45 pm

Re: Building secure firewall

Fri Aug 30, 2013 9:44 pm

Do you understand differences in chains (input,forward)?
There are many unnecessary rules. 19? 20? 21? 22?
Maybe better accept access for ssh or icmp or another services from trusted network?
Try to disable unused services in "/ip service".
I connect to local network using vpn in this gateway. I ping this router from internet to check if it is online...and when is down send sms....from other device in network...
25 is needed to send emails from this device....

I was just curious if order is good, and also if there is something other to do it more secure...
Top
 
User avatar
pcunite
Forum Guru
Forum Guru
Posts: 1345
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: Building secure firewall

Sun Sep 01, 2013 5:11 am

If you have one port for WAN and another for LAN (or logical) it is not too hard to work out a secure solution. Like an onion we will start with a layer and add or remove features as we move through the layers. Note that I prefer to use interfaces instead of IP addressing because those can be spoofed.

Option 1: Router and internal network protection
Goals:
. Disallow anything originating from the WAN (ether1).
. Allow anything originating from the LAN (ether2) to setup and receive packets coming back to it.
. Allow ICMP (ping) from the WAN.
Notes:
This is a standard secure setup. However, it does not allow for internal servers. It also trusts internal clients to be nice and to not be in a hacked state. Suitable for a SOHO network.

ros code

#Router and internal network protection, no internal servers, LAN is friendly
/ip firewall filter
add chain=input   action=drop   connection-state=invalid                      comment="Disallow weird packets" 
add chain=input   action=accept connection-state=new         in-interface=LAN comment="Allow LAN access to router and Internet"
add chain=input   action=accept connection-state=established                  comment="Allow connections that originated from LAN"
add chain=input   action=accept connection-state=related                      comment="Allow connections that originated from LAN"
add chain=input   action=accept protocol=icmp                                 comment="Allow ping ICMP from anywhere"
add chain=input   action=drop                                                 comment="Disallow anything from anywhere on any interface" 
add chain=forward action=drop   connection-state=invalid                      comment="Disallow weird packets" 
add chain=forward action=accept connection-state=new         in-interface=LAN comment="Allow LAN access to router and Internet"
add chain=forward action=accept connection-state=established                  comment="Allow connections that originated from LAN"
add chain=forward action=accept connection-state=related                      comment="Allow connections that originated from LAN"
add chain=forward action=drop                                                 comment="Disallow anything from anywhere on any interface"
Option 2: Allowing for internal servers
Goals:
. Masquerade and allow for internal servers.
Notes:
Uses "Port mapping" technique.

ros code

# Port Forward (map) to an internal LAN server. Note that you'll need to move the
# last line via the GUI to be above DROP rules. If you're using the one above
# place it above the last line: "add chain=forward action=drop"
/ip address         add address=1.2.3.4/24 interface=WAN                                                    comment="Set public IP of router to a public interface"
/ip firewall nat    add chain=srcnat  action=masquerade out-interface=WAN                                   comment="Turn on masquerading"
/ip firewall nat    add chain=dstnat  action=dst-nat protocol=tcp to-address=1.2.3.4 dst-port=80 to-port=80 comment="Create an incoming port map rule"
/ip firewall filter add chain=forward action=accept  protocol=tcp dst-port=80                               comment="Add a filter exception for port mapped server"
Option 3: Stop bad outgoing traffic
Goals:
. Filter certain connections, ports, and packet types from leaving the LAN to the WAN.
Notes:
When I get time.

Option 4: Stop trusting the internal network
Goals:
. While still allowing for router supplied services (DHCP, DNS, etc.). Disallow anything else.
. Only allow LAN access to the router console from a single trusted client. Disallow all others.
. Segment the LAN clients from each other. They're all crazy anyway.
Notes:
When I get time.
Last edited by pcunite on Wed Sep 04, 2013 5:06 pm, edited 1 time in total.
Top
 
jaytcsd
Member
Member
Posts: 332
Joined: Wed Dec 29, 2004 9:50 am
Location: Pittsboro IN
Contact:
Contact jaytcsd

Re: Building secure firewall

Mon Sep 02, 2013 2:46 am

I used the rules on the demo router as a start.

demo2.mt.lv

I added chain=input action=drop protocol=tcp dst-port=0-65535 port=""
to avoid port scans.
Top
Post Reply

Who is online

Users browsing this forum: Bing [Bot], simtj and 156 guests
  4. RouterOS
  5. General