sorinp
newbie
Topic Author
Posts: 31
Joined: Mon Dec 23, 2013 3:55 pm

Firewall is broken in v6.20

Mon Oct 13, 2014 2:24 pm

Issue:
Firewall is broken in v6.20

Description:
After disabling/deleting a rule, the firewall still allows traffic (that matches that rule) to pass.

Versions affected:
Just upgraded from 6.17 (good firewall behavior) to 6.20 (which exhibits this abnormal behavior).
Don't know if other versions in between are affected.

How to reproduce:
1) Add a rule to the firewall.
2) Test the rule, check if traffic passes or not, verify the packet count.
3) Disable the rule (or delete the rule).
4) Traffic corresponding to the previously deleted rule still passes through the firewall.

Notes:
Apparently the abnormal behavior stops if you reboot the router.
 
janisk
MikroTik Support
Posts: 6283
Joined: Tue Feb 14, 2006 9:46 am
Location: Riga, Latvia

Re: Firewall is broken in v6.20

Mon Oct 13, 2014 2:44 pm

It is important which rule it is and what the rest of the firewall contains.

If you accept some connection and have another rule that accepts established connections, of course everything will work, because you configured it that way.

Clear connections and see if your claim still holds true (or reboot the router).
 
sorinp
newbie
Topic Author
Posts: 31
Joined: Mon Dec 23, 2013 3:55 pm

Re: Firewall is broken in v6.20

Mon Oct 13, 2014 3:16 pm

All rules are default from RouterOS installing process. I only changed the comments section.
My rules are: 2,3 from Filter section and 2,3 from NAT section
If I disable/delete rule 3 anyone from outside can connect on that port.
If I reboot the router this stops, but I don't find it to be normal behavior, and it was not present in v6.17.

/ip firewall filter
1) add action=drop chain=input comment="Deny ICMP PING requests" protocol=icmp
2) add chain=input comment="Allow SSH traffic" dst-port=22 in-interface=ether1-gateway protocol=tcp
3) add chain=input comment="Allow RDP traffic" dst-port=3389 in-interface=ether1-gateway protocol=tcp

add chain=input comment="Accept Established connections" connection-state=established in-interface=ether1-gateway
add chain=input comment="Accept Related connections" connection-state=related in-interface=ether1-gateway
add action=drop chain=input comment="Drop anything else coming from Internet" in-interface=ether1-gateway
add chain=forward comment="Accept and forward Established connections" connection-state=established
add chain=forward comment="Accept and forward Related connections" connection-state=related
add action=drop chain=forward comment="Drop forwarded invalid connections" connection-state=invalid


/ip firewall nat
1) add action=masquerade chain=srcnat out-interface=ether1-gateway
2) add action=dst-nat chain=dstnat comment="Forward SSH traffic to the router" dst-port=22 protocol=tcp to-addresses=10.1.1.1 to-ports=22
3) add action=dst-nat chain=dstnat comment="Forward RDP traffic to the Server" dst-port=3389 protocol=tcp to-addresses=10.1.1.13 to-ports=3389


10.1.1.1 is the Mikrotik router
10.1.1.13 is a server inside the LAN behind the router
 
jarda
Forum Guru
Posts: 7604
Joined: Mon Oct 22, 2012 4:46 pm

Re: Firewall is broken in v6.20

Mon Oct 13, 2014 8:02 pm

Have you tried what janisk wrote?
 
sorinp
newbie
Topic Author
Posts: 31
Joined: Mon Dec 23, 2013 3:55 pm

Re: Firewall is broken in v6.20

Tue Oct 14, 2014 11:01 am

Yes I have tried rebooting the router after disabling the Filter rule No. 3, and I am still able to connect from any IP address.
 
leonset
Member Candidate
Posts: 256
Joined: Wed Apr 01, 2009 9:09 pm

Re: Firewall is broken in v6.20

Tue Oct 14, 2014 6:00 pm

If I understand what you are trying to do, your rules are wrong. Check the packet flow in the Wiki, especially the first and third drawings:

http://wiki.mikrotik.com/wiki/Manual:Packet_Flow

Basically, dstnat rules are processed before ip filter. That makes your "input" rules useless, because packets will be dstnat'ed to your server, so they will never match your input chain but go directly to the forward one. BTW, you don't have any rule in forward to drop those packets.

If you check the packet counters of any given rule, you'll be able to see if any packet matches it.

Of course, I may be wrong...
 
sorinp
newbie
Topic Author
Posts: 31
Joined: Mon Dec 23, 2013 3:55 pm

Re: Firewall is broken in v6.20

Wed Oct 15, 2014 11:59 am

Ok, your statement applies for the IP filter No. 3 (the RDP connection). But for the IP filter No. 2 (the SSH one) this doesn't apply.
In fact, being a connection to the router, it seems I don't need any NAT rule, as the router seems to listen on port 22 on all its IP addresses (be it internal or external).
So for port 22 connectivity I only need rule No. 2 in the INPUT chain, and no rule in NAT.

You were saying that I don't have any rule in forward chain to drop packets. There is one default rule to drop connections with "invalid" state.

/ip firewall filter
add action=drop chain=forward comment="Drop forwarded invalid connections" connection-state=invalid

Were you talking about this one from above, or you meant that I should have something like this below, placed after all rules in forward chain?

/ip firewall filter
add action=drop chain=forward

Thank you.
 
leonset
Member Candidate
Posts: 256
Joined: Wed Apr 01, 2009 9:09 pm

Re: Firewall is broken in v6.20

Wed Oct 15, 2014 12:45 pm

> Ok, your statement applies for the IP filter No. 3 (the RDP connection). But for the IP filter No. 2 (the SSH one) this doesn't apply.
> In fact, being a connection to the router, it seems I don't need any NAT rule, as the router seems to listen on port 22 on all its IP addresses (be it internal or external).
> So for port 22 connectivity I only need rule No. 2 in the INPUT chain, and no rule in NAT.

That's correct. No need to NAT anything, because packets to the router's IPs will be passed through the input filter. You can specify which networks/IPs each service is available from in the Winbox IP/Services menu.

> You were saying that I don't have any rule in forward chain to drop packets. There is one default rule to drop connections with "invalid" state.
>
> /ip firewall filter
> add action=drop chain=forward comment="Drop forwarded invalid connections" connection-state=invalid
>
> Were you talking about this one from above, or you meant that I should have something like this below, placed after all rules in forward chain?
>
> /ip firewall filter
> add action=drop chain=forward

TCP communications must go through some given steps. If some connection does not follow them for any reason, it becomes an "invalid" connection. But you are trying to "block any connection not specifically allowed before, even if they are valid connections". For that, you need to put a last forward rule as you said:

/ip firewall filter add action=drop chain=forward

Make sure this is the last rule!!

Regards
 
sorinp
newbie
Topic Author
Posts: 31
Joined: Mon Dec 23, 2013 3:55 pm

Re: Firewall is broken in v6.20

Wed Oct 15, 2014 6:50 pm

> TCP communications must go through some given steps. If some connection does not follow them for any reason, it becomes an "invalid" connection. But you are trying to "block any connection not specifically allowed before, even if they are valid connections". For that, you need to put a last forward rule as you said:
>
> /ip firewall filter add action=drop chain=forward
>
> Make sure this is the last rule!!

If I add this rule (as the last forward rule), then no machine from my LAN is able to access the Internet. So I suppose I should not add it at all. :)
 
leonset
Member Candidate
Posts: 256
Joined: Wed Apr 01, 2009 9:09 pm

Re: Firewall is broken in v6.20

Thu Oct 16, 2014 9:26 am

So I suppose you still have a lot to learn about how firewalls work... no offense intended :)

http://wiki.mikrotik.com/wiki/Firewall
 
sorinp
newbie
Topic Author
Posts: 31
Joined: Mon Dec 23, 2013 3:55 pm

Re: Firewall is broken in v6.20

Thu Oct 16, 2014 12:19 pm

Yes, that might be true, but I doubt it (in the current context), because adding that rule was not my idea (it was yours).
So if you say that implementing your idea makes me look bad, then probably you've got bad intentions or you don't know too much about firewalls, or you just want to test me. :)
Care to elaborate on this?
Thanks.
 
leonset
Member Candidate
Posts: 256
Joined: Wed Apr 01, 2009 9:09 pm

Re: Firewall is broken in v6.20

Thu Oct 16, 2014 12:41 pm

> Care to elaborate on this?

Already did so!
Just take some time to read some or all of the firewall related pages in the Wiki (I gave you the link in my previous post). I'm sure you will find there most answers to your doubts.

Good luck
 
nickshore
Member
Posts: 473
Joined: Thu Mar 03, 2005 4:14 pm
Location: Suffolk, UK.

Re: Firewall is broken in v6.20

Thu Oct 16, 2014 3:02 pm

A normal set of rules in your forward chain might be as follows:
/ip firewall filter
add chain=forward comment=Established connection-state=established action=accept
add chain=forward comment=Related connection-state=related action=accept
add chain=forward comment="New from local bridge" connection-state=new in-interface=localbridge action=accept
add chain=forward limit=3,5 protocol=icmp action=accept
add action=drop chain=forward
Note the rule which allows traffic that starts from the localbridge; that could instead be an Ethernet interface for your LAN.

Hope that helps
Nick
Nick Shore MTCNA MTCWE MTCRE MTCINE MTCTCE
LinITX.com - MultiThread Consultants
Get your MikroTik RBs and Training: http://linitx.com/brand/mikrotik
Official UK MikroTik Distributor
IRC chan: #routerboard on irc.z.je (IPv4 and IPv6)
 
sorinp
newbie
Topic Author
Posts: 31
Joined: Mon Dec 23, 2013 3:55 pm

Re: Firewall is broken in v6.20

Thu Oct 16, 2014 3:21 pm

Thank you Nick.

I see what you mean. In fact the rules 3,4 and 5 from your list are missing from a standard RouterOS deployment.
Instead RouterOS is adding in the forward chain a rule for dropping connections with invalid state, like this:
add action=drop chain=forward connection-state=invalid
I'm just wondering why add these 3 additional rules in the forward chain if my outbound traffic from the LAN works just fine with the default ones from the RouterOS deployment?
add chain=forward connection-state=new action=accept in-interface=localbridge
add chain=forward limit=3,5 protocol=icmp action=accept
add action=drop chain=forward
Thanks.
 
nickshore
Member
Posts: 473
Joined: Thu Mar 03, 2005 4:14 pm
Location: Suffolk, UK.

Re: Firewall is broken in v6.20

Thu Oct 16, 2014 3:48 pm

The 3 rules you say you have in the forward chain are
add chain=forward comment="Accept and forward Established connections" connection-state=established
add chain=forward comment="Accept and forward Related connections" connection-state=related
add action=drop chain=forward comment="Drop forwarded invalid connections" connection-state=invalid
These allow packets which belong to established and related connections and drop packets which are invalid.
(invalid doesn't mean all of the rest of the traffic)



*** However there is no further drop rule and therefore all traffic is allowed. ***



In order to stop that you can add a general drop rule:
add action=drop chain=forward
But as you discovered that stops any connections from starting from your LAN to the internet.

So you then need to have rules before the drop rule which allow traffic eg
add chain=forward connection-state=new action=accept in-interface=localbridge
add chain=forward limit=3,5 protocol=icmp action=accept

Hope that makes sense
Nick
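The three explanations given in this thread (janisk's: a connection that was accepted while the rule was enabled keeps matching the "established" rule after the rule is disabled, until connections are cleared; leonset's: dstnat rewrites the destination before the routing decision, so the port-forwarded RDP packets enter the forward chain and never the input chain; nickshore's: a forward chain with no final drop rule lets everything that is not "invalid" through) can be traced with the small packet-flow model below. It is an added example written for this page, not RouterOS code and not anything posted in the thread. It is a deliberately simplified model of the RouterOS packet flow: masquerade, the "related" rules and the ICMP limit rule are not modelled, and the router's WAN address 203.0.113.1, the LAN interface name ether2-lan and the client/server addresses are assumptions.

```python
"""Simplified model of the RouterOS IPv4 packet flow (example code written for this page,
not RouterOS): dstnat runs before the routing decision, the packet then enters 'input'
(addressed to the router) or 'forward', and a chain with no terminal drop accepts it."""
from collections import namedtuple
from dataclasses import dataclass, field

ROUTER_IPS = {"10.1.1.1", "203.0.113.1"}   # assumed: the router's LAN and WAN addresses
Packet = namedtuple("Packet", "src dst proto dport in_iface")

@dataclass
class Rule:
    chain: str
    action: str = "accept"
    match: dict = field(default_factory=dict)
    to_address: str = ""     # dst-nat target (dstnat rules only)
    disabled: bool = False
    packets: int = 0         # the counter the thread suggests checking

class Firewall:
    def __init__(self, filter_rules, nat_rules):
        self.filter, self.nat = filter_rules, nat_rules
        self.conntrack = {}   # pre-NAT flow key -> post-NAT destination

    @staticmethod
    def _matches(rule, pkt, state):
        values = {"in-interface": pkt.in_iface, "protocol": pkt.proto,
                  "dst-port": pkt.dport, "connection-state": state}
        return all(values[k] == v for k, v in rule.match.items())

    def _run_chain(self, chain, pkt, state):
        for rule in self.filter:
            if rule.chain == chain and not rule.disabled and self._matches(rule, pkt, state):
                rule.packets += 1
                return rule.action
        return "accept"       # end of chain without a terminal drop: the packet passes

    def process(self, pkt):
        key = (pkt.src, pkt.dst, pkt.proto, pkt.dport)
        if key in self.conntrack:            # tracked flow: reuse its NAT mapping, skip dstnat
            state, pkt = "established", pkt._replace(dst=self.conntrack[key])
        else:                                # first packet: the dstnat chain runs BEFORE routing
            state = "new"
            for rule in self.nat:
                if rule.chain == "dstnat" and not rule.disabled and self._matches(rule, pkt, state):
                    rule.packets += 1
                    pkt = pkt._replace(dst=rule.to_address)
                    break
        chain = "input" if pkt.dst in ROUTER_IPS else "forward"   # routing decision
        verdict = self._run_chain(chain, pkt, state)
        if verdict == "accept" and state == "new":
            self.conntrack[key] = pkt.dst    # only an accepted first packet creates an entry
        return chain, verdict

def thread_ruleset():
    """The poster's rules; masquerade and the 'related' rules are omitted (never matched here)."""
    wan = {"in-interface": "ether1-gateway"}
    f = [Rule("input", "drop", {"protocol": "icmp"}),
         Rule("input", match={**wan, "protocol": "tcp", "dst-port": 22}),    # filter rule 2
         Rule("input", match={**wan, "protocol": "tcp", "dst-port": 3389}),  # filter rule 3
         Rule("input", match={**wan, "connection-state": "established"}),
         Rule("input", "drop", wan),
         Rule("forward", match={"connection-state": "established"}),
         Rule("forward", "drop", {"connection-state": "invalid"})]
    n = [Rule("dstnat", "dst-nat", {"protocol": "tcp", "dst-port": 22}, "10.1.1.1"),
         Rule("dstnat", "dst-nat", {"protocol": "tcp", "dst-port": 3389}, "10.1.1.13")]
    return f, n

# Constructed sample packets (documentation address ranges; ether2-lan is an assumed name).
RDP = Packet("198.51.100.7", "203.0.113.1", "tcp", 3389, "ether1-gateway")
SSH = Packet("198.51.100.7", "203.0.113.1", "tcp", 22, "ether1-gateway")
LAN_OUT = Packet("10.1.1.13", "192.0.2.80", "tcp", 443, "ether2-lan")

def rdp_ignores_input_rule3():
    # leonset's point: RDP is dst-nat'ed to 10.1.1.13 before routing, so it enters
    # 'forward', never 'input'; filter rule 3's counter stays 0 whether enabled or not.
    f, n = thread_ruleset()
    fw = Firewall(f, n)
    enabled = fw.process(RDP)
    fw.conntrack.clear()
    f[2].disabled = True
    return enabled, fw.process(RDP), f[2].packets

def ssh_disable_after_connect():
    # janisk's point: a flow accepted by rule 2 keeps matching 'established' after
    # rule 2 is disabled, until the connection table is cleared (or the router rebooted).
    f, n = thread_ruleset()
    fw = Firewall(f, n)
    first = fw.process(SSH)
    f[1].disabled = True
    second = fw.process(SSH)
    fw.conntrack.clear()          # /ip firewall connection remove [find]
    return first, second, fw.process(SSH)

def hardened_forward():
    # nickshore's fix: accept new connections from the LAN, then drop everything else, last.
    f, n = thread_ruleset()
    f += [Rule("forward", match={"connection-state": "new", "in-interface": "ether2-lan"}),
          Rule("forward", "drop")]
    fw = Firewall(f, n)
    return fw.process(RDP), fw.process(LAN_OUT)
```

Calling the three functions reproduces what the thread observed: the RDP packet is accepted by the forward chain with filter rule 3 enabled or disabled and the rule's counter never moves; an SSH connection accepted before rule 2 was disabled keeps passing until the connection table is cleared, and is dropped afterwards; and with nickshore's terminal drop in place the LAN still gets out while the unsolicited RDP packet is dropped. One consequence that follows from the model rather than from the thread: once that final drop exists, a port forward to 10.1.1.13 needs its own forward-chain accept for new connections to that address and port, or the dst-nat rule alone will no longer let the traffic through.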
 
sorinp
newbie
Topic Author
Posts: 31
Joined: Mon Dec 23, 2013 3:55 pm

Re: Firewall is broken in v6.20

Thu Oct 16, 2014 4:04 pm

Thank you Nick.
I've understood perfectly your rules before your last post.
In fact I was more interested to understand what is the reasoning behind those 3 rules. I mean, they are applied on connections originating from inside my LAN (behind the router). So, basically why would I want to restrict my outbound traffic and drop packets that want to go out ? What's the reason behind this?

I'm more interested to prevent (some) incoming traffic from getting in, than preventing local traffic from getting out (considering I have no machines inside the LAN that are infected with bots, worms or other nasty "software").

Thank you.
 
nickshore
Member
Posts: 473
Joined: Thu Mar 03, 2005 4:14 pm
Location: Suffolk, UK.

Re: Firewall is broken in v6.20

Thu Oct 16, 2014 4:38 pm

It is good practice to drop all traffic, and then add rules in to allow good traffic.
 
sorinp
newbie
Topic Author
Posts: 31
Joined: Mon Dec 23, 2013 3:55 pm

Re: Firewall is broken in v6.20

Thu Oct 16, 2014 5:43 pm

> It is good practice to drop all traffic, and then add rules in to allow good traffic.

Ok Nick. Thanks a lot for your answers.
