rextended
Forum Guru
Topic Author
Posts: 5702
Joined: Tue Feb 25, 2014 12:49 pm
Location: Capalbio, Tuscany, Italy

How to ***really*** block invalid ICMP, TCP, UDP packets and others (ver. 2021)

Tue Mar 25, 2014 11:11 pm

search tag # rextended firewall raw rules

Added 2021-07-06:
compared to the 2014 version I have added a lot more things.
I am not done, I will add more in the next days.
WORK IN PROGRESS

I appreciate any suggestions, and also positive comments, if any...

Thanks BartoszP, I update the rules when I can
viewtopic.php?f=9&t=83387#p482224
************************************************


When you set on the firewall one rule like the default:
add action=drop connection-state=invalid
you really do not block any malicious connection or packet.
The drop invalid rule simply drops any packet or connection for which no match is found in "connection tracking".

The following rules block all forged or incorrect packets instead.
These rules are based on how TCP and UDP packets must be written to be valid according to the RFC rules.
Any comment like "UDP port 0 is used by some load balancers" does not matter to us: it does not follow the RFC rules and is not used by MikroTik.
boen_robot explains more:
viewtopic.php?f=9&t=83387&p=417864#p460244

These rules must be set in "/firewall raw"; this way they do not interfere with how the regular default "/firewall filter" works.

Warning: these rules do not replace the default "/firewall filter" rules, but must be used at least together with them.

/ip firewall raw
add action=drop chain=prerouting comment="TCP invalid combination of flags attack (7 rules)" protocol=tcp tcp-flags=!fin,!syn,!rst,!ack
add action=drop chain=prerouting protocol=tcp tcp-flags=fin,syn
add action=drop chain=prerouting protocol=tcp tcp-flags=fin,rst
add action=drop chain=prerouting protocol=tcp tcp-flags=fin,!ack
add action=drop chain=prerouting protocol=tcp tcp-flags=fin,urg
add action=drop chain=prerouting protocol=tcp tcp-flags=syn,rst
add action=drop chain=prerouting protocol=tcp tcp-flags=rst,urg
add action=drop chain=prerouting comment="TCP Port 0 attack (2 rules)" protocol=tcp src-port=0
add action=drop chain=prerouting dst-port=0 protocol=tcp
add action=drop chain=prerouting comment="UDP Port 0 attack (2 rules)" protocol=udp src-port=0
add action=drop chain=prerouting dst-port=0 protocol=udp
Why "drop" is better than "reject" (which wastes CPU time and generates useless traffic)
Again thanks to boen_robot for explaining:
viewtopic.php?f=9&t=83387&p=417380#p467921


Large ICMP and ICMP fragmentation (Ping of Death)
Warning: these two rules can break Path MTU Discovery (PMTUD); use them only if your device is sensitive to "Large ICMP" or "Ping of Death" attacks.
If in doubt, do not use them at all!!!
/ip firewall raw
add action=drop chain=prerouting comment="Protecting device crash when size > 1024" packet-size=1025-1600 protocol=icmp disabled=yes
add action=drop chain=prerouting comment="ICMP large packet attack" packet-size=1601-65535 protocol=icmp
add action=drop chain=prerouting comment="ICMP fragmentation attack" fragment=yes protocol=icmp


SYN fragmented attack
/ip firewall raw
add action=drop chain=prerouting comment="SYN fragmented attack" fragment=yes protocol=tcp tcp-flags=syn


Protected Zone (protects against Teardrop Attack and others)
Some types of attacks use IP packet fragmentation.
Some packet fragmentation can be wanted or needed.
To create "Protected Zones" against IP fragmentation attacks, use one or both of these:

Create an interface list of protected interfaces:
/interface list
add name=fragment_protected_interface
/ip firewall raw
add action=drop chain=prerouting comment="Fragment attack Interface Protection" fragment=yes in-interface-list=fragment_protected_interface

Create an address list of protected IPs:
/ip firewall address-list
add address=2.3.4.5 list=fragment_protected_IP
/ip firewall raw
add action=drop chain=prerouting comment="Fragment attack IP Protection" fragment=yes dst-address-list=fragment_protected_IP


IP Options attacks
Attacks made with normally unused (or misused) IPv4 header options.
/ip firewall raw
add action=drop chain=prerouting comment="IP option loose-source-routing" ipv4-options=loose-source-routing
add action=drop chain=prerouting comment="IP option strict-source-routing" ipv4-options=strict-source-routing
add action=drop chain=prerouting comment="IP option record-route" ipv4-options=record-route
add action=drop chain=prerouting comment="IP option router-alert" ipv4-options=router-alert
add action=drop chain=prerouting comment="IP option timestamp" ipv4-options=timestamp
add action=drop chain=prerouting comment="IP options left, except IP Stream used by the IGMP protocol" ipv4-options=any protocol=!igmp


IP Spoofing (prevent LAND Attack and others)
All ISPs should do this and 95% of DDoS attacks wouldn't exist ...

The default configuration has two interface lists, one for WAN and one for LAN:
/interface list
add name=WAN
add name=LAN

Define one or more address lists of the IPs used on the LOCAL side of the network (they can also be public IPs):
/ip firewall address-list
add address=192.168.88.0/24 list=IP_used_on_LAN

We do not expect internal IPs coming in from the WAN, nor from the internal LAN any source IP other than those in IP_used_on_LAN
/ip firewall raw
add action=drop chain=prerouting comment="IP Spoofing protection from WAN" in-interface-list=WAN src-address-list=IP_used_on_LAN
add action=drop chain=prerouting comment="IP Spoofing protection from LAN" in-interface-list=LAN src-address-list=!IP_used_on_LAN \
    src-address=!0.0.0.0 dst-address=!255.255.255.255
src-address=!0.0.0.0 and dst-address=!255.255.255.255 prevent blocking services on the LAN like the DHCP server (src 0.0.0.0 -> dst 255.255.255.255)



Unused Protocol
Removing unassigned protocols is not easy, because the protocol field accepts only one number, not a range.
The protocols from 144 to 255 are unassigned https://www.iana.org/assignments/protoc ... bers.xhtml
But in real use not all 144 protocols are used; for example in 95% of cases only 1 ICMP, 6 TCP and 17 UDP.
We cannot set a rule like drop protocol=144-255 because it is unsupported, so we accept all the used ones and drop the others.
These rules must be put at THE END!!!
/ip firewall raw
add action=accept chain=prerouting protocol=icmp
add action=accept chain=prerouting protocol=igmp
add action=accept chain=prerouting protocol=tcp
add action=accept chain=prerouting protocol=udp
add action=accept chain=prerouting protocol=gre
add action=log chain=prerouting log=yes log-prefix="Not TCP protocol" protocol=!tcp
add action=drop chain=prerouting comment="Unused protocol protection" disabled=yes protocol=!tcp
The last rule is disabled on purpose: first add all the protocols you use (for example 47 GRE for PPTP, EoIP etc.) before you enable it.
Accept passes the packet on to the next /firewall filter section; it does not accept the packet directly.


New TCP connection without SYN
A new TCP connection must start with a packet with the SYN flag.
If the SYN is not present on the first packet, it is an attack or a scan for sure...
Each rule must go first in /ip firewall filter in the respective input and forward sections; they do not work in raw, because they need connection tracking to work.
/ip firewall filter
add action=drop chain=input connection-state=new protocol=tcp tcp-flags=!syn comment="TCP non SYN scan attack input"
add action=drop chain=forward connection-state=new protocol=tcp tcp-flags=!syn comment="TCP non SYN scan attack forward"


If anyone finds a bug, please report it.
Thanks.
Last edited by rextended on Tue Jul 27, 2021 10:57 am, edited 71 times in total.
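A model of the TCP-flag and port-0 raw rules in the post above, as an added example in Python (not rextended's code and not RouterOS itself): it parses a 20-byte TCP header and walks the rule list in order with the tcp-flags matcher semantics, where every listed flag must be set, every "!flag" must be clear, and flags not mentioned are ignored, so "fin,!ack" means FIN set and ACK clear. The sample headers are constructed; the rule order, flag specs and comments are those of the post.

```python
"""Model of the thread's RouterOS raw TCP-flag and port-0 rules (added example)."""
import struct

# TCP flag bits in the low byte of the data-offset/flags field (RFC 9293).
FLAG_BITS = {"fin": 0x01, "syn": 0x02, "rst": 0x04, "psh": 0x08,
             "ack": 0x10, "urg": 0x20, "ece": 0x40, "cwr": 0x80}

# The TCP rules of the first post, in order: (comment, tcp-flags spec, src-port, dst-port).
# None means the rule has no matcher of that kind.
RULES = [
    ("TCP invalid combination of flags attack", "!fin,!syn,!rst,!ack", None, None),
    ("TCP invalid combination of flags attack", "fin,syn", None, None),
    ("TCP invalid combination of flags attack", "fin,rst", None, None),
    ("TCP invalid combination of flags attack", "fin,!ack", None, None),
    ("TCP invalid combination of flags attack", "fin,urg", None, None),
    ("TCP invalid combination of flags attack", "syn,rst", None, None),
    ("TCP invalid combination of flags attack", "rst,urg", None, None),
    ("TCP Port 0 attack", None, 0, None),
    ("TCP Port 0 attack", None, None, 0),
]


def make_tcp_header(src_port, dst_port, flag_names):
    """Build a fixed 20-byte TCP header (constructed sample, checksum left zero)."""
    flags = 0
    for name in flag_names:
        flags |= FLAG_BITS[name]
    offset_flags = (5 << 12) | flags  # data offset = 5 words, reserved bits zero
    return struct.pack("!HHIIHHHH", src_port, dst_port, 0, 0, offset_flags, 65535, 0, 0)


def parse_tcp_header(data):
    """Return source port, destination port and the 8 flag bits of a TCP header."""
    if len(data) < 20:
        raise ValueError("truncated TCP header")
    src, dst, _seq, _ack, offset_flags, _win, _csum, _urgp = struct.unpack("!HHIIHHHH", data[:20])
    return {"src_port": src, "dst_port": dst, "flags": offset_flags & 0xFF}


def tcp_flags_match(spec, flags):
    """RouterOS-style tcp-flags matcher: listed flags must be set, '!flag' must be clear,
    flags not mentioned in the spec are ignored."""
    for item in spec.split(","):
        must_be_clear = item.startswith("!")
        bit = FLAG_BITS[item.lstrip("!")]
        if bool(flags & bit) == must_be_clear:
            return False
    return True


def first_matching_rule(hdr):
    """Walk the rules in order like the firewall does; return (comment, matcher) of the
    first hit, or None when the packet passes on to /ip firewall filter."""
    for comment, spec, src_port, dst_port in RULES:
        if spec is not None and not tcp_flags_match(spec, hdr["flags"]):
            continue
        if src_port is not None and hdr["src_port"] != src_port:
            continue
        if dst_port is not None and hdr["dst_port"] != dst_port:
            continue
        matcher = spec if spec is not None else ("src-port=0" if src_port == 0 else "dst-port=0")
        return comment, matcher
    return None


# Constructed sample headers: (label, src port, dst port, flags).
SAMPLES = [
    ("client SYN", 40000, 443, ["syn"]),
    ("server SYN/ACK", 443, 40000, ["syn", "ack"]),
    ("normal FIN/ACK close", 40000, 443, ["fin", "ack"]),
    ("NULL scan (no flags)", 40000, 22, []),
    ("PSH alone (no fin/syn/rst/ack)", 40000, 22, ["psh"]),
    ("SYN+FIN", 40000, 22, ["syn", "fin"]),
    ("bare FIN without ACK", 40000, 22, ["fin"]),
    ("FIN+URG+ACK", 40000, 22, ["fin", "urg", "ack"]),
    ("SYN+RST", 40000, 22, ["syn", "rst"]),
    ("SYN from source port 0", 0, 80, ["syn"]),
    ("SYN to destination port 0", 40000, 0, ["syn"]),
]


def evaluate_samples():
    """Map each sample label to the matcher of the rule that dropped it (None = passed)."""
    results = {}
    for label, src, dst, flag_names in SAMPLES:
        hdr = parse_tcp_header(make_tcp_header(src, dst, flag_names))
        hit = first_matching_rule(hdr)
        results[label] = hit[1] if hit else None
    return results


if __name__ == "__main__":
    for label, matcher in evaluate_samples().items():
        print(f"{label:32s} -> {'drop by ' + matcher if matcher else 'pass to filter'}")
```

The ordinary handshake and close (SYN, SYN/ACK, FIN/ACK) pass every rule, while a NULL scan, SYN+FIN, a bare FIN and the port-0 packets are dropped by the first rule whose spec they satisfy; a PSH-only segment also falls under "!fin,!syn,!rst,!ack", which is worth knowing when reading the rule counters.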
 
efaden
Forum Guru
Posts: 1711
Joined: Sat Mar 30, 2013 1:55 am
Location: New York, USA

Re: How to ***really*** block invalid TCP and UDP packet

Tue Mar 25, 2014 11:58 pm

Thanks

Sent from my SCH-I545 using Tapatalk
 
efaden
Forum Guru
Posts: 1711
Joined: Sat Mar 30, 2013 1:55 am
Location: New York, USA

Re: How to ***really*** block invalid TCP and UDP packet

Wed Mar 26, 2014 12:06 am

When you set on the firewall one rule like:
add action=drop connection-state=invalid
you really do not block any malicious connection or packet.

This rule simply drops any packet or connection for which no match is found in connection tracking.

The following rules block all forged or incorrect packets instead.
These rules are based on how TCP and UDP packets must be written to be valid according to the RFC rules.

These are the rules.
These rules must be the first rules for each chain.

On the input chain we suppose that the router is already protected by other rules.
There is no reason to put the extended rules also on the output chain; we suppose RouterOS generates only standard packets.
/ip firewall filter
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=drop chain=input connection-state=invalid
add action=drop chain=forward comment="TCP flags and Port 0 attacks" protocol=tcp tcp-flags=!fin,!syn,!rst,!ack
add action=drop chain=forward protocol=tcp tcp-flags=fin,syn
add action=drop chain=forward protocol=tcp tcp-flags=fin,rst
add action=drop chain=forward protocol=tcp tcp-flags=fin,!ack
add action=drop chain=forward protocol=tcp tcp-flags=fin,urg
add action=drop chain=forward protocol=tcp tcp-flags=syn,rst
add action=drop chain=forward protocol=tcp tcp-flags=rst,urg
add action=drop chain=forward protocol=tcp src-port=0
add action=drop chain=forward dst-port=0 protocol=tcp
add action=drop chain=forward protocol=udp src-port=0
add action=drop chain=forward dst-port=0 protocol=udp
add action=accept chain=forward connection-state=established
add action=accept chain=forward connection-state=related
add action=drop chain=forward connection-state=invalid
add action=accept chain=output connection-state=established
add action=accept chain=output connection-state=related
add action=drop chain=output connection-state=invalid
IF ANYONE USE MY IDEA OR THIS RULES, PLEASE ADD KARMA.
THANKS TO ALL.


If anyone finds a bug, please report it.
Thanks.
Why are they only on the forward chain?
 
rextended
Forum Guru
Topic Author
Posts: 5702
Joined: Tue Feb 25, 2014 12:49 pm
Location: Capalbio, Tuscany, Italy

Re: How to ***really*** block invalid TCP and UDP packet

Wed Mar 26, 2014 12:11 am

Why are they only on the forward chain?
Because the output chain is generated by RouterOS services, it is independent from all the other sources, so we suppose all output is good,
and the input chain is directed only INSIDE RouterOS services. I lock/protect all RouterOS services on input from unwanted access [from internet].

Only the forward traffic goes from clients to the internet and vice versa.

For more info:
http://wiki.mikrotik.com/wiki/Manual:Packet_Flow
packet flow inside RouterOS.
 
drank
just joined
Posts: 19
Joined: Sun Mar 02, 2014 1:50 pm
Location: Sofia, Bulgaria

Re: How to ***really*** block invalid TCP and UDP packet

Wed Mar 26, 2014 8:40 am

Isn't it easier to switch to a "default deny" policy and then just open whatever is needed, instead of trying to cover all possible incoming packet scenarios in a "default accept" policy?

Or is there a benefit to it that I am missing?

Thank you and best regards
My setup: RB951G-2HnD, RouterOS v6.10
 
rextended
Forum Guru
Topic Author
Posts: 5702
Joined: Tue Feb 25, 2014 12:49 pm
Location: Capalbio, Tuscany, Italy

Re: How to ***really*** block invalid TCP and UDP packet

Wed Mar 26, 2014 9:34 am

Isn't it easier to switch to a "default deny" policy and then just open whatever is needed, instead of trying to cover all possible incoming packet scenarios in a "default accept" policy?

Or is there a benefit to it that I am missing?

Thank you and best regards
Default deny on input is ok,
but on the forward chain it cannot cover all possible scenarios.
(On the output chain "default deny" does not matter)

In "Default Deny" mode [the best way] some rules can be broken: it can accept a legit destination, but not check if some packet is "bad"...

The only way to be sure to deny all that must be denied is to block all literally...


My rules here are for policy integration, not for substitution of all rules :)
 
drank
just joined
Posts: 19
Joined: Sun Mar 02, 2014 1:50 pm
Location: Sofia, Bulgaria

Re: How to ***really*** block invalid TCP and UDP packet

Thu Mar 27, 2014 8:52 am

Aha, I got it. So in "default deny" you open what you need and on top of that you additionally stop malformed/illegal packets (which would otherwise travel through the router if you wouldn't add these additional protocol inspection rules).

Thank you for the explanation.

Best regards.
My setup: RB951G-2HnD, RouterOS v6.10
 
rextended
Forum Guru
Topic Author
Posts: 5702
Joined: Tue Feb 25, 2014 12:49 pm
Location: Capalbio, Tuscany, Italy

Re: How to ***really*** block invalid TCP and UDP packet

Thu Mar 27, 2014 6:16 pm

Aha, I got it. So in "default deny" you open what you need and on top of that you additionally stop malformed/illegal packets (which would otherwise travel through the router if you wouldn't add these additional protocol inspection rules).

Thank you for the explanation.

Best regards.
Exactly!

Thanks.
Last edited by rextended on Tue Jul 06, 2021 5:37 pm, edited 1 time in total.
 
dadaniel
Member Candidate
Posts: 188
Joined: Fri May 14, 2010 11:51 pm

Re: How to ***really*** block invalid TCP and UDP packet

Thu Apr 10, 2014 5:51 pm

The only rule that gets hits is

add action=drop chain=forward dst-port=0 protocol=tcp

in my case. 12 packets in the last 7h.
 
bajodel
Long time Member
Posts: 548
Joined: Sun Nov 24, 2013 8:30 am
Location: Italy

Re: How to ***really*** block invalid TCP and UDP packet

Mon Apr 14, 2014 12:13 pm

thanks rextended, I'd like to give you karma ..but I'm still unable to :-(
edit: now I can :)
 
coylh
Member Candidate
Posts: 160
Joined: Tue Jul 12, 2011 12:11 am

Re: How to ***really*** block invalid TCP and UDP packet

Sun May 25, 2014 5:21 pm

Here's what I get after about a month.
 
Alupis
just joined
Posts: 16
Joined: Wed Feb 29, 2012 6:30 pm

Re: How to ***really*** block invalid TCP and UDP packet

Wed Nov 12, 2014 8:46 am

i like this. very similar to the default firewall rules i use whenever setting up a new linux box.
 
rextended
Forum Guru
Topic Author
Posts: 5702
Joined: Tue Feb 25, 2014 12:49 pm
Location: Capalbio, Tuscany, Italy

Re: How to ***really*** block invalid TCP and UDP packet

Wed Nov 12, 2014 3:33 pm

i like this. very similar to the default firewall rules i use whenever setting up a new linux box.
thanks!
 
Maggiore81
Member
Posts: 395
Joined: Sun Apr 15, 2012 12:10 pm
Location: Italy

Re: How to ***really*** block invalid TCP and UDP packet

Sat Dec 13, 2014 8:48 am

Hmmm. I implemented them too. But is it really useful to drop port 0?

There are different views on the matter!
Dott. Elia Spadoni
---
Network Administrator
MTCNA, MTCRE, MTCTCE, MTCINE, MTCWE, MTCSE
Spadhausen Internet Provider
Ravenna, ITALY
http://www.spadhausen.com
 
boen_robot
Forum Guru
Posts: 2411
Joined: Thu Aug 31, 2006 4:43 pm
Location: europe://Bulgaria/Plovdiv

Re: How to ***really*** block invalid TCP and UDP packet

Sat Dec 13, 2014 4:33 pm

Hmmm. I implemented them too. But is it really useful to drop port 0?

There are different views on the matter!
I'm not aware of those "different views"... Only of a few facts...

As far as "outsiders going in" - If your router can be reached by multiple public IPs (that it then forwards to different other devices), dropping port 0 will minimize the effectiveness of a potential (D)DoS attack on your other devices, instead letting your router take the hit. If your router can be accessed from only a single public IP (and your client devices are in a private network), then dropping port 0 will happen anyway, with or without those rules, so it doesn't hurt to have it, at least so that you can see with the counter how many packets like that you are getting.

And as far as "insiders going out" - Dropping port 0 helps to make sure your devices are not originators of such (D)DoS attacks. The rules above could potentially be tweaked to also log offenders from your network, and perhaps even automatically block their entire internet connection on a certain threshold, forcing your clients to fix their devices (which probably have Trojans if they're doing that).


The only "different view" I can see here is whether it's worth sacrificing your router to shield your clients' devices from incoming attacks. If you have multiple ISPs, you can always just temporarily disable the interface of the ISP from which port 0 packets are coming, in turn keeping your router alive AND keeping your clients blissfully ignorant that there's even a problem. If you don't have multiple ISPs though, making the call is a little tougher. You are making a bet as to whether an attacker will make a large scale attack on all of your public IPs at once. If so, taking the hit is worth it, but if only one IP is attacked, it probably isn't.
PEAR2_Net_RouterOS(1.0.0b6) - My API client in PHP
(Rate my posts? If you want... no pressure...)
 
amigo3900
just joined
Posts: 17
Joined: Fri Oct 15, 2010 10:46 am
Location: Richards Bay South Africa

Re: How to ***really*** block invalid TCP and UDP packet

Wed Dec 31, 2014 10:09 am

Thank you so much for this advice. Karma is given!

Could you please advise on how to tweak? :

"And as far as "insiders going out" - Dropping port 0 helps to make sure your devices are not originators of such (D)DoS attacks. The rules above could potentially be tweaked to also log offenders from your network, and perhaps even automatically block their entire internet connection on a certain threshold, forcing your clients to fix their devices (which probably have Trojans if they're doing that)."

Thanking you

Hennie
 
rado3105
Member
Posts: 493
Joined: Sat Jan 12, 2008 11:45 pm

Re: How to ***really*** block invalid TCP and UDP packet

Sun Feb 08, 2015 6:44 pm

Is it not better to use reject instead of drop?
 
boen_robot
Forum Guru
Posts: 2411
Joined: Thu Aug 31, 2006 4:43 pm
Location: europe://Bulgaria/Plovdiv

Re: How to ***really*** block invalid TCP and UDP packet

Mon Feb 09, 2015 12:15 am

Is it not better to use reject instead of drop?
From a security standpoint, it's better to drop instead of reject.

"Reject" will notify the other end that they've been declined access, making the attacker aware of the presence of the rule, and implicitly, the presence of your device (in that "it's online"). Furthermore, in a DDoS prevention case, sending ANY packet (even a single ICMP packet) per attempted connection means you're doing more load on the network, meaning it takes less coordinated devices to take you down.

"Drop" will not notify the attacker about the rejection, in that it will not send anything. Without further information and/or prior knowledge, the attacker wouldn't know if your device is offline, doesn't exist at all, or exists, but has a rule for dropping the packet. And also, since there's no packets going back on the line, it would take more incoming packets before the uplink goes down.


"Reject" is useful for routers inside larger networks for debugging purposes, but not so much for "edge" routers (i.e. those connected directly to the internet).
PEAR2_Net_RouterOS(1.0.0b6) - My API client in PHP
(Rate my posts? If you want... no pressure...)
 
elmakong
just joined
Posts: 4
Joined: Fri Nov 08, 2013 5:39 am

Re: How to ***really*** block invalid TCP and UDP packet

Fri May 15, 2015 3:17 pm

I tested this rule, and merged some accept rules into one... connection state established, related.... is there any difference?
using winbox to add the rule
 
BartoszP
Forum Guru
Posts: 2050
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: How to ***really*** block invalid TCP and UDP packet

Fri May 15, 2015 6:00 pm

Do not forget TARPIT for TCP data. What does it do?
Basically, for bad connections, it will keep a connection open until it times out (12-24 minutes depending on the client). With most brute force attacks running as a loop through a list of user names and passwords, keeping the connection open that long increases the attack time by enough that the bad guys will either give up or produce no useful result.
http://en.wikipedia.org/wiki/Tarpit_%28 ... el_tarpits
http://www.symantec.com/connect/article ... ms-tarpits
Last edited by BartoszP on Wed May 20, 2015 5:13 pm, edited 1 time in total.
Real admins use real keyboards.
To quote or not to quote, there is the topic: viewtopic.php?f=2&t=168474
 
TomosRider
Member Candidate
Posts: 204
Joined: Thu Nov 20, 2014 1:51 pm

Re: How to ***really*** block invalid TCP and UDP packet

Wed May 20, 2015 4:29 pm

Nice topic. Will give these rules a shot...:)
 
RackKing
Member
Posts: 381
Joined: Wed Oct 09, 2013 1:59 pm

Re: How to ***really*** block invalid TCP and UDP packet

Sun Jun 14, 2015 5:59 pm

So I understand these rules would be in addition to existing firewall rules - as somewhat of a newbie, in a home environment would I simply add these to the standard Mikrotik home config they recommend?

/ip firewall filter
add chain=input connection-state=established action=accept
add chain=input connection-state=related action=accept
add chain=input connection-state=invalid action=drop
add action=drop chain=forward comment="TCP flags and Port 0 attacks" protocol=tcp tcp-flags=!fin,!syn,!rst,!ack
add action=drop chain=forward protocol=tcp tcp-flags=fin,syn
add action=drop chain=forward protocol=tcp tcp-flags=fin,rst
add action=drop chain=forward protocol=tcp tcp-flags=fin,!ack
add action=drop chain=forward protocol=tcp tcp-flags=fin,urg
add action=drop chain=forward protocol=tcp tcp-flags=syn,rst
add action=drop chain=forward protocol=tcp tcp-flags=rst,urg
add action=drop chain=forward protocol=tcp src-port=0
add action=drop chain=forward dst-port=0 protocol=tcp
add action=drop chain=forward protocol=udp src-port=0
add action=drop chain=forward dst-port=0 protocol=udp
add chain=input in-interface=inside action=accept
add chain=input action=drop
add chain=forward connection-state=established action=accept
add chain=forward connection-state=related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward in-interface=inside action=accept
add action=accept chain=output connection-state=established
add action=accept chain=output connection-state=related
add action=drop chain=output connection-state=invalid

Does something like that work? Does someone have a home router config they would post that includes these more locked down rules?

Thanks
 
RackKing
Member
Posts: 381
Joined: Wed Oct 09, 2013 1:59 pm

Re: How to ***really*** block invalid TCP and UDP packet

Tue Jun 16, 2015 9:29 pm

Anyone?
 
amt
Long time Member
Posts: 527
Joined: Fri Jan 16, 2015 2:05 pm

Re: How to ***really*** block invalid TCP and UDP packet

Fri Jun 17, 2016 2:46 pm

When you set on the firewall one rule like:
add action=drop connection-state=invalid
you really do not block any malicious connection or packet.

This rule simply drops any packet or connection for which no match is found in connection tracking.

The following rules block all forged or incorrect packets instead.
These rules are based on how TCP and UDP packets must be written to be valid according to the RFC rules.

These are the rules.
These rules must be the first rules for each chain.

On the input chain we suppose that the router is already protected by other rules.
There is no reason to put the extended rules also on the output chain; we suppose RouterOS generates only standard packets.
/ip firewall filter
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=drop chain=input connection-state=invalid
add action=drop chain=forward comment="TCP flags and Port 0 attacks" protocol=tcp tcp-flags=!fin,!syn,!rst,!ack
add action=drop chain=forward protocol=tcp tcp-flags=fin,syn
add action=drop chain=forward protocol=tcp tcp-flags=fin,rst
add action=drop chain=forward protocol=tcp tcp-flags=fin,!ack
add action=drop chain=forward protocol=tcp tcp-flags=fin,urg
add action=drop chain=forward protocol=tcp tcp-flags=syn,rst
add action=drop chain=forward protocol=tcp tcp-flags=rst,urg
add action=drop chain=forward protocol=tcp src-port=0
add action=drop chain=forward dst-port=0 protocol=tcp
add action=drop chain=forward protocol=udp src-port=0
add action=drop chain=forward dst-port=0 protocol=udp
add action=accept chain=forward connection-state=established
add action=accept chain=forward connection-state=related
add action=drop chain=forward connection-state=invalid
add action=accept chain=output connection-state=established
add action=accept chain=output connection-state=related
add action=drop chain=output connection-state=invalid
IF ANYONE USE MY IDEA OR THIS RULES, PLEASE ADD KARMA.
THANKS TO ALL.


If anyone finds a bug, please report it.
Thanks.
Hi,
can I use it for DDoS? Can it handle a DDoS attack?

Thanks
 
soamz
Member
Posts: 431
Joined: Thu Mar 19, 2015 7:19 am

Re: How to ***really*** block invalid TCP and UDP packet

Sat Jul 30, 2016 11:08 am

So what's the final version of the code to add?
 
chuky0
newbie
Posts: 27
Joined: Thu Apr 20, 2017 7:49 pm

Re: How to ***really*** block invalid TCP and UDP packet

Sun May 28, 2017 8:52 am

Should these be used for ipv6 filter as well?
 
hlev80
just joined
Posts: 13
Joined: Mon Jan 01, 2018 12:34 am

Re: How to ***really*** block invalid TCP and UDP packet

Tue Jan 02, 2018 1:32 am

add action=drop chain=forward protocol=tcp tcp-flags=fin,!ack
Why is this rule there?
As I read it, it drops TCP FIN packets on the forward chain in both directions, doesn't it? If so, why is that desirable?
 
MichalPospichal
just joined
Posts: 16
Joined: Sun Feb 04, 2018 11:27 pm
Location: Czech Republic

Re: How to ***really*** block invalid TCP and UDP packet

Sat Mar 03, 2018 10:06 pm

add action=drop chain=forward protocol=tcp tcp-flags=fin,!ack
Why is this rule there?
As I read it, it drops TCP FIN packets on the forward chain in both directions, doesn't it? If so, why is that desirable?
I think the correct interpretation of the rule is "Drop if TCP FIN AND is NOT ACK".
 
anav
Forum Guru
Posts: 8393
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: How to ***really*** block invalid TCP and UDP packet

Sat Mar 03, 2018 11:06 pm

Can we, or better......... SHOULD we move any of your rules into RAW vice Filter??? If so which ones? and why? and if not, why not??
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
 
Nollitik
Member Candidate
Posts: 240
Joined: Tue Dec 07, 2010 8:16 am

Re: How to ***really*** block invalid TCP and UDP packet

Sun Mar 04, 2018 7:19 pm

Is there such a thing as port 0 UDP? I thought UDP ports are 1025 - 65535, although this throws a monkey wrench: https://en.wikipedia.org/wiki/List_of_T ... rt_numbers

Ports 1 - 1024 are privileged ports and are always source ports...never destination ports.
 
anav
Forum Guru
Posts: 8393
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: How to ***really*** block invalid TCP and UDP packet

Mon Mar 05, 2018 1:48 am

Nollitick, google is your friend if you want to learn about TCP and UDP packets.
This thread is about blocking TCP and UDP.

Ex....
Security Activity Bulletin
TCP/IP and UDP Network Traffic with a Source Port of 0

Summary
Malformed TCP/IP and UDP network traffic may have a source port of 0. TCP and UDP port 0 is a reserved port and should not normally be assigned. Traffic with this configuration may indicate malicious or abnormal activity. Intrusion detection or intrusion prevention devices may detect and/or block such traffic using signatures. Administrators should be aware that ongoing transmissions of TCP/IP and UDP packets with a source port of 0 could indicate ongoing attacks, such as spoofing or an attempt to identify a targeted host's operating system.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
 
Nollitik
Member Candidate
Posts: 240
Joined: Tue Dec 07, 2010 8:16 am

Re: How to ***really*** block invalid TCP and UDP packet

Mon Mar 05, 2018 3:42 am

Nollitick, google is your friend if you want to learn about TCP and UDP packets.
This thread is about blocking TCP and UDP.

Ex....
Security Activity Bulletin
TCP/IP and UDP Network Traffic with a Source Port of 0

Summary
Malformed TCP/IP and UDP network traffic may have a source port of 0. TCP and UDP port 0 is a reserved port and should not normally be assigned. Traffic with this configuration may indicate malicious or abnormal activity. Intrusion detection or intrusion prevention devices may detect and/or block such traffic using signatures. Administrators should be aware that ongoing transmissions of TCP/IP and UDP packets with a source port of 0 could indicate ongoing attacks, such as spoofing or an attempt to identify a targeted host's operating system.
Thank you Anav for the tip... I believe the router should recognize that port 0 is not a valid port and drop the traffic as others have said. I won't include those (TCP or UDP).
 
Nollitik
Member Candidate
Posts: 240
Joined: Tue Dec 07, 2010 8:16 am

Re: How to ***really*** block invalid TCP and UDP packet

Tue Mar 06, 2018 5:53 am

Well. I decided to implement all the rules despite having a PFSense machine with Suricata and Snort in front of the Mikrotik...will now add karma to OP...thank you! Oh...could not find the karma button
 
Cha0s
Forum Guru
Posts: 1069
Joined: Tue Oct 11, 2005 4:53 pm

Re: How to ***really*** block invalid TCP and UDP packet

Tue Mar 06, 2018 1:45 pm

I am not sure blocking traffic with port 0 is wise.

As far as I know, when the payload of a message is too large to fit in a TCP/UDP packet (see MTU), then it gets split into multiple packets (ie: fragmented packets).
The first packet contains the TCP/UDP headers with the source/dest ports but the next fragmented packets do not contain the real ports but port 0.

So as far as I understand it, dropping traffic with source/dest port 0, you might as well drop legit traffic that simply didn't fit in single packets and had to get fragmented into multiple ones.
But, if PMTUd works properly on both ends, then theoretically there shouldn't be a problem with dropping this traffic.

Granted, many DDoS attacks use this fragmentation method to probably bypass firewalls or generally make it harder to drop without dropping legit traffic.

Edit: A way better explanation on port 0 that I remembered myself about it. http://www.lovemytool.com/blog/2013/08/ ... cleod.html
 
anav
Forum Guru
Posts: 8393
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: How to ***really*** block invalid TCP and UDP packet

Wed Mar 07, 2018 4:36 pm

Still waiting from the OP, conveniently does not have an IM LOL, to state which of his rules make sense to put in RAW filtering?????????????
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
 
pe1chl
Forum Guru
Posts: 7733
Joined: Mon Jun 08, 2015 12:09 pm

Re: How to ***really*** block invalid TCP and UDP packet

Wed Mar 07, 2018 5:13 pm

Wouldn't it be much easier to just block all packets with the EVIL bit set according to RFC3514?
 
User avatar
rextended
Forum Guru
Forum Guru
Topic Author
Posts: 5702
Joined: Tue Feb 25, 2014 12:49 pm
Location: Capalbio, Tuscany, Italy

Re: How to ***really*** block invalid TCP and UDP packet

Mon Jun 11, 2018 6:26 pm

Still waiting from the OP, conveniently does not have an IM LOL, to state which of his rules make sense to put in RAW filtering?????????????
When I wrote the post, "raw" did not exist at that time.
 
User avatar
rextended
Forum Guru
Forum Guru
Topic Author
Posts: 5702
Joined: Tue Feb 25, 2014 12:49 pm
Location: Capalbio, Tuscany, Italy

Re: How to ***really*** block invalid TCP and UDP packet

Mon Jun 11, 2018 6:34 pm

Wouldn't it be much easier to just block all packets with the EVIL bit set according to RFC3514?
You have read all RFC3514? It's a joke...
"Attack program must set evil bit"... :shock:
 
George90
Frequent Visitor
Frequent Visitor
Posts: 52
Joined: Mon Sep 27, 2010 4:50 am

Re: How to ***really*** block invalid TCP and UDP packet

Fri Aug 31, 2018 6:37 am

I have a problem with the drop invalid packets rule (forward).
Sometimes it drops packets from VPN clients, sometimes it doesn't.
What can the problem be?
 
expert
Frequent Visitor
Frequent Visitor
Posts: 99
Joined: Sun Dec 04, 2016 1:22 pm

Re: How to ***really*** block invalid TCP and UDP packet

Fri Aug 31, 2018 12:17 pm

As far as I know, when the payload of a message is too large to fit in a TCP/UDP packet (see MTU), then it gets split into multiple packets (ie: fragmented packets).
The first packet contains the TCP/UDP headers with the source/dest ports but the next fragmented packets do not contain the real ports but port 0.

Your post is absolutely odd. MTU has nothing to do with TCP or UDP. IP reassembly occurs of course on 3rd (IP) layer, whereas 4th (TCP) layer sees already defragmented packets.
Of course TCP header is only in the first IP fragment, and is never ever repeated in next fragments.

I suggest you to study IP reassembly algorithm (RFC 815).
 
User avatar
Cha0s
Forum Guru
Forum Guru
Posts: 1069
Joined: Tue Oct 11, 2005 4:53 pm

Re: How to ***really*** block invalid TCP and UDP packet

Fri Aug 31, 2018 12:46 pm

Well,

You are the expert. Why don't you explain it to us then?
 
expert
Frequent Visitor
Frequent Visitor
Posts: 99
Joined: Sun Dec 04, 2016 1:22 pm

Re: How to ***really*** block invalid TCP and UDP packet

Fri Aug 31, 2018 1:04 pm

Well,

You are the expert. Why don't you explain it to us then?
Well, you're a forum veteran, so why are you posting impressions instead of facts here?
 
vchrizz
just joined
Posts: 12
Joined: Sun Jul 10, 2016 11:07 am
Location: Austria, Vienna
Contact:

Re: How to ***really*** block invalid TCP and UDP packet

Wed Dec 05, 2018 6:22 pm

Still waiting from the OP, conveniently does not have an IM LOL, to state which of his rules make sense to put in RAW filtering?????????????
When I wrote the post, "raw" did not exist at that time.
question regarding setup of a firewall on an edge router, is the ruleset from OP still appropriate to use nowadays?
regarding "raw" i guess the ruleset would look different now?

do "connection-state=established" and "connection-state=related" have to be each in an own rule? i usually set them both in one rule?

as this thread ranks top on google searches, a recent example would be great!
thanks
 
elico
Frequent Visitor
Frequent Visitor
Posts: 51
Joined: Mon Nov 07, 2016 3:23 am

Re: How to ***really*** block invalid TCP and UDP packet

Mon Aug 05, 2019 2:03 am

I am missing a full "fasttracked" rule-set with these protection rules.
I assume that the ESTABLISHED,RELATED and INVALID (ACCEPT, FASTTRACK and DROP) can be matched before these filtering rules.
Even if some of the TCP packets are malformed I am assuming the attacked side would not accept these as it probably has a steady IP stack.
If for some reason these will fail, the issue would probably be much worse and might be parallel to "TCP SACK" CVEs level.

Also I am not sure but pretty sure that port 0 packets will not be masqueraded to the world via NAT.
(As in a Linux kernel these would be forwarded to the next hop or network hop as a routed packet)
 
gsbiz
just joined
Posts: 12
Joined: Sat Nov 17, 2018 5:18 pm

Re: How to ***really*** block invalid TCP and UDP packet

Tue Jul 28, 2020 4:27 pm

Just on these rules:
add action=drop chain=forward protocol=tcp src-port=0
add action=drop chain=forward dst-port=0 protocol=tcp
add action=drop chain=forward protocol=udp src-port=0
add action=drop chain=forward dst-port=0 protocol=udp
Load balancers use port 0 for dynamic port allocation, so this will kill some load balancers. Just an FYI. :)
 
User avatar
rextended
Forum Guru
Forum Guru
Topic Author
Posts: 5702
Joined: Tue Feb 25, 2014 12:49 pm
Location: Capalbio, Tuscany, Italy

Re: How to ***really*** block invalid TCP and UDP packet (ver. 2014)

Tue Jul 06, 2021 5:16 pm

For:
viewtopic.php?f=2&t=176633&p=866054#p866012

When I have time I update 1st post for 2021
 
User avatar
rextended
Forum Guru
Forum Guru
Topic Author
Posts: 5702
Joined: Tue Feb 25, 2014 12:49 pm
Location: Capalbio, Tuscany, Italy

Re: How to ***really*** block invalid packets (ver. 2021)

Tue Jul 06, 2021 10:52 pm

Still waiting from the OP, conveniently does not have an IM LOL, to state which of his rules make sense to put in RAW filtering?????????????
You read the reply on 2018? :P
 
User avatar
BartoszP
Forum Guru
Forum Guru
Posts: 2050
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: How to ***really*** block invalid ICMP, TCP, UDP packets and others (ver. 2021)

Wed Jul 07, 2021 2:31 am

it will be much more convenient to import these rules as
/ip firewall raw
add action=jump chain=prerouting comment=rextended jump-target=rextended
add action=drop chain=rextended comment="IP options left, except IP Stream used by the IGMP protocol" ipv4-options=any protocol=!igmp
add action=drop chain=rextended comment="TCP invalid combination of flags attack (7 rules)" in-interface-list=WAN protocol=tcp tcp-flags=!fin,!syn,!rst,!ack
add action=drop chain=rextended in-interface-list=WAN protocol=tcp tcp-flags=fin,syn
add action=drop chain=rextended in-interface-list=WAN protocol=tcp tcp-flags=fin,rst
add action=drop chain=rextended in-interface-list=WAN protocol=tcp tcp-flags=fin,!ack
add action=drop chain=rextended in-interface-list=WAN protocol=tcp tcp-flags=fin,urg
add action=drop chain=rextended in-interface-list=WAN protocol=tcp tcp-flags=syn,rst
add action=drop chain=rextended in-interface-list=WAN protocol=tcp tcp-flags=rst,urg
add action=drop chain=rextended comment="TCP Port 0 attack (2 rules)" in-interface-list=WAN protocol=tcp src-port=0
add action=drop chain=rextended dst-port=0 in-interface-list=WAN protocol=tcp
add action=drop chain=rextended comment="UDP Port 0 attack (2 rules)" in-interface-list=WAN protocol=udp src-port=0
add action=drop chain=rextended dst-port=0 in-interface-list=WAN protocol=udp
add action=drop chain=rextended comment="ICMP large packet attack" in-interface-list=WAN packet-size=1025-65535 protocol=icmp
add action=drop chain=rextended comment="ICMP fragmentation attack" fragment=yes in-interface-list=WAN protocol=icmp
add action=drop chain=rextended comment="SYN fragmented attack" fragment=yes in-interface-list=WAN protocol=tcp tcp-flags=syn
add action=drop chain=rextended comment="IP option loose-source-routing" in-interface-list=WAN ipv4-options=loose-source-routing
add action=drop chain=rextended comment="IP option strict-source-routing" in-interface-list=WAN ipv4-options=strict-source-routing
add action=drop chain=rextended comment="IP option record-route" in-interface-list=WAN ipv4-options=record-route
add action=drop chain=rextended comment="IP option router-alert" in-interface-list=WAN ipv4-options=router-alert
add action=drop chain=rextended comment="IP option timestamp" in-interface-list=WAN ipv4-options=timestamp
add action=drop chain=rextended comment="IP options left, except IP Stream used by the IGMP protocol" in-interface-list=WAN ipv4-options=any protocol=!igmp
add action=return chain=rextended
and then just move the first rule of this chain to its suitable place
....action=jump chain=prerouting comment=rextended jump-target=rextended
No mess, only one line to disable to stop the whole chain from interfering with other rules.
Real admins use real keyboards.
To quote or not to quote, there is the topic: viewtopic.php?f=2&t=168474
 
User avatar
rextended
Forum Guru
Forum Guru
Topic Author
Posts: 5702
Joined: Tue Feb 25, 2014 12:49 pm
Location: Capalbio, Tuscany, Italy

Re: How to ***really*** block invalid ICMP, TCP, UDP packets and others (ver. 2021)

Wed Jul 07, 2021 3:06 am

Thanks also for this idea!!!
It is a work in progress,
I do not know if it is better to put all together and explain later, or to explain section by section... :?
 
Cablenut9
Long time Member
Long time Member
Posts: 542
Joined: Fri Jan 08, 2021 5:30 am

Re: How to ***really*** block invalid ICMP, TCP, UDP packets and others (ver. 2021)

Wed Jul 07, 2021 3:09 am

Explain it section by section, then give the "whole thing" at the end.
Serial question asker
 
User avatar
rextended
Forum Guru
Forum Guru
Topic Author
Posts: 5702
Joined: Tue Feb 25, 2014 12:49 pm
Location: Capalbio, Tuscany, Italy

Re: How to ***really*** block invalid ICMP, TCP, UDP packets and others (ver. 2021)

Wed Jul 07, 2021 3:13 am

Uhm, I proceed as it is now, explaining why this and why that, and at the end the "superscript"? :P
 
User avatar
BartoszP
Forum Guru
Forum Guru
Posts: 2050
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: How to ***really*** block invalid ICMP, TCP, UDP packets and others (ver. 2021)

Wed Jul 07, 2021 1:05 pm

Like this?
/ip firewall raw
#
# move this "jump" line to proper place in the prerouting chain
# it is THE ONLY line you have to move with WinBox
#
add action=jump chain=prerouting comment=rextended jump-target=rextended
#
# Section 1 - block .... description of Section1
#
add action=drop chain=rextended comment="IP options left, except IP Stream used by the IGMP protocol" ipv4-options=any protocol=!igmp
#
# Section 2 - block .... description of Section2
#
add action=drop chain=rextended comment="TCP invalid combination of flags attack (7 rules)" in-interface-list=WAN protocol=tcp tcp-flags=!fin,!syn,!rst,!ack
add action=drop chain=rextended in-interface-list=WAN protocol=tcp tcp-flags=fin,syn
add action=drop chain=rextended in-interface-list=WAN protocol=tcp tcp-flags=fin,rst
add action=drop chain=rextended in-interface-list=WAN protocol=tcp tcp-flags=fin,!ack
add action=drop chain=rextended in-interface-list=WAN protocol=tcp tcp-flags=fin,urg
add action=drop chain=rextended in-interface-list=WAN protocol=tcp tcp-flags=syn,rst
add action=drop chain=rextended in-interface-list=WAN protocol=tcp tcp-flags=rst,urg
#
# Section 3 - block .... description of Section3
#
add action=drop chain=rextended comment="TCP Port 0 attack (2 rules)" in-interface-list=WAN protocol=tcp src-port=0
add action=drop chain=rextended dst-port=0 in-interface-list=WAN protocol=tcp
add action=drop chain=rextended comment="UDP Port 0 attack (2 rules)" in-interface-list=WAN protocol=udp src-port=0
add action=drop chain=rextended dst-port=0 in-interface-list=WAN protocol=udp
add action=drop chain=rextended comment="ICMP large packet attack" in-interface-list=WAN packet-size=1025-65535 protocol=icmp
add action=drop chain=rextended comment="ICMP fragmentation attack" fragment=yes in-interface-list=WAN protocol=icmp
add action=drop chain=rextended comment="SYN fragmented attack" fragment=yes in-interface-list=WAN protocol=tcp tcp-flags=syn
add action=drop chain=rextended comment="IP option loose-source-routing" in-interface-list=WAN ipv4-options=loose-source-routing
add action=drop chain=rextended comment="IP option strict-source-routing" in-interface-list=WAN ipv4-options=strict-source-routing
add action=drop chain=rextended comment="IP option record-route" in-interface-list=WAN ipv4-options=record-route
add action=drop chain=rextended comment="IP option router-alert" in-interface-list=WAN ipv4-options=router-alert
add action=drop chain=rextended comment="IP option timestamp" in-interface-list=WAN ipv4-options=timestamp
add action=drop chain=rextended comment="IP options left, except IP Stream used by the IGMP protocol" in-interface-list=WAN ipv4-options=any protocol=!igmp
#
# return from chain
#
add action=return chain=rextended
Real admins use real keyboards.
To quote or not to quote, there is the topic: viewtopic.php?f=2&t=168474
 
User avatar
rextended
Forum Guru
Forum Guru
Topic Author
Posts: 5702
Joined: Tue Feb 25, 2014 12:49 pm
Location: Capalbio, Tuscany, Italy

Re: How to ***really*** block invalid ICMP, TCP, UDP packets and others (ver. 2021)

Wed Jul 07, 2021 2:01 pm

Yes!
 
faxxe
newbie
Posts: 36
Joined: Wed Dec 12, 2018 1:46 pm

Re: How to ***really*** block invalid ICMP, TCP, UDP packets and others (ver. 2021)

Fri Jul 09, 2021 8:00 am

Great work...

may I ask what's the purpose of this line:

add action=drop chain=prerouting comment="IP option router-alert" ipv4-options=router-alert

Thank you,
faxxe
 
User avatar
rextended
Forum Guru
Forum Guru
Topic Author
Posts: 5702
Joined: Tue Feb 25, 2014 12:49 pm
Location: Capalbio, Tuscany, Italy

Re: How to ***really*** block invalid ICMP, TCP, UDP packets and others (ver. 2021)

Fri Jul 09, 2021 10:21 am

This rule drops all packets with the IP option called router-alert
add action=drop chain=prerouting comment="IP option router-alert" ipv4-options=router-alert

It is used to do DoS attacks using packets with fake levels of aggregated RSVP reservation.
The option was used only in the past and only by experimental protocols.
The guide explaining everything is not complete, it is a work in progress, but the rules are "ready"
 
User avatar
frank333
Member Candidate
Member Candidate
Posts: 240
Joined: Mon Dec 18, 2017 12:17 pm
Location: S.Marino Router model: RB3011UiAS-RM

Re: How to ***really*** block invalid ICMP, TCP, UDP packets and others (ver. 2021)

Fri Jul 09, 2021 9:40 pm

@ rextended
add action=drop chain=prerouting comment="Unused protocol protection" disabled=yes protocol=!tcp

The last rule is disabled on purpose, first add all the protocols you use (for example 47 GRE for PPTP, EoIP etc.) before you enable it
Accept passes to the next /firewall filter section; it does not accept the packet directly.
  • can you explain how to do it?
/ip firewall address-list
add address=2.3.4.5 list=fragment_protected_IP
  • what addresses should be written here an example?
  • can i use these rules on a rbm11g with lte modem?
  • Do I have to enter each line manually or is there a script?
  • What default lines does the quick set configuration add in the firewall?
 
User avatar
rextended
Forum Guru
Forum Guru
Topic Author
Posts: 5702
Joined: Tue Feb 25, 2014 12:49 pm
Location: Capalbio, Tuscany, Italy

Re: How to ***really*** block invalid ICMP, TCP, UDP packets and others (ver. 2021)

Sat Jul 10, 2021 10:24 am

can you explain how to do it?
in the example the most used are added:
icmp (1)
igmp (2)
tcp (6)
udp (17)
gre (47, EoIP, GRE, PPtP, etc.)
but if your network needs to run more protocols like IPsec, simply add them before the drop and log rules (in the script or later in WinBox, it does not matter)
add action=accept chain=prerouting protocol=ipsec-esp
add action=accept chain=prerouting protocol=ipsec-ah
and the "log" rule logs which other protocols transit your network, for inspection


/ip firewall address-list
add address=2.3.4.5 list=fragment_protected_IP
  • what addresses should be written here an example?
All devices susceptible to the Teardrop attack; if in doubt, add all your LAN IPs (public or local, no matter)

  • can i use these rules on a rbm11g with lte modem?
Yes, these rules are for generic use.

  • Do I have to enter each line manually or is there a script?
It is a work in progress; currently you must paste each "block" in a new terminal, following the minimal instructions.

  • What default lines does the quick set configuration add in the firewall?
Those are not within the scope of this topic; for an explanation of generic firewall rules read the MikroTik help pages
Last edited by rextended on Sat Jul 10, 2021 10:58 am, edited 4 times in total.
 
User avatar
frank333
Member Candidate
Member Candidate
Posts: 240
Joined: Mon Dec 18, 2017 12:17 pm
Location: S.Marino Router model: RB3011UiAS-RM

Re: How to ***really*** block invalid ICMP, TCP, UDP packets and others (ver. 2021)

Sat Jul 10, 2021 10:33 am

 0    ;;; Winbox on WAN
      chain=input action=drop protocol=tcp in-interface=lte1 dst-port=8291 

 1    ;;; defconf: accept established,related,untracked
      chain=input action=accept connection-state=established,related,untracked 

 2    ;;; defconf: drop invalid
      chain=input action=drop connection-state=invalid 

 3    ;;; defconf: accept ICMP
      chain=input action=accept protocol=icmp 

 4    ;;; defconf: accept to local loopback (for CAPsMAN)
      chain=input action=accept dst-address=127.0.0.1 

 5    ;;; defconf: drop all not coming from LAN
      chain=input action=drop in-interface-list=!LAN 

 6    ;;; defconf: accept in ipsec policy
      chain=forward action=accept ipsec-policy=in,ipsec 

 7    ;;; defconf: accept out ipsec policy
      chain=forward action=accept ipsec-policy=out,ipsec 

 8 X  ;;; defconf: fasttrack
      chain=forward action=fasttrack-connection hw-offload=yes connection-state=established,related 
do these types of rules in the firewall seem compatible with your raw?
Also, do raws have to have a specific order of execution?

/ip firewall address-list
add address=2.3.4.5 list=fragment_protected_IP
  • what addresses should be written here an example?
for example, I have a home automation server in my LAN, should it be included in this list with the IP of the LAN network, should the IP of important devices in the LAN be included in this list?
I did so
 
User avatar
rextended
Forum Guru
Forum Guru
Topic Author
Posts: 5702
Joined: Tue Feb 25, 2014 12:49 pm
Location: Capalbio, Tuscany, Italy

Re: How to ***really*** block invalid ICMP, TCP, UDP packets and others (ver. 2021)

Sat Jul 10, 2021 11:02 am

do these types of rules in the firewall seem compatible with your raw?
Also, do raws have to have a specific order of execution?
1) Raw precedes filter, and my raw rules complete the default configuration; they do not interfere with normal rules added later by the user to /ip firewall filter, NAT or mangle.
2) Yes, follow the order of the rules in the first post.

for example, I have a home automation server in my LAN, should it be included in this list with the IP of the LAN network,
should the IP of important devices in the LAN be included in this list?
I did so
Read previous answer on previous post.
Last edited by rextended on Sat Jul 10, 2021 11:21 am, edited 1 time in total.
 
User avatar
frank333
Member Candidate
Member Candidate
Posts: 240
Joined: Mon Dec 18, 2017 12:17 pm
Location: S.Marino Router model: RB3011UiAS-RM

Re: How to ***really*** block invalid ICMP, TCP, UDP packets and others (ver. 2021)

Sat Jul 10, 2021 11:12 am

add action=drop chain=prerouting comment="Unused protocol protection" disabled=yes protocol=!tcp

The last rule is disabled on purpose, first add all the protocols you use (for example 47 GRE for PPTP, EoIP etc.) before you enable it
Accept passes to the next /firewall filter section; it does not accept the packet directly.

one more thing, can you add some more information in a simple way? I don't know what to include.
PS: you're an ace! keep it up, I'm following you!! BRAVO
 
User avatar
rextended
Forum Guru
Forum Guru
Topic Author
Posts: 5702
Joined: Tue Feb 25, 2014 12:49 pm
Location: Capalbio, Tuscany, Italy

Re: How to ***really*** block invalid ICMP, TCP, UDP packets and others (ver. 2021)

Sat Jul 10, 2021 11:23 am

Thanks!

Actually, unless you use IPsec you don't need anything else,
and the LOG rule logs before dropping, in case there happen to be others
Read the IPsec example on previous post


Accept passes to the next /firewall filter section; it does not accept the packet directly.
What is accepted then passes to the classic firewall filter / NAT / masquerade as if nothing had happened in RAW

I must write a clear guide, but in the meantime everyone can take advantage of this Juniper feat... ehm, of these rules.
 
nickcarr
just joined
Posts: 5
Joined: Tue Jul 13, 2021 6:43 pm

Re: How to ***really*** block invalid ICMP, TCP, UDP packets and others (ver. 2021)

Wed Jul 14, 2021 10:48 am

search tag # rextended firewall raw rules
....
Hi and thanks for all: it's very effective. I have no suggestions for you, but questions instead. Here are just some.
1) ip firewall raw
Drop traffic from/to port 0: could it be easier to stop traffic using 0 in any port instead of src and dst with additional rules?
2) New TCP connection without SYN
It's an attack for sure. Instead of dropping it in input or forward, could it be better to add src addresses to an "attack-list-src" list and drop incoming from that list from upper lines of the raw prerouting table?
3) I use (hoping to do the best thing) to add extra chains in raw, for example one for ICMP traffic, one for BAD TCP flags association, and so on... with a simple jump after I've dropped traffic from, for example, "attack-list-src" that contains dynamic values. Is it a good strategy, for you?
4) Is there a way to create Objects of objects that could help the management? I make an example: List "Do-not-block-src". And this List contains other lists such as "winbox-src-allow", "ssh-src-allow", etc...
So I could add/remove addresses from a sub-list, propagating it in all rules without the need to add/remove them from each one.
Thanks in advance for any answer.
 
User avatar
rextended
Forum Guru
Forum Guru
Topic Author
Posts: 5702
Joined: Tue Feb 25, 2014 12:49 pm
Location: Capalbio, Tuscany, Italy

Re: How to ***really*** block invalid ICMP, TCP, UDP packets and others (ver. 2021)

Wed Jul 14, 2021 10:55 am

1) My preference is to see exactly what happens; on older versions of RouterOS raw and "any" are not present. When I revise the rules I will keep your suggestion, thanks.
2) Sometimes errors happen... On this base config, I do not want to risk locking other routers, but if you like address-lists no problem :)
3) Good, but for now I have not finished the guide, and what you write is already considered.
4) This is complicated, I need more time to understand and elaborate.

Thanks for reply and I'm open for suggestions!
 
Ddram
just joined
Posts: 15
Joined: Mon Feb 08, 2021 7:56 pm

Re: How to ***really*** block invalid ICMP, TCP, UDP packets and others (ver. 2021)

Sun Jul 18, 2021 8:56 pm

Hi,

i need some further explanation for this rule:
add action=drop chain=prerouting comment="IP Spoofing protection from LAN" in-interface-list=LAN src-address-list=!IP_used_on_LAN \
    src-address=!0.0.0.0 dst-address=!255.255.255.255
as far as I understand, everything from interface list LAN and not from a src IP in LAN, with src address not 0.0.0.0 and dst address not 255.255.255.255, will be dropped.

But if i add it to my firewall everything on IP-layer breaks down.

Thanks in advance.
 
User avatar
rextended
Forum Guru
Forum Guru
Topic Author
Posts: 5702
Joined: Tue Feb 25, 2014 12:49 pm
Location: Capalbio, Tuscany, Italy

Re: How to ***really*** block invalid ICMP, TCP, UDP packets and others (ver. 2021)

Mon Jul 19, 2021 6:01 am

if i add it to my firewall everything on IP-layer breaks down
Have you set the IP_used_on_LAN address list?

add action=drop chain=prerouting comment="IP Spoofing protection from LAN" in-interface-list=LAN src-address-list=!IP_used_on_LAN \
    src-address=!0.0.0.0 dst-address=!255.255.255.255
Drops in prerouting packets from LAN with addresses different from the expected IP_used_on_LAN, with source address different from 0.0.0.0 and destination address different from 255.255.255.255
 
Ddram
just joined
Posts: 15
Joined: Mon Feb 08, 2021 7:56 pm

Re: How to ***really*** block invalid ICMP, TCP, UDP packets and others (ver. 2021)

Mon Jul 19, 2021 4:40 pm

Yes, I have my own list and there was a typo. My fault, everything works fine now.

Thanks for the hint ;)
 
DarkNate
Member
Member
Posts: 387
Joined: Fri Jun 26, 2020 4:37 pm

Re: How to ***really*** block invalid ICMP, TCP, UDP packets and others (ver. 2021)

Thu Jul 22, 2021 10:33 am

A lot of these can be dropped by rp-filter=strict.

Those ICMP rules of yours will likely break PMTUD.
Linux already rate limits ICMP, why add additional stress? Why stop 1500 ICMP size? We use those actively on ASNs to determine if the remote host (example cloudflare) supports 1508 L3 MTU.

This is sufficient: https://help.mikrotik.com/docs/display/ ... d+Firewall
 
pe1chl
Forum Guru
Forum Guru
Posts: 7733
Joined: Mon Jun 08, 2015 12:09 pm

Re: How to ***really*** block invalid ICMP, TCP, UDP packets and others (ver. 2021)

Thu Jul 22, 2021 11:02 am

Those ICMP rules of yours will likely break PMTUD.
You are right, such firewall rules (and all that blocking of "invalid packets" that do no harm anyway) are not worth the trouble and cause more harm than good.
It is all well as long as it is the play garden of some hobbyist and he gets satisfaction out of it, but sometimes such bad advice breaks loose on the internet (e.g. as seen with the site of a certain Steve Gibson) and bad breakage of the internet occurs that is very hard to fix because everyone copies it without understanding what they break.

It is better to stick to what is described on that MikroTik Help webpage.
 
DarkNate
Member
Member
Posts: 387
Joined: Fri Jun 26, 2020 4:37 pm

Re: How to ***really*** block invalid ICMP, TCP, UDP packets and others (ver. 2021)

Thu Jul 22, 2021 11:20 am

Those ICMP rules of yours will likely break PMTUD.
You are right, such firewall rules (and all that blocking of "invalid packets" that do no harm anyway) are not worth the trouble and cause more harm than good.
It is all well as long as it is the play garden of some hobbyist and he gets satisfaction out of it, but sometimes such bad advice breaks loose on the internet (e.g. as seen with the site of a certain Steve Gibson) and bad breakage of the internet occurs that is very hard to fix because everyone copies it without understanding what they break.

It is better to stick to what is described on that MikroTik Help webpage.
I have found many ISPs deploying these stupid configurations, breaking PMTUD and wonder why customers are leaving them. The MikroTik help page config conforms to the latest RFCs as of 2021 and covers all the bases without breaking any protocol or mechanism.

As for a certain Steve Gibson, I definitely don't take advice from them anyway.

@rextended before posting bullshit config, study basic networking concepts and learn what PMTUD is.
RFC 8900 exists because of people like yourself: https://datatracker.ietf.org/doc/html/rfc8900
 
User avatar
Jotne
Forum Guru
Forum Guru
Posts: 2308
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: How to ***really*** block invalid ICMP, TCP, UDP packets and others (ver. 2021)

Thu Jul 22, 2021 11:34 am

No need to use bad language. Constructive feedback is always welcome.
 
Try Splunk> to monitor your MikroTik Router(s). How to set it up. :mrgreen:

MikroTik->Splunk
 
 
User avatar
rextended
Forum Guru
Forum Guru
Topic Author
Posts: 5702
Joined: Tue Feb 25, 2014 12:49 pm
Location: Capalbio, Tuscany, Italy

Re: How to ***really*** block invalid ICMP, TCP, UDP packets and others (ver. 2021)

Thu Jul 22, 2021 11:52 am

@DarkNate
Where is the page on the forum where you teach to change the default "no" in the rp-filter and set it to "strict"?
I asked everyone for constructive criticism, not unnecessary controversy.

And about ICMP, it all started from a request about this Juniper feature
https://www.juniper.net/documentation/u ... protection
Last edited by rextended on Thu Jul 22, 2021 12:34 pm, edited 2 times in total.
 
DarkNate
Member
Member
Posts: 387
Joined: Fri Jun 26, 2020 4:37 pm

Re: How to ***really*** block invalid ICMP, TCP, UDP packets and others (ver. 2021)

Thu Jul 22, 2021 12:11 pm

@DarkNate
Where is the page on the forum where you teach to change the default "no" in the rp-filter and set it to "strict"?
I asked everyone for constructive criticism, not unnecessary controversy.

And about ICMP, it all started from a request about this Juniper feature
https://www.juniper.net/documentation/u ... protection
1. RouterOS is based on Linux, Linux is general and has a lot of documentation. RP-Filtering has been widely discussed and documented for decades. So what does MikroTik have to do with it?
Source: https://www.theurbanpenguin.com/rp_filt ... x-security

2. They are not behind the iptables/nftables framework, they simply build a UI/UX/API on-top of the kernel.

3. It is basic network engineering to know that rp-filter = strict is applicable anywhere where symmetric routing takes place and wherever ASN termination does not take place (even if symmetric). If it is an edge router used for ASN termination (read BGP sessions/peering/upstream), then rp-filter = loose

4. Juniper is nothing special, they moved on to Linux, so the same principles apply: https://twitter.com/ghostinthenet/statu ... 09187?s=20

5. ICMP should be rate-limited, not blocked, what are you achieving by breaking PMTUD? Did you even read RFC 8900? Why do you want to intentionally break PMTUD? Have you seen what kind of effects that creates on the internet? Point-to-point links between ASNs?

6. Fortunately for ignorant fools, MikroTik rate limits ICMP by default anyway
And another chain for ICMP. Note that if you want a very strict firewall then such strict ICMP filtering can be used, but in most cases, it is not necessary and simply adds more load on the router's CPU. ICMP rate limit in most cases is also unnecessary since the Linux kernel is already limiting ICMP packets to 100pps.
Source: https://help.mikrotik.com/docs/display/ ... d+Firewall
 
User avatar
rextended
Forum Guru
Forum Guru
Topic Author
Posts: 5702
Joined: Tue Feb 25, 2014 12:49 pm
Location: Capalbio, Tuscany, Italy

Re: How to ***really*** block invalid ICMP, TCP, UDP packets and others (ver. 2021)

Thu Jul 22, 2021 12:17 pm

The topic is work in progress AND I accept your criticism AND I understand exactly PMTUD,
your observations are considered.

from RFC 8900 for example:
6. Recommendations
6.1. For Application and Protocol Developers
Developers SHOULD NOT develop new protocols or applications that rely on IP fragmentation. ...

... Protocols and applications that rely on IP fragmentation will work less reliably on the Internet. ...

... Legacy protocols that depend upon IP fragmentation SHOULD be updated to break that dependency. ...

... Other protocols may deploy a sufficiently reliable PMTU discovery mechanism (e.g., PLPMTUD) ...


I don't understand why you assume, not just you, that everyone who uses MikroTik, at any level, is a linux kernel expert.
If someone asks for help on the forum, they are certainly not an expert, otherwise they would be able to manage on their own.
Who gets to build networks between ASNs comes to ask for help on the MikroTik forum or to copy and paste from my topic?

Anyway THANK YOU, despite your rude way (but really, only on post #69) I noticed this thing AND I KEEP IT IN CONSIDERATION.

Thank you.
 
DarkNate
Member
Member
Posts: 387
Joined: Fri Jun 26, 2020 4:37 pm

Re: How to ***really*** block invalid ICMP, TCP, UDP packets and others (ver. 2021)

Thu Jul 22, 2021 12:47 pm

The topic is work in progress AND I accept your criticism AND I understand exactly PMTUD,
your observations are considered.

from RFC 8900 for example:
6. Recommendations
6.1. For Application and Protocol Developers
Developers SHOULD NOT develop new protocols or applications that rely on IP fragmentation. ...

... Protocols and applications that rely on IP fragmentation will work less reliably on the Internet. ...

... Legacy protocols that depend upon IP fragmentation SHOULD be updated to break that dependency. ...

... Other protocols may deploy a sufficiently reliable PMTU discovery mechanism (e.g., PLPMTUD) ...


I don't understand why you assume, not just you, that everyone who uses MikroTik, at any level, is a Linux kernel expert.
If someone asks for help on the forum, they are certainly not an expert, otherwise they would be able to manage on their own.
Who gets to build networks between ASNs comes to ask for help on the MikroTik forum or to copy and paste from my topic?

Anyway THANK YOU, despite your rude way (only once, not everywhere) I noticed this thing AND I KEEP IT IN CONSIDERATION.

Thank you.
1. MikroTik is a brand, RouterOS is just a UI/UX/GUI/API running on top of Linux. MikroTik never had and never will do jack to the underlying Linux kernel project, we all know how terrible RouterOS is with stability and not up to par with JunOS Evolved, Cumulus Linux etc
2. Linux is the foundation of modern-day networking, source: https://twitter.com/ghostinthenet/statu ... 09187?s=20
3. If you want to master or at the least thoroughly understand networking, then study Linux Networking, some basics of BPF and eBPF, nftables etc
4. I am NOT making an observation, I'm stating facts that your config tax the CPU without any purpose and breaks legitimate PMTUD among other things.
5. rp-filtering=strict takes care of 99% of what your rule does, and I'd ball-park 80% with rp-filtering=loose
6. Thousands of ISPs especially in Asia-Pacific, South America, South Africa etc lack knowledge and technically competent network engineers, they come to forum posts etc, see some bad config with a beautiful headline, copy/paste it and viola! Breaks the web.
An APNIC blog post has partially mentioned this problem in the first paragraph or so: https://blog.apnic.net/2021/06/24/how-t ... imization/
 
rextended
Forum Guru
Topic Author
Posts: 5702
Joined: Tue Feb 25, 2014 12:49 pm
Location: Capalbio, Tuscany, Italy

Re: How to ***really*** block invalid ICMP, TCP, UDP packets and others (ver. 2021)

Thu Jul 22, 2021 1:14 pm

6. Thousands of ISPs especially in Asia-Pacific, South America, South Africa etc lack knowledge and technically competent network engineers, they come to forum posts etc, see some bad config with a beautiful headline, copy/paste it and viola! Breaks the web.
Why don't you ask Juniper to remove that option, MikroTik to close this forum, ask the other forums to close, ask GitHub to delete all related repositories and YouTube to delete its videos?

In that article, drop port 0 and invalid flags are present...
Not the others, obviously.
I have modified top post.
 
DarkNate
Member
Posts: 387
Joined: Fri Jun 26, 2020 4:37 pm

Re: How to ***really*** block invalid ICMP, TCP, UDP packets and others (ver. 2021)

Thu Jul 22, 2021 2:10 pm

6. Thousands of ISPs especially in Asia-Pacific, South America, South Africa etc lack knowledge and technically competent network engineers, they come to forum posts etc, see some bad config with a beautiful headline, copy/paste it and viola! Breaks the web.
Why don't you ask Juniper to remove that option, MikroTik to close this forum, ask the other forums to close, ask GitHub to delete all related repositories and YouTube to delete its videos?

In that article, drop port 0 and invalid flags are present...
Not the others, obviously.
I have modified top post.
Are you an idiot? It's not Juniper or MikroTik putting out false information, it is end-users like yourself.

Your config has a lot of redundant rules like protocol-based ones, like so what? Now we just drop udp-lite, dccp, sctp or what?

Read the MikroTik advanced firewall help page; it's 100x better than yours and covers all bases without breaking any protocols or mechanisms.
 
rextended
Forum Guru
Topic Author
Posts: 5702
Joined: Tue Feb 25, 2014 12:49 pm
Location: Capalbio, Tuscany, Italy

Re: How to ***really*** block invalid ICMP, TCP, UDP packets and others (ver. 2021)

Thu Jul 22, 2021 2:15 pm

You are still rude and offensive, you have to be really frustrated in your private life to offend in such a free way here on the forum.

Maybe there is someone who commands you and you can't do anything about it,
then try to do the same here on the forum. This does not justify offenses and bad words.

I'd rather be ignorant than a know-it-all and conceited like you.
Last edited by rextended on Thu Jul 22, 2021 2:21 pm, edited 2 times in total.
 
DarkNate
Member
Posts: 387
Joined: Fri Jun 26, 2020 4:37 pm

Re: How to ***really*** block invalid ICMP, TCP, UDP packets and others (ver. 2021)

Thu Jul 22, 2021 2:18 pm

You are still rude and offensive, you have to be really frustrated in your private life to offend in such a free way here on the forum.

Maybe there is someone who commands you and you can't do anything about it,
then try to do the same here on the forum. This does not justify offenses and bad words.

I'd rather be ignorant than a know-it-all and conceited like you.
I'm not alone in calling out your bullshit config: viewtopic.php?f=9&t=83387#p868588
 
rextended
Forum Guru
Topic Author
Posts: 5702
Joined: Tue Feb 25, 2014 12:49 pm
Location: Capalbio, Tuscany, Italy

Re: How to ***really*** block invalid ICMP, TCP, UDP packets and others (ver. 2021)

Thu Jul 22, 2021 2:25 pm

@ pe1chl expressed his thoughts in a non-offensive manner.

The forum is full of worse things, like you, for example; why don't you ask the staff to delete them all?

Instead of being here to offend on the forum, why can't you find a job with your very high knowledge, perhaps as a teacher of the "right path"?

Of course I am honored that a person with such a high qualification is offending me on the forum, instead of going to work!!!

Got nothing better to do huh?

Unemployed?
 
DarkNate
Member
Posts: 387
Joined: Fri Jun 26, 2020 4:37 pm

Re: How to ***really*** block invalid ICMP, TCP, UDP packets and others (ver. 2021)

Thu Jul 22, 2021 2:28 pm

@ pe1chl expressed his thoughts in a non-offensive manner.

The forum is full of worst things, like you, for example, why don't you ask the staff to delete them all?

Instead of being here to offend on the forum, why can't you find a job with your very high knowledge, perhaps as a teacher of the "right path"?

Of course I am honored that a person with such a high qualification is offending me on the forum, instead of going to work!!!

Got nothing better to do huh?

Unemployed?
I do promote my knowledge to live ASNs and networks. Based on my experience/personal opinion, 99% of bad network configuration comes from forum posts like yours, many ASNs and network operators copy/paste such config without studying the underlying BPF/eBPF logic.

Hence I am calling out on your bullshit config. It is what it is. You can keep defending your config rules all day if you want to, it won't change the fact that it's bad and poorly implemented.

I have plenty of free time from my main job, we automate 99% of the config/deployments.
 
rextended
Forum Guru
Topic Author
Posts: 5702
Joined: Tue Feb 25, 2014 12:49 pm
Location: Capalbio, Tuscany, Italy

Re: How to ***really*** block invalid ICMP, TCP, UDP packets and others (ver. 2021)

Thu Jul 22, 2021 2:31 pm

I do not want to defend my rules,
I want you to stop offending and be more polite.
Last edited by rextended on Thu Jul 22, 2021 2:33 pm, edited 2 times in total.
 
DarkNate
Member
Posts: 387
Joined: Fri Jun 26, 2020 4:37 pm

Re: How to ***really*** block invalid ICMP, TCP, UDP packets and others (ver. 2021)

Thu Jul 22, 2021 2:32 pm

I do not want to defend my rules,
I want you to stop offending and be more polite.
Dude, I'm not here to be friends. I'm here to share factual information on networking, engineering and tech. 1+1=2 is what it is.

If you want some bro time, find that elsewhere. This is a networking forum, not Facebook group chats.
 
rextended
Forum Guru
Topic Author
Posts: 5702
Joined: Tue Feb 25, 2014 12:49 pm
Location: Capalbio, Tuscany, Italy

Re: How to ***really*** block invalid ICMP, TCP, UDP packets and others (ver. 2021)

Thu Jul 22, 2021 2:35 pm

To do this, there is no need to offend or be rude.

I don't want another friend, I just want you to stop offending and be more polite.

It is against the rules of any forum to offend.

Am I asking too much?
 
sid5632
Member
Posts: 469
Joined: Fri Feb 17, 2017 6:05 pm

Re: How to ***really*** block invalid ICMP, TCP, UDP packets and others (ver. 2021)

Thu Jul 22, 2021 2:48 pm

see some bad config with a beautiful headline, copy/paste it and viola! Breaks the web.
Sometimes, if it's a really big problem, you end up with a cello or even a double-bass.
 
pe1chl
Forum Guru
Posts: 7733
Joined: Mon Jun 08, 2015 12:09 pm

Re: How to ***really*** block invalid ICMP, TCP, UDP packets and others (ver. 2021)

Thu Jul 22, 2021 5:00 pm

I do not want to defend my rules,
I want you to stop offending and be more polite.
HAHAHA rextended is offended by others... while usually he is the worst one on the forum, offending everyone who dares to ask a question!
Maybe you can see it as a hint that you need to adjust your behavior?
 
DarkNate
Member
Posts: 387
Joined: Fri Jun 26, 2020 4:37 pm

Re: How to ***really*** block invalid ICMP, TCP, UDP packets and others (ver. 2021)

Thu Jul 22, 2021 5:04 pm

I do not want to defend my rules,
I want you to stop offending and be more polite.
HAHAHA rextended is offended by others... while usually he is the worst one on the forum, offending everyone who dares to ask a question!
Maybe you can see it as a hint that you need to adjust your behavior?
A potato no matter what you do will remain a potato.
 
rextended
Forum Guru
Topic Author
Posts: 5702
Joined: Tue Feb 25, 2014 12:49 pm
Location: Capalbio, Tuscany, Italy

Re: How to ***really*** block invalid ICMP, TCP, UDP packets and others (ver. 2021)

Thu Jul 22, 2021 5:05 pm

Maybe you can see it as a hint that you need to adjust your behavior?
You're right,
it can serve me as a lesson,
but without exaggerating ...
 
Ddram
just joined
Posts: 15
Joined: Mon Feb 08, 2021 7:56 pm

Re: How to ***really*** block invalid ICMP, TCP, UDP packets and others (ver. 2021)

Sat Aug 07, 2021 2:46 pm

Hello again,

I've got another "problem" (not really a problem) I want to track down for my understanding.

Before I added your raw rules, I had two working filter rules to block incoming (from the WAN side) DNS requests.
 
2    ;;; Drop Wan2Lan DNS (UDP)
      chain=input action=drop protocol=udp in-interface=pppoe-out1 dst-port=53
      
3    ;;; Drop Wan2Lan DNS (TCP)
      chain=input action=drop protocol=tcp in-interface=pppoe-out1 dst-port=53
Since I added your raw rules I can see incoming DNS requests on my pihole and the firewall filter rules don't hit.

In the meantime I added two additional raw rules to block these requests.

 1    chain=prerouting action=drop dst-port=53 protocol=udp src-address-list=!Lan 

 2    chain=prerouting action=drop dst-port=53 protocol=tcp src-address-list=!Lan 

From my understanding your raw rules shouldn't affect the filter rules I've had in the past. Any hints on what's going on here are appreciated.
 
rextended
Forum Guru
Topic Author
Posts: 5702
Joined: Tue Feb 25, 2014 12:49 pm
Location: Capalbio, Tuscany, Italy

Re: How to ***really*** block invalid ICMP, TCP, UDP packets and others (ver. 2021)

Sat Aug 07, 2021 5:10 pm

If something has been dropped in
/ip firewall raw
it fails to reach
/ip firewall filter
because it was dropped before the filter.

If something has been accepted in
/ip firewall raw
it is still processed in
/ip firewall filter
as if it was never accepted in RAW.

I do not know why this happens to you, but I have just checked it on my device, and that behavior does not happen.
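A diagnostic for locating where the DNS packets from Ddram's question are actually seen, covering both the question and the raw-versus-filter explanation above; it is an added example, not rextended's rule set nor Ddram's rules, and it assumes the WAN interface is named pppoe-out1 and the LAN address list is named Lan, as in Ddram's post. Nothing in it drops traffic: raw uses passthrough and filter uses log, so the existing rules keep working while the counters show which chain sees the packets.

```routeros
# Added diagnostic rules (not from the thread). Assumptions: the WAN interface
# is pppoe-out1 and the LAN address list is named "Lan", as in Ddram's post.
# place-before=0 puts each rule at the top of its chain, in front of any
# existing drop rule, so the counters reflect everything the chain receives.

# Raw chain: does prerouting see external DNS at all?
/ip firewall raw
add chain=prerouting action=passthrough protocol=udp dst-port=53 \
    src-address-list=!Lan place-before=0 comment="DIAG raw udp53 from non-LAN"

# Filter chains: is the traffic addressed to the router itself (input) or
# routed through it towards the LAN (forward)? An input-chain rule never
# matches packets that take the forward path, for example after a dst-nat
# to an internal host.
/ip firewall filter
add chain=input action=log log-prefix="DIAG-input-udp53" protocol=udp \
    dst-port=53 in-interface=pppoe-out1 place-before=0 comment="DIAG input udp53"
add chain=forward action=log log-prefix="DIAG-forward-udp53" protocol=udp \
    dst-port=53 in-interface=pppoe-out1 place-before=0 comment="DIAG forward udp53"

# After a few minutes of WAN traffic, compare the counters and the log lines.
/ip firewall raw print stats where comment~"DIAG"
/ip firewall filter print stats where comment~"DIAG"
/log print where message~"DIAG"

# Remove the diagnostic rules once the comparison is done.
/ip firewall raw remove [find comment~"DIAG"]
/ip firewall filter remove [find comment~"DIAG"]
```

If only the forward counter grows, the queries are being routed through the router to the internal host and an input-chain rule cannot match them, whatever the raw table does; if the raw counter grows but neither filter counter does, something in raw ahead of the filter is handling them.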
 
Ddram
just joined
Posts: 15
Joined: Mon Feb 08, 2021 7:56 pm

Re: How to ***really*** block invalid ICMP, TCP, UDP packets and others (ver. 2021)

Sat Aug 07, 2021 8:15 pm

Your explanation is exactly what I expected, but it's not what my router is doing.

I searched some of the clients that came in and as far as I can see, these are some scanners which are searching for open DNS recursive servers, which can be used for DNS amplification attacks. So it's nothing bad on short sight, but it shouldn't be possible....

Do you think I can gather useful information with Wireshark to see what's happening? Or should I keep the raw rules and delete the filter, because that way it works?
 
rextended
Forum Guru
Topic Author
Posts: 5702
Joined: Tue Feb 25, 2014 12:49 pm
Location: Capalbio, Tuscany, Italy

Re: How to ***really*** block invalid ICMP, TCP, UDP packets and others (ver. 2021)

Sat Aug 07, 2021 8:32 pm

Explainable or not (at least to me),
eliminating unwanted traffic on raw is better, keep those rules and eliminate them on the filter.
 
Ddram
just joined
Posts: 15
Joined: Mon Feb 08, 2021 7:56 pm

Re: How to ***really*** block invalid ICMP, TCP, UDP packets and others (ver. 2021)

Sat Aug 07, 2021 8:42 pm

Alright, then I'll keep it this way. Maybe one day I'll find something that explains this behaviour.

Thanks for your advice! :)
