francolini
just joined
Topic Author
Posts: 7
Joined: Tue Jun 30, 2020 11:51 am

FW rule for routerOS updates

Sun May 21, 2023 11:05 am

Hi all,

A basic firewall rule-pair running on RouterOS 6.47 that I struggle to understand:
ether1 = WAN facing interface
;;; Allow routerOS update checks
chain=output action=accept connection-state=established,related,new protocol=tcp out-interface=ether1 dst-port=80 log=yes log-prefix="ROUTER-UPDATE_ACP"

;;; Block other WAN requests to router
chain=input action=drop in-interface=ether1 log=yes log-prefix="WAN-INPUT_DRP"
Logs show that the first rule correctly matches the outgoing SYN package, but does not match the returning SYN,ACK reply. Instead, it's caught by the drop rule.
Isn't connection-state=related supposed to ensure that all packages in the 3-way handshake are included here?

I've seen some posts saying that it would work if an input chain is used instead. But I struggle to understand why, since this is imo a perfect example of a typical output chain rule.
 
holvoetn
Forum Guru
Posts: 5317
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: FW rule for routerOS updates

Sun May 21, 2023 11:16 am

Without specifying where to go to, that rule is not specific for RouterOS upgrades, I think.
Almost anything going out for port 80 will match that rule.
To my knowledge default RouterOS does not have a rule on output chain.
So where does it come from ?

What are you actually trying to look for ?
 
francolini
just joined
Topic Author
Posts: 7
Joined: Tue Jun 30, 2020 11:51 am

Re: FW rule for routerOS updates

Sun May 21, 2023 2:06 pm

> Without specifying where to go to, that rule is not specific for RouterOS upgrades, I think.
> Almost anything going out for port 80 will match that rule.
> To my knowledge default RouterOS does not have a rule on output chain.
> So where does it come from ?
>
> What are you actually trying to look for ?
It's possible to add a specific destination filter, but it should not be needed for it to work. The default routerOS config does not have any rules at all (at least not on this particular model), so you're right about that.

The question is: Why does the first rule not match the handshake packets sent from the router when attempting to do a routerOS upgrade check (eg, package/update/check-for-updates)?
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: FW rule for routerOS updates

Sun May 21, 2023 9:21 pm

The thing with packets, which are parts of router's own connection, is that outgoing packets will be dealt with by chain=output and incoming packets will be dealt with by chain=input. It doesn't matter which entity did initiate the connection. (Reference: https://wiki.mikrotik.com/wiki/Manual:I ... all/Filter).

Default firewall filter ruleset doesn't have anything for chain=output, so all packets leaving router will be allowed. And chain=input has a rule allowing "connection-state=established,related" ... which then accepts return packets. If you start to play with chain=output, then you have to construct rules, which will allow packets, belonging to allowed connections. In all relevant chains.

When constructing filter rules which allow connections to mikrotik's update servers: you may want to allow https as well, everything is moving towards it these days. If the rule is not needed now, it may become necessary in not-so-distant future.
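The following ruleset is an added example (it is not from this thread and not a MikroTik default configuration) that applies the chain split mkx describes: the router's outgoing SYN is handled by chain=output, the SYN,ACK that answers it by chain=input, so both chains need a rule for the connection. It assumes ether1 is the WAN interface, as in the original post, and uses RouterOS 6.x CLI syntax; the port numbers and log prefixes are taken from the thread, everything else is the example's own choice.

```routeros
# Added example, not the thread's or MikroTik's own config.
# Assumption: ether1 is the WAN-facing interface.
/ip firewall filter

# chain=input handles packets addressed TO the router, including the SYN,ACK
# that answers the router's own SYN. Because this rule has no "new", nothing
# initiated from the WAN side matches it; only replies to router-initiated flows do.
add chain=input action=accept connection-state=established,related \
    comment="Return traffic of connections the router initiated"
add chain=input action=drop connection-state=invalid \
    comment="Packets conntrack cannot associate with any known connection"
add chain=input action=drop in-interface=ether1 log=yes log-prefix="WAN-INPUT_DRP" \
    comment="Block other WAN requests to router"

# chain=output handles packets generated BY the router. Only the first packet of
# the update check is connection-state=new; the ACK and the HTTP request that
# follow are established and are matched by the first rule below.
add chain=output action=accept connection-state=established,related \
    comment="Later packets of router-originated connections"
add chain=output action=accept connection-state=new protocol=udp out-interface=ether1 \
    dst-port=53 comment="DNS lookups the router needs to resolve the update server name"
add chain=output action=accept connection-state=new protocol=tcp out-interface=ether1 \
    dst-port=80,443 log=yes log-prefix="ROUTER-UPDATE_ACP" \
    comment="Allow routerOS update checks over HTTP and HTTPS"
add chain=output action=drop out-interface=ether1 log=yes log-prefix="WAN-OUTPUT_DRP" \
    comment="Everything else the router tries to send out over WAN"
```

Rule order matters: the established,related accepts sit first in each chain so that return packets never reach the drop rules. The final output drop is what makes the output chain restrictive; it also blocks any other router-originated traffic (NTP, cloud DDNS, remote logging), so add an accept for each such service above it or leave the drop out and keep only the logging. To narrow the rule to the update servers, as suggested earlier in the thread, add a dst-address-list match to the port 80,443 rule; the thread names no addresses, so none are given here.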
 
francolini
just joined
Topic Author
Posts: 7
Joined: Tue Jun 30, 2020 11:51 am

Re: FW rule for routerOS updates

Mon May 22, 2023 11:31 pm

Thanks, this clears up some questions.
Overall, I was skeptical about using chain=input rules on the WAN interface, as I don't have any services on the router that should be exposed on wan. But as I now understand, by not having "new" in the connection-state parameter, the router will only accept packages on connections that were initiated from the router. Which was kinda what I was aiming for.

And yeah, it makes sense to also prepare https / do additional destination filtering and more. Should be easier now with basic understanding of the chain concept :). Next challenge will be to get DNS DOH up and running.
