FIREWALL GUIDANCE
1. Novice Setup
2A Novice+ Setup
2B Apprentice Setup ( * NEW * )
3. Use of Interface Lists and Firewall Address Lists
4. Limiting Configuration Access to Admin
5. Intermediate Setup
6. Understanding Firewall Rule Matching
7. Identifying Users/Devices/Groups/Interfaces
8. RoS & Stateful Firewall - Basic
9. FIrewall Rules & Fastrack
NOVICE and RECREATIONAL USER RECOMMENDED CONFIGS.
( Intended for the new user and for the lightly experienced user who has gained enough knowledge and who now require changes to the default config. )
(i) Use Safe Mode when configuring the MT Device - https://help.mikrotik.com/docs/display/ ... t-SafeMode.
(ii) Do NOT use quickset, and if you do for some reason at start-up, do NOT return to quickset to make changes later.
(iii) Finding the default configuration - Go to 'New Terminal', on the command line enter: /system default-configuration print file=anynamewilldo - next download the file and you have it! Not really needed unless you have completely lost the bubble.
(iv) Also for various models the default config included is noted here - https://help.mikrotik.com/docs/display/ ... igurations
(v) Understanding basic Firewall - https://www.youtube.com/watch?v=Q9qwgKrw-0g
MOST RECENT CHANGES LISTED HERE:
update1--> /ip settings: Should mention RP-filter is best set LOOSE and do NOT recommend checkbox for tcp syn cookies, and max neighbours to 4096 ( 8092 is way to many for home user ).
update2--> [/ip firewall: Connection Tab settings (Tracking Button): Do NOT check box for Loose Tracking. In Table set TCP Established Timeout=30min and if you use VOIP/SIP sent UDP Timeout=30sec.
update3--> MISC: Set IP DNS cache TTL=30min. Turn IP Cloud time update off. Turn sys clock auto-time detect off.
(1) NOVICE DEFAULT SETUP
INPUT CHAIN --> To the Router or to Router Services. Directional flow is WAN to Router, and LAN to Router.
FORWARD CHAIN --> Through the Router. Direction flow is LAN to LAN, LAN to WAN, WAN to LAN.
OUTPUT CHAIN --> From the Router. Directional flow is Router to WAN.
NOTE: Subnet/VLAN/Wireguard gateway IPs are considered as being part of the ROUTER and thus are pingable from all devices ( not subject to forward chain rules ).
CONCEPT APPROACH.
DEFAULT - What you should know is that the DEFAULT CONFIG is setup on an ALLOW everything concept and an attempt to block traffic that has no need for access - mostly external traffic.
BETTER - Most MT admins move to a different concept and that is BLOCK everything and allow only known needed traffic flows. This is accomplished by slightly modifying some default rules and then adding a drop rule at the end of the input and forward chains. Be CAREFUL on adding the drop rule on the input chain because that will lock you out unless you have put an allow access rule above that (covered in the below examples).
BEST PRACTICE TIP 1 - For many reasons it is best to completely separate the 'independent' INPUT and FORWARD chains. They are much easier to read and understand and later to troubleshoot issues related to the firewall if kept separate. ORDER WITHIN A CHAIN itself is critical!
BEST PRACTICE TIP 2 - In general, admin added rules that affect more traffic should be moved higher up the associated CHAIN, but not before the default rules.
*** It also worth it to read PARA 6 to understand how the Router processes the filter rules prior to changing your config. ***
/ip firewall filter
{Input Chain}
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input in-interface-list=LAN
add action=drop chain=input comment="drop all else" *****
{forward chain}
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="allow internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface-list=WAN
NOTE1: ***** Enter this "drop all else" rule ONLY after the accept rule for the LAN is in place on the input chain.
NOTE2: Lines in green can be disabled/removed if not required)
NOTE3: If the admin requires users on the same LAN subnet as the server, to access the Server by dyndns URL (public IP),
or test his/her Server connection thusly, then read this article. viewtopic.php?t=179343
(2A) NOVICE+ MODIFIED SETUP
The main changes made in this configuration relate to narrowing down access to config the router only to the admin. We still have to ensure that users on the router still have access to the necessary services the router may be providing including mainly DNS, but could include NTP *** or upnp as well.
...........................
Code: Select all
/ip firewall address-list
add address=IP1 list=Admin (desktop)
add address=IP2 list=Admin (laptop)
add address=IP3 list=Admin (smartphone)
add address=IP4 list=Admin (wireguard IP)
/interface list
name=WAN
name=LANAuthorized
/Interface list members
add interface='trusted_subnet' list=Authorized
add interface=WG list=Authorized
~ entries for LAN
~ entries for WAN
/ip firewall filter
{Input Chain}
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
{option1}
add action=accept chain=input in-interface-list=Authorized src-address-list=Admin dst-port=xxxxxx,yyyyyy protocol=tcp {winbox & SSH ports}
{ option 2 }
add action=accept chain=input in-interface-list=!WAN src-address-list=Admin dst-port=xxxxxx,yyyyyy protocol=tcp
add action=accept chain=input comment="Allow LAN DNS queries-UDP" \ {and NTP *** services if required etc}
dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Allow LAN DNS queries - TCP" \
dst-port=53 in-interface-list=LAN protocol=tcp
add action=reject chain=input in-interface-list=LAN reject-with=icmp-admin-prohibited {optional --> useful but only if interested in tracking LAN issues }
add action=drop chain=input comment="drop all else"
{forward chain}
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="allow internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow dst-nat from both WAN and LAN (including port forwarding)" connection-nat-state=dstnat
add action=reject chain=forward in-interface-list=LAN reject-with=icmp-admin-prohibited { optional -->useful for tracking LAN issues}
add action=drop chain=forward comment="drop all else"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
NOTE1: Lines in Green can be disabled/removed if not required.
NOTE2: Option 2, is effective if the admin needs to access the config from many subnets or if incoming VPN access is required.
NOTE3: Loopback rule is not specific only to capsman. It is internal to RoS and a functionality where127.0.0.1 means "itself", that is the loopback interface (localhost / 127.0.0.1/32) always exists, and can be used by the CPU for packets that are sent between internal services of the RouterBoard,
for example, The Dude, RADIUS, user-manager, CAPsMAN on a wireless interface on the routerboard itself, and reportedly Wireguard.
NOTE4: The purpose of the action=reject rule is to prevent users in LAN from waiting for tens of seconds to get a timeout if they are trying to connect to forbidden destinations, and of course for the admin to be aware of traffic that has the potential to be a problem ( aka pinpoint device with issues ).
NOTE5: A problem with the reject rule may stem from broadcast traffic. Typically, firewall filter comes after routing, and multicast traffic is only routed if you explicitly enable and configure that, so in most installations the rule doesn't have to care about multicast traffic because it never sees it. If it is an issue simply match the rule with a slight modification
add action=reject chain=forward in-interface-list=LAN reject-with=icmp-admin-prohibited dst-address=!multicast
*** NTP port 123 protocol udp may be blocked by your ISP (on the client side aka in-bound on port123), in which case sourcenat 123 to something likely not blocked 12300 may solve the issue!
Code: Select all
/ip firewall nat
add action=src-nat chain=srcnat out-interface-list=WAN protocol=udp src-port=123 to-ports=12300(2B) APPRENTICE SETUP { input courtesy of Rextended }
The main changes made in this configuration relate to the minimum bloat required to stop any leaking of non-valid P addresses in any direction on the router.
This approach focuses on adding three /ip firewall RAW filter rules and the use of /ip route and unreachable functionality.
(1) RAW RULE Inbound/Source Address - Designed to Stop Cold, any incoming traffic (passing inbound on the WAN) whose source-address indicates that the traffic is not from a legitimate Public IP address. Thus we make use of a firewall address list to identify all the sources that should not be hitting the router. This includes internal LANS and private IPs (bogons).
(2) RAW RULE Inbound/Destination Address - Designed to Stop Cold, any incoming traffic (passing inbound on the WAN) whose destination-address is different from the public IPs on the router. Thus we make use of a firewall address list to identify the available public IPs at the router. CAUTION: This rule will not work with Dynamic WANIP at the moment. Working on a way to also include them.
(3) RAW RULE Outbound/Source Addresses - Designed to Stop Cold, any outgoing traffic ( to any destination ) whose source-address is not found LOCAL on the router. Thus we make use of a firewall address list to identify all LOCAL subnets and any remote subnets we allow on the router from VPN type traffic. Put more simply, we block any LAN to LAN, LAN to WAN and LAN to Router traffic originating from a source address that is foreign to the local router.
(4) IP ROUTING RULES - "Unreachable" Outbound/Destination Address - Designed to Stop Cold, any outgoing traffic routed out of/leaving the Router that is heading for a non-public IP address or not a legitimate public IP address. Thus difference between this and RAW RULE 2, is that in this case, the source address could be anything, and we only consider the destination IP. We use unreachable so that attempts to a bad address are communicated as unreachable to source which usually stops such traffic. Blackholes are more useful for incoming WAN traffic we want to avoid but that is already taken care of in raw rules.
RESULT
.......
Code: Select all
/ip firewall address-list { for input chain rule access to router }
add address=192.168.1.X list=ADMIN comment=admin-desktop
add address=192.168.1.Y list=ADMIN comment=admin-laptop
add address=192.168.1.XY list=ADMIN comment=admin-ipad/iphone
/ip firewall address-list
add list=unexpected-src-address-hitting-ISP address=10.0.0.0/8
add list=unexpected-src-address-hitting-ISP address=127.0.0.0/8
add list=unexpected-src-address-hitting-ISP address=169.254.0.0/16
add list=unexpected-src-address-hitting-ISP address=172.16.0.0/12
add list=unexpected-src-address-hitting-ISP address=192.0.0.0/24
add list=unexpected-src-address-hitting-ISP address=192.0.2.0/24
add list=unexpected-src-address-hitting-ISP address=192.88.99.0/24
add list=unexpected-src-address-hitting-ISP address=192.168.0.0/16
add list=unexpected-src-address-hitting-ISP address=198.18.0.0/15
add list=unexpected-src-address-hitting-ISP address=198.51.100.0/24
add list=unexpected-src-address-hitting-ISP address=203.0.113.0/24
add list=unexpected-src-address-hitting-ISP address=233.252.0.0/24
add list=unexpected-src-address-hitting-ISP address=240.0.0.0/5
add list=unexpected-src-address-hitting-ISP address=248.0.0.0/6
add list=unexpected-src-address-hitting-ISP address=252.0.0.0/7
add list=unexpected-src-address-hitting-ISP address=254.0.0.0/8
add list=unexpected-src-address-hitting-ISP address=my.public.wan.ip
add list=unexpected-src-address-hitting-ISP address=pool.of.my.internal.public.ips { may not be applicable to home user if single IP from each provider }
/ip firewall address-list { valid internal LAN traffic }
add Ip-address=localSubnet1 list=expected-address-from-LAN
add ip-address=localSubnet2 list=expected-address-from-LAN
add ip-address=remoteSubnet1 list=list=expected-address-from-LAN { remote Wireguard subnet1 exits tunnel locally }
add ip-address=remoteSubnet2 list=list=expected-address-from-LAN { remote Wireguard subnet2 exits tunnel locally }
..................................................
add list=expected-address-from-LAN address=0.0.0.0 comment="Current network"
add list=expected-address-from-LAN address=224.0.0.0/4 comment=Multicast
add list=expected-address-from-LAN address=255.255.255.255 comment="Local"
/ip firewall address-list { valid WAN IPs }
add list=expected-dst-address-to-my-ISP address=my.public.wan.ip
add list=expected-dst-address-to-my-ISP address=pool.of.my.internal.public.ips
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related" \
connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=ICMP { essential for networking ignore the bad advice everywhere!! }
add action=accept chain=input comment="admin access" in-interface-list=LAN src-address-list=ADMIN
add action=accept chain=input comment="DNS allow TCP from br-local" dst-port=\
53 in-interface=br-local protocol=tcp
add action=accept chain=input comment="DNS/NTP allow UDP from br-local" dst-port=\
53,123 in-interface=br-local protocol=udp { to enable NTP usage by downstream devices like CAP }
add action=drop chain=input comment="Drop all else"
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related,untracked" \
connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="internet access" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat { disable if not using port forwarding }
add action=drop chain=forward comment="drop all else"
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN { if a dynamic WANIP }
add action=src-nat chain=srcnat dst-address=static-WANIP out-interface=etherX-WAN { if a static/fixed WANIP }
/ip firewall raw
add action=drop chain=prerouting in-interface-list=WAN src-address-list=unexpected-src-address-hitting-ISP \
comment="drop non-legit src-addresses hitting WAN side" \
add action=drop chain=prerouting in-interface-list=WAN dst-address-list=!expected-dst-address-to-my-ISP \
comment="drop non-legit dst-addresses hitting WAN side"
add action=drop chain=prerouting in-interface-list=LAN src-address-list=!expected-address-from-LAN \
comment="drop non-legit traffic coming from LAN"
NOTE: For Dynamic WANIP There are two possible solutions.
A. Add the following rule:
add chain=output action=add-src-to-address-list src-address-type=local out-interface-list=WAN address-list=expected-dst-address-to-my-ISP address-list-timeout=1m
B. [u](Preferred[/u]) Add the following rules: ( replace DNS with those of your choice )
/ip firewall address-list
add address=1.1.1.1 list=allowed_DNS
add address=8.8.8.8 list=allowed_DNS
/ip firewall raw
add action=accept chain=prerouting src-address-list=allowed_DNS
add action=accept chain=output dst-address-list=allowed_DNS
[b]Note1[/b]: First RAW rule blocks all incoming WAN traffic with invalid source addresses (before it hits connection tracking aka raw filtering)
[b]Note2[/b]: Second RAW rule blocks all incoming WAN traffic with invalid destination addresses.
[b]Note3[/b]: Third RAW rule block all LAN side originated traffic that is not Local { LAN users/devices or remote subnets entering the router through VPN }.
[b]Note4[/b]: If you have two different ISP providers you may wish to allow access from one to the other on the WAN side, if this is the case you will need to create additional rules for each WAN to be a valid source address for the other WAN. Ensure you put these additional RAW rules before rule 1.
The last edition to the Apprentice Firewall setup is the use of unreachable. These drop any outgoing traffic to addresses that local users should not have as a destination address.
While in the third RAW rule above, we stop any traffic from the LAN, other than LOCAL heading outbound, the Unreachable rules will stop any local traffic or otherwise heading outbound to the addresses below.
/ip routing rule
add action=unreachable dst-address=10.0.0.0/8 { common on LANs disable if local to you }
add action=unreachable dst-address=169.254.0.0/16
add action=unreachable dst-address=172.16.0.0/12 { common on LANs disable if local to you }
add action=unreachable dst-address=192.0.0.0/24
add action=unreachable dst-address=192.0.2.0/24
add action=unreachable dst-address=192.88.99.0/24
add action=unreachable dst-address=192.168.0.0/16 { common on LANs disable if local to you }
add action=unreachable dst-address=198.18.0.0/15
add action=unreachable dst-address=198.51.100.0/24
add action=unreachable dst-address=203.0.113.0/24
add action=unreachable dst-address=233.252.0.0/24
add action=unreachable dst-address=240.0.0.0/5
add action=unreachable dst-address=248.0.0.0/6
add action=unreachable dst-address=252.0.0.0/7
add action=unreachable dst-address=254.0.0.0/8
{ Unreachable Exception: If you have unused public IPs, use "[i][u]unreachable[/u][/i]" to prevent their inadvertent use! }
add action=unreachable dst-address=my.unused.public.ip1
add action=unreachable dst-address=my.unused.public.ip2
Note1: All of these rules should be placed before any other routing rules.
Note2: [color=#FF8000][b]CAUTION, [/b][/color]do not include any subnets you actually have on the LAN.
......
([a]NOTE2[/b]: If you need to reach your ISP/MODEM, and it conflicts with the above addresses, ensure there is a path for that traffic depending upon individual requirements and potentially could be solved by approaches such as IP route or IP address.)
.......................................................................................................
(3) USE OF INTERFACES AND FIREWALL ADDRESSES
The basic rules of thumb here are as follows:
1. Use Interface list for two or more whole subnets that will have associated firewall rules..
(Exception: The management or base interface by itself is normally given an interface list entry, and mainly due to use in several places on the MT router where a List entry is required!)
2. Any combination of users described by individual IP addresses should be contained in a firewall address list, and this includes:
a. Single or Group of IP addresses within a subnet, but not the whole subnet
b. Single or group of IP addresses from different subnets
c. Single or group of IP addresses AND one or more subnets
3. A firewall address list should not normally consist of a single Subnet, simply use dst-address=subnet or src-address=subnet, or the name of the interface which contains the single subnet, such as vlan20-home.
(4) LIMITING CONFIG TO ADMIN - INPUT CHAIN
One should have noted in the preceding paragraphs that the default of allowing all LAN users complete access to the router via the input chain is best changed at some point to just access to the services required and that the idea is to limit only the admin to config the router (be it by winbox, or SSH etc..........).
This rule is added as an alternative as it may scale a bit bette for complex setups where.
a. the admin may actually have fixed LANIPs on other than trusted subnets for which access to the router may be desired. (and interface-list=trusted wont do the complete job)
b. the admin may be coming in on some other interface other than LAN (vpn etc.)
add action=accept chain=input in-interface-list=!WAN dst-port=winboxport protocol=tcp source-address=AUTHORIZED
(5) INTERMEDIATE MODIFIED SETUP ( use of tcp connection tracking )
In this paragraph we will introduce the usage of TCP Connection Tracking. Also we will be delving into a rudimentary explanation of packet flow in firewall rules in terms of matching.
The only change to the Modified Setup (2), will be the use of TCP Tracking and specifically changing it from the default: "loose tracking", by unchecking the associated check box in WINBOX. This unchecking changes the functionality to "Strict Tracking". In past IT history. TCP stacks were hacked by injecting TCP packets into sessions that didnt match. These hacks are usually patched quickly and none are known to affect MT devices these days, but one never knows what the future brings. Hence the recommendation to utilize this extra security tool! However there is a catch, it may be CPU intensive so track your CPU usage afterwards to ensure you have a buffer.
The real difference is that the TCP Tracking set to "STRICT" gives more teeth to the INVALID rule we use in firewall rules. In clearer terms, with TCP tracking set to "strict", the router at the INVALID RULE, looks at all new packets and specifically at the TCP portion of the new packet ( the first packet of a new session!). Invalid rule even without strict tracking should be used as iaw STRODS - > "Drop invalid rule is necessary if you use NAT on your router. It is possible that for different reasons packet can leave router with wrong (LAN) IP address. This firewall rule will drop such packets."
TCP CONNECTION TRACKING STRICT
"if a TCP packet with a given unique combination of source and destination addresses and ports does not match any existing connection, it is new if it contains the SYN flag (and has zero payload length), otherwise it is invalid
TCP CONNECTION TRACKING LOOSE (default)
"if a TCP packet with a given unique combination of source and destination addresses and ports does not match any existing connection, it is new, regardless if it has SYN flag etc......). ALL packets will be considered new and the INVALID rule is thus basically transparent............ However the MT docs also use the terminology of a packet not having any state OR the packet cannot be identified its then matches for invalid, so there may be some small advantage to the invalid default rule and thus we keep it regardless in the usual firewall rule setup. More detail on what this bad packet may entail can be found below in understanding rule matching.
To confirm what setting is on your device "Strict or Loose" use VERBOSE in export or directly type: /ip/firewall/connection/tracking/export verbose
/ip firewall connection tracking
set enabled=auto generic-timeout=10m icmp-timeout=10s loose-tcp-tracking=no tcp-close-timeout=10s \
tcp-close-wait-timeout=10s tcp-established-timeout=1d tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s \
tcp-max-retrans-timeout=5m tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-time-wait-timeout=10s \
tcp-unacked-timeout=5m udp-stream-timeout=3m udp-timeout=10s
(6) UNDERSTANDING RULES MATCHING (input chain used as an example).[/color]
The first rule in the Input chain is an ACCEPT RULE for ESTABLISHED, RELATED packets.
We know that the first packet of a session will hit the router and if directed at the router (destination IP is the router) will then be subjected to the list of Firewall Filter Rules for the input chain in the order provided by the admin. When the NEW packet hits this first rule, it will NOT be matched. Its new, and its neither established or related. Therefore it will move on to the second rule.
The second rule is a DROP RULE FOR INVALID packets. According to the documentation this is supposed to simply match and drop bad packets and let good new packets go to the next rule.
"invalid - a packet that does not have a determined state in connection tracking (usually - severe out-of-order packets, packets with wrong sequence/ack number, or in case of a resource over usage on the router), for this reason, an invalid packet will not participate in NAT.......
Further Detail: TCP Connection Tracking: Where the INVALID RULE gains BITE, is when TCP Tracking (defaulted to "loose") is set to STRICT!. In this case, the INVALID Rule inspects the packet to ensure that the TCP portion of the new packet has a SYN FLAG, a unique source and destination address and ports and a payload with zero length . If it misses any of these points the packet and session are dropped. If we keep the default setting of TCP Connection Tracking as "Loose", then the above extra TCP inspection is not done and basically unless the packet is invalid in other ways, the rule is virtually transparent and the new packet will travel to the next rule.
The third rule Allow ICMP basically ensure the router remains accessible for pinging, certainly essential for testing purposes. There are other advantages to having an accessible ICMP but will leave that for others to discuss, the important thing is that there is no real negative downside to allowing ICMP for the homeowner. How businesses or ISPs handle ICMP may be a different story.
Then we get into USER RULES, such as ALLOW ADMIN TO ROUTER, or ALLOW INCOMING WIREGUARD initial traffic or ALLOW LAN USERS access to DNS services.
If that new packet matches any of these rules, the SUBSEQUENT packets in the applicable session, when they hit the FIRST RULE, are recognized as established or related and dont traverse the Firewall List further and are managed by router connection tracking and simply the session goes on doing its business as it should.......... letting the ADMIN access the router, or the USERS access DNS services.
Finally we get to the last rule, the DROP ALL RULE. The purpose of this rule is to drop all other traffic. What does this mean?
It means, ANY NEW FIRST PACKETS (and thus their associated sessions) THAT HAVE NOT BEEN MATCHED ---> ARE DROPPED!!
DISCUSSION OF NEW: The reason we do not use the state of NEW in the FIRST RULE is due to the fact that ALL first packets arriving at the router are new and we DO NOT want to match all the sessions/packets and allow them all to then access the router, essentially bypassing all the rules in place to direct the sessions accordingly and to provide security - a recipe for a hacking disaster!! What we want is only established/related packets, not requiring any further analysis, to go straight to the router under connection tracking.
Since every first packet of a session is new, it is not necessary to state for each RULE, connection-state=new. It is redundant. Only the first new packet of a session traverses the rules to find a match for allowed traffic and if not matched, gets dropped and so do all the subsequent packets in that session attempt. So at the very end on the Input Chain, for example, for any new packets that find their way to the last rule, they are not wanted and their session is not wanted..............
(7) Identifying Users/Devices/Groups/Interfaces: (basic guidance).
On a more basic level.......
There are many ways to identify users/devices.
Lets take a subnet 192.168.88.0/24, which could be also designated a vlan, such as Home_VLAN88, which could be also be assigned to ether2
SUBNET:
To identify this subnet on a rule.
( in or out ) interface=Home_VLAN88
( in or out ) interface=ether2
(src or dst)-address=192.168.88.0/24
USER/DEVICE:
One can identify individual devices by their IP address. (src-address= or dst-address= )
MULTIPLE USERS/DEVICES:
One can identify a group of IPs (ranges, single etc.) within a subnet by FIREWALL IP ADDRESS.
One can identify a group of IPs from various subnets by FIREWALL IP ADDRESS.
One can identify a group of IPs from various subnets along with whole subnet(s) by FIREWALL IP ADDRESS
MULTIPLE SUBNETS:
One can identify two or more WHOLE subnets by use of the Interface List and Interface List members.
Special case: Single subnet identification of management subnet for router config access, neighbours discovery rule and mac winbox rule.
One can combine the above as well...
add chain=forward action=accept in-interface-list=LAN src-address=subnetA out-interface=subnetB dst-address=printer_subnetB
Bit overkill most would do something like
add chain=forward action=accept src-address=subnetA dst-address=printer_subnetB
RULES OF THUMB................
1. Firewall addresses - use when there are a group of IP addresses OR a group of IP addresses AND anything else (subnet etc....)
2. Single IP addresses - use for single user/device
3. Subnet - use Ip address or interface name as appropriate.
4. Multiple subnets - use interface list (see special case)
5. Use of drop rules makes it easy, if its not allowed its dropped!
Note: In general this guidance is for firewall rules. The idea being to eliminate multiple rules if possible and there are MANY WAYS to do this...........
Example LAN consists of subnets A-E
subnet A needs internet
subnet B needs internet
subnet C needs internet
subnet D does not need internet.
subnet E does not need internet.
Interface List
INTERNET (members --> subnets A-C)
(obvious)
add chain=forward action=accept in-interface-list=INTERNET out-interface-list=WAN
IN AND OUT INTERFACE:
I personally think of IN-interface as meaning where is the traffic coming FROM [ SOURCE ]
I personally think of the OUT-interface as meaning where is the traffic going TO [ DESTINATION ]
(8) RoS Stateful Firewall - Why! (basic).
RoS uses a stateful firewall. It doesn't just see individual packets, but also sees their state within the connection (be it real one like tcp or fake one like udp streams). Order of rules matter, because they are processed from top to bottom and first rule that is matched/captured is the one used by a packet (matching part of rule) with the appropriate action taken (action part of rule) and the rest of the rules are not seen by that packet (in most cases). The less rules need to be checked, the better, because it means less work for router, less CPU usage, more possible throughput. So a typical firewall (default-deny):
1) allow established & related & untracked
2) drop invalid
3) allow new traffic (new here is implicit, because all other states were already handled before, and thus don't need to state new!)
4) unconditionally block (drop or reject) everything else
Has 1) first, because it will match vast majority of packets. One packet, one rule checked, done. You want to have 2), because packets with invalid state could be otherwise allowed by some rule in 3), if other parameters matched.
This applies also when you use reversed logic (default-allow ---> standard on MT RoS default configs), although this is generally regarded as a less optimal approach from a security perspective:
1) allow established & related & untracked
2) drop invalid
3) block new traffic that shouldn't be allowed
You still want 1) and 2), because if you have established connection, you don't want each packet checked against hundred rules in 3).
(9) Firewall Rules & Fastrack Firewall rules allow us to still use Fastrack for the rest off the data that is not involved in mangling (queues etc)
It is also important to consider the interfaces involved in traffic flow and one must consider both directions of the specific traffic.
a. Queues: How do we deal with any marking and fastrack to keep the rest of the traffic being efficiently processed.
Method One - Additional firewall rules are added to the forward chain prior to the fastrack rules for simple queues: Have to consider both directions of traffic and these two rules should be placed before the fastrack rule!
ex. (subnet of your choosing)
/ip firewall filter
add action=accept chain=forward connection-state=established,related src-address=172.16.25.0/24
add action=accept chain=forward connection-state=established,related dst-address=172.16.25.0/24
{default fastrack rule}
Method Two - Simply adjust the fastrack rule to include no-marks!
/ip firewall filter
{forward chain}
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related connection-mark=no-mark
b. Mangling: Read ---> viewtopic.php?t=134048#p659676
END OF GUIDANCE SECTION
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
DISCUSSIONS TO GENERATE ABOVE SETUPS:
1. IP ROUTE & BOGONS - INITIAL VIEW reached on the functionality required to ensure private IP addresses not on one of your subnets/LANS do not leave the router (Ieak). With unreachable no longer an option in Version 7, blackhole (checkbox) is the preferred method via IP routes to stop such traffic and NOT firewall chain rules.
What is important to realize is that these rules (seen below) although actually encompassing private subnets existing on ones Router, do not interfere with the private subnets on the router. Another advantage as errors in firewall rules (forgetting to remove ones own private subnet) are not experienced using the IP Routes method. In general a rule with a more specific prefix WINS, meaning a more precise subnet rule takes precedence. All other private IP routes (usually dynamically created on the router) contain more specific destination addresses and thus will be matched before the wider routes are matched.
/ip route
add dst-address=10.0.0.0/8 type=unreachable - due to v7 use blackhole
add dst-address=172.16.0.0/12 type=unreachable - due to v7 use blackhole
add dst-address=192.168.0.0/16 type=unreachable - due to v7 use blackhole
2. DDOS -INITIAL VIEW reached for the homeowner, there is no point. For edge routers on a professional network this may be a different story but above my pay grade. What is recommended is the use of cloudfare on the DNS settings and specifically Primary DNS: 1.1.1.2 /Secondary DNS: 1.0.0.2. These DNS settings are intended to block/filter malware.
3. BLACKLISTS......... These lists are often culled from available lists already on the internet (spamhous/dshield/malcode) and updated frequently. They will stop any inbound traffic from known " BAD ACTORS " preventing them from accessing the Router (and router services) and the LAN. It does not prevent the LAN user from contacting (initiating outbound traffic) to " BAD ACTORS " Therefore, their utility is really one sided. Since much traffic these days is https outbound it would very difficult to do such work anyway. Although it is possible to monkey around and do a half assed job its far easier to use services alreeady doing this work. One of these is AXIOM (https://axiomcyber.com/) which on average costs $300-600 a year depending upon plan, whereas this service only costs a couple of cups of coffee a month $90 a year. MOAB (https://itexpertoncall.com/).
4. REMOTE ACCESS -WINBOX The general conclusion is that any remote access to winbox must be done via a secure tunnel be it IPSEC, or Wireguard for instance or if desperate port knocking. There is no good reason to allow remote access to winbox without encryption.
5. PORT SCANNING - The jury is still out on this one. I would like to see some proof first that block all at the end of the input chain/forward chain isnt doing the job.
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
8. Background chatter..........
Okay, lets get to the definitive Default Setup that all new users should gravitate to once they are somewhat familiar with RoS.
We can agree that the current default rules allow a user to get quickly up and running and successfully feel like their investment into the unknown of MT was worth it.
Little does the unsuspecting netgear etc.... neophyte know that soon they will be in quicksand as soon as they attempt to make any changes, especially if they do it by quickset.
So......... the goal/challenge here is to find the ultimate next step firewall rule set, that is minimalistic and realistic and cost effective.
The only starting point is that it will be based on block all (drop all else as the end of input/forward chains) traffic and admins stating the allowed traffic.
Before getting into the specific configs its probably best to agree upon the basic requirements/modifications/additions that make sense and should be debated.
A. Block LAN to WAN Private IP addresses
B. DDOS ( I note in newsletter 103, that some people are willing to fork over $1000 per year for a service that does this).
C. Blacklists
D. Remote Access (winbox)
E. Bots etc... looking for Ports....... ( port trapping/collecting/dropping) port scanning
F. ICMP - no discussion required, default rule is fine no need to fine tune!
G.
H.
I.
etc.....
Please add any topics you feel worthy of entry on this list!!
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
A. BLOCK ALL PRIVATE IPs:
We have all seen the BOGON lists and other attempts to block all outgoing LAN requests to non-public IP addresses be it due to prevent malicious users or hacked users traffic requests.
Q1 Is this a valid concept?
Q2 What is the optimal way to address the issue if its relevant?
Discussion: So far, I have not seen evidence of this being a problem (own scenario) so I have no idea how common this actually is. How does a LAN user send a non-public IP out the router anyway. Does not the router simply not route such traffic??
For example, taking care of also other non-public subnets, why not, that's not difficult. I don't remember them all, but there's full list in some RFC.
