Batman
just joined
Topic Author
Posts: 8
Joined: Thu Nov 23, 2023 8:24 am

About "Building Your First Firewall" ICMP jump-chain

Thu Nov 30, 2023 3:15 pm

The manual recommends one should add a few FORWARD-chain ICMP rules "to protect the LAN devices".

add chain=icmp protocol=icmp icmp-options=0:0 action=accept comment="echo reply"
add chain=icmp protocol=icmp icmp-options=3:0 action=accept comment="net unreachable"
add chain=icmp protocol=icmp icmp-options=3:1 action=accept comment="host unreachable"
add chain=icmp protocol=icmp icmp-options=3:4 action=accept comment="host unreachable fragmentation required"
add chain=icmp protocol=icmp icmp-options=8:0 action=accept comment="allow echo request"
add chain=icmp protocol=icmp icmp-options=11:0 action=accept comment="allow time exceed"
add chain=icmp protocol=icmp icmp-options=12:0 action=accept comment="allow parameter bad"
add chain=icmp action=drop comment="deny all other types"

I'm wondering what kind of protection these rules would actually provide.

For example, the first one:

add chain=icmp protocol=icmp icmp-options=0:0 action=accept comment="echo reply"

How could this rule ever accept anything?

If an echo request comes from the internet, it goes to the INPUT chain and the router either responds to it or not. No LAN device can see the request.

If an echo request comes from the LAN, the reply from the internet gets the ESTABLISHED state and is therefore accepted by the following default rule:

add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked

So, it seems there's no need for the "echo reply" rule.

What am I missing here?
 
Amm0
Forum Guru
Posts: 3040
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: About "Building Your First Firewall" ICMP jump-chain

Thu Nov 30, 2023 4:43 pm

Raw "prerouting" rules happen before filter "input", so the drop icmp at the end of the chain happens before the accept in /ip/firewall/filter. See the packet flow diagram in the manual, specifically this one:
[image: packet flow diagram]

> The manual recommends one should add a few FORWARD-chain ICMP rules "to protect the LAN devices".

ICMP has protections in the OS kernel (e.g. limits on echo reply), so I'd say "recommends" may be strong... I view the manual as more providing a concrete example of how to use the raw (connection-less) filters to do limits and avoid connection tracking... than "must have" rules for security.

Certainly you can finely tune the limits in the raw rules, but the value may be minimal. And... adding more rules does slow down packet processing — although the action=jump to the icmp4 chain helps to avoid the performance hit from additional rules, which is part of the example.
 
Amm0
Forum Guru
Posts: 3040
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: About "Building Your First Firewall" ICMP jump-chain

Thu Nov 30, 2023 4:49 pm

Also, the rules you posted here don't match the current ones, which have a limit on the rules; see: https://help.mikrotik.com/docs/display/ ... v4RAWRules
 
dadaniel
Member Candidate
Posts: 220
Joined: Fri May 14, 2010 11:51 pm

Re: About "Building Your First Firewall" ICMP jump-chain

Thu Nov 30, 2023 5:11 pm

> Also, the rules you posted here don't match the current ones, which have a limit on the rules; see: https://help.mikrotik.com/docs/display/ ... v4RAWRules

Why are these rules not included in the default config?
 
Batman
just joined
Topic Author
Posts: 8
Joined: Thu Nov 23, 2023 8:24 am

Re: About "Building Your First Firewall" ICMP jump-chain

Thu Nov 30, 2023 5:23 pm

> Raw "prerouting" rules happen before filter "input", so the drop icmp at the end of the chain happens before the accept in /ip/firewall/filter. See the packet flow diagram in the manual, specifically this one:
> [image: packet flow diagram]
>
> > The manual recommends one should add a few FORWARD-chain ICMP rules "to protect the LAN devices".
>
> ICMP has protections in the OS kernel (e.g. limits on echo reply), so I'd say "recommends" may be strong... I view the manual as more providing a concrete example of how to use the raw (connection-less) filters to do limits and avoid connection tracking... than "must have" rules for security.
>
> Certainly you can finely tune the limits in the raw rules, but the value may be minimal. And... adding more rules does slow down packet processing — although the action=jump to the icmp4 chain helps to avoid the performance hit from additional rules, which is part of the example.

Thanks for the comment. I haven't yet made it to the "Building Advanced Firewall" page; I'm still going through the rules on this page: https://help.mikrotik.com/docs/display/ ... t+Firewall

I have to say it does make a lot of sense that the ICMP rules are in the prerouting chain before other stuff.

But why they are last in the FORWARD chain on the "Building Your First Firewall" page remains an open question.
 
anav
Forum Guru
Posts: 18697
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: About "Building Your First Firewall" ICMP jump-chain

Thu Nov 30, 2023 5:32 pm

Because they are not necessary and are bloatware...

Instead stick to the defaults...
The defaults are safe for a single user and a single WAN and LAN subnet with no complexities.
Once you go beyond that, it's 99.999 percent of the time needed to start mucking about in the rules.
The default concept is to block a bunch of stuff and implicitly allow everything else.
Most here prefer to reverse that and state BLOCK everything except traffic we know we need: EXPLICIT allow.

Recommend the following:
/ip firewall filter
{Input Chain}
(default rules to keep)
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1

( admin rules )
add action=accept chain=input src-address-list=Authorized comment="Config Access"
add action=accept chain=input comment="Allow LAN DNS queries-UDP" \
dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Allow LAN DNS queries - TCP" \
dst-port=53 in-interface-list=LAN protocol=tcp
add action=drop chain=input comment="drop all else" { add this rule last so you don't lock yourself out }

{forward chain}
(default rules to keep)
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid

(user rules)
add action=accept chain=forward comment="allow internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat disabled=yes { enable if required }
add action=drop chain=forward comment="drop all else"


where the input chain entry Authorized is a firewall address list (mostly from static DHCP leases):
/ip firewall address-list
add address=adminIP1 list=Authorized comment="local address - desktop-wired"
add address=adminIP2 list=Authorized comment="local address - laptop-wired or wifi"
add address=adminIP3 list=Authorized comment="local address - smartphone/ipad - wifi"
add address=adminIP4 list=Authorized comment="remote vpn address"
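To trace the rule ordering from the opening question (an ESTABLISHED echo reply is taken by the defconf rule before the jump to the icmp chain is ever reached) and the explicit-allow input chain recommended just above, here is an added example that is not code from the thread or from RouterOS: a toy Python evaluator that parses `add key=value` lines and walks the chains in order. It models only equality matchers, comma-separated OR values and action=jump; the rule order and the packet fields (a constructed dict per packet) are assumptions.

```python
import shlex

# Constructed ruleset (assumed order): the defconf forward rules quoted in the
# thread with the manual's ICMP jump chain appended, plus a cut-down version of
# the explicit-allow input chain recommended above.
RULES = """
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=jump chain=forward jump-target=icmp protocol=icmp comment="jump to icmp chain"
add chain=icmp protocol=icmp icmp-options=0:0 action=accept comment="echo reply"
add chain=icmp protocol=icmp icmp-options=8:0 action=accept comment="allow echo request"
add chain=icmp action=drop comment="deny all other types"
add action=accept chain=input src-address-list=Authorized comment="Config Access"
add action=accept chain=input comment="Allow LAN DNS queries-UDP" dst-port=53 in-interface-list=LAN protocol=udp
add action=drop chain=input comment="drop all else"
"""
BUILTIN = {"input", "forward", "output"}   # chains that accept when nothing matches
SKIP = {"chain", "action", "comment", "jump-target", "disabled"}  # not matchers

def parse(text):
    """Turn `add key=value ...` lines into dicts; shlex keeps quoted comments whole."""
    rules = []
    for line in text.strip().splitlines():
        parts = shlex.split(line)
        if parts and parts[0] == "add":
            rules.append(dict(p.split("=", 1) for p in parts[1:]))
    return rules

def matches(rule, pkt):
    """All matchers must hold; a comma-separated value such as
    connection-state=established,related is an OR, as in RouterOS."""
    return all(pkt.get(k) in v.split(",") for k, v in rule.items() if k not in SKIP)

def evaluate(rules, chain, pkt):
    """Walk `chain` in order, following action=jump. Returns (action, comment).
    A user chain that matches nothing returns to its caller; a built-in chain
    that matches nothing accepts, i.e. the 'implicitly allow everything else' default."""
    for rule in rules:
        if rule["chain"] != chain or rule.get("disabled") == "yes" or not matches(rule, pkt):
            continue
        if rule["action"] != "jump":
            return rule["action"], rule.get("comment", "")
        result = evaluate(rules, rule["jump-target"], pkt)
        if result[0] != "return":
            return result
    return ("accept", "implicit accept") if chain in BUILTIN else ("return", "")

if __name__ == "__main__":
    rules = parse(RULES)
    # Echo reply to a LAN-originated ping: ESTABLISHED, so the first forward rule
    # accepts it and the icmp chain's "echo reply" rule is never consulted.
    print(evaluate(rules, "forward", {"protocol": "icmp", "icmp-options": "0:0", "connection-state": "established"}))
    print(evaluate(rules, "input", {"protocol": "tcp", "dst-port": "8291", "in-interface-list": "WAN", "connection-state": "new"}))
```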
 
Amm0
Forum Guru
Posts: 3040
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: About "Building Your First Firewall" ICMP jump-chain

Thu Nov 30, 2023 5:33 pm

> > Also, the rules you posted here don't match the current ones, which have a limit on the rules; see: https://help.mikrotik.com/docs/display/ ... v4RAWRules
>
> Why are these rules not included in the default config?

As noted, the kernel has some controls on ICMP, outside of the firewall, via "/ip/settings/set icmp-rate-limit=" in the CLI, enabled by default. So there is some protection against ping attacks without any additional rules.

The help talks about these rules in the "Building Advanced Firewall" section, showing it is possible to tweak things like ICMP rates further. I can see an ISP wanting fine-grained control, but I'm not sure enterprise/home customers require anything beyond Linux's built-in protections. Just my opinion.
 
Amm0
Forum Guru
Posts: 3040
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: About "Building Your First Firewall" ICMP jump-chain

Thu Nov 30, 2023 5:47 pm

> But why they are last in the FORWARD chain on the "Building Your First Firewall" page remains an open question.

@anav is pretty spot on; the default firewall is an excellent starting place. Using an "interface-list" like WAN and LAN is the right way, IMO, to create a firewall.

Since most users don't read the manual... Mikrotik docs are more reference and examples than prescriptive of what to do... e.g. you need to know what you want to do before looking at the help ;)

Basically Mikrotik also likes dense examples, like the "basic firewall" subtly showing the use of an IP address-list instead of the interface-list used in the default — since that's the "more pure" way to view it: the firewall filters operate at the IP layer (layer 3 in ISO) and not actually on interfaces (although it has helpers to look up the IP from an interface). But operationally, using an interface-list is a WAY better approach, which is why the defaults do it that way. The manual skips the "why".

And the "advanced firewall" shows "how to" do RAW rules at the same time as showing examples of using a "jump" (since there are no examples of action=jump elsewhere) — it does not say "you must do this"...
 
Batman
just joined
Topic Author
Posts: 8
Joined: Thu Nov 23, 2023 8:24 am

Re: About "Building Your First Firewall" ICMP jump-chain

Sun Dec 03, 2023 9:52 am

Thanks all for your comments.

The default ruleset is elegant and simple and I'd really like to stick to it. However, I need to use port forwarding for an HTTP server, so I will probably benefit from a more comprehensive ruleset that handles ICMP forwarding, IP spoofing, basic DoS attacks, etc.
 
anav
Forum Guru
Posts: 18697
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: About "Building Your First Firewall" ICMP jump-chain

Sun Dec 03, 2023 3:05 pm

Why, none of those things are required for port forwarding.
 
Batman
just joined
Topic Author
Posts: 8
Joined: Thu Nov 23, 2023 8:24 am

Re: About "Building Your First Firewall" ICMP jump-chain

Mon Dec 04, 2023 7:25 am

> Why, none of those things are required for port forwarding.

For extra protection. I can't guarantee that the server and the software are safe (have no security flaws), so it's better to block at least part of the malicious traffic before it even passes the router.
 
anav
Forum Guru
Posts: 18697
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: About "Building Your First Firewall" ICMP jump-chain

Mon Dec 04, 2023 1:43 pm

If your server does not have secure (encrypted) login, then you shouldn't be using those servers.
Assuming they are secure logins, consider:
a. src-address-list on your dst-nat rules (everyone is coming from a public IP address, static or dynamic, either directly or from their upstream ISP modem/router, and there are many free domain names/URLs out there for dynamic IPs).
b. give your users WireGuard access to the LAN and specifically only to your servers.
c. host your servers on a cloud server, where they are equipped to deal with such issues.
d. consider using a Cloudflare Zero Trust tunnel for hosting.
 
Amm0
Forum Guru
Posts: 3040
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: About "Building Your First Firewall" ICMP jump-chain

Mon Dec 04, 2023 3:03 pm

> > Why, none of those things are required for port forwarding.
>
> For extra protection. I can't guarantee that the server and the software are safe (have no security flaws), so it's better to block at least part of the malicious traffic before it even passes the router.

It's more than the firewall that secures the router. For example, you'll likely want to disable unused things in /ip/services. Or use QoS to manage traffic so DoS attacks etc. to the web server don't overwhelm the link (or have a limit-at on ICMP to ensure some pings get out when congested). Or, if you're not using IPv6, disable it (and if you are... it needs to be considered as well).

My thought is that more complex rules also create a more complex config to evaluate for completeness... and if done wrong someplace, you could be worse off and/or face more troubleshooting. But I don't see any issue with using some of the examples from the "Advanced Firewall", in addition to the default one, if you want a "belt-and-suspenders" approach.

As @anav highlights, you can certainly add more rules to drop based on your IPs (in addition to interface lists like LAN/WAN). I just think the "invalid" rule covers a lot of cases in the default (and the kernel does rp-filter=loose and ICMP throttling via /ip/settings already).
 
Batman
just joined
Topic Author
Posts: 8
Joined: Thu Nov 23, 2023 8:24 am

Re: About "Building Your First Firewall" ICMP jump-chain

Tue Dec 05, 2023 5:39 pm

Thanks for the tips. I will digest them and do more research when I have more time.
