atomicduck

Firewall / bridge vs interface filtering Q

Wed Apr 27, 2022 2:17 pm

I am building a simple firewall using this tutorial: https://help.mikrotik.com/docs/display/ ... t+Firewall

I am happy, but I have a few Q for more knowledgeable ones.

I usually put ether1-WAN in the INTERNET bridge and then filter that bridge in the rules. The reason is simply not to get confused. - Any cons of doing it that way? I presume that delays filtering a bit (first port, then bridge), but I suppose there is no big performance impact. Security?

Here is the config:
/ip firewall address-list
add address=10.10.10.2-10.10.10.254 list=allowed_to_router
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=not_in_internet
add address=10.10.10.0/24 list=local_ranges
add address=10.10.20.0/24 list=local_ranges
add address=10.10.30.0/24 list=local_ranges
/ip firewall filter
add action=accept chain=input comment="allow established, related" connection-state=established,related
add action=accept chain=input comment="DNS UDP" dst-port=53 in-interface=!INTERNET protocol=udp
add action=accept chain=input comment="DNS TCP" dst-port=53 in-interface=!INTERNET protocol=tcp
add action=accept chain=input comment="allow icmp" protocol=icmp
add action=accept chain=input comment="allowed to router" src-address-list=allowed_to_router
add action=drop chain=input
add action=fasttrack-connection chain=forward comment=FastTrack connection-state=established,related
add action=accept chain=forward comment="Established, Related" connection-state=established,related
add action=accept chain=forward comment="Accept Port forwards if configured" connection-nat-state=dstnat disabled=yes
add action=drop chain=forward comment="Drop invalid" connection-state=invalid log-prefix=invalid
add action=drop chain=forward comment="Drop tries to reach not public addresses from LAN" dst-address-list=not_in_internet in-interface-list=LAN log=yes log-prefix=!public_from_LAN out-interface-list=\
    !LAN
add action=drop chain=forward comment="Drop incoming packets that are not NAT`ted" connection-nat-state=!dstnat connection-state=new in-interface=INTERNET log=yes log-prefix=!NAT
add action=jump chain=forward comment="jump to ICMP filters" jump-target=icmp protocol=icmp
add action=drop chain=forward comment="Drop incoming from internet which is not public IP" in-interface=INTERNET log=yes log-prefix=!public src-address-list=not_in_internet
add action=drop chain=forward comment="Drop packets from LAN that do not have LAN IP" in-interface-list=LAN log=yes log-prefix=LAN_!LAN src-address-list=!local_ranges
add action=reject chain=forward comment="Block WiFi to LOCAL LAN traffic" dst-address=10.10.10.0/24 reject-with=icmp-net-prohibited src-address=10.10.20.0/24
add action=reject chain=forward comment="Block WiFi to VIDEOSURVEILANCE traffic" dst-address=10.10.30.0/24 reject-with=icmp-net-prohibited src-address=10.10.20.0/24
add action=reject chain=forward comment="Block VIDEOSURVEILANCE to LOCAL LAN traffic" dst-address=10.10.10.0/24 reject-with=icmp-net-prohibited src-address=10.10.30.0/24
add action=reject chain=forward comment="Block VIDEOSURVEILANCE to WIFI traffic" dst-address=10.10.20.0/24 reject-with=icmp-net-prohibited src-address=10.10.30.0/24
add action=passthrough chain=forward
add action=accept chain=icmp comment="echo reply" icmp-options=0:0 protocol=icmp
add action=accept chain=icmp comment="net unreachable" icmp-options=3:0 protocol=icmp
add action=accept chain=icmp comment="host unreachable" icmp-options=3:1 protocol=icmp
add action=accept chain=icmp comment="host unreachable fragmentation required" icmp-options=3:4 protocol=icmp
add action=accept chain=icmp comment="allow echo request" icmp-options=8:0 protocol=icmp
add action=accept chain=icmp comment="allow time exceed" icmp-options=11:0 protocol=icmp
add action=accept chain=icmp comment="allow parameter bad" icmp-options=12:0 protocol=icmp
add action=drop chain=icmp comment="deny all other types"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface=INTERNET
add action=accept chain=srcnat comment="defconf: accept all that matches IPSec policy" disabled=yes ipsec-policy=out,ipsec
add action=dst-nat chain=dstnat comment="Sample Port Forward" disabled=yes dst-port=123 in-interface=INTERNET protocol=tcp to-addresses=1.2.3.4 to-ports=123
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
 
anav

Re: Firewall / bridge vs interface filtering Q

Wed Apr 27, 2022 3:43 pm

Yeah,
(1) If you are going to use the philosophy of block all by the use of drop all at the end, and basically define all the traffic allowed, then
I take issue with your DNS rules...........
Much prefer clean and direct and avoid the use of the ! (which is not required).
Simply state what is allowed, in-interface-list=LAN.............

(2) The forward chain invalid rule should go before the disabled for now port forwarding rule.

(3) The forward drop rule for dropping traffic trying to reach non-public IPs could be done via other means.........
/ip route
add blackhole disabled=no dst-address=10.0.0.0/8
add blackhole disabled=no dst-address=172.16.0.0/12
add blackhole disabled=no dst-address=192.168.0.0/16
(NOTE1: add more bogon addresses as you see fit.)
(NOTE2: If you need to reach your ISP/MODEM and it conflicts with bogon addresses, ensure there is a path for that traffic; depending upon individual requirements this could potentially be solved by approaches such as an IP route or an IP address.)

(4) The old default rule blocking wan traffic unless dst-natted is a complete waste, as you have the rule above this to allow port forwarding when it is needed..........
and you have a drop all else rule at the end. Should be removed.

(5) The rule drop for traffic coming from the LAN that has an IP not on the LAN is interesting............ and am thinking about that one.........
Is this working under the assumption that user computers may get compromised ???

(6) The block rules for wifi/video etc seem fine. I would be tempted to make an interface called BLOCK-2-LAN which includes wifi and surveillance so that I can reduce two of the rules to one rule.

(7) I am confused as to all your ICMP rules in the forward chain?? I would get rid of all that.
You accepted icmp in the input chain that suffices........

(8) Missing drop all else at the end of the forward chain????

+++++++++++++++++++++++++++++++
As far as firewall rules, best to use the standard chains for such and not use bridge filter rules.........
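A quick way to see how far anav's "add more bogon addresses as you see fit" goes, as an added example that is not part of the thread: the block below compares the not_in_internet list posted above, and anav's three blackhole routes, against the special-purpose IPv4 table of RFC 6890. The RFC table is typed in from the RFC and should be checked against it before relying on it; the helper names are my own.

```python
"""Check the thread's not_in_internet list against the RFC 6890 table (added example, not from the thread)."""
import ipaddress

# Special-purpose IPv4 blocks listed in RFC 6890 section 2.2.2 (typed in by hand; verify against the RFC).
RFC6890 = ["0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
           "192.0.0.0/24", "192.0.0.0/29", "192.0.2.0/24", "192.88.99.0/24", "192.168.0.0/16",
           "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "255.255.255.255/32"]

# The address-list entries posted in the thread (224.0.0.0/4 is multicast, not an RFC 6890 entry).
NOT_IN_INTERNET = ["0.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "10.0.0.0/8", "169.254.0.0/16", "127.0.0.0/8",
                   "224.0.0.0/4", "198.18.0.0/15", "192.0.0.0/24", "192.0.2.0/24", "198.51.100.0/24",
                   "203.0.113.0/24", "100.64.0.0/10", "240.0.0.0/4", "192.88.99.0/24"]

# anav's three blackhole routes from point (3).
BLACKHOLE_ROUTES = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]


def uncovered(wanted, have):
    """Prefixes in `wanted` that no prefix in `have` fully contains (a broader entry covering a narrower one is fine)."""
    have_nets = [ipaddress.ip_network(h) for h in have]
    return [w for w in wanted if not any(ipaddress.ip_network(w).subnet_of(h) for h in have_nets)]


def redundant(entries):
    """Entries already contained in a broader entry of the same list: harmless, but noise to maintain."""
    nets = [ipaddress.ip_network(e) for e in entries]
    return [str(n) for n in nets if any(n != o and n.subnet_of(o) for o in nets)]


def first_hit(addr, entries):
    """The entry a given address falls under, or None; handy when reading a logged '!public' drop."""
    ip = ipaddress.ip_address(addr)
    return next((e for e in entries if ip in ipaddress.ip_network(e)), None)


if __name__ == "__main__":
    print("RFC 6890 blocks missing from not_in_internet:", uncovered(RFC6890, NOT_IN_INTERNET))
    print("not_in_internet entries the blackhole routes do not catch:", uncovered(NOT_IN_INTERNET, BLACKHOLE_ROUTES))
    print("nested RFC 6890 entries:", redundant(RFC6890))
```

Run as-is it reports that the posted list already covers every RFC 6890 block (192.0.0.0/29 and 255.255.255.255/32 sit inside broader entries), while the three blackhole routes leave twelve of the fifteen list entries uncaught, so the two approaches are not a like-for-like swap unless the route list is extended.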
 
atomicduck

Re: Firewall / bridge vs interface filtering Q

Thu Apr 28, 2022 2:09 pm

Thanks. I gave it some thought. Generally, firewalling works on more or less the same principle on both input and forward.

1. allow established,related
2. block invalid
3. filtering-blocking
4. allows
5. blocks
6. drop all

I have reworked my firewall, partly on your comments;

1. on input I specifically allowed stuff, maybe you could look at it? No need to let anyone in fully, isn't it so?
2. i used mostly lists instead !INTERFACE
3. removed ICMP jumps (that one was really unnecessary)
4. Maybe a stupid Q, but can a dstnat connection be initiated from outside? I presume yes, and given I have accept new in the end, this could actually catch something?
5. added accept new connections on forward, or I would block most of the traffic

As for your Q re filtering ranges not from the LAN, I tested it and it works as it should, preventing suspicious stuff from being passed around. If nothing else, it serves as a trigger.
/ip firewall filter
add action=passthrough chain=input comment="count NTP" dst-port=123 protocol=udp
add action=passthrough chain=input comment="count DHCP" dst-port=67 protocol=udp
add action=accept chain=input comment="allow established, related" connection-state=established,related
add action=drop chain=input comment="Drop invalid" connection-state=invalid log-prefix=invalid
add action=accept chain=input comment="UDP allow - ENTIRE LAN: DNS, DHCP, NTP, CAPsMAN manager, CAPsMAN traffic" dst-port=53,67,123,5246,5247 in-interface-list="[ALL LANS]" protocol=udp
add action=accept chain=input comment="UDP allow - LOCAL LAN: MAC winbox" dst-port=20561 in-interface-list="[LOCAL LAN]" protocol=udp
add action=accept chain=input comment="TCP allow - ENTIRE LAN: DNS" dst-port=53 in-interface-list="[ALL LANS]" protocol=tcp
add action=accept chain=input comment="TCP allow - LOCAL LAN: SSH, Winbox" dst-port=22,8291 in-interface-list="[LOCAL LAN]" protocol=tcp
add action=accept chain=input comment="allow icmp" protocol=icmp
add action=accept chain=input comment="allowed to router" disabled=yes src-address-list=allowed_to_router
add action=drop chain=input comment="Drop all else" log=yes log-prefix="drop all"
add action=fasttrack-connection chain=forward comment=FastTrack connection-state=established,related
add action=accept chain=forward comment="Established, Related" connection-state=established,related
add action=drop chain=forward comment="Drop invalid" connection-state=invalid log-prefix=invalid
add action=accept chain=forward comment="Accept ICMP" log=yes log-prefix="accept ICMP" protocol=icmp
add action=accept chain=forward comment="Accept Port forwards if configured" connection-nat-state=dstnat disabled=yes
add action=drop chain=forward comment="Drop tries to reach not public addresses from LAN" dst-address-list=not_in_internet in-interface-list="[LANS + WIFI]" log=yes log-prefix=!public_from_LAN \
    out-interface-list="![LANS + WIFI]"
add action=drop chain=forward comment="Drop incoming packets that are not NAT`ted" connection-nat-state=!dstnat connection-state=new in-interface=INTERNET log=yes log-prefix=!NAT
add action=drop chain=forward comment="Drop incoming from internet which is not public IP" in-interface=INTERNET log=yes log-prefix=!public src-address-list=not_in_internet
add action=drop chain=forward comment="Drop packets from LAN that do not have LAN IP" in-interface-list="[ALL LANS]" log=yes log-prefix=LAN_!LAN src-address-list=!local_ranges
add action=reject chain=forward comment="Block WIFI to LOCAL LAN traffic" dst-address=10.10.10.0/24 reject-with=icmp-net-prohibited src-address=10.10.20.0/24
add action=reject chain=forward comment="Block WIFI to VIDEOSURVEILANCE traffic" dst-address=10.10.30.0/24 reject-with=icmp-net-prohibited src-address=10.10.20.0/24
add action=reject chain=forward comment="Block VIDEOSURVEILANCE to LOCAL LAN traffic" dst-address=10.10.10.0/24 reject-with=icmp-net-prohibited src-address=10.10.30.0/24
add action=reject chain=forward comment="Block VIDEOSURVEILANCE to WIFI traffic" dst-address=10.10.20.0/24 reject-with=icmp-net-prohibited src-address=10.10.30.0/24
add action=accept chain=forward comment="Accept new connections" connection-state=new
add action=drop chain=forward comment="Drop all other traffic"



/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface=INTERNET
add action=accept chain=srcnat comment="defconf: accept all that matches IPSec policy" disabled=yes ipsec-policy=out,ipsec
add action=dst-nat chain=dstnat comment="Sample Port Forward" disabled=yes dst-port=123 in-interface=INTERNET protocol=tcp to-addresses=1.2.3.4 to-ports=123



/ip firewall address-list
add address=10.10.10.2-10.10.10.254 list=allowed_to_router
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=not_in_internet
add address=10.10.10.0/24 list=local_ranges
add address=10.10.20.0/24 list=local_ranges
add address=10.10.30.0/24 list=local_ranges
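To make the rule-order questions in this thread concrete (anav's points (2) and (8) about the first forward chain, and the Q above about whether a dst-natted connection from outside gets through the reworked chain), here is an added example that is not part of the thread: a small Python evaluator that parses `/ip firewall filter` export lines in the form posted above and walks a forward chain the way RouterOS does, top-down, with `!` negating a single matcher and fasttrack-connection/passthrough not terminating. The two chains are copied from the posts with comment and log attributes dropped, the ICMP jump chain and three of the four reject rules trimmed, and the address lists cut to the entries the sample packets touch. Interface names (ether2-LAN, wlan-WIFI), interface-list membership, and the packet addresses are constructed assumptions: the thread names the lists but never shows their members.

```python
"""Mini evaluator for RouterOS '/ip firewall filter' export lines (added example, not from the thread)."""
import ipaddress
import shlex

# Address lists from the thread, trimmed to the entries the sample packets touch.
ADDRESS_LISTS = {"not_in_internet": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10", "240.0.0.0/4"],
                 "local_ranges": ["10.10.10.0/24", "10.10.20.0/24", "10.10.30.0/24"]}
# Forward chain of the first post: comment/log attributes dropped, ICMP jump and three reject rules trimmed.
ORIGINAL = """
add action=fasttrack-connection chain=forward connection-state=established,related
add action=accept chain=forward connection-state=established,related
add action=accept chain=forward connection-nat-state=dstnat disabled=yes
add action=drop chain=forward connection-state=invalid
add action=drop chain=forward dst-address-list=not_in_internet in-interface-list=LAN out-interface-list=!LAN
add action=drop chain=forward connection-nat-state=!dstnat connection-state=new in-interface=INTERNET
add action=drop chain=forward in-interface=INTERNET src-address-list=not_in_internet
add action=drop chain=forward in-interface-list=LAN src-address-list=!local_ranges
add action=reject chain=forward dst-address=10.10.10.0/24 reject-with=icmp-net-prohibited src-address=10.10.20.0/24
add action=passthrough chain=forward
"""
# Forward chain of the reworked config in the second post, trimmed the same way.
REWORKED = """
add action=fasttrack-connection chain=forward connection-state=established,related
add action=accept chain=forward connection-state=established,related
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward protocol=icmp
add action=accept chain=forward connection-nat-state=dstnat disabled=yes
add action=drop chain=forward dst-address-list=not_in_internet in-interface-list="[LANS + WIFI]" out-interface-list="![LANS + WIFI]"
add action=drop chain=forward connection-nat-state=!dstnat connection-state=new in-interface=INTERNET
add action=drop chain=forward in-interface=INTERNET src-address-list=not_in_internet
add action=drop chain=forward in-interface-list="[ALL LANS]" src-address-list=!local_ranges
add action=reject chain=forward dst-address=10.10.10.0/24 reject-with=icmp-net-prohibited src-address=10.10.20.0/24
add action=accept chain=forward connection-state=new
add action=drop chain=forward
"""
# Interface names and list membership are assumed: the thread names the lists but never shows their members.
IFACE_LISTS = {"ether2-LAN": {"LAN", "[ALL LANS]", "[LOCAL LAN]", "[LANS + WIFI]"},
               "wlan-WIFI": {"LAN", "[ALL LANS]", "[LANS + WIFI]"}, "INTERNET": set()}
SKIP = {"action", "chain", "comment", "jump-target", "reject-with", "log", "log-prefix"}  # not matchers

def parse(export):
    """Turn export lines into matcher dicts; disabled rules are never consulted, so drop them here."""
    rules = [dict(tok.split("=", 1) for tok in shlex.split(line)[1:]) for line in export.strip().splitlines()]
    return [r for r in rules if r.get("disabled") != "yes"]

def in_address_list(addr, name):
    return any(ipaddress.ip_address(addr) in ipaddress.ip_network(net) for net in ADDRESS_LISTS[name])

def matches(rule, pkt):
    """All matchers on a rule must hit; a leading '!' negates that one matcher (RouterOS semantics)."""
    for key, want in rule.items():
        if key in SKIP:
            continue
        neg, want = want.startswith("!"), want.lstrip("!")
        if key in ("in-interface", "out-interface", "protocol", "connection-nat-state"):
            hit = pkt.get(key) == want
        elif key in ("in-interface-list", "out-interface-list"):
            hit = want in IFACE_LISTS[pkt[key.replace("-list", "")]]
        elif key in ("src-address", "dst-address"):
            hit = ipaddress.ip_address(pkt[key]) in ipaddress.ip_network(want)
        elif key in ("src-address-list", "dst-address-list"):
            hit = in_address_list(pkt[key.replace("-list", "")], want)
        elif key in ("connection-state", "dst-port"):
            hit = str(pkt.get(key)) in want.split(",")
        else:
            raise ValueError(f"matcher not modelled: {key}")
        if hit == neg:
            return False
    return True

def evaluate(rules, pkt, chain="forward"):
    """Walk the chain top-down; returns (action, rule index) or None if the packet fell off the end."""
    for idx, rule in enumerate(rules):
        if rule["chain"] == chain and matches(rule, pkt):
            if rule["action"] in ("accept", "drop", "reject"):
                return (rule["action"], idx)
            # fasttrack-connection, passthrough and log do not terminate: the packet keeps walking
    return None  # no rule decided: RouterOS accepts by default

def packet(src, dst, in_if, out_if, state="new", nat=""):
    """Constructed TCP/443 packet; nat='dstnat' means a dst-nat rule already rewrote its destination."""
    return {"src-address": src, "dst-address": dst, "in-interface": in_if, "out-interface": out_if,
            "protocol": "tcp", "dst-port": 443, "connection-state": state, "connection-nat-state": nat}

def verdicts(export):
    """Five constructed packets that exercise the points raised in the thread, run against one forward chain."""
    rules = parse(export)
    return {"lan_to_wifi": evaluate(rules, packet("10.10.10.5", "10.10.20.7", "ether2-LAN", "wlan-WIFI")),
            "wifi_to_lan": evaluate(rules, packet("10.10.20.7", "10.10.10.5", "wlan-WIFI", "ether2-LAN")),
            "spoofed_lan_src": evaluate(rules, packet("192.168.1.5", "11.22.33.44", "ether2-LAN", "INTERNET")),
            "inbound_no_dstnat": evaluate(rules, packet("11.22.33.44", "10.10.10.50", "INTERNET", "ether2-LAN")),
            "inbound_dstnat": evaluate(rules, packet("11.22.33.44", "10.10.10.50", "INTERNET", "ether2-LAN", nat="dstnat"))}

if __name__ == "__main__":
    for name, export in (("original", ORIGINAL), ("reworked", REWORKED)):
        print(name, verdicts(export))
```

Under these assumptions the first chain lets a new LAN-to-WiFi connection, and an inbound connection that a port forward has already dst-natted, fall off the end of the chain with no rule deciding them (point (8): nothing at the end drops them), while the reworked chain decides both with its final "Accept new connections" rule, which is exactly why the disabled "Accept Port forwards" rule no longer matters there. The "Drop packets from LAN that do not have LAN IP" rule catches the spoofed 192.168.1.5 source in both versions, and an inbound connection with no dst-nat is dropped by the `!dstnat` rule in both.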
