hendry
Frequent Visitor
Topic Author
Posts: 66
Joined: Sat Jan 18, 2014 9:59 am
Location: Singapore

Is missing connection-state=invalid hugely bad?

Thu Aug 31, 2017 5:29 am

Hi,

I set up a firewall https://www.reddit.com/r/mikrotik/comme ... _for_home/ like so:
/ip firewall filter
add action=accept chain=forward comment="LAN traffic can go anywhere" in-interface=aa
add action=accept chain=forward comment="Established traffic" connection-state=established
add action=accept chain=forward comment="Related traffic" connection-state=related
add action=accept chain=forward comment=ICMP protocol=icmp
add action=drop chain=forward comment="Drop the rest"
add action=accept chain=output
add action=accept chain=input comment="LAN traffic can go anywhere" in-interface=aa
add action=accept chain=input comment="Established traffic" connection-state=established
add action=accept chain=input comment="Related traffic" connection-state=related
add action=accept chain=input comment=ICMP protocol=icmp
add action=accept chain=input comment="allow ssh" dst-port=22 protocol=tcp src-address=MY.TRUSTED.SPECIAL.IP
add action=drop chain=input comment="Drop the rest"
I did this pretty much manually, since the first Google result for "MikroTik Firewall" took me to https://wiki.mikrotik.com/wiki/Firewall, which I found overwhelming. So I wrote the above almost by hand.

Later I found https://wiki.mikrotik.com/wiki/Manual:I ... all/Filter, which is better. It would be better still if Webfig had some inline firewall option to create a sane default. Quickset's firewall option is far too opaque and risky!

So should I be worried that my initial firewall configuration is missing those "Drop Invalid connections" rules?
RouterBOARD 4xRB952Ui-5ac2nD & 1xRB952Ui-5ac2nD
https://natalian.org/2017/08/20/Choosin ... _Ubiquiti/
 
karlisi
Member
Posts: 375
Joined: Mon May 31, 2004 8:09 am
Location: Latvia

Re: Is missing connection-state=invalid hugely bad?

Thu Aug 31, 2017 1:35 pm

So should I be worried that my initial firewall configuration is missing those "Drop Invalid connections" rules?
No.
These examples are a little outdated, i.e., established and related can be in one rule.
add action=accept chain=forward comment="" connection-state=established,related
---
Karlis
 
strods
MikroTik Support
Posts: 1446
Joined: Wed Jul 16, 2014 7:22 am
Location: Riga, Latvia

Re: Is missing connection-state=invalid hugely bad?

Thu Aug 31, 2017 2:00 pm

The drop-invalid rule is necessary if you use NAT on your router. It is possible that, for different reasons, a packet can leave the router with the wrong (LAN) IP address. This firewall rule will drop such packets.
 
hendry
Frequent Visitor
Topic Author
Posts: 66
Joined: Sat Jan 18, 2014 9:59 am
Location: Singapore

Re: Is missing connection-state=invalid hugely bad?

Thu Aug 31, 2017 4:07 pm

The drop-invalid rule is necessary if you use NAT on your router. It is possible that, for different reasons, a packet can leave the router with the wrong (LAN) IP address. This firewall rule will drop such packets.
Oh, I don't use NAT, so I guess I'm fine? :)
 
gmiller01
just joined
Posts: 3
Joined: Thu Feb 05, 2015 10:09 am

Re: Is missing connection-state=invalid hugely bad?

Fri Sep 22, 2017 12:40 pm

The drop-invalid rule is necessary if you use NAT on your router. It is possible that, for different reasons, a packet can leave the router with the wrong (LAN) IP address. This firewall rule will drop such packets.
I have a problem with this rule. Sometimes it drops packets from VPN clients, sometimes it doesn't.
How can I debug why some packets are invalid and others are not?
I have added an exception for the VPN addresses, so I have solved the problem, but I want to know the root of it.
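One way to answer the "why are some packets invalid" question, added here as an example and not part of the thread: put a logging rule in front of the drop, for instance add chain=forward action=log connection-state=invalid log-prefix=INVALID, and then summarise what the log shows instead of reading single lines. The Python below parses lines in the layout RouterOS uses for firewall log entries (prefix, chain, in:/out: interfaces, proto with TCP flags or ICMP type, src:port->dst:port, len), groups them by interface, protocol and flags and by source address, and attaches a rough hint about the usual reasons conntrack returns INVALID. The log lines, interface names, MAC and IP addresses are constructed for the example; the hints are starting points to check against /ip firewall connection print, not diagnoses.

```python
# Added example, not code from the thread or from RouterOS: summarise the log
# lines produced by a RouterOS firewall rule such as
#   add chain=forward action=log connection-state=invalid log-prefix=INVALID
# so that the packets hitting "drop invalid" can be characterised.
# SAMPLE_LOG is constructed to follow the RouterOS firewall log layout; the
# interfaces, MAC and IP addresses in it are made up.

import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

SAMPLE_LOG = """\
10:12:01 firewall,info INVALID forward: in:ether1 out:bridge-LAN, src-mac 00:11:22:33:44:55, proto TCP (ACK,FIN), 203.0.113.10:443->192.168.88.20:51234, len 52
10:12:03 firewall,info INVALID forward: in:ether1 out:bridge-LAN, src-mac 00:11:22:33:44:55, proto TCP (ACK,FIN), 203.0.113.10:443->192.168.88.20:51234, len 52
10:12:09 firewall,info INVALID forward: in:l2tp-out1 out:bridge-LAN, proto UDP, 10.8.0.6:5060->192.168.88.30:5060, len 412
sep/22/2017 10:12:15 firewall,info INVALID input: in:ether1 out:(unknown 0), src-mac 00:11:22:33:44:55, proto TCP (RST), 198.51.100.9:8080->203.0.113.1:60012, len 40
10:12:20 firewall,info INVALID forward: in:l2tp-out1 out:bridge-LAN, proto TCP (ACK,PSH), 10.8.0.6:445->192.168.88.30:50011, len 1500
"""

# Tolerant of an optional date token, an optional src-mac field and a
# parenthesised flag/type field after the protocol.
LINE_RE = re.compile(
    r"^(?:\S+\s+)?(?P<time>\d\d:\d\d:\d\d)\s+firewall,info\s+"
    r"(?P<prefix>\S+)\s+(?P<chain>\w+):\s+"
    r"in:(?P<inif>\S+)\s+out:(?P<outif>.+?),\s+"   # out:(unknown 0) contains a space
    r"(?:src-mac\s+[0-9a-fA-F:]+,\s+)?"
    r"proto\s+(?P<proto>\w+)(?:\s+\((?P<flags>[^)]*)\))?,\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+),\s+len\s+(?P<len>\d+)$"
)


def parse_line(line: str) -> Optional[Dict[str, Optional[str]]]:
    """One log line to a dict of fields, or None if it is not a firewall log line."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def parse_log(text: str) -> List[Dict[str, Optional[str]]]:
    return [rec for rec in (parse_line(ln) for ln in text.splitlines()) if rec]


def summarize(records) -> Tuple[Counter, Counter]:
    """Group drops by (in-interface, protocol, flags) and by source address."""
    by_kind = Counter((r["inif"], r["proto"], r["flags"] or "-") for r in records)
    by_src = Counter(r["src"] for r in records)
    return by_kind, by_src


def likely_cause(rec: Dict[str, Optional[str]]) -> str:
    """Rough hint about why conntrack may have returned INVALID; a starting
    point for checking /ip firewall connection, not a diagnosis."""
    flags = {f for f in (rec["flags"] or "").split(",") if f}
    if rec["proto"] == "TCP" and flags & {"FIN", "RST"}:
        return "late teardown segment for a connection conntrack no longer tracks"
    if rec["proto"] == "TCP" and "SYN" not in flags:
        return "mid-stream segment with no conntrack entry (asymmetric path, conntrack reset or out-of-window)"
    if rec["proto"] == "UDP":
        return "UDP datagram with no matching entry (asymmetric path or expired entry)"
    return "no hint; inspect the connection table"


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    by_kind, by_src = summarize(recs)
    for kind, n in by_kind.most_common():
        print(n, kind)
    for src, n in by_src.most_common():
        print(n, src)
    for r in recs:
        print(r["src"], r["proto"], r["flags"], "->", likely_cause(r))
```

Feed it the output of /log print where topics~"firewall" (or a syslog export) in place of SAMPLE_LOG. A cluster of FIN/RST or ACK-only segments from one VPN peer usually points at the peer's idle timeout being longer than the router's tracking timeout or at traffic taking a path the router never saw the SYN on; a simple "exception for VPN addresses" hides either case rather than fixing it.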
 
pcunite
Forum Guru
Posts: 1189
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: Is missing connection-state=invalid hugely bad?

Fri Sep 22, 2017 6:43 pm

This should be the default setup on MikroTik. I know those new to RouterOS must be overwhelmed. You don't need hundreds of drop rules, unless you want to log them.

About Drop invalid rules:
We need support to confirm this, but basically it is possible for a packet to look like it was established or related when in fact it really was not. These are packets that have been crafted to seem this way. However, RouterOS knows that a three-way handshake did not exist for them. Thus, they are invalid. Without the drop-invalid rule, I'm guessing that RouterOS will accept them in the established,related rule?

I would rather they simply go past that rule and hit Drop All, for performance reasons. Can support please confirm whether we need Drop invalid given my rules below? According to what I've read about iptables, the INVALID state is different from Established and Related; thus, if you use my firewall rules, they will hit my drop all. Better performance, since invalid is a rare packet type for me.

Reading on the subject.
/ip firewall filter
add chain=input action=drop connection-state=invalid comment="Drop invalid"
add chain=input action=accept connection-state=established,related comment="Accept established related"
add chain=input action=accept in-interface=bridge-LAN comment="Allow LAN access to router and Internet"
add chain=input action=drop comment="Drop all other input"

add chain=forward action=drop connection-state=invalid protocol=tcp comment="Drop invalid"
add chain=forward action=accept connection-state=established,related comment="Accept established related"
add chain=forward action=accept connection-state=new in-interface=bridge-LAN comment="Allow LAN access to router and Internet"
add chain=forward action=accept connection-nat-state=dstnat comment="Accept Port forwards if configured"
add chain=forward action=drop comment="Drop all other forward"

/ip firewall nat
add chain=srcnat action=masquerade out-interface=ether-WAN comment="Default masq"
add chain=dstnat action=dst-nat in-interface=ether-WAN protocol=tcp to-addresses=1.2.3.4 dst-port=123 to-ports=123 comment="Sample Port Forward"
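To make the state question concrete, here is an added example that is not part of this thread or of RouterOS: a small Python model of first-match rule evaluation over hendry's forward chain and pcunite's forward chain, fed with constructed packets that conntrack has marked INVALID. Interface names, addresses and the WAN address used by the masquerade model are invented for the illustration. It shows the three points made in the thread: INVALID is a separate conntrack verdict and never matches connection-state=established,related; with pcunite's rules an invalid packet falls through to the final drop (or hits the explicit drop-invalid rule when it is TCP); and with hendry's rules an invalid packet arriving on the LAN interface is accepted by the in-interface rule and, if masquerade were configured, would leave with its LAN source address because NAT is bound to a conntrack entry, which is strods' point.

```python
# Added example, not code from the thread or from RouterOS: a first-match model
# of the filter rules posted above, used to trace where a packet that conntrack
# has classified INVALID ends up. Interface names ("aa", "ether1", "bridge-LAN"),
# addresses and packets are constructed for illustration.

from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    chain: str                       # "input" or "forward"
    in_iface: str
    state: str                       # conntrack verdict: new/established/related/invalid
    protocol: str                    # "tcp", "udp", "icmp"
    src: str
    nat_state: Optional[str] = None  # "dstnat" when a dst-nat rule rewrote the packet


@dataclass(frozen=True)
class Rule:
    chain: str
    action: str
    comment: str
    in_iface: Optional[str] = None
    states: Tuple[str, ...] = ()     # connection-state=...; empty means "any state"
    protocol: Optional[str] = None
    nat_state: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        if self.chain != p.chain:
            return False
        if self.in_iface is not None and self.in_iface != p.in_iface:
            return False
        # INVALID is its own conntrack verdict: it is not a member of
        # "established,related", so that rule never matches it.
        if self.states and p.state not in self.states:
            return False
        if self.protocol is not None and self.protocol != p.protocol:
            return False
        if self.nat_state is not None and self.nat_state != p.nat_state:
            return False
        return True


def evaluate(rules: List[Rule], p: Packet) -> str:
    """RouterOS semantics: the first matching rule decides; a chain with no
    matching rule accepts the packet."""
    for r in rules:
        if r.matches(p):
            return f"{r.action}: {r.comment}"
    return "accept: (end of chain, default accept)"


def egress_src(p: Packet, wan_ip: str = "203.0.113.1") -> str:
    """Simplified masquerade: source translation is tied to a conntrack entry,
    so a packet conntrack calls INVALID is forwarded with its original source
    address (the leak strods describes)."""
    return p.src if p.state == "invalid" else wan_ip


# hendry's forward chain (LAN interface "aa", no drop-invalid rule)
HENDRY_FORWARD = [
    Rule("forward", "accept", "LAN traffic can go anywhere", in_iface="aa"),
    Rule("forward", "accept", "Established traffic", states=("established",)),
    Rule("forward", "accept", "Related traffic", states=("related",)),
    Rule("forward", "accept", "ICMP", protocol="icmp"),
    Rule("forward", "drop", "Drop the rest"),
]

# pcunite's forward chain
PCUNITE_FORWARD = [
    Rule("forward", "drop", "Drop invalid", states=("invalid",), protocol="tcp"),
    Rule("forward", "accept", "Accept established related",
         states=("established", "related")),
    Rule("forward", "accept", "Allow LAN access to router and Internet",
         in_iface="bridge-LAN", states=("new",)),
    Rule("forward", "accept", "Accept Port forwards if configured", nat_state="dstnat"),
    Rule("forward", "drop", "Drop all other forward"),
]

# Constructed packets that conntrack could not match to any tracked connection
invalid_from_wan = Packet("forward", "ether1", "invalid", "tcp", "198.51.100.7")
invalid_from_lan = Packet("forward", "aa", "invalid", "tcp", "192.168.88.10")
invalid_udp_lan = Packet("forward", "bridge-LAN", "invalid", "udp", "192.168.88.10")

if __name__ == "__main__":
    print(evaluate(HENDRY_FORWARD, invalid_from_wan))   # drop: Drop the rest
    print(evaluate(HENDRY_FORWARD, invalid_from_lan))   # accept: LAN traffic can go anywhere
    print(egress_src(invalid_from_lan))                 # 192.168.88.10 (leaves un-NATed)
    print(evaluate(PCUNITE_FORWARD, invalid_from_lan))  # drop: Drop invalid
    print(evaluate(PCUNITE_FORWARD, invalid_udp_lan))   # drop: Drop all other forward
```

Run it as a script to print the verdicts. Note that pcunite's "Drop invalid" rule carries protocol=tcp, so an invalid UDP packet is not caught by it; in his chain it is still dropped, but only because the LAN accept rule requires connection-state=new and the chain ends in a drop. In hendry's chain the LAN accept has no state condition, so the same packet is accepted. egress_src is a deliberate simplification of masquerade: it encodes only the fact that a packet without a conntrack entry is not translated.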
