francolini
just joined
Topic Author
Posts: 2
Joined: Tue Jun 30, 2020 11:51 am

fw does not drop winbox mac-telnet

Tue Jun 30, 2020 12:44 pm

Hi all,

I've been testing the firewall feature on the CRS328, and I struggle to understand the following ruleset:
/ip firewall filter
add action=drop chain=input comment="Block mgmt on eth1" in-interface=ether1
add action=accept chain=input connection-state=established,related,untracked
add action=accept chain=input protocol=icmp
I would expect the first line to block all incoming traffic on ether1 addressed to the router. IP connections via WinBox and ping are blocked, but I'm still able to connect using WinBox and MAC-Telnet.

If I enable logging, I can see that the telnet packets are listed by the rule. So the filter is capturing the packets, but still forwards them to the CPU?
The ether1 interface is not part of any bridge configuration.

Note: I know there are many alternatives to block mac-telnet, but I'm trying to understand why the above rules don't work, and possible consequences for other protocols.
 
anav
Forum Guru
Posts: 4614
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: fw does not drop winbox mac-telnet

Tue Jun 30, 2020 3:37 pm

What are you trying to accomplish that is not already done properly in the default ruleset?
Why did you add that extra rule?
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
mrz
MikroTik Support
Posts: 6043
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: fw does not drop winbox mac-telnet

Tue Jun 30, 2020 3:44 pm

See packet flow diagram
https://wiki.mikrotik.com/wiki/Manual:Packet_Flow

MAC-Telnet is not a layer 3 connection, so from in-interface it goes directly to local-in.
 
xvo
Forum Veteran
Posts: 714
Joined: Sat Mar 03, 2018 1:12 am
Location: Moscow, Russia

Re: fw does not drop winbox mac-telnet

Tue Jun 30, 2020 3:46 pm

I would expect the first line to block all incoming traffic on ether1 addressed to the router. IP connections via WinBox and ping are blocked, but I'm still able to connect using WinBox and MAC-Telnet.
All incoming IP traffic.
Limit the list of ports through which MAC-WinBox and/or MAC-Telnet connections can happen.
 
francolini
just joined
Topic Author
Posts: 2
Joined: Tue Jun 30, 2020 11:51 am

Re: fw does not drop winbox mac-telnet

Tue Jun 30, 2020 4:04 pm

MAC-Telnet is not a layer 3 connection, so from in-interface it goes directly to local-in.
Awesome, thanks for the explanation!

What are you trying to accomplish that is not already done properly in the default ruleset?
Why did you add that extra rule?
Read the first post, last section... Also, the CRS328 did not come with a default ruleset
 
k6ccc
Long time Member
Posts: 535
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)

Re: fw does not drop winbox mac-telnet

Tue Jun 30, 2020 8:51 pm

OK, I have never given that any thought because I have never used MAC-WinBox. How do you block MAC-WinBox, either completely or selectively? Since it's not IP, the IP firewall and port rules do not apply.
RB750Gr3, RB750r2, CRS326-24G-2S (in SwitchOS), CSS326-24G-2S, CSS106-5G-1S, RB260GS
Not sure if I beat them in submission, or they beat me into submission

Warning: I know enough to be dangerous...

Jim
 
anav
Forum Guru
Posts: 4614
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: fw does not drop winbox mac-telnet

Tue Jun 30, 2020 9:10 pm

OK, I have never given that any thought because I have never used MAC-WinBox. How do you block MAC-WinBox, either completely or selectively? Since it's not IP, the IP firewall and port rules do not apply.
I know enough to be dangerous and then some!!!
Go to Tools and to MAC Server and yee shall be enlightened!!

Security for Router: The Rule of 4! (from MTUNA manual)
1 - firewall input rules - allow admin only on WAN side and block WAN
2 - users - change name from admin and strong password
3 - WinBox settings under IP > Services
4 - WinMAC settings under Tools
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
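The following is an added RouterOS configuration example, not something posted in the thread, that puts mrz's packet-flow point and anav's "Tools > MAC Server" pointer into concrete commands. Because MAC-Telnet and MAC-WinBox frames go from in-interface straight to local-in, the `/ip firewall filter` input chain never sees them; the only control is the interface list the MAC server is bound to. The list name `LAN` and the member interface `bridge1` are assumptions for this example; the syntax is the interface-list form used by RouterOS 6.41 and later.

```routeros
# Added example (not from the thread): confine MAC-Telnet and MAC-WinBox to a
# LAN interface list so that ether1, which carries no list membership, cannot
# reach them. "LAN" and "bridge1" are assumed names for this example.

# 1. Define an interface list holding only the management-side interfaces.
/interface list add name=LAN comment="management side"
/interface list member add list=LAN interface=bridge1

# 2. Bind both layer-2 management servers to that list
#    (this is what WinBox shows under Tools > MAC Server).
/tool mac-server set allowed-interface-list=LAN
/tool mac-server mac-winbox set allowed-interface-list=LAN

# The MAC-server ping responder is layer 2 as well; switch it off if unused.
/tool mac-server ping set enabled=no

# 3. Stop announcing the router over MNDP/CDP/LLDP on the other interfaces,
#    otherwise WinBox "Neighbors" still lists the MAC address seen on ether1.
/ip neighbor discovery-settings set discover-interface-list=LAN

# 4. Verify: ether1 must not appear as a member of LAN, and both servers
#    must show allowed-interface-list=LAN.
/interface list member print where list=LAN
/tool mac-server print
/tool mac-server mac-winbox print
```

To disable layer-2 management entirely rather than selectively, set `allowed-interface-list=none` on both servers. After applying the change, repeat the original test: a MAC-Telnet or MAC-WinBox attempt from a host on ether1 should now fail, while the same attempt from a host behind `bridge1` still succeeds. Note that the firewall log entries the original poster saw will keep appearing, since logging happens when the rule matches, even though the drop has no effect on these frames.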
 
k6ccc
Long time Member
Posts: 535
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)

Re: fw does not drop winbox mac-telnet

Wed Jul 01, 2020 2:41 am

Thanks.
I wonder if I had discovered and forgotten about that sometime in the past. When I looked at my router 2, both the mac-winbox and mac-telnet interface lists had all interfaces, but when I looked at my newer router 1, only the local LAN was listed for both.
RB750Gr3, RB750r2, CRS326-24G-2S (in SwitchOS), CSS326-24G-2S, CSS106-5G-1S, RB260GS
Not sure if I beat them in submission, or they beat me into submission

Warning: I know enough to be dangerous...

Jim
