Hello, after I enabled the IPv6 package and set up IPv6 on the hAP ac2 (v6.48) I realized that my IPv6 firewall is completely empty by default. Can someone help me out with some basic FW rules for home use?
Thanks.
/system default-configuration print
/ipv6 firewall {
address-list add list=bad_ipv6 address=::/128 comment="defconf: unspecified address"
address-list add list=bad_ipv6 address=::1 comment="defconf: lo"
address-list add list=bad_ipv6 address=fec0::/10 comment="defconf: site-local"
address-list add list=bad_ipv6 address=::ffff:0:0/96 comment="defconf: ipv4-mapped"
address-list add list=bad_ipv6 address=::/96 comment="defconf: ipv4 compat"
address-list add list=bad_ipv6 address=100::/64 comment="defconf: discard only "
address-list add list=bad_ipv6 address=2001:db8::/32 comment="defconf: documentation"
address-list add list=bad_ipv6 address=2001:10::/28 comment="defconf: ORCHID"
address-list add list=bad_ipv6 address=3ffe::/16 comment="defconf: 6bone"
address-list add list=bad_ipv6 address=::224.0.0.0/100 comment="defconf: other"
address-list add list=bad_ipv6 address=::127.0.0.0/104 comment="defconf: other"
address-list add list=bad_ipv6 address=::/104 comment="defconf: other"
address-list add list=bad_ipv6 address=::255.0.0.0/104 comment="defconf: other"
filter add chain=input action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
filter add chain=input action=drop connection-state=invalid comment="defconf: drop invalid"
filter add chain=input action=accept protocol=icmpv6 comment="defconf: accept ICMPv6"
filter add chain=input action=accept protocol=udp port=33434-33534 comment="defconf: accept UDP traceroute"
filter add chain=input action=accept protocol=udp dst-port=546 src-address=fe80::/10 comment="defconf: accept DHCPv6-Client prefix delegation."
filter add chain=input action=accept protocol=udp dst-port=500,4500 comment="defconf: accept IKE"
filter add chain=input action=accept protocol=ipsec-ah comment="defconf: accept ipsec AH"
filter add chain=input action=accept protocol=ipsec-esp comment="defconf: accept ipsec ESP"
filter add chain=input action=accept ipsec-policy=in,ipsec comment="defconf: accept all that matches ipsec policy"
filter add chain=input action=drop in-interface-list=!LAN comment="defconf: drop everything else not coming from LAN"
filter add chain=forward action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
filter add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
filter add chain=forward action=drop src-address-list=bad_ipv6 comment="defconf: drop packets with bad src ipv6"
filter add chain=forward action=drop dst-address-list=bad_ipv6 comment="defconf: drop packets with bad dst ipv6"
filter add chain=forward action=drop protocol=icmpv6 hop-limit=equal:1 comment="defconf: rfc4890 drop hop-limit=1"
filter add chain=forward action=accept protocol=icmpv6 comment="defconf: accept ICMPv6"
filter add chain=forward action=accept protocol=139 comment="defconf: accept HIP"
filter add chain=forward action=accept protocol=udp dst-port=500,4500 comment="defconf: accept IKE"
filter add chain=forward action=accept protocol=ipsec-ah comment="defconf: accept ipsec AH"
filter add chain=forward action=accept protocol=ipsec-esp comment="defconf: accept ipsec ESP"
filter add chain=forward action=accept ipsec-policy=in,ipsec comment="defconf: accept all that matches ipsec policy"
filter add chain=forward action=drop in-interface-list=!LAN comment="defconf: drop everything else not coming from LAN"
}
Default configuration is not re-applied on module activation. Maybe it should (for firewall) but that's up to the product team.
> not sure why it wasn't applied automatically.
That's a great suggestion for a new installation, but does not help for an existing configuration with a couple hundred lines of configuration. However, the list provided earlier is a good help. I recently enabled IPv6, just to play with it a little on my RB750Gr3. I created an EXTREMELY restrictive firewall, but will take a look at the default listed earlier.
> It is a bug/shortcoming in RouterOS.
> When you add a new package, the default configuration for that package is not applied.
> Workaround: always enable IPv6 as the first thing when you receive a new router, then update to the newest RouterOS version, and then reset to factory defaults.
> When you do the reset with the IPv6 package enabled, you get the correct default configuration.
This ruleset relies on the fact that in RouterOS there is a "default allow" at the end of each chain.
> In the ruleset above, where is the rule which actually creates connection states from egress traffic? Is connection state tracking enabled implicitly? How does this work?
OK, let's consider this simplified but working example:
> I always make the ruleset so that it ends in a "drop" rule
/ipv6 firewall filter
add action=accept chain=input comment="Allow established and related" connection-state=established,related
add action=drop chain=input comment="Drop by default" in-interface=sit1
Connection state tracking happens by default on "auto" when there is at least one firewall or NAT rule. It doesn't matter what the rule is; as long as at least one rule exists, all connections will be tracked. So because you have at least one IPv4 or IPv6 firewall or NAT rule, connection tracking happens for all IPv4 and IPv6 traffic.
> There is no explicit rule to create firewall state based on outgoing packets, and nevertheless state is created and return traffic via sit1 is being permitted. Where exactly is the state created in this example?
Thank you, now I understand. I have even found the Firewall -> Connections -> Tracking button after your explanation.
> Connection state tracking happens by default on "auto" when there is at least one firewall or NAT rule. It doesn't matter what the rule is; as long as at least one rule exists, all connections will be tracked. So because you have at least one IPv4 or IPv6 firewall or NAT rule, connection tracking happens for all IPv4 or IPv6 traffic.
If you add firewall rules and you don't want connections to be tracked, you have to change connection tracking from "auto" to "off".
Connection tracking is part of iptables. My experience with Linux suggests that connections are tracked even if there are no iptables rules, so Linux uses what MikroTik calls the "on" setting instead of the "auto" setting. I'm not sure if you can change Linux from "on" to "auto", or whether this is something that MikroTik created.
> Is this a MikroTik feature or a generic Linux iptables feature?
Remember that there are different chains in the firewall. Your example with "input" might indicate that you think that all traffic incoming to your network is passing the "input" chain. That is not true!
> OK, let's consider this simplified but working example:
> I always make the ruleset so that it ends in a "drop" rule
> There is no explicit rule to create firewall state based on outgoing packets, and nevertheless state is created and return traffic via sit1 is being permitted. Where exactly is the state created in this example?
> /ipv6 firewall filter
> add action=accept chain=input comment="Allow established and related" connection-state=established,related
> add action=drop chain=input comment="Drop by default" in-interface=sit1
Yes, I am aware of that. My simplified example was actually meant for a ping from the router itself etc.
> Remember that there are different chains in the firewall. Your example with "input" might indicate that you think that all traffic incoming to your network is passing the "input" chain. That is not true!
> The "input" chain is only for traffic incoming to and processed by the router itself.
As a person with a FreeBSD/ipfw/pf background, I had a problem understanding that an empty output chain can create state. In ipfw or pf, an explicit outgoing "pass ... keep-state" rule is required to record state.
> In your example, traffic outgoing from the router is implicitly accepted by the empty output chain, creates a connection tracking entry there, and its replies are accepted by the established/related rule in your input chain.
Thanks, this is useful information. I wonder if MikroTik is different from generic Linux in this aspect.
> Actually, connection tracking entries are not created by those filter chains; that happens elsewhere. When you need to avoid a tracking entry, you have to do that in the raw chains (prerouting and output); those are the only ones that are "early enough" to drop packets or to pass them but not create a tracking entry.
> By the time you reach the filter chains, the tracking entry has already been created.
> That can be relevant e.g. in case of port scans or DDoS attacks. Even when dropping traffic in the filter chain, you can still have issues with a large connection tracking table.
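As an added illustration (not code from any post in this thread), a small Python model of the behaviour discussed in the last few posts: the tracking entry is created before any filter chain runs, the empty output chain accepts implicitly, and the returning reply then matches established in the input chain. The classes, the three tracking modes and the 2001:db8:: addresses are a simplified, assumed model of RouterOS, not its real implementation.

```python
from collections import namedtuple
from dataclasses import dataclass, field
from typing import Optional
# in_iface is None for packets the router generates itself (output chain).
Packet = namedtuple("Packet", "proto src dst in_iface")

@dataclass
class Rule:
    action: str                               # "accept" or "drop"
    connection_state: Optional[set] = None    # e.g. {"established", "related"}
    in_interface: Optional[str] = None

    def matches(self, pkt: Packet, state: str) -> bool:
        if self.connection_state is not None and state not in self.connection_state:
            return False
        return self.in_interface is None or self.in_interface == pkt.in_iface

@dataclass
class Firewall:
    tracking: str = "auto"                    # RouterOS modes: auto / on / off
    input_rules: list = field(default_factory=list)
    output_rules: list = field(default_factory=list)
    conns: set = field(default_factory=set)   # toy connection tracking table
    def tracking_active(self) -> bool:
        # "auto": tracking is on as soon as at least one firewall rule exists.
        return self.tracking == "on" or (self.tracking == "auto" and bool(self.input_rules or self.output_rules))
    def _conntrack(self, pkt) -> str:
        # Runs before any filter chain: the entry exists by the time filter sees the packet.
        if not self.tracking_active():
            return "untracked"
        flow = (pkt.proto, pkt.src, pkt.dst)
        if flow in self.conns or (pkt.proto, pkt.dst, pkt.src) in self.conns:
            return "established"
        self.conns.add(flow)
        return "new"
    def handle(self, pkt) -> str:
        state = self._conntrack(pkt)
        chain = self.output_rules if pkt.in_iface is None else self.input_rules
        for rule in chain:
            if rule.matches(pkt, state):
                return rule.action
        return "accept"   # no rule matched: RouterOS default allow at the end of the chain

def router_ping_scenario(tracking: str = "auto") -> dict:
    """The two-rule input chain from the thread; the output chain is left empty on purpose."""
    fw = Firewall(tracking=tracking, input_rules=[
        Rule("accept", connection_state={"established", "related"}),
        Rule("drop", in_interface="sit1"),
    ])
    req = Packet("icmpv6", "2001:db8::2", "2001:db8::1", None)    # constructed: router pings out
    rep = Packet("icmpv6", "2001:db8::1", "2001:db8::2", "sit1")  # the echo reply returns via sit1
    stray = Packet("tcp", "2001:db8::99", "2001:db8::2", "sit1")  # constructed: unsolicited inbound
    return {"request": fw.handle(req), "reply": fw.handle(rep), "stray": fw.handle(stray)}
```

With tracking set to "off" the same reply is dropped, because the connection-state matcher can no longer see it as established and the sit1 drop rule takes it.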
It is strange however, that on Debian 10, when `iptables -L` has no rules (default configuration after installation), the output of `conntrack -L` is empty.
> It isn't. This is just Linux iptables.
> (there are other firewall systems in Linux)
On CentOS 7, I run iptables -L and get this:
> It is strange however, that on Debian 10, when `iptables -L` has no rules (default configuration after installation), the output of `conntrack -L` is empty.
[root@srv /]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Looks like it. Now we have the complete picture.
> Just tried on Ubuntu and conntrack -L shows nothing when there are no rules. Presumably, then, "auto" and "on" are from Linux, and CentOS uses the equivalent of the MikroTik "on" setting while Debian and Ubuntu use "auto".
I applied this to my router hoping to get IPv6 running, but still can't.
> After enabling the ipv6 package, the ipv6 firewall is in the default configuration.
> https://help.mikrotik.com/docs/display/ ... igurations
> /system default-configuration print
> You can copy/paste the /ipv6 firewall part from there (make sure your terminal window is wide enough for all contents to be displayed).
/ipv6 dhcp-server
add address-pool=pool1 interface=bridge name=server1
/ipv6 pool
add name=pool1 prefix=fd00::/8 prefix-length=63
/ipv6 address
add address=2001:470:1f10:942::2 advertise=no interface=sit1
add address=2001:470:1f10:943::2 interface=bridge
/ipv6 dhcp-client
add disabled=yes interface=ether1 request=address
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
add address=::224.0.0.0/100 comment="defconf: other" list=bad_ipv6
add address=::127.0.0.0/104 comment="defconf: other" list=bad_ipv6
add address=::/104 comment="defconf: other" list=bad_ipv6
add address=::255.0.0.0/104 comment="defconf: other" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/ipv6 nd
set [ find default=yes ] advertise-mac-address=no interface=bridge managed-address-configuration=yes other-configuration=yes
/ipv6 nd prefix
add autonomous=no interface=bridge
/ipv6 route
add disabled=no distance=1 dst-address=2000::/3 gateway=2001:470:1f10:942::1 scope=30 target-scope=10
/ipv6 settings
set max-neighbor-entries=8192