broderick
Member Candidate
Topic Author
Posts: 242
Joined: Mon Nov 30, 2020 7:44 pm

About Building Your First Firewall. Jump and Chain

Sat Dec 11, 2021 12:39 pm

Hi,
As a Mikrotik device noob I always need to brush up my knowledge every now and then since I have few chances to use it during a week, so it sometimes happens that I just need to read and try the same setup I had already used for my Mikrotik device, but sometimes it is a matter of diving a bit deeper into some topics.

I was reading this interesting article:

https://help.mikrotik.com/docs/display/ ... t+Firewall

but I don't think I got exactly what a few rules do here
...
add action=drop chain=forward comment="Drop tries to reach not public addresses from LAN" dst-address-list=not_in_internet in-interface=bridge log=yes log-prefix=!public_from_LAN out-interface=!bridge
add action=drop chain=forward comment="Drop incoming packets that are not NAT`ted" connection-nat-state=!dstnat connection-state=new in-interface=ether1 log=yes log-prefix=!NAT
add action=jump chain=forward protocol=icmp jump-target=icmp comment="jump to ICMP filters"
add action=drop chain=forward comment="Drop incoming from internet which is not public IP" in-interface=ether1 log=yes log-prefix=!public src-address-list=not_in_internet
add action=drop chain=forward comment="Drop packets from LAN that do not have LAN IP" in-interface=bridge log=yes log-prefix=LAN_!LAN src-address=!192.168.88.0/24

the first drop and the jump rule in particular.

then

/ip firewall filter
  add chain=icmp protocol=icmp icmp-options=0:0 action=accept \
    comment="echo reply"
  add chain=icmp protocol=icmp icmp-options=3:0 action=accept \
    comment="net unreachable"
  add chain=icmp protocol=icmp icmp-options=3:1 action=accept \
    comment="host unreachable"
  add chain=icmp protocol=icmp icmp-options=3:4 action=accept \
    comment="host unreachable fragmentation required"
  add chain=icmp protocol=icmp icmp-options=8:0 action=accept \
    comment="allow echo request"
  add chain=icmp protocol=icmp icmp-options=11:0 action=accept \
    comment="allow time exceed"
  add chain=icmp protocol=icmp icmp-options=12:0 action=accept \
    comment="allow parameter bad"
  add chain=icmp action=drop comment="deny all other types"
  
How does this icmp chain work and what is the icmp-options for?

Thanks
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: About Building Your First Firewall. Jump and Chain

Sat Dec 11, 2021 1:57 pm

First drop is to prevent packets to internal subnets leaking to internet. They won't do it if such local subnet exists. But it can be for example some remote LAN accessible over VPN. And if it's disconnected, then packets from device in local LAN trying to communicate with something in remote LAN may go to ISP instead. You don't want that.

Jump for icmp is to allow only selected types and block the rest. The general idea (for not just icmp) is that the less you allow, the more secure it is. For large part it is true. For example, router with no firewall and all services exposed to the world is less secure than router with only VPN server exposed. And that's still less secure than router with no service exposed. Some people believe that there's no limit to this. In a way they are right, the ultimate security is to cut the cable, it will protect you completely. But there's gray area before the ultimate solution, and icmp is in there.

Icmp is a protocol that can do different useful things (see e.g. https://en.wikipedia.org/wiki/Internet_ ... e_Protocol). Some are less and some more important. So going with the previous idea that less is more secure, some people try to filter icmp by types, allow those important and block the rest. How useful it is, that's a question. It's not that any type would be clearly dangerous. On the other hand, if you can live without it, you can block it and it won't hurt you. And in the unlikely case when some problem with it will be discovered, you can make fun of other people who didn't block it. :)
 
msatter
Forum Guru
Posts: 2897
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: About Building Your First Firewall. Jump and Chain

Sat Dec 11, 2021 2:10 pm

ICMP is very important and the most important one is 3:4, indicating that the packet size (MTU) is too high and that the client should reduce the MTU.

Why use a chain? The firewall is walked through in a specific order of chains. Creating a specific chain of your own allows you to only have to walk one line and not have to match all the separate lines, depending on whether you jump or not, and so saves time.

It also makes the page more readable by combining that chain to one location.

At the end of the chain you see a drop, and all other non-matching ICMP is stopped there.

There is also an action "return", and that gets you back to the next line under the jump in the Forward chain, from where you jumped.

You have to see the created chain ICMP as a subroutine of Forward, and when ready it will return on its own.
An automatic return can be avoided if your action has that Passthrough setting. If you activate that, all the walking of that chain is interrupted and, if I am correct, also all following chains in Filter in this example.

Passthrough as parameter: "whether to let the packet to pass further (like action passthrough) into the firewall or not (property only valid some actions)"
 
broderick
Member Candidate
Topic Author
Posts: 242
Joined: Mon Nov 30, 2020 7:44 pm

Re: About Building Your First Firewall. Jump and Chain

Sat Dec 11, 2021 2:47 pm

Still a bit confused, bear with me.

1) is this line:
add action=jump chain=forward protocol=icmp jump-target=icmp comment="jump to ICMP filters"
related to all the icmp firewall filter rules underneath? Meaning something like, "go to the icmp rules underneath when you get icmp requests"?


2) this line is rather... overwhelming for me to grasp in each and every point:
add action=drop chain=forward comment="Drop tries to reach not public addresses from LAN" dst-address-list=not_in_internet in-interface=bridge log=yes log-prefix=!public_from_LAN out-interface=!bridge
add action=drop chain=forward comment="Drop incoming packets that are not NAT`ted" connection-nat-state=!dstnat connection-state=new in-interface=ether1 log=yes log-prefix=!NAT
Could you help me figure it out what it does step by step?

Thanks
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: About Building Your First Firewall. Jump and Chain

Sat Dec 11, 2021 3:00 pm

1) Yep, it has jump-target=icmp, so chain=icmp is exactly where it goes. The "icmp" here is just a name of chain, it could be anything else.

2) That line is actually two rules, first for outgoing packets (LAN->WAN):

- action=drop - throw the packet away
- chain=forward - traffic passing through router, so not to or from router itself
- dst-address-list=not_in_internet - list of destinations, containing non-public subnets like 10.0.0.0/8 and others
- in-interface=bridge - packets coming from LAN
- log=yes - each such packet should be logged (for debugging, otherwise not needed)
- log-prefix=!public_from_LAN - logging prefix
- out-interface=!bridge - packets not going to LAN (given there's already in-interface=bridge, such packets going back to source interface would be rare, they can occur e.g. with hairpin NAT)

and second for incoming packets (WAN->LAN):

- action=drop - same as above
- chain=forward - same as above
- connection-nat-state=!dstnat - connection is not dstnatted, i.e. it's not a forwarded port
- connection-state=new - only apply for new connections (initial packets)
- in-interface=ether1 - packets from internet
- log=yes - same as above
- log-prefix=!NAT - same as above
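To see Sob's step-by-step reading of the two rules and msatter's "subroutine" description of jump/return in one place, here is a toy model of how a RouterOS filter chain is walked. This is an added example, not code from the forum or from MikroTik; it assumes the contents of the not_in_internet list, a final catch-all accept standing in for the rest of the forward chain, and a simplified matcher model (an unset packet field never matches).

```python
# Toy model of how RouterOS walks filter chains (added illustration, not RouterOS
# code): "!" negates a matcher; jump enters a sub-chain and, if that sub-chain
# decides nothing (falls off the end or hits action=return), carries on below the jump.
import ipaddress
LISTS = {"not_in_internet": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]}  # assumed

def matches(rule, pkt):
    for key, want in rule.items():
        if key in ("action", "jump-target"):
            continue
        neg, want = want.startswith("!"), want.lstrip("!")  # "!x" = everything but x
        if key == "dst-address-list":
            hit = any(ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(n)
                      for n in LISTS[want])
        else:
            hit = pkt.get(key) == want  # a field the packet lacks never matches
        if hit == neg:
            return False
    return True

def run(chain, pkt):  # returns 'accept', 'drop', or None (chain decided nothing)
    for rule in CHAINS[chain]:
        if not matches(rule, pkt):
            continue
        if rule["action"] == "jump":
            verdict = run(rule["jump-target"], pkt)
            if verdict is not None:
                return verdict
            continue  # implicit return: next rule after the jump
        return None if rule["action"] == "return" else rule["action"]
    return None

# The page's three forward rules plus an assumed final accept standing in for the
# rest of the chain; the icmp sub-chain lists the page's allowed type:code pairs.
CHAINS = {
    "forward": [
        {"action": "drop", "dst-address-list": "not_in_internet", "in-interface": "bridge", "out-interface": "!bridge"},
        {"action": "drop", "connection-nat-state": "!dstnat", "connection-state": "new", "in-interface": "ether1"},
        {"action": "jump", "protocol": "icmp", "jump-target": "icmp"},
        {"action": "accept"}],
    "icmp": [{"action": "accept", "protocol": "icmp", "icmp-options": t}
             for t in ("0:0", "3:0", "3:1", "3:4", "8:0", "11:0", "12:0")]
            + [{"action": "drop"}]}

# Constructed packets: LAN host reaching a VPN-side subnet after the tunnel dropped,
# a LAN ping, an ICMP redirect, an unsolicited WAN connection, a port-forwarded one.
LEAK = {"in-interface": "bridge", "out-interface": "ether1", "dst": "10.8.0.5"}
PING = {**LEAK, "dst": "8.8.8.8", "protocol": "icmp", "icmp-options": "8:0"}
REDIRECT = {**PING, "icmp-options": "5:0"}
WAN_NEW = {"in-interface": "ether1", "out-interface": "bridge", "dst": "192.168.88.10", "connection-state": "new"}
FORWARDED = {**WAN_NEW, "connection-nat-state": "dstnat"}
```

Calling run("forward", pkt) on each constructed packet shows the leak and the unsolicited WAN connection dropped, the ping accepted inside the icmp sub-chain, the redirect dropped by the sub-chain's final rule, and the dstnat connection passing both drop rules.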
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: About Building Your First Firewall. Jump and Chain

Sat Dec 11, 2021 3:19 pm

Forget JUMP for ICMP, useless for the most part and if done incorrectly can really screw up connectivity, been there done that!

As for the rules..........
The first one is to stop private subnets (those reserved for use behind one's router) from leaving the router, and specifically private subnets that are NOT on your router.
The only thing that should be leaving your router is your public IP (as the router source nats your private LANIPs with the public IP of your router).

How it is possible that private IPs not on your router will attempt to leak out of one's router........ is also beyond me, but apparently it can happen.
The most common case is a broken vpn where through the VPN the router users are communicating with private LANS, and if the VPN stops working, well the attempts to communicate with these LANS may try to go out your ISP connection (vice the VPN tunnel). Hence why you see all these BOGON rules which is to stop the possibility of such LAN to WAN traffic.

The other rule has to do with port forwarding. I should note that I personally prefer new users avoid any rules with negative commands (everything but), which is shown with the exclamation symbol " ! ". One has to be careful on how to use these as they can have unexpected consequences if one does not understand what they do. They are a hammer and not a scalpel is the best analogy I can think of.

So the first rule...........
add action=drop chain=forward comment="Drop tries to reach not public addresses from LAN" dst-address-list=not_in_internet in-interface=bridge log=yes log-prefix=!public_from_LAN out-interface=!bridge

So the first rule basically states drop all traffic from source addresses identified (originating traffic) that are coming from the router's LANs heading towards the internet. Those source addresses are such groups of private IPs..... One of the problems is people forget to remove the private IP addresses they actually use on their own router and block themselves from outgoing internet traffic (browsing etc.), and the last bit after the log prefix says for all traffic heading towards any interface that is not the bridge (leaving the WAN interface usually).

The confusing bit is what the router will log, as the text or title on the log line he uses looks very much like Router Config Commands. I personally log very little (beyond default logging) as most of it is noise that eats up memory. Logging is very useful if you do detect issues and you want to troubleshoot, and then folks will recommend logging specific items in order to get to the root cause of issues. The log prefix means what is the title of the log line that will show up, and in this case the text on the logging line will be "!public_from_LAN".

As for the second rule that is basically saying, BLOCK ALL TRAFFIC FROM THE WAN, for all traffic EXCEPT dstnat traffic.
add action=drop chain=forward comment="Drop incoming packets that are not NAT`ted" connection-nat-state=!dstnat connection-state=new in-interface=ether1 log=yes log-prefix=!NAT

I personally like clearer and better security rules.
ALLOW ALL DST TRAFFIC FROM WAN (which can be disabled or removed if you don't do port forwarding)
BLOCK EVERYTHING ELSE (wan to lan, lan to wan, lan to lan)

add action=accept chain=forward comment="Allow port forwarding" connection-nat-state=dstnat connection-state=new in-interface=ether1
add action=drop chain=forward comment="drop all else"

(One thing should pop out at you: the last rule blocks all traffic and thus you no longer will have access to the internet, so any traffic you wish to allow, internet traffic, shared printer between subnets etc., has to be entered prior to the last block all rule.)

Ex. internet traffic
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
 
broderick
Member Candidate
Topic Author
Posts: 242
Joined: Mon Nov 30, 2020 7:44 pm

Re: About Building Your First Firewall. Jump and Chain

Sat Dec 11, 2021 5:41 pm

Much clearer, thanks @sob, @msatter, and @anav.

They are rules I think I'd better stay away from, for the time being at least; I need a better understanding of the Mikrotik world first.
Anyway, I also think that trying to understand more complex rules is a good way to bring your knowledge of this device to the next level.
I try it at least.

Thank you very much again for your informative and precise answers
 
PackElend
Member Candidate
Posts: 269
Joined: Tue Sep 29, 2020 6:05 pm

Re: About Building Your First Firewall. Jump and Chain

Thu Jul 07, 2022 10:33 am

Thx all for that very helpful conversation here :).

I would have a question in regard to "Drop packets from LAN that do not have LAN IP".
I missed the "!" to negate the LAN IP list, but traffic was still flowing.
I'm wondering if using the bridge's CPU Port as an in-interface is correct or do I have to use Interface-List?

The bridge bridge-VLANs contains all my VLAN interfaces; the list LAN.FULL_RANGE contains all possible IPs in my LAN (10.10.0.0/18):
add action=drop chain=forward in-interface=bridge-VLANs src-address-list=!LAN.FULL_RANGE log=yes log-prefix=LAN_!LAN comment="Drop packets from LAN that do not have LAN IP (by MikroTik)"
 
mkx
Forum Guru
Posts: 11433
Joined: Thu Mar 03, 2016 10:23 pm

Re: About Building Your First Firewall. Jump and Chain

Thu Jul 07, 2022 11:38 am

I'm wondering if using the bridge's CPU Port as an in-interface is correct or do I have to use Interface-List?

Firewall is working on L3 and only sees the immediately underlying L2 interface. When VLANs are used, the immediately underlying L2 interface will be the vlan interface created in /interface vlan.

On trunk ports (either directly used interface such as ether1 if not bridged or bridge interface (CPU port) when multiple ports are bridged together with vlan-enabled bridge) one will typically have multiple VLAN interfaces and if a single firewall filter rule is to be applied to all of VLANs, one has to construct interface list with all relevant vlan interfaces set as members and then use that interface list in firewall filter rule.
 
PackElend
Member Candidate
Posts: 269
Joined: Tue Sep 29, 2020 6:05 pm

Re: About Building Your First Firewall. Jump and Chain

Fri Jul 08, 2022 4:45 pm

Wow, that was a quick answer, thx a lot :).
I'm wondering if using the bridge's CPU Port as an in-interface is correct or do I have to use Interface-List?
Firewall is working on L3 and only sees the immediately underlying L2 interface. When VLANs are used, the immediately underlying L2 interface will be the vlan interface created in /interface vlan.
I have probably mistaken the purpose of the Bridge-CPU-Port: although traffic flows through this port, it won't flow directly to L3 services.
I try to explain it:
physical access port -> Bridge-CPU-Port --> VLAN-Interface (L2/L3 Interface)
Port only connects things (cable to an interface, NIC / Switch Chip to CPU)
The interface is an interface to other functions (either hardware or software) :roll:
On trunk ports (either directly used interface such as ether1 if not bridged or bridge interface (CPU port) when multiple ports are bridged together with vlan-enabled bridge) one will typically have multiple VLAN interfaces and if a single firewall filter rule is to be applied to all of VLANs, one has to construct interface list with all relevant vlan interfaces set as members and then use that interface list in firewall filter rule.
the solution as code:
/interface/list
add name=list.Bridge-VLANs
/interface/list/member
add list=list.Bridge-VLANs interface=VLAN_VLAN_BKHOLE
add list=list.Bridge-VLANs interface=VLAN_VLAN_GUEST 
add list=list.Bridge-VLANs interface=VLAN_VLAN_INTRA 
add list=list.Bridge-VLANs interface=VLAN_VLAN_SYS  
add list=list.Bridge-VLANs interface=VLAN_VLAN_MGMT
add list=list.Bridge-VLANs interface=VLAN_VLAN_COMMON
add list=list.Bridge-VLANs interface=VLAN_VLAN_USER2
add list=list.Bridge-VLANs interface=VLAN_VLAN_USER3
add list=list.Bridge-VLANs interface=VLAN_VLAN_USER6
add list=list.Bridge-VLANs interface=VLAN_VLAN_IoT

/ip firewall filter
add action=drop chain=forward dst-address-list=not_in_internet in-interface-list=list.Bridge-VLANs out-interface-list=!list.Bridge-VLANs log=yes log-prefix=!public_from_LAN
