zaqik
newbie
Topic Author
Posts: 30
Joined: Mon Apr 13, 2020 5:31 pm

Dumb firewall question

Mon Aug 15, 2022 2:15 pm

Hi!

If my firewall is empty (no rules at all), then all traffic is allowed (should I call it accepted in terms of the firewall?) through the router.
If I create a rule to drop invalid connections, why do I need a rule to accept established,related?

I mean these rules, which are present in most "basic MikroTik setup" guides:

/ip firewall filter add action=accept chain=forward connection-state=established,related
/ip firewall filter add action=drop chain=forward connection-state=invalid

If I make a last-in-the-list rule to drop everything, then I don't need the drop invalid rule, since invalid connections will be dropped anyway. If I don't have a drop everything rule at all, then I don't need accept established,related, since they are allowed anyway like any other traffic. Am I missing the point of all of that, or do I not understand how the firewall works but think that I do?
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19175
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Dumb firewall question

Mon Aug 15, 2022 2:35 pm

 
zaqik
newbie
Topic Author
Posts: 30
Joined: Mon Apr 13, 2020 5:31 pm

Re: Dumb firewall question

Mon Aug 15, 2022 2:44 pm

So now I know the exact step at which Filter is working. Excuse me, but how does it explain the working of filter rules?
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19175
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Dumb firewall question

Mon Aug 15, 2022 2:47 pm

 
zaqik
newbie
Topic Author
Posts: 30
Joined: Mon Apr 13, 2020 5:31 pm

Re: Dumb firewall question

Mon Aug 15, 2022 3:09 pm

There are two methods of setting up filtering:

allow specific traffic and drop everything else
drop only malicious traffic, everything else is allowed.

And how does one achieve each of the methods? Is my suggestion correct that for the first you need a final rule to "drop everything" and previous rules to accept the required traffic? And for the second you just create drop rules, since everything else will be accepted by default without an additional "accept everything" rule? If so, then I'm sorry, but there's no answer to my question about the two exact rules and their impact.

Maybe there's a forum user who will be so generous as to explain to me in words, not with links, how the two mentioned rules can be suited for anything?

When I saw a lot of people say "accept established,related", I heard "drop all other states". But it's total nonsense, because I need to drop new too. So either "a lot of people" just braindeadly copy-pasted some info (probably partially) or I don't get how the firewall works and need a clearer explanation (on my example, if you please) than the info on the provided page.
 
Sob
Forum Guru
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Dumb firewall question

Mon Aug 15, 2022 5:39 pm

It's a stateful firewall; it doesn't see just individual packets, but also their state within a connection (be it a real one like TCP or a fake one like UDP streams). The order of rules matters, because they are processed from top to bottom and the first matching one is used. The fewer rules that need to be checked, the better, because it means less work for the router, less CPU usage, more possible throughput. So a typical firewall (default-deny):

1) allow established & related & untracked
2) drop invalid
3) allow new traffic (new here is implicit, because all other states were already handled before)
4) unconditionally block (drop or reject) everything else

Has 1) first, because it will match the vast majority of packets. One packet, one rule checked, done. You want to have 2), because packets with invalid state could otherwise be allowed by some rule in 3), if other parameters matched.

This applies also when you use reversed logic (default-allow):

1) allow established & related & untracked
2) drop invalid
3) block new traffic that shouldn't be allowed

You still want 1) and 2), because if you have an established connection, you don't want each packet checked against a hundred rules in 3).
 
zaqik
newbie
Topic Author
Posts: 30
Joined: Mon Apr 13, 2020 5:31 pm

Re: Dumb firewall question

Mon Aug 15, 2022 5:57 pm

You still want 1) and 2), because if you have an established connection, you don't want each packet checked against a hundred rules in 3).
But without 3), do you really need 1)? I see how 1) and 2) work, I just don't get if there's a reason to use them alone, without 3). No additional rules - no need to avoid passing through them just to reach the end of the list to be accepted by default. Is this right?
 
MrYan
Member Candidate
Member Candidate
Posts: 160
Joined: Sat Feb 27, 2010 6:13 pm

Re: Dumb firewall question

Mon Aug 15, 2022 6:26 pm

You could just have 2) and DROP INVALID without the other rules.
 
Sob
Forum Guru
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Dumb firewall question

Mon Aug 15, 2022 6:31 pm

Without any rules in 3), you wouldn't need a firewall at all, because everything would be allowed to pass (for default-allow). But usually you do want to block something (new connections from the internet, ...).

Even if you use the firewall only to protect the router itself (chain=input), it activates connection tracking, which is the heavy part. In that case, some firewall rules in chain=forward, together with fasttrack, may give better results than keeping it empty (it's a guess, I'm not sure).
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19175
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Dumb firewall question

Mon Aug 15, 2022 7:24 pm

Nice writeup Sob, something similar just appeared magically in #8. You know where.........
 
zaqik
newbie
Topic Author
Posts: 30
Joined: Mon Apr 13, 2020 5:31 pm

Re: Dumb firewall question

Tue Aug 16, 2022 3:22 pm

You could just have 2) and DROP INVALID without the other rules.
That's what I tried to clarify, thank you.

Without any rules in 3), you wouldn't need firewall at all
I meant, what's the point of having 1) and 2) without 3) if - my guess is I'm failing to explain - without 3) it's enough to have just 2). I'm talking about this scheme, if anything:
1) allow established & related & untracked
2) drop invalid
3) block new traffic that shouldn't be allowed
 
Sob
Forum Guru
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Dumb firewall question

Tue Aug 16, 2022 6:18 pm

Yes, if you want your firewall to drop only packets with invalid connection state, but allow everything else (and not really do anything else at all), then just the "drop invalid" rule alone would do. I just wonder what exact purpose such a firewall would have; where would you use it?
 
User avatar
mkx
Forum Guru
Forum Guru
Posts: 11476
Joined: Thu Mar 03, 2016 10:23 pm

Re: Dumb firewall question

Tue Aug 16, 2022 7:25 pm

Essentially it boils down to the performance of a non-trivial filter rule set. Imagine that evaluating a filter rule for each packet bears a certain cost (in terms of CPU cycles, and the device has a limit for those; extensive processing delay affects end-to-end throughput as well). So one wants to construct a filter rule set that will cost the least for the average traffic hitting the device.
If there's only one rule in the firewall (e.g. #2 from the 3-rule list used in previous posts), then all packets would incur a cost of 1 unit (regardless of the actual action taken by that rule). In the case of using the 3-rule set, most packets get dealt with entirely by the first rule, some by the second (total cost for those is 2), some by the third (total cost for those is 3) and some would pass all rules (again total cost is 3). So perhaps the average cost would be 0.997+0.002+0.003+0.003=1.005 (if the portion of packets dealt with by rule #2 is 1:1000, the portion of packets dealt with by rule #3 the same, and the portion of packets dropping off the rule set as well) or something. Without rule #1, most packets would have to pass 2 rules (#2 and #3), only a fraction (e.g. 1:1000) would be handled by #2 alone and another fraction (1:1000) would pass #2 and be handled by #3, so the average processing cost would be 0.001+0.002+1.996=1.999. So on average almost double the processing cost due to elimination of the first rule.
With a longer filter rule list the average processing cost can skyrocket if one doesn't deal with the vast majority of packets as soon as possible, and the most frequent packets in the vast majority of cases are "established,related" packets (a legitimate connection can consist of millions of packets); valid new packets are a few per connection, and the number of invalid ones depends on various factors and can be almost zero (ideal case) or considerable (specially crafted attacks against your firewall, or routing misconfiguration - routing triangles).

Actual processing cost calculation is more complex than the example above, as not all rules bear the same cost. And it also depends much on the actual filter rule "hit rate" and other factors. But the results are probably not very different.

And all of the above is without considering fasttrack.
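An added example (not code from the thread) that models a first-match filter chain in Python, to check both Sob's point that "drop invalid" must sit before the accept rules in 3) and mkx's per-packet cost estimate above. The rule and packet fields (states, dst) and the traffic shares are assumptions standing in for connection-state=, dst-port= and a constructed traffic mix.

```python
from fractions import Fraction
# Added example, not code from the thread: a model of a first-match stateful
# filter chain. Rule and packet fields are assumptions standing in for
# connection-state= and dst-port= on a RouterOS rule.
ACCEPT, DROP = "accept", "drop"

def rule(action, states=None, dst=None):
    """A rule matches when every given property matches (None = any)."""
    return {"action": action, "states": states, "dst": dst}

def evaluate(rules, packet, default=ACCEPT):
    """Walk the chain top to bottom; the first matching rule decides.
    Returns (action, rules_examined). An exhausted chain accepts, as
    an empty RouterOS filter does."""
    for examined, r in enumerate(rules, start=1):
        if r["states"] is not None and packet["state"] not in r["states"]:
            continue
        if r["dst"] is not None and packet["dst"] != r["dst"]:
            continue
        return r["action"], examined
    return default, len(rules)

def average_cost(rules, traffic):
    """traffic: list of (packet, share of all packets); expected rules examined."""
    return sum(share * evaluate(rules, p)[1] for p, share in traffic)

ACCEPT_ESTREL = rule(ACCEPT, states={"established", "related", "untracked"})
DROP_INVALID = rule(DROP, states={"invalid"})
INVALID_TO_WEB = {"state": "invalid", "dst": "web"}

# Default-deny chain; 3) is "accept traffic to the web server" written without
# connection-state=, as such rules often are. Without "drop invalid" the
# invalid packet is accepted by 3) before the final drop ever sees it.
DEFAULT_DENY = [ACCEPT_ESTREL, DROP_INVALID, rule(ACCEPT, dst="web"), rule(DROP)]
NO_DROP_INVALID = [ACCEPT_ESTREL, rule(ACCEPT, dst="web"), rule(DROP)]

# Default-allow chain from mkx's estimate with a constructed traffic mix:
# 997/1000 established, 1/1000 each of invalid, unwanted new, wanted new.
DEFAULT_ALLOW = [ACCEPT_ESTREL, DROP_INVALID, rule(DROP, states={"new"}, dst="ssh")]
MIX = [
    ({"state": "established", "dst": "web"}, Fraction(997, 1000)),  # rule 1
    ({"state": "invalid", "dst": "web"}, Fraction(1, 1000)),        # rule 2
    ({"state": "new", "dst": "ssh"}, Fraction(1, 1000)),            # rule 3
    ({"state": "new", "dst": "web"}, Fraction(1, 1000)),            # falls through
]

if __name__ == "__main__":
    print(evaluate(DEFAULT_DENY, INVALID_TO_WEB), evaluate(NO_DROP_INVALID, INVALID_TO_WEB))
    print(average_cost(DEFAULT_ALLOW, MIX), average_cost(DEFAULT_ALLOW[1:], MIX))
```

Running it reproduces mkx's 1.005 against 1.999 rules examined per packet with and without rule #1, and shows the invalid packet being accepted by rule 3) once "drop invalid" is removed.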
