 
dima1002
Member Candidate
Topic Author
Posts: 160
Joined: Fri Jan 26, 2018 8:40 pm

Optimize Firewall - Raw? more Security?

Wed Nov 23, 2022 9:46 pm

Hi,

what do you think about this firewall?

1. I would like to move what is possible to the RAW chain.
2. Port scanner, internally and externally
3. SSH, Winbox blacklist
4. What else would increase security?


### Telephone
/ip firewall mangle
add action=mark-connection chain=forward dst-address=192.168.141.100 dst-port=5060 new-connection-mark=sip-connection protocol=tcp
add action=mark-packet chain=forward connection-mark=sip-connection new-packet-mark=SIP
add action=mark-connection chain=forward dst-address=192.168.141.100 new-connection-mark=rtp-connection port=10000-20000 protocol=udp
add action=mark-packet chain=forward connection-mark=rtp-connection new-packet-mark=RTP

/ip firewall raw
# drops every packet from a listed source before connection tracking sees it;
# the "ddosed" list filled by the detect-ddos chain below is never referenced, so a listed
# source is blocked for all destinations, not only for the one it was flooding
add action=drop chain=prerouting comment=DDos src-address-list=ddoser

##Address Lists
/ip firewall address-list
add comment="Black List (SSH)" list="Black List (SSH)"
add comment="Black List (Winbox)" list="Black List (Winbox)"
add comment="Black List (Port Scanner WAN)" list="Black List (Port Scanner WAN)"
add comment="Black List (Port Scanner LAN)" list="Black List (Port Scanner LAN)"
add address=192.168.141.0/24 list=local

/ip firewall connection tracking set enabled=yes

/ip settings set tcp-syncookies=yes

# first rule of the detect-ddos chain used below: SYN-ACK traffic that stays under the
# per source/destination pair limit (32 per 10s, burst 32) returns without being listed
/ip firewall filter add action=return chain=detect-ddos dst-limit=32,32,src-and-dst-addresses/10s protocol=tcp tcp-flags=syn,ack

/ip firewall service-port set sip disabled=yes

/ip firewall filter
add action=drop chain=input comment="Drop invalid connections" connection-state=invalid
add action=drop chain=input comment="Drop Netbios" dst-port=137,138 protocol=udp

###DDOS
add action=jump chain=input comment="Dos protect" connection-state=new jump-target=detect-ddos
add action=return chain=detect-ddos dst-limit=32,42,src-and-dst-addresses/10s
add action=return chain=detect-ddos src-address=192.168.141.1
add action=add-dst-to-address-list address-list=ddosed address-list-timeout=1w10m chain=detect-ddos
add action=add-src-to-address-list address-list=ddoser address-list-timeout=1w10m chain=detect-ddos

###Port Scanner
# psd=21,3s,3,1: weight threshold 21 reached within 3s, low ports weigh 3, high ports weigh 1
# "(WAN)" list = scans aimed at the router itself (chain=input); "(LAN)" list = scans passing
# through the router to inside hosts (chain=forward); both only count sources on in-interface-list=WAN
add action=drop chain=input comment="Drop Port Scanner (WAN) list." in-interface-list=WAN log=yes log-prefix="BL_Black List (Port Scanner WAN)" src-address-list=\
    "Black List (Port Scanner WAN)"
add action=drop chain=forward comment="Drop Port Scanner (WAN) list." in-interface-list=WAN log=yes log-prefix="BL_Black List (Port Scanner WAN)" src-address-list=\
    "Black List (Port Scanner WAN)"
add action=add-src-to-address-list address-list="Black List (Port Scanner WAN)" address-list-timeout=4w2d chain=input comment="Add TCP port scanner to Port Scanner (WAN) list." \
    in-interface-list=WAN log=yes log-prefix="Add_Black List (Port Scanner WAN)" protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="Drop anyone in the Port Scanner (LAN) list." in-interface-list=WAN log=yes log-prefix="BL_Black List (Port Scanner LAN)" src-address-list=\
    "Black List (Port Scanner LAN)"
add action=drop chain=forward comment="Drop anyone in the Port Scanner (LAN) list." in-interface-list=WAN log=yes log-prefix="BL_Black List (Port Scanner LAN)" src-address-list=\
    "Black List (Port Scanner LAN)"
add action=add-src-to-address-list address-list="Black List (Port Scanner LAN)" address-list-timeout=4w2d chain=forward comment="Add TCP port scanner to Port Scanner (LAN) list." \
    in-interface-list=WAN log=yes log-prefix="Add_Black List (Port Scanner LAN)" protocol=tcp psd=21,3s,3,1

###Winbox
add action=drop chain=input comment="Drop anyone in Black List (Winbox)." in-interface-list=WAN log=yes log-prefix="BL_Black List (Winbox)" src-address-list="Black List (Winbox)"
add action=jump chain=input comment="Jump to Black List (Winbox) chain." dst-port=8291 in-interface-list=WAN jump-target="Black List (Winbox) Chain" protocol=tcp
add action=add-src-to-address-list address-list="Black List (Winbox)" address-list-timeout=4w2d chain="Black List (Winbox) Chain" comment=\
    "Transfer repeated attempts from Black List (Winbox) Stage 3 to Black List (Winbox)." connection-state=new in-interface-list=WAN log=yes log-prefix="Add_Black List (Winbox)" \
    src-address-list="Black List (Winbox) Stage 3"
add action=add-src-to-address-list address-list="Black List (Winbox) Stage 3" address-list-timeout=1m chain="Black List (Winbox) Chain" comment=\
    "Add succesive attempts to Black List (Winbox) Stage 3." connection-state=new in-interface-list=WAN log=yes log-prefix="Add_Black List (Winbox) S3" src-address-list=\
    "Black List (Winbox) Stage 2"
add action=add-src-to-address-list address-list="Black List (Winbox) Stage 2" address-list-timeout=1m chain="Black List (Winbox) Chain" comment=\
    "Add succesive attempts to Black List (Winbox) Stage 2." connection-state=new in-interface-list=WAN log=yes log-prefix="Add_Black List (Winbox) S2" src-address-list=\
    "Black List (Winbox) Stage 1"
add action=add-src-to-address-list address-list="Black List (Winbox) Stage 1" address-list-timeout=1m chain="Black List (Winbox) Chain" comment=\
    "Add initial attempt to Black List (Winbox) Stage 1." connection-state=new in-interface-list=WAN log=yes log-prefix="Add_Black List (Winbox) S1"
add action=return chain="Black List (Winbox) Chain" comment="Return From Black List (Winbox) chain."

###SSH
add action=drop chain=input comment="Drop anyone in Black List (SSH)." in-interface-list=WAN log=yes log-prefix="BL_Black List (SSH)" src-address-list="Black List (SSH)"
add action=jump chain=input comment="Jump to Black List (SSH) chain." dst-port=2222 in-interface-list=WAN jump-target="Black List (SSH) Chain" protocol=tcp
add action=add-src-to-address-list address-list="Black List (SSH)" address-list-timeout=4w2d chain="Black List (SSH) Chain" comment=\
    "Transfer_repeated attempts from Black List (SSH) Stage 3 to Black List (SSH)." connection-state=new in-interface-list=WAN log=yes log-prefix="Add_Black List (SSH)" \
    src-address-list="Black List (SSH) Stage 3"
add action=add-src-to-address-list address-list="Black List (SSH) Stage 3" address-list-timeout=1m chain="Black List (SSH) Chain" comment=\
    "Add successive attempts to Black List (SSH) Stage 3." connection-state=new in-interface-list=WAN log=yes log-prefix="Add_Black List (SSH) S3" src-address-list=\
    "Black List (SSH) Stage 2"
add action=add-src-to-address-list address-list="Black List (SSH) Stage 2" address-list-timeout=1m chain="Black List (SSH) Chain" comment=\
    "Add successive attempts to Black List (SSH) Stage 2." connection-state=new in-interface-list=WAN log=yes log-prefix="Add_Black List (SSH) S2" src-address-list=\
    "Black List (SSH) Stage 1"
add action=add-src-to-address-list address-list="Black List (SSH) Stage 1" address-list-timeout=1m chain="Black List (SSH) Chain" comment=\
    "Add initial attempt to Black List (SSH) Stage 1." connection-state=new in-interface-list=WAN log=yes log-prefix="Add_Black List (SSH) S1"
add action=return chain="Black List (SSH) Chain" comment="Return From Black List (SSH) chain."
###INPUT
# established/related are accepted only here, after the DDoS, port-scan and blacklist rules above,
# so every packet of an existing connection is still evaluated by those rules first
add action=accept chain=input comment="Accept established connections" connection-state=established
add action=accept chain=input comment="Accept related connections" connection-state=related
add action=accept chain=input comment="Allow limited pings" limit=50/5s,2:packet protocol=icmp
add action=drop chain=input comment="Drop excess pings" protocol=icmp
add action=accept chain=input comment="Accept SSH for secure shell" dst-port=2222 protocol=tcp
add action=accept chain=input comment="Accept VPN" protocol=ipsec-esp
add action=accept chain=input comment="Accept OpenVPN" dst-port=1194 protocol=tcp
add action=accept chain=input comment="Accept VPN" dst-port=500,4500,1701 protocol=udp
add action=accept chain=input comment="Accept Winbox access" dst-port=8291 protocol=tcp src-address-list=local
add action=accept chain=input comment="Accept Winbox MAC" dst-port=20561 in-interface-list=!WAN log-prefix=MIKROTIK_MAC_LOGIN protocol=udp src-address-list=local
add action=accept chain=input comment="Accept NDP" dst-port=5678 in-interface-list=!WAN protocol=udp src-address-list=local
add action=accept chain=input comment="Accept DNS Querry" dst-port=53 in-interface-list=!WAN protocol=udp src-address-list=local
add action=accept chain=input comment="Accept NTP Querry" dst-port=123 in-interface-list=!WAN protocol=udp src-address-list=local
add action=accept chain=input comment="Accept DHCP Querry" dst-port=67 in-interface-list=!WAN protocol=udp src-address-list=local src-port=68
add action=accept chain=input comment="CAPsMAN accept all local traffic" src-address-type=local
add action=drop chain=input comment="Drop everything else" log-prefix="IN DROP REST -> "

###FORWARD
# these two rules sit before the DSTNAT accept and match any TCP/80,443 forwarded in from WAN1, not only dst-nated connections
add action=accept chain=forward comment=E-MAIL dst-port=80 in-interface=WAN1 log-prefix=80 protocol=tcp
add action=accept chain=forward comment=E-MAIL dst-port=443 in-interface=WAN1 log-prefix=443 protocol=tcp
add action=accept chain=forward comment="Accept traffic arriving from l2tp-PGP01" in-interface=l2tp-PGP01
add action=accept chain=forward comment="Accept traffic leaving via l2tp-PGP01" out-interface=l2tp-PGP01
add action=accept chain=forward comment="Accept DSTNAT connections" connection-nat-state=dstnat
add action=accept chain=forward comment="Accept established connections" connection-state=established
add action=accept chain=forward comment="Accept related connections" connection-state=related
add action=accept chain=forward comment="Allow Forward to WAN" out-interface=WAN1
add action=accept chain=forward comment="Allow Forward to WAN" out-interface=WAN2
add action=drop chain=forward comment="Drop invalid connections" connection-state=invalid
add action=log chain=forward comment="Log everything else" log=yes log-prefix="DROP FORWARD"
add action=drop chain=forward comment="Drop everything else"
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Optimize Firewall - Raw? more Security?

Wed Nov 23, 2022 11:20 pm

I would say KISS and understand that your router is not meant to, nor can it, handle DDoS-type attacks etc.

Stick to the defaults and use drop-all at the end of the input and forward chains and you should be good to go.
If you have open doors on your router due to port forwarding then I suggest you limit access on the destination NAT rules by source address list.
Preferable is to have users connect via VPN and then access the server.

viewtopic.php?t=180838

Furthermore, the only reasonable way to remotely reach and configure the router or resources for you as the admin and primary user is to vpn in first.
 
dima1002
Member Candidate
Topic Author
Posts: 160
Joined: Fri Jan 26, 2018 8:40 pm

Re: Optimize Firewall - Raw? more Security?

Thu Nov 24, 2022 9:13 am

Forward and input always drop at the end, except for the ping. Is that so bad?

VPN is not always possible, but for input via Winbox we solved this via the address list.

With NAT, I want to receive my emails on the go, i.e. I'm always on the move with dynamic IPs. How do I limit that?
 
dima1002
Member Candidate
Topic Author
Posts: 160
Joined: Fri Jan 26, 2018 8:40 pm

Re: Optimize Firewall - Raw? more Security?

Sun Nov 27, 2022 12:52 pm

Can anyone help me with this or have a suggestion for improvement? Security is very important to me.
 
mkx
Forum Guru
Posts: 11383
Joined: Thu Mar 03, 2016 10:23 pm

Re: Optimize Firewall - Raw? more Security?

Sun Nov 27, 2022 3:36 pm

As already mentioned, the raw firewall part has no notion of connections, so it's harder to implement highly selective rules. There are a few (possibly the fingers of a single hand suffice) cases when it's better to use raw firewall rules. One is handling of (D)DoS attacks, since those hit the connection tracking machinery really hard. Blacklisting might be another one, but possibly less resource friendly. Keep in mind that all passed packets have to be evaluated against all rules, and if only a small fraction of packets get dropped due to raw filters, this is not optimal usage of resources.

As @anav writes many times: contemporary default firewall settings are pretty decent and secure. The concept of "allow needed, drop the rest" is implemented using a slightly awkward last rule (drop everything from WAN that is not dst-nated) and would be easier to grasp and/or adjust if it were in two rules (1. accept dst-nated from WAN and 2. drop everything from WAN), but the defaults are pretty good. If you want to tinker (e.g. log different hacking attempts), then you're on your own ... but it's hard to come up with a more secure (and better performing) firewall setup than the default.
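The two suggestions made in this thread so far, anav's "limit access on the destination NAT rules by source address list" and mkx's two-rule form of the default "drop all from WAN that is not dst-nated" rule, written out as one RouterOS example. This is added editorial material, not configuration from the thread, from MikroTik's default firewall or from either poster. Assumptions: an interface list named WAN already exists and contains WAN1 and WAN2 (the original post matches on in-interface-list=WAN), 192.168.141.10 is a hypothetical mail server inside the 192.168.141.0/24 network from the post, and the mail-clients list with its 203.0.113.0/24 entry is a constructed "known client networks" list.

```routeros
# Added example (not from the thread). Assumed: interface list WAN holds WAN1/WAN2,
# 192.168.141.10 is the mail server, 203.0.113.0/24 is a constructed "known client" range.
/ip firewall address-list
add list=mail-clients address=203.0.113.0/24 comment="assumed: networks allowed to reach the mail server"

/ip firewall nat
# Weak form (kept disabled for comparison): translates TCP/443 from any Internet source,
# so the forward chain's "accept dst-nated" rule opens the mail server to the world.
add chain=dstnat action=dst-nat in-interface-list=WAN protocol=tcp dst-port=443 \
    to-addresses=192.168.141.10 to-ports=443 disabled=yes \
    comment="OPEN port forward to mail server (weak form)"
# Restricted form: only sources on the list are translated. Anyone else is left untouched,
# stays addressed to the router's own WAN address and therefore ends up in the input chain,
# where the "drop everything else" rule of the original post handles it.
add chain=dstnat action=dst-nat in-interface-list=WAN protocol=tcp dst-port=443 \
    src-address-list=mail-clients to-addresses=192.168.141.10 to-ports=443 \
    comment="port forward to mail server, only from mail-clients"

/ip firewall filter
add chain=forward action=accept connection-state=established,related comment="fast path"
add chain=forward action=drop connection-state=invalid comment="drop invalid"
# 1. accept new connections from WAN that a dst-nat rule explicitly opened
add chain=forward action=accept connection-state=new connection-nat-state=dstnat \
    in-interface-list=WAN comment="accept dst-nated from WAN"
# 2. drop every other new connection arriving from WAN
add chain=forward action=drop connection-state=new in-interface-list=WAN \
    comment="drop everything else from WAN"
```

Two rules instead of one make the intent reviewable: the first states what is allowed in from WAN (only what dst-nat opened), the second states that nothing else from WAN is forwarded, and neither depends on a negated match. The restriction lives on the NAT rule rather than in the filter because a source that is never translated never becomes a forwarded connection at all. A client on a changing address, as dima1002 describes, is exactly the case this list cannot express; keeping that client on the list by hand, or having it connect through the VPN first, are the only options this configuration offers.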
 
dima1002
Member Candidate
Topic Author
Posts: 160
Joined: Fri Jan 26, 2018 8:40 pm

Re: Optimize Firewall - Raw? more Security?

Wed Nov 30, 2022 10:35 pm

My firewall was an example. Couldn't everyone just post their firewall?

Or is there a kind of basic firewall summarized from the examples:
https://help.mikrotik.com/docs/display/ ... d+Firewall
https://help.mikrotik.com/docs/display/ ... prevention
https://help.mikrotik.com/docs/pages/vi ... d=28606504
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Optimize Firewall - Raw? more Security?

Thu Dec 01, 2022 2:25 pm

For someone asking for help, it's weird you keep turning it down and being uncooperative.
You have to do the work and then post your config for review if still having issues.

And yes, the full config, because all the bits of a script are connected and affect each other.
 
dima1002
Member Candidate
Topic Author
Posts: 160
Joined: Fri Jan 26, 2018 8:40 pm

Re: Optimize Firewall - Raw? more Security?

Thu Dec 01, 2022 9:39 pm

I'm sorry. I didn't want to be uncooperative.
I thought too much information would bother me, so I deleted that.

Why is the serial number or something important at all?
Should I always post everything with "/export compact" ?
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Optimize Firewall - Raw? more Security?

Thu Dec 01, 2022 10:02 pm

In terms of the serial number, not sure, but it was advice from someone far more expert than myself, and it is done to protect the router if hacked, I guess.

plain /export file=anynameyouwish is fine.
 
mkx
Forum Guru
Posts: 11383
Joined: Thu Mar 03, 2016 10:23 pm

Re: Optimize Firewall - Raw? more Security?

Fri Dec 02, 2022 10:48 am

Why is the serial number or something important at all?
If one uses cloud functionality (under /ip cloud), especially if ddns-enabled is set to yes, then a DNS entry in the form <serial_number>.sn.mynetname.net will appear. So if somebody posts a config which is a good example of a misconfigured firewall, an attacker would have a pretty easy task to compromise that device (before the owner/admin could fix the problems). Hence the advice to redact the serial number when posting a full config.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Optimize Firewall - Raw? more Security?

Fri Dec 02, 2022 4:46 pm

Thanks mkx, explanation added to the article on making posts useful.
I scrape gems manually :-)
 
dima1002
Member Candidate
Topic Author
Posts: 160
Joined: Fri Jan 26, 2018 8:40 pm

Re: Optimize Firewall - Raw? more Security?

Sun Dec 04, 2022 10:59 am

I didn't want to start a fight here and I didn't want to be uncooperative either. I understand that it is not good if some only post half scripts. But the topic here was really only about the firewall.
I also see the serial number and Cloud DDNS as a danger.
But my example above must be sufficient for the firewall? Or should I now really post everything, with bridge and interfaces? I just want ideas/tips on what I can improve.
 
mkx
Forum Guru
Posts: 11383
Joined: Thu Mar 03, 2016 10:23 pm

Re: Optimize Firewall - Raw? more Security?

Sun Dec 04, 2022 6:54 pm

When it comes to the firewall ... there's a common consensus that the default firewall, which comes with SOHO class devices, is decently secure and decently performant. However it doesn't suit everybody and there are (border) cases where a different setup fares better. But it's really down to actual requirements and it's impossible to comment if the context is not fully known. Your initial post doesn't explain the context.
Example: to me, most filtering in raw seems to be useless nit-picking in most cases. I can imagine a few cases when raw rules actually make sense, but I don't know if that's the case here. During an actual DDoS, your router will be hit by packets originating from millions of source addresses, but each sending only a few packets. I'm not sure your ddos detection rule catches that. OTOH it might push RAM usage to the limit due to an excessively long address list.
