 
pablo
newbie
Topic Author
Posts: 46
Joined: Sun Apr 18, 2010 8:18 am

Firewall Testing Recommendations

Sun Apr 18, 2010 10:11 pm

I'm using RouterOS for a small business firewall and I'd like some suggestions for testing before deployment. I've used nmap for scans but I'm wondering if there are more professional suggestions.
 
BrianHiggins
Forum Veteran
Posts: 720
Joined: Mon Jan 16, 2006 6:07 am
Location: Norwalk, CT

Re: Firewall Testing Recommendations

Fri Apr 23, 2010 10:15 pm

disable unneeded packages, restrict or disable services [/ip services] to your LAN or management subnet

additionally, if you use the firewall wizard in webbox (log on to the web interface) and check the protect customer (and router if you prefer) box, it will create a nice set of firewall rules to start with that will keep unwanted traffic out.
 
pablo
newbie
Topic Author
Posts: 46
Joined: Sun Apr 18, 2010 8:18 am

Re: Firewall Testing Recommendations

Fri Apr 23, 2010 10:52 pm

Thanks for the advice. I didn't want to mess up my existing rules and I had heard that the web gui might do that. I did a fresh install of RouterOS 2.6 on a VM and used the web GUI. In case this is useful to anyone else I am posting the export output after setting all of the default protect options + NAT:
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s tcp-close-wait-timeout=10s tcp-established-timeout=1d tcp-fin-wait-timeout=\
    10s tcp-last-ack-timeout=10s tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no tcp-time-wait-timeout=10s udp-stream-timeout=3m \
    udp-timeout=10s
/ip firewall filter
add action=accept chain=input comment="Added by webbox" disabled=no protocol=icmp
add action=accept chain=input comment="Added by webbox" connection-state=established disabled=no in-interface=WAN
add action=accept chain=input comment="Added by webbox" connection-state=related disabled=no in-interface=WAN
add action=drop chain=input comment="Added by webbox" disabled=no in-interface=WAN
add action=jump chain=forward comment="Added by webbox" disabled=no in-interface=WAN jump-target=customer
add action=accept chain=customer comment="Added by webbox" connection-state=established disabled=no
add action=accept chain=customer comment="Added by webbox" connection-state=related disabled=no
add action=drop chain=customer comment="Added by webbox" disabled=no
/ip firewall nat
add action=masquerade chain=srcnat comment="Added by webbox" disabled=no out-interface=WAN
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061
set pptp disabled=no
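A quick offline sanity check over that export, added here as an example (it is not pablo's code and not part of RouterOS): it parses the /ip firewall filter rules, follows the jump into the customer chain, confirms that unsolicited traffic arriving on WAN ends in a drop for both input and forward, and reports any stateless accept that does not exclude WAN. The interface name WAN and the sample text come from the post above; the MATCHERS set is an assumed subset of RouterOS rule matchers.

```python
import shlex
# Constructed sample: the "/ip firewall filter" section of the export posted above.
SAMPLE_EXPORT = """\
/ip firewall filter
add action=accept chain=input comment="Added by webbox" disabled=no protocol=icmp
add action=accept chain=input comment="Added by webbox" connection-state=established disabled=no in-interface=WAN
add action=accept chain=input comment="Added by webbox" connection-state=related disabled=no in-interface=WAN
add action=drop chain=input comment="Added by webbox" disabled=no in-interface=WAN
add action=jump chain=forward comment="Added by webbox" disabled=no in-interface=WAN jump-target=customer
add action=accept chain=customer comment="Added by webbox" connection-state=established disabled=no
add action=accept chain=customer comment="Added by webbox" connection-state=related disabled=no
add action=drop chain=customer comment="Added by webbox" disabled=no
"""
# Assumed subset of keys that narrow what a rule matches; comment, disabled, action and jump-target do not.
MATCHERS = {"in-interface", "out-interface", "protocol", "connection-state", "src-address", "dst-address", "dst-port"}

def parse_filter_rules(export_text):
    """Return the 'add ...' rules under /ip firewall filter as dicts, in rule order."""
    rules, section = [], None
    for line in (raw.strip() for raw in export_text.splitlines()):
        if line.startswith("/"):
            section = line
        elif section == "/ip firewall filter" and line.startswith("add "):
            rules.append(dict(tok.split("=", 1) for tok in shlex.split(line)[1:]))  # shlex keeps comment="..." intact
    return rules

def is_catch_all(rule, wan):
    """True if the rule matches every packet arriving on `wan` (no narrowing matcher)."""
    return {k for k in rule if k in MATCHERS} <= {"in-interface"} and rule.get("in-interface", wan) == wan

def final_action(rules, chain, wan, depth=0):
    """Verdict for an unsolicited packet from `wan` entering `chain`, following catch-all jumps."""
    for r in rules:
        if r["chain"] == chain and r.get("disabled") != "yes" and is_catch_all(r, wan):
            if r["action"] != "jump":
                return r["action"]
            if depth < 8:  # guard against jump loops
                verdict = final_action(rules, r["jump-target"], wan, depth + 1)
                if verdict != "return":  # a user chain with no verdict hands back to the caller
                    return verdict
    return "accept" if depth == 0 else "return"  # built-in chains accept by default

def audit(rules, wan="WAN"):
    """Findings for the built-in chains (empty list = policy holds); stateless accepts reachable from WAN are reported too."""
    findings = [f"{c}: unsolicited traffic from {wan} is not dropped"
                for c in ("input", "forward") if final_action(rules, c, wan) != "drop"]
    findings += [f"rule {n} ({r['chain']}): accepts new {r.get('protocol', 'any')} traffic from {wan}"
                 for n, r in enumerate(rules, 1) if r["action"] == "accept" and r["chain"] in ("input", "forward")
                 and "connection-state" not in r and r.get("in-interface", wan) == wan]
    return findings
```

On the posted export the only finding is the first rule, which accepts ICMP on input from every interface including WAN; whether that is acceptable is a policy decision, but the check makes it visible before deployment.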
 
pablo
newbie
Topic Author
Posts: 46
Joined: Sun Apr 18, 2010 8:18 am

Re: Firewall Testing Recommendations

Sat Apr 24, 2010 10:50 am

Answering some of my own questions... here are some of the testing tools/scanners I've found...

For inbound connections there are quite a few:

http://www.auditmypc.com/
https://www.grc.com/ (ShieldsUp)
etc.

For outbound connections it's a little trickier since something needs to be listening on the other side. If you have an external server and can run something internally then there are quite a few tools. Otherwise the best thing I found which is simple and browser based is:
http://www.firebind.com/

I was actually able to verify that my netbios firewall filters are working using this tool!