Community discussions

MikroTik App
  4. RouterOS
  5. General

Firewall not working?

Post Reply
 
sergeda
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 78
Joined: Wed Sep 20, 2006 6:03 am

Firewall not working?

Fri Jul 27, 2007 1:48 pm

Hi.
I have this set of filters in firewall:
[admin@MikroTik] > ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; Drop Invalid connections
chain=input in-interface=External connection-state=invalid action=drop

1 ;;; Allow inbound SSH
chain=input in-interface=External protocol=tcp dst-port=22
action=accept

2 ;;; Allow Established connections
chain=input in-interface=External connection-state=established
action=accept

3 ;;; Allow UDP DNS
chain=input in-interface=External protocol=udp src-port=53 action=accept

4 ;;; Allow ICMP
chain=input in-interface=External protocol=icmp action=accept


5 ;;; Drop anything else
chain=input in-interface=External action=drop

6 ;;; drop invalid connections
chain=forward protocol=tcp connection-state=invalid action=drop

7 ;;; allow related connections
chain=forward connection-state=established action=accept

8 chain=forward in-interface=External action=drop

For me this looks like everything ok in this. But when I tried to scan from external host I've found some ports opened.
For example 53 udp. Now I can set it as nameserver on external host and Mikrotik returning me results of DNS requests. I want it to serve only internal clients. What I'm doing wrong?
Top
 
User avatar
janisk
MikroTik Support
MikroTik Support
Posts: 6263
Joined: Tue Feb 14, 2006 9:46 am
Location: Riga, Latvia

Re: Firewall not working?

Fri Jul 27, 2007 2:20 pm

Code: Select all
3 ;;; Allow UDP DNS 
 chain=input in-interface=External protocol=udp src-port=53 action=accept
you are accepting connections destinated to router from outside
Top
 
sergeda
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 78
Joined: Wed Sep 20, 2006 6:03 am

Re: Firewall not working?

Fri Jul 27, 2007 6:08 pm

Code: Select all
3 ;;; Allow UDP DNS 
 chain=input in-interface=External protocol=udp src-port=53 action=accept
you are accepting connections destinated to router from outside
Well, in this rule I've allowed connections with src-port 53, not destination port 53. I think this rule only for udp reply from external DNS servers. Am I wrong?
Top
 
User avatar
andrewluck
Forum Veteran
Forum Veteran
Posts: 700
Joined: Fri May 28, 2004 9:05 pm
Location: Norfolk, UK

Re: Firewall not working?

Sat Jul 28, 2007 2:32 pm

Yes. Anytime someone sends a udp packet from outside with a source port of 53 it will bypass your rules and be able to connect to any udp port.

Better to remove this rule and accept inbound established and related packets in the input chain the same as you have in the forward chain.

Regards

Andrew
Top
 
sergeda
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 78
Joined: Wed Sep 20, 2006 6:03 am

Re: Firewall not working?

Sat Jul 28, 2007 3:22 pm

Well, thank you for advice. I have disabled that rule but still can use my DNS server from external world.
I've lost.
Top
 
GotNet
Member
Member
Posts: 434
Joined: Fri May 28, 2004 7:52 pm
Location: Florida

Re: Firewall not working?

Sat Jul 28, 2007 7:02 pm

;;; Drop External DNS Query
chain=input action=drop in-interface=internet interface dst-address=router ip
dst-port=53 protocol=udp
Top
Post Reply
  4. RouterOS
  5. General