Sahafi2001
newbie
Topic Author
Posts: 41
Joined: Mon Apr 12, 2021 3:22 pm

Securing your router

Mon Jan 10, 2022 1:38 pm

Hi.

I have a question I'd like you to answer.

I've set up "Building Advanced Firewall" for Mikrotik 1009-8G-1-1+ long term version 6.48.6.

The question is, am I supposed to do "Building Your First Firewall" and then "Building Advanced Firewall" or don't I have to do it?

https://help.mikrotik.com/docs/display/ ... our+router
 
holvoetn
Forum Guru
Posts: 6317
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Securing your router

Mon Jan 10, 2022 2:02 pm

Your device did not come with a default preset firewall, correct ?

Like a house: first you build the base, then you put on the subsequent floors.
So "First firewall" to start, then move to advanced.
 
sindy
Forum Guru
Posts: 10860
Joined: Mon Dec 04, 2017 9:19 pm

Re: Securing your router

Mon Jan 10, 2022 2:12 pm

So "First firewall" to start, then move to advanced.
The thing is that the "basic firewall" section in the manual refers to "default firewall rules" but duplicates some of them, and also the "advanced firewall" section duplicates some of the rules given in the "basic firewall" section. So whilst your allegory with the house is a common sense one, the way the documentation is structured seems to use some other logic.
 
SecCon
Member Candidate
Posts: 156
Joined: Mon May 03, 2021 10:52 am

Re: Securing your router

Mon Jan 10, 2022 2:16 pm

Interesting, I lost all conn to the router setting up the basic firewall according to the manual pages.
/ip firewall filter
add action=accept chain=input comment="default configuration" connection-state=established,related
add action=accept chain=input src-address-list=allowed_to_router
add action=accept chain=input protocol=icmp
add action=drop chain=input
/ip firewall address-list
add address=192.168.88.2-192.168.88.254 list=allowed_to_router
Maybe something else is wrong with my quick-set setup. Oh, and in my case I use 192.168.1.0/24.

Curious as to how it goes for others.
 
anav
Forum Guru
Posts: 21351
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Securing your router

Mon Jan 10, 2022 2:21 pm

This is what the basic user needs, using the defaults as a starting point.
If you have additional connectivity requirements ask for assistance.

/ip firewall filter
add action=accept chain=input comment="default configuration" \
    connection-state=established,related,untracked
add action=drop chain=forward comment="default configuration" \
    connection-state=invalid
# only required if planning to use wireguard vpn - the port number is up to you
add action=accept chain=input dst-port=13231 protocol=udp in-interface=ether1-WAN
# *********** allows access to the router for configuration - then limit by subnet and/or source address list later
add action=accept chain=input in-interface-list=LAN
# intended for all LAN users, and required when you modify the admin config access rule above
add action=accept chain=input comment="Allow LAN DNS queries-UDP" \
    connection-state=new dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Allow LAN DNS queries - TCP" \
    connection-state=new dst-port=53 in-interface-list=LAN protocol=tcp
add action=drop chain=input comment="drop all else"
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="default configuration" \
    connection-state=established,related
add chain=forward comment="default configuration" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="default configuration" \
    connection-state=invalid
# allows internet traffic
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
# allows servers if necessary
add action=accept chain=forward comment="allow port forwarding" \
    connection-nat-state=dstnat connection-state=new in-interface-list=WAN
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
add action=drop chain=forward comment="drop all else"

Where the +++++++ indicates where to put additional allow rules for traffic.
*********** When comfortable, reduce this rule to the (trusted) subnet or vlan where the admin resides and reduce further by source address list if required
Last edited by anav on Mon Jan 10, 2022 2:22 pm, edited 1 time in total.
 
anav
Forum Guru
Posts: 21351
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Securing your router

Mon Jan 10, 2022 2:21 pm

SecCon, don't use quickset!
Already provided a reference not to lock yourself out, especially if configuring the bridge!!, which is a whole other topic?
viewtopic.php?t=181718

In terms of firewall rules, it is important to NOT put in the drop all rule in the input chain until you have an allow rule above that for the admin to access the router for configuration purposes....

Typically to be safe at startup we put this rule....
add action=accept chain=input in-interface-list=LAN

Later we change it to the trusted subnet where the admin works from........ or trusted interface list
add action=accept chain=input in-interface-list=Management
(or: add action=accept chain=input in-interface=<trusted subnet/vlan interface>)

Later if necessary we reduce the access solely to the devices used by the admin by firewall source address list (lets say trusted subnet is 192.168.5.0/24)
add action=accept chain=input src-address=192.168.5.0/24 src-address-list=authorized

where (IP are set statically in the config)
/ip firewall address-list
add address=<IP of admin desktop> list=authorized
add address=<IP of admin laptop> list=authorized
add address=<IP of admin smartphone> list=authorized
etc.
Last edited by anav on Mon Jan 10, 2022 2:28 pm, edited 2 times in total.
 
Sahafi2001
newbie
Topic Author
Posts: 41
Joined: Mon Apr 12, 2021 3:22 pm

Re: Securing your router

Mon Jan 10, 2022 2:25 pm

Your device did not come with a default preset firewall, correct ?

Like a house: first you build the base, then you put on the subsequent floors.
So "First firewall" to start, then move to advanced.
I did it, but now this shows in the log:
"invalid forward: in:VLAN1 out:pppoe-1, src-mac ac:f6:f7:f7:7e:51, proto TCP (ACK,FIN,PSH), 172.16.2.29:57283->157.240.196.60:443, len 76"
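The log line above has the prefix "invalid" and chain "forward", which matches the `log=yes log-prefix=invalid` drop rule in the config Sahafi2001 posts further down. The following added Python (not code from the thread or from MikroTik) parses that RouterOS firewall log format and separates the FIN/RST stragglers such a rule usually logs from lines that deserve a look; the second sample line, with the "!NAT" prefix from the same config, is constructed.

```python
"""Parser and triage for RouterOS firewall log lines (added example for this
thread; not code from the forum or from MikroTik)."""
import re
from collections import Counter

# The line Sahafi2001 posted, plus one constructed line in the same format for
# the "!NAT" prefix of the posted "Drop incoming packets that are not NAT`ted"
# rule (constructed addresses from the RFC 5737 documentation range).
SAMPLE_LOG = [
    "invalid forward: in:VLAN1 out:pppoe-1, src-mac ac:f6:f7:f7:7e:51, "
    "proto TCP (ACK,FIN,PSH), 172.16.2.29:57283->157.240.196.60:443, len 76",
    "!NAT forward: in:E1 out:VLAN1, src-mac 00:11:22:33:44:55, "
    "proto TCP (SYN), 203.0.113.5:44123->172.16.2.29:22, len 60",
]

# <prefix> <chain>: in:<if> out:<if>, [src-mac <mac>,] proto <P> [(flags)], s:p->d:p, len N
LOG_RE = re.compile(
    r"^(?P<prefix>\S+) (?P<chain>\w+): in:(?P<in_if>[^,\s]+) out:(?P<out_if>[^,]+),"
    r"(?: src-mac (?P<src_mac>[0-9a-f:]{17}),)?"
    r" proto (?P<proto>\w+)(?: \((?P<flags>[^)]*)\))?,"
    r" (?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+), len (?P<length>\d+)$"
)


def parse_log_line(line):
    """Return the fields as a dict, or None if the line is not a firewall log."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["flags"] = tuple(rec["flags"].split(",")) if rec["flags"] else ()
    for key in ("sport", "dport", "length"):
        rec[key] = int(rec[key])
    return rec


def is_late_teardown(rec):
    """A TCP segment with FIN or RST but no SYN that was logged as invalid is,
    in the common case, a straggler from a connection whose tracking entry is
    already gone: noise to stop logging or rate-limit, not something to chase."""
    return (rec["prefix"] == "invalid" and rec["proto"] == "TCP"
            and "SYN" not in rec["flags"]
            and bool({"FIN", "RST"} & set(rec["flags"])))


def triage(lines):
    """Count lines per (log prefix, category) so the noisy rule stands out from
    the ones worth reviewing (e.g. un-NATed new connections arriving from WAN)."""
    counts = Counter()
    for line in lines:
        rec = parse_log_line(line)
        if rec is None:
            counts[("unparsed", "")] += 1
        else:
            kind = "late-teardown" if is_late_teardown(rec) else "review"
            counts[(rec["prefix"], kind)] += 1
    return counts
```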
 
sindy
Forum Guru
Posts: 10860
Joined: Mon Dec 04, 2017 9:19 pm

Re: Securing your router

Mon Jan 10, 2022 2:27 pm

Interesting, I lost all conn to the router setting up the basic firewall according to the manual pages.
In your case, the address-list "allowed_to_router" should have contained an address range from 192.168.1.0/24, in particular the IP address of the device from which you configure the router. And although I would have put the command to populate this address-list before the commands to set up the firewall rules if I were the one to write the documentation, even this order should cause no trouble if the "accept established or related" rule is put in place sooner than the "drop the rest" one, and if you do not leave the management session between adding the rules and populating the address-list.
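anav's warning above about adding the input-chain "drop all" rule before an accept rule for the admin, and sindy's explanation of the address list being filled only after that drop rule, both come down to first-match rule order. The following added Python (not code from the thread or from MikroTik) parses a small export of the kind pasted in this thread and evaluates a new management connection against it at both moments; the sample export, the admin's interface-list membership and the WinBox port are assumptions.

```python
"""Offline first-match check for RouterOS firewall exports (added example for
this thread; not code from the forum or from MikroTik). It models only the
matchers the posts use, so it is an ordering lint, not a RouterOS emulator."""
import ipaddress
import shlex
from dataclasses import dataclass

# Constructed sample: the "basic firewall" SecCon pasted, in the order the
# manual gives it, with the address list populated after the drop rule.
SAMPLE_EXPORT = """\
/ip firewall filter
add action=accept chain=input comment="default configuration" \\
    connection-state=established,related
add action=accept chain=input src-address-list=allowed_to_router
add action=accept chain=input protocol=icmp
add action=drop chain=input
/ip firewall address-list
add address=192.168.88.2-192.168.88.254 list=allowed_to_router
"""

def parse_export(text):
    """Return (filter rules in order, address lists as name -> entries)."""
    rules, lists, section, pending = [], {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()          # glue "\"-continued lines
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        pending = ""
        if line.startswith("/"):
            section = line
        elif line.startswith("add "):
            kv = dict(tok.partition("=")[::2] for tok in shlex.split(line[4:]))
            if section == "/ip firewall filter":
                rules.append(kv)
            elif section == "/ip firewall address-list":
                lists.setdefault(kv["list"], []).append(kv["address"])
    return rules, lists

@dataclass
class Packet:
    chain: str
    src: str
    conn_state: str = "new"
    protocol: str = "tcp"
    dst_port: int = 8291                      # WinBox; an assumption
    in_interface: str = "ether2"
    in_lists: frozenset = frozenset({"LAN"})  # interface lists it belongs to

def _in_address_list(ip, entries):
    """Entries may be a host, a CIDR prefix or a from-to range."""
    addr = ipaddress.ip_address(ip)
    for entry in entries:
        if "-" in entry:
            lo, hi = (ipaddress.ip_address(x) for x in entry.split("-"))
            if lo <= addr <= hi:
                return True
        elif addr in ipaddress.ip_network(entry, strict=False):
            return True
    return False

def rule_matches(rule, pkt, lists):
    if rule.get("disabled") == "yes" or rule.get("chain") != pkt.chain:
        return False
    if pkt.conn_state not in rule.get("connection-state", pkt.conn_state).split(","):
        return False
    if rule.get("protocol", pkt.protocol) != pkt.protocol:
        return False
    if str(pkt.dst_port) not in rule.get("dst-port", str(pkt.dst_port)).split(","):
        return False
    checks = (  # matcher -> predicate on the value with any leading "!" removed
        ("src-address-list", lambda n: _in_address_list(pkt.src, lists.get(n, []))),
        ("in-interface-list", lambda n: n in pkt.in_lists),
        ("in-interface", lambda n: n == pkt.in_interface),
    )
    for key, pred in checks:
        if key in rule:
            negate = rule[key].startswith("!")
            if pred(rule[key].lstrip("!")) == negate:   # "!X" matches when X does not
                return False
    return True

def verdict(rules, pkt, lists):
    """First matching terminating rule wins; what no rule matches is accepted."""
    for i, rule in enumerate(rules):
        if rule_matches(rule, pkt, lists):
            action = rule.get("action", "accept")   # "add" with no action = accept
            if action in ("accept", "drop", "reject"):
                return action, i
    return "accept", None                     # implicit accept, no rule index

def lockout_report(export_text, admin_ip, admin_lists=frozenset({"LAN"})):
    """Verdict for a NEW management connection from admin_ip at two moments:
    filter rules applied but address lists not yet, then the whole export."""
    rules, lists = parse_export(export_text)
    pkt = Packet(chain="input", src=admin_ip, in_lists=admin_lists)
    return verdict(rules, pkt, {})[0], verdict(rules, pkt, lists)[0]
```

Running it over the sample shows the lockout window sindy describes (drop until the list exists) and that an admin on 192.168.1.0/24 stays locked out even afterwards, while anav's interim `in-interface-list=LAN` accept rule passes either way.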
 
anav
Forum Guru
Posts: 21351
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Securing your router

Mon Jan 10, 2022 2:30 pm

Saha post your config for review, one cannot efficiently parse little bits without seeing it in context of the config.........
/export hide-sensitive file=anynameyouwish
 
Sahafi2001
newbie
Topic Author
Posts: 41
Joined: Mon Apr 12, 2021 3:22 pm

Re: Securing your router

Mon Jan 10, 2022 2:31 pm

So "First firewall" to start, then move to advanced.
The thing is that the "basic firewall" section in the manual refers to "default firewall rules" but duplicates some of them, and also the "advanced firewall" section duplicates some of the rules given in the "basic firewall" section. So whilst your allegory with the house is a common sense one, the way the documentation is structured seems to use some other logic.
I noticed that... so we can say that the advanced firewall setup is enough and there is no need to use the basic, right?
 
Sahafi2001
newbie
Topic Author
Posts: 41
Joined: Mon Apr 12, 2021 3:22 pm

Re: Securing your router

Mon Jan 10, 2022 2:33 pm

Saha post your config for review, one cannot efficiently parse little bits without seeing it in context of the config.........
/export hide-sensitive file=anynameyouwish
/ip firewall address-list
add address=10.50.0.0/24 list=AP
add address=10.50.0.0/16 list=Network
add address=172.16.0.0/12 list=Network
add address=10.50.0.1 list=GETWEY
add address=172.16.1.1 list=GETWEY
add address=172.16.2.1 list=GETWEY
add address=172.16.3.1 list=GETWEY
add address=172.16.4.1 list=GETWEY
add address=172.16.5.1 list=GETWEY
add address=172.16.6.1 list=GETWEY
add address=172.16.7.1 list=GETWEY
add address=172.16.8.1 list=GETWEY
add address=172.16.9.1 list=GETWEY
add address=172.16.10.1 list=GETWEY
add address=172.16.11.1 list=GETWEY
add address=172.16.12.1 list=GETWEY
add address=172.16.13.1 list=GETWEY
add address=172.16.14.1 list=GETWEY
add address=172.16.15.1 list=GETWEY
add address=172.16.16.1 list=GETWEY
add address=172.16.17.1 list=GETWEY
add address=172.16.18.1 list=GETWEY
add address=172.17.1.1 list=GETWEY
add address=172.17.2.1 list=GETWEY
add address=172.17.3.1 list=GETWEY
add address=172.17.4.1 list=GETWEY
add address=0.0.0.0/8 comment="defconf: RFC6890" list=no_forward_ipv4
add address=169.254.0.0/16 comment="defconf: RFC6890" list=no_forward_ipv4
add address=224.0.0.0/4 comment="defconf: multicast" list=no_forward_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=no_forward_ipv4
add address=127.0.0.0/8 comment="defconf: RFC6890" list=bad_ipv4
add address=192.0.0.0/24 comment="defconf: RFC6890" list=bad_ipv4
add address=192.0.2.0/24 comment="defconf: RFC6890 documentation" list=\
    bad_ipv4
add address=198.51.100.0/24 comment="defconf: RFC6890 documentation" list=\
    bad_ipv4
add address=203.0.113.0/24 comment="defconf: RFC6890 documentation" list=\
    bad_ipv4
add address=240.0.0.0/4 comment="defconf: RFC6890 reserved" list=bad_ipv4
add address=0.0.0.0/8 comment="defconf: RFC6890" list=not_global_ipv4
add address=10.0.0.0/8 comment="defconf: RFC6890" list=not_global_ipv4
add address=100.64.0.0/10 comment="defconf: RFC6890" list=not_global_ipv4
add address=169.254.0.0/16 comment="defconf: RFC6890" list=not_global_ipv4
add address=172.16.0.0/12 comment="defconf: RFC6890" list=not_global_ipv4
add address=192.0.0.0/29 comment="defconf: RFC6890" list=not_global_ipv4
add address=192.168.0.0/16 comment="defconf: RFC6890" list=not_global_ipv4
add address=198.18.0.0/15 comment="defconf: RFC6890 benchmark" list=\
    not_global_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=not_global_ipv4
add address=224.0.0.0/4 comment="defconf: multicast" list=bad_src_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=bad_src_ipv4
add address=0.0.0.0/8 comment="defconf: RFC6890" list=bad_dst_ipv4
add address=224.0.0.0/4 comment="defconf: RFC6890" list=bad_dst_ipv4
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=\
    not_in_internet
/ip firewall filter
add action=passthrough chain=unused-hs-chain comment=\
    "place hotspot rules here" disabled=yes
add action=accept chain=input comment="default configuration" \
    connection-state=established,related
add action=accept chain=input protocol=icmp
add action=drop chain=input
add action=fasttrack-connection chain=forward comment=FastTrack \
    connection-state=established,related
add action=accept chain=forward comment="Established, Related" \
    connection-state=established,related
add action=drop chain=forward comment="Drop invalid" connection-state=invalid \
    log=yes log-prefix=invalid
add action=drop chain=forward comment=\
    "Drop tries to reach not public addresses from LAN" dst-address-list=\
    not_in_internet in-interface=OUT log=yes log-prefix=!public_from_LAN \
    out-interface=!OUT
add action=drop chain=forward comment=\
    "Drop incoming packets that are not NAT`ted" connection-nat-state=!dstnat \
    connection-state=new in-interface=E1 log=yes log-prefix=!NAT
add action=jump chain=forward comment="jump to ICMP filters" jump-target=icmp \
    protocol=icmp
add action=drop chain=forward comment=\
    "Drop incoming from internet which is not public IP" in-interface=E1 log=\
    yes log-prefix=!public src-address-list=not_in_internet
add action=drop chain=forward comment=\
    "Drop packets from LAN that do not have LAN IP" in-interface=OUT log=yes \
    log-prefix=LAN_!LAN src-address-list=!Network
add action=accept chain=icmp comment="echo reply" icmp-options=0:0 protocol=\
    icmp
add action=accept chain=icmp comment="net unreachable" icmp-options=3:0 \
    protocol=icmp
add action=accept chain=icmp comment="host unreachable" icmp-options=3:1 \
    protocol=icmp
add action=accept chain=icmp comment=\
    "host unreachable fragmentation required" icmp-options=3:4 protocol=icmp
add action=accept chain=icmp comment="allow echo request" icmp-options=8:0 \
    protocol=icmp
add action=accept chain=icmp comment="allow time exceed" icmp-options=11:0 \
    protocol=icmp
add action=accept chain=icmp comment="allow parameter bad" icmp-options=12:0 \
    protocol=icmp
add action=drop chain=icmp comment="deny all other types"
add action=drop chain=forward comment="AP Drop" out-interface-list=WAN \
    src-address-list=AP
add action=drop chain=input comment="dropping port scanners" \
    src-address-list="port scanners"
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="Port scanners to list " \
    protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="NMAP FIN Stealth scan" \
    protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="SYN/FIN scan" protocol=tcp \
    tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="SYN/RST scan" protocol=tcp \
    tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" protocol=\
    tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="ALL/ALL scan" protocol=tcp \
    tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="NMAP NULL scan" protocol=tcp \
    tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=accept chain=input comment="defconf: accept ICMP after RAW" \
    protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input in-interface-list=!OUT-LIST src-address=\
    127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!OUT-LIST
add action=accept chain=forward comment=\
    "defconf: accept all that matches IPSec policy" ipsec-policy=in,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="defconf: drop bad forward IPs" \
    src-address-list=no_forward_ipv4
add action=drop chain=forward comment="defconf: drop bad forward IPs" \
    dst-address-list=no_forward_ipv4
add action=reject chain=input content=freedom disabled=yes reject-with=\
    icmp-network-unreachable
add action=drop chain=input content=freedom disabled=yes
add action=reject chain=output content=freedom disabled=yes reject-with=\
    icmp-network-unreachable
add action=drop chain=output content=freedom disabled=yes
add action=drop chain=input disabled=yes dst-port=53 in-interface=E1 \
    protocol=udp
add action=accept chain=input disabled=yes dst-port=53 in-interface-list=\
    OUT-LIST limit=2500,5:packet protocol=udp
add action=drop chain=input disabled=yes dst-port=53 in-interface-list=\
    OUT-LIST limit=2500,5:packet protocol=udp
add action=accept chain=forward connection-state=\
    established,related,untracked disabled=yes
add action=accept chain=input connection-state=established,related,untracked \
    disabled=yes
add action=drop chain=forward connection-state=invalid disabled=yes
add action=fasttrack-connection chain=output disabled=yes port=53 protocol=\
    udp
add action=accept chain=output disabled=yes port=53 protocol=udp
add action=drop chain=input connection-state=invalid disabled=yes
add action=drop chain=input disabled=yes dst-port=53 in-interface=Internet \
    protocol=tcp
add action=drop chain=input disabled=yes dst-port=53 in-interface=Internet \
    protocol=udp
/ip firewall mangle
add action=accept chain=prerouting dst-address-list=AP in-interface-list=\
    OUT-LIST
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment=\
    "place hotspot rules here" disabled=yes
add action=masquerade chain=srcnat out-interface=E1
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
    src-address=10.50.0.0/16
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
    src-address=172.16.1.0/24
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
    src-address=172.16.2.0/24
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
    src-address=172.16.3.0/24
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
    src-address=172.16.4.0/24
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
    src-address=172.16.5.0/24
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
    src-address=172.16.6.0/24
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
    src-address=172.16.7.0/24
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
    src-address=172.16.8.0/24
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
    src-address=172.16.9.0/24
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
    src-address=172.16.10.0/24
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
    src-address=172.16.11.0/24
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
    src-address=172.16.12.0/24
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
    src-address=172.16.13.0/24
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
    src-address=172.16.14.0/24
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
    src-address=172.16.15.0/24
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
    src-address=172.16.16.0/24
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
    src-address=172.16.17.0/24
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
    src-address=172.16.18.0/24
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
    src-address=172.17.1.0/24
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
    src-address=172.17.2.0/24
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
    src-address=172.17.3.0/24
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
    src-address=172.17.4.0/24
add action=accept chain=srcnat comment=\
    "defconf: accept all that matches IPSec policy" disabled=yes \
    ipsec-policy=out,ipsec
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    out-interface-list=WAN
/ip firewall raw
add action=drop chain=prerouting dst-address-type=!local dst-port=!80,67 \
    hotspot=!auth in-interface=OUT protocol=udp
add action=drop chain=prerouting dst-address-type=!local dst-port=!80,67 \
    hotspot=!auth in-interface=all-vlan protocol=udp
add action=accept chain=prerouting dst-port=67 in-interface=OUT protocol=udp
add action=accept chain=prerouting dst-port=67 in-interface=all-vlan \
    protocol=udp
add action=drop chain=prerouting dst-address-type=!local dst-port=!80 \
    hotspot=!auth in-interface=OUT protocol=tcp
add action=drop chain=prerouting dst-address-type=!local dst-port=!80 \
    hotspot=!auth in-interface=all-vlan protocol=tcp
add action=drop chain=prerouting hotspot=!auth in-interface=OUT port=\
    701,143,443,1198,3128 protocol=tcp
add action=drop chain=prerouting hotspot=!auth in-interface=all-vlan port=\
    701,143,443,1198,3128 protocol=tcp
add action=drop chain=prerouting hotspot=!auth in-interface=OUT port=\
    701,143,443,1198,3128 protocol=udp
add action=drop chain=prerouting hotspot=!auth in-interface=all-vlan port=\
    701,143,443,1198,3128 protocol=udp
add action=drop chain=prerouting dst-address-list=!GETWEY dst-port=53 \
    hotspot=!auth in-interface=OUT protocol=udp
add action=drop chain=prerouting dst-address-list=!GETWEY dst-port=53 \
    hotspot=!auth in-interface=all-vlan protocol=udp
add action=accept chain=prerouting comment=\
    "defconf: enable for transparent firewall" disabled=yes
add action=accept chain=prerouting comment="defconf: accept DHCP discover" \
    dst-address=255.255.255.255 dst-port=67 in-interface-list=OUT-LIST \
    protocol=udp src-address=0.0.0.0 src-port=68
add action=accept chain=prerouting in-interface-list=!OUT-LIST src-address=\
    127.0.0.1
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
    src-address-list=bad_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
    dst-address-list=bad_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
    src-address-list=bad_src_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
    dst-address-list=bad_dst_ipv4
add action=drop chain=prerouting comment="defconf: drop non global from WAN" \
    in-interface-list=WAN src-address-list=not_global_ipv4
add action=drop chain=prerouting comment=\
    "defconf: drop forward to local lan from WAN" dst-address-list=Network \
    in-interface-list=WAN
add action=drop chain=prerouting comment=\
    "defconf: drop local if not from default IP range" in-interface-list=\
    OUT-LIST src-address-list=!Network
add action=drop chain=prerouting comment="defconf: drop bad UDP" port=0 \
    protocol=udp
add action=jump chain=prerouting comment="defconf: jump to ICMP chain" \
    jump-target=icmp4 protocol=icmp
add action=jump chain=prerouting comment="defconf: jump to TCP chain" \
    jump-target=bad_tcp protocol=tcp
add action=accept chain=prerouting comment=\
    "defconf: accept everything else from LAN" in-interface-list=OUT-LIST
add action=accept chain=prerouting comment=\
    "defconf: accept everything else from WAN" in-interface-list=WAN
add action=drop chain=prerouting comment="defconf: drop the rest"
add action=drop chain=bad_tcp comment="defconf: TCP flag filter" protocol=tcp \
    tcp-flags=!fin,!syn,!rst,!ack
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,syn
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,rst
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,!ack
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,urg
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=syn,rst
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=rst,urg
add action=drop chain=bad_tcp comment="defconf: TCP port 0 drop" port=0 \
    protocol=tcp
add action=accept chain=icmp4 comment="defconf: echo reply" icmp-options=0:0 \
    limit=5,10:packet protocol=icmp
add action=accept chain=icmp4 comment="defconf: net unreachable" \
    icmp-options=3:0 protocol=icmp
add action=accept chain=icmp4 comment="defconf: host unreachable" \
    icmp-options=3:1 protocol=icmp
add action=accept chain=icmp4 comment="defconf: protocol unreachable" \
    icmp-options=3:2 protocol=icmp
add action=accept chain=icmp4 comment="defconf: port unreachable" \
    icmp-options=3:3 protocol=icmp
add action=accept chain=icmp4 comment="defconf: fragmentation needed" \
    icmp-options=3:4 protocol=icmp
add action=accept chain=icmp4 comment="defconf: echo" icmp-options=8:0 limit=\
    5,10:packet protocol=icmp
add action=accept chain=icmp4 comment="defconf: time exceeded " icmp-options=\
    11:0-255 protocol=icmp
add action=drop chain=icmp4 comment="defconf: drop other icmp" protocol=icmp
 
holvoetn
Forum Guru
Posts: 6317
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Securing your router

Mon Jan 10, 2022 2:42 pm

So "First firewall" to start, then move to advanced.
The thing is that the "basic firewall" section in the manual refers to "default firewall rules" but duplicates some of them, and also the "advanced firewall" section duplicates some of the rules given in the "basic firewall" section. So whilst your allegory with the house is a common sense one, the way the documentation is structured seems to use some other logic.
IF there would be instructions how to add a floor to an existing house and it says "first build the basement" and you see there IS already a basement, I would assume any logical thinking person would skip that step, no ? Or would they add a basement first on top of the first floor again ? I surely hope not. I do want pictures though if you ever see that happen :lol:
But then again, every assumption is potential cause for error. As has been shown again here.

Personal view: anyone jumping right into the advanced part without first getting the basics right, is most likely going to encounter some problems.
But hey, that's me ...

Anyhow, I see the support train has started.
 
holvoetn
Forum Guru
Posts: 6317
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Securing your router

Mon Jan 10, 2022 2:44 pm


The thing is that the "basic firewall" section in the manual refers to "default firewall rules" but duplicates some of them, and also the "advanced firewall" section duplicates some of the rules given in the "basic firewall" section. So whilst your allegory with the house is a common sense one, the way the documentation is structured seems to use some other logic.
I noticed that.. so we can say that the advanced firewall setup is enough and there is no need to use the basic right?
Not necessarily. Not everything has been duplicated.
You do need to review those settings and evaluate if they are already present or not.

It's BTW a perfect way too to LEARN what such a firewall does and why.
 
anav
Forum Guru
Posts: 21351
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Securing your router

Mon Jan 10, 2022 3:19 pm

Good luck with the pile of crap you have...... troubleshooting that will be a nightmare......
 
Sahafi2001
newbie
Topic Author
Posts: 41
Joined: Mon Apr 12, 2021 3:22 pm

Re: Securing your router

Mon Jan 10, 2022 3:30 pm

Good luck with the pile of crap you have...... troubleshooting that will be a nightmare......
Is there a problem with my configurations?
 
Sob
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: Securing your router

Mon Jan 10, 2022 3:41 pm

Yes, there's a problem, it's too long for @anav, he has processing limit around hundred lines or so. ;)
 
SecCon
Member Candidate
Posts: 156
Joined: Mon May 03, 2021 10:52 am

Re: Securing your router

Mon Jan 10, 2022 3:43 pm

Yes, there's a problem, it's too long for @anav, he has processing limit around hundred lines or so. ;)
Come to think of it, I share that feeling....
 
holvoetn
Forum Guru
Posts: 6317
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Securing your router

Mon Jan 10, 2022 4:39 pm

It's quite easy to start again from scratch and slowly add the blocks piece by piece.
The basic firewall is a very good place to start and pretty solid for most uses.

One of the stupidest (in my view) things one can do is blindly copy some config from whatever website (yes, even Mikrotik) and put it inside your config without knowing what it does.
Suddenly things don't work anymore and then they blame the website were they got the partial config from.
That's what I call "self-inflicted error".

I've been there too. Certainly in the beginning I also had to clean reset my devices more than once because I locked myself out (still happens sometimes, but I learned pretty early to make frequent config backups, and Safe Mode is also a nifty tool to use, especially when tinkering with firewall settings ...).
Best way to learn is to hit the wall sometimes. Hopefully not too hard :lol:
 
anav
Forum Guru
Posts: 21351
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Securing your router

Mon Jan 10, 2022 4:41 pm

Yes, I have lived 60+ years to learn two things.
a. its not what you have (possessions) that counts
b. keep it simple!!!
c. be able to laugh at yourself

Go EFF yourself sob ;-))) luv ya bro!

(yes that was three things, told you I was old)
Last edited by anav on Mon Jan 10, 2022 4:57 pm, edited 2 times in total.
 
Jotne
Forum Guru
Posts: 3334
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Securing your router

Mon Jan 10, 2022 4:53 pm

Some FW tips from me.

Use config that has been posted in this thread.
Have a block rule as last rule.
Make a diagram of all the rules, and understand what they do.

Here is an example from one of my Routers.
FW.jpg (attached image of the firewall rule diagram; not available)
Last edited by Jotne on Mon Jan 10, 2022 5:04 pm, edited 1 time in total.
 
anav
Forum Guru
Posts: 21351
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Securing your router

Mon Jan 10, 2022 4:57 pm

(nice Jotne, if it was legible).


On a serious note, the firewall should be appropriate to the threat to your network.
Do you have open servers?
Do you have sensitive information (medical, financial, scientific, i.e. business-related items bad actors may want to gain access to)?
etc..

Most folks dump a whole bunch of extra sheite blindly and often with little knowledge of RoS and it quickly turns into a nightmare.
If you know what you are doing and understand the threat then by all means use all the tools at your disposal.
Keep in mind the RoS is not an edge router kind of unit as some seem to think.
You want/need that level of protection then get the barracuda appliance for email, and some edge router with Services - in other words, you spend the money to protect the resources accordingly.
If any twit thinks their hAP ac2 is going to protect them from a DDoS attack they are being misled.
Anyway you guys are the experts, I just try and keep it practical and simple and realistic and always willing to learn, given logical arguments and evidence!!
 
User avatar
SecCon
Member Candidate
Member Candidate
Posts: 156
Joined: Mon May 03, 2021 10:52 am

Re: Securing your router

Mon Jan 10, 2022 5:20 pm

On a serious note, the firewall should be appropriate to the threat to your network.
Do you have open servers?
Do you have sensitive information (medical, financial, scientific, i.e. business-related items bad actors may want to gain access to)?
etc..
I would seriously judge the data I manage via my home network as potentially sensitive. Mainly two reasons for this:
  • I am a politician and have potential access to sensitive information, both sent to me and accessed via network.
    Having said that, it is of course not only my system that should be secure, but also the systems I connect to, be that e-mail or city-state-national servers.
  • I work in Health IT Services and while my work equipment is secured via VPN on that computer, I try to pay attention to how secure it may be on my network. Not sure I can do anything about that though. But I do have access to a lot of sensitive information, both medical and organizational, since I also work with IT related matters in the same job. And it goes via my switch and router...
Eventually I aim to have some kind of access to my network and my servers, but for now that is just a low priority project that comes after other considerations

So wanting to "secure my router" and finding no nonsense concrete dead serious critical info from the manufacturer is very relevant. Then it is not funny to read how official resources are not really up to that requirement...(?).

Visualizing is relevant, kudos to Jotne for that:
FiberBox > Router > Wired Switch+Wifi AP > Devices.
 
holvoetn
Forum Guru
Forum Guru
Posts: 6317
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Securing your router

Mon Jan 10, 2022 5:35 pm

@SecCon,
I do understand your concerns but if all your info is that critical, why not hire a professional to configure that device for you, or why doesn't your employer provide you a pre-made setup which you can simply plug in?
I for one would NOT allow anyone to use personal gear if the info is that valuable as you make it seem to be ?
All the info would have to stay on a secured and controlled server and only remote access to that server with very strict monitoring and auditing would be possible.
No local loopholes allowed.
But that's me...

If however you want to use your own material, you also need to follow the process to learn how these devices work.
Mikrotik gear is incredibly powerful compared to other products, certainly when you look at the price range, but it DOES come with a steep learning curve.
Pass that hurdle and you can do a lot of stuff.
Not spending the time to learn is also an option but don't be disappointed then either if it does not work plug and play. It doesn't.

PS re: your signature: I started working with computers in 1980.
CLI/command line is sometimes the only thing you have when all else fails.
 
Sob
Forum Guru
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: Securing your router

Mon Jan 10, 2022 5:35 pm

One important thing to understand is that there's no clear right and wrong, there's no one perfect solution. If there was, and if it was MikroTik's advanced firewall, why wouldn't they use it as default? Why would they give everyone just some crummy short version, when they have something better? Especially if we're talking about home users, who can't be expected to understand these things and improve it themselves. We can go even further, if some packets are invalid (e.g. some combinations of tcp flags), why should we even need a firewall to catch them? Wouldn't it be better hardcoded in the OS?

But it's all about what's good enough for selected purpose. Even the short default firewall is fine for most users, that's why it's installed by default. If you want more, you should also know why. If you don't, you can explore and find inspiration, but you need to be able to evaluate what is useful for you. If you wonder whether you should copy & paste some config or some other config, it's not a good way.
..., told you I was old)
I remember it every time I feel like I want to smack you on the head, but then I realize how weird it would be. :D
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 21351
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Securing your router

Mon Jan 10, 2022 5:54 pm

Secon,
Would ensure that you have separate vlans for Medical work and Political work with no connection to any other subnets and only internet access.
Ensure you use approved company/organization vpn connections to access work etc, if available otherwise wireguard seems pretty easy to use.
Ensure you have up to date AV/MALware apps on PCs......
Suggest you use something like MAIL WASHER to access all emails if using email on local device.

In terms of the mikrotik either use
a. for the cost of a couple of cups of coffee a month this excellent MT add-on https://itexpertoncall.com/promotional/moab.html
He specializes in clients that want cost effective protection and he can certainly give you really good advice on the rest of your network needs.

b. use something like this...............
https://axiomcyber.com/shield/
 
johnson73
Member Candidate
Member Candidate
Posts: 221
Joined: Wed Feb 05, 2020 10:07 am

Re: Securing your router

Mon Jan 10, 2022 5:56 pm

Good luck with the pile of crap you have...... troubleshooting that will be a nightmare......
Is there a problem with my configurations?
Yes. There are too many rules in your configuration that are not really needed.
Recommend you to use Anav config example. I use it myself and everything works very well. Not everything that is written on a "wiki" is correct and true.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 21351
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Securing your router

Mon Jan 10, 2022 6:12 pm

To be fair the wiki is not WRONG, but tends to cover many cases that may or may not be needed.
We don't know the user's requirements and his setup may be needed but I 99.9% doubt it.
Simple is best and then add on slowly understanding what each line will do, if its deemed necessary to add.
There may be a million bots knocking on my door but I never see it as I use a drop all rule at the end of input and forward chains.
If I started looking for problems that dont exist...............
 
User avatar
SecCon
Member Candidate
Member Candidate
Posts: 156
Joined: Mon May 03, 2021 10:52 am

Re: Securing your router

Mon Jan 10, 2022 6:23 pm

@SecCon,
I do understand your concerns but if all your info is that critical, why not hire a professional to configure that device for you, or why doesn't your employer provide you a pre-made setup which you can simply plug in?
That is one of the bigger IT issues that is causing occasional headlines. Who is responsible for the security of an employee's IT equipment while working from home? In my country it's a legislation matter that ties closely with work health and safety. Who owns the equipment if you use it for work? Do you get a computer for work? Can you connect to work via your private computer (virtual desktop / Citrix, all that)? Should the employer pay? Should the employee pay? Should the state subsidize the employer or the employee? Who would get the contracts for this? How to ensure its proper implementation? What hardware and connection would be supported? Etc...

It's a challenge to define that and not many are even aware of this being a serious issue. I am one of the few outside the IT-professional sphere, while I still consider myself an IT pro.

So my approach to securing this, I will look closer at it, but rather than trusting stuff that I do not really know how it works, I am placing myself in a position where I simply have to learn and discuss how to create safer connections and network environments, that is why I am here. Having said that, we need more AI and cloud based monitoring and Mikrotik need to look at having usage profiles for RoS.
Homeuser Basic = these recommended settings.
Homeuser + gaming = these....
Homeuser + working = these...
SoHo Lab = these...
etc... and of course perfectly editable and changeable over time and usage.
 
User avatar
Jotne
Forum Guru
Forum Guru
Posts: 3334
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Securing your router

Mon Jan 10, 2022 6:46 pm

Here is one tip that I like to add to my router:
viewtopic.php?f=23&t=178496
If someone tries any port on my router that is not open (typically a scan script), then this IP will be blocked for 24 hours on all ports.
This way they cannot continue to hack on open ports like 443 etc., since they're blocked.
For me this gives an address list with 5000-15000 IP addresses in it at all times.
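The 24-hour blocklist Jotne describes, written out as an added example for readers who cannot follow the link. This is not the configuration from his linked topic; the interface list WAN, the address-list names, the management range 192.168.88.0/24 and the choice of TCP/443 as the only public service are assumptions for illustration:

```routeros
# Added example (assumed names, not Jotne's posted rules): any new connection
# from the internet to a port that is not deliberately open puts the source
# address on a 24 h blocklist that is enforced before every service rule.
/ip firewall address-list
add list=mgmt-addresses address=192.168.88.0/24 \
    comment="constructed example: admin hosts, never blocklisted"

/ip firewall filter
# 1. Already-caught sources are dropped first, on every port (443 included).
add chain=input in-interface-list=WAN src-address-list=port_scanners \
    action=drop comment="drop caught scanners, all ports"
# 2. Normal stateful handling.
add chain=input connection-state=established,related action=accept
add chain=input connection-state=invalid action=drop
# 3. Services meant to be public; add one accept per open port here.
add chain=input in-interface-list=WAN protocol=icmp action=accept \
    comment="answer ping (otherwise a ping counts as a probe)"
add chain=input in-interface-list=WAN protocol=tcp dst-port=443 action=accept \
    comment="public HTTPS"
# 4. Any new connection from WAN that reaches this point hit a closed port.
#    add-src-to-address-list is a passthrough action, so the drop below still runs,
#    and a further hit from a listed source refreshes its 1d timeout.
add chain=input in-interface-list=WAN connection-state=new \
    src-address-list=!mgmt-addresses action=add-src-to-address-list \
    address-list=port_scanners address-list-timeout=1d \
    comment="catch probes to closed ports"
add chain=input in-interface-list=WAN action=drop comment="drop the rest from WAN"
```

Order is the whole point: the blocklist drop sits at the top, so a caught source loses access to every port including 443, which is exactly the side effect mkx and sindy raise later in the thread when the "open port" is a public web server. The management whitelist keeps a mistyped connection from your own workstation from locking you out for a day. Only the WAN side of the input chain is shown; LAN-side management rules still need to be added. Check what got caught with /ip firewall address-list print where list=port_scanners.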
 
Sob
Forum Guru
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: Securing your router

Mon Jan 10, 2022 8:00 pm

@Jotne: That's a nice example. On one hand, it's objectively more secure to do this, the difference is obvious. If you don't have this protection, then an evil hacker can scan all your ports in one go, and then continue breaking in using open ones. But if you do have it, it's not possible like this, it would take over a hundred years to scan your ports.

Except, maybe a true villain will have access to more source IP addresses? So a large botnet will still scan all your ports in few minutes, and hacking of open ones will continue from completely different addresses. Not everyone has a botnet, of course. But then, who's really interested in your open non-standard ports? Isn't it easier to simply play with few standard ones, rather than looking for something hidden and hoping that if it exists at all, it will be hackable?

So is it more secure? Yes, there are definitely some cases when it can help. Is it worth it? That's a much more difficult question. Does it make you 50% safer? Or is it 10%, 1%, 0.001%? You don't really know. And it also costs you something in terms of resources, it's not completely free. So is it a good idea or not? Who knows...
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 21351
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Securing your router

Mon Jan 10, 2022 8:18 pm

@jotne, waste of time, my drop all rule works just fine for scans..
If you have an open port then at least put a source address list on it, and the port won't appear on scans.
If you have port forwarding also ensure it's an encrypted type of connection for login, not just a plain user name.
If you think you can run a game server at home without any controls expect to get hacked, leave gaming to professionals such as Steam etc.......
 
holvoetn
Forum Guru
Forum Guru
Posts: 6317
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Securing your router

Mon Jan 10, 2022 8:27 pm

I'm also in the camp of drop and forget it happened.
I don't care who's knocking on the door. As long as the door stays closed unless opened at my will.
 
User avatar
mkx
Forum Guru
Forum Guru
Posts: 12645
Joined: Thu Mar 03, 2016 10:23 pm

Re: Securing your router

Mon Jan 10, 2022 8:35 pm

@jotne, waste of time, my drop all rule works just fine for scans..

There are some slightly less plain users than you. For example, one might run a HTTPS server at home and it's open to internet. If a bot scans ports, then that remote address will be blocked on port 443 as well if one used magic by @jotne. Or one is running IPsec VPN server ... while it may be considered as safe service, why would you like to let random script kiddie to try to break it?
 
User avatar
SecCon
Member Candidate
Member Candidate
Posts: 156
Joined: Mon May 03, 2021 10:52 am

Re: Securing your router

Mon Jan 10, 2022 8:41 pm

@jotne, waste of time, my drop all rule works just fine for scans..

There are some slightly less plain users than you. For example, one might run a HTTPS server at home and it's open to internet. If a bot scans ports, then that remote address will be blocked on port 443 as well if one used magic by @jotne. Or one is running IPsec VPN server ... while it may be considered as safe service, why would you like to let random script kiddie to try to break it?
That may very well be relevant for me...eventually
 
User avatar
sindy
Forum Guru
Forum Guru
Posts: 10860
Joined: Mon Dec 04, 2017 9:19 pm

Re: Securing your router

Mon Jan 10, 2022 9:01 pm

If a bot scans ports, then that remote address will be blocked on port 443 as well if one used magic by @jotne. Or one is running IPsec VPN server ... while it may be considered as safe service, why would you like to let random script kiddie to try to break it?
I'm with @Sob here. If someone scans ports, the proper strategy is to start from those most likely to be open. For a VPN or SSH server, you can choose any of the remaining 65534 other ports than the "well-known" one for that service, so blacklisting the source on any attempt towards a closed port does make some sense unless 65535 zombies coordinate and try one port each, but a web server cannot listen anywhere else but at 443 as SRV records are rarely, if at all, used for web services. And whereas with SSH you can recognize a failed connection and ban the source IP to prevent the attacker from brute-forcing the password, that's not the case with https, where often no login is required at all and the attacks concentrate on something else.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 21351
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Securing your router

Mon Jan 10, 2022 9:12 pm

@jotne, waste of time, my drop all rule works just fine for scans..

There are some slightly less plain users than you. For example, one might run a HTTPS server at home and it's open to internet. If a bot scans ports, then that remote address will be blocked on port 443 as well if one used magic by @jotne. Or one is running IPsec VPN server ... while it may be considered as safe service, why would you like to let random script kiddie to try to break it?
I don't think script kiddies are going to break https and your ipsec.
https is at least a secure protocol to get to a point to login securely etc........
I would not run it on 443 anyway it would be more like 4433 translated to 443 ;-PP

As noted sophisticated botnets will come at ports from many IPs.......... and they will keep hammering, seems to me unnecessary WALLS attract flies.
heck a real hacker would have a whole history after some time.........
PUBLIC IP X
when scanned on port X, is blocked for 4 days
When scanned on port Y is blocked for 5 days.
Not blocked when scanning ports a-z, d-g etc.............

You have to come up with something more solid than that...................
 
Sob
Forum Guru
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: Securing your router

Mon Jan 10, 2022 11:30 pm

Script kiddies with the right toys can do a lot. For example, since we're in MikroTik forum, when few years ago RouterOS had that wonderful WinBox bug, everyone could exploit it once the tools for it went public.

If you had publicly accessible WinBox, could blacklisting port scanners protect you? From a random non-targeted attack, yes. But if someone went specifically for WinBox, then of course they tested default port 8291 first (*). Blacklisting could still help, if you use some non-standard port (but not everything can be moved easily, e.g. the already mentioned public https server has to use the standard port). But while it's a good protection if someone decides to discover it now, it doesn't help if someone already discovered it before. And if you had it like that for a long time, there's a good chance that someone already did. I'm sure there are many botnets doing this, very slowly testing random ports one by one, from different addresses, and keeping results.

(*) In fact, if I was the bad guy, I'd test only port 8291. There are 65k ports. So with same effort I can scan 65k ports on one address, or one (most likely to be used) port on 65k addresses. The latter is clearly better choice.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 21351
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Securing your router

Tue Jan 11, 2022 1:19 am

Doesn't compute, LOL.

lazy admin = doesn't really care about proper security
keen admin = will not leave winbox open to the public and will not use the standard port.

Keep trying.........
 
User avatar
Amm0
Forum Guru
Forum Guru
Posts: 4141
Joined: Sun May 01, 2016 7:12 pm
Location: California
Contact:

Re: Securing your router

Tue Jan 11, 2022 1:37 am

I am a politician and have potential access to sensitive information, both sent to me and accessed via network.
FWIW, if you look at how a former Chief of Staff in the US got hacked, it turns out it was a phishing email and bad IT advice:
https://www.pcmag.com/news/report-typo- ... email-hack

And the biggest attack on Mikrotik has been Mëris. Many aspects to that, but essentially use a long/complex password (>12 chars). Personally I wouldn't use a password manager to store the Mikrotik password, it's just too big a pot of gold beyond just your router.

Personally I think QuickSet and its default firewall, which blocks all but the necessary things, is the best approach - and likely what the manufacturer/Mikrotik generally recommend, notwithstanding the firewall config docs. Not saying Jotne's approach is bad at all – but he spent time on it and no doubt completely understands every line of config. I worry about stuff on clients doing bad things more, so if it's a choice about where you spend your time securing stuff – the client device would be my focus.

IP>Firewall>Connections shows traffic, so if ever concerned you can "audit" that to see if anything unexpected is going on. Knowing the expected traffic helps identify unexpected traffic - which can be addressed by the router's firewall, so also for LAN->WAN traffic to prevent data leaks. Anyway, if your concern is security, you need to look at layers/places beyond just what's going on at the router at your house. Presumably you connect to Wi-Fi or other networks sometimes, other than the network at your house. And/or use cloud services, VPNs, etc., etc. Those are all other attack vectors too.
 
Sob
Forum Guru
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: Securing your router

Tue Jan 11, 2022 2:20 am

@anav: Ok, then let's just stick with less confusing https. For example, you could be running blog.anavisgreat.ca, because you want to share your thoughts with whole world. So it has to be publicly accessible and it has to use default port 443 (technically no, but for real world use, pretty much yes). Now there's this new popular log4j vulnerability, which I, playing the role of bad guy, want to exploit. Would I first try to scan all ports on your webserver? Of course not, I'll go straight to port 443, and only when I don't succeed there, I may try other ports later, but probably only after I run out of other easy targets with default ports. So in this case blacklisting port scanners doesn't help at all. And I know you didn't say that it would, the response was mainly related to underestimating script kiddies.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 21351
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Securing your router

Tue Jan 11, 2022 3:47 am

Hmmm yes well then I would have my blog hosted at amazon aws or whatever cloud crap does that sort of thing and let them deal with the pain.
I know when to cut my losses and let others do the work.
 
holvoetn
Forum Guru
Forum Guru
Posts: 6317
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Securing your router

Tue Jan 11, 2022 7:52 am

That's keen admin, then ?
Or rather lazy admin ? :lol:
 
User avatar
mkx
Forum Guru
Forum Guru
Posts: 12645
Joined: Thu Mar 03, 2016 10:23 pm

Re: Securing your router

Tue Jan 11, 2022 9:09 am

No, not a lazy admin, he's diligent all right. But it boils down to what @Sob revealed in another thread: our beloved has a processing buffer of around 100 lines of code and the "block the port scanner" game adds just enough lines of code to overflow our beloved's processing buffer :-P
 
User avatar
SecCon
Member Candidate
Member Candidate
Posts: 156
Joined: Mon May 03, 2021 10:52 am

Re: Securing your router

Tue Jan 11, 2022 9:19 am

I am a politician and have potential access to sensitive information, both sent to me and accessed via network.
FWIW, if you look at how a former Chief of Staff in the US got hacked, it turns out it was a phishing email and bad IT advice:
https://www.pcmag.com/news/report-typo- ... email-hack
Personally I think QuickSet and its default firewall, which blocks all but the necessary things, is the best approach - a
What default FW? Ethernet Quick Set is one page in WebFig where you set the basic network range, DHCP and NAT; it has no FW rules in that "page". But if you are referring to the default FW explained here: https://help.mikrotik.com/docs/display/ ... theClients well that is what I tried to apply a couple of times but lost connectivity and had to start over. And ended up in this thread... not that I am complaining. :lol:

As for the hack you refer to, who the hell uses GMail for official stuff...? Phishing mails are everywhere, you just need to keep your wits about you.
 
User avatar
sindy
Forum Guru
Forum Guru
Posts: 10860
Joined: Mon Dec 04, 2017 9:19 pm

Re: Securing your router

Tue Jan 11, 2022 9:28 am

if you are referring to the default FW explained here: https://help.mikrotik.com/docs/display/ ... theClients well that is what I tried to apply a couple of times but lost connectivity and had to start over. And ended in this thread...
If it is still an issue, the right way is to create a dedicated topic where you post the export of the configuration which doesn't work. I assume you are aware that using Winbox, you can connect to the MAC address of the device even if your IP firewall is a total mess, provided that you haven't disabled the mac-server as well.

And as for the "default firewall" - it is not a matter of Quickset, it is a matter of the factory default settings. Quickset doesn't touch that part, it only lets you define interface types and roles, but the firewall rules themselves refer to interface lists WAN and LAN. But factory default settings only include firewall rules on SOHO devices - both of yours are "big boys' toys" so Mikrotik assumes that "home CPE" is a niche use case for them.
 
User avatar
mkx
Forum Guru
Forum Guru
Posts: 12645
Joined: Thu Mar 03, 2016 10:23 pm

Re: Securing your router

Tue Jan 11, 2022 9:32 am

But factory default settings only include firewall rules on SOHO devices - both of yours are "big boys' toys" so Mikrotik assumes that "home CPE" is a niche use case for them.

This.

Indeed MT doesn't say so anywhere (so it's really their fault), but to me when investing in a "big boys' toy" which he doesn't know how to handle, it would be sensible to get a "kids' toy" (e.g. a hAP mini) to learn how to handle the toy.
 
User avatar
SecCon
Member Candidate
Member Candidate
Posts: 156
Joined: Mon May 03, 2021 10:52 am

Re: Securing your router

Tue Jan 11, 2022 9:40 am

@sindy @mkx
Sorry you lost me. Sindy, yes I would of course make a new thread about that, but right now I am confused by what you and MKX are referring to in regards to SOHO devices, big boy toys and such...

So there is a default basic FW embedded and working regardless of any other settings, or additional FW scripting, which could explain someone mentioning that admin account is never exposed outside the local lan. (?)
 
User avatar
sindy
Forum Guru
Forum Guru
Posts: 10860
Joined: Mon Dec 04, 2017 9:19 pm

Re: Securing your router

Tue Jan 11, 2022 9:49 am

All devices come with a script that sets up the initial configuration, which is run as you press the "reset" button the right way or you enter a corresponding command line command. This script is part of the RouterOS package, so some evolution takes place along with RouterOS itself. And the script differs per device category, let's say. It is in no aspect "hard wired" - whatever this script has set up can be changed later if that was your question. It's just that for your devices, this script installs no firewall rules at all.
 
User avatar
SecCon
Member Candidate
Member Candidate
Posts: 156
Joined: Mon May 03, 2021 10:52 am

Re: Securing your router

Tue Jan 11, 2022 10:07 am

. It's just that for your devices, this script installs no firewall rules at all.
Wonderful...
 
User avatar
Sahafi2001
newbie
Topic Author
Posts: 41
Joined: Mon Apr 12, 2021 3:22 pm
Contact:

Re: Securing your router

Tue Jan 11, 2022 12:40 pm

To be clear with you

I run a public internet and use my Nanostation M2 to stream the internet to users purchasing accounts and logging in via the hotspot page.
Recently, many tools have spread that help bypass and hack the router and use the Internet for free, either through injection or proxy, which affects my work because the Internet is limited
The highest package offered by the government at a speed of 4 megabytes, a size of 400 gigabytes, and a price of approximately $ 70, which causes me a lot of losses.

All I want is router protection, can you direct me?
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 21351
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Securing your router

Tue Jan 11, 2022 1:55 pm

There are some big boys wearing big boy pants that should help you sort out your issues in terms of RoS and knowledge. Experience wise, I suspect there are many that run WISPs using MT devices that could be of assistance as well. I have not run hotspots so do not know the ins and outs of making that kind of setup secure.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 21351
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Securing your router

Tue Jan 11, 2022 2:54 pm

I remember it every time I feel like I want to smack you on the head, but then I realize how weird it would be. :D
@Sob I should teach you the sound of one hand slapping. :-))))))
https://www.youtube.com/watch?v=F3Pb3Kv-7XI
 
Sob
Forum Guru
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: Securing your router

Tue Jan 11, 2022 3:44 pm

@anav: I meant the gentle educational kind, the one that says "hey kid, behave!", but you see the problem. :)

But back to serious things...
Recently, many tools have spread that help bypass and hack the router and use the Internet for free, either through injection or proxy, ...
First step, you need to find out what exactly those tools do. Then you can think about ways how it can be prevented.
 
User avatar
sindy
Forum Guru
Forum Guru
Posts: 10860
Joined: Mon Dec 04, 2017 9:19 pm

Re: Securing your router

Tue Jan 11, 2022 4:11 pm

To be clear with you
...
All I want is router protection, can you direct me?
All you need to protect the router itself are three rules in chain input of filter, that will
  • allow packets belonging to already established connections:
    /ip firewall filter add chain=input connection-state=established,related action=accept
  • permit establishing of new management connections coming in via known-good interface(s) from known-good IP addresses:
    /ip firewall filter add chain=input src-address-list=mgmt-addresses in-interface-list=mgmt-interfaces protocol=tcp dst-port=22,8291 action=accept
  • drop any other packet towards the router itself, except if you need the router to serve as DNS for the clients (not a good idea where clients tend to cheat):
    /ip firewall filter add chain=input action=drop
Before putting these rules in place, you have to populate the interface list mgmt-interfaces with name(s) of the interface(s) from which management access to the router needs to be permitted, and the address-list mgmt-addresses with the IP addresses of the devices you are going to use to manage it.

First add the "drop" rule as disabled, connect to the router via the proper interface and from the proper address, and check whether the 2nd "accept" rule counts one packet for each new management connection; if it does, you can enable the "drop" rule.

However, all this is best to be done before ever connecting the router to the internet after a netinstall - if it has already spent some time connected to the internet without a proper firewall, it may already have another admin, and it may actively establish connections to that admin's VPN server so the firewall rules won't prevent the admin from accessing it.


Regarding cheating customers, ideally you wouldn't accept any IP packets at all at physical interfaces facing towards customers, and would only allow them to connect via PPPoE. This means they would be unable to bypass bandwidth enforcement by things like DNS tunneling.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 21351
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Securing your router

Tue Jan 11, 2022 4:27 pm

Interesting Sindy, I have always just given the admin full access to the router but thinking about your setup, the admin really only needs access on winbox port (I dont use the default port) and SSH lets say for backup. This also applies to remote connections where the key as you pointed out is being consistent with the interface list entry and the source address list entry.

Access to the router as requested is controlled in specific locations:

1. INPUT CHAIN as sindy has noted.
2. System Users, where one assigns the user name and password required to gain access & one can also use IP addresses to further limit.
3. Tools - MAC Server --> MAC WinBox Server, where one enters the interface list permitted access to winbox by MAC address & one can also use IP addresses to further limit ***
4. IP - Services, where one identifies the winbox and ssh port (activates it) & one limits based on "Available From" as well as further security of certificates

If one of these is not in concert with the others, accessing winbox will be problematic.
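The two posts above describe one procedure: sindy's three input-chain rules with the drop rule staged as disabled until the accept rule is seen counting your own logins, and anav's four places (input chain, system users, MAC server, IP services) that all have to agree. Here it is as one added RouterOS script, not either poster's own configuration. The interface ether2, the management range 192.168.88.0/24 and the default ports 22 and 8291 are assumptions; replace them with your own before running it, and run the two halves separately as the comments say.

```routeros
# Added example combining sindy's and anav's posts. Assumptions (not from the page):
# admin hosts sit in 192.168.88.0/24 and reach the router via ether2,
# WinBox stays on its default port 8291, SSH on 22, and no other service is needed.

/interface list add name=mgmt-interfaces comment="interfaces admins connect from"
/interface list member add list=mgmt-interfaces interface=ether2
/ip firewall address-list
add list=mgmt-addresses address=192.168.88.0/24 comment="admin workstations (constructed)"

# 1. INPUT chain: sindy's three rules. The drop rule goes in disabled.
/ip firewall filter
add chain=input connection-state=established,related action=accept \
    comment="1: existing connections"
add chain=input in-interface-list=mgmt-interfaces src-address-list=mgmt-addresses \
    protocol=tcp dst-port=22,8291 action=accept comment="2: new mgmt connections"
add chain=input action=drop disabled=yes comment="3: drop the rest (enable after test)"

# --- stop here. Open a fresh WinBox/SSH session from a management host, then ---
/ip firewall filter print stats where chain=input
# --- rule "2:" must show the new packets; only then enable the drop rule: ---
/ip firewall filter enable [find comment~"^3:"]

# 2. System users: bind the admin account to the same source addresses.
/user set admin address=192.168.88.0/24
# 3. MAC server: MAC-telnet and MAC-WinBox only on management interfaces.
#    This is the path that still works when the IP firewall is broken.
/tool mac-server set allowed-interface-list=mgmt-interfaces
/tool mac-server mac-winbox set allowed-interface-list=mgmt-interfaces
# 4. IP services: keep only what the INPUT rule allows, and scope those too.
/ip service disable telnet,ftp,www,api,api-ssl
/ip service set winbox address=192.168.88.0/24 port=8291
/ip service set ssh address=192.168.88.0/24 port=22
```

If the router must also answer DNS for LAN clients, add an accept for udp and tcp port 53 from the LAN interface list above rule "3:", the exception sindy mentions. Make a backup and enter Safe Mode (Ctrl+X in the terminal) before enabling the drop rule; if the session is lost, Safe Mode rolls the change back and the MAC-WinBox path on ether2 remains as a second way in.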
 
User avatar
Jotne
Forum Guru
Forum Guru
Posts: 3334
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Securing your router

Wed Jan 12, 2022 11:23 am

@jotne, waste of time, my drop all rule works just fine for scans..
If you have an open port then at least put a source address list on it, and the port won't appear on scans.
If you have port forwarding also ensure it's an encrypted type of connection for login, not just a plain user name.
If you think you can run a game server at home without any controls expect to get hacked, leave gaming to professionals such as Steam etc.......
I do not agree 100% with you here.
For dedicated on port attack, like the WinBox bug some time ago this did not help.

If you look at how many do attack you, they have a tool set that tries to do a lot of stuff, not just one port attack.
So if you have a FTP server or RDP server open that you do like to reach from all over internett (I do not recommend to do that for RDP), its just a username and password that prevents some from access your system. Here is where my drop rule works to prevent user that using a tools set that for some reason hits a port that its not open, to be blocked for both FTP and RDP.

PS For FTP I do have a 3 hit wrong user/password block.

PS For RDP I do use port knocking, so that port does not seem to be open in the first place, and not using the default port. The user gets blocked if they try the correct port (according to the above rules) without first passing the port knock.
 
User avatar
sindy
Forum Guru
Forum Guru
Posts: 10860
Joined: Mon Dec 04, 2017 9:19 pm

Re: Securing your router

Wed Jan 12, 2022 11:38 am

PS For FTP I do have a 3 hit wrong user/password block.
May I ask what are your reasons to use FTP these days, i.e. why is SFTP/SCP not sufficient?
 
User avatar
Jotne
Forum Guru
Forum Guru
Posts: 3334
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Securing your router

Wed Jan 12, 2022 11:44 am

Old system that I use for some backup purpose. Should have been upgraded ;)
 
User avatar
SecCon
Member Candidate
Member Candidate
Posts: 156
Joined: Mon May 03, 2021 10:52 am

Re: Securing your router

Wed Jan 12, 2022 12:49 pm

Just wanted to report back that I implemented the basic FW rules as specified here: https://help.mikrotik.com/docs/display/ ... vityAccess and everything is still working, even my Port Forward rule.

Yes, yes, to some it may be obvious that these rulesets in the FW will not affect one another, but I am just saying I am happy about this so far.
I did it in the WebFig interface though, not in the terminal. While it is a bit cumbersome to scroll back and forth to check the entries, I prefer doing it that way.
 
User avatar
sindy
Forum Guru
Forum Guru
Posts: 10860
Joined: Mon Dec 04, 2017 9:19 pm

Re: Securing your router

Wed Jan 12, 2022 1:11 pm

I did it in the WebFig interface though, not in the terminal. While it is a bit cumbersome to scroll back and forth to check the entries I prefer doing it that way.
The big drawback of GUI is that the information density per pixel is much lower as compared to plain text/command line.
 
holvoetn
Forum Guru
Forum Guru
Posts: 6317
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Securing your router

Wed Jan 12, 2022 1:15 pm

I did it in the WebFig interface though, not in the terminal. While it is a bit cumbersome to scroll back and forth to check the entries I prefer doing it that way.
The big drawback of GUI is that the information density per pixel is much lower as compared to plain text/command line.
Yet CLI is so 1984, uh ? :lol:
 
User avatar
SecCon
Member Candidate
Member Candidate
Posts: 156
Joined: Mon May 03, 2021 10:52 am

Re: Securing your router

Wed Jan 12, 2022 1:36 pm

I did it in the WebFig interface though, not in the terminal. While it is a bit cumbersome to scroll back and forth to check the entries I prefer doing it that way.
The big drawback of GUI is that the information density per pixel is much lower as compared to plain text/command line.

While you are not wrong, Sindy, that is a problem caused by the interface layout, not its functionality.
The big drawback of GUI is that the information density per pixel is much lower as compared to plain text/command line.
Yet CLI is so 1984, uh ? :lol:

I stand by my opinion.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 21351
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Securing your router

Wed Jan 12, 2022 2:07 pm

Hi SecCon, based on this thread I finished for now another thread I was working on.....
Based on some feedback here, sorry jotne, no port scanning rules were used or injured in the configs.
viewtopic.php?t=180838

(However I am willing to work on the next level FW set of rules - let's say for an intermediate user - but only when I can understand what I post - which may be a while).
 
User avatar
SecCon
Member Candidate
Member Candidate
Posts: 156
Joined: Mon May 03, 2021 10:52 am

Re: Securing your router

Wed Jan 12, 2022 3:24 pm

Hi Secon, based on this thread I finished for now another thread I was working on.....

viewtopic.php?t=180838

(However am willing to work on the next level fw set of rules - lets say an intermediate user - but only when I can understand what I post - which may be a while).
on it... you sure you want me posting and asking questions over there? :mrgreen:
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 21351
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Securing your router

Wed Jan 12, 2022 4:29 pm

There is no ignore button here so not much I could do anyways..... ;-)
 
User avatar
SecCon
Member Candidate
Member Candidate
Posts: 156
Joined: Mon May 03, 2021 10:52 am

Re: Securing your router

Wed Jan 19, 2022 9:43 am

So I just realized I protected the clients and not the Router :mrgreen:

https://help.mikrotik.com/docs/display/ ... theClients

compared to

https://help.mikrotik.com/docs/display/ ... vityAccess

This is basically a note to self, can't venture in to that right now, but later today perhaps.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 21351
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Securing your router

Wed Jan 19, 2022 1:40 pm

Hence the article created, which you should use as its better than both those quoted, if I must say so myself. :-)
