Community discussions

MikroTik App
  4. RouterOS
  5. Beginner Basics

Trying to understand the firewall workflow in MikroTik

Post Reply
 
User avatar
SpongeB0B
newbie
Topic Author
Posts: 39
Joined: Wed May 29, 2019 10:18 am

Trying to understand the firewall workflow in MikroTik

Sat Aug 10, 2019 5:59 pm

Hi everyone,

I'm currently setup my first MikroTik router (Hex: RB750Gr3)
I have read all the chapter about the firewall but still certain thing are unclear...

What are Dynamic rules ?
and what is this rule ?
/ip firewall filter print dynamic
Flags: X - disabled, I - invalid, D - dynamic
0 D ;;; special dummy rule to show fasttrack counters
chain=forward action=passthrough
--

Input
Code: Select all
 0    ;;; defconf: accept established,related,untracked
      chain=input action=accept connection-state=established,related,untracked 

 1    ;;; defconf: drop invalid
      chain=input action=drop connection-state=invalid 

 2    ;;; defconf: accept ICMP
      chain=input action=accept protocol=icmp 

 3    ;;; defconf: drop all not coming from LAN
      chain=input action=drop in-interface-list=!LAN

If I want to improve a little bit this default config I could
  • remove the untracked from rule 0
  • change rule 2 into : chain=input action=accept protocol=icmp in-interface=ether2-master (meaning only all Lan device will be able to do a ICMP correct ?)
  • is it possible to create an additional rule how say : Drop everything who is not TCP:80 on LAN ? (I don't find...)


Forward
Code: Select all
Flags: X - disabled, I - invalid, D - dynamic 
 0  D ;;; special dummy rule to show fasttrack counters
      chain=forward action=passthrough 

 1    ;;; defconf: accept in ipsec policy
      chain=forward action=accept ipsec-policy=in,ipsec 

 2    ;;; defconf: accept out ipsec policy
      chain=forward action=accept ipsec-policy=out,ipsec 

 3    ;;; defconf: fasttrack
      chain=forward action=fasttrack-connection connection-state=established,related 

 4    ;;; defconf: accept established,related, untracked
      chain=forward action=accept connection-state=established,related,untracked 

 5    ;;; defconf: drop invalid
      chain=forward action=drop connection-state=invalid 

 6    ;;; defconf:  drop all from WAN not DSTNATed
      chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN
  • What the purpose of rule 5 & 6 ?
Last edited by SpongeB0B on Sat Aug 10, 2019 7:17 pm, edited 2 times in total.
Top
 
pe1chl
Forum Guru
Forum Guru
Posts: 10560
Joined: Mon Jun 08, 2015 12:09 pm

Re: Trying to understand the firewall workflow in MikroTik

Sat Aug 10, 2019 6:32 pm

The "dynamic" rules are inserted automatically. That one is used only for counting, it does nothing by itself.
When you remove the "fasttrack" rule and reboot the router, it will be gone. (and you have no fasttracking anymore)

Your "improvements" are not improvements at all! The default firewall is quite OK, currently.
Removing "untracked" can be done, but it will serve no purpose and will cause problems once you start using "untracked" in the "raw" firewall (which maybe will not happen).
You should not change the ICMP rule, not even when Steve Gibson tells you so. It will cause problems with MTU path discovery.
The 3rd change is not required, everything is already dropped by default.
Top
 
User avatar
SpongeB0B
newbie
Topic Author
Posts: 39
Joined: Wed May 29, 2019 10:18 am

Re: Trying to understand the firewall workflow in MikroTik

Sat Aug 10, 2019 7:14 pm

Thank you @pe1chl !

The "dynamic" rules are inserted automatically
You mean they are default rules or it might happen that in the futur appear other Dynamic rules ? if yes how are they generated ?

The 3rd change is not required, everything is already dropped by default.
If I'm not mistaken it's only drop everything outside LAN , and I would like authorize only TCP:80 from LAN (I change my first post to be more clear)
Last edited by SpongeB0B on Sat Aug 10, 2019 7:49 pm, edited 1 time in total.
Top
 
pe1chl
Forum Guru
Forum Guru
Posts: 10560
Joined: Mon Jun 08, 2015 12:09 pm

Re: Trying to understand the firewall workflow in MikroTik

Sat Aug 10, 2019 7:22 pm

There used to be more dynamic rules in the past then there are now. E.g. automatic "adjust tcp mss" rule for interfaces with lower MTU.
Those are now no longer visible rules in the firewall, but options in the interface settings, probably handled by the driver instead of the firewall.
Now, the fasttrack thing is the most visible case of dynamic rules.

When you do not want access to certain services at all, you can turn them off under IP->services.
You can do it in the firewall as well, but I would advise you to first get some working knowledge about how it works, and features like "safe mode", as there is a risk of locking yourself out.
Top
 
User avatar
SpongeB0B
newbie
Topic Author
Posts: 39
Joined: Wed May 29, 2019 10:18 am

Re: Trying to understand the firewall workflow in MikroTik

Sat Aug 10, 2019 7:59 pm

Thank you very much @pe1chl for your extensive answer !

I have stopped already those services, but I would like to close also all the remaining ports from the firewall.

I guess I will do this:
Code: Select all
chain=input action=accept connection-state=established,related
chain=input action=drop connection-state=invalid 
chain=input action=accept protocol=icmp
chain=input action=drop in-interface-list=!LAN
chain=input action=accept in-interface-list=LAN
chain=input action=accept protocol=tcp in-interface-list=LAN dst-port=80
chain=input action=drop in-interface-list=LAN
Top
 
pe1chl
Forum Guru
Forum Guru
Posts: 10560
Joined: Mon Jun 08, 2015 12:09 pm

Re: Trying to understand the firewall workflow in MikroTik

Sat Aug 10, 2019 8:18 pm

It would break use of the router's DNS resolver.
Top
Post Reply
  4. RouterOS
  5. Beginner Basics