Trying to understand the firewall workflow in MikroTik

Posted: Sat Aug 10, 2019 5:59 pm
by SpongeB0B
Hi everyone,

I'm currently setting up my first MikroTik router (hEX: RB750Gr3).
I have read the whole chapter about the firewall, but certain things are still unclear...

What are dynamic rules?
And what is this rule?
/ip firewall filter print dynamic
Flags: X - disabled, I - invalid, D - dynamic
0 D ;;; special dummy rule to show fasttrack counters
chain=forward action=passthrough
--

Input
 0    ;;; defconf: accept established,related,untracked
      chain=input action=accept connection-state=established,related,untracked 

 1    ;;; defconf: drop invalid
      chain=input action=drop connection-state=invalid 

 2    ;;; defconf: accept ICMP
      chain=input action=accept protocol=icmp 

 3    ;;; defconf: drop all not coming from LAN
      chain=input action=drop in-interface-list=!LAN 

If I want to improve this default config a little bit, I could:
  • remove the untracked from rule 0
  • change rule 2 into: chain=input action=accept protocol=icmp in-interface=ether2-master (meaning only LAN devices will be able to do ICMP, correct?)
  • is it possible to create an additional rule that says: drop everything that is not TCP:80 on LAN? (I can't find it...)


Forward
Flags: X - disabled, I - invalid, D - dynamic 
 0  D ;;; special dummy rule to show fasttrack counters
      chain=forward action=passthrough 

 1    ;;; defconf: accept in ipsec policy
      chain=forward action=accept ipsec-policy=in,ipsec 

 2    ;;; defconf: accept out ipsec policy
      chain=forward action=accept ipsec-policy=out,ipsec 

 3    ;;; defconf: fasttrack
      chain=forward action=fasttrack-connection connection-state=established,related 

 4    ;;; defconf: accept established,related, untracked
      chain=forward action=accept connection-state=established,related,untracked 

 5    ;;; defconf: drop invalid
      chain=forward action=drop connection-state=invalid 

 6    ;;; defconf:  drop all from WAN not DSTNATed
      chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN 
  • What is the purpose of rules 5 & 6?

Re: Trying to understand the firewall workflow in MikroTik

Posted: Sat Aug 10, 2019 6:32 pm
by pe1chl
The "dynamic" rules are inserted automatically. That one is used only for counting, it does nothing by itself.
When you remove the "fasttrack" rule and reboot the router, it will be gone. (and you have no fasttracking anymore)

Your "improvements" are not improvements at all! The default firewall is quite OK, currently.
Removing "untracked" can be done, but it will serve no purpose and will cause problems once you start using "untracked" in the "raw" firewall (which maybe will not happen).
You should not change the ICMP rule, not even when Steve Gibson tells you so. It will cause problems with MTU path discovery.
The 3rd change is not required, everything is already dropped by default.

Re: Trying to understand the firewall workflow in MikroTik

Posted: Sat Aug 10, 2019 7:14 pm
by SpongeB0B
Thank you @pe1chl !

The "dynamic" rules are inserted automatically
You mean they are default rules, or might other dynamic rules appear in the future? If yes, how are they generated?

The 3rd change is not required, everything is already dropped by default.
If I'm not mistaken, it only drops everything from outside the LAN, and I would like to authorize only TCP:80 from the LAN (I changed my first post to be clearer).

Re: Trying to understand the firewall workflow in MikroTik

Posted: Sat Aug 10, 2019 7:22 pm
by pe1chl
There used to be more dynamic rules in the past than there are now. E.g. an automatic "adjust tcp mss" rule for interfaces with a lower MTU.
Those are now no longer visible rules in the firewall, but options in the interface settings, probably handled by the driver instead of the firewall.
Now, the fasttrack thing is the most visible case of dynamic rules.

When you do not want access to certain services at all, you can turn them off under IP->services.
You can do it in the firewall as well, but I would advise you to first get some working knowledge about how it works, and features like "safe mode", as there is a risk of locking yourself out.

Re: Trying to understand the firewall workflow in MikroTik

Posted: Sat Aug 10, 2019 7:59 pm
by SpongeB0B
Thank you very much @pe1chl for your extensive answer !

I have already stopped those services, but I would also like to close all the remaining ports in the firewall.

I guess I will do this:
chain=input action=accept connection-state=established,related
chain=input action=drop connection-state=invalid 
chain=input action=accept protocol=icmp
chain=input action=drop in-interface-list=!LAN
chain=input action=accept in-interface-list=LAN
chain=input action=accept protocol=tcp in-interface-list=LAN dst-port=80
chain=input action=drop in-interface-list=LAN

Re: Trying to understand the firewall workflow in MikroTik

Posted: Sat Aug 10, 2019 8:18 pm
by pe1chl
It would break use of the router's DNS resolver.
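For reference, an added example (not posted by either participant) of how the "only TCP:80 from LAN" idea can be done without the two pitfalls in the proposed ruleset: the unconditional accept for in-interface-list=LAN shadows the two rules after it (first match wins), and a final LAN drop also blocks the services the defconf router provides to LAN hosts itself, the DNS resolver pe1chl mentions and the DHCP server. It assumes the four defconf input rules are still in place (new rules are appended after them), that the interface list is named LAN as in defconf, that the LAN subnet is 192.168.88.0/24, and that WebFig on TCP 80 is the only management service wanted from the LAN; Winbox (TCP 8291) and SSH (TCP 22) are deliberately not opened, so add them before the final drop if you use them.

```routeros
# Added example, not from the thread. Run it from a terminal after
# entering safe mode (Ctrl-X): if a rule locks you out, dropping the
# session rolls the changes back instead of leaving the router unreachable.

/ip firewall filter
# Everything below sits after defconf's "drop all not coming from LAN",
# so only LAN-sourced packets ever reach these rules. First match wins,
# so the allow list comes before the catch-all drop.
add chain=input in-interface-list=LAN protocol=udp dst-port=53 action=accept \
    comment="LAN: DNS resolver (router answers LAN queries)"
add chain=input in-interface-list=LAN protocol=tcp dst-port=53 action=accept \
    comment="LAN: DNS over TCP (large answers)"
add chain=input in-interface-list=LAN protocol=udp dst-port=67 action=accept \
    comment="LAN: DHCP server (defconf hands out leases from the router)"
add chain=input in-interface-list=LAN protocol=tcp dst-port=80 action=accept \
    comment="LAN: WebFig"
# Add Winbox (tcp/8291) or SSH (tcp/22) here if you rely on them, otherwise
# the next rule closes them too.
add chain=input in-interface-list=LAN action=drop \
    comment="LAN: drop everything else destined to the router"

# The services themselves should also be disabled or bound to the LAN subnet,
# so an accidental firewall change does not expose them again.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set api-ssl disabled=yes
set www address=192.168.88.0/24
set winbox address=192.168.88.0/24
set ssh address=192.168.88.0/24

# Check rule order and watch the counters while a LAN host resolves a name
# and opens WebFig; the final drop should not count those packets.
/ip firewall filter print stats where chain=input
```

Keep the defconf ICMP rule untouched, as noted earlier in the thread: the new rules only narrow what LAN hosts can reach on the router, and a LAN-only ICMP rule would break path MTU discovery from the WAN side.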