Firewall input drop all except LAN
Posted: Mon Mar 20, 2023 11:14 pm
by globalmedia
I have enabled the defconf: drop all not coming from LAN rule in the firewall. Basically it is an input drop !LAN
After that I am getting a lot of these messages in the log:
OUT-OF-LAN input: in:ether1-pppoe-out1 out:(unknown 0), connection-state:new src-mac xx:xx:xx:xx:xx:xx, proto UDP, xxx.xxx.xxx.xxx:53->PPPOE-DYNAMIC-IP-ADDRESS:54398, len 144
I am trying to find an explanation for that. I see some topics in this forum related to a similar problem, but no solutions.
Do you have some idea about how to get it fixed?
Re: Firewall input drop all except LAN
Posted: Tue Mar 21, 2023 8:46 am
by BartoszP
You want to fix scanning bots or other abusing devices sweeping all router ports to check if your device is vulnerable.
Re: Firewall input drop all except LAN
Posted: Tue Mar 21, 2023 9:47 am
by erlinden
You can disable logging on this firewall rule.
Re: Firewall input drop all except LAN
Posted: Tue Mar 21, 2023 2:01 pm
by anav
First of all why do you use such a twisted rule??
defconf: drop all not coming from LAN rule in the firewall. Basically it is an input drop !LAN
Much better and clearer to simply say
accept all coming from LAN
drop all else
This leads to the logical next step, which you may not have noticed with the original default (designed for a simple flat network).
accept all coming from LAN but only with source address of ADMIN
accept all coming from LAN for ONLY required services, normally DNS and sometimes NTP
drop all else.
Because the whole LAN does not require full access to the router!! (input chain = to the router) better security practice!
Re: Firewall input drop all except LAN
Posted: Tue Mar 21, 2023 10:48 pm
by globalmedia
Dear,
I absolutely agree with you. But the comments came from the examples that I have used.
I will make necessary changes with your suggestions.
Accept all only from admin IPs.
Accept from all only 53 and 123 ports.
And I have observed the following... I am also getting a lot of ACK,PSH messages, and apparently all the messages were gone when I added a new condition to the rule:
Now the rule is chain input !LAN !DSTNAT. Apparently all those messages are from connections from NAT.
Sincerely,
Re: Firewall input drop all except LAN
Posted: Wed Mar 22, 2023 2:07 am
by anav
It's simple for both chains
a few default rules
a few user rules
drop all
No need to get cute............
allow Admin to router
allow users to needed services
drop all else
allow subnets to WAN
**************
allow port forwarding
drop all else
**** any other needed traffic like to a shared printer for example.
Re: Firewall input drop all except LAN
Posted: Thu Mar 23, 2023 3:52 am
by globalmedia
I got it. Thank you so much!
Mindset changes!
Re: Firewall input drop all except LAN
Posted: Thu Mar 23, 2023 4:13 am
by anav
Re: Firewall input drop all except LAN
Posted: Fri Mar 24, 2023 7:45 am
by globalmedia
Recommended topic for all new MikroTik users.