
Firewall setup - Block all inbound but allow all outbound

Posted: Sun May 04, 2008 12:46 am
by QpoX
I want to block all inbound traffic on all ports but have port 80 TCP and port 3389 TCP and port 27000-27050 TCP/UDP open.

But when I make this:
add action=accept chain=forward comment="RDP" disabled=no dst-address=xxx.xxx.xxx.123 dst-port=3389 protocol=tcp src-address=yyy.yyy.yyy.0/28
add action=accept chain=forward comment="HTTP" disabled=no dst-address=xxx.xxx.xxx.123 dst-port=80 protocol=tcp src-address=yyy.yyy.yyy.0/28
add action=accept chain=forward comment="TF2" disabled=no dst-address=xxx.xxx.xxx.123 dst-port=27000-27050 protocol=tcp
add action=accept chain=forward comment="TF2" disabled=no dst-address=xxx.xxx.xxx.123 dst-port=27000-27050 protocol=udp
add action=drop chain=forward comment="BLOCK ALL" disabled=yes dst-address=xxx.xxx.xxx.123

It does not work; I can't even ping out from xxx.xxx.xxx.123 or get any traffic out (look at websites and so on).
Is there something that I don't get about the way the firewall in RouterOS is working?
But the RDP and HTTP work??? (I can connect to the RDP running on xxx.xxx.xxx.123 and look at the HTTP server running on it.)
And when I disable the "BLOCK ALL" rule it all works, but the machine is exposed to the net.

Re: Firewall setup - Block all inbound but allow all outbound

Posted: Sun May 04, 2008 2:16 am
by jwcn
Use IP - services to turn off inbound services.

Re: Firewall setup - Block all inbound but allow all outbound

Posted: Sun May 04, 2008 2:50 am
by QpoX
It's not the box itself these rules are for, but a server on a subnet...

Re: Firewall setup - Block all inbound but allow all outbound

Posted: Sun May 04, 2008 4:56 am
by jwcn
Are you routing public addresses or nat?

Re: Firewall setup - Block all inbound but allow all outbound

Posted: Sun May 04, 2008 5:34 am
by QpoX
I'm routing public addresses and this server is on a /30

Re: Firewall setup - Block all inbound but allow all outbound

Posted: Sun May 04, 2008 6:12 am
by jwcn
Check out the Wiki. I think you will find your answer there.

Re: Firewall setup - Block all inbound but allow all outbound

Posted: Sun May 04, 2008 11:41 pm
by savagedavid
A simple way would be to masquerade the network if you don't mind having a NATted output. This will effectively hide your network behind the router but still allow all outgoing traffic.

Currently the last rule in your list will drop ALL traffic in the forward chain, in and out, so the result you are getting is expected.

Re: Firewall setup - Block all inbound but allow all outbound

Posted: Mon May 05, 2008 12:20 am
by QpoX
Check out the Wiki. I think you will find your answer there.
Did not find anything useful :(

A simple way would be to masquerade the network if you don't mind having a NATted output. This will effectively hide your network behind the router but still allow all outgoing traffic.

Currently the last rule in your list will drop ALL traffic in the forward chain, in and out, so the result you are getting is expected.
Have had that idea in my head, but I wanted it on its own IP, free of NAT...
But how do I block all inbound and only allow in the traffic that I want open, and allow all outbound traffic?

Re: Firewall setup - Block all inbound but allow all outbound

Posted: Mon May 05, 2008 5:51 am
by jwcn
Dmitri's firewall rules. Read the wiki.

Re: Firewall setup - Block all inbound but allow all outbound

Posted: Mon May 05, 2008 6:29 am
by QpoX
Dmitri's firewall rules. Read the wiki.
Will do...

Re: Firewall setup - Block all inbound but allow all outbound

Posted: Wed May 07, 2008 4:41 pm
by andrewluck
Before the final drop rule, add this:
chain=forward action=accept connection-state=established
Regards

Andrew
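For reference, here is the complete forward-chain ruleset that the thread converges on, written out as an added example (editor's code, not posted by any participant). It assumes the same placeholder addresses as the original post (xxx.xxx.xxx.123 for the server, yyy.yyy.yyy.0/28 for the admin network) and that RouterOS connection tracking is enabled, which it is by default. The point it makes concrete is the one savagedavid and andrewluck raised: the original "BLOCK ALL" rule matched every packet headed to the server, including the reply half of connections the server itself opened, so outbound browsing and ping died with it. Accepting established and related traffic ahead of the drop rule lets those replies through while keeping unsolicited inbound connections out. Rules are evaluated top to bottom and the first match wins, so the order below matters.

```routeros
/ip firewall filter
# Replies to connections the protected server opened (TCP handshakes it started,
# ICMP echo replies, DNS answers) plus related flows such as FTP data channels.
# This is the rule the original ruleset was missing.
add chain=forward action=accept connection-state=established,related comment="allow replies to outbound"
# Packets that connection tracking cannot associate with any valid flow.
add chain=forward action=drop connection-state=invalid comment="drop invalid"
# Anything the server itself originates is allowed out.
add chain=forward action=accept src-address=xxx.xxx.xxx.123 comment="server outbound"
# Explicitly allowed inbound services, kept as in the original post.
# Note: dst-port only matches when protocol= is given on the same rule.
add chain=forward action=accept dst-address=xxx.xxx.xxx.123 protocol=tcp dst-port=3389 src-address=yyy.yyy.yyy.0/28 comment="RDP (admin net only)"
add chain=forward action=accept dst-address=xxx.xxx.xxx.123 protocol=tcp dst-port=80 src-address=yyy.yyy.yyy.0/28 comment="HTTP"
add chain=forward action=accept dst-address=xxx.xxx.xxx.123 protocol=tcp dst-port=27000-27050 comment="TF2 tcp"
add chain=forward action=accept dst-address=xxx.xxx.xxx.123 protocol=udp dst-port=27000-27050 comment="TF2 udp"
# Everything else destined for the server is dropped. Because the accept rules
# above already matched the reply traffic, this no longer breaks outbound access.
add chain=forward action=drop dst-address=xxx.xxx.xxx.123 comment="BLOCK ALL"
```

Two caveats a practitioner would check. First, the forward chain only governs traffic passing through the router to the server; the router's own management services (Winbox, SSH, the API) are reached through the input chain, which is what jwcn's "IP > Services" suggestion addresses, and it needs its own rules. Second, test the ruleset with the drop rule enabled and /ip firewall connection open in another window: a browse from the server should show an outbound entry whose reply packets increment the counter on the established,related rule rather than the BLOCK ALL rule. If counters on BLOCK ALL climb while the server is only browsing, the accept rule has been placed after the drop rule and must be moved above it.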