Bridge Question

Posted: Tue Jun 17, 2008 6:19 pm
by nbk
I am replacing a firebox in one of my locations. The firebox is set in drop-in mode, so I had to bridge my External port and DMZ port on my MikroTik install. I have the bridge set up and it passes traffic; however, when I set firewall rules for my DMZ none are taking effect. I have made sure I told it to use the IP firewall. Anyone have any suggestions? Here is a bit of the config. I am testing using ICMP to my DMZ.

/interface bridge port
add bridge=bridge1 comment="" disabled=no edge=auto external-fdb=auto \
horizon=none interface=ether1-External path-cost=10 point-to-point=auto \
priority=0x80
add bridge=bridge1 comment="" disabled=no edge=auto external-fdb=auto \
horizon=none interface=ether2-Optional path-cost=10 point-to-point=auto \
priority=0x80
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-vlan=yes

/ip firewall filter
add action=accept chain=forward comment="Allow all outgoing" disabled=no \
out-interface=bridge1
add action=accept chain=forward comment="" disabled=no \
src-address=216.234.27.0/24
add action=accept chain=forward comment="" connection-state=established \
disabled=no
add action=drop chain=forward comment="" disabled=no protocol=udp
add action=drop chain=forward comment="" disabled=no protocol=tcp
add action=drop chain=forward comment="" disabled=no protocol=icmp

Re: Bridge Question

Posted: Tue Jun 17, 2008 6:35 pm
by msorensen
For reasons that I do not understand, those rules did apply to bridged traffic on versions of RouterOS... until version 3.

Now you have to specifically enable firewall rules on the bridge.

From WinBox/Bridge, Bridge Tab, Settings button, check "use IP firewall"

Or:

/interface bridge settings
set use-ip-firewall=yes

Re: Bridge Question

Posted: Tue Jun 17, 2008 6:43 pm
by nbk
The odd thing is I do have that set.

Re: Bridge Question

Posted: Tue Jun 17, 2008 6:52 pm
by msorensen
That is an odd set of FW rules....

In fact, reading this one:

add action=accept chain=forward comment="Allow all outgoing" disabled=no \
out-interface=bridge1

..... makes me wonder if that rule would accept everything... because in a bridge all "forward" packets come in from the bridge, and all packets go out to the bridge.

Perhaps you could describe exactly what traffic (protocol & port) that you are hoping to drop. And exactly what traffic (protocol & port) that you are hoping to accept.

Re: Bridge Question

Posted: Tue Jun 17, 2008 7:37 pm
by nbk
The rule you asked about was to allow all outgoing traffic. We are trying to block anything except for what we explicitly open. This is working now: when you mentioned the rule I got to thinking about it, moved the outgoing rule to the bottom, and it started to work. When we have set these up in the past we always had the outgoing rules before the deny and everything worked fine. I just wonder if it's something with using the bridge.

Re: Bridge Question

Posted: Tue Jun 17, 2008 7:49 pm
by msorensen
We are trying to block anything except for what we explicitly open

That is the correct approach for a protective firewall.

It looks like your current rules were an effort to allow ANYTHING from your internal network (you're calling it a DMZ). And are allowing ANYTHING from 216.234.27.0/24. And then want to drop everything else.....

This is how I would write that...

add chain=forward connection-state=invalid action=drop comment="Drop Invalid" disabled=no
add chain=forward connection-state=established action=accept comment="Allow Established Connections" disabled=no
add chain=forward connection-state=related action=accept comment="Allow Related Connections" disabled=no
add chain=forward src-address=<your DMZ IP address> action=accept disabled=no
add chain=forward src-address=216.234.27.0/24 action=accept disabled=no
add chain=forward action=drop comment="Drop Everything Else" disabled=no

But.... instead of

add chain=forward src-address=<your DMZ IP address> action=accept disabled=no
add chain=forward src-address=216.234.27.0/24 action=accept disabled=no

I would suggest writing rules which only allow certain protocols/ports to be accepted.

And, only from (and/or to) certain specified IP blocks when it is possible to narrow it down to that level...

Re: Bridge Question

Posted: Tue Jun 17, 2008 8:02 pm
by msorensen
When we have set these up in the past we always had the outgoing rules before the deny and everything worked fine. I just wonder if it's something with using the bridge.

I think that one problem with the bridge is that from the perspective of the forward firewall chains, all packets come in from the bridge, and all packets depart and are outbound to the bridge.

For "source" and "destination" I would suggest thinking in terms of specific IP addresses, and specify "source" and/or "destination" protocols/ports and specify IP address blocks whenever possible.

And...
When we have set these up in the past we always had the outgoing rules before the deny

Mikrotik (and all other commercial grade firewalls that I can think of) processes the rules in numerical order. As soon as there is a "Match" (when that packet matches the rule) the "Action" is then executed.

If the Action was "accept" or "drop" - that's it - game over - Mikrotik accepts or drops as instructed - no further processing is done.

So.... you need to mentally process the rules in the order in which you place them.

Normally, when writing protective firewall rules, you would want to write rules in the following order:
1) Drop traffic that you definitely do not want, defined as broadly as possible.
2) Specifically accept traffic that you do want, with the tightest possible definition of source and destination protocols & ports, and source and destination ip address blocks.
3) Drop everything else.
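The first-match behaviour described above, and why the bridge makes rule order bite, as an added illustration that is not part of the thread: a small Python model of /ip firewall filter evaluation run over nbk's rule list in both orders. Interface names and the 216.234.27.0/24 block are taken from the thread; the sample packets and the 203.0.113.5 source are constructed.

```python
"""Toy model of RouterOS first-match rule evaluation (added example, not from the thread).

Rules are checked in order; the first matching rule's action decides the packet and
no later rule is consulted. Packets that match no rule are accepted, which is
RouterOS's default policy for a chain.
"""
import ipaddress

def matches(rule, pkt):
    """True if every matcher present in the rule agrees with the packet."""
    for key in ("out-interface", "protocol", "connection-state"):
        if key in rule and rule[key] != pkt[key]:
            return False
    if "src-address" in rule:
        net = ipaddress.ip_network(rule["src-address"])
        if ipaddress.ip_address(pkt["src-address"]) not in net:
            return False
    return True

def first_match(rules, pkt, default="accept"):
    """Return (rule index, action) of the first matching rule, or (None, default)."""
    for i, rule in enumerate(rules):
        if matches(rule, pkt):
            return i, rule["action"]
    return None, default

# nbk's original order: the "allow all outgoing" rule sits at the top.
ORIGINAL = [
    {"action": "accept", "out-interface": "bridge1", "comment": "Allow all outgoing"},
    {"action": "accept", "src-address": "216.234.27.0/24"},
    {"action": "accept", "connection-state": "established"},
    {"action": "drop", "protocol": "udp"},
    {"action": "drop", "protocol": "tcp"},
    {"action": "drop", "protocol": "icmp"},
]
# Same rules with the out-interface rule moved to the bottom, as nbk ended up doing.
REORDERED = ORIGINAL[1:] + ORIGINAL[:1]

# Constructed samples. On a bridge every forwarded packet leaves via bridge1, so the
# out-interface=bridge1 matcher is true for inbound traffic to the DMZ as well.
INBOUND_PING = {"out-interface": "bridge1", "src-address": "203.0.113.5",
                "protocol": "icmp", "connection-state": "new"}
REPLY_TO_DMZ = {"out-interface": "bridge1", "src-address": "203.0.113.5",
                "protocol": "tcp", "connection-state": "established"}

if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL), ("reordered", REORDERED)):
        print(name, first_match(rules, INBOUND_PING), first_match(rules, REPLY_TO_DMZ))
```

With the original order the unsolicited ping is accepted by rule 0 and the three drop rules are never reached; with the reordered list it falls through to the ICMP drop while the established reply is still accepted.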

Re: Bridge Question

Posted: Tue Jun 17, 2008 8:57 pm
by nbk
The problem in the end was with this

add chain=forward connection-state=established action=accept comment="Allow Established Connections" disabled=no

The action should have been outgoing. I was not paying full attention to what I was doing. Thank you for your help...

Re: Bridge Question

Posted: Thu Feb 05, 2009 12:50 pm
by shanen_au
Thanks