Firewall Testing Recommendations
Posted: Sun Apr 18, 2010 10:11 pm
by pablo
I'm using RouterOS for a small business firewall and I'd like some suggestions for testing before deployment. I've used nmap for scans but I'm wondering if there are more professional suggestions.
Re: Firewall Testing Recommendations
Posted: Fri Apr 23, 2010 10:15 pm
by BrianHiggins
disable unneeded packages, restrict or disable services [/ip services] to your LAN or management subnet
additionally if you use the firewall wizard in webbox (logon to the web interface) and check the protect customer (and router if you prefer) box, it will create a nice set of firewall rules to start with that will keep unwanted traffic out.
Re: Firewall Testing Recommendations
Posted: Fri Apr 23, 2010 10:52 pm
by pablo
Thanks for the advice. I didn't want to mess up my existing rules and I had heard that the web gui might do that. I did a fresh install of RouterOS 2.6 on a VM and used the web GUI. In case this is useful to anyone else I am posting the export output after setting all of the default protect options + NAT:
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s tcp-close-wait-timeout=10s tcp-established-timeout=1d tcp-fin-wait-timeout=\
10s tcp-last-ack-timeout=10s tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no tcp-time-wait-timeout=10s udp-stream-timeout=3m \
udp-timeout=10s
/ip firewall filter
add action=accept chain=input comment="Added by webbox" disabled=no protocol=icmp
add action=accept chain=input comment="Added by webbox" connection-state=established disabled=no in-interface=WAN
add action=accept chain=input comment="Added by webbox" connection-state=related disabled=no in-interface=WAN
add action=drop chain=input comment="Added by webbox" disabled=no in-interface=WAN
add action=jump chain=forward comment="Added by webbox" disabled=no in-interface=WAN jump-target=customer
add action=accept chain=customer comment="Added by webbox" connection-state=established disabled=no
add action=accept chain=customer comment="Added by webbox" connection-state=related disabled=no
add action=drop chain=customer comment="Added by webbox" disabled=no
/ip firewall nat
add action=masquerade chain=srcnat comment="Added by webbox" disabled=no out-interface=WAN
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061
set pptp disabled=no
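To reason about what this exported rule set does before pointing a scanner at it, here is an added example (mine, not from the post or from MikroTik): a small Python first-match evaluator over the filter rules above. It assumes RouterOS's first-match semantics, that a jump returns to the calling chain when the target chain falls through, and that a built-in chain accepts unmatched traffic by default.

```python
# Added example, not from the forum post: first-match evaluator for the
# webbox filter rules exported above. Only the matchers those rules use are
# modelled (chain, protocol, connection-state, in-interface).

# Filter rules transcribed from the export above, in their original order.
RULES = [
    dict(chain="input", action="accept", protocol="icmp"),
    dict(chain="input", action="accept", connection_state="established", in_interface="WAN"),
    dict(chain="input", action="accept", connection_state="related", in_interface="WAN"),
    dict(chain="input", action="drop", in_interface="WAN"),
    dict(chain="forward", action="jump", in_interface="WAN", jump_target="customer"),
    dict(chain="customer", action="accept", connection_state="established"),
    dict(chain="customer", action="accept", connection_state="related"),
    dict(chain="customer", action="drop"),
]
MATCHERS = ("protocol", "connection_state", "in_interface")

def evaluate(chain, packet, rules=RULES):
    """Walk `chain` top to bottom; return 'accept'/'drop', or None on fall-through."""
    for rule in rules:
        if rule["chain"] != chain:
            continue
        # A rule matches only if every matcher it specifies equals the packet's value.
        if any(k in rule and rule[k] != packet.get(k) for k in MATCHERS):
            continue
        if rule["action"] == "jump":
            # If the target chain falls through, processing resumes after the jump rule.
            result = evaluate(rule["jump_target"], packet, rules)
            if result is not None:
                return result
            continue
        return rule["action"]
    return None

def verdict(chain, packet):
    """Final policy: built-in chains accept whatever reaches their end unmatched."""
    return evaluate(chain, packet) or "accept"

if __name__ == "__main__":
    cases = [
        ("input", dict(protocol="tcp", connection_state="new", in_interface="WAN")),   # drop
        ("input", dict(protocol="icmp", connection_state="new", in_interface="WAN")),  # accept
        ("input", dict(protocol="tcp", connection_state="new", in_interface="LAN")),   # accept
        ("forward", dict(protocol="tcp", connection_state="new", in_interface="WAN")), # drop
        ("forward", dict(protocol="tcp", connection_state="new", in_interface="LAN")), # accept
    ]
    for chain, pkt in cases:
        print(f"{chain:8s} {pkt['in_interface']:4s} {pkt['protocol']:5s} {pkt['connection_state']:12s} -> {verdict(chain, pkt)}")
```

Running it shows that new connections from WAN are dropped in both the input and customer chains and ICMP to the router is accepted from any interface, while new connections from the LAN side reach the router's own services unfiltered, which is why restricting /ip services as suggested above still matters.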
Re: Firewall Testing Recommendations
Posted: Sat Apr 24, 2010 10:50 am
by pablo
Answering some of my own questions... here are some of the testing tools/scanners I've found...
For inbound connections there are quite a few:
http://www.auditmypc.com/
https://www.grc.com/ (ShieldsUp)
etc.
For outbound connections it's a little trickier since something needs to be listening on the other side. If you have an external server and can run something internally then there are quite a few tools. Otherwise the best thing I found which is simple and browser based is:
http://www.firebind.com/
I was actually able to verify that my netbios firewall filters are working using this tool!