0 ;;; Drop invalid connections
chain=input action=drop connection-state=invalid
1 ;;; Port scanners to list
chain=input action=add-src-to-address-list protocol=tcp psd=21,3s,3,1
address-list=port scanners address-list-timeout=2w
2 ;;; NMAP FIN Stealth scan
chain=input action=add-src-to-address-list
tcp-flags=fin,!syn,!rst,!psh,!ack,!urg protocol=tcp
address-list=port scanners address-list-timeout=2w
3 ;;; SYN/FIN scan
chain=input action=add-src-to-address-list tcp-flags=fin,syn protocol=tcp
address-list=port scanners address-list-timeout=2w
4 ;;; SYN/RST scan
chain=input action=add-src-to-address-list tcp-flags=syn,rst protocol=tcp
address-list=port scanners address-list-timeout=2w
5 ;;; FIN/PSH/URG scan
chain=input action=add-src-to-address-list
tcp-flags=fin,psh,urg,!syn,!rst,!ack protocol=tcp
address-list=port scanners address-list-timeout=2w
6 ;;; ALL/ALL scan
chain=input action=add-src-to-address-list
tcp-flags=fin,syn,rst,psh,ack,urg protocol=tcp address-list=port scanners
address-list-timeout=2w
7 ;;; NMAP NULL scan
chain=input action=add-src-to-address-list
tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg protocol=tcp
address-list=port scanners address-list-timeout=2w
8 ;;; dropping port scanners
chain=input action=drop src-address-list=port scanners
9 ;;; suppress DoS attack
chain=input action=tarpit protocol=tcp src-address-list=black_list
connection-limit=3,32
10 ;;; detect DoS
chain=input act
address-list=black_list address-list-timeout=1d in-interface=ether1
connection-limit=10,32
11 ;;; DOS attack protection(50 connections/ip)
chain=input action=add-src-to-address-list protocol=tcp
address-list=black_list address-list-timeout=1d connection-limit=50,32
12 ;;; drop ssh brute forcers
chain=input action=drop protocol=tcp src-address-list=ssh_blacklist
dst-port=22
13 chain=input action=add-src-to-address-list connection-state=new protocol=tc>
src-address-list=ssh_stage3 address-list=ssh_blacklist
address-list-timeout=1w3d dst-port=22
14 chain=input action=add-src-to-address-list connection-state=new protocol
src-address-list=ssh_stage2 address-list=ssh_stage3
address-list-timeout=1m dst-port=22
15 chain=input action=add-src-to-address-list connection-state=new protocol
src-address-list=ssh_stage1 address-list=ssh_stage2
address-list-timeout=1m dst-port=22
16 chain=input action=add-src-to-address-list connection-state=new protocol
address-list=ssh_stage1 address-list-timeout=1m dst-port=22
17 ;;; drop ssh brute downstream
chain=forward action=drop protocol=tcp src-address-list=ssh_blacklist
dst-port=22
18 ;;; Allow Broadcast Traffic
chain=input action=accept dst-address-type=broadcast
19 ;;; smtp(e-mail)
chain=input action=accept protocol=tcp in-interface=ether1 src-port=25
20 ;;; vpn(gre)
chain=input action=accept protocol=gre in-interface=ether1
21 ;;; ping
chain=input action=accept protocol=icmp in-interface=ether1
22 ;;; tcp ports
chain=input action=accept protocol=tcp in-interface=ether1
dst-port=22,25,53,1723,2000,7780,8291
23 ;;; udp ports
chain=input action=accept protocol=udp in-interface=ether1 dst-port=53
24 ;;; drop everything else
chain=input action=drop in-interface=ether1
Building secure firewall
Here is my firewall, I am still working on it. I would like to share it and hear your opinions, what to change, what is missing...ether1 is internet....
Re: Building secure firewall
Code: Select all
0 ;;; Drop invalid connections
chain=input action=drop connection-state=invalid
1 ;;; Port scanners to list
chain=input action=add-src-to-address-list protocol=tcp psd=21,3s,3,1
address-list=port scanners address-list-timeout=2w
2 ;;; NMAP FIN Stealth scan
chain=input action=add-src-to-address-list
tcp-flags=fin,!syn,!rst,!psh,!ack,!urg protocol=tcp
address-list=port scanners address-list-timeout=2w
3 ;;; SYN/FIN scan
chain=input action=add-src-to-address-list tcp-flags=fin,syn protocol=tcp
address-list=port scanners address-list-timeout=2w
4 ;;; SYN/RST scan
chain=input action=add-src-to-address-list tcp-flags=syn,rst protocol=tcp
address-list=port scanners address-list-timeout=2w
5 ;;; FIN/PSH/URG scan
chain=input action=add-src-to-address-list
tcp-flags=fin,psh,urg,!syn,!rst,!ack pr address-list=port scanners address-list-timeout=2w
6 ;;; ALL/ALL scan
chain=input action=add-src-to-address-list
tcp-flags=fin,syn,rst,psh,ack,urg protocol=tcp address-list=port scanners
address-list-timeout=2w
7 ;;; NMAP NULL scan
chain=input action=add-src-to-address-list
tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg protocol=tcp
address-list=port scanners address-list-timeout=2w
8 ;;; dropping port scanners
chain=input action=drop src-address-list=port scanners
9 ;;; suppress DoS attack
chain=input action=tarpit protocol=tcp src-address-list=black_list
connection-limit=3,32
10 ;;; detect DoS attack(10 connections/ip from internet)
chain=input action=add-src-to-address-list protocol=tcp
address-list=black_list address-list-timeout=1d in-interface=ether1
connection-limit=10,32
11 ;;; DOS attack protection(50 connections/ip)
chain=input action=add-src-to-address-list protocol=tcp
address-list=black_list address-list-timeout=1d connection-limit=50,32
12 ;;; drop ssh brute forcers
chain=input action=drop protocol=tcp src-address-list=ssh_blacklist
dst-port=22
13 chain=input action=add-src-to-address-list connection-state=new protocol=tc>
src-address-list=ssh_stage3 address-list=ssh_blacklist
address-list-timeout=1w3d dst-port=22
14 chain=input action=add-src-to-address-list connection-state=new protocol=tc>
src-address-list=ssh_stage2 address-list=ssh_stage3
address-list-timeout=1m dst-port=22
15 chain=input action=add-src-to-address-list connection-state=new protocol=tc>
src-address-list=ssh_stage1 address-list=ssh_stage2
address-list-timeout=1m dst-port=22
16 chain=input action=add-src-to-address-list connection-state=new protocol=tc>
address-list=ssh_stage1 address-list-timeout=1m dst-port=22
17 ;;; drop ssh brute downstream
chain=forward action=drop protocol=tcp src-address-list=ssh_blacklist
dst-port=22
18 ;;; Allow Broadcast Traffic
chain=input action=accept dst-address-type=broadcast
19 ;;; smtp(e-mail)
chain=input action=accept protocol=tcp src-port=25
20 ;;; vpn(gre)
chain=input action=accept protocol=gre
21 ;;; ping
chain=input action=accept protocol=icmp
22 ;;; tcp ports
chain=input action=accept protocol=tcp dst-port=22,25,1723,2000,7780,8291
23 ;;; allow estabilished connections
chain=input action=accept connection-state=established
24 ;;; drop everything else
chain=input action=drop in-interface=ether1
Re: Building secure firewall
Security isn't an absolute thing - as long as you don't power off every network device and computer.
"Secure enough" depends solely on your specific requirements - which we cannot know. You may have to rethink your ruleset at least when the first user complains about something not working right. And there may always be someone more clever than you who knows how to get around your restrictions to achieve things you intended to block.
"Secure enough" depends solely on your specific requirements - which we cannot know. You may have to rethink your ruleset at least when the first user complains about something not working right. And there may always be someone more clever than you who knows how to get around your restrictions to achieve things you intended to block.
Re: Building secure firewall
Do you understand differences in chains (input,forward)?
There are many unnecessary rules. 19? 20? 21? 22?
Maybe better accept access for ssh or icmp or another services from trusted network?
Try to disable unused services in "/ip service".
There are many unnecessary rules. 19? 20? 21? 22?
Maybe better accept access for ssh or icmp or another services from trusted network?
Try to disable unused services in "/ip service".
Re: Building secure firewall
That's an example why I said we can't judge because we don't know the requirements. Is the box always administered locally via console port he won't need ssh and telnet. Otherwise he's pretty much locking himself out if he ever has to remotely work on the shell.Maybe better accept access for ssh or icmp or another services from trusted network?
Re: Building secure firewall
I connect to local network using vpn in this gateway. I ping this router from internet to check if it is online...and when is down send sms....from other device in network...Do you understand differences in chains (input,forward)?
There are many unnecessary rules. 19? 20? 21? 22?
Maybe better accept access for ssh or icmp or another services from trusted network?
Try to disable unused services in "/ip service".
25 is needed to send emails from this device....
I was just curious if order is good, and also if there is something other to do it more secure...
Re: Building secure firewall
If you have one port for WAN and another for LAN (or logical) it is not too hard to work out a secure solution. Like an onion we will start with a layer and add or remove features as we move through the layers. Note that I prefer to use interfaces instead of IP addressing because those can be spoofed.
Option 1: Router and internal network protection
Goals:
. Disallow anything originating from the WAN (ether1).
. Allow anything originating from the LAN (ether2) to setup and receive packets coming back to it.
. Allow ICMP (ping) from the WAN.
Notes:
This is a standard secure setup. However, it does not allow for internal servers. It also trusts internal clients to be nice and to not be in a hacked state. Suitable for a SOHO network.
Goals:
. Masquerade and allow for internal servers.
Notes:
Uses "Port mapping" technique.
Goals:
. Filter certain connections, ports, and packet types from leaving the LAN to the WAN.
Notes:
When I get time.
Option 4: Stop trusting the internal network
Goals:
. While still allowing for router supplied services (DHCP, DNS, etc.). Disallow anything else.
. Only allow LAN access to the router console from a single trusted client. Disallow all others.
. Segment the LAN clients from each other. They're all crazy anyway.
Notes:
When I get time.
Option 1: Router and internal network protection
Goals:
. Disallow anything originating from the WAN (ether1).
. Allow anything originating from the LAN (ether2) to setup and receive packets coming back to it.
. Allow ICMP (ping) from the WAN.
Notes:
This is a standard secure setup. However, it does not allow for internal servers. It also trusts internal clients to be nice and to not be in a hacked state. Suitable for a SOHO network.
ros code
#Router and internal network protection, no internal servers, LAN is friendly /ip firewall filter add chain=input action=drop connection-state=invalid comment="Disallow weird packets" add chain=input action=accept connection-state=new in-interface=LAN comment="Allow LAN access to router and Internet" add chain=input action=accept connection-state=established comment="Allow connections that originated from LAN" add chain=input action=accept connection-state=related comment="Allow connections that originated from LAN" add chain=input action=accept protocol=icmp comment="Allow ping ICMP from anywhere" add chain=input action=drop comment="Disallow anything from anywhere on any interface" add chain=forward action=drop connection-state=invalid comment="Disallow weird packets" add chain=forward action=accept connection-state=new in-interface=LAN comment="Allow LAN access to router and Internet" add chain=forward action=accept connection-state=established comment="Allow connections that originated from LAN" add chain=forward action=accept connection-state=related comment="Allow connections that originated from LAN" add chain=forward action=drop comment="Disallow anything from anywhere on any interface"Option 2: Allowing for internal servers
Goals:
. Masquerade and allow for internal servers.
Notes:
Uses "Port mapping" technique.
ros code
# Port Forward (map) to an internal LAN server. Note that you'll need to move the # last line via the GUI to be above DROP rules. If you're using the one above # place it above the last line: "add chain=forward action=drop" /ip address add address=1.2.3.4/24 interface=WAN comment="Set public IP of router to a public interface" /ip firewall nat add chain=srcnat action=masquerade out-interface=WAN comment="Turn on masquerading" /ip firewall nat add chain=dstnat action=dst-nat protocol=tcp to-address=1.2.3.4 dst-port=80 to-port=80 comment="Create an incoming port map rule" /ip firewall filter add chain=forward action=accept protocol=tcp dst-port=80 comment="Add a filter exception for port mapped server"Option 3: Stop bad outgoing traffic
Goals:
. Filter certain connections, ports, and packet types from leaving the LAN to the WAN.
Notes:
When I get time.
Option 4: Stop trusting the internal network
Goals:
. While still allowing for router supplied services (DHCP, DNS, etc.). Disallow anything else.
. Only allow LAN access to the router console from a single trusted client. Disallow all others.
. Segment the LAN clients from each other. They're all crazy anyway.
Notes:
When I get time.
Last edited by pcunite on Wed Sep 04, 2013 5:06 pm, edited 1 time in total.
Re: Building secure firewall
I used the rules on the demo router as a start.
demo2.mt.lv
I added chain=input action=drop protocol=tcp dst-port=0-65535 port=""
to avoid port scans.
demo2.mt.lv
I added chain=input action=drop protocol=tcp dst-port=0-65535 port=""
to avoid port scans.