Firewall Filter: allow udp traffic?
Posted: Tue Jan 28, 2014 6:45 pm
I've been digging through several guides as to "How to protect your router" etc. Most of the examples show how to open the required ports and drop everything else. The one configuration line I don't understand is this one:
/ip firewall filter add chain=input protocol=udp action=accept comment="UDP" disabled=no
If I understand this correctly, it means it will accept UDP traffic from anyone and everyone regardless of interface. Isn't that a bad thing? The problem I'm having is this: I want my LAN users to be able to use my router as a DNS proxy. However, if I do not use the above line, some DNS queries are filtered out by my drop-everything-else rule.
Is there a secure way to allow only my LAN users access to my router as a DNS proxy? Here are my filters:
/ip firewall filter
add chain=forward connection-state=established comment="Accept established connections" disabled=no
add chain=forward connection-state=related comment="Accept related connections" disabled=no
add chain=forward connection-state=invalid action=drop comment="Drop invalid connections" disabled=no
add chain=input connection-state=invalid action=drop comment="Drop invalid connections" disabled=no
add chain=input connection-state=related comment="Accept related connections" disabled=no
add chain=input connection-state=established comment="Accept established connections" disabled=no
add chain=input protocol=icmp limit=50/5s,2 comment="Allow limited pings" disabled=no
add chain=input protocol=icmp action=drop comment="Drop excess pings" disabled=no
add chain=input src-address=192.168.1.0/24 action=accept comment="Allow LAN access" disabled=no
add chain=input action=log log-prefix="DROP INPUT" comment="Log everything else" disabled=no
add chain=input action=drop comment="Drop everything else" disabled=no
Again with the above config, DNS queries fail because the traffic is being dropped. If I add
/ip firewall filter add chain=input protocol=udp action=accept comment="UDP" disabled=no
DNS queries work, but my firewall also answers DNS lookups for anyone outside my network (the internet). I've tried tweaking with the in-interface etc. To my understanding, the DNS requests would fall under the established or related connections when my router makes a query. Apparently this isn't the case. Without allowing UDP traffic internet-wide, my router can't be used as a DNS proxy.
Any help is appreciated.
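For comparison, here is the blanket rule from the post next to a narrower set of input-chain rules that only let the LAN (192.168.1.0/24, taken from the filters above) reach the router's DNS proxy. This is an added example, not part of the original post; the interface name ether1 is an assumed WAN interface, and the rules are meant to sit above the "Log everything else" / "Drop everything else" pair.

```routeros
/ip firewall filter

# Weak: accepts every UDP packet addressed to the router from any source,
# so the DNS proxy (and any other UDP service) is reachable from the WAN too.
add chain=input protocol=udp action=accept comment="UDP" disabled=no

# Narrower alternative: match only DNS (port 53) and only from the LAN range.
# TCP/53 is included because resolvers fall back to TCP for large answers.
add chain=input protocol=udp dst-port=53 src-address=192.168.1.0/24 action=accept comment="DNS from LAN" disabled=no
add chain=input protocol=tcp dst-port=53 src-address=192.168.1.0/24 action=accept comment="DNS from LAN (TCP)" disabled=no

# Explicit, non-logged drop for DNS arriving on the WAN side (ether1 is assumed),
# so these packets do not flood the "DROP INPUT" log before the catch-all drop.
add chain=input protocol=udp dst-port=53 in-interface=ether1 action=drop comment="Drop DNS from WAN" disabled=no
add chain=input protocol=tcp dst-port=53 in-interface=ether1 action=drop comment="Drop DNS from WAN (TCP)" disabled=no
```

After adding the rules, `/ip firewall filter print stats` shows per-rule packet counters, which makes it easy to confirm that LAN lookups hit the "DNS from LAN" rules while lookups from outside land on the drop rules rather than on the blanket UDP accept.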