Professional Documents
Culture Documents
FIREWALL
Trainer
VEACESLAV SAMBURSKI
Firewall Principles
Firewall principles
A Firewall is a service that allows or
blocks data packets going to or through
it based on user-defined rules.
The firewall acts as a barrier between
two networks.
A common example is your LAN
(trusted) and the Internet (not trusted).
Firewall principles
How the firewall works?
The firewall operates using rules. These
have two parts
The matcher : The conditions that I need
to have a match
The Action : What I'll do once I have a
match
Firewall principles
The matcher looks at parameters such as :
Packet flows
MikroTik created the packet flow
diagrams to help us in the creation of
more advanced configurations
It's good to be familiar with them to
know what's happening with packets
and in which order
For this course, we'll keep it simple
Packet flows
Overall diagrams
Packet flows
Packet flows
Reply out
===OUTPUT===
Mangle-output output: in:(none) out:ether1, proto ICMP (type 3, code 1), 192.168.0.3->172.16.2.100, len 88
Filter-output output: in:(none) out:ether1, proto ICMP (type 3, code 1), 192.168.0.3->172.16.2.100, len 88
===POSTROUTING===
Mangle-postrouting postrouting: in:(none) out:ether1, proto ICMP (type 3, code 1), 192.168.0.3->172.16.2.100, len 88
DST-ADDRESS
17.172.232.126:5223
224.0.0.5
172.16.9.254:445
206.53.159.211:443
17.149.36.108:443
172.16.0.1
209.217.98.158:4569
173.252.103.16:443
69.171.235.48:443
173.252.79.23:443
173.252.102.241:443
224.0.0.5
65.54.167.16:12350
173.194.76.125:5222
172.16.0.1:1723
79.125.114.47:5223
TCP-STATE
TIMEOUT
established 23h42m6s
5m49s
established 23h42m51s
established 23h44m8s
established 23h43m41s
4h44m11s
13m9s
established 23h42m40s
established 23h43m27s
established 23h43m26s
established 23h44m15s
5m49s
established 23h35m28s
established 23h43m57s
established 4h44m11s
established 23h29m1s
NAT
Firewall
connection-bytes
connection-mark
connection-type
connection-state
connection-limit
connection-rate
layer7-protocol
p2p
new-connection-mark
tarpit
p2p matching in simple queues
Time-wait
Close
Syn-sent
Syn-received
Filter Matchers
Before taking "action" on a packet, it
must be identified.
Matchers are many!
Filter actions
Once a packet has been matched to a rule, an action
will be applied to it.
MikroTik's firewall filters have 10 actions.
Accept
Add-dst-to-address-list
Add destination address to address list specified by address-list parameter. Packet is passed to next
firewall rule.
Add-src-to-address-list
Add source address to address list specified by address-list parameter. Packet is passed to next firewall
rule.
Drop Silently drop the packet. Packet is not passed to next firewall rule.
Jump Jump to the user defined chain specified by the value of jump-target parameter. Packet is passed to next firewall rule (in the
user-defined chain).
Log
Add a message to the system log containing following data: in-interface, out-interface, src-mac, protocol, src-ip:port->dstip:port and length of the packet. Packet is passed to next firewall rule.
Passthrough Ignore this rule and go to next one (useful for statistics).
Reject Drop the packet and send an ICMP reject message. Packet is not passed to next firewall rule.
Return
Pass control back to the chain from where the jump took place. Packet is passed to next firewall rule (in originating chain,
if there was no previous match to stop packet analysis).
Tarpit Capture and hold TCP connections (replies with SYN/ACK to the inbound TCP SYN packet). Packet is not passed to next firewall
rule.
Accept icmp echo replies (You may want to ping a server on the Internet.
It would be useful for you to get the replies!)
Drop icmp echo requests (You don't want others pinging you. Stay under
the radar!)
Accept all "established" and "related" input traffic (You'll want the
replies to whatever the router asked for, like NTP and DNS requests)
Drop all "invalid" input traffic (Whatever the router gets that it didn't
ask for)
Log the rest of input traffic (Have I missed anything important?)
Drop the rest of input traffic (I want to be safe!)
Basic address-list
Basic address-list
Address lists are groups of IP addresses
They can be used to simplify filter rules
For example, you could create 100 rules to
block 100 addresses, or!!
You could create one group with those 100
addresses and create only one filter rule.
The groups (address lists) can represent
IT Admins with special rights
Hackers
Anything else you can think of
Basic address-list
They can be used in firewall filters, mangle and NAT
facilities.
Creation of address lists can be automated by using
add-src-to-address-list or add-dst-to-address-list
actions in the firewall filter, mangle or NAT facilities.
This is a great way of automatically blocking IP
addresses without having to enter them one by one
Example : add action=add-src-to-address-list
address-list=BLACKLIST chain=input
comment=psd in-interface=ether1-Internet
psd=21,3s,3,1
Source NAT
NAT
Network Address Translation (NAT) allows
hosts to use one set of IP addresses on the
LAN side and an other set of IP addresses
when accessing external networks.
Source NAT translates private IP addresses
(on the LAN) to public IP addresses when
accessing the Internet. The reverse is done for
return traffic. It's sometimes referred to as
"hiding" your address space (your network)
behind the ISP supplied address.
Destination NAT
NAT Syntax
Source NAT (from /ip firewall nat)
Destination NAT
Practical exercise
Laboratory
Goals of the lab
Laboratory : Setup
Laboratory: Step 1
Before going ahead with firewall rules, we'll test a NAT rule :
Masquerading
Look into your settings to see if you have a "masquerading"
NAT rule. Create one if you don't BUT leave it disabled. If
you have one make sure that it's disabled
Launch Winbox and connect to a neighbour pod.
In the IP FIREWALL CONNECTION section, look at active
connections. What do you see? Why?
Set the configuration option that will let you track
connections. Check the results.
Enable the masquerade NAT rule and check connection
tracking again.
Laboratory: Step 2
Let's make things more interesting by adding filter rules. Apply
the following rules to incoming traffic on your WAN interface.
Accept icmp echo replies
Drop icmp echo requests
Accept all "established" and "related" input and forward
traffic
Drop all "invalid" input and forward traffic
Log the rest of input and forward traffic
Drop the rest of input and forward traffic
Add meaningful comments to all rules.
Laboratory: Step 3
Now that you have rules, check your
logs. Look at the messages and their
format
Seeing what you see now, do you think
troubleshooting connection problems
would be easier? Why?
Laboratory: Step 4
Create Address Lists representing all
pods
Use the following format:
Name : Pod1
Address : <network/mask> of the LAN
Name : Pod1
Address : <IP> of the WAN interface
Laboratory: Step 5
Pods should be matched in pairs for the following
tests
Close your WinBox window and reopen it,
connecting to your peer pod. What's happening?
With one filter rule ONLY, allow all IP addresses
from you peer pod to connect to your router with
WinBox (TCP, 8291)
Make sure that it's in the right spot so that it
works
And DON'T forget comments!
Laboratory: Step 6
To test port redirection, we'll need to
make a small change to the IP
SERVICES of your pod.
Laboratory: Step 7
Close and reopen the WinBox interface without
adding any special parameters. What result do
you get?
Log into the WinBox using port 8111.
Create a dst-nat rule with a redirect action to
port 8111 on all TCP port 8291 traffic.
Close and reopen WinBox without the port after
the IP address. Does it work now?
Log into you peer pod's router. What's
happening?
Laboratory: Step 8
Return the WinBox port to it's normal
value of 8291.
Disable (don't delete) the dstnat rule of
"redirect".
Close WinBox and validate that you can
log into your router and your peer's
router normally.
Laboratory: Step 9
Create a dst-nat rule with a redirect
action to port 8291 on all TCP port 1313
traffic coming into the WAN port.
Open WinBox and log into your router
using port 1313.
Open WinBox and log into your peer's
router using port 1313.
Explain the different results.
Laboratory: Step 10
Do an export AND a binary backup
under the file name module6-podx.
Thank you!