
Firewall

Module 6

2013-01-01 1
Firewall Principles

Firewall

• Protects your router and clients from unauthorized access
• This is done by creating rules in the Firewall Filter facility
• Rules are packet matchers: if a packet matches, the “Action” is performed
Firewall Types
• Firewalls come in two basic flavors, stateful and stateless
• Stateless firewalls are simplistic: filter rules match on source or destination IP address and port, then accept or block
• Stateful rules understand the state of connections through the firewall; they are much more robust, more flexible and easier to implement
• We will learn here to use a combination of both techniques, starting with stateless
Firewall Facility - Exploring the Tabs
Firewall Filter

• Consists of user-defined rules that work on the IF-THEN principle
• These rules are ordered in Chains
• There are predefined Chains and user-created Chains
Firewall Filter
• Two tabs are required for a basic filter rule: General and Action
• General: packet matcher
• Action: what we are going to do with the packets that match
Filter Chains
• Chains are a strange way to say “places where we can look at and act on traffic”

[Diagram: the three chains, Input, Forward and Output]

• In each of these places or “chains”, we can examine traffic, allow traffic or block traffic
Firewall Chains

• Rules can be placed in three default chains
− input (to router)
− output (from router)
− forward (through the router)
Firewall Chains

[Diagram: Winbox traffic to the router hits the Input chain; a ping from the router hits the Output chain; WWW and E-Mail traffic passing through the router hits the Forward chain]
Which Chain?
• If a packet has a destination address on the
router itself (local address), it hits the
INPUT chain
• If a packet has an address for which we have
a route (but not a local address), it hits the
FORWARD chain
• If a packet is generated by the router itself
(you on the terminal pinging a host) it hits
the OUTPUT chain

[Flowchart: is the destination address local? Yes: the Input chain, for the router's internal HTTP server, Winbox server, DNS server, etc. No: the Forward chain]
Input

• Chain contains the filter rules that protect the router itself
• Let’s block everyone except your laptop using a simple, stateless rule
Input

Add an accept rule for your laptop IP address. Your IP is 192.168.X.254
Input

Add a drop rule in the input chain to drop everyone else
Invalid Rules

After version 6.19, any invalid firewall rule is shown in red and has an appropriate comment.
Address-List

• An address-list allows you to filter a group of addresses with one rule
• Addresses can be added to an address-list automatically and then blocked
Address-List
• Create different lists
• Subnets, separate ranges and single host addresses are supported
Address-List in Firewall

• Ability to block by source and destination addresses
Forward

• Chain contains rules that control packets going through the router
• Controls traffic to and from the clients
• Rules in the forward chain are used to protect the LAN but can also be used to restrict the activities of hosts on the LAN
Forward

• Create a rule that will block TCP port 80 (web browsing)
• The protocol must be selected in order to match ports
Rule Actions Besides Accept and Drop

There are many other firewall filter rule actions, so we will look at a few more.
Add to Address-List
• Address lists can be created manually or automatically by firewall rules
• Add a specific host to an address-list
• Specify a timeout for a temporary addition
P2P - Peer to Peer
Create a rule that will block the clients’ p2p traffic
Firewall Logging
• Let’s log client pings to the router
• The log rule should be added before the rule with the other action (e.g. drop), because a dropped packet never reaches a later log rule
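The input-chain rules from the slides above (the stateless accept for your laptop, the drop for everyone else, an address list, add-to-address-list with a timeout, and a log rule placed before the drop), written as RouterOS CLI commands. This is an added example, not part of the original deck; the 192.168.1.254 laptop address, the list names, the 1h timeout and the log prefix are assumed values.

```routeros
# Added example: protect the router itself (chain=input) with stateless rules.
# Assumed values: laptop 192.168.1.254, list names, 1h timeout, log prefix.

/ip firewall address-list
# A list can hold single hosts, subnets and ranges; one rule then matches them all.
add list=management address=192.168.1.254 comment="laptop"
add list=management address=192.168.1.0/24 comment="LAN subnet"
add list=management address=192.168.5.10-192.168.5.20 comment="admin range"

/ip firewall filter
# Rule order matters: the accept rules must sit above the final drop.
add chain=input src-address=192.168.1.254 action=accept \
    comment="stateless accept for the laptop"
add chain=input src-address-list=management action=accept \
    comment="accept every host in the management list"

# Everyone else is recorded in a temporary list (dynamic entry, removed
# after 1h). This action does not stop processing; the packet moves on.
add chain=input action=add-src-to-address-list address-list=unwanted \
    address-list-timeout=1h comment="remember other sources for 1h"

# The log rule goes BEFORE the drop: log is also a pass-through action,
# so the packet is logged and then continues to the drop rule.
add chain=input protocol=icmp action=log log-prefix="input-ping:" \
    comment="log pings to the router"

add chain=input action=drop comment="drop everyone else"
```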
Firewall Log
Custom chains

• In addition to the built-in chains (input, forward, output), custom chains can be created
• They make the firewall structure simpler
• They decrease the load on the router
Firewall chains in Action
• Sequence of the firewall custom chains
• Custom chains can be for viruses, TCP, UDP protocols, etc.
Connections - Packet Types

Note: Invalid - not a part of a previously known connection but not a SYN packet, so it can’t start a new connection.
What If We Only Had
Stateless Rules?
• We would need a specific rule for every protocol and port we wanted to allow: a high degree of administrative effort and constant adjustment
• Using stateful rules (connection states) we can create a simpler, more flexible firewall
• Assume that anything that initiates from the LAN is good and that anything initiated from the WAN is bad
Connection State
• In the forward chain, firewalls should allow only new connections that initiate from the LAN, plus established or related connections, and drop invalid ones
• Filter rules have the “connection state” matcher for this purpose
• Using connection state is an easy way to allow only traffic initiated by your clients to pass through the firewall
Tying It All Together
• Firewalls are built according to purpose; backbone router and internet router are two broad categories
• Firewalls use a combination of rules:
− Rules to protect the router
− Rules to protect the clients
− Connection rules to allow clients to access the internet
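A forward chain built the way the connection-state and custom-chain slides describe, as RouterOS CLI commands: established/related first, invalid dropped, a jump into a custom chain for the “Servers” address list (the optional part of lab step 2), and new connections accepted only from the LAN. This is an added example, not from the original deck; it assumes ether1 is the WAN interface, that an address list named Servers exists, and the server ports shown.

```routeros
# Added example: stateful forward chain plus a custom chain reached by a jump.
# Assumed: ether1 is the WAN (internet) interface, "Servers" is an existing
# address list, and the servers offer TCP 80, 443 and 25.

/ip firewall filter
# Packets of connections we already know are accepted first; this one rule
# replaces a separate stateless rule for every protocol and port.
add chain=forward connection-state=established,related action=accept \
    comment="replies to known connections"

# Invalid: not part of a known connection and not a SYN, so it cannot
# start a new one. Drop it.
add chain=forward connection-state=invalid action=drop comment="drop invalid"

# Restrict the LAN hosts' activities: block peer-to-peer traffic
# (the p2p matcher of the RouterOS version the deck is written for).
add chain=forward p2p=all-p2p action=drop comment="no p2p from clients"

# Traffic for the hosts in the "Servers" list is handled in its own chain.
# If nothing in that chain accepts or drops, processing returns here.
add chain=forward dst-address-list=Servers action=jump jump-target=servers \
    comment="server traffic -> custom chain"

# New connections arriving from the WAN are bad; whatever new connections
# remain after that rule were initiated from the LAN and are good.
add chain=forward connection-state=new in-interface=ether1 action=drop \
    comment="no new connections from the internet"
add chain=forward connection-state=new action=accept \
    comment="new connections from the LAN"

# Custom chain: only the published services reach the servers.
add chain=servers protocol=tcp dst-port=80,443 action=accept comment="web"
add chain=servers protocol=tcp dst-port=25 action=accept comment="mail"
add chain=servers action=drop comment="nothing else to the servers"
```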
Source NAT

NAT
• Network Address Translation (NAT) allows hosts to use one set of IP addresses on the LAN side and another set of IP addresses when accessing external networks.
• Source NAT translates private IP addresses (on the LAN) to public IP addresses when accessing the Internet. The reverse is done for return traffic. It's sometimes referred to as "hiding" your address space (your network) behind the ISP-supplied address.
Masquerade and src-nat action
• The first chain for NATing is "srcnat". It's used by traffic leaving the router.
• Much like firewall filters, NAT rules have many properties and actions (13 actions!).
• The first, and most basic, NAT rule only uses the "masquerade" action.
• Masquerade replaces the source IP address in packets with one determined by the routing facility.
− Typically, the source IP address of packets going to the Internet will be replaced by the address of the outside (WAN) interface. This is required for return traffic to "find its way home".
Masquerade and src-nat action

• The "src-nat" action changes the source IP address and port of packets to those specified by the network administrator
− Usage example: Two companies (Alpha and Beta) have merged and they both use the same address space (ex. 172.16.0.0/16). They will set up a segment using a totally different address space as a buffer, and both networks will require src-nat and dst-nat rules.
Destination NAT

Dst-nat and redirection action

• "Dst-nat" is an action used in the "dstnat" chain to redirect incoming traffic to a different IP address or port
− Usage example: In our previous Alpha and Beta example, we see that dst-nat rules will be required to reconvert the "buffer IP address" to Beta's server's address.
Dst-nat and redirection action

• "Redirect" changes the destination port to the specified "to-ports" port of the router.
− Usage example: All http (TCP, port 80) traffic is to be sent to the web proxy service at TCP port 8080.
NAT Syntax
• Source NAT (from /ip firewall nat)
− Add the masquerade rule
● add action=masquerade chain=srcnat
− Change the source IP address
● add chain=srcnat src-address=192.168.0.109 action=src-nat to-addresses=10.5.8.200
• Destination NAT
− Redirect all web traffic (TCP, port 80) to the router's web proxy on port 8080
● add action=redirect chain=dstnat dst-port=80 protocol=tcp to-ports=8080
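The Alpha and Beta merger from the src-nat and dst-nat usage examples, carried through as RouterOS NAT rules on both routers. This is an added example, not part of the original deck; the 10.99.0.0/24 buffer segment, the router addresses 10.99.0.1 and 10.99.0.2, the interface name ether-buffer and Beta's web server 172.16.5.10 are all assumed values.

```routeros
# Added example (not from the original deck): two merged networks that both
# use 172.16.0.0/16, joined through a buffer segment with a different address
# space. Assumed: buffer is 10.99.0.0/24, Alpha's router is 10.99.0.1 and
# Beta's router 10.99.0.2 on interface ether-buffer, Beta's web server is
# 172.16.5.10 and is published to Alpha as TCP port 80 on 10.99.0.2.

# ===== Alpha's router =====
/ip address
add address=10.99.0.1/24 interface=ether-buffer

/ip firewall nat
# src-nat: Alpha hosts entering the buffer appear as 10.99.0.1, so Beta
# never sees a conflicting 172.16.x.x source address. Connection tracking
# reverses the translation for the return traffic.
add chain=srcnat src-address=172.16.0.0/16 out-interface=ether-buffer \
    action=src-nat to-addresses=10.99.0.1 comment="Alpha -> buffer"

# ===== Beta's router =====
/ip address
add address=10.99.0.2/24 interface=ether-buffer

/ip firewall nat
# dst-nat: requests for the "buffer IP address" are reconverted to the real
# server address inside Beta's 172.16.0.0/16. Replies go back to 10.99.0.1,
# which Beta's router reaches directly on the buffer segment.
add chain=dstnat in-interface=ether-buffer dst-address=10.99.0.2 \
    protocol=tcp dst-port=80 action=dst-nat to-addresses=172.16.5.10 \
    comment="buffer -> Beta web server"

# The mirror rules (Beta hosts src-nat'ed to 10.99.0.2, Alpha's services
# dst-nat'ed on 10.99.0.1) give Beta's hosts access to Alpha's servers.
```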
Laboratory : Setup

Laboratory : step 1
• Before going ahead with firewall rules, we'll test a
NAT rule : Masquerading
− Look into your settings to see if you have a "masquerading"
NAT rule. Create one if you don't BUT leave it disabled. If
you have one make sure that it's disabled
− Launch Winbox and connect to a neighbour pod.
− In the IP FIREWALL CONNECTION section, look at
active connections. What do you see? Why?
− Set the configuration option that will let you track
connections. Check the results.
− Enable the masquerade NAT rule and check connection
tracking again.

Laboratory : step 2
• Use the following slide to create a firewall
for a backbone router.
• Use the following slide to create a firewall
for an internet router.
• Optionally create a custom chain with a
jump rule in the forward chain for
destination address list “Servers”
• Discuss

Laboratory : step 3

• Now that you have rules, add some logging rules before the drop rules and check your logs. Look at the messages and their format
• Seeing what you see now, do you think troubleshooting connection problems would be easier? Why?
Laboratory : step 4

• Create Address Lists representing all pods
• Use the following format:
− Name : Pod1
− Address : <network/mask> of the LAN
− Name : Pod1
− Address : <IP> of the WAN interface
• Do so for all pods, even your own
Laboratory : step 5
• Pods should be matched in pairs for the
following tests
• Close your WinBox window and reopen it,
connecting to your peer pod. What's
happening?
• With one filter rule ONLY, allow all IP addresses from your peer pod to connect to your router with WinBox (TCP, 8291)
− Make sure that it's in the right spot so that it works
− And DON'T forget comments!
Laboratory : step 6

• Add port 8111 to the input chain rule on the same line as 8291 (Winbox); this will be needed in a minute
• To test port redirection, we'll need to make a small change to the IP SERVICES of your pod.
− In the IP Services section, change the WinBox port to 8111.
Laboratory : step 7
• Close and reopen the WinBox interface
without adding any special parameters. What
result do you get?
• Log into the WinBox using port 8111.
• Create a dst-nat rule with a redirect action to
port 8111 on all TCP port 8291 traffic.
• Close and reopen WinBox without the port
after the IP address. Does it work now?
• Log into your peer pod's router. What's happening?
Laboratory : step 8

• Return the WinBox port to its normal value of 8291.
• Disable (don't delete) the dstnat rule of "redirect".
• Close WinBox and validate that you can log into your router and your peer's router normally.
Laboratory : step 9

• Create a dst-nat rule with a redirect action to port 8291 on all TCP port 1313 traffic coming into the WAN port.
• Open WinBox and log into your router using port 1313.
• Open WinBox and log into your peer's router using port 1313.
• Explain the different results.
Laboratory : step 10

• Do an export AND a binary backup under the file name module6-podx.
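The laboratory steps 1 and 4 to 10 as RouterOS CLI commands for one pod (the filter rules of steps 2 and 3 are the input and forward chains shown earlier on this page). This is an added example, not part of the original lab text; it assumes ether1 is the WAN interface, that this is Pod1 with LAN 192.168.1.0/24 and WAN address 10.0.0.11, and that the peer is Pod2 with 192.168.2.0/24 and 10.0.0.12.

```routeros
# Added example: CLI equivalent of the lab steps for Pod1. Assumed values:
# ether1 = WAN, Pod1 LAN 192.168.1.0/24, Pod1 WAN 10.0.0.11,
# peer Pod2 LAN 192.168.2.0/24, Pod2 WAN 10.0.0.12.

# Step 1: connection tracking must be on for the connection list, for
# stateful rules and for NAT. The masquerade rule starts disabled.
/ip firewall connection tracking set enabled=yes
/ip firewall nat add chain=srcnat out-interface=ether1 action=masquerade \
    disabled=yes comment="masquerade (enable when the lab says so)"
/ip firewall connection print

# Step 4: one address list per pod, holding both the LAN network and the WAN IP.
/ip firewall address-list
add list=Pod1 address=192.168.1.0/24 comment="Pod1 LAN"
add list=Pod1 address=10.0.0.11 comment="Pod1 WAN"
add list=Pod2 address=192.168.2.0/24 comment="Pod2 LAN"
add list=Pod2 address=10.0.0.12 comment="Pod2 WAN"

# Steps 5-6: a single input rule lets the peer pod reach Winbox (8291) and
# the alternate port 8111. place-before=0 puts it at the top, above the drop.
/ip firewall filter
add chain=input src-address-list=Pod2 protocol=tcp dst-port=8291,8111 \
    action=accept comment="Winbox from peer pod" place-before=0

# Step 6: move the Winbox service to port 8111.
/ip service set winbox port=8111

# Step 7: redirect the standard port to it, so Winbox works without ":8111".
/ip firewall nat add chain=dstnat protocol=tcp dst-port=8291 \
    action=redirect to-ports=8111 comment="8291 -> Winbox on 8111"

# Step 8: put the service port back; disable, do not delete, the redirect.
/ip service set winbox port=8291
/ip firewall nat disable [find comment="8291 -> Winbox on 8111"]

# Step 9: TCP 1313 arriving on the WAN is redirected to Winbox on 8291.
/ip firewall nat add chain=dstnat in-interface=ether1 protocol=tcp \
    dst-port=1313 action=redirect to-ports=8291 comment="1313 -> Winbox"

# Step 10: text export AND binary backup under the module6-podx name.
/export file=module6-pod1
/system backup save name=module6-pod1
```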
End of Laboratory 6
