RouterOs Firewall

Massimo Nuvoli
TRAINER #TR0368
MUM Europe 2017 Milan Italy

Massimo Nuvoli (maxnuv)
Owner of Progetto Archivio SRL and DICOBIT
System Engineer
System Architect
Please, call me Max!

MUM EUROPE 2017 RouterOs Firewall - (c) Massimo Nuvoli

First of all..
at the last Europe MUM..
my talk was about Switching
and there was a request
Please add “hardware spanning tree”
and from 6.38...

Switch Hardware Spanning Tree
● Make a switch (as usual)
● Add the master port to a bridge
● Then from the bridge menu, IF STP is on, then the STP is active on hardware
● Slave ports are shown on the bridge to show the STP status
● See the documentation:
https://wiki.mikrotik.com/wiki/Manual:Switch_Chip_Features#Spanning_Tree_Protocol

Today goals
● Know about firewall design in RouterOs
● Know where it is, and what to do with it
● Changes of the firewall in the last year
● Two examples

What is a “firewall?”
● Try to isolate the “less protected” outside area from the “more protected” inside area
● It's a security device, but owning only a firewall is not enough to be protected
● Security is a process, and the firewall is only one part of it
● The least secure item is between the keyboard and the chair

Cut here to activate firewall :-)

Where is “the firewall”
● L2 firewall
  – Bridge → Filter
  – Switch → Rule or Access List and other
● L3 (and up) firewall IPv4
  – IP → Firewall and IP → Web Proxy
● L3 firewall IPv6
  – IPv6 → Firewall

L2 firewall
● Take the fight at L2, but not only MAC ADDRESS...
● On switch chipset with ACL (hardware)
● On bridge interface with ACL (software)

RouterOs Packet Flow 1

RouterOs Packet Flow 2

[Figure: RouterOs packet flow diagram. Blocks: INPUT INTERFACE, HOTSPOT IN, RAW PREROUTING, CONNECTION TRACKING, MANGLE PREROUTING, DST NAT, ROUTING DECISION, MANGLE INPUT, FILTER INPUT, LOCAL PROCESSING, RAW OUTPUT, MANGLE OUTPUT, FILTER OUTPUT, TTL=1, MANGLE FORWARD, FILTER FORWARD, ACCOUNTING, ROUTING ADJUST, MANGLE POSTROUTING, SRC NAT, HOTSPOT OUT, QUEUE TREE GLOBAL, SIMPLE QUEUES, OUTPUT INTERFACE]

Connection Tracking
● RouterOs can “detect” the status of a connection (TCP/UDP) and try to give us a more powerful way to check packets
● Connection state can be “new”, “established”, “related” but also “unknown” or “invalid”
● Particular protocols (e.g. SIP and FTP) need “connection helpers” to track complex connections
/ip firewall connection

[Figure: RouterOs packet flow diagram]

L3 firewall IPv4 and IPv6
● Packet flow shows “where firewall acts”
● Each “position” is a “default chain”
● A “chain” is a set of sequential rules, the order IS important
● Checks and actions are different in each flow position
● You can jump and also return back on a chain

Filter table
Filter chains can be used to allow and deny connections
● Input
● Output
● Forward
/ip firewall filter
/ipv6 firewall filter

[Figure: RouterOs packet flow diagram]

Default filter table
With connection tracking:
– accept established/related connections
– drop invalid connections
– after that we have only “new” connections, so no need to check the connection state
– other rules

Nat table
In the nat chains we can change address and port of connections, only in IPv4
● src nat
● dst nat
/ip firewall nat

[Figure: RouterOs packet flow diagram]

Mangle table
The mangle chain is useful to manage all other details of a connection (e.g. ttl or qos)
● input
● output
● forward
● prerouting
● postrouting
/ip firewall mangle
/ipv6 firewall mangle

[Figure: RouterOs packet flow diagram]

New from 6.36 raw table
only two chains
● INPUT
● OUTPUT
/ip firewall raw
/ipv6 firewall raw

[Figure: RouterOs packet flow diagram]

How to do it better
● use “interface list” and “address list”
● use “jump” and “return”
● define new chains
● define as few rules as possible
● later we see...

New! “Interface Lists”
● Define a group of interfaces
● /interface list
● useful to simplify configuration

Interface lists

Address Lists
● Define group of addresses
● I think MANDATORY for IPv6!!
● As “action”, addresses can be added to address lists dynamically, also with time-out
● New from 6.36 dns names can be used in address lists!

Firewall IPv4

New! “Address Lists”

Firewall IPv6

Where we can use “lists”?
Today only the “check”, not action

Interface Lists

Address Lists

And... improved firewall
● faster “connection-limit”
● raw filter
● interface list
● address list with dns names
● limit (connections, packets, bits)
check the wiki... all there..

Example: routeback
[Diagram: internet, Router (A, B), lan, PC (C), SERVER (D)]

Goal
● PC with private address C needs to talk to the server with private address D
● The server is on DNAT from the address A on the wan side of the router
● Use “dns name” of the server

Routeback!
● First a dnat on the public ip address, and the packet is routed back to the lan
● Then I need a source nat, as the packet must route back to the router and then to the pc
● But... if the public ip address is dynamic?

Address list!
● Configure the “cloud” option, so we have a dns address name with the public ip address
● Configure one address list with this dns name, then use the address list on the destination nat rule!

Sample code part 1
/ip firewall address-list
add address=coolname3.mum.it list=myresolvedip
/ip firewall filter
add action=accept chain=input comment="accept established related" \
    connection-state=established,related
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input protocol=icmp
add action=drop chain=input comment="drop all from wan" in-interface=pppoe-wan

Sample code part 2
/ip firewall nat
add action=masquerade chain=srcnat comment="normal masq" out-interface=pppoe-wan
add action=dst-nat chain=dstnat comment="nat to 192.168.7.2" \
    dst-address-list=myresolvedip to-addresses=192.168.7.2
add action=src-nat chain=srcnat \
    comment="routeback from 192.168.90.0/24 to lan (eq lan to lan)" \
    out-interface=ether3-lan src-address=192.168.7.0/24 to-addresses=192.168.7.1

A complex firewall
● One wan
● More than one lan
● Define and update frequently all rules
● Avoid hard coding everything

All code here...
address list
/ip firewall address-list
add address=coolname3.mum.it list=myresolvedip
add address=192.168.7.0/24 list=lanip
add address=192.167.8.0/24 list=cedip

All code here...
input chain
/ip firewall filter
add action=accept chain=input comment="accept established related" \
    connection-state=established,related
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="accept icmp" protocol=icmp
# Winbox management port; dst-port so that traffic merely sourced from 8291 is not accepted
add action=accept chain=input dst-port=8291 protocol=tcp
add action=jump chain=input comment=wan2fw in-interface-list=wan jump-target=\
    wan2fw
add action=jump chain=input comment=wifi2fw in-interface-list=wifi jump-target=\
    wifi2fw
add action=jump chain=input comment=osp2fw in-interface-list=osp jump-target=\
    osp2fw
add action=jump chain=input comment=voip2fw in-interface-list=voip jump-target=\
    voip2fw

All code here...
forward chain 1
add action=accept chain=forward comment="accept established related" \
    connection-state=established,related
add action=drop chain=forward comment="drop invalid" \
    connection-state=invalid
add action=jump chain=forward comment="icmp filter" \
    jump-target=accept-icmp protocol=icmp
add action=jump chain=forward comment="lan (ip) to wan" disabled=yes \
    in-interface-list=lan jump-target=lan out-interface-list=wan \
    src-address-list=lanip
add action=jump chain=forward comment="ced (ip) to wan" disabled=yes \
    in-interface-list=lan jump-target=lan out-interface-list=wan \
    src-address-list=cedip

All code here...
forward chain 2
add action=jump chain=forward in-interface-list=lan jump-target=lan2wan \
    out-interface-list=wan
add action=jump chain=forward in-interface-list=lan jump-target=lan2voip \
    out-interface-list=voip
add action=jump chain=forward in-interface-list=lan jump-target=lan2osp \
    out-interface-list=osp
add action=jump chain=forward in-interface-list=osp jump-target=osp2wan \
    out-interface-list=wan
add action=jump chain=forward in-interface-list=voip jump-target=voip2wan \
    out-interface-list=wan
add action=jump chain=forward in-interface-list=voip jump-target=voip2lan \
    out-interface-list=lan
add action=jump chain=forward in-interface-list=wan jump-target=wan2lan \
    out-interface-list=lan

All code here...
zone to zone
add action=drop chain=lan2osp comment="default drop"
add action=drop chain=lan2voip comment="default drop"
add action=drop chain=forward comment="default drop all2all"
add action=drop chain=input comment="drop all2fw" log-prefix=all2fw
add action=drop chain=voip2fw comment="default drop"
add action=drop chain=voip2lan comment="default drop"
add action=drop chain=voip2wan comment="default drop"
add action=drop chain=wan2lan comment="default drop"
add action=jump chain=wifi2fw comment="accept dns" jump-target=accept-dns
add action=drop chain=wifi2fw comment="default drop"
add action=jump chain=lan2wan jump-target=accept-dns
add action=drop chain=lan2wan comment="default drop"
add action=jump chain=wan2fw comment="protect ssh" jump-target=ssh
add action=drop chain=wan2fw comment="drop all from wan"

All code here...
dns check
add action=accept chain=accept-dns dst-port=53 protocol=udp
add action=accept chain=accept-dns dst-port=53 protocol=tcp
add action=return chain=accept-dns

All code here...
icmp check
add action=accept chain=accept-icmp comment="echo reply" icmp-options=0:0 \
    protocol=icmp
add action=accept chain=accept-icmp comment="net unreachable" icmp-options=3:0 \
    protocol=icmp
add action=accept chain=accept-icmp comment="host unreachable" icmp-options=3:1 \
    protocol=icmp
add action=accept chain=accept-icmp comment=\
    "host unreachable fragmentation required" icmp-options=3:4 protocol=icmp
add action=accept chain=accept-icmp comment="allow source quench" icmp-options=\
    4:0 protocol=icmp
add action=accept chain=accept-icmp comment="allow echo request" icmp-options=\
    8:0 protocol=icmp
add action=accept chain=accept-icmp comment="allow time exceed" icmp-options=\
    11:0 protocol=icmp
add action=accept chain=accept-icmp icmp-options=12:0 protocol=icmp
add action=drop chain=accept-icmp comment="deny all other types"

All code here...
ssh protection
add action=drop chain=ssh comment="drop ssh brute forcers" dst-port=22 \
    protocol=tcp src-address-list=badip
add action=add-src-to-address-list address-list=badip \
    address-list-timeout=1w3d chain=ssh dst-port=22 protocol=tcp \
    src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
    address-list-timeout=1m chain=ssh dst-port=22 protocol=tcp \
    src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
    address-list-timeout=1m chain=ssh dst-port=22 protocol=tcp \
    src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
    address-list-timeout=1m chain=ssh dst-port=22 protocol=tcp
add action=return chain=ssh

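How the staged address lists in the ssh chain behave over time, as an added Python model that is not part of the original slides: each new tcp/22 connection from the wan walks the rules in order, and the same rules are also run with the stage rules listed lowest stage first to show why the order IS important. It assumes that add-src-to-address-list lets the packet continue to the next rule and that re-adding an address refreshes its timeout; the function names and the source address are constructed.

```python
STAGE_TTL = 60                 # address-list-timeout=1m
BAN_TTL = (7 + 3) * 24 * 3600  # address-list-timeout=1w3d

# (src-address-list to match, action, address-list to add to, timeout in seconds)
PAGE_ORDER = [
    ("badip",      "drop",   None,         0),
    ("ssh_stage3", "add",    "badip",      BAN_TTL),
    ("ssh_stage2", "add",    "ssh_stage3", STAGE_TTL),
    ("ssh_stage1", "add",    "ssh_stage2", STAGE_TTL),
    (None,         "add",    "ssh_stage1", STAGE_TTL),
    (None,         "return", None,         0),
]
# Constructed counter-example: same rules, stage rules listed lowest stage first.
ASCENDING = [PAGE_ORDER[0]] + PAGE_ORDER[4:0:-1] + [PAGE_ORDER[5]]


def evaluate(rules, lists, src, now):
    """Walk one new tcp/22 connection through the chain; return 'drop' or 'return'."""
    for match, action, target, ttl in rules:
        if match is not None and lists.get((match, src), 0) <= now:
            continue                          # source is not in the matched list
        if action == "add":
            lists[(target, src)] = now + ttl  # assumed: (re)sets the timeout, then
            continue                          # the packet goes on to the next rule
        return action
    return "return"


def attempts_until_drop(rules, gap_seconds, limit=20):
    """Number of the first connection attempt that the chain itself drops, or None."""
    lists, src = {}, "203.0.113.10"  # constructed source address
    for attempt in range(1, limit + 1):
        if evaluate(rules, lists, src, (attempt - 1) * gap_seconds) == "drop":
            return attempt
    return None


def ban_expiry(rules, gap_seconds, attempts):
    """Expiry time of the badip entry after the given number of attempts, or None."""
    lists, src = {}, "203.0.113.10"
    for attempt in range(attempts):
        evaluate(rules, lists, src, attempt * gap_seconds)
    return lists.get(("badip", src))


if __name__ == "__main__":
    print("page order, 10 s apart:", attempts_until_drop(PAGE_ORDER, 10))
    print("page order, 61 s apart:", attempts_until_drop(PAGE_ORDER, 61))
    print("ascending order, 10 s apart:", attempts_until_drop(ASCENDING, 10))
```

With the slide's order a source is added to badip on its fourth new connection inside the one-minute windows and dropped from the fifth, while connections more than a minute apart never advance past ssh_stage1. With the stage rules in ascending order a single connection cascades through every stage and is listed in badip for 1w3d.
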
All code here...
icmp check
/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe-wan
/ip firewall raw
add action=drop chain=prerouting comment="drop bad ip" in-interface-list=wan \
    src-address-list=badip

What you've seen
● Complex firewall
● And configuration can be exported and imported to another routerboard, with NO ERROR
● And all “specific” configuration is on the “interface lists” and “address lists”
● Recycle firewall rules

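A check to run on an exported rule set before recycling it on another routerboard, as an added Python example that is not part of the original slides: it parses `/ip firewall filter` export text and reports jump targets that have no rules and chains that do not end in an unconditional verdict. SAMPLE is a constructed excerpt of the rules shown above; parse_rules and lint are hypothetical helper names.

```python
import re
import shlex

# Constructed excerpt of the filter rules from the slides (not a full export).
SAMPLE = r'''
/ip firewall filter
add action=jump chain=input comment=wan2fw in-interface-list=wan jump-target=\
    wan2fw
add action=jump chain=input comment=osp2fw in-interface-list=osp jump-target=\
    osp2fw
add action=jump chain=forward comment="lan (ip) to wan" disabled=yes \
    in-interface-list=lan jump-target=lan out-interface-list=wan
add action=jump chain=forward in-interface-list=lan jump-target=lan2wan \
    out-interface-list=wan
add action=drop chain=forward comment="default drop all2all"
add action=drop chain=input comment="drop all2fw" log-prefix=all2fw
add action=jump chain=lan2wan jump-target=accept-dns
add action=drop chain=lan2wan comment="default drop"
add action=jump chain=wan2fw comment="protect ssh" jump-target=ssh
add action=drop chain=wan2fw comment="drop all from wan"
add action=accept chain=accept-dns dst-port=53 protocol=udp
add action=return chain=accept-dns
add action=return chain=ssh
'''

VERDICTS = {"accept", "drop", "reject", "return"}
NON_MATCHERS = {"action", "chain", "comment", "log", "log-prefix"}


def parse_rules(export):
    """Join backslash continuations and turn each 'add' line into a parameter dict."""
    text = re.sub(r"\\\n\s*", "", export)
    rules = []
    for line in text.splitlines():
        if line.startswith("add "):
            tokens = shlex.split(line)[1:]
            rules.append(dict(tok.partition("=")[::2] for tok in tokens))
    return rules


def lint(rules):
    """Report jump targets without rules and chains lacking a final catch-all verdict."""
    active = [r for r in rules if r.get("disabled") != "yes"]
    chains = {}
    for rule in active:
        chains.setdefault(rule["chain"], []).append(rule)
    targets = {r["jump-target"] for r in active if r["action"] == "jump"}
    # A chain is open-ended when its last rule still has a matcher or is not a verdict.
    open_ended = [name for name, body in chains.items()
                  if body[-1]["action"] not in VERDICTS
                  or set(body[-1]) - NON_MATCHERS]
    return {"empty_jump_targets": sorted(targets - set(chains)),
            "open_ended_chains": sorted(open_ended)}


if __name__ == "__main__":
    print(lint(parse_rules(SAMPLE)))
```

On the excerpt the only finding is osp2fw, which is jumped to from input but has no rules of its own, so that traffic is decided by whatever follows the jump in the calling chain.
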
This year request
● Complete IPv6 firewall
● Please add some kind of “global” generic constant values like objects
  – ip addresses
  – ports

Questions?

Thank you!
massimo@dicobit.it