Firewall Filters
Document revision 1.10 (Sun Dec 05 12:41:37 GMT 2004)
This document applies to MikroTik RouterOS V2.8
Table of Contents
General Information
Summary
Quick Setup Guide
Specifications
Related Documents
Description
Packet Flow
Description
Firewall Rules
Description
Property Description
Notes
Example
Firewall Chains
Description
Notes
Example
IP Firewall Applications
Description
Example of Firewall Filters
Protecting the Customer's Network
Enforcing the 'Internet Policy'
Example of Source NAT (Masquerading)
Example of Destination NAT
General Information
Summary
The firewall implements packet filtering and thereby provides security functions that are used to
manage data flow to, from and through the router. Together with Network Address Translation it
serves as a tool for preventing unauthorized access to directly attached networks and the router itself,
as well as a filter for outgoing traffic.
Quick Setup Guide
To add a firewall rule which drops all TCP packets that are destined to port 135 and going
through the router, use the following command:
/ip firewall rule forward add dst-port=135 protocol=tcp action=drop
To deny access to the router via Telnet (protocol TCP, port 23), type the following command:
/ip firewall rule input add protocol=tcp dst-port=23 action=drop
Specifications
Packages required: system
License required: level1 (P2P filters limited to 1), level3
Home menu level: /ip firewall
Standards and Technologies: IP
Hardware usage: Increases with filtering rules count
Related Documents
Package Management
IP Addresses and ARP
Routes, Equal Cost Multipath Routing, Policy Routing
Network Address Translation
Packet Marking (Mangle)
Description
Network firewalls keep outside threats away from sensitive data available inside the network.
Whenever different networks are joined together, there is always a threat that someone from outside
of your network will break into your LAN. Such break-ins may result in private data being stolen
and distributed, valuable data being altered or destroyed, or entire hard drives being erased.
Firewalls are used as a means of preventing or minimizing the security risks inherent in connecting
to other networks. MikroTik RouterOS implements a wide range of firewall features as well as
masquerading capabilities, which allow you to hide your network infrastructure from the outside
world.
Packet Flow
Description
MikroTik RouterOS simplifies the creation and deployment of sophisticated firewall policies. In
fact, you can easily create a simple policy to filter your traffic or enable source NAT without needing
to know how packets are processed in the router. But if you want to deploy more complicated
policies, it is worth knowing the details of the underlying process. IP packet flow through the router
is depicted in the packet flow diagram of the original document.
As the diagram shows, a packet can enter the conveyor in two ways: either it has come in from an
interface or it has been originated by the router itself. Similarly, a packet has two ways to
leave the conveyor: through an outgoing interface or, if the packet is locally destined, into a
local process.
When a packet arrives at a router interface, firewall rules are applied in the following order:
The NAT rules are applied first. The firewall rules of the input chain and the routing decision are
applied after the packet has passed the NAT rule set.
If the packet is to be forwarded through the router, the firewall rules of the forward chain are
applied next.
When a packet leaves an interface, the firewall rules of the output chain are applied first, then the
NAT rules and queuing.
The additional arrows from the IPsec boxes show the processing of encrypted packets: they are
encrypted or decrypted first and then processed as usual, i.e. from the point where an ordinary packet
enters the router.
If the packet is a bridged one, the 'Routing Decision' is replaced by the 'Bridge Forwarding Decision'. If
the bridge is forwarding non-IP packets, none of the IP-specific stages apply
('Universal Client', 'Conntrack', 'Mangle', etc.).
Firewall Rules
Home menu level: /ip firewall rule <chain name>
Description
A rule is an expression in a definite form that tells the router what to do with a particular packet.
A rule consists of two logical parts: the matcher set and the action set. For each packet you need
to define a rule with an appropriate match and action.
Firewall rules are managed by selecting the desired chain. If you use the
WinBox console, select the desired chain and then press the List button on the toolbar to open the
window with the rules.
Peer-to-Peer Traffic Filtering
MikroTik RouterOS provides a way to filter traffic from the most popular peer-to-peer programs,
which use a number of different P2P protocols.
ICMP TYPE:CODE values
In order to protect your router and attached private networks, you need to configure the firewall to
drop or reject most ICMP traffic. However, some ICMP packets are vital to maintaining network
reliability or providing troubleshooting services.
The following is a list of ICMP TYPE:CODE values found in good packets, together with the service
each one supports. It is generally suggested to allow these types of ICMP traffic.
8:0 - echo request (Ping)
0:0 - echo reply (Ping)
11:0 - TTL exceeded (Trace)
3:3 - Port unreachable (Trace)
3:4 - Fragmentation-DF-Set (Path MTU discovery)
General suggestion to apply ICMP filtering
Allow ping—ICMP Echo-Request outbound and Echo-Reply messages inbound
Allow traceroute—TTL-Exceeded and Port-Unreachable messages inbound
Allow path MTU—ICMP Fragmentation-DF-Set messages inbound
Block everything else
Type of Service
Internet paths vary in the quality of service they provide. They can differ in cost, reliability, delay and
throughput. This situation imposes some tradeoffs, e.g. the path with the lowest delay
may be among the slowest. Therefore, the "optimal" path for a packet to follow through the Internet
may depend on the needs of the application and its user.
Because the network itself has no knowledge of how to optimize path selection for a particular
application or user, the IP protocol provides a facility for upper layer protocols to convey hints to
the Internet Layer about how the tradeoffs should be made for a particular packet. This facility is
called the "Type of Service" facility.
The fundamental rule is that if a host makes appropriate use of the TOS facility, its network service
should be at least as good as it would have been if the host had not used this facility.
Type of Service (ToS) is a standard field of the IP packet header and it is used by many network
applications and hardware to specify how the traffic should be treated by the gateway.
MikroTik RouterOS works with the full ToS byte. It does not treat any bits of this byte as
reserved (because they have been redefined many times and this approach provides more flexibility).
This means that it is possible to work with DiffServ marks (Differentiated Services Codepoint, DSCP as
defined in RFC2474) and ECN codepoints (Explicit Congestion Notification, ECN as defined in
RFC3168), which use the same field of the IP protocol header. Note that this does not mean that
RouterOS supports DiffServ or ECN; it is just possible to access and change the marks used by
these protocols.
RFC1349 defines these standard values:
normal - normal service (ToS=0)
low-cost - minimize monetary cost (ToS=2)
max-reliability - maximize reliability (ToS=4)
max-throughput - maximize throughput (ToS=8)
low-delay - minimize delay (ToS=16)
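The same byte read three ways, as an added Python example (not RouterOS code): the RFC1349 values listed above, a DSCP and an ECN codepoint are only different readings of the one ToS byte that RouterOS matches as a whole, and the example also shows that the low-cost value 2 occupies the bit ECN uses for its ECT(0) codepoint. The dictionary names and helper functions are this example's own, not RouterOS properties.

```python
# RFC1349 names as listed in the manual, keyed by the value of the whole ToS byte.
RFC1349 = {0: "normal", 2: "low-cost", 4: "max-reliability", 8: "max-throughput", 16: "low-delay"}


def decode_tos(tos: int) -> dict:
    """Read one ToS byte three ways: RFC1349 (3 precedence bits, 4 ToS bits, 1 must-be-zero
    bit), RFC2474 DSCP (upper 6 bits) and RFC3168 ECN (lower 2 bits)."""
    if not 0 <= tos <= 255:
        raise ValueError("ToS is a single byte")
    return {
        "tos": tos,
        "precedence": tos >> 5,                          # RFC791 precedence, top 3 bits
        "rfc1349": RFC1349.get(tos & 0x1E, "other"),     # the four RFC1349 ToS bits (mask 0x1E)
        "dscp": tos >> 2,                                # DiffServ codepoint, upper 6 bits
        "ecn": tos & 0x03,                               # ECN codepoint, lower 2 bits
    }


def encode_dscp_ecn(dscp: int, ecn: int) -> int:
    """Build the byte a DiffServ/ECN host sends, i.e. the value a whole-byte ToS match must use."""
    if not (0 <= dscp < 64 and 0 <= ecn < 4):
        raise ValueError("DSCP is 6 bits, ECN is 2 bits")
    return (dscp << 2) | ecn
```

For example, DSCP 46 (the Expedited Forwarding codepoint) with ECN 0 is byte 184, which RFC1349 would read as a combination of the low-delay and max-throughput bits, not one of the named values.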
Property Description
action ( accept | drop | jump | passthrough | reject | return ; default: accept ) - action to undertake if
the packet matches the rule, one of:
accept - accept the packet. No further action, i.e., the packet is passed through without undertaking
any action except for mangle, and no more rules are processed in the relevant list/chain
drop - silently drop the packet (without sending an ICMP reject message)
jump - jump to the chain specified by the value of the jump-target argument
passthrough - ignore this rule, except for mangle, and go on to the next one. Acts the same way as
a disabled rule, except for the ability to count and mangle packets
reject - reject the packet and send an ICMP reject message
return - return to the previous chain, from where the jump took place
comment ( text ; default: "" ) - a descriptive comment for the rule
connection ( text ; default: "" ) - connection mark to match. Only connections (including related ones)
marked in mangle are matched
connection-limit ( integer ; default: 0 ) - match the number of concurrent connections from each
particular IP address
connection-state ( any | established | invalid | new | related ; default: any ) - connection state
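A small chain evaluator, added here as a Python example (not RouterOS code), that models the action semantics listed under action above and applies them to the ICMP TYPE:CODE suggestion from the earlier section: accept, drop and reject end processing, passthrough only counts the packet and continues, jump enters another chain and return hands the packet back to the rule after the jump. The packet keys ("protocol", "dst-port", "icmp") and the rule set are constructed for this example.

```python
from dataclasses import dataclass, field


@dataclass
class Rule:
    """One firewall rule: a matcher set plus an action (action names as in the manual)."""
    action: str                                   # accept | drop | reject | jump | passthrough | return
    match: dict = field(default_factory=dict)     # empty dict matches every packet
    jump_target: str = ""                         # only used when action == "jump"
    hits: int = 0                                 # packet counter, incremented on every match

    def matches(self, pkt: dict) -> bool:
        return all(pkt.get(key) == value for key, value in self.match.items())


def run_chain(chains: dict, name: str, pkt: dict):
    """Walk one chain; return a terminal verdict, or None when the chain returns or runs out
    of rules (the packet is then handed back to the calling chain)."""
    for rule in chains[name]:
        if not rule.matches(pkt):
            continue
        rule.hits += 1
        if rule.action == "passthrough":   # count only, otherwise like a disabled rule
            continue
        if rule.action == "return":        # back to the chain the jump came from
            return None
        if rule.action == "jump":
            verdict = run_chain(chains, rule.jump_target, pkt)
            if verdict is not None:
                return verdict
            continue                       # target chain returned: resume after the jump rule
        return rule.action                 # accept, drop or reject: no more rules processed
    return None


def filter_packet(chains: dict, chain: str, pkt: dict) -> str:
    """Verdict for a packet entering a built-in chain; falling off the end means accept."""
    return run_chain(chains, chain, pkt) or "accept"


# Constructed rule set: the ICMP allow list from the manual lives in its own chain, reached
# by a jump from input; everything else in that chain is dropped, as the manual suggests.
GOOD_ICMP = ["8:0", "0:0", "11:0", "3:3", "3:4"]
CHAINS = {
    "input": [
        Rule("passthrough", {"protocol": "icmp"}),                 # count every ICMP packet
        Rule("jump", {"protocol": "icmp"}, jump_target="icmp"),    # hand ICMP to its own chain
        Rule("drop", {"protocol": "tcp", "dst-port": 23}),         # no Telnet to the router
    ],
    "icmp": [Rule("accept", {"icmp": tc}) for tc in GOOD_ICMP] + [Rule("drop")],
}
```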