Firewall, Mangle & Address List Module
Firewall
The MikroTik RouterOS firewall stands between the company's network and a public network, effectively shielding your computers from malicious hacker activity and controlling the flow of data to the router, through the router, and from the router. The MikroTik RouterOS firewall supports the filtering and security functions that form your internet usage policy.
Applications:
Protection of the router from unauthorized access
You can monitor connections to the addresses assigned to the router itself and allow access only from certain hosts to certain TCP ports of the router. The firewall controls all internet information and warns about and blocks intrusion attempts based on rules customized by the user.

Protection of the customers' hosts
You can monitor connections to the addresses assigned to the customers' network and allow access only to certain hosts and services. You endow your customers with an effective and proactive defence against malicious attacks.

Using masquerading to hide the private network behind one external address
All connections from private addresses can be masqueraded, so they appear as coming from one external address, that of the router. The firewall will act as a gateway for your entire network, enabling the office's network to share a single, safe connection to the internet.
Applications
Enforcing the internet usage policy from the customers' network
The firewall allows you to control connections from the customers' network and provides detailed traffic statistics of all the links.

Prioritizing traffic
You can mark packets by priority to ensure the fastest connection for the more important packets. This guarantees that all groups always get appropriate bandwidth, providing a controllable flow of network traffic and preventing bandwidth starvation.

Applying queuing to the outgoing packets
This feature allows you to limit the connection speed of a certain group of packets. The hierarchy of classes enables you to build a flexible and very logical representation of your traffic.
Firewall
- Rules
- NAT (source NAT and destination NAT)
- Mangle
- Address List
- Service ports
- Connections (for monitoring only)
Source of Packet
- Local process: the packet originated from a local process, like web proxy, VPN or others
- Input interface: the packet can come from one of the interfaces present in the router (the interface is then referred to as the input interface)

Destination of Packet
- Local process: to a service on the local host
- Output interface: a packet can leave through one of the router's interfaces (in this case the interface is referred to as the output interface)
IP Flow
- Routed traffic to the router
- Routed traffic from the router
- Routed traffic through the router
- Bridged traffic through the router
Connection Tracking
The ability to maintain state information about connections, such as source and destination IP address and port pairs, connection states, protocol types and timeouts. Firewalls that do connection tracking are known as stateful and are inherently more secure than those that do only simple stateless packet processing. 64 MB of RAM can hold information about up to 65536.
Connection State
A state is assigned to each packet:
- Invalid: the packet does not belong to any of the known connections
- New: the packet is opening a new connection
- Established: the packet belongs to an established connection
- Related: the packet creates a new connection related to an already opened connection
Chain
Value = forward | input | output | postrouting | prerouting
Specifies the chain to put a particular rule into. As different traffic is passed through different chains, always be careful in choosing the right chain for a new rule. If the input does not match the name of an already defined chain, a new chain will be created.
Monitoring & Managing the Firewall
- You can watch the packet and byte counters of firewall rules
- You can move rules to arrange them in an order with the minimal average number of passed rules
- You can add an action=log rule in order to see what packets (protocol, addresses and ports) pass this rule
- You can use action=passthrough to add simple counter rules
- You can also use the connection tracking feature to see current connections
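The router-protection pattern from the slides above (connection states, one chain, certain hosts to certain TCP ports, a log rule and a passthrough counter) as an added example that is not part of this module. The address-list name mgmt, the range 192.168.88.0/24 and the interface ether1 are assumptions.

```routeros
# Added example, not from the module. Assumptions: admin hosts sit in
# 192.168.88.0/24 and ether1 faces the public network.
/ip firewall address-list
add list=mgmt address=192.168.88.0/24 comment="constructed: admin hosts"

/ip firewall filter
# Stateful rules first: connection tracking assigns the state of each packet
add chain=input connection-state=established,related action=accept \
    comment="replies to connections the router opened or accepted"
add chain=input connection-state=invalid action=drop \
    comment="packets that belong to no known connection"
# Only certain hosts may reach certain TCP ports of the router (SSH, Winbox)
add chain=input protocol=tcp dst-port=22,8291 src-address-list=mgmt \
    action=accept comment="management only from the mgmt list"
# Match-only rules: log and passthrough both hand the packet to the next rule
add chain=input in-interface=ether1 action=log log-prefix="input-drop" \
    comment="see protocol, addresses and ports of what is dropped"
add chain=input in-interface=ether1 action=passthrough \
    comment="counter only: how many packets reach the final drop"
add chain=input in-interface=ether1 action=drop \
    comment="everything else from the public side"

# Monitoring: per-rule packet/byte counters and the tracked connections
/ip firewall filter print stats
/ip firewall connection print
```

The accept rules must sit above the final drop; if a rule lands in the wrong place, reorder it with `/ip firewall filter move` rather than re-adding it.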
Mangle
Mangle is a kind of marker that marks packets with special marks for future processing. Additionally, the mangle facility is used to modify some fields in the IP header, like the TOS (DSCP) and TTL fields. Many other facilities in RouterOS make use of these marks, e.g. queue trees and NAT.
The mangle marks exist only within the router; they are not transmitted across the network. Packets are processed through the rules in the order they are listed, from top to bottom. If a packet matches the condition(s) of a rule, the specified action is performed on it; otherwise the packet jumps to the next rule.
Mangle on Winbox
Concept
Match a parameter, such as source address or destination address, or much more, and set a mark for that packet. For a more advanced setting, we will use the connection mark:
- Mark the connection based on certain parameters
- Mark the packet based on the connection mark
Type of Mark
- Flow Mark: mark each packet for a certain rule
- Connection Mark: mark the connection; two-way packet marking
- Routing Mark
Mangle Actions
- Accept: the packet is accepted and passed through NAT without taking any action
- Jump: jump to the chain specified by the value of the jump-target argument
- Return: return to the previous chain, from where the jump took place
- Log: log the packet matches
- Passthrough: ignore this rule and go on to the next one
- Add dst to address list: add the packet's destination address to the specified address list
- Add src to address list: add the packet's source address to the specified address list
More Mangle Actions
- Mark connection: mark the connection (only the first packet)
- Mark packet: mark a flow (all packets)
- Mark routing: mark packets for policy routing
- Change MSS: change the maximum segment size of the packet
- Change TOS
- Change TTL
- Strip IPv4 options
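The two-step concept from the Concept slide (mark the connection first, then mark every packet by connection mark) carried through to a queue tree, as an added example that is not part of this module. The customer range 192.168.10.0/24, the interfaces ether1/ether2, the mark names and the limits are assumptions.

```routeros
# Added example, not from the module. Assumptions: customers are in
# 192.168.10.0/24 behind ether2, ether1 faces the Internet.
/ip firewall mangle
# Step 1: mark the connection. Only the first packet of a new connection
# matches, because later packets already carry the connection mark.
# passthrough=yes lets that first packet continue to step 2.
add chain=prerouting src-address=192.168.10.0/24 connection-mark=no-mark \
    action=mark-connection new-connection-mark=cust_conn passthrough=yes \
    comment="mark new customer connections"
# Step 2: mark every packet of that connection, in both directions,
# based only on the connection mark set in step 1
add chain=prerouting connection-mark=cust_conn action=mark-packet \
    new-packet-mark=cust_pkt passthrough=no \
    comment="mark all packets of cust_conn"

# The packet mark never leaves the router; a queue tree consumes it here
/queue tree
add name=cust_upload parent=ether1 packet-mark=cust_pkt max-limit=5M
add name=cust_download parent=ether2 packet-mark=cust_pkt max-limit=20M

# The counters show step 1 matching far fewer packets than step 2
/ip firewall mangle print stats
```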
IP Address List
- You can also define a group of IP addresses using an IP address list
- An IP address list can also be used in firewall rules to apply a certain action
- You can use a mangle or firewall filter rule to dynamically add an IP address to an IP address list with a certain time limit
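Dynamic listing with a time limit, combined with a filter rule that acts on the list, as an added example that is not part of this module. The list name probe_hosts, the choice of TCP port 23 as an unused port and the one-hour timeout are assumptions.

```routeros
# Added example, not from the module. Assumption: this router offers no
# service on TCP port 23, so any new connection to it is treated as a probe.
/ip firewall filter
# Hosts already on the dynamic list are dropped before anything else
add chain=input src-address-list=probe_hosts action=drop \
    comment="drop hosts listed by the rule below"
# First probe: put the source on the list for one hour. The action does
# not stop rule processing, so the drop rule below still applies.
add chain=input protocol=tcp dst-port=23 connection-state=new \
    action=add-src-to-address-list address-list=probe_hosts \
    address-list-timeout=1h comment="list hosts probing tcp/23 for 1h"
add chain=input protocol=tcp dst-port=23 action=drop

# Entries created this way are flagged D (dynamic) and expire on their own;
# the same add-src-to-address-list action is available in /ip firewall mangle
/ip firewall address-list print where list=probe_hosts
```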