
Firewall Filters

Document revision 1.10 (Sun Dec 05 12:41:37 GMT 2004)


This document applies to V2.8

Table of Contents
General Information
Summary
Quick Setup Guide
Specifications
Related Documents
Description
Packet Flow
Description
Firewall Rules
Description
Property Description
Notes
Example
Firewall Chains
Description
Notes
Example
IP Firewall Applications
Description
Example of Firewall Filters
Protecting the Customer's Network
Enforcing the 'Internet Policy'
Example of Source NAT (Masquerading)
Example of Destination NAT

General Information

Summary

Quick Setup Guide

• To add a firewall rule that drops all TCP packets passing through the router (forward chain) that are destined to port 135:
/ip firewall rule forward add dst-port=135 protocol=tcp action=drop

Page 1 of 11
Copyright 1999-2006, MikroTik. All rights reserved. Mikrotik, RouterOS and RouterBOARD are trademarks of Mikrotikls SIA.
Other trademarks and registered trademarks mentioned herein are properties of their respective owners.
• To deny telnet access (TCP port 23) to the router itself (input chain):
/ip firewall rule input add protocol=tcp dst-port=23 action=drop

Specifications
Packages required: system
License required: level1 (P2P filters limited to 1), level3
Home menu level: /ip firewall
Standards and Technologies: IP
Hardware usage: Increases with filtering rules count

Related Documents

Description

Packet Flow

Description

Firewall Rules
Home menu level: /ip firewall rule <chain name>

Description

Peer-to-Peer Traffic Filtering

ICMP TYPE:CODE values

• 8:0 - echo request
• 0:0 - echo reply
• 11:0 - TTL exceeded
• 3:3 - Port unreachable
• 3:4 - Fragmentation-DF-Set

Type of Service

The ToS byte of the IP header is also used by DSCP (RFC 2474) and ECN (RFC 3168); the firewall matches the Type of Service values defined in RFC 1349:

• normal - normal service (ToS=0)
• low-cost - minimize monetary cost (ToS=2)
• max-reliability - maximize reliability (ToS=4)
• max-throughput - maximize throughput (ToS=8)
• low-delay - minimize delay (ToS=16)

Property Description
action (accept | drop | jump | passthrough | reject | return; default: accept) - action to undertake if
the packet matches the rule, one of the following:
• accept - accept the packet. No action, i.e., the packet is passed through without undertaking any
action, except for mangle, and no more rules are processed in the relevant list/chain
• drop - silently drop the packet (without sending the ICMP reject message)
• jump - jump to the chain specified by the value of the jump-target argument
• passthrough - ignore this rule, except for mangle, and go on to the next one. Acts the same way as
a disabled rule, except for the ability to count and mangle packets
• reject - reject the packet and send an ICMP reject message
• return - return to the previous chain, from where the jump took place
comment (text; default: "") - a descriptive comment for the rule
connection (text; default: "") - connection mark to match. Only connections (including related ones)
marked in mangle are matched
connection-limit (integer; default: 0) - match the number of concurrent connections from each
particular IP address
connection-state (any | established | invalid | new | related; default: any) - connection state
content (text; default: "") - the text packets should contain in order to match the rule
disabled (yes | no; default: no) - specifies whether the rule is disabled or not
dst-address (IP address/mask:port; default: 0.0.0.0/0:0-65535) - destination IP address
dst-netmask (IP address) - destination netmask in decimal form x.x.x.x
dst-port (integer: 0..65535) - destination port number or range
• 0 - all ports 1-65535
flow (text) - flow mark to match. Only packets marked in the MANGLE would be matched
icmp-options (integer; default: any:any) - matches ICMP Type:Code fields
in-interface (name; default: all) - interface the packet has entered the router through.
• all - may include the local loopback interface for packets originated from the router
jump-target (name) - name of the target chain, if the action=jump is used
limit-burst (integer; default: 0) - allowed burst regarding the limit-count/limit-time, measured in
bits/s
limit-count (integer; default: 0) - how many times to use the rule during the limit-time period
limit-time (time; default: 0) - time interval measured in seconds, used in conjunction with
limit-count
• 0 - forever
log (yes | no; default: no) - specifies to log the action or not
out-interface (name; default: all) - interface the packet is leaving the router from
• all - may include the local loopback interface for packets with destination to the router
p2p (any | all-p2p | bit-torrent | direct-connect | fasttrack | soulseek | blubster | edonkey | gnutella |
warez; default: any) - match Peer-to-Peer (P2P) connections:
• all-p2p - match all known P2P traffic
• any - match any packet (i.e., do not check this property)
protocol (ah | egp | ggp | icmp | ipencap | ospf | rspf | udp | xtp | all | encap | gre | idpr-cmtp | ipip |
pup | st | vmtp | ddp | esp | hmp | igmp | iso-tp4 | rdp | tcp | xns-idp; default: all) - protocol setting

• all - cannot be used, if you want to specify ports
src-address (IP address/mask:port; default: 0.0.0.0/0:0-65535) - source IP address
src-mac-address (MAC address; default: 00:00:00:00:00:00) - host's MAC address the packet has
been received from
src-netmask (IP address) - source netmask in decimal form x.x.x.x
src-port (integer: 0..65535) - source port number or range (0-65535)
• 0 - all ports 1-65535
tcp-options (any | syn-only | non-syn-only; default: any) - TCP options
tos (integer | dont-change | low-cost | low-delay | max-reliability | max-throughput | normal | any;
default: any) - specifies a match to the value of the Type of Service (ToS) field of the IP header:
• any - match any packet (i.e., do not check this property)

Notes

A protocol (tcp or udp) must be specified in order to match on a port; protocol=all cannot be used together with dst-port or src-port.

Example

To add a rule that rejects TCP connections to port 8080 of the router itself (dst-port=8080):
/ip firewall rule input add dst-port=8080 protocol=tcp action=reject
[admin@MikroTik] ip firewall rule input> print
Flags: X - disabled, I - invalid
0 src-address=0.0.0.0/0:0-65535 in-interface=all
dst-address=0.0.0.0/0:8080 out-interface=all protocol=tcp
icmp-options=any:any tcp-options=any connection-state=any flow=""
connection="" content="" src-mac-address=00:00:00:00:00:00 limit-count=0
limit-burst=0 limit-time=0s action=reject log=no

To limit each source address to 5 concurrent TCP connections through the router by dropping further connection attempts (SYN packets):
/ip firewall rule forward add protocol=tcp tcp-options=syn-only connection-limit=5 \
action=drop

Firewall Chains
Home menu level: /ip firewall

Description

The firewall has three built-in chains, and a packet is processed by the chain that corresponds to its path through the router:

• input - processes packets destined to the router itself
• forward - processes packets passing through the router
• output - processes packets originated by the router
 

Each chain has a policy, which is applied to packets that match none of the rules in the chain:

• accept - accept the packet
• drop - silently drop the packet (without sending the ICMP reject message)
• none - not applicable

User-defined chains, which packets enter through the jump action, have the policy none: a packet that matches no rule in such a chain returns to the chain from which the jump took place, and processing continues with the next rule there.

Notes

Be careful when setting the policy of the input or output chain to drop: unless rules that accept the management traffic are added first, access to the router can be lost.

Example
[admin@MikroTik] ip firewall> print
# NAME POLICY
0 input accept
1 forward accept
2 output accept
[admin@MikroTik] ip firewall> add name=router
[admin@MikroTik] ip firewall> print
# NAME POLICY
0 input accept
1 forward accept
2 output accept
3 router none

IP Firewall Applications

Description

Basic Firewall Building Principles

A firewall for a customer's network is built on the following principles:

• Protect the router from unauthorized access
• Protect the customer's hosts
• Use source NAT (masquerading) to 'hide' the private network behind one external address
• Enforce the Internet usage policy for the customer's network

Example of Firewall Filters

The following examples implement the principles above for this setup:

• The router's Public interface has the address 10.0.0.217/24 and the default gateway is 10.0.0.254; its Local interface, 192.168.0.254/24, faces the customer's network 192.168.0.0/24
• Access to the router itself is allowed only from the 'trusted' network 10.5.8.0/24
• From the Internet, only HTTP (port 80) and SMTP (port 25) connections to the server at 192.168.0.17 are allowed into the customer's network
• From the customer's network, only ICMP and connections originating from the server at 192.168.0.17 are allowed out to the Internet

The router's addresses and routes:
[admin@MikroTik] ip address> print
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK BROADCAST INTERFACE
0 10.0.0.217/24 10.0.0.0 10.0.0.255 Public
1 192.168.0.254/24 192.168.0.0 192.168.0.255 Local
[admin@MikroTik] ip route> print
Flags: X - disabled, I - invalid, D - dynamic, J - rejected,
C - connect, S - static, R - rip, O - ospf, B - bgp
# DST-ADDRESS G GATEWAY DISTANCE INTERFACE
0 S 0.0.0.0/0 r 10.0.0.254 1 Public
1 DC 192.168.0.0/24 r 0.0.0.0 0 Local
2 DC 10.0.0.0/24 r 0.0.0.0 0 Public

The rules that protect the router itself are added to the input chain: invalid packets are dropped, established and related connections, UDP and ICMP are allowed, access from the trusted network 10.5.8.0/24 is allowed, and everything else is dropped and logged:
/ip firewall rule input
add connection-state=invalid action=drop \
comment="Drop invalid connection packets"
add connection-state=established \
comment="Allow established connections"
add connection-state=related \
comment="Allow related connections"
add protocol=udp comment="Allow UDP connections"
add protocol=icmp comment="Allow ICMP messages"
add src-address=10.5.8.0/24 \
comment="Allow access from 'trusted' network 10.5.8.0/24"
add action=drop log=yes \
comment="Drop and log everything else"

Protecting the Customer's Network

To protect the customer's network 192.168.0.0/24, a separate chain named customer is created and the filtering rules are added to it; from outside, only HTTP and SMTP connections to the server at 192.168.0.17 are allowed in:
/ip firewall add name=customer
/ip firewall rule customer
add connection-state=invalid action=drop \
comment="Drop invalid connection packets"
add connection-state=established \
comment="Allow established connections"
add connection-state=related \
comment="Allow related connections"
add protocol=udp \
comment="Allow UDP connections"
add protocol=icmp \
comment="Allow ICMP messages"
add protocol=tcp dst-address=192.168.0.17/32:80 \
comment="Allow http connections to the server at 192.168.0.17"
add protocol=tcp dst-address=192.168.0.17/32:25 \
comment="Allow SMTP connections to the server at 192.168.0.17"

add action=drop log=yes comment="Drop and log everything else"

Packets leaving the router through the Local interface, i.e. entering the customer's network, are then passed from the forward chain to the customer chain:
/ip firewall rule forward
add out-interface=Local action=jump \
jump-target=customer


Enforcing the 'Internet Policy'

To enforce the Internet usage policy, rules are added to the forward chain so that only ICMP and connections originating from the server at 192.168.0.17 may leave through the Public interface; everything else going out is dropped and logged:
/ip firewall rule forward
add connection-state=invalid action=drop \
comment="Drop invalid connection packets"
add connection-state=established \
comment="Allow established connections"
add connection-state=related \
comment="Allow related connections"
add protocol=icmp out-interface=Public \
comment="Allow ICMP ping packets"
add src-address=192.168.0.17/32 out-interface=Public \
comment="Allow outgoing connections from the server at 192.168.0.17"
add action=drop out-interface=Public log=yes \
comment="Drop and log everything else"
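The chain and policy semantics described under Firewall Chains, exercised on the rule sets of this section: an added Python model (not MikroTik's code) that walks the input, customer and forward chains above over constructed packets. The packet field names and the dict form of the rules are this example's own assumptions; reject is modelled as drop, and mangle and NAT are ignored.

```python
import ipaddress

def packet(src, dst, proto="tcp", dport=0, state="new", in_if="Public", out_if="Local"):
    # Constructed packet; the field names are this example's own, not RouterOS's
    return {"src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst), "protocol": proto,
            "dst-port": dport, "connection-state": state, "in-interface": in_if, "out-interface": out_if}

def _match(rule, pkt):
    # A rule matches only when every matcher it carries holds; action fields are not matchers
    for key, want in rule.items():
        if key in ("action", "jump-target", "comment"):
            continue
        if key in ("src-address", "dst-address"):  # "net/mask" or "net/mask:port" as on this page
            net, _, port = want.partition(":")
            if pkt[key[:3]] not in ipaddress.ip_network(net) or (port and pkt["dst-port"] != int(port)):
                return False
        elif pkt.get(key) != want:
            return False
    return True

def run_chain(chains, name, pkt):
    # Walks one chain: returns 'accept' or 'drop', or None when a user chain (policy none) has no match
    for rule in chains[name]["rules"]:
        if not _match(rule, pkt):
            continue
        action = rule.get("action", "accept")
        if action in ("accept", "drop", "reject"):  # reject ends processing like drop (no ICMP modelled)
            return "drop" if action == "reject" else action
        if action == "return":
            break
        if action == "jump":  # no match in the user chain means: continue with the next rule here
            verdict = run_chain(chains, rule["jump-target"], pkt)
            if verdict is not None:
                return verdict
        # passthrough: fall through to the next rule
    return chains[name]["policy"]

# The rule sets from this page, in the order they were added (forward: the jump first, then the policy rules)
CHAINS = {
    "input": {"policy": "accept", "rules": [
        {"connection-state": "invalid", "action": "drop"}, {"connection-state": "established"},
        {"connection-state": "related"}, {"protocol": "udp"}, {"protocol": "icmp"},
        {"src-address": "10.5.8.0/24"}, {"action": "drop"}]},
    "customer": {"policy": None, "rules": [  # user chain: policy none
        {"connection-state": "invalid", "action": "drop"}, {"connection-state": "established"},
        {"connection-state": "related"}, {"protocol": "udp"}, {"protocol": "icmp"},
        {"protocol": "tcp", "dst-address": "192.168.0.17/32:80"},
        {"protocol": "tcp", "dst-address": "192.168.0.17/32:25"}, {"action": "drop"}]},
    "forward": {"policy": "accept", "rules": [
        {"out-interface": "Local", "action": "jump", "jump-target": "customer"},
        {"connection-state": "invalid", "action": "drop"}, {"connection-state": "established"},
        {"connection-state": "related"}, {"protocol": "icmp", "out-interface": "Public"},
        {"src-address": "192.168.0.17/32", "out-interface": "Public"}, {"out-interface": "Public", "action": "drop"}]},
}
```

For instance, run_chain(CHAINS, "forward", packet("1.2.3.4", "192.168.0.17", dport=80)) yields accept via the customer chain, while the same packet to port 22 is dropped there.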

Example of Source NAT (Masquerading)

To hide the customer's private network 192.168.0.0/24 behind the router's external address 10.0.0.217, source NAT with the masquerade action is applied to all packets leaving through the Public interface:
/ip firewall src-nat add action=masquerade out-interface=Public

With this rule the source address of packets from 192.168.0.0/24 leaving through the Public interface is rewritten to 10.0.0.217, and the replies are translated back to the originating host.

Example of Destination NAT

To make a web server on the host 192.168.0.4 in the customer's network reachable from the Internet, destination NAT maps TCP connections arriving at the router's public address and port, 10.0.0.217:80, to 192.168.0.4:80:
/ip firewall dst-nat add action=nat protocol=tcp \
dst-address=10.0.0.217/32:80 to-dst-address=192.168.0.4
