IP/Firewall/Filter

manual:ip/firewall/filter 1
manual:ip/firewall/filter
applies to routeros: v3, v4
summary
sub-menu: /ip firewall filter
the firewall implements packet filtering and thereby provides security functions that are used to manage data flow
to, from and through the router. along with the network address translation it serves as a tool for preventing
unauthorized access to directly attached networks and the router itself as well as a filter for outgoing traffic.
network firewalls keep outside threats away from sensitive data available inside the network. whenever different
networks are joined together, there is always a threat that someone from outside of your network will break into your
lan. such break-ins may result in private data being stolen and distributed, valuable data being altered or
destroyed, or entire hard drives being erased. firewalls are used as a means of preventing or minimizing the security
risks inherent in connecting to other networks. properly configured firewall plays a key role in efficient and secure
network infrastrure deployment.
mikrotik routeros has very powerful firewall implementation with features including:
• stateful packet inspection
• layer-7 protocol detection
• peer-to-peer protocols filtering
• traffic classification by:
• source mac address
• ip addresses (network or list) and address types (broadcast, local, multicast, unicast)
• port or port range
• ip protocols
• protocol options (icmp type and code fields, tcp flags, ip options and mss)
• interface the packet arrived from or left through
• internal flow and connection marks
• dscp byte
• packet content
• rate at which packets arrive and sequence numbers
• packet size
• packet arrival time
• and much more!
manual:ip/firewall/filter 2
chains
the firewall operates by means of firewall rules. each rule consists of two parts - the matcher which matches traffic
flow against given conditions and the action which defines what to do with the matched packet.
firewall filtering rules are grouped together in chains. it allows a packet to be matched against one common criterion
in one chain, and then passed over for processing against some other common criteria to another chain. for example
a packet should be matched against the ip address:port pair. of course, it could be achieved by adding as many rules
with ip address:port match as required to the forward chain, but a better way could be to add one rule that matches
traffic from a particular ip address, e.g.: /ip firewall filter add src-address=1.1.1.2/32 jump-target="mychain" and in
case of successfull match passes control over the ip packet to some other chain, id est mychain in this example. then
rules that perform matching against separate ports can be added to mychain chain without specifying the ip
addresses.
there are three predefined chains, which cannot be deletingd:
• input - used to process packets entering the router through one of the interfaces with the destination ip address
which is one of the router s addresses. packets passing through the router are not processed against the rules of the
input chain
• forward - used to process packets passing through the router
• output - used to process packets originated from the router and leaving it through one of the interfaces. packets
passing through the router are not processed against the rules of the output chain
packet flow diagrams illustrate how packets are processed in routeros.
when processing a chain, rules are taken from the chain in the order they are listed there from top to bottom. if a
packet matches the criteria of the rule, then the specified action is performed on it, and no more rules are processed
in that chain (the exception is the passthrough action). if a packet has not matched any rule within the chain, then it
is accepted.
properties
property description
action (action name default: accept) action to take if packet is matched by the rule:
• accept - accept the packet. packet is not passed to next firewall rule.
• add-dst-to-address-list - add destination address to address list
specified by address-list parameter
• add-src-to-address-list - add source address to address list
specified by address-list parameter
• droping - silently droping the packet
• jump - jump to the user defined chain specified by the value of
jump-target parameter
• log - add a message to the system log containing following data:
in-interface, out-interface, src-mac, protocol, src-ip:port->dst-ip:port and
length of the packet. after packet is matched it is passed to next rule in the
list, similar as passthrough
• passthrough - ignore this rule and go to next one (useful for statistics).
• reject - droping the packet and send an icmp reject message
• return - passes control back to the chain from where the jump took place
• tarpit - captures and holds tcp connections (replies with syn/ack to
the inbound tcp syn packet)
address-list (string default: ) name of the address list to be used. applicable if action is
add-dst-to-address-list or add-src-to-address-list
manual:ip/firewall/filter 3
address-list-timeout (time default: 00:00:00) time interval after which the address will be removed from the address list
specified by address-list parameter. used in conjunction with
add-dst-to-address-list or add-src-to-address-list
actions
value of 00:00:00 will leave the address in the address list forever
chain (name default: ) specifies to which chain rule will be added. if the input does not match the
name of an already defined chain, a new chain will be created.
comment (string default: ) descriptive comment for the rule.
connection-bytes (integer-integer default: ) matches packets only if a given amount of bytes has been transfered through
the particular connection. 0 - means infinity, for example
connection-bytes=2000000-0 means that the rule matches if more
than 2mb has been transfered through the relevant connection
connection-limit (integer,netmask default: ) restrict connection limit per address or address block
connection-mark (no-mark | string default: ) matches packets marked via mangle facility with particular connection mark. if
no-mark is set, rule will match any unmarked connection.
connection-rate (integer 0..4294967295 default: ) connection rate is a firewall matcher that allow to capture traffic based on
present speed of the connection. read more >>
connection-state (estabilished | invalid | new | related
default: )
interprets the connection tracking analysis data for a particular packet:
• established - a packet which belongs to an existing connection
• invalid - a packet which could not be identified for some reason
• new - the packet has started a new connection, or otherwise associated with
a connection which has not seen packets in both directions.
• related - a packet which is related to, but not part of an existing
connection, such as icmp errors or a packet which begins ftp data
connection
connection-type (ftp | h323 | irc | pptp | quake3 | sip | tftp
default: )
matches packets from related connections based on information from their
connection tracking helpers. a relevant connection helper must be enabled
under /ip firewall service-port
content (string default: ) match packets that contain specified text
dscp (integer: 0..63 default: ) matches dscp ip header field.
dst-address (ip/netmask | ip range default: ) matches packets which destination is equal to specified ip or falls into
specified ip range.
dst-address-list (name default: ) matches destination address of a packet against user-defined address list
dst-address-type (unicast | local | broadcast | multicast
default: )
matches destination address type:
• unicast - ip address used for point to point transmission
• local - if dst-address is assigned to one of router s interfaces
• broadcast - packet is sent to all devices in subnet
• multicast - packet is forwarded to defined group of devices
dst-limit (integer,time,integer,dst-address | dst-port |
src-address, time default: )
matches packets within given pps limit. as opposed to the limit matcher,
every destination ip address / destination port has it s own limit. parameters are
written in following format: count,time,burst,mode,expire.
• count - maximum average packet rate measured in packets per time
interval
• time - specifies the time interval in which the packet rate is measured
• burst - number of packets which are not counted by packet rate
• mode - the classifier for packet rate limiting
• expire - specifies interval after which recored ip address /port will be
deletingd
dst-port (integer[-integer]: 0..65535 default: ) list of destination port numbers or port number ranges
manual:ip/firewall/filter 4
fragment (yes|no default: ) matches fragmented packets. first (starting) fragment does not count. if
connection tracking is enabled there will be no fragments as system
automatically assembles every packet
hotspot (auth | from-client | http | local-dst | to-client default:
)
icmp-options (integer:integer default: ) matches icmp type:code fileds
in-bridge-port (name default: ) actual interface the packet has entered the router, if incoming interface is
bridge
in-interface (name default: ) interface the packet has entered the router
ingress-priority (integer: 0..63 default: ) matches ingress priority of the packet. priority may be derived from vlan,
wmm or mpls exp bit. read more>>
ipv4-options (any | loose-source-routing | no-record-route |
no-router-alert | no-source-routing | no-timestamp | none |
record-route | router-alert | strict-source-routing | timestamp
default: )
matches ipv4 header options.
• any - match packet with at least one of the ipv4 options
• loose-source-routing - match packets with loose source routing
option. this option is used to route the internet datagram based on
information supplied by the source
• no-record-route - match packets with no record route option. this
option is used to route the internet datagram based on information supplied
by the source
• no-router-alert - match packets with no router alter option
• no-source-routing - match packets with no source routing option
• no-timestamp - match packets with no timestamp option
• record-route - match packets with record route option
• router-alert - match packets with router alter option
• strict-source-routing - match packets with strict source routing
option
• timestamp - match packets with timestamp
jump-target (name default: ) name of the target chain to jump to. applicable only if action=jump
layer7-protocol (name default: ) layer7 filter name defined in layer7 protocol menu.
limit (integer,time,integer default: ) matches packets within given pps limit. parameters are written in following
format: count,time,burst.
• count - maximum average packet rate measured in packets per time
interval
• time - specifies the time interval in which the packet rate is measured
• burst - number of packets which are not counted by packet rate
log-prefix (string default: ) adds specified text at the beginning of every log message. applicable if
action=log
nth (integer,integer default: ) matches every nth packet. read more >>
out-bridge-port (name default: ) actual interface the packet is leaving the router, if outgoing interface is bridge
out-interface ( default: ) interface the packet is leaving the router
p2p (all-p2p | bit-torrent | blubster | direct-connect | edonkey |
fasttrack | gnutella | soulseek | warez | winmx default: )
matches packets from various peer-to-peer (p2p) protocols. does not work on
encrypted p2p packets.
packet-mark (no-mark | string default: ) matches packets marked via mangle facility with particular packet mark. if
no-mark is set, rule will match any unmarked packet.
packet-size (integer[-integer]:0..65535 default: ) matches packets of specified size or size range in bytes.
per-connection-classifier
(valuestohash:denominator/remainder default: )
pcc matcher allows to divide traffic into equal streams with ability to keep
packets with specific set of options in one particular stream. read more >>
port (integer[-integer]: 0..65535 default: ) matches if any (source or destination) port matches the specified list of ports or
port ranges. applicable only if protocol is tcp or udp
manual:ip/firewall/filter 5
protocol (name or protocol id default: tcp) matches particular ip protocol specified by protocol name or number
psd (integer,time,integer,integer default: ) attempts to detect tcp and udp scans. parameters are in following format
weightthreshold, delaythreshold, lopportweight,
highportweight
• weightthreshold - total weight of the latest tcp/udp packets with
different destination ports coming from the same host to be treated as port
scan sequence
• delaythreshold - delay for the packets with different destination ports
coming from the same host to be treated as possible port scan subsequence
• lowportweight - weight of the packets with privileged (<=1024)
destination port
• highportweight - weight of the packet with non-priviliged destination
port
random (integer: 1..99 default: ) matches packets randomly with given probability.
reject-with ( default: ) specifies error to be sent back if packet is rejected. applicable if
action=reject
routing-mark (string default: ) matches packets marked by mangle facility with particular routing mark
src-address (ip/netmaks, ip range default: ) matches packets which source is equal to specified ip or falls into specified ip
range.
src-address-list (name default: ) matches source address of a packet against user-defined address list
src-address-type (unicast | local | broadcast | multicast
default: )
matches source address type:
• unicast - ip address used for point to point transmission
• local - if address is assigned to one of router s interfaces
• broadcast - packet is sent to all devices in subnet
• multicast - packet is forwarded to defined group of devices
src-port (integer[-integer]: 0..65535 default: ) list of source ports and ranges of source ports. applicable only if protocol is
tcp or udp.
src-mac-address (mac address default: ) matches source mac address of the packet
tcp-flags (ack | cwr | ece | fin | psh | rst | syn | urg default: ) matches specified tcp flags
• ack - acknowledging data
• cwr - congestion window reduced
• ece - ecn-echo flag (explicit congestion notification)
• fin - close connection
• psh - push function
• rst - droping connection
• syn - new connection
• urg - urgent data
tcp-mss (integer: 0..65535 default: ) matches tcp mss value of an ip packet
time (time-time,sat | fri | thu | wed | tue | mon | sun default: ) allows to create filter based on the packets arrival time and date or, for locally
generated packets, departure time and date
ttl (integer: 0..255 default: ) matches packets ttl value
manual:ip/firewall/filter 6
stats
/ip firewall filter print stats will show additional read-only properties
property description
bytes (integer) total amount of bytes matched by the rule
packets (integer) total amount of packets matched by the rule
by default print is equivalent to print static and shows only static rules.
[admin@dzeltenais_burkaans] /ip firewall mangle> print stats
flags: x - disabled, i - invalid, d - dynamic
# chain action bytes packets
0 prerouting mark-routing 17478158 127631
1 prerouting mark-routing 782505 4506
to print also dynamic rules use print all.
[admin@dzeltenais_burkaans] /ip firewall mangle> print all stats
flags: x - disabled, i - invalid, d - dynamic
# chain action bytes packets
0 prerouting mark-routing 17478158 127631
1 prerouting mark-routing 782505 4506
2 d forward change-mss 0 0
3 d forward change-mss 0 0
4 d forward change-mss 0 0
5 d forward change-mss 129372 2031
or to print only dynamic rules use print dynamic
[admin@dzeltenais_burkaans] /ip firewall mangle> print stats dynamic
flags: x - disabled, i - invalid, d - dynamic
# chain action bytes packets
0 d forward change-mss 0 0
1 d forward change-mss 0 0
2 d forward change-mss 0 0
3 d forward change-mss 132444 2079
manual:ip/firewall/filter 7
menu specific commands
property description
reset-counters (id) reset statistics counters for specified firewall rules.
reset-counters-all () reset statistics counters for all firewall rules.
basic examples
router protection
lets say our private network is 192.168.0.0/24 and public (wan) interface is ether1. we will set up firewall to allow
connections to router itself only from our local network and droping the rest. also we will allow icmp protocol on any
interface so that anyone can ping your router from internet.
/ip firewall filter
add chain=input connection-state=invalid action=droping \
comment="droping invalid connections"
add chain=input connection-state=established action=accept \
comment="allow established connections"
add chain=input protocol=icmp action=accept \
comment="allow icmp"
add chain=input src-address=192.168.0.0/24 action=accept \
in-interface=!ether1
add chain=input action=droping comment="droping everything else"
customer protection
to protect the customer s network, we should check all traffic which goes through router and block unwanted. for
icmp, tcp, udp traffic we will create chains, where will be dropinged all unwanted packets:
/ip firewall filter
add chain=forward protocol=tcp connection-state=invalid \
action=droping comment="droping invalid connections"
add chain=forward connection-state=established action=accept \
comment="allow already established connections"
add chain=forward connection-state=related action=accept \
comment="allow related connections"
block "bogon" ip addresses
add chain=forward src-address=0.0.0.0/8 action=droping
add chain=forward dst-address=0.0.0.0/8 action=droping
add chain=forward src-address=127.0.0.0/8 action=droping
add chain=forward dst-address=127.0.0.0/8 action=droping
add chain=forward src-address=224.0.0.0/3 action=droping
add chain=forward dst-address=224.0.0.0/3 action=droping
make jumps to new chains:
add chain=forward protocol=tcp action=jump jump-target=tcp
add chain=forward protocol=udp action=jump jump-target=udp
manual:ip/firewall/filter 8
add chain=forward protocol=icmp action=jump jump-target=icmp
create tcp chain and deny some tcp ports in it:
add chain=tcp protocol=tcp dst-port=69 action=droping \
comment="deny tftp"
add chain=tcp protocol=tcp dst-port=111 action=droping \
comment="deny rpc portmapper"
add chain=tcp protocol=tcp dst-port=135 action=droping \
comment="deny rpc portmapper"
add chain=tcp protocol=tcp dst-port=137-139 action=droping \
comment="deny nbt"
add chain=tcp protocol=tcp dst-port=445 action=droping \
comment="deny cifs"
add chain=tcp protocol=tcp dst-port=2049 action=droping comment="deny nfs"
add chain=tcp protocol=tcp dst-port=12345-12346 action=droping comment="deny netbus"
add chain=tcp protocol=tcp dst-port=20034 action=droping comment="deny netbus"
add chain=tcp protocol=tcp dst-port=3133 action=droping comment="deny backoriffice"
add chain=tcp protocol=tcp dst-port=67-68 action=droping comment="deny dhcp"
deny udp ports in udp chain:
add chain=udp protocol=udp dst-port=69 action=droping comment="deny tftp"
add chain=udp protocol=udp dst-port=111 action=droping comment="deny prc portmapper"
add chain=udp protocol=udp dst-port=135 action=droping comment="deny prc portmapper"
add chain=udp protocol=udp dst-port=137-139 action=droping comment="deny nbt"
add chain=udp protocol=udp dst-port=2049 action=droping comment="deny nfs"
add chain=udp protocol=udp dst-port=3133 action=droping comment="deny backoriffice"
allow only needed icmp codes in icmp chain:
add chain=icmp protocol=icmp icmp-options=0:0 action=accept \
comment="echo reply"
add chain=icmp protocol=icmp icmp-options=3:0 action=accept \
comment="net unreachable"
add chain=icmp protocol=icmp icmp-options=3:1 action=accept \
comment="host unreachable"
add chain=icmp protocol=icmp icmp-options=3:4 action=accept \
comment="host unreachable fragmentation required"
add chain=icmp protocol=icmp icmp-options=4:0 action=accept \
comment="allow source quench"
add chain=icmp protocol=icmp icmp-options=8:0 action=accept \
comment="allow echo request"
add chain=icmp protocol=icmp icmp-options=11:0 action=accept \
comment="allow time exceed"
add chain=icmp protocol=icmp icmp-options=12:0 action=accept \
comment="allow parameter bad"
add chain=icmp action=droping comment="deny all other types"
other icmp codes are found here [1].
manual:ip/firewall/filter 9
brute force protection
bruteforce_login_prevention_(ftp_&_ssh)
[ top | back to content ]
references
[1] http:/ / www. iana. org/ assignments/ icmp-parameters
article sources and contributors 10
article sources and contributors
manual:ip/firewall/filter source: http://wiki.mikrotik.com/index.php?oldid=22181 contributors: janisk, kirshteins, marisb, normis, sergejsb
image sources, licenses and contributors
image:version.png source: http://wiki.mikrotik.com/index.php?title=file:version.png license: unknown contributors: normis