{"id":1030,"date":"2022-10-04T16:02:45","date_gmt":"2022-10-04T14:02:45","guid":{"rendered":"https:\/\/www.tinone71.com\/wp\/?p=1030"},"modified":"2022-10-04T16:30:25","modified_gmt":"2022-10-04T14:30:25","slug":"mikorik-firewall","status":"publish","type":"post","link":"https:\/\/www.tinone71.com\/wp\/?p=1030","title":{"rendered":"MikroTik Firewall"},"content":{"rendered":"<h1 class=\"wp-block-heading\" id=\"title-text\">Article taken from<\/h1>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"title-text\"> https:\/\/help.mikrotik.com\/docs\/display\/ROS\/Building+Your+First+Firewall<\/h4>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"BuildingYourFirstFirewall-Ipv4firewall\">IPv4 firewall<\/h3>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"BuildingYourFirstFirewall-Protecttherouteritself\">Protect the router itself<\/h4>\n\n\n\n<ul><li>work with <em>new<\/em> connections to decrease load on the router;<\/li><li>create an <em>address-list<\/em> of the IP addresses that are allowed to access your router;<\/li><li>enable ICMP access (optionally);<\/li><li>drop everything else; <em>log=yes<\/em> can be added to log packets that hit a specific rule.<\/li><\/ul>\n\n\n\n<pre class=\"wp-block-code has-small-font-size\"><code>\/ip firewall filter\nadd action=accept chain=input comment=\"default configuration\" connection-state=established,related\nadd action=accept chain=input src-address-list=allowed_to_router\nadd action=accept chain=input protocol=icmp\nadd action=drop chain=input\n\/ip firewall address-list\nadd address=192.168.88.2-192.168.88.254 list=allowed_to_router<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"BuildingYourFirstFirewall-ProtecttheLANdevices\">Protect the LAN devices<\/h4>\n\n\n\n<p>We will create an <em>address-list<\/em> named &#8220;not_in_internet&#8221; that we will use in the firewall filter rules:<\/p>\n\n\n\n<pre class=\"wp-block-code has-small-font-size\"><code>\/ip firewall address-list\nadd address=0.0.0.0\/8 comment=RFC6890 list=not_in_internet\nadd address=172.16.0.0\/12 comment=RFC6890 list=not_in_internet\nadd address=192.168.0.0\/16 comment=RFC6890 list=not_in_internet\nadd address=10.0.0.0\/8 comment=RFC6890 list=not_in_internet\nadd address=169.254.0.0\/16 comment=RFC6890 list=not_in_internet\nadd address=127.0.0.0\/8 comment=RFC6890 list=not_in_internet\nadd address=224.0.0.0\/4 comment=Multicast list=not_in_internet\nadd address=198.18.0.0\/15 comment=RFC6890 list=not_in_internet\nadd address=192.0.0.0\/24 comment=RFC6890 list=not_in_internet\nadd address=192.0.2.0\/24 comment=RFC6890 list=not_in_internet\nadd address=198.51.100.0\/24 comment=RFC6890 list=not_in_internet\nadd address=203.0.113.0\/24 comment=RFC6890 list=not_in_internet\nadd address=100.64.0.0\/10 comment=RFC6890 list=not_in_internet\nadd address=240.0.0.0\/4 comment=RFC6890 list=not_in_internet\nadd address=192.88.99.0\/24 comment=\"6to4 relay Anycast &#91;RFC 3068]\" list=not_in_internet<\/code><\/pre>\n\n\n\n<p>Brief firewall filter rule explanation:<\/p>\n\n\n\n<ul><li>packets with <em>connection-state=established,related<\/em> are added to FastTrack for faster data throughput, so the firewall will work with new connections only;<\/li><li>drop <em>invalid<\/em> connections and log them with prefix &#8220;invalid&#8221;;<\/li><li>drop attempts to reach non-public addresses from your local network, using the <em>address-list=not_in_internet<\/em> created above; &#8220;bridge&#8221; is the local network interface; log attempts with prefix &#8220;!public_from_LAN&#8221;;<\/li><li>drop incoming new connections on the public interface that are not dst-NATed; ether1 is the public interface; log attempts with the &#8220;!NAT&#8221; prefix;<\/li><li>jump to the ICMP chain to drop unwanted ICMP messages;<\/li><li>drop incoming packets from the Internet whose source is not a public IP address; ether1 is the public interface; log attempts with prefix &#8220;!public&#8221;;<\/li><li>drop packets from the LAN that do not have a LAN source IP; 192.168.88.0\/24 is the subnet used by the local network.<\/li><\/ul>\n\n\n\n<pre class=\"wp-block-code\" style=\"font-size:12px\"><code>\/ip firewall filter\nadd action=fasttrack-connection chain=forward comment=FastTrack connection-state=established,related\nadd action=accept chain=forward comment=\"Established, Related\" connection-state=established,related\nadd action=drop chain=forward comment=\"Drop invalid\" connection-state=invalid log=yes log-prefix=invalid\nadd action=drop chain=forward comment=\"Drop tries to reach not public addresses from LAN\" dst-address-list=not_in_internet in-interface=bridge log=yes log-prefix=!public_from_LAN out-interface=!bridge\nadd action=drop chain=forward comment=\"Drop incoming packets that are not NAT`ted\" connection-nat-state=!dstnat connection-state=new in-interface=ether1 log=yes log-prefix=!NAT\nadd action=jump chain=forward protocol=icmp jump-target=icmp comment=\"jump to ICMP filters\"\nadd action=drop chain=forward comment=\"Drop incoming from internet which is not public IP\" in-interface=ether1 log=yes log-prefix=!public src-address-list=not_in_internet\nadd action=drop chain=forward comment=\"Drop packets from LAN that do not have LAN IP\" in-interface=bridge log=yes log-prefix=LAN_!LAN src-address=!192.168.88.0\/24<\/code><\/pre>\n\n\n\n<p>Allow only the needed ICMP types and codes in the &#8220;icmp&#8221; chain:<\/p>\n\n\n\n<pre class=\"wp-block-code\" style=\"font-size:12px\"><code>\/ip firewall filter\n  add chain=icmp protocol=icmp icmp-options=0:0 action=accept \\\n    comment=\"echo reply\"\n  add chain=icmp protocol=icmp icmp-options=3:0 action=accept \\\n    comment=\"net unreachable\"\n  add chain=icmp protocol=icmp icmp-options=3:1 action=accept \\\n    comment=\"host unreachable\"\n  add chain=icmp protocol=icmp icmp-options=3:4 action=accept \\\n    comment=\"host unreachable fragmentation required\"\n  add chain=icmp protocol=icmp icmp-options=8:0 action=accept \\\n    comment=\"allow echo request\"\n  add chain=icmp protocol=icmp icmp-options=11:0 action=accept \\\n    comment=\"allow time exceed\"\n  add chain=icmp protocol=icmp icmp-options=12:0 action=accept \\\n    comment=\"allow parameter bad\"\n  add chain=icmp action=drop comment=\"deny all other types\"<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"BuildingYourFirstFirewall-IPv6firewall\">IPv6 firewall<\/h3>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"BuildingYourFirstFirewall-Protecttherouteritself.1\">Protect the router itself<\/h4>\n\n\n\n<p>Create an address-list from which you allow access to the device:<\/p>\n\n\n\n<pre class=\"wp-block-code has-small-font-size\"><code>\/ipv6 firewall address-list add address=fd12:672e:6f65:8899::\/64 list=allowed<\/code><\/pre>\n\n\n\n<p>Brief IPv6 firewall filter rule explanation:<\/p>\n\n\n\n<ul><li>work with <em>new<\/em> packets, accept <em>established\/related<\/em> packets;<\/li><li>drop packets with <em>link-local<\/em> source addresses arriving on the Internet (public) interface or interface list;<\/li><li>accept access to the router from <em>link-local<\/em> addresses, accept <em>multicast<\/em> addresses for management purposes, accept your source <em>address-list<\/em> for router access;<\/li><li>drop anything else.<\/li><\/ul>\n\n\n\n<pre class=\"wp-block-code has-small-font-size\"><code>\/ipv6 firewall filter\nadd action=accept chain=input comment=\"allow established and related\" connection-state=established,related\nadd chain=input action=accept protocol=icmpv6 comment=\"accept ICMPv6\"\nadd chain=input action=accept protocol=udp port=33434-33534 comment=\"defconf: accept UDP traceroute\"\nadd chain=input action=accept protocol=udp dst-port=546 src-address=fe80::\/16 comment=\"accept DHCPv6-Client prefix delegation.\"\nadd action=drop chain=input in-interface=sit1 log=yes log-prefix=dropLL_from_public src-address=fe80::\/16\nadd action=accept chain=input comment=\"allow allowed addresses\" src-address-list=allowed\nadd action=drop chain=input\n\/ipv6 firewall address-list\nadd address=fe80::\/16 list=allowed\nadd address=xxxx::\/48 list=allowed\nadd address=ff02::\/16 comment=multicast list=allowed<\/code><\/pre>\n\n\n\n<p>Enabling IPv6 makes your clients reachable from public networks; set up a proper firewall to protect them.<\/p>\n\n\n\n<ul><li>accept <em>established\/related<\/em> and work with <em>new<\/em> packets;<\/li><li>drop <em>invalid<\/em> packets and log them with a prefix;<\/li><li>accept ICMPv6 packets;<\/li><li>accept <em>new<\/em> connections from your clients to the Internet;<\/li><li>drop everything else.<\/li><\/ul>\n\n\n\n<pre class=\"wp-block-code has-small-font-size\"><code>\/ipv6 firewall filter\nadd action=accept chain=forward comment=established,related connection-state=established,related\nadd action=drop chain=forward comment=invalid connection-state=invalid log=yes log-prefix=ipv6,invalid\nadd action=accept chain=forward comment=icmpv6 in-interface=!sit1 protocol=icmpv6\nadd action=accept chain=forward comment=\"local network\" in-interface=!sit1 src-address-list=allowed\nadd action=drop chain=forward log-prefix=IPV6<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"<p>Article taken from https:\/\/help.mikrotik.com\/docs\/display\/ROS\/Building+Your+First+Firewall IPv4 firewall Protect the router itself work with new connections to decrease load on a<\/p>\n","protected":false},"author":1,"featured_media":1041,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_uf_show_specific_survey":0,"_uf_disable_surveys":false,"footnotes":""},"categories":[11],"tags":[32,33],"_links":{"self":[{"href":"https:\/\/www.tinone71.com\/wp\/index.php?rest_route=\/wp\/v2\/posts\/1030"}],"collection":[{"href":"https:\/\/www.tinone71.com\/wp\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.tinone71.com\/wp\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.tinone71.com\/wp\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.tinone71.com\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1030"}],"version-history":[{"count":6,"href":"https:\/\/www.tinone71.com\/wp\/index.php?rest_route=\/wp\/v2\/posts\/1030\/revisions"}],"predecessor-version":[{"id":1040,"href":"https:\/\/www.tinone71.com\/wp\/index.php?rest_route=\/wp\/v2\/posts\/1030\/revisions\/1040"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.tinone71.com\/wp\/index.php?rest_route=\/wp\/v2\/media\/1041"}],"wp:attachment":[{"href":"https:\/\/www.tinone71.com\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1030"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.tinone71.com\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1030"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.tinone71.com\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1030"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}