Some of the verbs, such as "established", sound familiar from the days I used to work with Cisco access lists and Checkpoint firewall; the "new" command wasn't known to me.
The firewall filters in a MikroTik (and on Linux in general) are far more advanced than the simple access lists in a Cisco router. On a Cisco router you generally just have static rules that allow, e.g., traffic incoming on some ports (there are some exceptions, e.g. "reflexive" access lists).
On a MikroTik or Linux system there is a table of open connections (you can see it on a separate tab in the MikroTik router), and you can easily allow all traffic belonging to existing open connections. This means you don't need to do anything to allow replies to outgoing connections, other than having a rule that allows "established, related" in all directions and a rule that allows "new" in the outgoing direction (or just a rule that allows everything in the outgoing direction).
To allow some things in the incoming direction (e.g. outside access to your IPIP tunnel), you only need to allow some new traffic matching a certain pattern. Once the connection completes, it will be in the connection table and again it will be matched by the "established, related" rule, which you normally put at the top so it is matched first.
The checkpoint firewall of course also offers such features.
In the default configuration, the MikroTik is delivered with some rules that allow "established, related", block other traffic incoming on ether1 (normally the internet port), and allow everything else.
I don't like that, because once you add a new interface that faces outside (like a tunnel), the default will be to allow new connections and thus it is possible to exploit the services on the router.
Therefore I always replace such settings with a rule that allows "established, related", then one or more rules that allow "new" only from interfaces that I know are on the inside (trusted) side, then a rule that drops everything. So a new interface is always untrusted by default until a new rule is added.
Make sure that when you modify the firewall you always do it in such a sequence that you do not lock yourself out, because you added the "drop" rule before the correct "accept" rules, for example. A way to avoid that is to click the "safe mode" button in the menu on the left, then make all your changes to the firewall and check that you can still navigate around the user interface (open the quick start page, for example), and when everything is OK click the "safe mode" button again so it pops back out.
When you lose connectivity to the router while safe mode is active, all changes you made after clicking it will be rolled back and you will have access again! When you reset safe mode, the changes are committed and you can log off without losing them.
(Note that there is no separate "running" config and "saved" config; everything you change is always saved immediately. So a mistake cannot be corrected by power-cycling the router, as with a Cisco.)
Rob
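The rule order Rob describes (accept "established, related" first, accept "new" only from interfaces known to be trusted, drop the rest), written out as a RouterOS firewall script. This is an added example, not Rob's own configuration or anything posted to the list: the interface names (ether1 as the internet port, ether2 as the trusted LAN) and the IPIP rule that terminates a tunnel on ether1 are assumptions, and the forward chain (traffic routed through the router rather than addressed to it) is given the same treatment as the input chain.

```routeros
/ip firewall filter
# Added example, not from the list thread. Assumes ether1 faces the internet
# and ether2 is the trusted inside LAN; change these to your own interfaces.
# Rules are evaluated top to bottom and the first match wins, so order matters.

# 1. Replies to connections already in the connection table. Put first so that
#    the bulk of traffic is matched here and never reaches the rules below.
add chain=input action=accept connection-state=established,related comment="replies to connections the router opened or accepted"
add chain=forward action=accept connection-state=established,related comment="replies to connections passing through the router"

# 2. New connections TO the router (input chain): only from the trusted side.
#    Any interface not listed here, including one added later, stays untrusted.
add chain=input action=accept connection-state=new in-interface=ether2 comment="new connections from the trusted LAN"

# 3. Specific outside access you deliberately want, e.g. the IPIP tunnel endpoint.
#    Assumption: the tunnel terminates on the public address of ether1.
add chain=input action=accept protocol=ipip in-interface=ether1 comment="IPIP tunnel from the outside"

# 4. New connections THROUGH the router (forward chain): only when they start
#    on the trusted side; the reply packets are then handled by rule 1.
add chain=forward action=accept connection-state=new in-interface=ether2 comment="LAN clients may open connections to anywhere"

# 5. Everything else is dropped. These two rules must stay LAST: adding them
#    before the accept rules above is the mistake that locks you out.
add chain=input action=drop comment="default deny: untrusted until a rule says otherwise"
add chain=forward action=drop comment="default deny for transit traffic"

# The output chain is left at its default (accept), which is the "allow
# everything in the outgoing direction" variant Rob mentions.
```

Pasting these commands with Safe Mode engaged, as Rob recommends, means that if rule 5 is mis-ordered and the session drops, the router rolls the whole set back instead of leaving you locked out. Rule 4 is what makes a tunnel interface added later "untrusted by default": transit traffic from it is only ever matched by the established/related rule, never by a rule that accepts "new".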
Dear Rob,

Thank you for the brief explanation. Yes, the syntax of the MikroTik is totally different from what I'm used to. Also, the MikroTik is not popular here; I had a hard time finding stores that sell it and I think I'm the only amateur who uses it here. The help that comes with the web interface is not so explanatory. Do you know where I can find more explanation of the commands (such as the explanation you gave me about established, new and related)? And while we are talking about explanations, what is the forward chain? In and out I can understand, but forward? And also there are a lot of commands in the action that I don't understand besides reject, drop and accept. Where can I find a description?

Thanks in advance,
Ronen - 4Z4ZQ
http://www.ronen.org
________________________________________
From: 44Net <44net-bounces+ronenp=hotmail.com@hamradio.ucsd.edu> on behalf of Rob Janssen <pe1chl@amsat.org>
Sent: Friday, April 8, 2016 11:13 AM
To: 44net@hamradio.ucsd.edu
Subject: Re: [44net] firewall rules at AMPR.ORG router ?
(Please trim inclusions from previous messages) _______________________________________________
Hello Ronen,
MikroTik is more of a boutique-type router: very powerful, inexpensive, etc., but not a mainstream enterprise solution. You could say the same of Vyatta, OpenWRT, etc. Anyway, many of the concepts that MikroTik's firewall uses are Linux terms. Per my previous email, there are a LOT of Linux URLs, commercially written books, etc. on the topic, so you should start reading those materials.
--David KI6ZHD
On 04/08/2016 11:50 AM, R P wrote:
44Net mailing list 44Net@hamradio.ucsd.edu http://hamradio.ucsd.edu/mailman/listinfo/44net
This is a good starting diagram:
http://wiki.mikrotik.com/images/6/67/PacketFlowDiagram_v6_a.svg
-----Original Message-----
From: R P
Sent: Friday, April 08, 2016 21:50
To: AMPRNet working group
Subject: Re: [44net] firewall rules at AMPR.ORG router ?
...
The help that comes with the web interface is not so explanatory. Do you know where I can find more explanation of the commands (such as the explanation you gave me about established, new and related)? And while we are talking about explanations, what is the forward chain? In and out I can understand, but forward?