You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 29 Next »

Introduction

The firewall implements stateful (by utilizing connection tracking) and stateless packet filtering and thereby provides security functions that are used to manage data flow to, from and through the router. Along with the Network Address Translation (NAT), it serves as a tool for preventing unauthorized access to directly attached networks and the router itself as well as a filter for outgoing traffic.

  • Insert basic image(diagram) about firewall 

Network firewalls keep outside threats away from sensitive data available inside the network. Whenever different networks are joined together, there is always a threat that someone from outside of your network will break into your LAN. Such break-ins may result in private data being stolen and distributed, valuable data being altered or destroyed, or entire hard drives being erased. Firewalls are used as a means of preventing or minimizing the security risks inherent in connecting to other networks. Properly configured firewall plays a key role in efficient and secure network infrastructure deployment.

MikroTik RouterOS has very powerful firewall implementation with features including:

  • stateful packet inspection
  • Layer-7 protocol detection
  • peer-to-peer protocols filtering
  • traffic classification by:
    • source MAC address
    • IP addresses (network or list) and address types (broadcast, local, multicast, unicast)
    • port or port range
    • IP protocols
    • protocol options (ICMP type and code fields, TCP flags, IP options, and MSS)
    • interface the packet arrived from or left through
    • internal flow and connection marks
    • DSCP byte
    • packet content
    • rate at which packets arrive and sequence numbers
    • packet size
    • packet arrival time
  • and much more!

How It works

The firewall operates by means of firewall rules. Each rule consists of two parts - the matcher which matches traffic flow against given conditions and the action which defines what to do with the matched packet.

RouterOS utilizes 4 sub-facilities of the firewall:

  • Connection tracking
  • Filters
  • NAT
  • Mangle
  • RAW

Connection Tracking

Connection tracking allows the kernel to keep track of all logical network connections or sessions, and thereby relate all of the packets which may make up that connection. NAT relies on this information to translate all related packets in the same way. Because of connection tracking, you can use stateful firewall functionality even with stateless protocols such as UDP.

List of tracked connections can be seen in /ip firewall connection for ipv4 and /ipv6 firewall connection for IPv6.

    [admin@MirkoTik] /ip firewall connection> print
    Flags: S - seen-reply, A - assured
    #    PR.. SRC-ADDRESS           DST-ADDRESS           TCP-STATE   TIMEOUT
    0    udp  10.5.8.176:5678       255.255.255.255:5678              0s
    1    udp  10.5.101.3:646        224.0.0.2:646                     5s
    2    ospf 10.5.101.161          224.0.0.5                         9m58s
    3    udp  10.5.8.140:5678       255.255.255.255:5678              8s
    4 SA tcp  10.5.101.147:48984    10.5.101.1:8291       established 4m59s
  
    [admin@MirkoTik] /ipv6 firewall connection> print
    Flags: S - seen reply, A - assured
    #    PRO.. SRC-ADDRESS                 DST-ADDRESS                 TCP-STATE
    0    udp   fe80::d6ca:6dff:fe77:3698   ff02::1
    1    udp   fe80::d6ca:6dff:fe98:7c28   ff02::1
    2    ospf  fe80::d6ca:6dff:fe73:9822   ff02::5

Based on connection table entries arrived packet can get assigned one of the connection states: new, invalid, established, related or untracked.

There are two different methods when packet is considered new. The first one is in case of stateless connections (like UDP) when there is no connection entry in the connection table. The other one is in case of stateful protocol (TCP). In this case new packet that starts new connection is always TCP packet with SYN flag.

If packet is not new it can belong to either established or related connection or not to belong to any connection making it invalid. Packet with Established state, as most of you already guessed, belongs to an existing connection form the connection tracking table. Related state is very similar, except that packet belongs to connection which is related to one of existing connections, for example, ICMP error packets or FTP data connection packets.

Connection state notrack is special case when RAW firewall rules are used to exclude connection from connection tracking.

Any other packet is considered invalid and in most cases should be dropped.

Based on this information we can set basic set of filter rules to speed up packet filtering and reduce the load on CPU by accepting established/related packets, dropping invalid packets and working on more detailed filtering only for new packets.
?

1
2
3
4
5

/ip firewall filter
add chain=input connection-state=invalid action=drop \
  comment="Drop Invalid connections"
add chain=input connection-state=established,related,untracked action=accept \
  comment="Allow Established/Related/Untracked connections"



Warning! Such rule set must not be applied on routers with asymmetric routing, because asymmetrically routed packets may be considered invalid and dropped.

Firewall features affected by connection tracking:

  • NAT
  • filters and mangle:
    • connection-bytes
    • connection-mark
    • connection-type
    • connection-state
    • connection-limit
    • connection-rate
    • layer7-protocol
    • p2p
    • new-connection-mark
    • tarpit
  • p2p matching in simple queues


Filters

Firewall filters are used to allow or block specific packets forwarded to your local network, originated from your router or destined to the router.

There are two methods how to set up filtering:

  • allow specific traffic and drop everything else
  • drop only malicious traffic, everything else is allowed.


Both methods have pros and cons, for example, from security point of view first method is much more secure, but requires administrator input whenever traffic for new service need to be accepted. This strategy provides good control over the traffic and reduces the possibility of a breach because of service misconfiguration.

On the other hand when securing customer network it would be administration nightmare to accept all possible services that user may use. Therefore careful planning of the firewall is essential in advanced setups.

Lets look at basic firewall setup to protect the router. By default RouterOS firewall accepts everything, blocking is achieved by adding filter rule to drop everything at the end of rule set. For out router we want to allow only icmp, ssh and winbox and drop the rest:
?

1
2
3
4
5
6
7
8
9
10

/ip firewall filter
add chain=input connection-state=invalid action=drop \
  comment="Drop Invalid connections"
add chain=input connection-state=established,related,untracked action=accept \
  comment="Allow Established/Related/Untracked connections"
add chain=input protocol=icmp action=accept \
  comment="Allow ICMP"
add chain=input protocol=tcp ports=8291,22 action=accept \
  comment="Allow Winbox and SSH"
add chain=input action=drop comment="Drop everything else"

RouterOS also allows to filter packets before connection tracking and selectively send only specific traffic to connection tracking. This allows to significantly reduce the load on CPU and mitigate DOS attacks. Configuration of such rules is done in RAW filtering table.

Network Address Translation (NAT)

Network Address Translation is an Internet standard that allows hosts on local area networks to use one set of IP addresses for internal communications and another set of IP addresses for external communications. A LAN that uses NAT is referred as natted network. For NAT to function, there should be a NAT gateway in each natted network. The NAT gateway (NAT router) performs IP address rewriting on the way a packet travel from/to LAN.

Nat matches only first packet of the connection, connection tracking remembers the action and performs on all other packets belonging to the same connection.
Warning! Whenever NAT rules are changed or added, connection tracking table should be cleared otherwise NAT rules may seem to be not functioning correctly until connection entry expires.

There are two types of NAT:

  • source NAT or srcnat. This type of NAT is performed on packets that are originated from a natted network. A NAT router replaces the private source address of an IP packet with a new public IP address as it travels through the router. A reverse operation is applied to the reply packets travelling in the other direction.
  • destination NAT or dstnat. This type of NAT is performed on packets that are destined to the natted network. It is most commonly used to make hosts on a private network to be accessible from the Internet. A NAT router performing dstnat replaces the destination IP address of an IP packet as it travel through the router towards a private network.


For example, basic rule to hide (masquerade) local networks behind one public IP:
?

1

/ip firewall nat add chain=srcnat action=masquerade out-interface=Public

As you can see from example, we are using srcnat chain because we want to manipulate the source information. By specifying out interface we ensure that source will be modified only for those packets that leave specific interface, in out case it is interface named "Public", and the last action is to masquerade - change source address of the packet to global address configured on "Public" interface.
Note: If public interface has more than one IP address then masquerade may pick address that you do not want to, in this case action should be changed to src-nat.



?

1

/ip firewall nat add chain=srcnat action=src-nat to-address=1.1.1.1 out-interface=Public

NAT action masquerade is unique subversion of srcnat. It was designed for specific use in situaions when public IP can randomly change, for example, DHCP server chage assigned IP or PPPoE tunnel after disconnect gets different IP, in short - when public IP is dynamic.

Every time when interface disconnects and/or its IP address change, router will clear all masqueraded connection tracking entries related to the interface, this way improving system recovery time after public IP change.

Unfortunately this can lead to some issues with unstable links when connection gets routed over different link after primary link goes down. In such scenario following things can happen:

  • on disconnect, all related connection tracking entries are purged;
  • next packet from every purged (previously masqueraded) connection will come into firewall as new, and, if primary interface is not back, packet will be routed out via alternative route (if you have any) thus creating new masqueraded connection;
  • primary link comes back, routing is restored over primary link, so packets that belong to existing connections are sent over primary interface without being masqueraded, that way leaking local IPs to a public network.


To workaround this situation blackhole route can be created as alternative to route that might disappear on disconnect.

If srcnat is used instead of masquerade, connection tracking entries remain and connections can simply resume after link failure.

Hosts behind a NAT-enabled router do not have true end-to-end connectivity. Therefore some Internet protocols might not work in scenarios with NAT. Services that require the initiation of TCP connection from outside the private network or stateless protocols such as UDP, can be disrupted. Moreover, some protocols are inherently incompatible with NAT, a bold example is AH protocol from the IPsec suite.

To overcome these limitations RouterOS includes a number of so-called NAT helpers, that enable NAT traversal for various protocols.

Lets see an opposite example where we want to change destination address or perform port mapping.
?

1
2

/ip firewall nat
  add chain=dstnat dst-port=1234 action=dst-nat protocol=tcp to-address=192.168.88.2 to-port=12340

What this rule does is, when an incoming connection requests TCP port 1234, it uses the dst-nat action and redirect it to local address 192.168.88.2 and the port 12340. In this example we chose to specify ports to illustrate how traffic can be mapped from one port to another. If you do not specify to-port parameter, then destination port inside the packet is not changed.

Mangle

Mangle is a kind of 'marker' that marks packets for future processing with special marks. Many other facilities in RouterOS make use of these marks, e.g. queue trees, NAT, routing. They identify a packet based on its mark and process it accordingly. The mangle marks exist only within the router, they are not transmitted across the network.

Additionally, the mangle facility is used to modify some fields in the IP header, like TOS (DSCP) and TTL fields.

Firewall Chains

Firewall rules are grouped together in chains. It allows a packet to be matched against one common criterion in one chain, and then passed over for processing against some other common criteria to another chain. For example a packet should be matched against the IP address:port pair. Of course, it could be achieved by adding as many rules with IP address:port match as required to the forward chain, but a better way could be to add one rule that matches traffic from a particular IP address, e.g.: /ip firewall filter add src-address=1.1.1.2/32 jump-target="mychain" and in case of successful match passes control over the IP packet to some other chain, id est "mychain" in this example. Then rules that perform matching against separate ports can be added to "mychain" chain without specifying the IP addresses.

When processing a chain, rules are executed in the order from top to bottom. If a packet matches the criteria of the rule, then the specified action is performed on it, and no more rules are processed in that chain (the exception is specific actions that passes packet to next rule, for example, passthrough action). If a packet has not matched any rule within the chain, then it is accepted (in pre-defined chains) or jumped back to parent chain (in user defined chains).

There are several predefined chains, in every facility. Firewall filters and mangle has:

  • input - used to process packets entering the router through one of the interfaces with the destination IP address which is one of the router's addresses. Packets passing through the router are not processed against the rules of the input chain
  • forward - used to process packets passing through the router
  • output - used to process packets originated from the router and leaving it through one of the interfaces. Packets passing through the router are not processed against the rules of the output chain


Mangle in addition has:


  • prerouting - allows to match all packets that enter the router before routing decision is made;
  • postrouting - allows to match packets that leave the router after routing decision is made.



NAT, as it was mentioned previously, has two built in chains srcnat and dstnat.

To fully understand how and when each built-in chain is used, we will have to look at packet flow inside RouterOS.



  • No labels