Basics of MikroTik Firewall



What is a Firewall?
A firewall is a device whose function is to examine data packets and determine which of them may enter or leave a network. With this capability, a firewall plays a role in protecting the network from attacks originating outside it. The firewall implements packet filtering and thereby provides security functions that are used to manage data flowing to, from and through the router. For example, the firewall protects the local network (LAN) from possible attacks coming from the Internet. Besides protecting the network, a firewall can also be used to protect an individual computer or host (a host firewall).

Firewalls are used as a means to prevent or minimize the security risks inherent in connecting to other networks. A well-configured firewall plays an important role in an efficient and secure network infrastructure. MikroTik RouterOS has a very powerful firewall implementation, with features including:
  • Stateful packet inspection
  • Layer-7 protocol detection
  • Peer-to-peer protocol filtering
  • Traffic classification by:
      • source MAC address
      • IP addresses (network or list) and address types (broadcast, local, multicast, unicast)
      • port or port range
      • IP protocols
      • protocol options (ICMP type and code fields, TCP flags, IP options and MSS)
      • interface the packet arrived from or left through
      • internal flow and connection marks
      • DSCP byte
      • packet content
      • rate at which packets arrive and sequence numbers
      • packet size
      • packet arrival time
      • etc.

You can access the MikroTik firewall via Winbox through the menu IP -> Firewall.

Chains in the MikroTik Firewall
Firewalls operate based on firewall rules. Each rule consists of two parts - a matcher that matches the traffic flow against given conditions, and an action that defines what should be done with the matched packet. Firewall filtering rules are grouped together in chains. This allows packets to be matched against one common criterion in one chain, and then passed over to another chain for processing against some other common criteria.

For example, a packet must be matched against an IP address:port pair. Of course, this could be achieved by adding a rule for each matching IP address:port pair to the forward chain. But a better way is to add one rule that matches traffic from a particular IP address and jumps to another chain, for example:

/ip firewall filter add chain=forward src-address=1.1.1.2/32 action=jump jump-target="mychain"

There are three predefined chains on MikroTik RouterOS:
1. Input - used to process packets entering the router through one of the interfaces where the destination IP address is one of the router's addresses. The input chain allows you to restrict access to the configuration of the MikroTik router.

2. Forward - used to process the data packets passing through the router.

3. Output - used to process the data packets coming from the router and leaving through one of the interfaces.

When a chain is processed, its rules are taken from the chain list in order and evaluated from top to bottom. If the packet matches the criteria of a rule, that rule's action is performed on it and no more rules are processed in the chain. If the packet does not match any of the rules in the chain, the packet is accepted.

Connection State (Status of data packets passing through the router)
  • Invalid: the packet does not belong to any connection; it is useless.
  • New: a packet that opens a connection (the first packet of a connection).
  • Established: a packet that continues a connection opened by a packet with the new state.
  • Related: a packet that opens a new connection that is still related to some previous connection.

Firewall Filter Actions in MikroTik RouterOS
In the MikroTik firewall configuration there are several action options, including:
  • Accept: the packet is accepted and no further rules are read
  • Drop: reject the packet silently (do not send an ICMP rejection message)
  • Reject: reject the packet and send an ICMP rejection message
  • Jump: jump to another chain specified by the value of the jump-target parameter
  • Tarpit: refuse, but still keep the incoming TCP connection (reply with a SYN/ACK to the incoming TCP SYN packet)
  • Passthrough: ignore the rule and go to the next rule
  • Log: add information about the data packet to the log
 

Example of Firewall Usage on MikroTik Router
Let's say that our private network is 192.168.0.0/24 and the public (WAN) interface is ether1. We will set the firewall to allow connections to the router itself only from the local network and drop the rest. We will also allow the ICMP protocol on any interface so that anyone on the Internet can ping our router. Here are the commands:

/ip firewall filter
add chain=input connection-state=invalid action=drop \
 comment="Drop Invalid connections"  
add chain=input connection-state=established action=accept \
 comment="Allow Established connections"  
add chain=input protocol=icmp action=accept \
 comment="Allow ICMP" 
add chain=input src-address=192.168.0.0/24 action=accept \
 in-interface=!ether1 
add chain=input action=drop comment="Drop all"
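
To see how the top-to-bottom, first-match processing described earlier applies to this rule set, the following added example (not part of the original article and not RouterOS code) models the five input rules in Python and evaluates a few constructed packets against them. The function names, the packet dictionary layout and the interface name ether2 are assumptions made for the illustration, and only the matchers used in the commands above are modelled.

```python
import ipaddress

# Model of the input chain above. Each rule is (matchers, action);
# a leading "!" negates the match, as in in-interface=!ether1.
INPUT_CHAIN = [
    ({"connection_state": "invalid"}, "drop"),
    ({"connection_state": "established"}, "accept"),
    ({"protocol": "icmp"}, "accept"),
    ({"src_address": "192.168.0.0/24", "in_interface": "!ether1"}, "accept"),
    ({}, "drop"),  # "Drop all": a rule without matchers matches every packet
]

def matches(matchers, pkt):
    """Return True only if every matcher of the rule agrees with the packet."""
    for key, want in matchers.items():
        have = pkt[key]
        if key == "src_address":
            if ipaddress.ip_address(have) not in ipaddress.ip_network(want):
                return False
        elif want.startswith("!"):
            if have == want[1:]:
                return False
        elif have != want:
            return False
    return True

def evaluate(chain, pkt):
    """Walk the chain top to bottom; the first matching rule decides.
    Returns (action, rule_index); a packet matching no rule is accepted."""
    for index, (matchers, action) in enumerate(chain):
        if matches(matchers, pkt):
            return action, index
    return "accept", None

def packet(src, iface, proto="tcp", state="new"):
    """Build a constructed sample packet (hypothetical layout)."""
    return {"src_address": src, "in_interface": iface,
            "protocol": proto, "connection_state": state}

if __name__ == "__main__":
    samples = [packet("192.168.0.10", "ether2"),        # LAN host reaching the router
               packet("203.0.113.7", "ether1"),         # new TCP connection from WAN
               packet("203.0.113.7", "ether1", "icmp"), # ping from WAN
               packet("192.168.0.10", "ether1")]        # LAN source address seen on WAN
    for p in samples:
        print(p["src_address"], p["in_interface"], p["protocol"],
              evaluate(INPUT_CHAIN, p))
    # Without the final rule, the WAN packet matches nothing and is accepted.
    print(evaluate(INPUT_CHAIN[:-1], samples[1]))
```

The last line shows why the closing "Drop all" rule matters: with it removed, a packet that matches none of the rules is accepted.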
