This is deployed on MikroTik RouterOS v6 stable.
So I referenced from MikroTik's new 2020 dated documentation domain/site and built the IPv4 and IPv6 firewall from scratch + I also read up on some RFCs (IPv4 only as of now with some general idea on IPv6 as it's too complex for me at the present) and build the firewall which I believe is fully IETF complaint and matches with 2021 current networking practices.
Also, I took advantage of the "Firewall RAW" feature offered on MikroTik. I excluded ICMP from RAW filtering as it's
- Already rate limited at the kernel level
- Already filtering it directly in the firewall filters section
- But if this isn't CPU efficient or a bad firewall design, I'd like to know. Should I remove it from firewall filters and directly process ICMP in the RAW section?
- Note I'm not black-holing ICMP. Just specific types.
MikroTik sources:
- https://help.mikrotik.com/docs/display/ROS/Building+Your+First+Firewall
- https://help.mikrotik.com/docs/display/ROS/Building+Advanced+Firewall
TL;DR I'd like some expert opinion on the overall firewall-config plus my ICMP "RAW vs Filter" concern above to ensure it's as per current best networking practices.
Neatly commented/formatted each rule to explain their purpose including disabled rules.
IPv4 firewall
/ip firewall filter add action=accept chain=input comment "defconf: accept established,related,untracked" connection-state established,related,untracked add action=drop chain=input comment="defconf: drop invalid" connection-state invalid add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp add action=drop chain=input comment "defconf: drop all not coming from LAN's interface list/subnets" in-interface-list=!LAN add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec add action=accept chain=forward comment "defconf: accept established,related, untracked" connection-state established,related,untracked add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid add action=drop chain=forward comment "Drop tries to reach not public addresses from LAN" dst-address-list not_in_internet in-interface-list=LAN out-interface-list=WAN add action=drop chain=forward comment "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN add action=jump chain=forward comment="jump to ICMP filters" jump-target=icmp protocol=icmp add action=drop chain=forward comment "Drop incoming from internet which is not public IP" in-interface-list WAN src-address-list=not_in_internet add action=drop chain=forward comment "Drop packets from LAN that do not have LAN IP" in-interface-list=LAN src-address-list=!lan_subnets add action=accept chain=icmp comment="echo reply" icmp-options=0:0 protocol icmp add action=accept chain=icmp comment="net unreachable" icmp-options=3:0 protocol=icmp add action=accept chain=icmp comment="host unreachable" icmp-options=3:1 protocol=icmp add action=accept chain=icmp comment "host unreachable fragmentation required" icmp-options=3:4 protocol=icmp add action=accept chain=icmp comment="allow echo request" icmp-options=8:0 protocol=icmp add action=accept chain=icmp comment="allow time exceed" icmp-options=11:0 protocol=icmp add action=accept chain=icmp comment="allow parameter bad" icmp-options=12:0 protocol=icmp add action=drop chain=icmp comment="deny all other types" add action=jump chain=forward comment="Jump to DDoS detection" connection-state=new in-interface-list=WAN jump-target=detect-ddos add action=return chain=detect-ddos dst-limit=32,32,src-and-dst-addresses/10s add action=return chain=detect-ddos dst-limit=32,32,src-and-dst-addresses/10s protocol=tcp tcp-flags=syn,ack add action=add-dst-to-address-list address-list=ddos-targets address-list-timeout=10m chain=detect-ddos add action=add-src-to-address-list address-list=ddos-attackers address-list-timeout=10m chain=detect-ddos /ip firewall raw add action=drop chain=prerouting dst-address-list=ddos-targets src-address-list=ddos-attackers add action=accept chain=prerouting comment "defconf: enable for transparent firewall" disabled=yes add action=accept chain=prerouting comment="defconf: accept DHCP discover" dst-address=255.255.255.255 dst-port=67 in-interface-list=LAN protocol udp src-address=0.0.0.0 src-port=68 add action=drop chain=prerouting comment="defconf: drop bad src IPs" src-address-list=bad_ipv4 add action=drop chain=prerouting comment="defconf: drop bad dst IPs" dst-address-list=bad_ipv4 add action=drop chain=prerouting comment="defconf: drop bad src IPs" src-address-list=bad_src_ipv4 add action=drop chain=prerouting comment="defconf: drop bad dst IPs" dst-address-list=bad_dst_ipv4 add action=drop chain=prerouting comment="defconf: drop non global from WAN" in-interface-list=WAN src-address-list=not_in_internet add action=drop chain=prerouting comment "defconf: drop forward to local lan from WAN" dst-address-list lan_subnets in-interface-list=WAN add action=drop chain=prerouting comment "defconf: drop local if not from default IP range" in-interface-list=LAN src-address-list=!lan_subnets add action=drop chain=prerouting comment="defconf: drop bad UDP" port=0 protocol=udp add action=jump chain=prerouting comment="defconf: jump to TCP chain" jump-target=bad_tcp protocol=tcp add action=accept chain=prerouting comment "defconf: accept everything else from LAN" in-interface-list=LAN add action=accept chain=prerouting comment "defconf: accept everything else from WAN" in-interface-list=WAN add action=drop chain=prerouting comment="defconf: drop the rest" add action=drop chain=bad_tcp comment="defconf: TCP flag filter" protocol=tcp tcp-flags=!fin,!syn,!rst,!ack add action=drop chain=bad_tcp comment="defconf: TCP flag filter" protocol=tcp tcp-flags=fin,syn add action=drop chain=bad_tcp comment="defconf: TCP flag filter" protocol=tcp tcp-flags=fin,rst add action=drop chain=bad_tcp comment="defconf: TCP flag filter" protocol=tcp tcp-flags=fin,!ack add action=drop chain=bad_tcp comment="defconf: TCP flag filter" protocol=tcp tcp-flags=fin,urg add action=drop chain=bad_tcp comment="defconf: TCP flag filter" protocol=tcp tcp-flags=syn,rst add action=drop chain=bad_tcp comment="defconf: TCP flag filter" protocol=tcp tcp-flags=rst,urg add action=drop chain=bad_tcp comment="defconf: TCP port 0 drop" port=0 protocol=tcp /ip firewall address-list add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet #Disabled as my ISP uses this very subnet on their access concentrator add address=10.0.0.0/8 comment=RFC6890 disabled=yes list=not_in_internet add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet add address=224.0.0.0/4 comment=Multicast list=not_in_internet add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=not_in_internet add address=255.255.255.255 comment=RFC6890 list=not_in_internet add list=ddos-attackers add list=ddos-targets #My LAN subnets add address=192.168.80.0/24 comment="LAN subnets" list=lan_subnets add address=192.168.81.0/30 comment="LAN subnets" list=lan_subnets add address=192.168.82.0/31 comment="LAN subnets" list=lan_subnets add address=127.0.0.0/8 comment="RAW Filtering - RFC6890" list=bad_ipv4 add address=192.0.0.0/24 comment="RAW Filtering - RFC6890" list=bad_ipv4 add address=192.0.2.0/24 comment="RAW Filtering - RFC6890 documentation" list=bad_ipv4 add address=198.51.100.0/24 comment="RAW Filtering - RFC6890 documentation" list=bad_ipv4 add address=203.0.113.0/24 comment="RAW Filtering - RFC6890 documentation" list=bad_ipv4 add address=240.0.0.0/4 comment="RAW Filtering - RFC6890 reserved" list=bad_ipv4 #Disabled as I do use Multicast routing services add address=224.0.0.0/4 comment="RAW Filtering - multicast" disabled=yes list=bad_src_ipv4 add address=255.255.255.255 comment="RAW Filtering - RFC6890" list=bad_src_ipv4 add address=0.0.0.0/8 comment="RAW Filtering - RFC6890" list=bad_dst_ipv4 #Disabled as I do use Multicast routing services add address=224.0.0.0/4 comment="RAW Filtering - RFC6890" disabled=yes list=bad_dst_ipv4
IPv6 firewall
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6 add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10 add action=drop chain=input comment=dropLocalLink_from_public in-interface=pppoe-out1 src-address=fe80::/16 add action=accept chain=input comment="allow allowed addresses" src-address-list=allowed add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6 add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6 add action=drop chain=forward comment="defconf: drop bad forward IPs" src-address-list=no_forward_ipv6 add action=drop chain=forward comment="defconf: drop bad forward IPs" dst-address-list=no_forward_ipv6 add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6 add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6 add action=accept chain=forward comment="local clients to public" in-interface=!pppoe-out1 src-address-list=allowed add action=accept chain=forward comment="defconf: accept HIP" protocol=139 add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN /ipv6 firewall raw add action=accept chain=prerouting comment="defconf: enable for transparent firewall" disabled=yes add action=drop chain=prerouting comment="defconf: drop bad src IPs" src-address-list=bad_ipv6 add action=drop chain=prerouting comment="defconf: drop bad dst IPs" dst-address-list=bad_ipv6 add action=drop chain=prerouting comment="defconf: drop packets with bad src ipv6" src-address-list=bad_src_ipv6 add action=drop chain=prerouting comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_dst_ipv6 add action=drop chain=prerouting comment="defconf: drop non global from WAN" in-interface-list=WAN src-address-list=not_global_ipv6 add action=accept chain=prerouting comment="defconf: accept local multicast scope" dst-address=ff02::/16 add action=drop chain=prerouting comment="defconf: drop other multicast destinations" dst-address=ff00::/8 add action=accept chain=prerouting comment="defconf: accept everything else from WAN" in-interface-list=WAN add action=accept chain=prerouting comment="defconf: accept everything else from LAN" in-interface-list=LAN add action=drop chain=prerouting comment="defconf: drop the rest" /ipv6 firewall address-list add address=::/128 comment="defconf: unspecified address" list=bad_ipv6 add address=::1/128 comment="defconf: lo" list=bad_ipv6 add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6 add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6 add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6 add address=100::/64 comment="defconf: discard only " list=bad_ipv6 add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6 add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6 add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6 add address=::224.0.0.0/100 comment="defconf: other" list=bad_ipv6 add address=::127.0.0.0/104 comment="defconf: other" list=bad_ipv6 add address=::/104 comment="defconf: other" list=bad_ipv6 add address=::255.0.0.0/104 comment="defconf: other" list=bad_ipv6 add address=fd12:672e:6f65:8899::/64 list=allowed add address=fe80::/16 list=allowed add address=ff02::/16 comment=multicast list=allowed add address=2001::/23 comment="defconf: RFC6890" list=bad_ipv6 add address=100::/64 comment="RAW Filtering - RFC6890 Discard-only" list=not_global_ipv6 add address=2001::/32 comment="RAW Filtering - RFC6890 TEREDO" list=not_global_ipv6 add address=2001:2::/48 comment="RAW Filtering - RFC6890 Benchmark" list=not_global_ipv6 add address=fc00::/7 comment="RAW Filtering - RFC6890 Unique-Local" list=not_global_ipv6 add address=::/128 comment="RAW Filtering" list=bad_src_ipv6 add address=ff00::/8 comment="RAW Filtering" list=bad_src_ipv6 add address=::/128 comment="RAW Filtering" list=bad_dst_ipv6 add address=fe80::/10 comment="defconf: RFC6890 Linked-Scoped Unicast" list=no_forward_ipv6 add address=ff00::/8 comment="defconf: multicast" list=no_forward_ipv6
No comments:
Post a Comment