Manual:IP/Firewall/Filter: Difference between revisions
m fix |
No edit summary |
||
(54 intermediate revisions by 11 users not shown) | |||
Line 1: | Line 1: | ||
<div class=manual> | |||
{{Warning|This manual is moved to https://help.mikrotik.com/docs/display/ROS/Filter}} | |||
==Summary== | ==Summary== | ||
Line 57: | Line 57: | ||
<p> | <p> | ||
When processing a chain, rules are taken from the chain in the order they are listed there from top to bottom. If a packet matches the criteria of the rule, then the specified action is performed on it, and no more rules are processed in that chain (the exception is the passthrough action). If a packet has not matched any rule within the chain, then it is accepted. | When processing a chain, rules are taken from the chain in the order they are listed there from top to bottom. If a packet matches the criteria of the rule, then the specified action is performed on it, and no more rules are processed in that chain (the exception is the passthrough action). If a packet has not matched any rule within the built-in chain, then it is accepted. | ||
</p> | </p> | ||
Line 75: | Line 75: | ||
<li> <var>add-src-to-address-list</var> - add source address to [[M:IP/Firewall/Address list | address list]] specified by <code>address-list</code> parameter | <li> <var>add-src-to-address-list</var> - add source address to [[M:IP/Firewall/Address list | address list]] specified by <code>address-list</code> parameter | ||
<li> <var>drop</var> - silently drop the packet | <li> <var>drop</var> - silently drop the packet | ||
<li> <var>fasttrack-connection</var> - process packets from a connection using FastPath by enabling [[Manual:IP/Fasttrack | FastTrack]] for the connection | |||
<li> <var>jump</var> - jump to the user defined chain specified by the value of <code>jump-target</code> parameter | <li> <var>jump</var> - jump to the user defined chain specified by the value of <code>jump-target</code> parameter | ||
<li> <var>log</var> - add a message to the system log containing following data: in-interface, out-interface, src-mac, protocol, src-ip:port->dst-ip:port and length of the packet. After packet is matched it is passed to next rule in the list, similar as <code>passthrough</code> | <li> <var>log</var> - add a message to the system log containing following data: in-interface, out-interface, src-mac, protocol, src-ip:port->dst-ip:port and length of the packet. After packet is matched it is passed to next rule in the list, similar as <code>passthrough</code> | ||
<li> <var>passthrough</var> - | <li> <var>passthrough</var> - if packet is matched by the rule, increase counter and go to next rule (useful for statistics) | ||
<li> <var>reject</var> - drop the packet and send an ICMP reject message | <li> <var>reject</var> - drop the packet and send an ICMP reject message | ||
<li> <var>return</var> - passes control back to the chain from where the jump took place | <li> <var>return</var> - passes control back to the chain from where the jump took place | ||
Line 85: | Line 86: | ||
</tr> | </tr> | ||
<tr> | <tr> | ||
<td><var><b>address-list</b></var> (<em> | <td><var><b>address-list-timeout</b></var> (<em>none-dynamic | none-static | time</em>; Default: <b>none-dynamic</b>)</td> | ||
<td> | <td>Time interval after which the address will be removed from the address list specified by <code>address-list</code> parameter. Used in conjunction with <code>add-dst-to-address-list</code> or <code>add-src-to-address-list</code> actions<br /> | ||
<ul class="bullets"> | |||
<li>Value of <var>none-dynamic</var> (<code>00:00:00</code>) will leave the address in the address list till reboot | |||
<li>Value of <var>none-static</var> will leave the address in the address list forever and will be included in configuration export/backup | |||
</ul></td> | |||
</tr> | </tr> | ||
<tr> | <tr> | ||
<td><var><b> | <tr> | ||
<td> | <td><var><b>chain</b></var> (<em>name</em>; Default: <b></b>)</td> | ||
<td>Specifies to which chain rule will be added. If the input does not match the name of an already defined chain, a new chain will be created. </td> | |||
</tr> | |||
<tr> | |||
<td><var><b>comment</b></var> (<em>string</em>; Default: <b></b>)</td> | |||
<td>Descriptive comment for the rule.</td> | |||
</tr> | </tr> | ||
<tr> | <tr> | ||
Line 107: | Line 116: | ||
<tr> | <tr> | ||
<td><var><b>connection-limit</b></var> (<em>integer,netmask</em>; Default: <b></b>)</td> | <td><var><b>connection-limit</b></var> (<em>integer,netmask</em>; Default: <b></b>)</td> | ||
<td> | <td>Matches connections per address or address block after given value is reached. Should be used together with connection-state=new and/or with tcp-flags=syn because matcher is very resource intensive.</td> | ||
</tr> | </tr> | ||
<tr> | <tr> | ||
Line 113: | Line 122: | ||
<td>Matches packets marked via mangle facility with particular connection mark. If <b>no-mark</b> is set, rule will match any unmarked connection.</td> | <td>Matches packets marked via mangle facility with particular connection mark. If <b>no-mark</b> is set, rule will match any unmarked connection.</td> | ||
</tr> | </tr> | ||
<tr> | |||
<td><var><b>connection-nat-state</b></var> (<em>srcnat | dstnat</em>; Default: <b></b>)</td> | |||
<td>Can match connections that are srcnatted, dstnatted or both. Note that connection-state=related connections connection-nat-state is determined by direction of the first packet. and if connection tracking needs to use dst-nat to deliver this connection to same hosts as main connection it will be in connection-nat-state=dstnat even if there are no dst-nat rules at all.</td> | |||
</tr> | |||
<tr> | <tr> | ||
<td><var><b>connection-rate</b></var> (<em>Integer 0..4294967295</em>; Default: <b></b>)</td> | <td><var><b>connection-rate</b></var> (<em>Integer 0..4294967295</em>; Default: <b></b>)</td> | ||
Line 118: | Line 134: | ||
</tr> | </tr> | ||
<tr> | <tr> | ||
<td><var><b>connection-state</b></var> (<em>estabilished | invalid | new | related</em>; Default: <b></b>)</td> | <td><var><b>connection-state</b></var> (<em>estabilished | invalid | new | related | untracked</em>; Default: <b></b>)</td> | ||
<td>Interprets the connection tracking analysis data for a particular packet: | <td>Interprets the connection tracking analysis data for a particular packet: | ||
<ul class="bullets"> | <ul class="bullets"> | ||
<li> <var>established</var> - a packet which belongs to an existing connection | <li> <var>established</var> - a packet which belongs to an existing connection | ||
<li> <var>invalid</var> - a packet | <li> <var>invalid</var> - a packet that does not have determined state in connection tracking (usually - severe out-of-order packets, packets with wrong sequence/ack number, or in case of resource overusage on router), for this reason invalid packet will not participate in NAT (as only connection-state=new packets do), and will still contain original source IP address when routed. We strongly suggest to drop all connection-state=invalid packets in firewall filter forward and input chains | ||
<li> <var>new</var> - | <li> <var>new</var> - the packet has started a new connection, or otherwise associated with a connection which has not seen packets in both directions. | ||
<li> <var>related</var> - a packet which is related to, but not part of an existing connection, such as ICMP errors or a packet which begins FTP data connection | <li> <var>related</var> - a packet which is related to, but not part of an existing connection, such as ICMP errors or a packet which begins FTP data connection | ||
<li> <var>untracked</var> - packet which was set to bypass connection tracking in firewall [[M:IP/Firewall/Raw | RAW]] tables. | |||
</ul> | </ul> | ||
</td> | </td> | ||
Line 160: | Line 177: | ||
</tr> | </tr> | ||
<tr> | <tr> | ||
<td><var><b>dst-limit</b></var> (<em>integer | <td><var><b>dst-limit</b></var> (<em>integer[/time],integer,dst-address | dst-port | src-address[/time]</em>; Default: <b></b>)</td> | ||
<td>Matches packets | <td>Matches packets until a given rate is exceeded. Rate is defined as packets per time interval. As opposed to the <var>limit</var> matcher, every flow has it's own limit. Flow is defined by mode parameter. Parameters are written in following format: <code>count[/time],burst,mode[/expire]</code>. | ||
<ul class="bullets"> | <ul class="bullets"> | ||
<li><b>count</b> - | <li><b>count</b> - packet count per time interval per flow to match | ||
<li><b>time</b> - specifies the time interval in which the packet | <li><b>time</b> - specifies the time interval in which the packet count per flow cannot be exceeded (optional, 1s will be used if not specified) | ||
<li><b>burst</b> - number of packets | <li><b>burst</b> - initial number of packets per flow to match: this number gets recharged by one every <code>time</code>/<code>count</code>, up to this number | ||
<li><b>mode</b> - | <li><b>mode</b> - this parameter specifies what unique fields define flow (src-address, dst-address, src-and-dst-address, dst-address-and-port, addresses-and-dst-port) | ||
<li><b>expire</b> - specifies interval after which | <li><b>expire</b> - specifies interval after which flow with no packets will be allowed to be deleted (optional) | ||
</ul> | </ul> | ||
</td> | </td> | ||
Line 181: | Line 198: | ||
<tr> | <tr> | ||
<td><var><b>hotspot</b></var> (<em>auth | from-client | http | local-dst | to-client</em>; Default: <b></b>)</td> | <td><var><b>hotspot</b></var> (<em>auth | from-client | http | local-dst | to-client</em>; Default: <b></b>)</td> | ||
<td></td> | <td>Matches packets received from HotSpot clients against various HotSpot matchers. | ||
<ul class="bullets"> | |||
<li><var>auth</var> - matches authenticted HotSpot client packets</li> | |||
<li><var>from-client</var> - matches packets that are coming from the HotSpot client</li> | |||
<li><var>http</var> - matches HTTP requests sent to the HotSpot server</li> | |||
<li><var>local-dst</var> - matches packets that are destined to the HotSpot server</li> | |||
<li><var>to-client</var> - matches packets that are sent to the HotSpot client</li> | |||
</ul> | |||
</td> | |||
</tr> | </tr> | ||
<tr> | <tr> | ||
<td><var><b>icmp-options</b></var> (<em>integer:integer</em>; Default: <b></b>)</td> | <td><var><b>icmp-options</b></var> (<em>integer:integer</em>; Default: <b></b>)</td> | ||
<td>Matches ICMP type:code | <td>Matches ICMP type:code fields</td> | ||
</tr> | </tr> | ||
<tr> | <tr> | ||
<td><var><b>in-bridge-port</b></var> (<em>name</em>; Default: <b></b>)</td> | <td><var><b>in-bridge-port</b></var> (<em>name</em>; Default: <b></b>)</td> | ||
<td>Actual interface the packet has entered the router, if incoming interface is bridge</td> | <td>Actual interface the packet has entered the router, if incoming interface is bridge. Works only if '''use-ip-firewall''' is enabled in bridge settings.</td> | ||
</tr> | |||
<tr> | |||
<td><var><b>in-bridge-port-list</b></var> (<em>name</em>; Default: <b></b>)</td> | |||
<td>Set of interfaces defined in [[M:Interface/List | interface list]]. Works the same as <var>in-bridge-port</var></td> | |||
</tr> | </tr> | ||
<tr> | <tr> | ||
<td><var><b>in-interface</b></var> (<em>name</em>; Default: <b></b>)</td> | <td><var><b>in-interface</b></var> (<em>name</em>; Default: <b></b>)</td> | ||
<td>Interface the packet has entered the router</td> | <td>Interface the packet has entered the router</td> | ||
</tr> | |||
<tr> | |||
<td><var><b>in-interface-list</b></var> (<em>name</em>; Default: <b></b>)</td> | |||
<td>Set of interfaces defined in [[M:Interface/List | interface list]]. Works the same as <var>in-interface</var></td> | |||
</tr> | </tr> | ||
<tr> | <tr> | ||
<td><var><b>ingress-priority</b></var> (<em>integer: 0..63</em>; Default: <b></b>)</td> | <td><var><b>ingress-priority</b></var> (<em>integer: 0..63</em>; Default: <b></b>)</td> | ||
<td>Matches | <td>Matches the priority of an ingress packet. Priority may be derived from VLAN, WMM, DSCP or MPLS EXP bit. [[WMM | read more»]]</td> | ||
</tr> | |||
<tr> | |||
<td><var><b>ipsec-policy</b></var> (<em>in | out, ipsec | none</em>; Default: <b></b>)</td> | |||
<td>Matches the policy used by IpSec. Value is written in following format: <code><b>direction, policy</b></code>. Direction is Used to select whether to match the policy used for decapsulation or the policy that will be used for encapsulation. | |||
<ul> | |||
<li><var>in</var> - valid in the PREROUTING, INPUT and FORWARD chains</li> | |||
<li><var>out</var> - valid in the POSTROUTING, OUTPUT and FORWARD chains</li> | |||
</ul> | |||
<ul> | |||
<li><var>ipsec</var> - matches if the packet is subject to IpSec processing;</li> | |||
<li><var>none</var> - matches packet that is not subject to IpSec processing (for example, IpSec transport packet).</li> | |||
</ul> | |||
<p>For example, if router receives Ipsec encapsulated Gre packet, then rule <code>ipsec-policy=in,ipsec</code> will match Gre packet, but rule <code>ipsec-policy=in,none</code> will match ESP packet.</p></td> | |||
</tr> | </tr> | ||
<tr> | <tr> | ||
<td><var><b>ipv4-options</b></var> (<em>any | loose-source-routing | no-record-route | no-router-alert | no-source-routing | no-timestamp | none | record-route | router-alert | strict-source-routing | timestamp</em>; Default: <b></b>)</td> | <td><var><b>ipv4-options</b></var> (<em>any | loose-source-routing | no-record-route | no-router-alert | no-source-routing | no-timestamp | none | record-route | router-alert | strict-source-routing | timestamp</em>; Default: <b></b>)</td> | ||
Line 226: | Line 276: | ||
<tr> | <tr> | ||
<td><var><b>limit</b></var> (<em>integer,time,integer</em>; Default: <b></b>)</td> | <td><var><b>limit</b></var> (<em>integer,time,integer</em>; Default: <b></b>)</td> | ||
<td>Matches packets | <td>Matches packets up to a limited rate (packet rate or bit rate). Rule using this matcher will match until this limit is reached. Parameters are written in following format: <code>count[/time],burst:mode</code>. | ||
<ul class="bullets"> | <ul class="bullets"> | ||
<li><b>count</b> - | <li><b>count</b> - packet or bit count per time interval to match | ||
<li><b>time</b> - specifies the time interval in which the packet | <li><b>time</b> - specifies the time interval in which the packet or bit count cannot be exceeded (optional, 1s will be used if not specified) | ||
<li><b>burst</b> - number of packets | <li><b>burst</b> - initial number of packets or bits to match: this number gets recharged every 10ms so burst should be at least 1/100 of rate per second | ||
<li><b>mode</b> - packet or bit mode | |||
</ul> | </ul> | ||
</td> | </td> | ||
Line 244: | Line 295: | ||
<tr> | <tr> | ||
<td><var><b>out-bridge-port</b></var> (<em>name</em>; Default: <b></b>)</td> | <td><var><b>out-bridge-port</b></var> (<em>name</em>; Default: <b></b>)</td> | ||
<td>Actual interface the packet is leaving the router, if outgoing interface is bridge</td> | <td>Actual interface the packet is leaving the router, if outgoing interface is bridge. Works only if '''use-ip-firewall''' is enabled in bridge settings.</td> | ||
</tr> | |||
<tr> | |||
<td><var><b>out-bridge-port-list</b></var> (<em>name</em>; Default: <b></b>)</td> | |||
<td>Set of interfaces defined in [[M:Interface/List | interface list]]. Works the same as <var>out-bridge-port</var></td> | |||
</tr> | </tr> | ||
<tr> | <tr> | ||
Line 251: | Line 306: | ||
</tr> | </tr> | ||
<tr> | <tr> | ||
<td><var><b> | <td><var><b>out-interface-list</b></var> (<em>name</em>; Default: <b></b>)</td> | ||
<td> | <td>Set of interfaces defined in [[M:Interface/List | interface list]]. Works the same as <var>out-interface</var></td> | ||
</tr> | </tr> | ||
<tr> | <tr> | ||
Line 269: | Line 324: | ||
<td><var><b>port</b></var> (<em>integer[-integer]: 0..65535</em>; Default: <b></b>)</td> | <td><var><b>port</b></var> (<em>integer[-integer]: 0..65535</em>; Default: <b></b>)</td> | ||
<td>Matches if any (source or destination) port matches the specified list of ports or port ranges. Applicable only if <code>protocol</code> is TCP or UDP</td> | <td>Matches if any (source or destination) port matches the specified list of ports or port ranges. Applicable only if <code>protocol</code> is TCP or UDP</td> | ||
</tr> | |||
<tr> | |||
<td><var><b>priority</b></var> (<em>integer: 0..63</em>; Default:)</td> | |||
<td>Matches packet's priority after a new priority has been set. Priority may be derived from VLAN, WMM, DSCP, MPLS EXP bit or from priority that has been set using the <var>set-priority</var> action. [[WMM | Read more >>]]</td> | |||
</tr> | </tr> | ||
<tr> | <tr> | ||
Line 276: | Line 335: | ||
<tr> | <tr> | ||
<td><var><b>psd</b></var> (<em>integer,time,integer,integer</em>; Default: <b></b>)</td> | <td><var><b>psd</b></var> (<em>integer,time,integer,integer</em>; Default: <b></b>)</td> | ||
<td>Attempts to detect TCP and UDP scans. Parameters are in following format <code>WeightThreshold, DelayThreshold, | <td>Attempts to detect TCP and UDP scans. Parameters are in following format <code>WeightThreshold, DelayThreshold, LowPortWeight, HighPortWeight</code> | ||
<ul class="bullets"> | <ul class="bullets"> | ||
<li> <b>WeightThreshold</b> - total weight of the latest TCP/UDP packets with different destination ports coming from the same host to be treated as port scan sequence | <li> <b>WeightThreshold</b> - total weight of the latest TCP/UDP packets with different destination ports coming from the same host to be treated as port scan sequence | ||
<li> <b>DelayThreshold</b> - delay for the packets with different destination ports coming from the same host to be treated as possible port scan subsequence | <li> <b>DelayThreshold</b> - delay for the packets with different destination ports coming from the same host to be treated as possible port scan subsequence | ||
<li> <b>LowPortWeight</b> - weight of the packets with privileged (< | <li> <b>LowPortWeight</b> - weight of the packets with privileged (<1024) destination port | ||
<li> <b>HighPortWeight</b> - weight of the packet with non-priviliged destination port | <li> <b>HighPortWeight</b> - weight of the packet with non-priviliged destination port | ||
</ul> | </ul> | ||
Line 290: | Line 349: | ||
</tr> | </tr> | ||
<tr> | <tr> | ||
<td><var><b>reject-with</b></var> (<em></em>; Default: <b></b>)</td> | <td><var><b>reject-with</b></var> (<em>icmp-admin-prohibited | icmp-net-prohibited | icmp-protocol-unreachable | icmp-host-prohibited | icmp-network-unreachable | tcp-reset | icmp-host-unreachable | icmp-port-unreachable</em>; Default: icmp-network-unreachable<b></b>)</td> | ||
<td>Specifies error to be sent back if packet is rejected. Applicable if <code>action=reject</code></td> | <td>Specifies ICMP error to be sent back if packet is rejected. Applicable if <code>action=reject</code></td> | ||
</tr> | |||
<tr> | |||
<td><var><b>routing-table</b></var> (<em>string</em>; Default: <b></b>)</td> | |||
<td>Matches packets which destination address is resolved in specific a routing table. More details can be found in the [[Manual:Routing_Table_Matcher | Routing Table Matcher]] page</td> | |||
</tr> | </tr> | ||
<tr> | <tr> | ||
Line 341: | Line 404: | ||
</tr> | </tr> | ||
<tr> | <tr> | ||
<td><var><b>tcp-mss</b></var> (<em>integer: 0..65535</em>; Default: <b></b>)</td> | <td><var><b>tcp-mss</b></var> (<em>integer[-integer]: 0..65535</em>; Default: <b></b>)</td> | ||
<td>Matches TCP MSS value of an IP packet</td> | <td>Matches TCP MSS value of an IP packet</td> | ||
</tr> | </tr> | ||
Line 347: | Line 410: | ||
<td><var><b>time</b></var> (<em>time-time,sat | fri | thu | wed | tue | mon | sun</em>; Default: <b></b>)</td> | <td><var><b>time</b></var> (<em>time-time,sat | fri | thu | wed | tue | mon | sun</em>; Default: <b></b>)</td> | ||
<td>Allows to create filter based on the packets' arrival time and date or, for locally generated packets, departure time and date</td> | <td>Allows to create filter based on the packets' arrival time and date or, for locally generated packets, departure time and date</td> | ||
</tr> | |||
<tr> | |||
<td><var><b>tls-host</b></var> (<em>string</em>; Default: <b></b>)</td> | |||
<td>Allows to match https traffic based on TLS SNI hostname. Accepts [https://en.wikipedia.org/wiki/Glob_(programming) GLOB syntax] for wildcard matching. Note that matcher will not be able to match hostname if TLS handshake frame is fragmented into multiple TCP segments (packets).</td> | |||
</tr> | </tr> | ||
<tr> | <tr> | ||
Line 427: | Line 494: | ||
==Basic examples== | ==Basic examples== | ||
===CLI Disctinctive=== | |||
<p> | |||
There is a bit different interpretation in each section with the similar configuration. <br> | |||
For example, with the following configuration line you will match packets where tcp-flags does not have SYN, but has ACK flags: | |||
<pre> | |||
/ip firewall filter add chain=forward protocol=tcp tcp-flags=!syn,ack | |||
</pre> | |||
But with this configuration you will match all connections which state is not NEW or RELATED. | |||
<pre> | |||
/ip firewall filter add action=accept chain=forward connection-state=!new,related | |||
</pre> | |||
Both configure similarly. | |||
===Router protection=== | ===Router protection=== | ||
Lets say our private network is 192.168.0.0/24 and public (WAN) interface is ether1. We will set up firewall to allow connections to router itself only from our local network and drop the rest. Also we will allow ICMP protocol on any interface so that anyone can ping your router from internet. | Lets say our private network is 192.168.0.0/24 and public (WAN) interface is ether1. We will set up firewall to allow connections to router itself only from our local network and drop the rest. Also we will allow ICMP protocol on any interface so that anyone can ping your router from internet. | ||
Line 448: | Line 529: | ||
===Customer protection=== | ===Customer protection=== | ||
<p> | <p> | ||
To protect the customer's network, we should check all traffic which goes through router and block unwanted. For icmp, tcp, udp traffic we will create chains, where will be | To protect the customer's network, we should check all traffic which goes through the router and block unwanted. For icmp, tcp, udp traffic we will create chains, where will be dropped all unwanted packets: | ||
<pre> | <pre> | ||
/ip firewall filter | /ip firewall filter | ||
Line 516: | Line 597: | ||
add chain=icmp protocol=icmp icmp-options=3:4 action=accept \ | add chain=icmp protocol=icmp icmp-options=3:4 action=accept \ | ||
comment="host unreachable fragmentation required" | comment="host unreachable fragmentation required" | ||
add chain=icmp protocol=icmp icmp-options=8:0 action=accept \ | add chain=icmp protocol=icmp icmp-options=8:0 action=accept \ | ||
comment="allow echo request" | comment="allow echo request" | ||
Line 535: | Line 614: | ||
</div> | </div> | ||
===Bandwidth management=== | |||
This simple firewall filter rule will limit ether1 outgoing traffic to 100Mbps. | |||
<pre> | |||
/ip firewall filter | |||
add action=drop chain=forward out-interface=ether1 limit=!100M,100M:bit | |||
</pre> | |||
{{Cont}} | {{Cont}} |
Latest revision as of 05:59, 26 April 2022
Warning: This manual is moved to https://help.mikrotik.com/docs/display/ROS/Filter
Summary
Sub-menu: /ip firewall filter
The firewall implements packet filtering and thereby provides security functions that are used to manage data flow to, from and through the router. Along with the Network Address Translation it serves as a tool for preventing unauthorized access to directly attached networks and the router itself as well as a filter for outgoing traffic.
Network firewalls keep outside threats away from sensitive data available inside the network. Whenever different networks are joined together, there is always a threat that someone from outside of your network will break into your LAN. Such break-ins may result in private data being stolen and distributed, valuable data being altered or destroyed, or entire hard drives being erased. Firewalls are used as a means of preventing or minimizing the security risks inherent in connecting to other networks. Properly configured firewall plays a key role in efficient and secure network infrastrure deployment.
MikroTik RouterOS has very powerful firewall implementation with features including:
- stateful packet inspection
- Layer-7 protocol detection
- peer-to-peer protocols filtering
- traffic classification by:
- source MAC address
- IP addresses (network or list) and address types (broadcast, local, multicast, unicast)
- port or port range
- IP protocols
- protocol options (ICMP type and code fields, TCP flags, IP options and MSS)
- interface the packet arrived from or left through
- internal flow and connection marks
- DSCP byte
- packet content
- rate at which packets arrive and sequence numbers
- packet size
- packet arrival time
- and much more!
Chains
The firewall operates by means of firewall rules. Each rule consists of two parts - the matcher which matches traffic flow against given conditions and the action which defines what to do with the matched packet.
Firewall filtering rules are grouped together in chains. It allows a packet to be matched against one common criterion in one chain, and then passed over for processing against some other common criteria to another chain. For example a packet should be matched against the IP address:port pair. Of course, it could be achieved by adding as many rules with IP address:port match as required to the forward chain, but a better way could be to add one rule that matches traffic from a particular IP address, e.g.: /ip firewall filter add src-address=1.1.1.2/32 jump-target="mychain" and in case of successfull match passes control over the IP packet to some other chain, id est mychain in this example. Then rules that perform matching against separate ports can be added to mychain chain without specifying the IP addresses.
There are three predefined chains, which cannot be deleted:
- input - used to process packets entering the router through one of the interfaces with the destination IP address which is one of the router's addresses. Packets passing through the router are not processed against the rules of the input chain
- forward - used to process packets passing through the router
- output - used to process packets originated from the router and leaving it through one of the interfaces. Packets passing through the router are not processed against the rules of the output chain
Packet flow diagrams illustrate how packets are processed in RouterOS.
When processing a chain, rules are taken from the chain in the order they are listed there from top to bottom. If a packet matches the criteria of the rule, then the specified action is performed on it, and no more rules are processed in that chain (the exception is the passthrough action). If a packet has not matched any rule within the built-in chain, then it is accepted.
Properties
Property | Description |
---|---|
action (action name; Default: accept) | Action to take if packet is matched by the rule:
|
address-list-timeout (none-dynamic | none-static | time; Default: none-dynamic) | Time interval after which the address will be removed from the address list specified by address-list parameter. Used in conjunction with add-dst-to-address-list or add-src-to-address-list actions
|
chain (name; Default: ) | Specifies to which chain rule will be added. If the input does not match the name of an already defined chain, a new chain will be created. |
comment (string; Default: ) | Descriptive comment for the rule. |
chain (name; Default: ) | Specifies to which chain rule will be added. If the input does not match the name of an already defined chain, a new chain will be created. |
comment (string; Default: ) | Descriptive comment for the rule. |
connection-bytes (integer-integer; Default: ) | Matches packets only if a given amount of bytes has been transfered through the particular connection. 0 - means infinity, for example connection-bytes=2000000-0 means that the rule matches if more than 2MB has been transfered through the relevant connection |
connection-limit (integer,netmask; Default: ) | Matches connections per address or address block after given value is reached. Should be used together with connection-state=new and/or with tcp-flags=syn because matcher is very resource intensive. |
connection-mark (no-mark | string; Default: ) | Matches packets marked via mangle facility with particular connection mark. If no-mark is set, rule will match any unmarked connection. |
connection-nat-state (srcnat | dstnat; Default: ) | Can match connections that are srcnatted, dstnatted or both. Note that connection-state=related connections connection-nat-state is determined by direction of the first packet. and if connection tracking needs to use dst-nat to deliver this connection to same hosts as main connection it will be in connection-nat-state=dstnat even if there are no dst-nat rules at all. |
connection-rate (Integer 0..4294967295; Default: ) | Connection Rate is a firewall matcher that allow to capture traffic based on present speed of the connection. Read more >> |
connection-state (estabilished | invalid | new | related | untracked; Default: ) | Interprets the connection tracking analysis data for a particular packet:
|
connection-type (ftp | h323 | irc | pptp | quake3 | sip | tftp; Default: ) | Matches packets from related connections based on information from their connection tracking helpers. A relevant connection helper must be enabled under /ip firewall service-port |
content (string; Default: ) | Match packets that contain specified text |
dscp (integer: 0..63; Default: ) | Matches DSCP IP header field. |
dst-address (IP/netmask | IP range; Default: ) | Matches packets which destination is equal to specified IP or falls into specified IP range. |
dst-address-list (name; Default: ) | Matches destination address of a packet against user-defined address list |
dst-address-type (unicast | local | broadcast | multicast; Default: ) | Matches destination address type:
|
dst-limit (integer[/time],integer,dst-address | dst-port | src-address[/time]; Default: ) | Matches packets until a given rate is exceeded. Rate is defined as packets per time interval. As opposed to the limit matcher, every flow has it's own limit. Flow is defined by mode parameter. Parameters are written in following format: count[/time],burst,mode[/expire] .
|
dst-port (integer[-integer]: 0..65535; Default: ) | List of destination port numbers or port number ranges |
fragment (yes|no; Default: ) | Matches fragmented packets. First (starting) fragment does not count. If connection tracking is enabled there will be no fragments as system automatically assembles every packet |
hotspot (auth | from-client | http | local-dst | to-client; Default: ) | Matches packets received from HotSpot clients against various HotSpot matchers.
|
icmp-options (integer:integer; Default: ) | Matches ICMP type:code fields |
in-bridge-port (name; Default: ) | Actual interface the packet has entered the router, if incoming interface is bridge. Works only if use-ip-firewall is enabled in bridge settings. |
in-bridge-port-list (name; Default: ) | Set of interfaces defined in interface list. Works the same as in-bridge-port |
in-interface (name; Default: ) | Interface the packet has entered the router |
in-interface-list (name; Default: ) | Set of interfaces defined in interface list. Works the same as in-interface |
ingress-priority (integer: 0..63; Default: ) | Matches the priority of an ingress packet. Priority may be derived from VLAN, WMM, DSCP or MPLS EXP bit. read more» |
ipsec-policy (in | out, ipsec | none; Default: ) | Matches the policy used by IpSec. Value is written in following format: direction, policy . Direction is Used to select whether to match the policy used for decapsulation or the policy that will be used for encapsulation.
For example, if router receives Ipsec encapsulated Gre packet, then rule |
ipv4-options (any | loose-source-routing | no-record-route | no-router-alert | no-source-routing | no-timestamp | none | record-route | router-alert | strict-source-routing | timestamp; Default: ) | Matches IPv4 header options.
|
jump-target (name; Default: ) | Name of the target chain to jump to. Applicable only if action=jump |
layer7-protocol (name; Default: ) | Layer7 filter name defined in layer7 protocol menu. |
limit (integer,time,integer; Default: ) | Matches packets up to a limited rate (packet rate or bit rate). Rule using this matcher will match until this limit is reached. Parameters are written in following format: count[/time],burst:mode .
|
log-prefix (string; Default: ) | Adds specified text at the beginning of every log message. Applicable if action=log |
nth (integer,integer; Default: ) | Matches every nth packet. Read more >> |
out-bridge-port (name; Default: ) | Actual interface the packet is leaving the router, if outgoing interface is bridge. Works only if use-ip-firewall is enabled in bridge settings. |
out-bridge-port-list (name; Default: ) | Set of interfaces defined in interface list. Works the same as out-bridge-port |
out-interface (; Default: ) | Interface the packet is leaving the router |
out-interface-list (name; Default: ) | Set of interfaces defined in interface list. Works the same as out-interface |
packet-mark (no-mark | string; Default: ) | Matches packets marked via mangle facility with particular packet mark. If no-mark is set, rule will match any unmarked packet. |
packet-size (integer[-integer]:0..65535; Default: ) | Matches packets of specified size or size range in bytes. |
per-connection-classifier (ValuesToHash:Denominator/Remainder; Default: ) | PCC matcher allows to divide traffic into equal streams with ability to keep packets with specific set of options in one particular stream. Read more >> |
port (integer[-integer]: 0..65535; Default: ) | Matches if any (source or destination) port matches the specified list of ports or port ranges. Applicable only if protocol is TCP or UDP |
priority (integer: 0..63; Default:) | Matches packet's priority after a new priority has been set. Priority may be derived from VLAN, WMM, DSCP, MPLS EXP bit or from priority that has been set using the set-priority action. Read more >> |
protocol (name or protocol ID; Default: tcp) | Matches particular IP protocol specified by protocol name or number |
psd (integer,time,integer,integer; Default: ) | Attempts to detect TCP and UDP scans. Parameters are in following format WeightThreshold, DelayThreshold, LowPortWeight, HighPortWeight
|
random (integer: 1..99; Default: ) | Matches packets randomly with given probability. |
reject-with (icmp-admin-prohibited | icmp-net-prohibited | icmp-protocol-unreachable | icmp-host-prohibited | icmp-network-unreachable | tcp-reset | icmp-host-unreachable | icmp-port-unreachable; Default: icmp-network-unreachable) | Specifies ICMP error to be sent back if packet is rejected. Applicable if action=reject |
routing-table (string; Default: ) | Matches packets which destination address is resolved in specific a routing table. More details can be found in the Routing Table Matcher page |
routing-mark (string; Default: ) | Matches packets marked by mangle facility with particular routing mark |
src-address (Ip/Netmaks, Ip range; Default: ) | Matches packets which source is equal to specified IP or falls into specified IP range. |
src-address-list (name; Default: ) | Matches source address of a packet against user-defined address list |
src-address-type (unicast | local | broadcast | multicast; Default: ) |
Matches source address type:
|
src-port (integer[-integer]: 0..65535; Default: ) | List of source ports and ranges of source ports. Applicable only if protocol is TCP or UDP. |
src-mac-address (MAC address; Default: ) | Matches source MAC address of the packet |
tcp-flags (ack | cwr | ece | fin | psh | rst | syn | urg; Default: ) | Matches specified TCP flags
|
tcp-mss (integer[-integer]: 0..65535; Default: ) | Matches TCP MSS value of an IP packet |
time (time-time,sat | fri | thu | wed | tue | mon | sun; Default: ) | Allows to create filter based on the packets' arrival time and date or, for locally generated packets, departure time and date |
tls-host (string; Default: ) | Allows to match https traffic based on TLS SNI hostname. Accepts GLOB syntax for wildcard matching. Note that matcher will not be able to match hostname if TLS handshake frame is fragmented into multiple TCP segments (packets). |
ttl (integer: 0..255; Default: ) | Matches packets TTL value |
Stats
/ip firewall filter print stats
will show additional read-only properties
Property | Description |
---|---|
bytes (integer) | Total amount of bytes matched by the rule |
packets (integer) | Total amount of packets matched by the rule |
By default print is equivalent to print static and shows only static rules.
[admin@dzeltenais_burkaans] /ip firewall mangle> print stats Flags: X - disabled, I - invalid, D - dynamic # CHAIN ACTION BYTES PACKETS 0 prerouting mark-routing 17478158 127631 1 prerouting mark-routing 782505 4506
To print also dynamic rules use print all.
[admin@dzeltenais_burkaans] /ip firewall mangle> print all stats Flags: X - disabled, I - invalid, D - dynamic # CHAIN ACTION BYTES PACKETS 0 prerouting mark-routing 17478158 127631 1 prerouting mark-routing 782505 4506 2 D forward change-mss 0 0 3 D forward change-mss 0 0 4 D forward change-mss 0 0 5 D forward change-mss 129372 2031
Or to print only dynamic rules use print dynamic
[admin@dzeltenais_burkaans] /ip firewall mangle> print stats dynamic Flags: X - disabled, I - invalid, D - dynamic # CHAIN ACTION BYTES PACKETS 0 D forward change-mss 0 0 1 D forward change-mss 0 0 2 D forward change-mss 0 0 3 D forward change-mss 132444 2079
Menu specific commands
Property | Description |
---|---|
reset-counters (id) | Reset statistics counters for specified firewall rules. |
reset-counters-all () | Reset statistics counters for all firewall rules. |
Basic examples
CLI Disctinctive
There is a bit different interpretation in each section with the similar configuration.
For example, with the following configuration line you will match packets where tcp-flags does not have SYN, but has ACK flags:
/ip firewall filter add chain=forward protocol=tcp tcp-flags=!syn,ack
But with this configuration you will match all connections which state is not NEW or RELATED.
/ip firewall filter add action=accept chain=forward connection-state=!new,related
Both configure similarly.
Router protection
Lets say our private network is 192.168.0.0/24 and public (WAN) interface is ether1. We will set up firewall to allow connections to router itself only from our local network and drop the rest. Also we will allow ICMP protocol on any interface so that anyone can ping your router from internet.
/ip firewall filter add chain=input connection-state=invalid action=drop \ comment="Drop Invalid connections" add chain=input connection-state=established action=accept \ comment="Allow Established connections" add chain=input protocol=icmp action=accept \ comment="Allow ICMP" add chain=input src-address=192.168.0.0/24 action=accept \ in-interface=!ether1 add chain=input action=drop comment="Drop everything else"
Customer protection
To protect the customer's network, we should check all traffic which goes through the router and block unwanted. For icmp, tcp, udp traffic we will create chains, where will be dropped all unwanted packets:
/ip firewall filter add chain=forward protocol=tcp connection-state=invalid \ action=drop comment="drop invalid connections" add chain=forward connection-state=established action=accept \ comment="allow already established connections" add chain=forward connection-state=related action=accept \ comment="allow related connections"
Block "bogon" IP addresses
add chain=forward src-address=0.0.0.0/8 action=drop add chain=forward dst-address=0.0.0.0/8 action=drop add chain=forward src-address=127.0.0.0/8 action=drop add chain=forward dst-address=127.0.0.0/8 action=drop add chain=forward src-address=224.0.0.0/3 action=drop add chain=forward dst-address=224.0.0.0/3 action=drop
Make jumps to new chains:
add chain=forward protocol=tcp action=jump jump-target=tcp add chain=forward protocol=udp action=jump jump-target=udp add chain=forward protocol=icmp action=jump jump-target=icmp
Create tcp chain and deny some tcp ports in it:
add chain=tcp protocol=tcp dst-port=69 action=drop \ comment="deny TFTP" add chain=tcp protocol=tcp dst-port=111 action=drop \ comment="deny RPC portmapper" add chain=tcp protocol=tcp dst-port=135 action=drop \ comment="deny RPC portmapper" add chain=tcp protocol=tcp dst-port=137-139 action=drop \ comment="deny NBT" add chain=tcp protocol=tcp dst-port=445 action=drop \ comment="deny cifs" add chain=tcp protocol=tcp dst-port=2049 action=drop comment="deny NFS" add chain=tcp protocol=tcp dst-port=12345-12346 action=drop comment="deny NetBus" add chain=tcp protocol=tcp dst-port=20034 action=drop comment="deny NetBus" add chain=tcp protocol=tcp dst-port=3133 action=drop comment="deny BackOriffice" add chain=tcp protocol=tcp dst-port=67-68 action=drop comment="deny DHCP"
Deny udp ports in udp chain:
add chain=udp protocol=udp dst-port=69 action=drop comment="deny TFTP" add chain=udp protocol=udp dst-port=111 action=drop comment="deny PRC portmapper" add chain=udp protocol=udp dst-port=135 action=drop comment="deny PRC portmapper" add chain=udp protocol=udp dst-port=137-139 action=drop comment="deny NBT" add chain=udp protocol=udp dst-port=2049 action=drop comment="deny NFS" add chain=udp protocol=udp dst-port=3133 action=drop comment="deny BackOriffice"
Allow only needed icmp codes in icmp chain:
add chain=icmp protocol=icmp icmp-options=0:0 action=accept \ comment="echo reply" add chain=icmp protocol=icmp icmp-options=3:0 action=accept \ comment="net unreachable" add chain=icmp protocol=icmp icmp-options=3:1 action=accept \ comment="host unreachable" add chain=icmp protocol=icmp icmp-options=3:4 action=accept \ comment="host unreachable fragmentation required" add chain=icmp protocol=icmp icmp-options=8:0 action=accept \ comment="allow echo request" add chain=icmp protocol=icmp icmp-options=11:0 action=accept \ comment="allow time exceed" add chain=icmp protocol=icmp icmp-options=12:0 action=accept \ comment="allow parameter bad" add chain=icmp action=drop comment="deny all other types"
other ICMP codes are found here.
Brute force protection
Bandwidth management
This simple firewall filter rule will limit ether1 outgoing traffic to 100Mbps.
/ip firewall filter add action=drop chain=forward out-interface=ether1 limit=!100M,100M:bit
[ Top | Back to Content ]