Manual:IP/Firewall/Filter: Difference between revisions

From MikroTik Wiki
Jump to navigation Jump to search
(New page: <div class=manual> <h2>Summary</h2> <p> The firewall implements packet filtering and thereby provides security functions that are used to manage data flow to, from and through the router....)
 
No edit summary
Line 4: Line 4:
<p>
<p>
The firewall implements packet filtering and thereby provides security functions that are used to manage data flow to, from and through the router. Along with the Network Address Translation it serves as a tool for preventing unauthorized access to directly attached networks and the router itself as well as a filter for outgoing traffic.
The firewall implements packet filtering and thereby provides security functions that are used to manage data flow to, from and through the router. Along with the Network Address Translation it serves as a tool for preventing unauthorized access to directly attached networks and the router itself as well as a filter for outgoing traffic.
</p>
<br />
<p>
Network firewalls keep outside threats away from sensitive data available inside the network. Whenever different networks are joined together, there is always a threat that someone from outside of your network will break into your LAN. Such break-ins may result in private data being stolen and distributed, valuable data being altered or destroyed, or entire hard drives being erased. Firewalls are used as a means of preventing or minimizing the security risks inherent in connecting to other networks. Properly configured firewall plays a key role in efficient and secure network infrastrure deployment.
</p>
<br />
<p>
MikroTik RouterOS has very powerful firewall implementation with features including:
<ul>
:: <li> stateful packet inspection
:: <li> Layer-7 protocol detection
:: <li> peer-to-peer protocols filtering
:: <li> traffic classification by:
:: <li> source MAC address
:: <li> IP addresses (network or list) and address types (broadcast, local, multicast, unicast)
:: <li> port or port range
:: <li> IP protocols
:: <li> protocol options (ICMP type and code fields, TCP flags, IP options and MSS)
:: <li> interface the packet arrived from or left through
:: <li> internal flow and connection marks
:: <li> DSCP byte
:: <li> packet content
:: <li> rate at which packets arrive and sequence numbers
:: <li> packet size
:: <li> packet arrival time
:: <li> and much more!
</ul>
</p>
</p>


Line 9: Line 36:
<p><b>Sub-menu:</b> <code>/ip firewall filter</code></p>
<p><b>Sub-menu:</b> <code>/ip firewall filter</code></p>
<br />
<br />
<p>
The firewall operates by means of firewall rules. Each rule consists of two parts - the matcher which matches traffic flow against given conditions and the action which defines what to do with the matched packet.
</p>
<h3>Chains</h3>
<p>
Firewall filtering rules are grouped together in chains. It allows a packet to be matched against one common criterion in one chain, and then passed over for processing against some other common criteria to another chain. For example a packet should be matched against the IP address:port pair. Of course, it could be achieved by adding as many rules with IP address:port match as required to the forward chain, but a better way could be to add one rule that matches traffic from a particular IP address, e.g.: /ip firewall filter add src-address=1.1.1.2/32 jump-target="mychain" and in case of successfull match passes control over the IP packet to some other chain, id est mychain in this example. Then rules that perform matching against separate ports can be added to mychain chain without specifying the IP addresses.
<br />
<br />
There are three predefined chains, which cannot be deleted:
<ul>
: <li> <b>input</b> - used to process packets entering the router through one of the interfaces with the destination IP address which is one of the router's addresses. Packets passing through the router are not processed against the rules of the input chain
: <li> <b>forward</b> - used to process packets passing through the router
: <li> <b>output</b> - used to process packets originated from the router and leaving it through one of the interfaces. Packets passing through the router are not processed against the rules of the output chain
</ul>
[[Packet_Flow | Packet flow]] diagrams illustrate how packets are processed in RouterOS.
<br />
<br .>
When processing a chain, rules are taken from the chain in the order they are listed there from top to bottom. If a packet matches the criteria of the rule, then the specified action is performed on it, and no more rules are processed in that chain (the exception is the passthrough action). If a packet has not matched any rule within the chain, then it is accepted.
</p>
<br />
<h3>Properties</h3>
<table class="styled_table">
<table class="styled_table">
<tr>
<tr>

Revision as of 11:59, 22 September 2009

Summary

The firewall implements packet filtering and thereby provides security functions that are used to manage data flow to, from and through the router. Along with the Network Address Translation it serves as a tool for preventing unauthorized access to directly attached networks and the router itself as well as a filter for outgoing traffic.


Network firewalls keep outside threats away from sensitive data available inside the network. Whenever different networks are joined together, there is always a threat that someone from outside of your network will break into your LAN. Such break-ins may result in private data being stolen and distributed, valuable data being altered or destroyed, or entire hard drives being erased. Firewalls are used as a means of preventing or minimizing the security risks inherent in connecting to other networks. Properly configured firewall plays a key role in efficient and secure network infrastrure deployment.


MikroTik RouterOS has very powerful firewall implementation with features including:

  • stateful packet inspection
  • Layer-7 protocol detection
  • peer-to-peer protocols filtering
  • traffic classification by:
  • source MAC address
  • IP addresses (network or list) and address types (broadcast, local, multicast, unicast)
  • port or port range
  • IP protocols
  • protocol options (ICMP type and code fields, TCP flags, IP options and MSS)
  • interface the packet arrived from or left through
  • internal flow and connection marks
  • DSCP byte
  • packet content
  • rate at which packets arrive and sequence numbers
  • packet size
  • packet arrival time
  • and much more!

Firewall filter

Sub-menu: /ip firewall filter


The firewall operates by means of firewall rules. Each rule consists of two parts - the matcher which matches traffic flow against given conditions and the action which defines what to do with the matched packet.

Chains

Firewall filtering rules are grouped together in chains. It allows a packet to be matched against one common criterion in one chain, and then passed over for processing against some other common criteria to another chain. For example a packet should be matched against the IP address:port pair. Of course, it could be achieved by adding as many rules with IP address:port match as required to the forward chain, but a better way could be to add one rule that matches traffic from a particular IP address, e.g.: /ip firewall filter add src-address=1.1.1.2/32 jump-target="mychain" and in case of successfull match passes control over the IP packet to some other chain, id est mychain in this example. Then rules that perform matching against separate ports can be added to mychain chain without specifying the IP addresses.

There are three predefined chains, which cannot be deleted:

  • input - used to process packets entering the router through one of the interfaces with the destination IP address which is one of the router's addresses. Packets passing through the router are not processed against the rules of the input chain
  • forward - used to process packets passing through the router
  • output - used to process packets originated from the router and leaving it through one of the interfaces. Packets passing through the router are not processed against the rules of the output chain

Packet flow diagrams illustrate how packets are processed in RouterOS.

When processing a chain, rules are taken from the chain in the order they are listed there from top to bottom. If a packet matches the criteria of the rule, then the specified action is performed on it, and no more rules are processed in that chain (the exception is the passthrough action). If a packet has not matched any rule within the chain, then it is accepted.


Properties

Property Description
action (; Default: )
address-list (; Default: )
address-list-timeout (; Default: )
chain (; Default: )
comment (; Default: )
connection-bytes (; Default: )
connection-limit (; Default: )
connection-mark (; Default: )
connection-rate (; Default: )
connection-state (; Default: )
connection-type (; Default: )
content (; Default: )
dscp (; Default: )
dst-address (; Default: )
dst-address-list (; Default: )
dst-address-type (; Default: )
dst-limit (; Default: )
dst-port (; Default: )
fragment (; Default: )
hotspot (; Default: )
icmp-options (; Default: )
in-bridge-port (; Default: )
in-interface (; Default: )
ingress-priority (; Default: )
ipv4-options (; Default: )
jump-target (; Default: )
layer7-protocol (; Default: )
limit (; Default: )
log-prefix (; Default: )
nth (; Default: )
out-bridge-port (; Default: )
out-interface (; Default: )
p2p (; Default: )
packet-mark (; Default: )
packet-size (; Default: )
per-connection-classifier (; Default: )
port (; Default: )
protocol (; Default: )
psd (; Default: )
random (; Default: )
reject-with (; Default: )
routing-mark (; Default: )
src-address (; Default: )
src-address-list (; Default: )
src-address-type (; Default: )
src-port (; Default: )
tcp-flags (; Default: )
tcp-mss (; Default: )
time (; Default: )
ttl (; Default: )