Friday, 14 March 2014

What is a Firewall?

A firewall is a device whose function is to examine data packets and decide which of them may enter or leave a network. With this capability, a firewall protects the network from attacks that originate outside it. The firewall implements packet filtering and thereby provides security functions that are used to manage the flow of data to, from and through the router. For example, a firewall protects the local network (LAN) from possible attacks coming from the Internet. Besides protecting a network, a firewall can also protect a single computer or host (a host firewall).

Firewalls are used as a means to prevent or minimize the security risks inherent in connecting to other networks. If properly configured, the firewall plays an important role in efficient network deployment and a secure infrastructure. MikroTik RouterOS has a very powerful firewall implementation with features including:


  • stateful packet inspection
  • Layer-7 protocol detection
  • peer-to-peer protocols filtering
  • traffic classification by:
      • source MAC address
      • IP addresses (network or list) and address types (broadcast, local, multicast, unicast)
      • port or port range
      • IP protocols
      • protocol options (ICMP type and code fields, TCP flags, IP options and MSS)
      • interface the packet arrived from or left through
      • internal flow and connection marks
      • DSCP byte
      • packet content
      • rate at which packets arrive and sequence numbers
      • packet size
      • packet arrival time
      • etc.

You can access the MikroTik firewall in Winbox through the menu IP -> Firewall


Chains in the MikroTik Firewall

Firewalls operate by means of firewall rules. Each rule consists of two parts: a matcher that compares the traffic flow against given conditions, and an action that defines what should be done with a packet that matches. Firewall filtering rules are grouped together in chains. This allows a packet to be matched against one common criterion in one chain and then handed over to another chain for processing against some other common criteria.

For example, packets should be matched against an IP address:port pair. Of course, this could be achieved by adding as many rules with the address:port match as required to the forward chain, but a better way is to add a single rule that matches traffic from a particular IP address and hands those packets to a separate chain, for example:


/ip firewall filter add chain=forward src-address=1.1.1.2/32 action=jump jump-target="mychain"

On a successful match, control over the packet passes to the rules of the chain mychain.

There are three predefined chains in MikroTik RouterOS:

  1. Input - used to process packets entering the router through one of its interfaces whose destination IP address is one of the router's own addresses. The input chain lets you restrict access to the configuration of the MikroTik router itself.
  2. Forward - used to process data packets passing through the router.
  3. Output - used to process data packets that originate from the router and leave through one of its interfaces.

Connection State (status of data packets passing through the router)

  • Invalid: the packet does not belong to any known connection; such packets are useless.
  • New: the packet opens a connection; it is the first packet of a connection.
  • Established: the packet belongs to a connection that was opened earlier (a continuation of a packet with the new state).
  • Related: the packet opens a new connection, but one that is related to an existing connection.
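As an added illustration (not code from the original post or from MikroTik), the following Python sketch shows how a connection tracker arrives at those four labels for a sequence of packets. The Packet model, the ConnTracker class and the sample addresses are constructed for this example; a real tracker also checks sequence numbers, timeouts and protocol helpers, which are left out here.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed, simplified packet model (not RouterOS code): just the fields a
# connection tracker needs to decide which of the four states a packet is in.
@dataclass(frozen=True)
class Packet:
    proto: str                                 # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    tcp_flags: frozenset = frozenset()         # e.g. {"SYN"}, {"SYN", "ACK"}, {"ACK"}
    icmp_type: Optional[int] = None            # 8 echo request, 0 echo reply, 3 unreachable
    inner: Optional["Packet"] = None           # for ICMP errors: the quoted original packet

Key = Tuple[str, str, int, str, int]

class ConnTracker:
    """Keeps a table of seen flows and labels each packet new/established/related/invalid."""

    def __init__(self) -> None:
        self.table: set = set()

    @staticmethod
    def _key(p: Packet) -> Key:
        if p.proto == "icmp":
            # echo request and reply are paired by endpoints only (ICMP id omitted)
            return ("icmp", p.src, 0, p.dst, 0)
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    def _known(self, k: Key) -> bool:
        proto, src, sport, dst, dport = k
        return k in self.table or (proto, dst, dport, src, sport) in self.table

    def classify(self, p: Packet) -> str:
        k = self._key(p)
        if self._known(k):
            return "established"            # continuation of a flow opened earlier
        if p.proto == "icmp" and p.icmp_type in (3, 11):
            # an ICMP error is legitimate only if it quotes a packet of a tracked flow
            if p.inner is not None and self._known(self._key(p.inner)):
                return "related"
            return "invalid"
        if p.proto == "tcp":
            # only a bare SYN may open a TCP flow; any other unseen segment is invalid
            if p.tcp_flags == frozenset({"SYN"}):
                self.table.add(k)
                return "new"
            return "invalid"
        if p.proto == "udp" or (p.proto == "icmp" and p.icmp_type == 8):
            self.table.add(k)               # UDP datagrams and echo requests open a flow
            return "new"
        return "invalid"                    # e.g. an echo reply nobody asked for

def demo() -> dict:
    """Constructed packet sequence: a LAN host opens an HTTP connection, then
    various packets arrive from outside."""
    ct = ConnTracker()
    syn = Packet("tcp", "192.168.0.10", "93.184.216.34", 40000, 80, frozenset({"SYN"}))
    synack = Packet("tcp", "93.184.216.34", "192.168.0.10", 80, 40000, frozenset({"SYN", "ACK"}))
    stray_ack = Packet("tcp", "203.0.113.5", "192.168.0.10", 1234, 22, frozenset({"ACK"}))
    unreachable = Packet("icmp", "10.0.0.1", "192.168.0.10", icmp_type=3, inner=syn)
    stray_reply = Packet("icmp", "203.0.113.5", "192.168.0.10", icmp_type=0)
    return {
        "syn": ct.classify(syn),
        "synack": ct.classify(synack),
        "stray_ack": ct.classify(stray_ack),
        "icmp_unreachable": ct.classify(unreachable),
        "stray_echo_reply": ct.classify(stray_reply),
    }
```

The stray ACK and the unsolicited echo reply come out as invalid because nothing in the table explains them, which is exactly why the usage example further down drops invalid traffic before anything else; the destination-unreachable message is related only because it quotes a SYN that the tracker has already seen.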

Firewall Filter Actions in MikroTik RouterOS

In the MikroTik firewall configuration there are several options for Action, including:
  • Accept: accept the packet and do not process the following rules
  • Drop: drop the packet silently (no ICMP rejection message is sent)
  • Reject: drop the packet and send an ICMP rejection message
  • Jump: jump to another chain specified by the jump-target parameter
  • Tarpit: reject, but keep the incoming TCP connection open (reply with SYN/ACK to incoming TCP SYN packets)
  • Passthrough: ignore this rule and go to the next rule
  • Log: add information about the packet to the system log

 

Usage example on Mikrotik Router Firewall

Let's say our private network is 192.168.0.0/24 and our public (WAN) interface is ether1. We will set up the firewall to allow connections to the router itself only from the local network and drop the rest. We will also allow the ICMP protocol on any interface so that anyone can ping our router from the Internet. Here are the commands:

/ip firewall filter
add chain=input connection-state=invalid action=drop \
 comment="Drop Invalid connections"
add chain=input connection-state=established action=accept \
 comment="Allow Established connections"
add chain=input protocol=icmp action=accept \
 comment="Allow ICMP"
add chain=input src-address=192.168.0.0/24 action=accept \
 in-interface=!ether1
add chain=input action=drop comment="Drop All"
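The chain and jump behaviour described earlier, the filter actions listed above, and the five-rule input chain from this example can all be exercised in the following Python model, which is an added example and not RouterOS code. The Packet and Rule classes, the user chain mychain, the interface ether2 and the sample packets are assumptions constructed for the demonstration; connection_state is taken as already supplied by the router's connection tracker.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed packet model as the filter sees it (not RouterOS code); connection_state
# is whatever the router's connection tracker attached before the filter rules ran.
@dataclass
class Packet:
    src: str
    proto: str                          # "tcp", "udp" or "icmp"
    dport: int = 0
    in_interface: str = ""
    connection_state: str = "new"

@dataclass
class Rule:
    chain: str
    action: str                         # accept, drop, reject, tarpit, jump, passthrough, log
    protocol: Optional[str] = None
    src_address: Optional[str] = None   # CIDR, as in src-address=192.168.0.0/24
    dst_port: Optional[int] = None
    in_interface: Optional[str] = None  # "ether1", or "!ether1" to negate the match
    connection_state: Optional[str] = None
    jump_target: Optional[str] = None
    comment: str = ""

    def matches(self, p: Packet) -> bool:
        if self.protocol and p.proto != self.protocol:
            return False
        if self.src_address and ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src_address):
            return False
        if self.dst_port is not None and p.dport != self.dst_port:
            return False
        if self.connection_state and p.connection_state != self.connection_state:
            return False
        if self.in_interface and (p.in_interface == self.in_interface.lstrip("!")) == self.in_interface.startswith("!"):
            return False                # interface test failed (or the negated test succeeded)
        return True

class Filter:
    """First match wins within a chain. jump enters a user chain; if that chain ends without
    a final verdict, evaluation continues with the next rule of the calling chain."""
    TERMINAL = {"accept", "drop", "reject", "tarpit"}

    def __init__(self) -> None:
        self.chains: Dict[str, List[Rule]] = {}
        self.log: List[str] = []

    def add(self, rule: Rule) -> None:
        self.chains.setdefault(rule.chain, []).append(rule)

    def evaluate(self, p: Packet, chain: str = "input") -> str:
        for rule in self.chains.get(chain, []):
            if not rule.matches(p):
                continue
            if rule.action in self.TERMINAL:
                return rule.action
            if rule.action == "log":
                self.log.append(f"{chain}: {rule.comment} {p.src} {p.proto}/{p.dport}")
            elif rule.action == "jump":
                verdict = self.evaluate(p, rule.jump_target)
                if verdict in self.TERMINAL:
                    return verdict
            # passthrough, log and an undecided jump all continue with the next rule
        # built-in chains accept by default, which is why the example ends with "Drop All"
        return "accept" if chain in ("input", "forward", "output") else "return"

def page_ruleset() -> Filter:
    f = Filter()                        # the five input-chain rules from the usage example
    f.add(Rule("input", "drop", connection_state="invalid", comment="Drop Invalid connections"))
    f.add(Rule("input", "accept", connection_state="established", comment="Allow Established connections"))
    f.add(Rule("input", "accept", protocol="icmp", comment="Allow ICMP"))
    f.add(Rule("input", "accept", src_address="192.168.0.0/24", in_interface="!ether1"))
    f.add(Rule("input", "drop", comment="Drop All"))
    return f

def input_demo() -> Dict[str, str]:
    f = page_ruleset()                  # constructed packets addressed to the router itself
    samples = {
        "lan_winbox": Packet("192.168.0.10", "tcp", 8291, "ether2"),
        "wan_winbox": Packet("203.0.113.7", "tcp", 8291, "ether1"),
        "wan_ping": Packet("203.0.113.7", "icmp", 0, "ether1"),
        "spoofed_lan_src_on_wan": Packet("192.168.0.10", "tcp", 8291, "ether1"),
        "wan_established": Packet("203.0.113.7", "tcp", 443, "ether1", "established"),
        "wan_invalid": Packet("203.0.113.7", "tcp", 22, "ether1", "invalid"),
    }
    return {name: f.evaluate(p) for name, p in samples.items()}

def jump_demo() -> Dict[str, object]:
    f = Filter()                        # hypothetical user chain "mychain" reached via jump
    f.add(Rule("forward", "jump", src_address="1.1.1.2/32", jump_target="mychain"))
    f.add(Rule("mychain", "log", comment="from 1.1.1.2"))
    f.add(Rule("mychain", "drop", protocol="tcp", dst_port=23))

    def fwd(src: str, port: int) -> str:
        return f.evaluate(Packet(src, "tcp", port, "ether1"), "forward")

    return {"telnet": fwd("1.1.1.2", 23), "https": fwd("1.1.1.2", 443),
            "other_host": fwd("1.1.1.3", 23), "logged": len(f.log)}
```

Two results are worth checking by hand: the packet with a LAN source address arriving on ether1 is dropped, because the in-interface=!ether1 condition stops a spoofed private address from unlocking the router from the WAN side; and in the jump demonstration the HTTPS packet from 1.1.1.2 is logged in mychain but, since no rule there decides its fate, it returns to the forward chain and is accepted by the built-in default.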
