firewall : mangle & address list - fahrezy blog · firewall • mikrotik routeros firewall...
TRANSCRIPT
Firewall• Mikrotik RouterOS Firewall stands between company’s
network and a public network, effectively shielding your computers from malisious hacker activity, and controlling the flow of data to the router, through the router, and from the router.
• Mikrotik RouterOS firewall supports filtering and security functions that from your internet using policy
Applications :• Protection of the Router from unauthorized access
You can monitor connections to the addresses assign to the router itself and allow access only from certain hosts to certai TCP ports of the router. The firewall controlls all internet information and warns and blocks interution attempt based on rules, and customized by the user.
• Protection of the customer’s hostsYou can monitor connections to the addresses assigned to the customer’s network and allow access only to certain hosts and services. You endow your customers with effective and proactive defence against mailious attacks
• Using Masquerading to hide the private network behind one external addressAll connections from private addresses can be masqueraded, and they appear as coming from one external address – that of the router. The firewall will act as a gateway for your entire network to enable the office’s network to share a single, safe connection to the internet.
Applications• Enforcing the Internet Usage Policy from Customer’s Network
The firewall allows you to controll connections from Customer’s Network and provides detailed traffic statistics of all the links.
• Prioritizing trafficYou can mark packets by priority to ensure fastest connection to more importrant packets, This guarantees that all groups allways get appropriate bandwidth. Providing controlable flow of network traffic and preventing bandwidth starvation.
• Applying queuing to the outgoing packetsThis feature allows to limit connection speed to certain group of packet. The hierarchy of class enables you to build a flexoble, and very logical representation of your traffic.
Firewall• Rules• NAT (sourcenat and destinationnat)• Mangle• Address List• Service ports• Connections
– For monitoring only
Source of Packet• Local Process
– Originated from a local process, like web proxy, VPN or others
• Input Process– Packet can come from one of the interfaces
present in the router (then the interface is refered as input interface)
Destination of Packet• Local Process
– To service on localhost• Output Interface
– A packet can leave thorugh the one of the router’s interface (in this case the interface is referred as output interface)
IP Flow
IP Flow
Routed Traffic To Router
Routed Traffic From Router
Routed Traffic Through Router
Bridge Traffic Through Router
Connection Tracking• The ability to maintain the state information
about connections, such as source and destination IP address and ports pairs, connection states, protocol types and timeouts.
• Firewalls that do connection tracking are known as “statefull” and are inherently more secure that those who do only simple “stateless” packet processing.
• 64 MB of RAM can hold information about up to 65536
Connection State• A status is assigned to each packet :
– Invalid – packet does not belong to any of the known connections
– New – packet is opening a new connection– Established – packet belongs to established
connection– Related – packet creates a new connection related to
already opened connection
Chain• Value = forward | input | output | output |
postrouting | prerouting• Specify the chain to put a particular rule into. As
the different traffic is passed through different chains, always be carefull in choosing the right chain for a new rule
• If the input doesn’t match the name of an already defained chain, a new chain will be created
Monitoring & Managing Firewall• You can watch the counters of packet and bytes for
firewall rules• You can move rules to arrange them in order with
minimal average number of passed rules• You can add action=log rule in order to see what
packets (protocol, address and ports) pass this rule• You can use action=passthough to add somple
counters rule• You can also use connection tracking feature to see
current connections
Mangle• Mangle is a kind of “marker” that marks packets
for future processing with special marks• Additionally, the mangle facility is used to modify
some fields in the IP header, like TOS (DSCP) and TTL fields
• Many other facilities in RouterOS make use of these marks, e.g. queue trees and NAT.
Mangle• The mangle marks exist only within the
router, they are not transmitted across the network.
• Packet process through rules in the order they are listed there from top to bottom. If a packet matches the condition(s) of the rule, then the speciafied action is performed on it, else packet jump to the next rule.
Mangle on Winbox
Concept• Make a parameter, such as source address
or destionation address, or much more, and set a mark for that packet
• For more advance setting, we will use connection mark– Mark the connection base on certain
parameter– Mark the packet base on connection mark
Type of Mark• Flow Mark
– Mark each packet for certain rule• Connection Mark
– Mark the connection…. 2 ways packet marking
• Routing Mark
Mangle Action• Accept – the packet is accepted and passed though NAT
without taking any action• Jump – jump to chain specified by the value of the jump
target argument• Return – return to the previous chain, from where the
jump took place• Log – log the packet matches• Passthrough – ignore this rule and go on to the next one• Adddsttoaddresslist – add packet’s destinatios
address to the specified address list• Addsrctoaddresslist – add packet source address to
the specified address list
More Mangle Actions• Markconnection – mark connection (only first
packet)• Markpacket – marck a flow (all packets)• Markrouting – mark packets for policy• Change MSS – change maximum segment size
if the packet• Change TOS• Change TTL• Strip IPv4 options
IP address List• You can also define
group of IP address using “IP address List”
• IP address List can use also in Firewall Rules to apply certain action
• You can use mangle or firewall filter rule to dynamicly add IP address to IP address List certain time limit