AT-WR4500 Series - IEEE 802.11abgh Outdoor Wireless Routers

203

RouterOS v3 Configuration and User Guide


tcp-flags(ack cwr ece fin psh rst syn urg) - TCP flags to match:
  ack - acknowledging data
  cwr - congestion window reduced
  ece - ECN-echo flag (explicit congestion notification)
  fin - close connection
  psh - push function
  rst - drop connection
  syn - new connection
  urg - urgent data

tcp-mss(integer: 0..65535) - matches TCP MSS value of an IP packet

time (time-time,sat fri thu wed tue mon sun{+}) - allows creating a filter based on the packets' arrival time and date or, for locally generated packets, their departure time and date

Note: Because NAT rules are applied first, keep this in mind when setting up firewall rules: the packets the filter sees may already have been modified by NAT.

9.1.3 Filter Applications

Protect your RouterOS router

To protect your router, you should not only change the admin password but also set up packet filtering. All packets destined to the router itself are processed against the ip firewall input chain. Note that the input chain does not affect packets which are being forwarded through the router.

/ ip firewall filter
add chain=input connection-state=invalid action=drop \
    comment="Drop Invalid connections"
add chain=input connection-state=established action=accept \
    comment="Allow Established connections"
add chain=input protocol=udp action=accept \
    comment="Allow UDP"
add chain=input protocol=icmp action=accept \
    comment="Allow ICMP"
add chain=input src-address=192.168.0.0/24 action=accept \
    comment="Allow access to router from known network"
add chain=input action=drop comment="Drop anything else"

Protecting the Customer's Network

To protect the customer's network, we should check all traffic which goes through the router and block unwanted traffic. For ICMP, TCP and UDP traffic we will create chains in which all unwanted packets will be dropped:

/ip firewall filter
add chain=forward protocol=tcp connection-state=invalid \
    action=drop comment="drop invalid connections"
add chain=forward connection-state=established action=accept \
    comment="allow already established connections"
add chain=forward connection-state=related action=accept \
    comment="allow related connections"

Block IP addresses called "bogons":

add chain=forward src-address=0.0.0.0/8 action=drop
add chain=forward dst-address=0.0.0.0/8 action=drop
add chain=forward src-address=127.0.0.0/8 action=drop
add chain=forward dst-address=127.0.0.0/8 action=drop
add chain=forward src-address=224.0.0.0/3 action=drop
add chain=forward dst-address=224.0.0.0/3 action=drop
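The following is an added Python example, not code from this manual or from RouterOS itself. It is a small first-match evaluator for the /ip firewall filter rules on this page: it parses the input-chain rules from "Protect your RouterOS router" and the forward-chain and bogon rules above (joining backslash continuations the way the CLI does), then traces which rule a constructed packet hits. The tcp-flags matcher is modelled from the flag list at the top of the page using the standard TCP header bit positions; treating a "!flag" entry as "flag must be clear" is an assumption about RouterOS syntax, and the sample packets, addresses and the packet() helper are constructed for the example.

```python
"""Added example: first-match evaluator for RouterOS-style filter rules (not the manual's code)."""
import ipaddress
import shlex

# TCP flag bits as carried in the TCP header, named as the manual names them.
TCP_FLAG_BITS = {"fin": 0x01, "syn": 0x02, "rst": 0x04, "psh": 0x08,
                 "ack": 0x10, "urg": 0x20, "ece": 0x40, "cwr": 0x80}

# The rules listed on this page, copied with CLI-style backslash continuations.
PAGE_RULE_TEXT = r"""
/ ip firewall filter
add chain=input connection-state=invalid action=drop \
    comment="Drop Invalid connections"
add chain=input connection-state=established action=accept \
    comment="Allow Established connections"
add chain=input protocol=udp action=accept \
    comment="Allow UDP"
add chain=input protocol=icmp action=accept \
    comment="Allow ICMP"
add chain=input src-address=192.168.0.0/24 action=accept \
    comment="Allow access to router from known network"
add chain=input action=drop comment="Drop anything else"
add chain=forward protocol=tcp connection-state=invalid \
    action=drop comment="drop invalid connections"
add chain=forward connection-state=established action=accept \
    comment="allow already established connections"
add chain=forward connection-state=related action=accept \
    comment="allow related connections"
add chain=forward src-address=0.0.0.0/8 action=drop
add chain=forward dst-address=0.0.0.0/8 action=drop
add chain=forward src-address=127.0.0.0/8 action=drop
add chain=forward dst-address=127.0.0.0/8 action=drop
add chain=forward src-address=224.0.0.0/3 action=drop
add chain=forward dst-address=224.0.0.0/3 action=drop
"""


def decode_tcp_flags(flags_byte):
    """Return the set of flag names set in a raw TCP flags byte (e.g. 0x12 -> {syn, ack})."""
    return {name for name, bit in TCP_FLAG_BITS.items() if flags_byte & bit}


def parse_rule(line):
    """Parse one 'add key=value ...' line into a dict; shlex keeps quoted comments whole."""
    tokens = shlex.split(line)
    assert tokens[0] == "add", "only 'add' lines are understood"
    return dict(tok.split("=", 1) for tok in tokens[1:])


def parse_rules(text):
    """Join backslash-newline continuations, then parse every 'add' line in order."""
    joined = text.replace("\\\n", " ")
    return [parse_rule(l) for l in joined.splitlines() if l.strip().startswith("add")]


def rule_matches(rule, pkt):
    """True if every matcher present in the rule matches the packet dict."""
    if rule.get("protocol") and rule["protocol"] != pkt["protocol"]:
        return False
    if rule.get("connection-state") and rule["connection-state"] != pkt["connection-state"]:
        return False
    for key in ("src-address", "dst-address"):
        if rule.get(key) and ipaddress.ip_address(pkt[key]) not in ipaddress.ip_network(rule[key], strict=False):
            return False
    if rule.get("tcp-flags"):
        # Assumption: listed flags must be set; a '!flag' entry means the flag must be clear.
        if pkt["protocol"] != "tcp":
            return False
        have = decode_tcp_flags(pkt.get("tcp_flags", 0))
        for flag in rule["tcp-flags"].split(","):
            if flag.startswith("!"):
                if flag[1:] in have:
                    return False
            elif flag not in have:
                return False
    return True


def evaluate(rules, chain, pkt):
    """Walk the chain top to bottom and return (action, comment) of the first matching rule.
    RouterOS accepts a packet that matches no rule, so the fall-through result is ('accept', None)."""
    for rule in rules:
        if rule.get("chain") == chain and rule_matches(rule, pkt):
            return rule.get("action"), rule.get("comment")
    return "accept", None


def packet(protocol, src, dst, state, tcp_flags=0):
    """Constructed packet summary: only the fields the matchers above look at."""
    return {"protocol": protocol, "src-address": src, "dst-address": dst,
            "connection-state": state, "tcp_flags": tcp_flags}


PAGE_RULES = parse_rules(PAGE_RULE_TEXT)

if __name__ == "__main__":
    samples = [  # constructed packets: (chain, packet)
        ("input", packet("udp", "10.0.0.5", "192.168.0.1", "new")),
        ("input", packet("tcp", "203.0.113.9", "192.168.0.1", "new")),
        ("input", packet("tcp", "192.168.0.10", "192.168.0.1", "new")),
        ("forward", packet("tcp", "127.0.0.1", "10.0.0.1", "new")),
        ("forward", packet("tcp", "198.51.100.2", "10.0.0.1", "new")),
    ]
    for chain, pkt in samples:
        print(chain, pkt["protocol"], pkt["src-address"], "->", evaluate(PAGE_RULES, chain, pkt))
```

The trace makes the ordering consequences visible: a UDP packet to the router from any source is accepted by "Allow UDP" before "Drop anything else" is ever reached, so if only the known network should reach UDP services on the router, that rule needs a src-address matcher like the one on the following line; a packet forwarded from 127.0.0.0/8 is dropped by the bogon rule with no comment, which is why adding comments to those rules helps when reading the counters later.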
